commit: 050be68ee8c0b57473adf52cd98ffef922a49596 Author: Alice Ferrazzi <alicef <AT> gentoo <DOT> org> AuthorDate: Thu Jun 3 10:32:31 2021 +0000 Commit: Alice Ferrazzi <alicef <AT> gentoo <DOT> org> CommitDate: Thu Jun 3 10:32:43 2021 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=050be68e
Linux patch 4.19.193 Signed-off-by: Alice Ferrazzi <alicef <AT> gentoo.org> 0000_README | 4 + 1192_linux-4.19.193.patch | 4207 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 4211 insertions(+) diff --git a/0000_README b/0000_README index a935472..757010f 100644 --- a/0000_README +++ b/0000_README @@ -807,6 +807,10 @@ Patch: 1191_linux-4.19.192.patch From: https://www.kernel.org Desc: Linux 4.19.192 +Patch: 1192_linux-4.19.193.patch +From: https://www.kernel.org +Desc: Linux 4.19.193 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1192_linux-4.19.193.patch b/1192_linux-4.19.193.patch new file mode 100644 index 0000000..866e21f --- /dev/null +++ b/1192_linux-4.19.193.patch @@ -0,0 +1,4207 @@ +diff --git a/Makefile b/Makefile +index 51ee6da4c1ab5..e5d41b6792d7f 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 19 +-SUBLEVEL = 192 ++SUBLEVEL = 193 + EXTRAVERSION = + NAME = "People's Front" + +diff --git a/arch/mips/alchemy/board-xxs1500.c b/arch/mips/alchemy/board-xxs1500.c +index 5f05b8714385d..b968cff5baa77 100644 +--- a/arch/mips/alchemy/board-xxs1500.c ++++ b/arch/mips/alchemy/board-xxs1500.c +@@ -31,6 +31,7 @@ + #include <asm/reboot.h> + #include <asm/setup.h> + #include <asm/mach-au1x00/au1000.h> ++#include <asm/mach-au1x00/gpio-au1000.h> + #include <prom.h> + + const char *get_system_type(void) +diff --git a/arch/mips/ralink/of.c b/arch/mips/ralink/of.c +index 1ada8492733b6..92b3d48499967 100644 +--- a/arch/mips/ralink/of.c ++++ b/arch/mips/ralink/of.c +@@ -10,6 +10,7 @@ + + #include <linux/io.h> + #include <linux/clk.h> ++#include <linux/export.h> + #include <linux/init.h> + #include <linux/sizes.h> + #include <linux/of_fdt.h> +@@ -27,6 +28,7 @@ + + __iomem void *rt_sysc_membase; + __iomem void *rt_memc_membase; ++EXPORT_SYMBOL_GPL(rt_sysc_membase); + + __iomem void *plat_of_remap_node(const char *node) + { +diff --git a/arch/openrisc/include/asm/barrier.h b/arch/openrisc/include/asm/barrier.h +new file mode 100644 +index 0000000000000..7538294721bed +--- /dev/null ++++ b/arch/openrisc/include/asm/barrier.h +@@ -0,0 +1,9 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef __ASM_BARRIER_H ++#define __ASM_BARRIER_H ++ ++#define mb() asm volatile ("l.msync" ::: "memory") ++ ++#include <asm-generic/barrier.h> ++ ++#endif /* __ASM_BARRIER_H */ +diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c +index c0732f0322484..68f02318cee32 100644 +--- a/drivers/char/hpet.c ++++ b/drivers/char/hpet.c +@@ -975,6 +975,8 @@ static acpi_status hpet_resources(struct acpi_resource *res, void *data) + if (ACPI_SUCCESS(status)) { + hdp->hd_phys_address = addr.address.minimum; + hdp->hd_address = ioremap(addr.address.minimum, addr.address.address_length); ++ if (!hdp->hd_address) ++ return AE_ERROR; + + if (hpet_is_known(hdp)) { + iounmap(hdp->hd_address); +@@ -988,6 +990,8 @@ static acpi_status hpet_resources(struct acpi_resource *res, void *data) + hdp->hd_phys_address = fixmem32->address; + hdp->hd_address = ioremap(fixmem32->address, + HPET_RANGE_SIZE); ++ if (!hdp->hd_address) ++ return AE_ERROR; + + if (hpet_is_known(hdp)) { + iounmap(hdp->hd_address); +diff --git a/drivers/dma/qcom/hidma_mgmt.c b/drivers/dma/qcom/hidma_mgmt.c +index d64edeb6771a9..f9640e37b1397 100644 +--- a/drivers/dma/qcom/hidma_mgmt.c ++++ b/drivers/dma/qcom/hidma_mgmt.c +@@ -423,6 +423,20 @@ static int __init hidma_mgmt_init(void) + hidma_mgmt_of_populate_channels(child); + } + #endif ++ /* ++ * We do not check for return value here, as it is assumed that ++ * platform_driver_register must not fail. The reason for this is that ++ * the (potential) hidma_mgmt_of_populate_channels calls above are not ++ * cleaned up if it does fail, and to do this work is quite ++ * complicated. In particular, various calls of of_address_to_resource, ++ * of_irq_to_resource, platform_device_register_full, of_dma_configure, ++ * and of_msi_configure which then call other functions and so on, must ++ * be cleaned up - this is not a trivial exercise. ++ * ++ * Currently, this module is not intended to be unloaded, and there is ++ * no module_exit function defined which does the needed cleanup. For ++ * this reason, we have to assume success here. ++ */ + platform_driver_register(&hidma_mgmt_driver); + + return 0; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c +index 69c5d22f29bdf..d55ff59584c82 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c +@@ -297,10 +297,13 @@ out: + static int amdgpu_fbdev_destroy(struct drm_device *dev, struct amdgpu_fbdev *rfbdev) + { + struct amdgpu_framebuffer *rfb = &rfbdev->rfb; ++ int i; + + drm_fb_helper_unregister_fbi(&rfbdev->helper); + + if (rfb->base.obj[0]) { ++ for (i = 0; i < rfb->base.format->num_planes; i++) ++ drm_gem_object_put(rfb->base.obj[0]); + amdgpufb_destroy_pinned_object(rfb->base.obj[0]); + rfb->base.obj[0] = NULL; + drm_framebuffer_unregister_private(&rfb->base); +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +index 757fa486aac41..50807d621ecac 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -1277,6 +1277,7 @@ static void amdgpu_ttm_tt_unpopulate(struct ttm_tt *ttm) + if (gtt && gtt->userptr) { + amdgpu_ttm_tt_set_user_pages(ttm, NULL); + kfree(ttm->sg); ++ ttm->sg = NULL; + ttm->page_flags &= ~TTM_PAGE_FLAG_SG; + return; + } +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +index e3bedf4cc9c03..c9c81090d580a 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +@@ -768,6 +768,24 @@ bool dc_link_detect(struct dc_link *link, enum dc_detect_reason reason) + dc_is_dvi_signal(link->connector_signal)) { + if (prev_sink != NULL) + dc_sink_release(prev_sink); ++ link_disconnect_sink(link); ++ ++ return false; ++ } ++ /* ++ * Abort detection for DP connectors if we have ++ * no EDID and connector is active converter ++ * as there are no display downstream ++ * ++ */ ++ if (dc_is_dp_sst_signal(link->connector_signal) && ++ (link->dpcd_caps.dongle_type == ++ DISPLAY_DONGLE_DP_VGA_CONVERTER || ++ link->dpcd_caps.dongle_type == ++ DISPLAY_DONGLE_DP_DVI_CONVERTER)) { ++ if (prev_sink) ++ dc_sink_release(prev_sink); ++ link_disconnect_sink(link); + + return false; + } +diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c +index 25b06771f2387..1887473cdd79c 100644 +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -387,11 +387,12 @@ static int meson_probe_remote(struct platform_device *pdev, + static void meson_drv_shutdown(struct platform_device *pdev) + { + struct meson_drm *priv = dev_get_drvdata(&pdev->dev); +- struct drm_device *drm = priv->drm; + +- DRM_DEBUG_DRIVER("\n"); +- drm_kms_helper_poll_fini(drm); +- drm_atomic_helper_shutdown(drm); ++ if (!priv) ++ return; ++ ++ drm_kms_helper_poll_fini(priv->drm); ++ drm_atomic_helper_shutdown(priv->drm); + } + + static int meson_drv_probe(struct platform_device *pdev) +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index 3ac3b26cc9317..efafd028c5d16 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -384,11 +384,9 @@ static int i801_check_post(struct i801_priv *priv, int status) + dev_err(&priv->pci_dev->dev, "Transaction timeout\n"); + /* try to stop the current command */ + dev_dbg(&priv->pci_dev->dev, "Terminating the current operation\n"); +- outb_p(inb_p(SMBHSTCNT(priv)) | SMBHSTCNT_KILL, +- SMBHSTCNT(priv)); ++ outb_p(SMBHSTCNT_KILL, SMBHSTCNT(priv)); + usleep_range(1000, 2000); +- outb_p(inb_p(SMBHSTCNT(priv)) & (~SMBHSTCNT_KILL), +- SMBHSTCNT(priv)); ++ outb_p(0, SMBHSTCNT(priv)); + + /* Check if it worked */ + status = inb_p(SMBHSTSTS(priv)); +diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c +index 2f2e28d60ef52..d3603e261a847 100644 +--- a/drivers/i2c/busses/i2c-s3c2410.c ++++ b/drivers/i2c/busses/i2c-s3c2410.c +@@ -493,7 +493,10 @@ static int i2c_s3c_irq_nextbyte(struct s3c24xx_i2c *i2c, unsigned long iicstat) + * forces us to send a new START + * when we change direction + */ ++ dev_dbg(i2c->dev, ++ "missing START before write->read\n"); + s3c24xx_i2c_stop(i2c, -EINVAL); ++ break; + } + + goto retry_write; +diff --git a/drivers/iio/adc/ad7793.c b/drivers/iio/adc/ad7793.c +index 23a6e7baa396b..b5952ee3031c7 100644 +--- a/drivers/iio/adc/ad7793.c ++++ b/drivers/iio/adc/ad7793.c +@@ -279,6 +279,7 @@ static int ad7793_setup(struct iio_dev *indio_dev, + id &= AD7793_ID_MASK; + + if (id != st->chip_info->id) { ++ ret = -ENODEV; + dev_err(&st->sd.spi->dev, "device ID query failed\n"); + goto out; + } +diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c +index 3f0c2c1ef0cb2..bc565f8e8ac2b 100644 +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -1119,7 +1119,7 @@ static int alloc_iommu(struct dmar_drhd_unit *drhd) + + err = iommu_device_register(&iommu->iommu); + if (err) +- goto err_unmap; ++ goto err_sysfs; + } + + drhd->iommu = iommu; +@@ -1127,6 +1127,8 @@ static int alloc_iommu(struct dmar_drhd_unit *drhd) + + return 0; + ++err_sysfs: ++ iommu_device_sysfs_remove(&iommu->iommu); + err_unmap: + unmap_iommu(iommu); + error_free_seq_id: +diff --git a/drivers/isdn/hardware/mISDN/mISDNinfineon.c b/drivers/isdn/hardware/mISDN/mISDNinfineon.c +index 3e01012be4abc..95a0d728eecc5 100644 +--- a/drivers/isdn/hardware/mISDN/mISDNinfineon.c ++++ b/drivers/isdn/hardware/mISDN/mISDNinfineon.c +@@ -645,17 +645,19 @@ static void + release_io(struct inf_hw *hw) + { + if (hw->cfg.mode) { +- if (hw->cfg.p) { ++ if (hw->cfg.mode == AM_MEMIO) { + release_mem_region(hw->cfg.start, hw->cfg.size); +- iounmap(hw->cfg.p); ++ if (hw->cfg.p) ++ iounmap(hw->cfg.p); + } else + release_region(hw->cfg.start, hw->cfg.size); + hw->cfg.mode = AM_NONE; + } + if (hw->addr.mode) { +- if (hw->addr.p) { ++ if (hw->addr.mode == AM_MEMIO) { + release_mem_region(hw->addr.start, hw->addr.size); +- iounmap(hw->addr.p); ++ if (hw->addr.p) ++ iounmap(hw->addr.p); + } else + release_region(hw->addr.start, hw->addr.size); + hw->addr.mode = AM_NONE; +@@ -685,9 +687,12 @@ setup_io(struct inf_hw *hw) + (ulong)hw->cfg.start, (ulong)hw->cfg.size); + return err; + } +- if (hw->ci->cfg_mode == AM_MEMIO) +- hw->cfg.p = ioremap(hw->cfg.start, hw->cfg.size); + hw->cfg.mode = hw->ci->cfg_mode; ++ if (hw->ci->cfg_mode == AM_MEMIO) { ++ hw->cfg.p = ioremap(hw->cfg.start, hw->cfg.size); ++ if (!hw->cfg.p) ++ return -ENOMEM; ++ } + if (debug & DEBUG_HW) + pr_notice("%s: IO cfg %lx (%lu bytes) mode%d\n", + hw->name, (ulong)hw->cfg.start, +@@ -712,9 +717,12 @@ setup_io(struct inf_hw *hw) + (ulong)hw->addr.start, (ulong)hw->addr.size); + return err; + } +- if (hw->ci->addr_mode == AM_MEMIO) +- hw->addr.p = ioremap(hw->addr.start, hw->addr.size); + hw->addr.mode = hw->ci->addr_mode; ++ if (hw->ci->addr_mode == AM_MEMIO) { ++ hw->addr.p = ioremap(hw->addr.start, hw->addr.size); ++ if (!hw->addr.p) ++ return -ENOMEM; ++ } + if (debug & DEBUG_HW) + pr_notice("%s: IO addr %lx (%lu bytes) mode%d\n", + hw->name, (ulong)hw->addr.start, +diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c +index 7d96836294713..52101e5c72588 100644 +--- a/drivers/md/dm-snap.c ++++ b/drivers/md/dm-snap.c +@@ -794,7 +794,7 @@ static int dm_add_exception(void *context, chunk_t old, chunk_t new) + static uint32_t __minimum_chunk_size(struct origin *o) + { + struct dm_snapshot *snap; +- unsigned chunk_size = 0; ++ unsigned chunk_size = rounddown_pow_of_two(UINT_MAX); + + if (o) + list_for_each_entry(snap, &o->snapshots, list) +diff --git a/drivers/media/dvb-frontends/sp8870.c b/drivers/media/dvb-frontends/sp8870.c +index 8d31cf3f4f078..3a577788041d5 100644 +--- a/drivers/media/dvb-frontends/sp8870.c ++++ b/drivers/media/dvb-frontends/sp8870.c +@@ -293,7 +293,9 @@ static int sp8870_set_frontend_parameters(struct dvb_frontend *fe) + sp8870_writereg(state, 0xc05, reg0xc05); + + // read status reg in order to clear pending irqs +- sp8870_readreg(state, 0x200); ++ err = sp8870_readreg(state, 0x200); ++ if (err < 0) ++ return err; + + // system controller start + sp8870_microcontroller_start(state); +diff --git a/drivers/media/usb/gspca/m5602/m5602_po1030.c b/drivers/media/usb/gspca/m5602/m5602_po1030.c +index 37d2891e5f5b6..81d8eb72ac41c 100644 +--- a/drivers/media/usb/gspca/m5602/m5602_po1030.c ++++ b/drivers/media/usb/gspca/m5602/m5602_po1030.c +@@ -159,6 +159,7 @@ static const struct v4l2_ctrl_config po1030_greenbal_cfg = { + int po1030_probe(struct sd *sd) + { + u8 dev_id_h = 0, i; ++ int err; + struct gspca_dev *gspca_dev = (struct gspca_dev *)sd; + + if (force_sensor) { +@@ -177,10 +178,13 @@ int po1030_probe(struct sd *sd) + for (i = 0; i < ARRAY_SIZE(preinit_po1030); i++) { + u8 data = preinit_po1030[i][2]; + if (preinit_po1030[i][0] == SENSOR) +- m5602_write_sensor(sd, +- preinit_po1030[i][1], &data, 1); ++ err = m5602_write_sensor(sd, preinit_po1030[i][1], ++ &data, 1); + else +- m5602_write_bridge(sd, preinit_po1030[i][1], data); ++ err = m5602_write_bridge(sd, preinit_po1030[i][1], ++ data); ++ if (err < 0) ++ return err; + } + + if (m5602_read_sensor(sd, PO1030_DEVID_H, &dev_id_h, 1)) +diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c +index f2cfc96194250..49e08b6133f50 100644 +--- a/drivers/misc/kgdbts.c ++++ b/drivers/misc/kgdbts.c +@@ -112,8 +112,9 @@ + printk(KERN_INFO a); \ + } while (0) + #define v2printk(a...) do { \ +- if (verbose > 1) \ ++ if (verbose > 1) { \ + printk(KERN_INFO a); \ ++ } \ + touch_nmi_watchdog(); \ + } while (0) + #define eprintk(a...) do { \ +diff --git a/drivers/misc/lis3lv02d/lis3lv02d.h b/drivers/misc/lis3lv02d/lis3lv02d.h +index c439c827eea80..0ef759671b546 100644 +--- a/drivers/misc/lis3lv02d/lis3lv02d.h ++++ b/drivers/misc/lis3lv02d/lis3lv02d.h +@@ -284,6 +284,7 @@ struct lis3lv02d { + int regs_size; + u8 *reg_cache; + bool regs_stored; ++ bool init_required; + u8 odr_mask; /* ODR bit mask */ + u8 whoami; /* indicates measurement precision */ + s16 (*read_data) (struct lis3lv02d *lis3, int reg); +diff --git a/drivers/misc/mei/interrupt.c b/drivers/misc/mei/interrupt.c +index 5a661cbdf2aef..66f4d12d00602 100644 +--- a/drivers/misc/mei/interrupt.c ++++ b/drivers/misc/mei/interrupt.c +@@ -224,6 +224,9 @@ static int mei_cl_irq_read(struct mei_cl *cl, struct mei_cl_cb *cb, + return ret; + } + ++ pm_runtime_mark_last_busy(dev->dev); ++ pm_request_autosuspend(dev->dev); ++ + list_move_tail(&cb->list, &cl->rd_pending); + + return 0; +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index a0f954f36c09f..94d5ce9419ca6 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -279,7 +279,6 @@ static int caif_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct ser_device *ser; + +- BUG_ON(dev == NULL); + ser = netdev_priv(dev); + + /* Send flow off once, on high water mark */ +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index 616afd81536af..6335c4ea09577 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -851,14 +851,6 @@ mt7530_port_set_vlan_aware(struct dsa_switch *ds, int port) + { + struct mt7530_priv *priv = ds->priv; + +- /* The real fabric path would be decided on the membership in the +- * entry of VLAN table. PCR_MATRIX set up here with ALL_MEMBERS +- * means potential VLAN can be consisting of certain subset of all +- * ports. +- */ +- mt7530_rmw(priv, MT7530_PCR_P(port), +- PCR_MATRIX_MASK, PCR_MATRIX(MT7530_ALL_MEMBERS)); +- + /* Trapped into security mode allows packet forwarding through VLAN + * table lookup. CPU port is set to fallback mode to let untagged + * frames pass through. +diff --git a/drivers/net/ethernet/broadcom/bnx2.c b/drivers/net/ethernet/broadcom/bnx2.c +index 122fdb80a7899..9993f1162ac68 100644 +--- a/drivers/net/ethernet/broadcom/bnx2.c ++++ b/drivers/net/ethernet/broadcom/bnx2.c +@@ -8253,9 +8253,9 @@ bnx2_init_board(struct pci_dev *pdev, struct net_device *dev) + BNX2_WR(bp, PCI_COMMAND, reg); + } else if ((BNX2_CHIP_ID(bp) == BNX2_CHIP_ID_5706_A1) && + !