commit: b4dd90b1bc402c72ed0d3e4fad8c8dadaf1197d2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Wed Jun 30 14:26:14 2021 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Wed Jun 30 14:26:14 2021 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=b4dd90b1
Linux patch 4.14.238 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 4 + 1237_linux-4.14.238.patch | 2489 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 2493 insertions(+) diff --git a/0000_README b/0000_README index 165f37f..487ae9d 100644 --- a/0000_README +++ b/0000_README @@ -991,6 +991,10 @@ Patch: 1236_linux-4.14.237.patch From: https://www.kernel.org Desc: Linux 4.14.237 +Patch: 1237_linux-4.14.238.patch +From: https://www.kernel.org +Desc: Linux 4.14.238 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1237_linux-4.14.238.patch b/1237_linux-4.14.238.patch new file mode 100644 index 0000000..bf167cd --- /dev/null +++ b/1237_linux-4.14.238.patch @@ -0,0 +1,2489 @@ +diff --git a/Makefile b/Makefile +index bc9833fdca1ae..5442918651e00 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 14 +-SUBLEVEL = 237 ++SUBLEVEL = 238 + EXTRAVERSION = + NAME = Petit Gorille + +@@ -716,12 +716,11 @@ KBUILD_CFLAGS += $(call cc-disable-warning, tautological-compare) + # See modpost pattern 2 + KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,) + KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior) +-else ++endif + + # These warnings generated too much noise in a regular build. + # Use make W=1 to enable them (see scripts/Makefile.extrawarn) + KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable) +-endif + + KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable) + ifdef CONFIG_FRAME_POINTER +diff --git a/arch/arc/include/uapi/asm/sigcontext.h b/arch/arc/include/uapi/asm/sigcontext.h +index 95f8a4380e110..7a5449dfcb290 100644 +--- a/arch/arc/include/uapi/asm/sigcontext.h ++++ b/arch/arc/include/uapi/asm/sigcontext.h +@@ -18,6 +18,7 @@ + */ + struct sigcontext { + struct user_regs_struct regs; ++ struct user_regs_arcv2 v2abi; + }; + + #endif /* _ASM_ARC_SIGCONTEXT_H */ +diff --git a/arch/arc/kernel/signal.c b/arch/arc/kernel/signal.c +index da243420bcb58..68901f6f18bab 100644 +--- a/arch/arc/kernel/signal.c ++++ b/arch/arc/kernel/signal.c +@@ -64,6 +64,41 @@ struct rt_sigframe { + unsigned int sigret_magic; + }; + ++static int save_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs) ++{ ++ int err = 0; ++#ifndef CONFIG_ISA_ARCOMPACT ++ struct user_regs_arcv2 v2abi; ++ ++ v2abi.r30 = regs->r30; ++#ifdef CONFIG_ARC_HAS_ACCL_REGS ++ v2abi.r58 = regs->r58; ++ v2abi.r59 = regs->r59; ++#else ++ v2abi.r58 = v2abi.r59 = 0; ++#endif ++ err = __copy_to_user(&mctx->v2abi, &v2abi, sizeof(v2abi)); ++#endif ++ return err; ++} ++ ++static int restore_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs) ++{ ++ int err = 0; ++#ifndef CONFIG_ISA_ARCOMPACT ++ struct user_regs_arcv2 v2abi; ++ ++ err = __copy_from_user(&v2abi, &mctx->v2abi, sizeof(v2abi)); ++ ++ regs->r30 = v2abi.r30; ++#ifdef CONFIG_ARC_HAS_ACCL_REGS ++ regs->r58 = v2abi.r58; ++ regs->r59 = v2abi.r59; ++#endif ++#endif ++ return err; ++} ++ + static int + stash_usr_regs(struct rt_sigframe __user *sf, struct pt_regs *regs, + sigset_t *set) +@@ -97,6 +132,10 @@ stash_usr_regs(struct rt_sigframe __user *sf, struct pt_regs *regs, + + err = __copy_to_user(&(sf->uc.uc_mcontext.regs.scratch), &uregs.scratch, + sizeof(sf->uc.uc_mcontext.regs.scratch)); ++ ++ if (is_isa_arcv2()) ++ err |= save_arcv2_regs(&(sf->uc.uc_mcontext), regs); ++ + err |= __copy_to_user(&sf->uc.uc_sigmask, set, sizeof(sigset_t)); + + return