(bp->flags & BNX2_FLAG_PCIX)) { +- + dev_err(&pdev->dev, + "5706 A1 can only be used in a PCIX bus, aborting\n"); ++ rc = -EPERM; + goto err_out_unmap; + } + +diff --git a/drivers/net/ethernet/brocade/bna/bnad.c b/drivers/net/ethernet/brocade/bna/bnad.c +index ea5f32ea308a9..1e25c3b5f563b 100644 +--- a/drivers/net/ethernet/brocade/bna/bnad.c ++++ b/drivers/net/ethernet/brocade/bna/bnad.c +@@ -3290,7 +3290,7 @@ bnad_change_mtu(struct net_device *netdev, int new_mtu) + { + int err, mtu; + struct bnad *bnad = netdev_priv(netdev); +- u32 rx_count = 0, frame, new_frame; ++ u32 frame, new_frame; + + mutex_lock(&bnad->conf_mutex); + +@@ -3306,12 +3306,9 @@ bnad_change_mtu(struct net_device *netdev, int new_mtu) + /* only when transition is over 4K */ + if ((frame <= 4096 && new_frame > 4096) || + (frame > 4096 && new_frame <= 4096)) +- rx_count = bnad_reinit_rx(bnad); ++ bnad_reinit_rx(bnad); + } + +- /* rx_count > 0 - new rx created +- * - Linux set err = 0 and return +- */ + err = bnad_mtu_set(bnad, new_frame); + if (err) + err = -EBUSY; +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index f16853c3c851a..c813e6f2b371e 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -4927,11 +4927,11 @@ mii_get_oui(u_char phyaddr, u_long ioaddr) + u_char breg[2]; + } a; + int i, r2, r3, ret=0;*/ +- int r2, r3; ++ int r2; + + /* Read r2 and r3 */ + r2 = mii_rd(MII_ID0, phyaddr, ioaddr); +- r3 = mii_rd(MII_ID1, phyaddr, ioaddr); ++ mii_rd(MII_ID1, phyaddr, ioaddr); + /* SEEQ and Cypress way * / + / * Shuffle r2 and r3 * / + a.reg=0; +diff --git a/drivers/net/ethernet/dec/tulip/media.c b/drivers/net/ethernet/dec/tulip/media.c +index dcf21a36a9cf4..011604787b8ed 100644 +--- a/drivers/net/ethernet/dec/tulip/media.c ++++ b/drivers/net/ethernet/dec/tulip/media.c +@@ -319,13 +319,8 @@ void tulip_select_media(struct net_device *dev, int startup) + break; + } + case 5: case 6: { +- u16 setup[5]; +- + new_csr6 = 0; /* FIXME */ + +- for (i = 0; i < 5; i++) +- setup[i] = get_u16(&p[i*2 + 1]); +- + if (startup && mtable->has_reset) { + struct medialeaf *rleaf = &mtable->mleaf[mtable->has_reset]; + unsigned char *rst = rleaf->leafdata; +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 7d1a669416f20..6b9eada1feb21 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3221,7 +3221,9 @@ static int fec_enet_init(struct net_device *ndev) + return ret; + } + +- fec_enet_alloc_queue(ndev); ++ ret = fec_enet_alloc_queue(ndev); ++ if (ret) ++ return ret; + + bd_size = (fep->total_tx_ring_size + fep->total_rx_ring_size) * dsize; + +@@ -3229,7 +3231,8 @@ static int fec_enet_init(struct net_device *ndev) + cbd_base = dmam_alloc_coherent(&fep->pdev->dev, bd_size, &bd_dma, + GFP_KERNEL); + if (!cbd_base) { +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto free_queue_mem; + } + + memset(cbd_base, 0, bd_size); +@@ -3309,6 +3312,10 @@ static int fec_enet_init(struct net_device *ndev) + fec_enet_update_ethtool_stats(ndev); + + return 0; ++ ++free_queue_mem: ++ fec_enet_free_queue(ndev); ++ return ret; + } + + #ifdef CONFIG_OF +diff --git a/drivers/net/ethernet/fujitsu/fmvj18x_cs.c b/drivers/net/ethernet/fujitsu/fmvj18x_cs.c +index a69cd19a55ae2..b8fc9bbeca2c7 100644 +--- a/drivers/net/ethernet/fujitsu/fmvj18x_cs.c ++++ b/drivers/net/ethernet/fujitsu/fmvj18x_cs.c +@@ -547,6 +547,11 @@ static int fmvj18x_get_hwinfo(struct pcmcia_device *link, u_char *node_id) + return -1; + + base = ioremap(link->resource[2]->start, resource_size(link->resource[2])); ++ if (!base) { ++ pcmcia_release_window(link, link->resource[2]); ++ return -1; ++ } ++ + pcmcia_map_mem_page(link, link->resource[2], 0); + + /* +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 3b89673f09daf..19165a3548bfd 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -702,8 +702,6 @@ static bool hns3_tunnel_csum_bug(struct sk_buff *skb) + if (!(!skb->encapsulation && l4.udp->dest == htons(IANA_VXLAN_PORT))) + return false; + +- skb_checksum_help(skb); +- + return true; + } + +@@ -764,8 +762,7 @@ static int hns3_set_l3l4_type_csum(struct sk_buff *skb, u8 ol4_proto, + /* the stack computes the IP header already, + * driver calculate l4 checksum when not TSO. + */ +- skb_checksum_help(skb); +- return 0; ++ return skb_checksum_help(skb); + } + + l3.hdr = skb_inner_network_header(skb); +@@ -796,7 +793,7 @@ static int hns3_set_l3l4_type_csum(struct sk_buff *skb, u8 ol4_proto, + break; + case IPPROTO_UDP: + if (hns3_tunnel_csum_bug(skb)) +- break; ++ return skb_checksum_help(skb); + + hnae3_set_bit(*type_cs_vlan_tso, HNS3_TXD_L4CS_B, 1); + hnae3_set_field(*type_cs_vlan_tso, +@@ -821,8 +818,7 @@ static int hns3_set_l3l4_type_csum(struct sk_buff *skb, u8 ol4_proto, + /* the stack computes the IP header already, + * driver calculate l4 checksum when not TSO. + */ +- skb_checksum_help(skb); +- return 0; ++ return skb_checksum_help(skb); + } + + return 0; +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +index f6ffd9fb20793..8aaf856771d7b 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +@@ -467,12 +467,16 @@ static int ixgbe_set_vf_vlan(struct ixgbe_adapter *adapter, int add, int vid, + return err; + } + +-static s32 ixgbe_set_vf_lpe(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) ++static int ixgbe_set_vf_lpe(struct ixgbe_adapter *adapter, u32 max_frame, u32 vf) + { + struct ixgbe_hw *hw = &adapter->hw; +- int max_frame = msgbuf[1]; + u32 max_frs; + ++ if (max_frame < ETH_MIN_MTU || max_frame > IXGBE_MAX_JUMBO_FRAME_SIZE) { ++ e_err(drv, "VF max_frame %d out of range\n", max_frame); ++ return -EINVAL; ++ } ++ + /* + * For 82599EB we have to keep all PFs and VFs operating with + * the same max_frame value in order to avoid sending an oversize +@@ -532,12 +536,6 @@ static s32 ixgbe_set_vf_lpe(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf) + } + } + +- /* MTU < 68 is an error and causes problems on some kernels */ +- if (max_frame > IXGBE_MAX_JUMBO_FRAME_SIZE) { +- e_err(drv, "VF max_frame %d out of range\n", max_frame); +- return -EINVAL; +- } +- + /* pull current max frame size from hardware */ + max_frs = IXGBE_READ_REG(hw, IXGBE_MAXFRS); + max_frs &= IXGBE_MHADD_MFS_MASK; +@@ -1240,7 +1238,7 @@ static int ixgbe_rcv_msg_from_vf(struct ixgbe_adapter *adapter, u32 vf) + retval = ixgbe_set_vf_vlan_msg(adapter, msgbuf, vf); + break; + case IXGBE_VF_SET_LPE: +- retval = ixgbe_set_vf_lpe(adapter, msgbuf, vf); ++ retval = ixgbe_set_vf_lpe(adapter, msgbuf[1], vf); + break; + case IXGBE_VF_SET_MACVLAN: + retval = ixgbe_set_vf_macvlan_msg(adapter, msgbuf, vf); +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index 7a99eb1572fd9..6a005014d46af 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -2011,8 +2011,6 @@ static int mlx4_en_set_tunable(struct net_device *dev, + return ret; + } + +-#define MLX4_EEPROM_PAGE_LEN 256 +- + static int mlx4_en_get_module_info(struct net_device *dev, + struct ethtool_modinfo *modinfo) + { +@@ -2047,7 +2045,7 @@ static int mlx4_en_get_module_info(struct net_device *dev, + break; + case MLX4_MODULE_ID_SFP: + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN; ++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; + break; + default: + return -EINVAL; +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c +index 29041d4a3f28e..6517e53da520d 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c +@@ -862,6 +862,7 @@ netdev_tx_t mlx4_en_xmit(struct sk_buff *skb, struct net_device *dev) + struct mlx4_en_tx_desc *tx_desc; + struct mlx4_wqe_data_seg *data; + struct mlx4_en_tx_info *tx_info; ++ u32 __maybe_unused ring_cons; + int tx_ind; + int nr_txbb; + int desc_size; +@@ -875,7 +876,6 @@ netdev_tx_t mlx4_en_xmit(struct sk_buff *skb, struct net_device *dev) + bool stop_queue; + bool inline_ok; + u8 data_offset; +- u32 ring_cons; + bool bf_ok; + + tx_ind = skb_get_queue_mapping(skb); +diff --git a/drivers/net/ethernet/mellanox/mlx4/port.c b/drivers/net/ethernet/mellanox/mlx4/port.c +index ba6ac31a339dc..256a06b3c096b 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/port.c ++++ b/drivers/net/ethernet/mellanox/mlx4/port.c +@@ -1973,6 +1973,7 @@ EXPORT_SYMBOL(mlx4_get_roce_gid_from_slave); + #define I2C_ADDR_LOW 0x50 + #define I2C_ADDR_HIGH 0x51 + #define I2C_PAGE_SIZE 256 ++#define I2C_HIGH_PAGE_SIZE 128 + + /* Module Info Data */ + struct mlx4_cable_info { +@@ -2026,6 +2027,88 @@ static inline const char *cable_info_mad_err_str(u16 mad_status) + return "Unknown Error"; + } + ++static int mlx4_get_module_id(struct mlx4_dev *dev, u8 port, u8 *module_id) ++{ ++ struct mlx4_cmd_mailbox *inbox, *outbox; ++ struct mlx4_mad_ifc *inmad, *outmad; ++ struct mlx4_cable_info *cable_info; ++ int ret; ++ ++ inbox = mlx4_alloc_cmd_mailbox(dev); ++ if (IS_ERR(inbox)) ++ return PTR_ERR(inbox); ++ ++ outbox = mlx4_alloc_cmd_mailbox(dev); ++ if (IS_ERR(outbox)) { ++ mlx4_free_cmd_mailbox(dev, inbox); ++ return PTR_ERR(outbox); ++ } ++ ++ inmad = (struct mlx4_mad_ifc *)(inbox->buf); ++ outmad = (struct mlx4_mad_ifc *)(outbox->buf); ++ ++ inmad->method = 0x1; /* Get */ ++ inmad->class_version = 0x1; ++ inmad->mgmt_class = 0x1; ++ inmad->base_version = 0x1; ++ inmad->attr_id = cpu_to_be16(0xFF60); /* Module Info */ ++ ++ cable_info = (struct mlx4_cable_info *)inmad->data; ++ cable_info->dev_mem_address = 0; ++ cable_info->page_num = 0; ++ cable_info->i2c_addr = I2C_ADDR_LOW; ++ cable_info->size = cpu_to_be16(1); ++ ++ ret = mlx4_cmd_box(dev, inbox->dma, outbox->dma, port, 3, ++ MLX4_CMD_MAD_IFC, MLX4_CMD_TIME_CLASS_C, ++ MLX4_CMD_NATIVE); ++ if (ret) ++ goto out; ++ ++ if (be16_to_cpu(outmad->status)) { ++ /* Mad returned with bad status */ ++ ret = be16_to_cpu(outmad->status); ++ mlx4_warn(dev, ++ "MLX4_CMD_MAD_IFC Get Module ID attr(%x) port(%d) i2c_addr(%x) offset(%d) size(%d): Response Mad Status(%x) - %s\n", ++ 0xFF60, port, I2C_ADDR_LOW, 0, 1, ret, ++ cable_info_mad_err_str(ret)); ++ ret = -ret; ++ goto out; ++ } ++ cable_info = (struct mlx4_cable_info *)outmad->data; ++ *module_id = cable_info->data[0]; ++out: ++ mlx4_free_cmd_mailbox(dev, inbox); ++ mlx4_free_cmd_mailbox(dev, outbox); ++ return ret; ++} ++ ++static void mlx4_sfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset) ++{ ++ *i2c_addr = I2C_ADDR_LOW; ++ *page_num = 0; ++ ++ if (*offset < I2C_PAGE_SIZE) ++ return; ++ ++ *i2c_addr = I2C_ADDR_HIGH; ++ *offset -= I2C_PAGE_SIZE; ++} ++ ++static void mlx4_qsfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset) ++{ ++ /* Offsets 0-255 belong to page 0. ++ * Offsets 256-639 belong to pages 01, 02, 03. ++ * For example, offset 400 is page 02: 1 + (400 - 256) / 128 = 2 ++ */ ++ if (*offset < I2C_PAGE_SIZE) ++ *page_num = 0; ++ else ++ *page_num = 1 + (*offset - I2C_PAGE_SIZE) / I2C_HIGH_PAGE_SIZE; ++ *i2c_addr = I2C_ADDR_LOW; ++ *offset -= *page_num * I2C_HIGH_PAGE_SIZE; ++} ++ + /** + * mlx4_get_module_info - Read cable module eeprom data + * @dev: mlx4_dev. +@@ -2045,12 +2128,30 @@ int mlx4_get_module_info(struct mlx4_dev *dev, u8 port, + struct mlx4_cmd_mailbox *inbox, *outbox; + struct mlx4_mad_ifc *inmad, *outmad; + struct mlx4_cable_info *cable_info; +- u16 i2c_addr; ++ u8 module_id, i2c_addr, page_num; + int ret; + + if (size > MODULE_INFO_MAX_READ) + size = MODULE_INFO_MAX_READ; + ++ ret = mlx4_get_module_id(dev, port, &module_id); ++ if (ret) ++ return ret; ++ ++ switch (module_id) { ++ case MLX4_MODULE_ID_SFP: ++ mlx4_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ case MLX4_MODULE_ID_QSFP: ++ case MLX4_MODULE_ID_QSFP_PLUS: ++ case MLX4_MODULE_ID_QSFP28: ++ mlx4_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset); ++ break; ++ default: ++ mlx4_err(dev, "Module ID not recognized: %#x\n", module_id); ++ return -EINVAL; ++ } ++ + inbox = mlx4_alloc_cmd_mailbox(dev); + if (IS_ERR(inbox)) + return PTR_ERR(inbox); +@@ -2076,11 +2177,9 @@ int mlx4_get_module_info(struct mlx4_dev *dev, u8 port, + */ + size -= offset + size - I2C_PAGE_SIZE; + +- i2c_addr = I2C_ADDR_LOW; +- + cable_info = (struct mlx4_cable_info *)inmad->data; + cable_info->dev_mem_address = cpu_to_be16(offset); +- cable_info->page_num = 0; ++ cable_info->page_num = page_num; + cable_info->i2c_addr = i2c_addr; + cable_info->size = cpu_to_be16(size); + +diff --git a/drivers/net/ethernet/micrel/ksz884x.c b/drivers/net/ethernet/micrel/ksz884x.c +index ebbdfb9087451..623a05d78343d 100644 +--- a/drivers/net/ethernet/micrel/ksz884x.c ++++ b/drivers/net/ethernet/micrel/ksz884x.c +@@ -1657,8 +1657,7 @@ static inline void set_tx_len(struct ksz_desc *desc, u32 len) + + #define HW_DELAY(hw, reg) \ + do { \ +- u16 dummy; \ +- dummy = readw(hw->io + reg); \ ++ readw(hw->io + reg); \ + } while (0) + + /** +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index df4519c04ba07..0d681714878b1 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -156,9 +156,8 @@ static void lan743x_tx_isr(void *context, u32 int_sts, u32 flags) + struct lan743x_tx *tx = context; + struct lan743x_adapter *adapter = tx->adapter; + bool enable_flag = true; +- u32 int_en = 0; + +- int_en = lan743x_csr_read(adapter, INT_EN_SET); ++ lan743x_csr_read(adapter, INT_EN_SET); + if (flags & LAN743X_VECTOR_FLAG_SOURCE_ENABLE_CLEAR) { + lan743x_csr_write(adapter, INT_EN_CLR, + INT_BIT_DMA_TX_(tx->channel_number)); +@@ -1635,10 +1634,9 @@ static int lan743x_tx_napi_poll(struct napi_struct *napi, int weight) + bool start_transmitter = false; + unsigned long irq_flags = 0; + u32 ioc_bit = 0; +- u32 int_sts = 0; + + ioc_bit = DMAC_INT_BIT_TX_IOC_(tx->channel_number); +- int_sts = lan743x_csr_read(adapter, DMAC_INT_STS); ++ lan743x_csr_read(adapter, DMAC_INT_STS); + if (tx->vector_flags & LAN743X_VECTOR_FLAG_SOURCE_STATUS_W2C) + lan743x_csr_write(adapter, DMAC_INT_STS, ioc_bit); + spin_lock_irqsave(&tx->ring_lock, irq_flags); +diff --git a/drivers/net/ethernet/neterion/vxge/vxge-traffic.c b/drivers/net/ethernet/neterion/vxge/vxge-traffic.c +index 0c3b5dea2858a..ad3702d3d8310 100644 +--- a/drivers/net/ethernet/neterion/vxge/vxge-traffic.c ++++ b/drivers/net/ethernet/neterion/vxge/vxge-traffic.c +@@ -29,8 +29,6 @@ + */ + enum vxge_hw_status vxge_hw_vpath_intr_enable(struct __vxge_hw_vpath_handle *vp) + { +- u64 val64; +- + struct __vxge_hw_virtualpath *vpath; + struct vxge_hw_vpath_reg __iomem *vp_reg; + enum vxge_hw_status status = VXGE_HW_OK; +@@ -83,7 +81,7 @@ enum vxge_hw_status vxge_hw_vpath_intr_enable(struct __vxge_hw_vpath_handle *vp) + __vxge_hw_pio_mem_write32_upper((u32)VXGE_HW_INTR_MASK_ALL, + &vp_reg->xgmac_vp_int_status); + +- val64 = readq(&vp_reg->vpath_general_int_status); ++ readq(&vp_reg->vpath_general_int_status); + + /* Mask unwanted interrupts */ + +@@ -156,8 +154,6 @@ exit: + enum vxge_hw_status vxge_hw_vpath_intr_disable( + struct __vxge_hw_vpath_handle *vp) + { +- u64 val64; +- + struct __vxge_hw_virtualpath *vpath; + enum vxge_hw_status status = VXGE_HW_OK; + struct vxge_hw_vpath_reg __iomem *vp_reg; +@@ -178,8 +174,6 @@ enum vxge_hw_status vxge_hw_vpath_intr_disable( + (u32)VXGE_HW_INTR_MASK_ALL, + &vp_reg->vpath_general_int_mask); + +- val64 = VXGE_HW_TIM_CLR_INT_EN_VP(1 << (16 - vpath->vp_id)); +- + writeq(VXGE_HW_INTR_MASK_ALL, &vp_reg->kdfcctl_errors_mask); + + __vxge_hw_pio_mem_write32_upper((u32)VXGE_HW_INTR_MASK_ALL, +@@ -486,9 +480,7 @@ void vxge_hw_device_unmask_all(struct __vxge_hw_device *hldev) + */ + void vxge_hw_device_flush_io(struct __vxge_hw_device *hldev) + { +- u32 val32; +- +- val32 = readl(&hldev->common_reg->titan_general_int_status); ++ readl(&hldev->common_reg->titan_general_int_status); + } + + /** +@@ -1726,8 +1718,8 @@ void vxge_hw_fifo_txdl_free(struct __vxge_hw_fifo *fifo, void *txdlh) + enum vxge_hw_status + vxge_hw_vpath_mac_addr_add( + struct __vxge_hw_vpath_handle *vp, +- u8 (macaddr)[ETH_ALEN], +- u8 (macaddr_mask)[ETH_ALEN], ++ u8 *macaddr, ++ u8 *macaddr_mask, + enum vxge_hw_vpath_mac_addr_add_mode duplicate_mode) + { + u32 i; +@@ -1789,8 +1781,8 @@ exit: + enum vxge_hw_status + vxge_hw_vpath_mac_addr_get( + struct __vxge_hw_vpath_handle *vp, +- u8 (macaddr)[ETH_ALEN], +- u8 (macaddr_mask)[ETH_ALEN]) ++ u8 *macaddr, ++ u8 *macaddr_mask) + { + u32 i; + u64 data1 = 0ULL; +@@ -1841,8 +1833,8 @@ exit: + enum vxge_hw_status + vxge_hw_vpath_mac_addr_get_next( + struct __vxge_hw_vpath_handle *vp, +- u8 (macaddr)[ETH_ALEN], +- u8 (macaddr_mask)[ETH_ALEN]) ++ u8 *macaddr, ++ u8 *macaddr_mask) + { + u32 i; + u64 data1 = 0ULL; +@@ -1894,8 +1886,8 @@ exit: + enum vxge_hw_status + vxge_hw_vpath_mac_addr_delete( + struct __vxge_hw_vpath_handle *vp, +- u8 (macaddr)[ETH_ALEN], +- u8 (macaddr_mask)[ETH_ALEN]) ++ u8 *macaddr, ++ u8 *macaddr_mask) + { + u32 i; + u64 data1 = 0ULL; +@@ -2385,7 +2377,6 @@ enum vxge_hw_status vxge_hw_vpath_poll_rx(struct __vxge_hw_ring *ring) + u8 t_code; + enum vxge_hw_status status = VXGE_HW_OK; + void *first_rxdh; +- u64 val64 = 0; + int new_count = 0; + + ring->cmpl_cnt = 0; +@@ -2413,8 +2404,7 @@ enum vxge_hw_status vxge_hw_vpath_poll_rx(struct __vxge_hw_ring *ring) + } + writeq(VXGE_HW_PRC_RXD_DOORBELL_NEW_QW_CNT(new_count), + &ring->vp_reg->prc_rxd_doorbell); +- val64 = +- readl(&ring->common_reg->titan_general_int_status); ++ readl(&ring->common_reg->titan_general_int_status); + ring->doorbell_cnt = 0; + } + } +diff --git a/drivers/net/ethernet/sfc/falcon/farch.c b/drivers/net/ethernet/sfc/falcon/farch.c +index 411a2f419447c..8a14f77163026 100644 +--- a/drivers/net/ethernet/sfc/falcon/farch.c ++++ b/drivers/net/ethernet/sfc/falcon/farch.c +@@ -873,17 +873,12 @@ static u16 ef4_farch_handle_rx_not_ok(struct ef4_rx_queue *rx_queue, + { + struct ef4_channel *channel = ef4_rx_queue_channel(rx_queue); + struct ef4_nic *efx = rx_queue->efx; +- bool rx_ev_buf_owner_id_err, rx_ev_ip_hdr_chksum_err; ++ bool __maybe_unused rx_ev_buf_owner_id_err, rx_ev_ip_hdr_chksum_err; + bool rx_ev_tcp_udp_chksum_err, rx_ev_eth_crc_err; + bool rx_ev_frm_trunc, rx_ev_drib_nib, rx_ev_tobe_disc; +- bool rx_ev_other_err, rx_ev_pause_frm; +- bool rx_ev_hdr_type, rx_ev_mcast_pkt; +- unsigned rx_ev_pkt_type; ++ bool rx_ev_pause_frm; + +- rx_ev_hdr_type = EF4_QWORD_FIELD(*event, FSF_AZ_RX_EV_HDR_TYPE); +- rx_ev_mcast_pkt = EF4_QWORD_FIELD(*event, FSF_AZ_RX_EV_MCAST_PKT); + rx_ev_tobe_disc = EF4_QWORD_FIELD(*event, FSF_AZ_RX_EV_TOBE_DISC); +- rx_ev_pkt_type = EF4_QWORD_FIELD(*event, FSF_AZ_RX_EV_PKT_TYPE); + rx_ev_buf_owner_id_err = EF4_QWORD_FIELD(*event, + FSF_AZ_RX_EV_BUF_OWNER_ID_ERR); + rx_ev_ip_hdr_chksum_err = EF4_QWORD_FIELD(*event, +@@ -896,10 +891,6 @@ static u16 ef4_farch_handle_rx_not_ok(struct ef4_rx_queue *rx_queue, + 0 : EF4_QWORD_FIELD(*event, FSF_AA_RX_EV_DRIB_NIB)); + rx_ev_pause_frm = EF4_QWORD_FIELD(*event, FSF_AZ_RX_EV_PAUSE_FRM_ERR); + +- /* Every error apart from tobe_disc and pause_frm */ +- rx_ev_other_err = (rx_ev_drib_nib | rx_ev_tcp_udp_chksum_err | +- rx_ev_buf_owner_id_err | rx_ev_eth_crc_err | +- rx_ev_frm_trunc | rx_ev_ip_hdr_chksum_err); + + /* Count errors that are not in MAC stats. Ignore expected + * checksum errors during self-test. */ +@@ -919,6 +910,13 @@ static u16 ef4_farch_handle_rx_not_ok(struct ef4_rx_queue *rx_queue, + * to a FIFO overflow. + */ + #ifdef DEBUG ++ { ++ /* Every error apart from tobe_disc and pause_frm */ ++ ++ bool rx_ev_other_err = (rx_ev_drib_nib | rx_ev_tcp_udp_chksum_err | ++ rx_ev_buf_owner_id_err | rx_ev_eth_crc_err | ++ rx_ev_frm_trunc | rx_ev_ip_hdr_chksum_err); ++ + if (rx_ev_other_err && net_ratelimit()) { + netif_dbg(efx, rx_err, efx->net_dev, + " RX queue %d unexpected RX event " +@@ -935,6 +933,7 @@ static u16 ef4_farch_handle_rx_not_ok(struct ef4_rx_queue *rx_queue, + rx_ev_tobe_disc ? " [TOBE_DISC]" : "", + rx_ev_pause_frm ? " [PAUSE]" : ""); + } ++ } + #endif + + /* The frame must be discarded if any of these are true. */ +@@ -1646,15 +1645,11 @@ void ef4_farch_rx_push_indir_table(struct ef4_nic *efx) + */ + void ef4_farch_dimension_resources(struct ef4_nic *efx, unsigned sram_lim_qw) + { +- unsigned vi_count, buftbl_min; ++ unsigned vi_count; + + /* Account for the buffer table entries backing the datapath channels + * and the descriptor caches for those channels. + */ +- buftbl_min = ((efx->n_rx_channels * EF4_MAX_DMAQ_SIZE + +- efx->n_tx_channels * EF4_TXQ_TYPES * EF4_MAX_DMAQ_SIZE + +- efx->n_channels * EF4_MAX_EVQ_SIZE) +- * sizeof(ef4_qword_t) / EF4_BUF_SIZE); + vi_count = max(efx->n_channels, efx->n_tx_channels * EF4_TXQ_TYPES); + + efx->tx_dc_base = sram_lim_qw - vi_count * TX_DC_ENTRIES; +@@ -2535,7 +2530,6 @@ int ef4_farch_filter_remove_safe(struct ef4_nic *efx, + enum ef4_farch_filter_table_id table_id; + struct ef4_farch_filter_table *table; + unsigned int filter_idx; +- struct ef4_farch_filter_spec *spec; + int rc; + + table_id = ef4_farch_filter_id_table_id(filter_id); +@@ -2546,7 +2540,6 @@ int ef4_farch_filter_remove_safe(struct ef4_nic *efx, + filter_idx = ef4_farch_filter_id_index(filter_id); + if (filter_idx >= table->size) + return -ENOENT; +- spec = &table->spec[filter_idx]; + + spin_lock_bh(&efx->filter_lock); + rc = ef4_farch_filter_remove(efx, table, filter_idx, priority); +diff --git a/drivers/net/ethernet/sis/sis900.c b/drivers/net/ethernet/sis/sis900.c +index d5bcbc40a55fc..823873030a218 100644 +--- a/drivers/net/ethernet/sis/sis900.c ++++ b/drivers/net/ethernet/sis/sis900.c +@@ -783,10 +783,9 @@ static u16 sis900_default_phy(struct net_device * net_dev) + static void sis900_set_capability(struct net_device *net_dev, struct mii_phy *phy) + { + u16 cap; +- u16 status; + +- status = mdio_read(net_dev, phy->phy_addr, MII_STATUS); +- status = mdio_read(net_dev, phy->phy_addr, MII_STATUS); ++ mdio_read(net_dev, phy->phy_addr, MII_STATUS); ++ mdio_read(net_dev, phy->phy_addr, MII_STATUS); + + cap = MII_NWAY_CSMA_CD | + ((phy->status & MII_STAT_CAN_TX_FDX)? MII_NWAY_TX_FDX:0) | +diff --git a/drivers/net/ethernet/synopsys/dwc-xlgmac-common.c b/drivers/net/ethernet/synopsys/dwc-xlgmac-common.c +index eb1c6b03c329a..df26cea459048 100644 +--- a/drivers/net/ethernet/synopsys/dwc-xlgmac-common.c ++++ b/drivers/net/ethernet/synopsys/dwc-xlgmac-common.c +@@ -513,7 +513,7 @@ void xlgmac_get_all_hw_features(struct xlgmac_pdata *pdata) + + void xlgmac_print_all_hw_features(struct xlgmac_pdata *pdata) + { +- char *str = NULL; ++ char __maybe_unused *str = NULL; + + XLGMAC_PR("\n"); + XLGMAC_PR("=====================================================\n"); +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index 9bb84d83afc15..56130cf293f37 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -1240,7 +1240,7 @@ static int emac_poll(struct napi_struct *napi, int budget) + struct net_device *ndev = priv->ndev; + struct device *emac_dev = &ndev->dev; + u32 status = 0; +- u32 num_tx_pkts = 0, num_rx_pkts = 0; ++ u32 num_rx_pkts = 0; + + /* Check interrupt vectors and call packet processing */ + status = emac_read(EMAC_MACINVECTOR); +@@ -1251,8 +1251,7 @@ static int emac_poll(struct napi_struct *napi, int budget) + mask = EMAC_DM646X_MAC_IN_VECTOR_TX_INT_VEC; + + if (status & mask) { +- num_tx_pkts = cpdma_chan_process(priv->txchan, +- EMAC_DEF_TX_MAX_SERVICE); ++ cpdma_chan_process(priv->txchan, EMAC_DEF_TX_MAX_SERVICE); + } /* TX processing */ + + mask = EMAC_DM644X_MAC_IN_VECTOR_RX_INT_VEC; +diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c +index a1d335a3c5e43..6099865217f29 100644 +--- a/drivers/net/ethernet/ti/netcp_core.c ++++ b/drivers/net/ethernet/ti/netcp_core.c +@@ -1364,9 +1364,9 @@ int netcp_txpipe_open(struct netcp_tx_pipe *tx_pipe) + tx_pipe->dma_queue = knav_queue_open(name, tx_pipe->dma_queue_id, + KNAV_QUEUE_SHARED); + if (IS_ERR(tx_pipe->dma_queue)) { ++ ret = PTR_ERR(tx_pipe->dma_queue); + dev_err(dev, "Could not open DMA queue for channel \"%s\": %d\n", + name, ret); +- ret = PTR_ERR(tx_pipe->dma_queue); + goto err; + } + +diff --git a/drivers/net/ethernet/ti/tlan.c b/drivers/net/ethernet/ti/tlan.c +index 93d142867c2af..01f99e5df1456 100644 +--- a/drivers/net/ethernet/ti/tlan.c ++++ b/drivers/net/ethernet/ti/tlan.c +@@ -671,7 +671,6 @@ module_exit(tlan_exit); + static void __init tlan_eisa_probe(void) + { + long ioaddr; +- int rc = -ENODEV; + int irq; + u16 device_id; + +@@ -736,8 +735,7 @@ static void __init tlan_eisa_probe(void) + + + /* Setup the newly found eisa adapter */ +- rc = tlan_probe1(NULL, ioaddr, irq, +- 12, NULL); ++ tlan_probe1(NULL, ioaddr, irq, 12, NULL); + continue; + + out: +diff --git a/drivers/net/ethernet/via/via-velocity.c b/drivers/net/ethernet/via/via-velocity.c +index ef9538ee53d0d..f0c33d00dcb41 100644 +--- a/drivers/net/ethernet/via/via-velocity.c ++++ b/drivers/net/ethernet/via/via-velocity.c +@@ -875,26 +875,13 @@ static u32 check_connection_type(struct mac_regs __iomem *regs) + */ + static int velocity_set_media_mode(struct velocity_info *vptr, u32 mii_status) + { +- u32 curr_status; + struct mac_regs __iomem *regs = vptr->mac_regs; + + vptr->mii_status = mii_check_media_mode(vptr->mac_regs); +- curr_status = vptr->mii_status & (~VELOCITY_LINK_FAIL); + + /* Set mii link status */ + set_mii_flow_control(vptr); + +- /* +- Check if new status is consistent with current status +- if (((mii_status & curr_status) & VELOCITY_AUTONEG_ENABLE) || +- (mii_status==curr_status)) { +- vptr->mii_status=mii_check_media_mode(vptr->mac_regs); +- vptr->mii_status=check_connection_type(vptr->mac_regs); +- VELOCITY_PRT(MSG_LEVEL_INFO, "Velocity link no change\n"); +- return 0; +- } +- */ +- + if (PHYID_GET_PHY_ID(vptr->phy_id) == PHYID_CICADA_CS8201) + MII_REG_BITS_ON(AUXCR_MDPPS, MII_NCONFIG, vptr->mac_regs); + +diff --git a/drivers/net/phy/mdio-octeon.c b/drivers/net/phy/mdio-octeon.c +index ab6914f8bd50f..1da104150f445 100644 +--- a/drivers/net/phy/mdio-octeon.c ++++ b/drivers/net/phy/mdio-octeon.c +@@ -75,7 +75,6 @@ static int octeon_mdiobus_probe(struct platform_device *pdev) + + return 0; + fail_register: +- mdiobus_free(bus->mii_bus); + smi_en.u64 = 0; + oct_mdio_writeq(smi_en.u64, bus->register_base + SMI_EN); + return err; +@@ -89,7 +88,6 @@ static int octeon_mdiobus_remove(struct platform_device *pdev) + bus = platform_get_drvdata(pdev); + + mdiobus_unregister(bus->mii_bus); +- mdiobus_free(bus->mii_bus); + smi_en.u64 = 0; + oct_mdio_writeq(smi_en.u64, bus->register_base + SMI_EN); + return 0; +diff --git a/drivers/net/phy/mdio-thunder.c b/drivers/net/phy/mdio-thunder.c +index 564616968cad4..c0c922eff760c 100644 +--- a/drivers/net/phy/mdio-thunder.c ++++ b/drivers/net/phy/mdio-thunder.c +@@ -129,7 +129,6 @@ static void thunder_mdiobus_pci_remove(struct pci_dev *pdev) + continue; + + mdiobus_unregister(bus->mii_bus); +- mdiobus_free(bus->mii_bus); + oct_mdio_writeq(0, bus->register_base + SMI_EN); + } + pci_set_drvdata(pdev, NULL); +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index 94f1c2422f844..a66077f514572 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -1703,7 +1703,7 @@ static int hso_serial_tiocmset(struct tty_struct *tty, + spin_unlock_irqrestore(&serial->serial_lock, flags); + + return usb_control_msg(serial->parent->usb, +- usb_rcvctrlpipe(serial->parent->usb, 0), 0x22, ++ usb_sndctrlpipe(serial->parent->usb, 0), 0x22, + 0x21, val, if_num, NULL, 0, + USB_CTRL_SET_TIMEOUT); + } +@@ -2450,7 +2450,7 @@ static int hso_rfkill_set_block(void *data, bool blocked) + if (hso_dev->usb_gone) + rv = 0; + else +- rv = usb_control_msg(hso_dev->usb, usb_rcvctrlpipe(hso_dev->usb, 0), ++ rv = usb_control_msg(hso_dev->usb, usb_sndctrlpipe(hso_dev->usb, 0), + enabled ? 0x82 : 0x81, 0x40, 0, 0, NULL, 0, + USB_CTRL_SET_TIMEOUT); + mutex_unlock(&hso_dev->mutex); +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index ec287c9741e83..62f2862c9775e 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -1495,7 +1495,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_wait_ready(dev, 0); + if (ret < 0) { + netdev_warn(dev->net, "device not ready in smsc75xx_bind\n"); +- return ret; ++ goto err; + } + + smsc75xx_init_mac_address(dev); +@@ -1504,7 +1504,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_reset(dev); + if (ret < 0) { + netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret); +- return ret; ++ goto err; + } + + dev->net->netdev_ops = &smsc75xx_netdev_ops; +@@ -1514,6 +1514,10 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len; + dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE; + return 0; ++ ++err: ++ kfree(pdata); ++ return ret; + } + + static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf) +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index 68cda1564c77a..0a7551dc0f945 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -1769,14 +1769,62 @@ static void ath10k_htt_rx_h_unchain(struct ath10k *ar, + ath10k_unchain_msdu(amsdu, unchain_cnt); + } + ++static bool ath10k_htt_rx_validate_amsdu(struct ath10k *ar, ++ struct sk_buff_head *amsdu) ++{ ++ u8 *subframe_hdr; ++ struct sk_buff *first; ++ bool is_first, is_last; ++ struct htt_rx_desc *rxd; ++ struct ieee80211_hdr *hdr; ++ size_t hdr_len, crypto_len; ++ enum htt_rx_mpdu_encrypt_type enctype; ++ int bytes_aligned = ar->hw_params.decap_align_bytes; ++ ++ first = skb_peek(amsdu); ++ ++ rxd = (void *)first->data - sizeof(*rxd); ++ hdr = (void *)rxd->rx_hdr_status; ++ ++ is_first = !!(rxd->msdu_end.common.info0 & ++ __cpu_to_le32(RX_MSDU_END_INFO0_FIRST_MSDU)); ++ is_last = !!(rxd->msdu_end.common.info0 & ++ __cpu_to_le32(RX_MSDU_END_INFO0_LAST_MSDU)); ++ ++ /* Return in case of non-aggregated msdu */ ++ if (is_first && is_last) ++ return true; ++ ++ /* First msdu flag is not set for the first msdu of the list */ ++ if (!is_first) ++ return false; ++ ++ enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0), ++ RX_MPDU_START_INFO0_ENCRYPT_TYPE); ++ ++ hdr_len = ieee80211_hdrlen(hdr->frame_control); ++ crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype); ++ ++ subframe_hdr = (u8 *)hdr + round_up(hdr_len, bytes_aligned) + ++ crypto_len; ++ ++ /* Validate if the amsdu has a proper first subframe. ++ * There are chances a single msdu can be received as amsdu when ++ * the unauthenticated amsdu flag of a QoS header ++ * gets flipped in non-SPP AMSDU's, in such cases the first ++ * subframe has llc/snap header in place of a valid da. ++ * return false if the da matches rfc1042 pattern ++ */ ++ if (ether_addr_equal(subframe_hdr, rfc1042_header)) ++ return false; ++ ++ return true; ++} ++ + static bool ath10k_htt_rx_amsdu_allowed(struct ath10k *ar, + struct sk_buff_head *amsdu, + struct ieee80211_rx_status *rx_status) + { +- /* FIXME: It might be a good idea to do some fuzzy-testing to drop +- * invalid/dangerous frames. +- */ +- + if (!rx_status->freq) { + ath10k_dbg(ar, ATH10K_DBG_HTT, "no channel configured; ignoring frame(s)!\n"); + return false; +@@ -1787,6 +1835,11 @@ static bool ath10k_htt_rx_amsdu_allowed(struct ath10k *ar, + return false; + } + ++ if (!ath10k_htt_rx_validate_amsdu(ar, amsdu)) { ++ ath10k_dbg(ar, ATH10K_DBG_HTT, "invalid amsdu received\n"); ++ return false; ++ } ++ + return true; + } + +diff --git a/drivers/net/wireless/marvell/libertas/mesh.c b/drivers/net/wireless/marvell/libertas/mesh.c +index b0cb16ef8d1d0..b313c78e21544 100644 +--- a/drivers/net/wireless/marvell/libertas/mesh.c ++++ b/drivers/net/wireless/marvell/libertas/mesh.c +@@ -793,19 +793,6 @@ static const struct attribute_group mesh_ie_group = { + .attrs = mesh_ie_attrs, + }; + +-static void lbs_persist_config_init(struct net_device *dev) +-{ +- int ret; +- ret = sysfs_create_group(&(dev->dev.kobj), &boot_opts_group); +- ret = sysfs_create_group(&(dev->dev.kobj), &mesh_ie_group); +-} +- +-static void lbs_persist_config_remove(struct net_device *dev) +-{ +- sysfs_remove_group(&(dev->dev.kobj), &boot_opts_group); +- sysfs_remove_group(&(dev->dev.kobj), &mesh_ie_group); +-} +- + + /*************************************************************************** + * Initializing and starting, stopping mesh +@@ -1005,6 +992,10 @@ static int lbs_add_mesh(struct lbs_private *priv) + SET_NETDEV_DEV(priv->mesh_dev, priv->dev->dev.parent); + + mesh_dev->flags |= IFF_BROADCAST | IFF_MULTICAST; ++ mesh_dev->sysfs_groups[0] = &lbs_mesh_attr_group; ++ mesh_dev->sysfs_groups[1] = &boot_opts_group; ++ mesh_dev->sysfs_groups[2] = &mesh_ie_group; ++ + /* Register virtual mesh interface */ + ret = register_netdev(mesh_dev); + if (ret) { +@@ -1012,19 +1003,10 @@ static int lbs_add_mesh(struct lbs_private *priv) + goto err_free_netdev; + } + +- ret = sysfs_create_group(&(mesh_dev->dev.kobj), &lbs_mesh_attr_group); +- if (ret) +- goto err_unregister; +- +- lbs_persist_config_init(mesh_dev); +- + /* Everything successful */ + ret = 0; + goto done; + +-err_unregister: +- unregister_netdev(mesh_dev); +- + err_free_netdev: + free_netdev(mesh_dev); + +@@ -1045,8 +1027,6 @@ void lbs_remove_mesh(struct lbs_private *priv) + + netif_stop_queue(mesh_dev); + netif_carrier_off(mesh_dev); +- sysfs_remove_group(&(mesh_dev->dev.kobj), &lbs_mesh_attr_group); +- lbs_persist_config_remove(mesh_dev); + unregister_netdev(mesh_dev); + priv->mesh_dev = NULL; + kfree(mesh_dev->ieee80211_ptr); +diff --git a/drivers/platform/x86/hp-wireless.c b/drivers/platform/x86/hp-wireless.c +index d6ea5e998fb88..bb95bec0b110d 100644 +--- a/drivers/platform/x86/hp-wireless.c ++++ b/drivers/platform/x86/hp-wireless.c +@@ -30,12 +30,14 @@ MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Alex Hung"); + MODULE_ALIAS("acpi*:HPQ6001:*"); + MODULE_ALIAS("acpi*:WSTADEF:*"); ++MODULE_ALIAS("acpi*:AMDI0051:*"); + + static struct input_dev *hpwl_input_dev; + + static const struct acpi_device_id hpwl_ids[] = { + {"HPQ6001", 0}, + {"WSTADEF", 0}, ++ {"AMDI0051", 0}, + {"", 0}, + }; + +diff --git a/drivers/platform/x86/hp_accel.c b/drivers/platform/x86/hp_accel.c +index 7b12abe86b94f..9c3c83ef445bf 100644 +--- a/drivers/platform/x86/hp_accel.c ++++ b/drivers/platform/x86/hp_accel.c +@@ -101,6 +101,9 @@ MODULE_DEVICE_TABLE(acpi, lis3lv02d_device_ids); + static int lis3lv02d_acpi_init(struct lis3lv02d *lis3) + { + struct acpi_device *dev = lis3->bus_priv; ++ if (!lis3->init_required) ++ return 0; ++ + if (acpi_evaluate_object(dev->handle, METHOD_NAME__INI, + NULL, NULL) != AE_OK) + return -EINVAL; +@@ -367,6 +370,7 @@ static int lis3lv02d_add(struct acpi_device *device) + } + + /* call the core layer do its init */ ++ lis3_dev.init_required = true; + ret = lis3lv02d_init_device(&lis3_dev); + if (ret) + return ret; +@@ -414,11 +418,27 @@ static int lis3lv02d_suspend(struct device *dev) + + static int lis3lv02d_resume(struct device *dev) + { ++ lis3_dev.init_required = false; ++ lis3lv02d_poweron(&lis3_dev); ++ return 0; ++} ++ ++static int lis3lv02d_restore(struct device *dev) ++{ ++ lis3_dev.init_required = true; + lis3lv02d_poweron(&lis3_dev); + return 0; + } + +-static SIMPLE_DEV_PM_OPS(hp_accel_pm, lis3lv02d_suspend, lis3lv02d_resume); ++static const struct dev_pm_ops hp_accel_pm = { ++ .suspend = lis3lv02d_suspend, ++ .resume = lis3lv02d_resume, ++ .freeze = lis3lv02d_suspend, ++ .thaw = lis3lv02d_resume, ++ .poweroff = lis3lv02d_suspend, ++ .restore = lis3lv02d_restore, ++}; ++ + #define HP_ACCEL_PM (&hp_accel_pm) + #else + #define HP_ACCEL_PM NULL +diff --git a/drivers/platform/x86/intel_punit_ipc.c b/drivers/platform/x86/intel_punit_ipc.c +index 2efeab650345c..d6a7039a0591b 100644 +--- a/drivers/platform/x86/intel_punit_ipc.c ++++ b/drivers/platform/x86/intel_punit_ipc.c +@@ -331,6 +331,7 @@ static const struct acpi_device_id punit_ipc_acpi_ids[] = { + { "INT34D4", 0 }, + { } + }; ++MODULE_DEVICE_TABLE(acpi, punit_ipc_acpi_ids); + + static struct platform_driver intel_punit_ipc_driver = { + .probe = intel_punit_ipc_probe, +diff --git a/drivers/scsi/BusLogic.c b/drivers/scsi/BusLogic.c +index 0d4ffe0ae3065..79b5c5457cc22 100644 +--- a/drivers/scsi/BusLogic.c ++++ b/drivers/scsi/BusLogic.c +@@ -3081,11 +3081,11 @@ static int blogic_qcmd_lck(struct scsi_cmnd *command, + ccb->opcode = BLOGIC_INITIATOR_CCB_SG; + ccb->datalen = count * sizeof(struct blogic_sg_seg); + if (blogic_multimaster_type(adapter)) +- ccb->data = (void *)((unsigned int) ccb->dma_handle + ++ ccb->data = (unsigned int) ccb->dma_handle + + ((unsigned long) &ccb->sglist - +- (unsigned long) ccb)); ++ (unsigned long) ccb); + else +- ccb->data = ccb->sglist; ++ ccb->data = virt_to_32bit_virt(ccb->sglist); + + scsi_for_each_sg(command, sg, count, i) { + ccb->sglist[i].segbytes = sg_dma_len(sg); +diff --git a/drivers/scsi/BusLogic.h b/drivers/scsi/BusLogic.h +index 8d47e2c88d242..1a33a4b28d45d 100644 +--- a/drivers/scsi/BusLogic.h ++++ b/drivers/scsi/BusLogic.h +@@ -821,7 +821,7 @@ struct blogic_ccb { + unsigned char cdblen; /* Byte 2 */ + unsigned char sense_datalen; /* Byte 3 */ + u32 datalen; /* Bytes 4-7 */ +- void *data; /* Bytes 8-11 */ ++ u32 data; /* Bytes 8-11 */ + unsigned char:8; /* Byte 12 */ + unsigned char:8; /* Byte 13 */ + enum blogic_adapter_status adapter_status; /* Byte 14 */ +diff --git a/drivers/scsi/libsas/sas_port.c b/drivers/scsi/libsas/sas_port.c +index fad23dd391143..1a0b2ce398f7c 100644 +--- a/drivers/scsi/libsas/sas_port.c ++++ b/drivers/scsi/libsas/sas_port.c +@@ -41,7 +41,7 @@ static bool phy_is_wideport_member(struct asd_sas_port *port, struct asd_sas_phy + + static void sas_resume_port(struct asd_sas_phy *phy) + { +- struct domain_device *dev; ++ struct domain_device *dev, *n; + struct asd_sas_port *port = phy->port; + struct sas_ha_struct *sas_ha = phy->ha; + struct sas_internal *si = to_sas_internal(sas_ha->core.shost->transportt); +@@ -60,7 +60,7 @@ static void sas_resume_port(struct asd_sas_phy *phy) + * 1/ presume every device came back + * 2/ force the next revalidation to check all expander phys + */ +- list_for_each_entry(dev, &port->dev_list, dev_list_node) { ++ list_for_each_entry_safe(dev, n, &port->dev_list, dev_list_node) { + int i, rc; + + rc = sas_notify_lldd_dev_found(dev); +diff --git a/drivers/spi/spi-gpio.c b/drivers/spi/spi-gpio.c +index 77838d8fd9bb6..341d2953d7fca 100644 +--- a/drivers/spi/spi-gpio.c ++++ b/drivers/spi/spi-gpio.c +@@ -382,7 +382,7 @@ static int spi_gpio_probe(struct platform_device *pdev) + return -ENODEV; + #endif + +- master = spi_alloc_master(&pdev->dev, sizeof(*spi_gpio)); ++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*spi_gpio)); + if (!master) + return -ENOMEM; + +@@ -438,11 +438,7 @@ static int spi_gpio_probe(struct platform_device *pdev) + } + spi_gpio->bitbang.setup_transfer = spi_bitbang_setup_transfer; + +- status = spi_bitbang_start(&spi_gpio->bitbang); +- if (status) +- spi_master_put(master); +- +- return status; ++ return spi_bitbang_start(&spi_gpio->bitbang); + } + + static int spi_gpio_remove(struct platform_device *pdev) +diff --git a/drivers/staging/emxx_udc/emxx_udc.c b/drivers/staging/emxx_udc/emxx_udc.c +index 3e51476a70451..d2cb2bd6d9133 100644 +--- a/drivers/staging/emxx_udc/emxx_udc.c ++++ b/drivers/staging/emxx_udc/emxx_udc.c +@@ -2148,7 +2148,7 @@ static int _nbu2ss_nuke(struct nbu2ss_udc *udc, + struct nbu2ss_ep *ep, + int status) + { +- struct nbu2ss_req *req; ++ struct nbu2ss_req *req, *n; + + /* Endpoint Disable */ + _nbu2ss_epn_exit(udc, ep); +@@ -2160,7 +2160,7 @@ static int _nbu2ss_nuke(struct nbu2ss_udc *udc, + return 0; + + /* called with irqs blocked */ +- list_for_each_entry(req, &ep->queue, queue) { ++ list_for_each_entry_safe(req, n, &ep->queue, queue) { + _nbu2ss_ep_done(ep, req, status); + } + +diff --git a/drivers/staging/iio/cdc/ad7746.c b/drivers/staging/iio/cdc/ad7746.c +index f53612a6461d6..18a73ee48e7c6 100644 +--- a/drivers/staging/iio/cdc/ad7746.c ++++ b/drivers/staging/iio/cdc/ad7746.c +@@ -703,7 +703,6 @@ static int ad7746_probe(struct i2c_client *client, + indio_dev->num_channels = ARRAY_SIZE(ad7746_channels); + else + indio_dev->num_channels = ARRAY_SIZE(ad7746_channels) - 2; +- indio_dev->num_channels = ARRAY_SIZE(ad7746_channels); + indio_dev->modes = INDIO_DIRECT_MODE; + + if (pdata) { +diff --git a/drivers/staging/mt7621-spi/spi-mt7621.c b/drivers/staging/mt7621-spi/spi-mt7621.c +index 33c747bc83202..75ed48f60c8c7 100644 +--- a/drivers/staging/mt7621-spi/spi-mt7621.c ++++ b/drivers/staging/mt7621-spi/spi-mt7621.c +@@ -452,7 +452,7 @@ static int mt7621_spi_probe(struct platform_device *pdev) + if (status) + return status; + +- master = spi_alloc_master(&pdev->dev, sizeof(*rs)); ++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*rs)); + if (master == NULL) { + dev_info(&pdev->dev, "master allocation failed\n"); + clk_disable_unprepare(clk); +@@ -487,7 +487,11 @@ static int mt7621_spi_probe(struct platform_device *pdev) + + mt7621_spi_reset(rs, 0); + +- return spi_register_master(master); ++ ret = spi_register_master(master); ++ if (ret) ++ clk_disable_unprepare(clk); ++ ++ return ret; + } + + static int mt7621_spi_remove(struct platform_device *pdev) +@@ -498,8 +502,8 @@ static int mt7621_spi_remove(struct platform_device *pdev) + master = dev_get_drvdata(&pdev->dev); + rs = spi_master_get_devdata(master); + +- clk_disable(rs->clk); + spi_unregister_master(master); ++ clk_disable_unprepare(rs->clk); + + return 0; + } +diff --git a/drivers/thunderbolt/dma_port.c b/drivers/thunderbolt/dma_port.c +index f2701194f8100..994ac759d364f 100644 +--- a/drivers/thunderbolt/dma_port.c ++++ b/drivers/thunderbolt/dma_port.c +@@ -367,15 +367,15 @@ int dma_port_flash_read(struct tb_dma_port *dma, unsigned int address, + void *buf, size_t size) + { + unsigned int retries = DMA_PORT_RETRIES; +- unsigned int offset; +- +- offset = address & 3; +- address = address & ~3; + + do { +- u32 nbytes = min_t(u32, size, MAIL_DATA_DWORDS * 4); ++ unsigned int offset; ++ size_t nbytes; + int ret; + ++ offset = address & 3; ++ nbytes = min_t(size_t, size + offset, MAIL_DATA_DWORDS * 4); ++ + ret = dma_port_flash_read_block(dma, address, dma->buf, + ALIGN(nbytes, 4)); + if (ret) { +@@ -387,6 +387,7 @@ int dma_port_flash_read(struct tb_dma_port *dma, unsigned int address, + return ret; + } + ++ nbytes -= offset; + memcpy(buf, dma->buf + offset, nbytes); + + size -= nbytes; +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c +index 0c35c3c5e3734..c1ab0dbda8a90 100644 +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -1480,10 +1480,12 @@ static int __init max310x_uart_init(void) + return ret; + + #ifdef CONFIG_SPI_MASTER +- spi_register_driver(&max310x_spi_driver); ++ ret = spi_register_driver(&max310x_spi_driver); ++ if (ret) ++ uart_unregister_driver(&max310x_uart); + #endif + +- return 0; ++ return ret; + } + module_init(max310x_uart_init); + +diff --git a/drivers/tty/serial/rp2.c b/drivers/tty/serial/rp2.c +index 5690c09cc0417..944a4c0105795 100644 +--- a/drivers/tty/serial/rp2.c ++++ b/drivers/tty/serial/rp2.c +@@ -195,7 +195,6 @@ struct rp2_card { + void __iomem *bar0; + void __iomem *bar1; + spinlock_t card_lock; +- struct completion fw_loaded; + }; + + #define RP_ID(prod) PCI_VDEVICE(RP, (prod)) +@@ -664,17 +663,10 @@ static void rp2_remove_ports(struct rp2_card *card) + card->initialized_ports = 0; + } + +-static void rp2_fw_cb(const struct firmware *fw, void *context) ++static int rp2_load_firmware(struct rp2_card *card, const struct firmware *fw) + { +- struct rp2_card *card = context; + resource_size_t phys_base; +- int i, rc = -ENOENT; +- +- if (!fw) { +- dev_err(&card->pdev->dev, "cannot find '%s' firmware image\n", +- RP2_FW_NAME); +- goto no_fw; +- } ++ int i, rc = 0; + + phys_base = pci_resource_start(card->pdev, 1); + +@@ -720,23 +712,13 @@ static void rp2_fw_cb(const struct firmware *fw, void *context) + card->initialized_ports++; + } + +- release_firmware(fw); +-no_fw: +- /* +- * rp2_fw_cb() is called from a workqueue long after rp2_probe() +- * has already returned success. So if something failed here, +- * we'll just leave the now-dormant device in place until somebody +- * unbinds it. +- */ +- if (rc) +- dev_warn(&card->pdev->dev, "driver initialization failed\n"); +- +- complete(&card->fw_loaded); ++ return rc; + } + + static int rp2_probe(struct pci_dev *pdev, + const struct pci_device_id *id) + { ++ const struct firmware *fw; + struct rp2_card *card; + struct rp2_uart_port *ports; + void __iomem * const *bars; +@@ -747,7 +729,6 @@ static int rp2_probe(struct pci_dev *pdev, + return -ENOMEM; + pci_set_drvdata(pdev, card); + spin_lock_init(&card->card_lock); +- init_completion(&card->fw_loaded); + + rc = pcim_enable_device(pdev); + if (rc) +@@ -780,21 +761,23 @@ static int rp2_probe(struct pci_dev *pdev, + return -ENOMEM; + card->ports = ports; + +- rc = devm_request_irq(&pdev->dev, pdev->irq, rp2_uart_interrupt, +- IRQF_SHARED, DRV_NAME, card); +- if (rc) ++ rc = request_firmware(&fw, RP2_FW_NAME, &pdev->dev); ++ if (rc < 0) { ++ dev_err(&pdev->dev, "cannot find '%s' firmware image\n", ++ RP2_FW_NAME); + return rc; ++ } + +- /* +- * Only catastrophic errors (e.g. ENOMEM) are reported here. +- * If the FW image is missing, we'll find out in rp2_fw_cb() +- * and print an error message. +- */ +- rc = request_firmware_nowait(THIS_MODULE, 1, RP2_FW_NAME, &pdev->dev, +- GFP_KERNEL, card, rp2_fw_cb); ++ rc = rp2_load_firmware(card, fw); ++ ++ release_firmware(fw); ++ if (rc < 0) ++ return rc; ++ ++ rc = devm_request_irq(&pdev->dev, pdev->irq, rp2_uart_interrupt, ++ IRQF_SHARED, DRV_NAME, card); + if (rc) + return rc; +- dev_dbg(&pdev->dev, "waiting for firmware blob...\n"); + + return 0; + } +@@ -803,7 +786,6 @@ static void rp2_remove(struct pci_dev *pdev) + { + struct rp2_card *card = pci_get_drvdata(pdev); + +- wait_for_completion(&card->fw_loaded); + rp2_remove_ports(card); + } + +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index 8aaa7900927a8..bfbfe0d68d828 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1026,10 +1026,10 @@ static int scif_set_rtrg(struct uart_port *port, int rx_trig) + { + unsigned int bits; + ++ if (rx_trig >= port->fifosize) ++ rx_trig = port->fifosize - 1; + if (rx_trig < 1) + rx_trig = 1; +- if (rx_trig >= port->fifosize) +- rx_trig = port->fifosize; + + /* HSCIF can be set to an arbitrary level. */ + if (sci_getreg(port, HSRTRGR)->size) { +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 732e7f1687dd2..a45443482e0b4 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1189,7 +1189,12 @@ static int proc_bulk(struct usb_dev_state *ps, void __user *arg) + ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb)); + if (ret) + return ret; +- tbuf = kmalloc(len1, GFP_KERNEL); ++ ++ /* ++ * len1 can be almost arbitrarily large. Don't WARN if it's ++ * too big, just fail the request. ++ */ ++ tbuf = kmalloc(len1, GFP_KERNEL | __GFP_NOWARN); + if (!tbuf) { + ret = -ENOMEM; + goto done; +@@ -1631,7 +1636,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb + if (num_sgs) { + as->urb->sg = kmalloc_array(num_sgs, + sizeof(struct scatterlist), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (!as->urb->sg) { + ret = -ENOMEM; + goto error; +@@ -1666,7 +1671,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb + (uurb_start - as->usbm->vm_start); + } else { + as->urb->transfer_buffer = kmalloc(uurb->buffer_length, +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (!as->urb->transfer_buffer) { + ret = -ENOMEM; + goto error; +diff --git a/drivers/usb/core/hub.h b/drivers/usb/core/hub.h +index d0bbbd76ba8e9..df3aa0b69188f 100644 +--- a/drivers/usb/core/hub.h ++++ b/drivers/usb/core/hub.h +@@ -146,8 +146,10 @@ static inline unsigned hub_power_on_good_delay(struct usb_hub *hub) + { + unsigned delay = hub->descriptor->bPwrOn2PwrGood * 2; + +- /* Wait at least 100 msec for power to become stable */ +- return max(delay, 100U); ++ if (!hub->hdev->parent) /* root hub */ ++ return delay; ++ else /* Wait at least 100 msec for power to become stable */ ++ return max(delay, 100U); + } + + static inline int hub_port_debounce_be_connected(struct usb_hub *hub, +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 8ce13f5e83c73..1396ee5297923 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1162,6 +1162,7 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep, + req->start_sg = sg_next(s); + + req->num_queued_sgs++; ++ req->num_pending_sgs--; + + /* + * The number of pending SG entries may not correspond to the +@@ -1169,7 +1170,7 @@ static void dwc3_prepare_one_trb_sg(struct dwc3_ep *dep, + * don't include unused SG entries. + */ + if (length == 0) { +- req->num_pending_sgs -= req->request.num_mapped_sgs - req->num_queued_sgs; ++ req->num_pending_sgs = 0; + break; + } + +@@ -1834,6 +1835,10 @@ static void dwc3_gadget_enable_irq(struct dwc3 *dwc) + if (dwc->revision < DWC3_REVISION_250A) + reg |= DWC3_DEVTEN_ULSTCNGEN; + ++ /* On 2.30a and above this bit enables U3/L2-L1 Suspend Events */ ++ if (dwc->revision >= DWC3_REVISION_230A) ++ reg |= DWC3_DEVTEN_EOPFEN; ++ + dwc3_writel(dwc->regs, DWC3_DEVTEN, reg); + } + +@@ -2357,15 +2362,15 @@ static int dwc3_gadget_ep_reclaim_trb_sg(struct dwc3_ep *dep, + struct dwc3_trb *trb = &dep->trb_pool[dep->trb_dequeue]; + struct scatterlist *sg = req->sg; + struct scatterlist *s; +- unsigned int pending = req->num_pending_sgs; ++ unsigned int num_queued = req->num_queued_sgs; + unsigned int i; + int ret = 0; + +- for_each_sg(sg, s, pending, i) { ++ for_each_sg(sg, s, num_queued, i) { + trb = &dep->trb_pool[dep->trb_dequeue]; + + req->sg = sg_next(s); +- req->num_pending_sgs--; ++ req->num_queued_sgs--; + + ret = dwc3_gadget_ep_reclaim_completed_trb(dep, req, + trb, event, status, true); +@@ -2388,7 +2393,7 @@ static int dwc3_gadget_ep_reclaim_trb_linear(struct dwc3_ep *dep, + + static bool dwc3_gadget_ep_request_completed(struct dwc3_request *req) + { +- return req->num_pending_sgs == 0; ++ return req->num_pending_sgs == 0 && req->num_queued_sgs == 0; + } + + static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep, +@@ -2397,7 +2402,7 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep, + { + int ret; + +- if (req->num_pending_sgs) ++ if (req->request.num_mapped_sgs) + ret = dwc3_gadget_ep_reclaim_trb_sg(dep, req, event, + status); + else +diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c +index a5254e82d6282..c17d7a71e29a3 100644 +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -1466,7 +1466,7 @@ static void usb3_start_pipen(struct renesas_usb3_ep *usb3_ep, + struct renesas_usb3_request *usb3_req) + { + struct renesas_usb3 *usb3 = usb3_ep_to_usb3(usb3_ep); +- struct renesas_usb3_request *usb3_req_first = usb3_get_request(usb3_ep); ++ struct renesas_usb3_request *usb3_req_first; + unsigned long flags; + int ret = -EAGAIN; + u32 enable_bits = 0; +@@ -1474,7 +1474,8 @@ static void usb3_start_pipen(struct renesas_usb3_ep *usb3_ep, + spin_lock_irqsave(&usb3->lock, flags); + if (usb3_ep->halt || usb3_ep->started) + goto out; +- if (usb3_req != usb3_req_first) ++ usb3_req_first = __usb3_get_request(usb3_ep); ++ if (!usb3_req_first || usb3_req != usb3_req_first) + goto out; + + if (usb3_pn_change(usb3, usb3_ep->num) < 0) +diff --git a/drivers/usb/misc/trancevibrator.c b/drivers/usb/misc/trancevibrator.c +index b3e1f553954a4..ed63e954970a7 100644 +--- a/drivers/usb/misc/trancevibrator.c ++++ b/drivers/usb/misc/trancevibrator.c +@@ -59,9 +59,9 @@ static ssize_t speed_store(struct device *dev, struct device_attribute *attr, + /* Set speed */ + retval = usb_control_msg(tv->udev, usb_sndctrlpipe(tv->udev, 0), + 0x01, /* vendor request: set speed */ +- USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_OTHER, ++ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER, + tv->speed, /* speed value */ +- 0, NULL, 0, USB_CTRL_GET_TIMEOUT); ++ 0, NULL, 0, USB_CTRL_SET_TIMEOUT); + if (retval) { + tv->speed = old; + dev_dbg(&tv->udev->dev, "retval = %d\n", retval); +diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c +index b5d6616442635..748139d262633 100644 +--- a/drivers/usb/misc/uss720.c ++++ b/drivers/usb/misc/uss720.c +@@ -736,6 +736,7 @@ static int uss720_probe(struct usb_interface *intf, + parport_announce_port(pp); + + usb_set_intfdata(intf, pp); ++ usb_put_dev(usbdev); + return 0; + + probe_abort: +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index a5891cb2c72e3..37575d7983c0b 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1024,6 +1024,9 @@ static const struct usb_device_id id_table_combined[] = { + /* Sienna devices */ + { USB_DEVICE(FTDI_VID, FTDI_SIENNA_PID) }, + { USB_DEVICE(ECHELON_VID, ECHELON_U20_PID) }, ++ /* IDS GmbH devices */ ++ { USB_DEVICE(IDS_VID, IDS_SI31A_PID) }, ++ { USB_DEVICE(IDS_VID, IDS_CM31A_PID) }, + /* U-Blox devices */ + { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) }, + { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 3d47c6d72256e..d854e04a4286e 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1567,6 +1567,13 @@ + #define UNJO_VID 0x22B7 + #define UNJO_ISODEBUG_V1_PID 0x150D + ++/* ++ * IDS GmbH ++ */ ++#define IDS_VID 0x2CAF ++#define IDS_SI31A_PID 0x13A2 ++#define IDS_CM31A_PID 0x13A3 ++ + /* + * U-Blox products (http://www.u-blox.com). + */ +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index aeaa3756f6ee8..5e3430d456f36 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1240,6 +1240,10 @@ static const struct usb_device_id option_ids[] = { + .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff), /* Telit LN940 (MBIM) */ + .driver_info = NCTRL(0) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x7010, 0xff), /* Telit LE910-S1 (RNDIS) */ ++ .driver_info = NCTRL(2) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x7011, 0xff), /* Telit LE910-S1 (ECM) */ ++ .driver_info = NCTRL(2) }, + { USB_DEVICE(TELIT_VENDOR_ID, 0x9010), /* Telit SBL FN980 flashing device */ + .driver_info = NCTRL(0) | ZLP }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index 2d78ad2842a44..7df0fbede21bc 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -107,6 +107,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) }, + { USB_DEVICE(SANWA_VENDOR_ID, SANWA_PRODUCT_ID) }, + { USB_DEVICE(ADLINK_VENDOR_ID, ADLINK_ND6530_PRODUCT_ID) }, ++ { USB_DEVICE(ADLINK_VENDOR_ID, ADLINK_ND6530GC_PRODUCT_ID) }, + { USB_DEVICE(SMART_VENDOR_ID, SMART_PRODUCT_ID) }, + { USB_DEVICE(AT_VENDOR_ID, AT_VTKIT3_PRODUCT_ID) }, + { } /* Terminating entry */ +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h +index a897680473a78..3e5442573fe4e 100644 +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -152,6 +152,7 @@ + /* ADLINK ND-6530 RS232,RS485 and RS422 adapter */ + #define ADLINK_VENDOR_ID 0x0b63 + #define ADLINK_ND6530_PRODUCT_ID 0x6530 ++#define ADLINK_ND6530GC_PRODUCT_ID 0x653a + + /* SMART USB Serial Adapter */ + #define SMART_VENDOR_ID 0x0b8c +diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c +index c9201e0a82417..ccd516ea29626 100644 +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -37,6 +37,7 @@ + /* Vendor and product ids */ + #define TI_VENDOR_ID 0x0451 + #define IBM_VENDOR_ID 0x04b3 ++#define STARTECH_VENDOR_ID 0x14b0 + #define TI_3410_PRODUCT_ID 0x3410 + #define IBM_4543_PRODUCT_ID 0x4543 + #define IBM_454B_PRODUCT_ID 0x454b +@@ -374,6 +375,7 @@ static const struct usb_device_id ti_id_table_3410[] = { + { USB_DEVICE(MXU1_VENDOR_ID, MXU1_1131_PRODUCT_ID) }, + { USB_DEVICE(MXU1_VENDOR_ID, MXU1_1150_PRODUCT_ID) }, + { USB_DEVICE(MXU1_VENDOR_ID, MXU1_1151_PRODUCT_ID) }, ++ { USB_DEVICE(STARTECH_VENDOR_ID, TI_3410_PRODUCT_ID) }, + { } /* terminator */ + }; + +@@ -412,6 +414,7 @@ static const struct usb_device_id ti_id_table_combined[] = { + { USB_DEVICE(MXU1_VENDOR_ID, MXU1_1131_PRODUCT_ID) }, + { USB_DEVICE(MXU1_VENDOR_ID, MXU1_1150_PRODUCT_ID) }, + { USB_DEVICE(MXU1_VENDOR_ID, MXU1_1151_PRODUCT_ID) }, ++ { USB_DEVICE(STARTECH_VENDOR_ID, TI_3410_PRODUCT_ID) }, + { } /* terminator */ + }; + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 7b940264c7b9d..1cd610ddbb244 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1770,8 +1770,6 @@ static noinline int link_to_fixup_dir(struct btrfs_trans_handle *trans, + ret = btrfs_update_inode(trans, root, inode); + } else if (ret == -EEXIST) { + ret = 0; +- } else { +- BUG(); /* Logic Error */ + } + iput(inode); + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index ee824131c02e4..43478ec6fd67a 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -791,6 +791,13 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) + /* Internal types */ + server->capabilities |= SMB2_NT_FIND | SMB2_LARGE_FILES; + ++ /* ++ * SMB3.0 supports only 1 cipher and doesn't have a encryption neg context ++ * Set the cipher type manually. ++ */ ++ if (server->dialect == SMB30_PROT_ID && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) ++ server->cipher_type = SMB2_ENCRYPTION_AES128_CCM; ++ + security_blob = smb2_get_data_area_len(&blob_offset, &blob_length, + (struct smb2_sync_hdr *)rsp); + /* +@@ -3117,10 +3124,10 @@ smb2_new_read_req(void **buf, unsigned int *total_len, + * Related requests use info from previous read request + * in chain. + */ +- shdr->SessionId = 0xFFFFFFFF; ++ shdr->SessionId = 0xFFFFFFFFFFFFFFFF; + shdr->TreeId = 0xFFFFFFFF; +- req->PersistentFileId = 0xFFFFFFFF; +- req->VolatileFileId = 0xFFFFFFFF; ++ req->PersistentFileId = 0xFFFFFFFFFFFFFFFF; ++ req->VolatileFileId = 0xFFFFFFFFFFFFFFFF; + } + } + if (remaining_bytes > io_parms->length) +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index 3a2fea8d211d7..b313627b1801b 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -426,7 +426,7 @@ static void remove_inode_hugepages(struct inode *inode, loff_t lstart, + u32 hash; + + index = page->index; +- hash = hugetlb_fault_mutex_hash(h, mapping, index, 0); ++ hash = hugetlb_fault_mutex_hash(h, mapping, index); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + + /* +@@ -623,7 +623,7 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset, + addr = index * hpage_size; + + /* mutex taken here, fault path and hole punch */ +- hash = hugetlb_fault_mutex_hash(h, mapping, index, addr); ++ hash = hugetlb_fault_mutex_hash(h, mapping, index); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + + /* See if already present in mapping to avoid alloc/free */ +diff --git a/fs/nfs/filelayout/filelayout.c b/fs/nfs/filelayout/filelayout.c +index 2478a69da0f0c..e8e825497cbdc 100644 +--- a/fs/nfs/filelayout/filelayout.c ++++ b/fs/nfs/filelayout/filelayout.c +@@ -717,7 +717,7 @@ filelayout_decode_layout(struct pnfs_layout_hdr *flo, + if (unlikely(!p)) + goto out_err; + fl->fh_array[i]->size = be32_to_cpup(p++); +- if (sizeof(struct nfs_fh) < fl->fh_array[i]->size) { ++ if (fl->fh_array[i]->size > NFS_MAXFHSIZE) { + printk(KERN_ERR "NFS: Too big fh %d received %d\n", + i, fl->fh_array[i]->size); + goto out_err; +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index 75d3cf86f1723..e053a883d08d4 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -148,7 +148,7 @@ static loff_t nfs4_file_llseek(struct file *filep, loff_t offset, int whence) + case SEEK_HOLE: + case SEEK_DATA: + ret = nfs42_proc_llseek(filep, offset, whence); +- if (ret != -ENOTSUPP) ++ if (ret != -EOPNOTSUPP) + return ret; + /* Fall through */ + default: +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index 2c7d76b4c5e18..a9e1bcdd9394d 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -987,17 +987,16 @@ static void nfs_pageio_doio(struct nfs_pageio_descriptor *desc) + { + struct nfs_pgio_mirror *mirror = nfs_pgio_current_mirror(desc); + +- + if (!list_empty(&mirror->pg_list)) { + int error = desc->pg_ops->pg_doio(desc); + if (error < 0) + desc->pg_error = error; +- else ++ if (list_empty(&mirror->pg_list)) { + mirror->pg_bytes_written += mirror->pg_count; +- } +- if (list_empty(&mirror->pg_list)) { +- mirror->pg_count = 0; +- mirror->pg_base = 0; ++ mirror->pg_count = 0; ++ mirror->pg_base = 0; ++ mirror->pg_recoalesce = 0; ++ } + } + } + +@@ -1095,7 +1094,6 @@ static int nfs_do_recoalesce(struct nfs_pageio_descriptor *desc) + + do { + list_splice_init(&mirror->pg_list, &head); +- mirror->pg_bytes_written -= mirror->pg_count; + mirror->pg_count = 0; + mirror->pg_base = 0; + mirror->pg_recoalesce = 0; +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index af255109c5bf9..c900cb2119bae 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1268,6 +1268,11 @@ _pnfs_return_layout(struct inode *ino) + { + struct pnfs_layout_hdr *lo = NULL; + struct nfs_inode *nfsi = NFS_I(ino); ++ struct pnfs_layout_range range = { ++ .iomode = IOMODE_ANY, ++ .offset = 0, ++ .length = NFS4_MAX_UINT64, ++ }; + LIST_HEAD(tmp_list); + nfs4_stateid stateid; + int status = 0; +@@ -1294,16 +1299,10 @@ _pnfs_return_layout(struct inode *ino) + } + valid_layout = pnfs_layout_is_valid(lo); + pnfs_clear_layoutcommit(ino, &tmp_list); +- pnfs_mark_matching_lsegs_return(lo, &tmp_list, NULL, 0); ++ pnfs_mark_matching_lsegs_return(lo, &tmp_list, &range, 0); + +- if (NFS_SERVER(ino)->pnfs_curr_ld->return_range) { +- struct pnfs_layout_range range = { +- .iomode = IOMODE_ANY, +- .offset = 0, +- .length = NFS4_MAX_UINT64, +- }; ++ if (NFS_SERVER(ino)->pnfs_curr_ld->return_range) + NFS_SERVER(ino)->pnfs_curr_ld->return_range(lo, &range); +- } + + /* Don't send a LAYOUTRETURN if list was initially empty */ + if (!test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags) || +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 5e705fa9a913d..bc736ea1192ad 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -2564,6 +2564,10 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, + void *page; + int rv; + ++ /* A task may only write when it was the opener. */ ++ if (file->f_cred != current_real_cred()) ++ return -EPERM; ++ + rcu_read_lock(); + task = pid_task(proc_pid(inode), PIDTYPE_PID); + if (!task) { +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index 91393724e9331..1c8517320ea64 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -144,10 +144,11 @@ struct bpf_verifier_state_list { + }; + + /* Possible states for alu_state member. */ +-#define BPF_ALU_SANITIZE_SRC 1U +-#define BPF_ALU_SANITIZE_DST 2U ++#define BPF_ALU_SANITIZE_SRC (1U << 0) ++#define BPF_ALU_SANITIZE_DST (1U << 1) + #define BPF_ALU_NEG_VALUE (1U << 2) + #define BPF_ALU_NON_POINTER (1U << 3) ++#define BPF_ALU_IMMEDIATE (1U << 4) + #define BPF_ALU_SANITIZE (BPF_ALU_SANITIZE_SRC | \ + BPF_ALU_SANITIZE_DST) + +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h +index cae7fd6804488..c129c1c14c5f2 100644 +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -124,7 +124,7 @@ void free_huge_page(struct page *page); + void hugetlb_fix_reserve_counts(struct inode *inode); + extern struct mutex *hugetlb_fault_mutex_table; + u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping, +- pgoff_t idx, unsigned long address); ++ pgoff_t idx); + + pte_t *huge_pmd_share(struct mm_struct *mm, unsigned long addr, pud_t *pud); + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index ae936cd5567e0..b96debd18e142 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -4605,7 +4605,7 @@ unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr); + */ + int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, + const u8 *addr, enum nl80211_iftype iftype, +- u8 data_offset); ++ u8 data_offset, bool is_amsdu); + + /** + * ieee80211_data_to_8023 - convert an 802.11 data frame to 802.3 +@@ -4617,7 +4617,7 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, + static inline int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr, + enum nl80211_iftype iftype) + { +- return ieee80211_data_to_8023_exthdr(skb, NULL, addr, iftype, 0); ++ return ieee80211_data_to_8023_exthdr(skb, NULL, addr, iftype, 0, false); + } + + /** +diff --git a/include/net/nfc/nci_core.h b/include/net/nfc/nci_core.h +index df5c69db68afc..e67564af6f934 100644 +--- a/include/net/nfc/nci_core.h ++++ b/include/net/nfc/nci_core.h +@@ -310,6 +310,7 @@ int nci_nfcc_loopback(struct nci_dev *ndev, void *data, size_t data_len, + struct sk_buff **resp); + + struct nci_hci_dev *nci_hci_allocate(struct nci_dev *ndev); ++void nci_hci_deallocate(struct nci_dev *ndev); + int nci_hci_send_event(struct nci_dev *ndev, u8 gate, u8 event, + const u8 *param, size_t param_len); + int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate, +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index f49f84b71a6bc..1f4c88ce58deb 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2729,37 +2729,43 @@ static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env) + return &env->insn_aux_data[env->insn_idx]; + } + ++enum { ++ REASON_BOUNDS = -1, ++ REASON_TYPE = -2, ++ REASON_PATHS = -3, ++ REASON_LIMIT = -4, ++ REASON_STACK = -5, ++}; ++ + static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, +- u32 *ptr_limit, u8 opcode, bool off_is_neg) ++ u32 *alu_limit, bool mask_to_left) + { +- bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || +- (opcode == BPF_SUB && !off_is_neg); +- u32 off, max; ++ u32 max = 0, ptr_limit = 0; + + switch (ptr_reg->type) { + case PTR_TO_STACK: + /* Offset 0 is out-of-bounds, but acceptable start for the +- * left direction, see BPF_REG_FP. ++ * left direction, see BPF_REG_FP. Also, unknown scalar ++ * offset where we would need to deal with min/max bounds is ++ * currently prohibited for unprivileged. + */ + max = MAX_BPF_STACK + mask_to_left; +- off = ptr_reg->off + ptr_reg->var_off.value; +- if (mask_to_left) +- *ptr_limit = MAX_BPF_STACK + off; +- else +- *ptr_limit = -off - 1; +- return *ptr_limit >= max ? -ERANGE : 0; ++ ptr_limit = -(ptr_reg->var_off.value + ptr_reg->off); ++ break; + case PTR_TO_MAP_VALUE: + max = ptr_reg->map_ptr->value_size; +- if (mask_to_left) { +- *ptr_limit = ptr_reg->umax_value + ptr_reg->off; +- } else { +- off = ptr_reg->smin_value + ptr_reg->off; +- *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; +- } +- return *ptr_limit >= max ? -ERANGE : 0; ++ ptr_limit = (mask_to_left ? ++ ptr_reg->smin_value : ++ ptr_reg->umax_value) + ptr_reg->off; ++ break; + default: +- return -EINVAL; ++ return REASON_TYPE; + } ++ ++ if (ptr_limit >= max) ++ return REASON_LIMIT; ++ *alu_limit = ptr_limit; ++ return 0; + } + + static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env, +@@ -2777,7 +2783,7 @@ static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux, + if (aux->alu_state && + (aux->alu_state != alu_state || + aux->alu_limit != alu_limit)) +- return -EACCES; ++ return REASON_PATHS; + + /* Corresponding fixup done in fixup_bpf_calls(). */ + aux->alu_state = alu_state; +@@ -2796,14 +2802,28 @@ static int sanitize_val_alu(struct bpf_verifier_env *env, + return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0); + } + ++static bool sanitize_needed(u8 opcode) ++{ ++ return opcode == BPF_ADD || opcode == BPF_SUB; ++} ++ ++struct bpf_sanitize_info { ++ struct bpf_insn_aux_data aux; ++ bool mask_to_left; ++}; ++ + static int sanitize_ptr_alu(struct bpf_verifier_env *env, + struct bpf_insn *insn, + const struct bpf_reg_state *ptr_reg, ++ const struct bpf_reg_state *off_reg, + struct bpf_reg_state *dst_reg, +- bool off_is_neg) ++ struct bpf_sanitize_info *info, ++ const bool commit_window) + { ++ struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : &info->aux; + struct bpf_verifier_state *vstate = env->cur_state; +- struct bpf_insn_aux_data *aux = cur_aux(env); ++ bool off_is_imm = tnum_is_const(off_reg->var_off); ++ bool off_is_neg = off_reg->smin_value < 0; + bool ptr_is_dst_reg = ptr_reg == dst_reg; + u8 opcode = BPF_OP(insn->code); + u32 alu_state, alu_limit; +@@ -2821,18 +2841,47 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, + if (vstate->speculative) + goto do_sim; + +- alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; +- alu_state |= ptr_is_dst_reg ? +- BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; ++ if (!commit_window) { ++ if (!tnum_is_const(off_reg->var_off) && ++ (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) ++ return REASON_BOUNDS; ++ ++ info->mask_to_left = (opcode == BPF_ADD && off_is_neg) || ++ (opcode == BPF_SUB && !off_is_neg); ++ } + +- err = retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg); ++ err = retrieve_ptr_limit(ptr_reg, &alu_limit, info->mask_to_left); + if (err < 0) + return err; + ++ if (commit_window) { ++ /* In commit phase we narrow the masking window based on ++ * the observed pointer move after the simulated operation. ++ */ ++ alu_state = info->aux.alu_state; ++ alu_limit = abs(info->aux.alu_limit - alu_limit); ++ } else { ++ alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; ++ alu_state |= off_is_imm ? BPF_ALU_IMMEDIATE : 0; ++ alu_state |= ptr_is_dst_reg ? ++ BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; ++ } ++ + err = update_alu_sanitation_state(aux, alu_state, alu_limit); + if (err < 0) + return err; + do_sim: ++ /* If we're in commit phase, we're done here given we already ++ * pushed the truncated dst_reg into the speculative verification ++ * stack. ++ * ++ * Also, when register is a known constant, we rewrite register-based ++ * operation to immediate-based, and thus do not need masking (and as ++ * a consequence, do not need to simulate the zero-truncation either). ++ */ ++ if (commit_window || off_is_imm) ++ return 0; ++ + /* Simulate and find potential out-of-bounds access under + * speculative execution from truncation as a result of + * masking when off was not within expected range. If off +@@ -2849,7 +2898,81 @@ do_sim: + ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); + if (!ptr_is_dst_reg && ret) + *dst_reg = tmp; +- return !ret ? -EFAULT : 0; ++ return !ret ? REASON_STACK : 0; ++} ++ ++static int sanitize_err(struct bpf_verifier_env *env, ++ const struct bpf_insn *insn, int reason, ++ const struct bpf_reg_state *off_reg, ++ const struct bpf_reg_state *dst_reg) ++{ ++ static const char *err = "pointer arithmetic with it prohibited for !root"; ++ const char *op = BPF_OP(insn->code) == BPF_ADD ? "add" : "sub"; ++ u32 dst = insn->dst_reg, src = insn->src_reg; ++ ++ switch (reason) { ++ case REASON_BOUNDS: ++ verbose(env, "R%d has unknown scalar with mixed signed bounds, %s\n", ++ off_reg == dst_reg ? dst : src, err); ++ break; ++ case REASON_TYPE: ++ verbose(env, "R%d has pointer with unsupported alu operation, %s\n", ++ off_reg == dst_reg ? src : dst, err); ++ break; ++ case REASON_PATHS: ++ verbose(env, "R%d tried to %s from different maps, paths or scalars, %s\n", ++ dst, op, err); ++ break; ++ case REASON_LIMIT: ++ verbose(env, "R%d tried to %s beyond pointer bounds, %s\n", ++ dst, op, err); ++ break; ++ case REASON_STACK: ++ verbose(env, "R%d could not be pushed for speculative verification, %s\n", ++ dst, err); ++ break; ++ default: ++ verbose(env, "verifier internal error: unknown reason (%d)\n", ++ reason); ++ break; ++ } ++ ++ return -EACCES; ++} ++ ++static int sanitize_check_bounds(struct bpf_verifier_env *env, ++ const struct bpf_insn *insn, ++ const struct bpf_reg_state *dst_reg) ++{ ++ u32 dst = insn->dst_reg; ++ ++ /* For unprivileged we require that resulting offset must be in bounds ++ * in order to be able to sanitize access later on. ++ */ ++ if (env->allow_ptr_leaks) ++ return 0; ++ ++ switch (dst_reg->type) { ++ case PTR_TO_STACK: ++ if (check_stack_access(env, dst_reg, dst_reg->off + ++ dst_reg->var_off.value, 1)) { ++ verbose(env, "R%d stack pointer arithmetic goes out of range, " ++ "prohibited for !root\n", dst); ++ return -EACCES; ++ } ++ break; ++ case PTR_TO_MAP_VALUE: ++ if (check_map_access(env, dst, dst_reg->off, 1, false)) { ++ verbose(env, "R%d pointer arithmetic of map value goes out of range, " ++ "prohibited for !root\n", dst); ++ return -EACCES; ++ } ++ break; ++ default: ++ break; ++ } ++ ++ return 0; + } + + /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. +@@ -2870,8 +2993,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; + u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, + umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; +- u32 dst = insn->dst_reg, src = insn->src_reg; ++ struct bpf_sanitize_info info = {}; + u8 opcode = BPF_OP(insn->code); ++ u32 dst = insn->dst_reg; + int ret; + + dst_reg = ®s[dst]; +@@ -2908,12 +3032,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + dst); + return -EACCES; + } +- if (ptr_reg->type == PTR_TO_MAP_VALUE && +- !env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { +- verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", +- off_reg == dst_reg ? dst : src); +- return -EACCES; +- } + + /* In case of 'scalar += pointer', dst_reg inherits pointer type and id. + * The id may be overwritten later if we create a new variable offset. +@@ -2925,13 +3043,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) + return -EINVAL; + ++ if (sanitize_needed(opcode)) { ++ ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg, ++ &info, false); ++ if (ret < 0) ++ return sanitize_err(env, insn, ret, off_reg, dst_reg); ++ } ++ + switch (opcode) { + case BPF_ADD: +- ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); +- if (ret < 0) { +- verbose(env, "R%d tried to add from different maps, paths, or prohibited types\n", dst); +- return ret; +- } + /* We can take a fixed offset as long as it doesn't overflow + * the s32 'off' field + */ +@@ -2982,11 +3102,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + } + break; + case BPF_SUB: +- ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); +- if (ret < 0) { +- verbose(env, "R%d tried to sub from different maps, paths, or prohibited types\n", dst); +- return ret; +- } + if (dst_reg == off_reg) { + /* scalar -= pointer. Creates an unknown scalar */ + verbose(env, "R%d tried to subtract pointer from scalar\n", +@@ -3067,22 +3182,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + __reg_deduce_bounds(dst_reg); + __reg_bound_offset(dst_reg); + +- /* For unprivileged we require that resulting offset must be in bounds +- * in order to be able to sanitize access later on. +- */ +- if (!env->allow_ptr_leaks) { +- if (dst_reg->type == PTR_TO_MAP_VALUE && +- check_map_access(env, dst, dst_reg->off, 1, false)) { +- verbose(env, "R%d pointer arithmetic of map value goes out of range, " +- "prohibited for !root\n", dst); +- return -EACCES; +- } else if (dst_reg->type == PTR_TO_STACK && +- check_stack_access(env, dst_reg, dst_reg->off + +- dst_reg->var_off.value, 1)) { +- verbose(env, "R%d stack pointer arithmetic goes out of range, " +- "prohibited for !root\n", dst); +- return -EACCES; +- } ++ if (sanitize_check_bounds(env, insn, dst_reg) < 0) ++ return -EACCES; ++ if (sanitize_needed(opcode)) { ++ ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg, ++ &info, true); ++ if (ret < 0) ++ return sanitize_err(env, insn, ret, off_reg, dst_reg); + } + + return 0; +@@ -3103,7 +3209,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, + s64 smin_val, smax_val; + u64 umin_val, umax_val; + u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; +- u32 dst = insn->dst_reg; + int ret; + + if (insn_bitness == 32) { +@@ -3137,13 +3242,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, + return 0; + } + ++ if (sanitize_needed(opcode)) { ++ ret = sanitize_val_alu(env, insn); ++ if (ret < 0) ++ return sanitize_err(env, insn, ret, NULL, NULL); ++ } ++ + switch (opcode) { + case BPF_ADD: +- ret = sanitize_val_alu(env, insn); +- if (ret < 0) { +- verbose(env, "R%d tried to add from different pointers or scalars\n", dst); +- return ret; +- } + if (signed_add_overflows(dst_reg->smin_value, smin_val) || + signed_add_overflows(dst_reg->smax_value, smax_val)) { + dst_reg->smin_value = S64_MIN; +@@ -3163,11 +3269,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, + dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); + break; + case BPF_SUB: +- ret = sanitize_val_alu(env, insn); +- if (ret < 0) { +- verbose(env, "R%d tried to sub from different pointers or scalars\n", dst); +- return ret; +- } + if (signed_sub_overflows(dst_reg->smin_value, smax_val) || + signed_sub_overflows(dst_reg->smax_value, smin_val)) { + /* Overflow possible, we know nothing */ +@@ -4127,8 +4228,9 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, + struct bpf_verifier_state *this_branch = env->cur_state; + struct bpf_verifier_state *other_branch; + struct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs; +- struct bpf_reg_state *dst_reg, *other_branch_regs; ++ struct bpf_reg_state *dst_reg, *other_branch_regs, *src_reg = NULL; + u8 opcode = BPF_OP(insn->code); ++ int pred = -1; + int err; + + if (opcode > BPF_JSLE) { +@@ -4152,6 +4254,7 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, + insn->src_reg); + return -EACCES; + } ++ src_reg = ®s[insn->src_reg]; + } else { + if (insn->src_reg != BPF_REG_0) { + verbose(env, "BPF_JMP uses reserved fields\n"); +@@ -4166,19 +4269,21 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, + + dst_reg = ®s[insn->dst_reg]; + +- if (BPF_SRC(insn->code) == BPF_K) { +- int pred = is_branch_taken(dst_reg, insn->imm, opcode); +- +- if (pred == 1) { +- /* only follow the goto, ignore fall-through */ +- *insn_idx += insn->off; +- return 0; +- } else if (pred == 0) { +- /* only follow fall-through branch, since +- * that's where the program will go +- */ +- return 0; +- } ++ if (BPF_SRC(insn->code) == BPF_K) ++ pred = is_branch_taken(dst_reg, insn->imm, opcode); ++ else if (src_reg->type == SCALAR_VALUE && ++ tnum_is_const(src_reg->var_off)) ++ pred = is_branch_taken(dst_reg, src_reg->var_off.value, ++ opcode); ++ if (pred == 1) { ++ /* only follow the goto, ignore fall-through */ ++ *insn_idx += insn->off; ++ return 0; ++ } else if (pred == 0) { ++ /* only follow fall-through branch, since ++ * that's where the program will go ++ */ ++ return 0; + } + + other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx, +@@ -6079,7 +6184,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) + const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X; + struct bpf_insn insn_buf[16]; + struct bpf_insn *patch = &insn_buf[0]; +- bool issrc, isneg; ++ bool issrc, isneg, isimm; + u32 off_reg; + + aux = &env->insn_aux_data[i + delta]; +@@ -6090,16 +6195,21 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) + isneg = aux->alu_state & BPF_ALU_NEG_VALUE; + issrc = (aux->alu_state & BPF_ALU_SANITIZE) == + BPF_ALU_SANITIZE_SRC; ++ isimm = aux->alu_state & BPF_ALU_IMMEDIATE; + + off_reg = issrc ? insn->src_reg : insn->dst_reg; +- if (isneg) +- *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); +- *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); +- *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); +- *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); +- *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); +- *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63); +- *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg); ++ if (isimm) { ++ *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); ++ } else { ++ if (isneg) ++ *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); ++ *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); ++ *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); ++ *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); ++ *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); ++ *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63); ++ *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg); ++ } + if (!issrc) + *patch++ = BPF_MOV64_REG(insn->dst_reg, insn->src_reg); + insn->src_reg = BPF_REG_AX; +@@ -6107,7 +6217,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) + insn->code = insn->code == code_add ? + code_sub : code_add; + *patch++ = *insn; +- if (issrc && isneg) ++ if (issrc && isneg && !isimm) + *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); + cnt = patch - insn_buf; + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 1dfaec50ff933..2f769a6615688 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3862,7 +3862,7 @@ retry: + * handling userfault. Reacquire after handling + * fault to make calling code simpler. + */ +- hash = hugetlb_fault_mutex_hash(h, mapping, idx, haddr); ++ hash = hugetlb_fault_mutex_hash(h, mapping, idx); + mutex_unlock(&hugetlb_fault_mutex_table[hash]); + ret = handle_userfault(&vmf, VM_UFFD_MISSING); + mutex_lock(&hugetlb_fault_mutex_table[hash]); +@@ -3971,7 +3971,7 @@ backout_unlocked: + + #ifdef CONFIG_SMP + u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping, +- pgoff_t idx, unsigned long address) ++ pgoff_t idx) + { + unsigned long key[2]; + u32 hash; +@@ -3979,7 +3979,7 @@ u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping, + key[0] = (unsigned long) mapping; + key[1] = idx; + +- hash = jhash2((u32 *)&key, sizeof(key)/sizeof(u32), 0); ++ hash = jhash2((u32 *)&key, sizeof(key)/(sizeof(u32)), 0); + + return hash & (num_fault_mutexes - 1); + } +@@ -3989,7 +3989,7 @@ u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping, + * return 0 and avoid the hashing overhead. + */ + u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping, +- pgoff_t idx, unsigned long address) ++ pgoff_t idx) + { + return 0; + } +@@ -4033,7 +4033,7 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, + * get spurious allocation failures if two CPUs race to instantiate + * the same page in the page cache. + */ +- hash = hugetlb_fault_mutex_hash(h, mapping, idx, haddr); ++ hash = hugetlb_fault_mutex_hash(h, mapping, idx); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + + entry = huge_ptep_get(ptep); +diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c +index 7529d3fcc8999..93a12cc107c98 100644 +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -271,7 +271,7 @@ retry: + */ + idx = linear_page_index(dst_vma, dst_addr); + mapping = dst_vma->vm_file->f_mapping; +- hash = hugetlb_fault_mutex_hash(h, mapping, idx, dst_addr); ++ hash = hugetlb_fault_mutex_hash(h, mapping, idx); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + + err = -ENOMEM; +diff --git a/mm/vmstat.c b/mm/vmstat.c +index ce81b0a7d0186..21e07e71ea2df 100644 +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1384,6 +1384,9 @@ static void pagetypeinfo_showfree_print(struct seq_file *m, + list_for_each(curr, &area->free_list[mtype]) + freecount++; + seq_printf(m, "%6lu ", freecount); ++ spin_unlock_irq(&zone->lock); ++ cond_resched(); ++ spin_lock_irq(&zone->lock); + } + seq_putc(m, '\n'); + } +diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c +index 7f26a5a19ff6d..9873684a9d8ff 100644 +--- a/net/bluetooth/cmtp/core.c ++++ b/net/bluetooth/cmtp/core.c +@@ -391,6 +391,11 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock) + if (!(session->flags & BIT(CMTP_LOOPBACK))) { + err = cmtp_attach_device(session); + if (err < 0) { ++ /* Caller will call fput in case of failure, and so ++ * will cmtp_session kthread. ++ */ ++ get_file(session->sock->file); ++ + atomic_inc(&session->terminate); + wake_up_interruptible(sk_sleep(session->sock->sk)); + up_write(&cmtp_session_sem); +diff --git a/net/core/filter.c b/net/core/filter.c +index 6272570fe1396..01561268d2166 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -3020,6 +3020,7 @@ static inline int __bpf_skb_change_head(struct sk_buff *skb, u32 head_room, + __skb_push(skb, head_room); + memset(skb->data, 0, head_room); + skb_reset_mac_header(skb); ++ skb_reset_mac_len(skb); + } + + return ret; +diff --git a/net/dsa/master.c b/net/dsa/master.c +index aae478d611018..22e9ce6e51a48 100644 +--- a/net/dsa/master.c ++++ b/net/dsa/master.c +@@ -87,8 +87,7 @@ static void dsa_master_get_strings(struct net_device *dev, uint32_t stringset, + struct dsa_switch *ds = cpu_dp->ds; + int port = cpu_dp->index; + int len = ETH_GSTRING_LEN; +- int mcount = 0, count; +- unsigned int i; ++ int mcount = 0, count, i; + uint8_t pfx[4]; + uint8_t *ndata; + +@@ -118,6 +117,8 @@ static void dsa_master_get_strings(struct net_device *dev, uint32_t stringset, + */ + ds->ops->get_strings(ds, port, stringset, ndata); + count = ds->ops->get_sset_count(ds, port, stringset); ++ if (count < 0) ++ return; + for (i = 0; i < count; i++) { + memmove(ndata + (i * len + sizeof(pfx)), + ndata + i * len, len - sizeof(pfx)); +diff --git a/net/dsa/slave.c b/net/dsa/slave.c +index 11f1560de6391..b887d9edb9c38 100644 +--- a/net/dsa/slave.c ++++ b/net/dsa/slave.c +@@ -598,13 +598,15 @@ static int dsa_slave_get_sset_count(struct net_device *dev, int sset) + struct dsa_switch *ds = dp->ds; + + if (sset == ETH_SS_STATS) { +- int count; ++ int count = 0; + +- count = 4; +- if (ds->ops->get_sset_count) +- count += ds->ops->get_sset_count(ds, dp->index, sset); ++ if (ds->ops->get_sset_count) { ++ count = ds->ops->get_sset_count(ds, dp->index, sset); ++ if (count < 0) ++ return count; ++ } + +- return count; ++ return count + 4; + } + + return -EOPNOTSUPP; +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index f2f8551416c33..3d048401141f3 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1606,10 +1606,7 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu) + IPV6_TLV_PADN, 0 }; + + /* we assume size > sizeof(ra) here */ +- /* limit our allocations to order-0 page */ +- size = min_t(int, size, SKB_MAX_ORDER(0, 0)); + skb = sock_alloc_send_skb(sk, size, 1, &err); +- + if (!skb) + return NULL; + +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c +index c6132e39ab16b..60dfd0d118512 100644 +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -347,7 +347,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb) + hdr = ipv6_hdr(skb); + fhdr = (struct frag_hdr *)skb_transport_header(skb); + +- if (!(fhdr->frag_off & htons(0xFFF9))) { ++ if (!(fhdr->frag_off & htons(IP6_OFFSET | IP6_MF))) { + /* It is not a fragmented frame */ + skb->transport_header += sizeof(struct frag_hdr); + __IP6_INC_STATS(net, +@@ -355,6 +355,8 @@ static int ipv6_frag_rcv(struct sk_buff *skb) + + IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb); + IP6CB(skb)->flags |= IP6SKB_FRAGMENTED; ++ IP6CB(skb)->frag_max_size = ntohs(hdr->payload_len) + ++ sizeof(struct ipv6hdr); + return 1; + } + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index fc715bba59146..6c9d9c94983ba 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -53,12 +53,6 @@ struct ieee80211_local; + #define IEEE80211_ENCRYPT_HEADROOM 8 + #define IEEE80211_ENCRYPT_TAILROOM 18 + +-/* IEEE 802.11 (Ch. 9.5 Defragmentation) requires support for concurrent +- * reception of at least three fragmented frames. This limit can be increased +- * by changing this define, at the cost of slower frame reassembly and +- * increased memory use (about 2 kB of RAM per entry). */ +-#define IEEE80211_FRAGMENT_MAX 4 +- + /* power level hasn't been configured (or set to automatic) */ + #define IEEE80211_UNSET_POWER_LEVEL INT_MIN + +@@ -91,18 +85,6 @@ extern const u8 ieee80211_ac_to_qos_mask[IEEE80211_NUM_ACS]; + + #define IEEE80211_MAX_NAN_INSTANCE_ID 255 + +-struct ieee80211_fragment_entry { +- struct sk_buff_head skb_list; +- unsigned long first_frag_time; +- u16 seq; +- u16 extra_len; +- u16 last_frag; +- u8 rx_queue; +- bool check_sequential_pn; /* needed for CCMP/GCMP */ +- u8 last_pn[6]; /* PN of the last fragment if CCMP was used */ +-}; +- +- + struct ieee80211_bss { + u32 device_ts_beacon, device_ts_presp; + +@@ -243,8 +225,15 @@ struct ieee80211_rx_data { + */ + int security_idx; + +- u32 tkip_iv32; +- u16 tkip_iv16; ++ union { ++ struct { ++ u32 iv32; ++ u16 iv16; ++ } tkip; ++ struct { ++ u8 pn[IEEE80211_CCMP_PN_LEN]; ++ } ccm_gcm; ++ }; + }; + + struct ieee80211_csa_settings { +@@ -884,9 +873,7 @@ struct ieee80211_sub_if_data { + + char name[IFNAMSIZ]; + +- /* Fragment table for host-based reassembly */ +- struct ieee80211_fragment_entry fragments[IEEE80211_FRAGMENT_MAX]; +- unsigned int fragment_next; ++ struct ieee80211_fragment_cache frags; + + /* TID bitmap for NoAck policy */ + u16 noack_map; +@@ -2204,4 +2191,7 @@ extern const struct ethtool_ops ieee80211_ethtool_ops; + #define debug_noinline + #endif + ++void ieee80211_init_frag_cache(struct ieee80211_fragment_cache *cache); ++void ieee80211_destroy_frag_cache(struct ieee80211_fragment_cache *cache); ++ + #endif /* IEEE80211_I_H */ +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 511ca6f74239d..358028a09ce4d 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -7,7 +7,7 @@ + * Copyright 2008, Johannes Berg <[email protected]> + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright (c) 2016 Intel Deutschland GmbH +- * Copyright (C) 2018 Intel Corporation ++ * Copyright (C) 2018-2021 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -1111,16 +1111,12 @@ static void ieee80211_set_multicast_list(struct net_device *dev) + */ + static void ieee80211_teardown_sdata(struct ieee80211_sub_if_data *sdata) + { +- int i; +- + /* free extra data */ + ieee80211_free_keys(sdata, false); + + ieee80211_debugfs_remove_netdev(sdata); + +- for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) +- __skb_queue_purge(&sdata->fragments[i].skb_list); +- sdata->fragment_next = 0; ++ ieee80211_destroy_frag_cache(&sdata->frags); + + if (ieee80211_vif_is_mesh(&sdata->vif)) + ieee80211_mesh_teardown_sdata(sdata); +@@ -1832,8 +1828,7 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name, + sdata->wdev.wiphy = local->hw.wiphy; + sdata->local = local; + +- for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) +- skb_queue_head_init(&sdata->fragments[i].skb_list); ++ ieee80211_init_frag_cache(&sdata->frags); + + INIT_LIST_HEAD(&sdata->key_list); + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index f20bb39f492da..6775d6cb7d3d4 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -653,6 +653,7 @@ int ieee80211_key_link(struct ieee80211_key *key, + struct ieee80211_sub_if_data *sdata, + struct sta_info *sta) + { ++ static atomic_t key_color = ATOMIC_INIT(0); + struct ieee80211_local *local = sdata->local; + struct ieee80211_key *old_key; + int idx = key->conf.keyidx; +@@ -688,6 +689,12 @@ int ieee80211_key_link(struct ieee80211_key *key, + key->sdata = sdata; + key->sta = sta; + ++ /* ++ * Assign a unique ID to every key so we can easily prevent mixed ++ * key and fragment cache attacks. ++ */ ++ key->color = atomic_inc_return(&key_color); ++ + increment_tailroom_need_count(sdata); + + ieee80211_key_replace(sdata, sta, pairwise, old_key, key); +diff --git a/net/mac80211/key.h b/net/mac80211/key.h +index ebdb80b85dc3a..d8e187bcb7510 100644 +--- a/net/mac80211/key.h ++++ b/net/mac80211/key.h +@@ -127,6 +127,8 @@ struct ieee80211_key { + } debugfs; + #endif + ++ unsigned int color; ++ + /* + * key config, must be last because it contains key + * material as variable length member +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 9e92e5e2336be..2ba19decb1261 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -5,7 +5,7 @@ + * Copyright 2007-2010 Johannes Berg <[email protected]> + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright(c) 2015 - 2017 Intel Deutschland GmbH +- * Copyright (C) 2018 Intel Corporation ++ * Copyright (C) 2018-2021 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -2009,19 +2009,34 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) + return result; + } + ++void ieee80211_init_frag_cache(struct ieee80211_fragment_cache *cache) ++{ ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(cache->entries); i++) ++ skb_queue_head_init(&cache->entries[i].skb_list); ++} ++ ++void ieee80211_destroy_frag_cache(struct ieee80211_fragment_cache *cache) ++{ ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(cache->entries); i++) ++ __skb_queue_purge(&cache->entries[i].skb_list); ++} ++ + static inline struct ieee80211_fragment_entry * +-ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, ++ieee80211_reassemble_add(struct ieee80211_fragment_cache *cache, + unsigned int frag, unsigned int seq, int rx_queue, + struct sk_buff **skb) + { + struct ieee80211_fragment_entry *entry; + +- entry = &sdata->fragments[sdata->fragment_next++]; +- if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX) +- sdata->fragment_next = 0; ++ entry = &cache->entries[cache->next++]; ++ if (cache->next >= IEEE80211_FRAGMENT_MAX) ++ cache->next = 0; + +- if (!skb_queue_empty(&entry->skb_list)) +- __skb_queue_purge(&entry->skb_list); ++ __skb_queue_purge(&entry->skb_list); + + __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */ + *skb = NULL; +@@ -2036,14 +2051,14 @@ ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, + } + + static inline struct ieee80211_fragment_entry * +-ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, ++ieee80211_reassemble_find(struct ieee80211_fragment_cache *cache, + unsigned int frag, unsigned int seq, + int rx_queue, struct ieee80211_hdr *hdr) + { + struct ieee80211_fragment_entry *entry; + int i, idx; + +- idx = sdata->fragment_next; ++ idx = cache->next; + for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) { + struct ieee80211_hdr *f_hdr; + +@@ -2051,7 +2066,7 @@ ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, + if (idx < 0) + idx = IEEE80211_FRAGMENT_MAX - 1; + +- entry = &sdata->fragments[idx]; ++ entry = &cache->entries[idx]; + if (skb_queue_empty(&entry->skb_list) || entry->seq != seq || + entry->rx_queue != rx_queue || + entry->last_frag + 1 != frag) +@@ -2078,15 +2093,27 @@ ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, + return NULL; + } + ++static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc) ++{ ++ return rx->key && ++ (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP || ++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 || ++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP || ++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) && ++ ieee80211_has_protected(fc); ++} ++ + static ieee80211_rx_result debug_noinline + ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + { ++ struct ieee80211_fragment_cache *cache = &rx->sdata->frags; + struct ieee80211_hdr *hdr; + u16 sc; + __le16 fc; + unsigned int frag, seq; + struct ieee80211_fragment_entry *entry; + struct sk_buff *skb; ++ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); + + hdr = (struct ieee80211_hdr *)rx->skb->data; + fc = hdr->frame_control; +@@ -2102,6 +2129,9 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + goto out_no_led; + } + ++ if (rx->sta) ++ cache = &rx->sta->frags; ++ + if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) + goto out; + +@@ -2120,20 +2150,17 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + + if (frag == 0) { + /* This is the first fragment of a new frame. */ +- entry = ieee80211_reassemble_add(rx->sdata, frag, seq, ++ entry = ieee80211_reassemble_add(cache, frag, seq, + rx->seqno_idx, &(rx->skb)); +- if (rx->key && +- (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP || +- rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 || +- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP || +- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) && +- ieee80211_has_protected(fc)) { ++ if (requires_sequential_pn(rx, fc)) { + int queue = rx->security_idx; + + /* Store CCMP/GCMP PN so that we can verify that the + * next fragment has a sequential PN value. + */ + entry->check_sequential_pn = true; ++ entry->is_protected = true; ++ entry->key_color = rx->key->color; + memcpy(entry->last_pn, + rx->key->u.ccmp.rx_pn[queue], + IEEE80211_CCMP_PN_LEN); +@@ -2145,6 +2172,11 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + sizeof(rx->key->u.gcmp.rx_pn[queue])); + BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN != + IEEE80211_GCMP_PN_LEN); ++ } else if (rx->key && ++ (ieee80211_has_protected(fc) || ++ (status->flag & RX_FLAG_DECRYPTED))) { ++ entry->is_protected = true; ++ entry->key_color = rx->key->color; + } + return RX_QUEUED; + } +@@ -2152,7 +2184,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + /* This is a fragment for a frame that should already be pending in + * fragment cache. Add this fragment to the end of the pending entry. + */ +- entry = ieee80211_reassemble_find(rx->sdata, frag, seq, ++ entry = ieee80211_reassemble_find(cache, frag, seq, + rx->seqno_idx, hdr); + if (!entry) { + I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); +@@ -2167,25 +2199,39 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + if (entry->check_sequential_pn) { + int i; + u8 pn[IEEE80211_CCMP_PN_LEN], *rpn; +- int queue; + +- if (!rx->key || +- (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP && +- rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 && +- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP && +- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256)) ++ if (!requires_sequential_pn(rx, fc)) ++ return RX_DROP_UNUSABLE; ++ ++ /* Prevent mixed key and fragment cache attacks */ ++ if (entry->key_color != rx->key->color) + return RX_DROP_UNUSABLE; ++ + memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); + for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) { + pn[i]++; + if (pn[i]) + break; + } +- queue = rx->security_idx; +- rpn = rx->key->u.ccmp.rx_pn[queue]; ++ ++ rpn = rx->ccm_gcm.pn; + if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN)) + return RX_DROP_UNUSABLE; + memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); ++ } else if (entry->is_protected && ++ (!rx->key || ++ (!ieee80211_has_protected(fc) && ++ !(status->flag & RX_FLAG_DECRYPTED)) || ++ rx->key->color != entry->key_color)) { ++ /* Drop this as a mixed key or fragment cache attack, even ++ * if for TKIP Michael MIC should protect us, and WEP is a ++ * lost cause anyway. ++ */ ++ return RX_DROP_UNUSABLE; ++ } else if (entry->is_protected && rx->key && ++ entry->key_color != rx->key->color && ++ (status->flag & RX_FLAG_DECRYPTED)) { ++ return RX_DROP_UNUSABLE; + } + + skb_pull(rx->skb, ieee80211_hdrlen(fc)); +@@ -2371,13 +2417,13 @@ static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc) + struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; + + /* +- * Allow EAPOL frames to us/the PAE group address regardless +- * of whether the frame was encrypted or not. ++ * Allow EAPOL frames to us/the PAE group address regardless of ++ * whether the frame was encrypted or not, and always disallow ++ * all other destination addresses for them. + */ +- if (ehdr->h_proto == rx->sdata->control_port_protocol && +- (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) || +- ether_addr_equal(ehdr->h_dest, pae_group_addr))) +- return true; ++ if (unlikely(ehdr->h_proto == rx->sdata->control_port_protocol)) ++ return ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) || ++ ether_addr_equal(ehdr->h_dest, pae_group_addr); + + if (ieee80211_802_1x_port_control(rx) || + ieee80211_drop_unencrypted(rx, fc)) +@@ -2401,8 +2447,28 @@ static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb, + cfg80211_rx_control_port(dev, skb, noencrypt); + dev_kfree_skb(skb); + } else { ++ struct ethhdr *ehdr = (void *)skb_mac_header(skb); ++ + memset(skb->cb, 0, sizeof(skb->cb)); + ++ /* ++ * 802.1X over 802.11 requires that the authenticator address ++ * be used for EAPOL frames. However, 802.1X allows the use of ++ * the PAE group address instead. If the interface is part of ++ * a bridge and we pass the frame with the PAE group address, ++ * then the bridge will forward it to the network (even if the ++ * client was not associated yet), which isn't supposed to ++ * happen. ++ * To avoid that, rewrite the destination address to our own ++ * address, so that the authenticator (e.g. hostapd) will see ++ * the frame, but bridge won't forward it anywhere else. Note ++ * that due to earlier filtering, the only other address can ++ * be the PAE group address. ++ */ ++ if (unlikely(skb->protocol == sdata->control_port_protocol && ++ !ether_addr_equal(ehdr->h_dest, sdata->vif.addr))) ++ ether_addr_copy(ehdr->h_dest, sdata->vif.addr); ++ + /* deliver to local stack */ + if (rx->napi) + napi_gro_receive(rx->napi, skb); +@@ -2442,6 +2508,7 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx) + if ((sdata->vif.type == NL80211_IFTYPE_AP || + sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && + !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) && ++ ehdr->h_proto != rx->sdata->control_port_protocol && + (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) { + if (is_multicast_ether_addr(ehdr->h_dest) && + ieee80211_vif_get_num_mcast_if(sdata) != 0) { +@@ -2550,7 +2617,7 @@ __ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset) + if (ieee80211_data_to_8023_exthdr(skb, ðhdr, + rx->sdata->vif.addr, + rx->sdata->vif.type, +- data_offset)) ++ data_offset, true)) + return RX_DROP_UNUSABLE; + + ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr, +@@ -2607,6 +2674,23 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) + if (is_multicast_ether_addr(hdr->addr1)) + return RX_DROP_UNUSABLE; + ++ if (rx->key) { ++ /* ++ * We should not receive A-MSDUs on pre-HT connections, ++ * and HT connections cannot use old ciphers. Thus drop ++ * them, as in those cases we couldn't even have SPP ++ * A-MSDUs or such. ++ */ ++ switch (rx->key->conf.cipher) { ++ case WLAN_CIPHER_SUITE_WEP40: ++ case WLAN_CIPHER_SUITE_WEP104: ++ case WLAN_CIPHER_SUITE_TKIP: ++ return RX_DROP_UNUSABLE; ++ default: ++ break; ++ } ++ } ++ + return __ieee80211_rx_h_amsdu(rx, 0); + } + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index c0fae954082b7..71c6a462277fa 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -3,7 +3,7 @@ + * Copyright 2006-2007 Jiri Benc <[email protected]> + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright (C) 2015 - 2017 Intel Deutschland GmbH +- * Copyright (C) 2018-2020 Intel Corporation ++ * Copyright (C) 2018-2021 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -369,6 +369,8 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata, + + u64_stats_init(&sta->rx_stats.syncp); + ++ ieee80211_init_frag_cache(&sta->frags); ++ + sta->sta_state = IEEE80211_STA_NONE; + + /* Mark TID as unreserved */ +@@ -1032,6 +1034,8 @@ static void __sta_info_destroy_part2(struct sta_info *sta) + rate_control_remove_sta_debugfs(sta); + ieee80211_sta_debugfs_remove(sta); + ++ ieee80211_destroy_frag_cache(&sta->frags); ++ + cleanup_single_sta(sta); + } + +diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h +index 9a04327d71d1d..c33bc5fc0f2d8 100644 +--- a/net/mac80211/sta_info.h ++++ b/net/mac80211/sta_info.h +@@ -2,6 +2,7 @@ + * Copyright 2002-2005, Devicescape Software, Inc. + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright(c) 2015-2017 Intel Deutschland GmbH ++ * Copyright(c) 2020-2021 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -411,6 +412,34 @@ struct ieee80211_sta_rx_stats { + u64 msdu[IEEE80211_NUM_TIDS + 1]; + }; + ++/* ++ * IEEE 802.11-2016 (10.6 "Defragmentation") recommends support for "concurrent ++ * reception of at least one MSDU per access category per associated STA" ++ * on APs, or "at least one MSDU per access category" on other interface types. ++ * ++ * This limit can be increased by changing this define, at the cost of slower ++ * frame reassembly and increased memory use while fragments are pending. ++ */ ++#define IEEE80211_FRAGMENT_MAX 4 ++ ++struct ieee80211_fragment_entry { ++ struct sk_buff_head skb_list; ++ unsigned long first_frag_time; ++ u16 seq; ++ u16 extra_len; ++ u16 last_frag; ++ u8 rx_queue; ++ u8 check_sequential_pn:1, /* needed for CCMP/GCMP */ ++ is_protected:1; ++ u8 last_pn[6]; /* PN of the last fragment if CCMP was used */ ++ unsigned int key_color; ++}; ++ ++struct ieee80211_fragment_cache { ++ struct ieee80211_fragment_entry entries[IEEE80211_FRAGMENT_MAX]; ++ unsigned int next; ++}; ++ + /* + * The bandwidth threshold below which the per-station CoDel parameters will be + * scaled to be more lenient (to prevent starvation of slow stations). This +@@ -482,6 +511,7 @@ struct ieee80211_sta_rx_stats { + * @pcpu_rx_stats: per-CPU RX statistics, assigned only if the driver needs + * this (by advertising the USES_RSS hw flag) + * @status_stats: TX status statistics ++ * @frags: fragment cache + */ + struct sta_info { + /* General information, mostly static */ +@@ -583,6 +613,8 @@ struct sta_info { + + struct cfg80211_chan_def tdls_chandef; + ++ struct ieee80211_fragment_cache frags; ++ + /* keep last! */ + struct ieee80211_sta sta; + }; +diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c +index 5dd48f0a4b1bd..dbeccccf0fdf3 100644 +--- a/net/mac80211/wpa.c ++++ b/net/mac80211/wpa.c +@@ -2,6 +2,7 @@ + * Copyright 2002-2004, Instant802 Networks, Inc. + * Copyright 2008, Jouni Malinen <[email protected]> + * Copyright (C) 2016-2017 Intel Deutschland GmbH ++ * Copyright (C) 2020-2021 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -170,8 +171,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx) + + update_iv: + /* update IV in key information to be able to detect replays */ +- rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32; +- rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16; ++ rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip.iv32; ++ rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip.iv16; + + return RX_CONTINUE; + +@@ -297,8 +298,8 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx) + key, skb->data + hdrlen, + skb->len - hdrlen, rx->sta->sta.addr, + hdr->addr1, hwaccel, rx->security_idx, +- &rx->tkip_iv32, +- &rx->tkip_iv16); ++ &rx->tkip.iv32, ++ &rx->tkip.iv16); + if (res != TKIP_DECRYPT_OK) + return RX_DROP_UNUSABLE; + +@@ -556,6 +557,8 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx, + } + + memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN); ++ if (unlikely(ieee80211_is_frag(hdr))) ++ memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN); + } + + /* Remove CCMP header and MIC */ +@@ -784,6 +787,8 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx) + } + + memcpy(key->u.gcmp.rx_pn[queue], pn, IEEE80211_GCMP_PN_LEN); ++ if (unlikely(ieee80211_is_frag(hdr))) ++ memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN); + } + + /* Remove GCMP header and MIC */ +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index 074960154993f..33c23af6709d4 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1187,6 +1187,7 @@ EXPORT_SYMBOL(nci_allocate_device); + void nci_free_device(struct nci_dev *ndev) + { + nfc_free_device(ndev->nfc_dev); ++ nci_hci_deallocate(ndev); + kfree(ndev); + } + EXPORT_SYMBOL(nci_free_device); +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index c0d323b58e732..c972c212e7caf 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -807,3 +807,8 @@ struct nci_hci_dev *nci_hci_allocate(struct nci_dev *ndev) + + return hdev; + } ++ ++void nci_hci_deallocate(struct nci_dev *ndev) ++{ ++ kfree(ndev->hci_dev); ++} +diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c +index 5ea2471ffc03f..9b0c54f0702c0 100644 +--- a/net/openvswitch/meter.c ++++ b/net/openvswitch/meter.c +@@ -464,6 +464,14 @@ bool ovs_meter_execute(struct datapath *dp, struct sk_buff *skb, + spin_lock(&meter->lock); + + long_delta_ms = (now_ms - meter->used); /* ms */ ++ if (long_delta_ms < 0) { ++ /* This condition means that we have several threads fighting ++ * for a meter lock, and the one who received the packets a ++ * bit later wins. Assuming that all racing threads received ++ * packets at the same time to avoid overflow. ++ */ ++ long_delta_ms = 0; ++ } + + /* Make sure delta_ms will not be too large, so that bucket will not + * wrap around below. +diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c +index 1c2fce8c45b2d..fe030af9272c4 100644 +--- a/net/sched/sch_dsmark.c ++++ b/net/sched/sch_dsmark.c +@@ -402,7 +402,8 @@ static void dsmark_reset(struct Qdisc *sch) + struct dsmark_qdisc_data *p = qdisc_priv(sch); + + pr_debug("%s(sch %p,[qdisc %p])\n", __func__, sch, p); +- qdisc_reset(p->q); ++ if (p->q) ++ qdisc_reset(p->q); + sch->qstats.backlog = 0; + sch->q.qlen = 0; + } +diff --git a/net/tipc/msg.c b/net/tipc/msg.c +index f04843ca82162..0ac2704449744 100644 +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -141,18 +141,13 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + if (unlikely(head)) + goto err; + *buf = NULL; ++ if (skb_has_frag_list(frag) && __skb_linearize(frag)) ++ goto err; + frag = skb_unshare(frag, GFP_ATOMIC); + if (unlikely(!frag)) + goto err; + head = *headbuf = frag; + TIPC_SKB_CB(head)->tail = NULL; +- if (skb_is_nonlinear(head)) { +- skb_walk_frags(head, tail) { +- TIPC_SKB_CB(head)->tail = tail; +- } +- } else { +- skb_frag_list_init(head); +- } + return 0; + } + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 4c35f9893081c..3c41fb8edc5f1 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -1187,7 +1187,10 @@ void tipc_sk_mcast_rcv(struct net *net, struct sk_buff_head *arrvq, + spin_lock_bh(&inputq->lock); + if (skb_peek(arrvq) == skb) { + skb_queue_splice_tail_init(&tmpq, inputq); +- __skb_dequeue(arrvq); ++ /* Decrease the skb's refcnt as increasing in the ++ * function tipc_skb_peek ++ */ ++ kfree_skb(__skb_dequeue(arrvq)); + } + spin_unlock_bh(&inputq->lock); + __skb_queue_purge(&tmpq); +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 1a878b84cbd0d..6f9cff2ee7953 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -422,7 +422,7 @@ EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen); + + int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, + const u8 *addr, enum nl80211_iftype iftype, +- u8 data_offset) ++ u8 data_offset, bool is_amsdu) + { + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; + struct { +@@ -510,7 +510,7 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr, + skb_copy_bits(skb, hdrlen, &payload, sizeof(payload)); + tmp.h_proto = payload.proto; + +- if (likely((ether_addr_equal(payload.hdr, rfc1042_header) && ++ if (likely((!is_amsdu && ether_addr_equal(payload.hdr, rfc1042_header) && + tmp.h_proto != htons(ETH_P_AARP) && + tmp.h_proto != htons(ETH_P_IPX)) || + ether_addr_equal(payload.hdr, bridge_tunnel_header))) +@@ -652,6 +652,9 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, + remaining = skb->len - offset; + if (subframe_len > remaining) + goto purge; ++ /* mitigate A-MSDU aggregation injection attacks */ ++ if (ether_addr_equal(eth.h_dest, rfc1042_header)) ++ goto purge; + + offset += sizeof(struct ethhdr); + last = remaining <= subframe_len + padding; +diff --git a/sound/soc/codecs/cs35l33.c b/sound/soc/codecs/cs35l33.c +index 668cd3754209d..73fa784646e5a 100644 +--- a/sound/soc/codecs/cs35l33.c ++++ b/sound/soc/codecs/cs35l33.c +@@ -1204,6 +1204,7 @@ static int cs35l33_i2c_probe(struct i2c_client *i2c_client, + dev_err(&i2c_client->dev, + "CS35L33 Device ID (%X). Expected ID %X\n", + devid, CS35L33_CHIP_ID); ++ ret = -EINVAL; + goto err_enable; + } + +diff --git a/sound/soc/codecs/cs43130.c b/sound/soc/codecs/cs43130.c +index 80dc421971548..cf29dec28b5e3 100644 +--- a/sound/soc/codecs/cs43130.c ++++ b/sound/soc/codecs/cs43130.c +@@ -1738,6 +1738,14 @@ static DEVICE_ATTR(hpload_dc_r, 0444, cs43130_show_dc_r, NULL); + static DEVICE_ATTR(hpload_ac_l, 0444, cs43130_show_ac_l, NULL); + static DEVICE_ATTR(hpload_ac_r, 0444, cs43130_show_ac_r, NULL); + ++static struct attribute *hpload_attrs[] = { ++ &dev_attr_hpload_dc_l.attr, ++ &dev_attr_hpload_dc_r.attr, ++ &dev_attr_hpload_ac_l.attr, ++ &dev_attr_hpload_ac_r.attr, ++}; ++ATTRIBUTE_GROUPS(hpload); ++ + static struct reg_sequence hp_en_cal_seq[] = { + {CS43130_INT_MASK_4, CS43130_INT_MASK_ALL}, + {CS43130_HP_MEAS_LOAD_1, 0}, +@@ -2305,23 +2313,15 @@ static int cs43130_probe(struct snd_soc_component *component) + + cs43130->hpload_done = false; + if (cs43130->dc_meas) { +- ret = device_create_file(component->dev, &dev_attr_hpload_dc_l); +- if (ret < 0) +- return ret; +- +- ret = device_create_file(component->dev, &dev_attr_hpload_dc_r); +- if (ret < 0) +- return ret; +- +- ret = device_create_file(component->dev, &dev_attr_hpload_ac_l); +- if (ret < 0) +- return ret; +- +- ret = device_create_file(component->dev, &dev_attr_hpload_ac_r); +- if (ret < 0) ++ ret = sysfs_create_groups(&component->dev->kobj, hpload_groups); ++ if (ret) + return ret; + + cs43130->wq = create_singlethread_workqueue("cs43130_hp"); ++ if (!cs43130->wq) { ++ sysfs_remove_groups(&component->dev->kobj, hpload_groups); ++ return -ENOMEM; ++ } + INIT_WORK(&cs43130->work, cs43130_imp_meas); + } + +diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c +index 6631970f96832..31331c42b0e35 100644 +--- a/tools/perf/pmu-events/jevents.c ++++ b/tools/perf/pmu-events/jevents.c +@@ -858,7 +858,7 @@ static int get_maxfds(void) + struct rlimit rlim; + + if (getrlimit(RLIMIT_NOFILE, &rlim) == 0) +- return min((int)rlim.rlim_max / 2, 512); ++ return min(rlim.rlim_max / 2, (rlim_t)512); + + return 512; + } +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +index e2f038f84dbc1..e2a6c22959f26 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -1063,6 +1063,8 @@ static bool intel_pt_fup_event(struct intel_pt_decoder *decoder) + decoder->set_fup_tx_flags = false; + decoder->tx_flags = decoder->fup_tx_flags; + decoder->state.type = INTEL_PT_TRANSACTION; ++ if (decoder->fup_tx_flags & INTEL_PT_ABORT_TX) ++ decoder->state.type |= INTEL_PT_BRANCH; + decoder->state.from_ip = decoder->ip; + decoder->state.to_ip = 0; + decoder->state.flags = decoder->fup_tx_flags; +@@ -1129,8 +1131,10 @@ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder) + return 0; + if (err == -EAGAIN || + intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) { ++ bool no_tip = decoder->pkt_state != INTEL_PT_STATE_FUP; ++ + decoder->pkt_state = INTEL_PT_STATE_IN_SYNC; +- if (intel_pt_fup_event(decoder)) ++ if (intel_pt_fup_event(decoder) && no_tip) + return 0; + return -EAGAIN; + } +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index 2434a0014491f..256b4755c0870 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -505,8 +505,10 @@ static int intel_pt_walk_next_insn(struct intel_pt_insn *intel_pt_insn, + + *ip += intel_pt_insn->length; + +- if (to_ip && *ip == to_ip) ++ if (to_ip && *ip == to_ip) { ++ intel_pt_insn->length = 0; + goto out_no_cache; ++ } + + if (*ip >= al.map->end) + break; +@@ -893,6 +895,7 @@ static void intel_pt_set_pid_tid_cpu(struct intel_pt *pt, + + static void intel_pt_sample_flags(struct intel_pt_queue *ptq) + { ++ ptq->insn_len = 0; + if (ptq->state->flags & INTEL_PT_ABORT_TX) { + ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_TX_ABORT; + } else if (ptq->state->flags & INTEL_PT_ASYNC) { +diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c +index 9db5a7378f40f..e1e4b6ab83f74 100644 +--- a/tools/testing/selftests/bpf/test_verifier.c ++++ b/tools/testing/selftests/bpf/test_verifier.c +@@ -2002,29 +2002,27 @@ static struct bpf_test tests[] = { + .result = ACCEPT, + }, + { +- "check skb->hash byte load not permitted 1", ++ "check skb->hash byte load permitted 1", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, hash) + 1), + BPF_EXIT_INSN(), + }, +- .errstr = "invalid bpf_context access", +- .result = REJECT, ++ .result = ACCEPT, + }, + { +- "check skb->hash byte load not permitted 2", ++ "check skb->hash byte load permitted 2", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, hash) + 2), + BPF_EXIT_INSN(), + }, +- .errstr = "invalid bpf_context access", +- .result = REJECT, ++ .result = ACCEPT, + }, + { +- "check skb->hash byte load not permitted 3", ++ "check skb->hash byte load permitted 3", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + #if __BYTE_ORDER == __LITTLE_ENDIAN +@@ -2036,8 +2034,7 @@ static struct bpf_test tests[] = { + #endif + BPF_EXIT_INSN(), + }, +- .errstr = "invalid bpf_context access", +- .result = REJECT, ++ .result = ACCEPT, + }, + { + "check cb access: byte, wrong type", +@@ -2149,7 +2146,7 @@ static struct bpf_test tests[] = { + .result = ACCEPT, + }, + { +- "check skb->hash half load not permitted", ++ "check skb->hash half load permitted 2", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + #if __BYTE_ORDER == __LITTLE_ENDIAN +@@ -2158,6 +2155,37 @@ static struct bpf_test tests[] = { + #else + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, hash)), ++#endif ++ BPF_EXIT_INSN(), ++ }, ++ .result = ACCEPT, ++ }, ++ { ++ "check skb->hash half load not permitted, unaligned 1", ++ .insns = { ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++#if __BYTE_ORDER == __LITTLE_ENDIAN ++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, ++ offsetof(struct __sk_buff, hash) + 1), ++#else ++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, ++ offsetof(struct __sk_buff, hash) + 3), ++#endif ++ BPF_EXIT_INSN(), ++ }, ++ .errstr = "invalid bpf_context access", ++ .result = REJECT, ++ }, ++ { ++ "check skb->hash half load not permitted, unaligned 3", ++ .insns = { ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++#if __BYTE_ORDER == __LITTLE_ENDIAN ++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, ++ offsetof(struct __sk_buff, hash) + 3), ++#else ++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, ++ offsetof(struct __sk_buff, hash) + 1), + #endif + BPF_EXIT_INSN(), + }, +@@ -2448,6 +2476,7 @@ static struct bpf_test tests[] = { + }, + .result = REJECT, + .errstr = "invalid stack off=-79992 size=8", ++ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", + }, + { + "PTR_TO_STACK store/load - out of bounds high", +@@ -2836,7 +2865,7 @@ static struct bpf_test tests[] = { + .result = ACCEPT, + }, + { +- "unpriv: adding of fp", ++ "unpriv: adding of fp, reg", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_MOV64_IMM(BPF_REG_1, 0), +@@ -2844,6 +2873,21 @@ static struct bpf_test tests[] = { + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", ++ .result_unpriv = REJECT, ++ .result = ACCEPT, ++ }, ++ { ++ "unpriv: adding of fp, imm", ++ .insns = { ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0), ++ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), ++ BPF_EXIT_INSN(), ++ }, ++ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", ++ .result_unpriv = REJECT, + .result = ACCEPT, + }, + { +@@ -7813,7 +7857,7 @@ static struct bpf_test tests[] = { + BPF_JMP_IMM(BPF_JA, 0, 0, -7), + }, + .fixup_map1 = { 4 }, +- .errstr = "R0 invalid mem access 'inv'", ++ .errstr = "unbounded min value", + .result = REJECT, + }, + { +@@ -7894,6 +7938,7 @@ static struct bpf_test tests[] = { + }, + .fixup_map1 = { 3 }, + .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", ++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", + .result = REJECT, + }, + { +@@ -8266,6 +8311,7 @@ static struct bpf_test tests[] = { + }, + .fixup_map1 = { 3 }, + .errstr = "pointer offset 1073741822", ++ .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", + .result = REJECT + }, + { +@@ -8287,6 +8333,7 @@ static struct bpf_test tests[] = { + }, + .fixup_map1 = { 3 }, + .errstr = "pointer offset -1073741822", ++ .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", + .result = REJECT + }, + { +@@ -8458,6 +8505,7 @@ static struct bpf_test tests[] = { + BPF_EXIT_INSN() + }, + .errstr = "fp pointer offset 1073741822", ++ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", + .result = REJECT + }, + { +@@ -9739,8 +9787,9 @@ static struct bpf_test tests[] = { + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 2", +@@ -9753,6 +9802,8 @@ static struct bpf_test tests[] = { + BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 1, + }, +@@ -9764,32 +9815,37 @@ static struct bpf_test tests[] = { + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 4", + .insns = { ++ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1), + BPF_EXIT_INSN(), + BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), + BPF_EXIT_INSN(), +- BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), ++ BPF_ALU64_REG(BPF_SUB, BPF_REG_6, BPF_REG_0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R6 has pointer with unsupported alu operation", ++ .result_unpriv = REJECT, + .result = ACCEPT, + }, + { + "check deducing bounds from const, 5", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), +- BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), ++ BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1), + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 6", +@@ -9800,8 +9856,9 @@ static struct bpf_test tests[] = { + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 7", +@@ -9813,8 +9870,9 @@ static struct bpf_test tests[] = { + offsetof(struct __sk_buff, mark)), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", + .errstr = "dereference of modified ctx ptr", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 8", +@@ -9826,8 +9884,9 @@ static struct bpf_test tests[] = { + offsetof(struct __sk_buff, mark)), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", + .errstr = "dereference of modified ctx ptr", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 9", +@@ -9837,8 +9896,9 @@ static struct bpf_test tests[] = { + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 10", +@@ -9850,8 +9910,8 @@ static struct bpf_test tests[] = { + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, + .errstr = "math between ctx pointer and register with unbounded min value is not allowed", ++ .result = REJECT, + }, + { + "bpf_exit with invalid return code. test1", +@@ -12182,17 +12242,17 @@ static struct bpf_test tests[] = { + BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), +- BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)), ++ BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)/2), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), +- BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)), ++ BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)/2), + BPF_MOV64_IMM(BPF_REG_4, 256), + BPF_EMIT_CALL(BPF_FUNC_get_stack), + BPF_MOV64_IMM(BPF_REG_1, 0), + BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), + BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32), + BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32), +- BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16), ++ BPF_JMP_REG(BPF_JSLT, BPF_REG_8, BPF_REG_1, 16), + BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), + BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8), +@@ -12202,7 +12262,7 @@ static struct bpf_test tests[] = { + BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), + BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), +- BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)), ++ BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)/2), + BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5), + BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