err ? -EFAULT : 0; +@@ -112,6 +151,10 @@ static int restore_usr_regs(struct pt_regs *regs, struct rt_sigframe __user *sf) + err |= __copy_from_user(&uregs.scratch, + &(sf->uc.uc_mcontext.regs.scratch), + sizeof(sf->uc.uc_mcontext.regs.scratch)); ++ ++ if (is_isa_arcv2()) ++ err |= restore_arcv2_regs(&(sf->uc.uc_mcontext), regs); ++ + if (err) + return -EFAULT; + +diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c +index a6d27284105a1..ac4ffd97ae823 100644 +--- a/arch/arm/kernel/setup.c ++++ b/arch/arm/kernel/setup.c +@@ -547,9 +547,11 @@ void notrace cpu_init(void) + * In Thumb-2, msr with an immediate value is not allowed. + */ + #ifdef CONFIG_THUMB2_KERNEL +-#define PLC "r" ++#define PLC_l "l" ++#define PLC_r "r" + #else +-#define PLC "I" ++#define PLC_l "I" ++#define PLC_r "I" + #endif + + /* +@@ -571,15 +573,15 @@ void notrace cpu_init(void) + "msr cpsr_c, %9" + : + : "r" (stk), +- PLC (PSR_F_BIT | PSR_I_BIT | IRQ_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | IRQ_MODE), + "I" (offsetof(struct stack, irq[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | ABT_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | ABT_MODE), + "I" (offsetof(struct stack, abt[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | UND_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | UND_MODE), + "I" (offsetof(struct stack, und[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | FIQ_MODE), ++ PLC_r (PSR_F_BIT | PSR_I_BIT | FIQ_MODE), + "I" (offsetof(struct stack, fiq[0])), +- PLC (PSR_F_BIT | PSR_I_BIT | SVC_MODE) ++ PLC_l (PSR_F_BIT | PSR_I_BIT | SVC_MODE) + : "r14"); + #endif + } +diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c +index 20f25539d5726..47abea1475d46 100644 +--- a/arch/arm/mach-omap2/board-n8x0.c ++++ b/arch/arm/mach-omap2/board-n8x0.c +@@ -325,6 +325,7 @@ static int n8x0_mmc_get_cover_state(struct device *dev, int slot) + + static void n8x0_mmc_callback(void *data, u8 card_mask) + { ++#ifdef CONFIG_MMC_OMAP + int bit, *openp, index; + + if (board_is_n800()) { +@@ -342,7 +343,6 @@ static void n8x0_mmc_callback(void *data, u8 card_mask) + else + *openp = 0; + +-#ifdef CONFIG_MMC_OMAP + omap_mmc_notify_cover_event(mmc_device, index, *openp); + #else + pr_warn("MMC: notify cover event not available\n"); +diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c +index 53df84b2a07f4..4ee1228d29eb8 100644 +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -670,6 +670,28 @@ static void armv8pmu_disable_event(struct perf_event *event) + raw_spin_unlock_irqrestore(&events->pmu_lock, flags); + } + ++static void armv8pmu_start(struct arm_pmu *cpu_pmu) ++{ ++ unsigned long flags; ++ struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events); ++ ++ raw_spin_lock_irqsave(&events->pmu_lock, flags); ++ /* Enable all counters */ ++ armv8pmu_pmcr_write(armv8pmu_pmcr_read() | ARMV8_PMU_PMCR_E); ++ raw_spin_unlock_irqrestore(&events->pmu_lock, flags); ++} ++ ++static void armv8pmu_stop(struct arm_pmu *cpu_pmu) ++{ ++ unsigned long flags; ++ struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events); ++ ++ raw_spin_lock_irqsave(&events->pmu_lock, flags); ++ /* Disable all counters */ ++ armv8pmu_pmcr_write(armv8pmu_pmcr_read() & ~ARMV8_PMU_PMCR_E); ++ raw_spin_unlock_irqrestore(&events->pmu_lock, flags); ++} ++ + static irqreturn_t armv8pmu_handle_irq(int irq_num, void *dev) + { + u32 pmovsr; +@@ -695,6 +717,11 @@ static irqreturn_t armv8pmu_handle_irq(int irq_num, void *dev) + */ + regs = get_irq_regs(); + ++ /* ++ * Stop the PMU while processing the counter overflows ++ * to prevent skews in group events. ++ */ ++ armv8pmu_stop(cpu_pmu); + for (idx = 0; idx < cpu_pmu->num_events; ++idx) { + struct perf_event *event = cpuc->events[idx]; + struct hw_perf_event *hwc; +@@ -719,6 +746,7 @@ static irqreturn_t armv8pmu_handle_irq(int irq_num, void *dev) + if (perf_event_overflow(event, &data, regs)) + cpu_pmu->disable(event); + } ++ armv8pmu_start(cpu_pmu); + + /* + * Handle the pending perf events. +@@ -732,28 +760,6 @@ static irqreturn_t armv8pmu_handle_irq(int irq_num, void *dev) + return IRQ_HANDLED; + } + +-static void armv8pmu_start(struct arm_pmu *cpu_pmu) +-{ +- unsigned long flags; +- struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events); +- +- raw_spin_lock_irqsave(&events->pmu_lock, flags); +- /* Enable all counters */ +- armv8pmu_pmcr_write(armv8pmu_pmcr_read() | ARMV8_PMU_PMCR_E); +- raw_spin_unlock_irqrestore(&events->pmu_lock, flags); +-} +- +-static void armv8pmu_stop(struct arm_pmu *cpu_pmu) +-{ +- unsigned long flags; +- struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events); +- +- raw_spin_lock_irqsave(&events->pmu_lock, flags); +- /* Disable all counters */ +- armv8pmu_pmcr_write(armv8pmu_pmcr_read() & ~ARMV8_PMU_PMCR_E); +- raw_spin_unlock_irqrestore(&events->pmu_lock, flags); +-} +- + static int armv8pmu_get_event_idx(struct pmu_hw_events *cpuc, + struct perf_event *event) + { +diff --git a/arch/mips/generic/board-boston.its.S b/arch/mips/generic/board-boston.its.S +index a7f51f97b9102..c45ad27594218 100644 +--- a/arch/mips/generic/board-boston.its.S ++++ b/arch/mips/generic/board-boston.its.S +@@ -1,22 +1,22 @@ + / { + images { +- fdt@boston { ++ fdt-boston { + description = "img,boston Device Tree"; + data = /incbin/("boot/dts/img/boston.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@boston { ++ conf-boston { + description = "Boston Linux kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@boston"; ++ kernel = "kernel"; ++ fdt = "fdt-boston"; + }; + }; + }; +diff --git a/arch/mips/generic/board-ni169445.its.S b/arch/mips/generic/board-ni169445.its.S +index e4cb4f95a8cc1..0a2e8f7a8526f 100644 +--- a/arch/mips/generic/board-ni169445.its.S ++++ b/arch/mips/generic/board-ni169445.its.S +@@ -1,22 +1,22 @@ + / { + images { +- fdt@ni169445 { ++ fdt-ni169445 { + description = "NI 169445 device tree"; + data = /incbin/("boot/dts/ni/169445.dtb"); + type = "flat_dt"; + arch = "mips"; + compression = "none"; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- conf@ni169445 { ++ conf-ni169445 { + description = "NI 169445 Linux Kernel"; +- kernel = "kernel@0"; +- fdt = "fdt@ni169445"; ++ kernel = "kernel"; ++ fdt = "fdt-ni169445"; + }; + }; + }; +diff --git a/arch/mips/generic/vmlinux.its.S b/arch/mips/generic/vmlinux.its.S +index 1a08438fd8930..3e254676540f4 100644 +--- a/arch/mips/generic/vmlinux.its.S ++++ b/arch/mips/generic/vmlinux.its.S +@@ -6,7 +6,7 @@ + #address-cells = <ADDR_CELLS>; + + images { +- kernel@0 { ++ kernel { + description = KERNEL_NAME; + data = /incbin/(VMLINUX_BINARY); + type = "kernel"; +@@ -15,18 +15,18 @@ + compression = VMLINUX_COMPRESSION; + load = /bits/ ADDR_BITS <VMLINUX_LOAD_ADDRESS>; + entry = /bits/ ADDR_BITS <VMLINUX_ENTRY_ADDRESS>; +- hash@0 { ++ hash { + algo = "sha1"; + }; + }; + }; + + configurations { +- default = "conf@default"; ++ default = "conf-default"; + +- conf@default { ++ conf-default { + description = "Generic Linux kernel"; +- kernel = "kernel@0"; ++ kernel = "kernel"; + }; + }; + }; +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c +index d99a8ee9e185e..86a231338bbfe 100644 +--- a/arch/x86/kernel/fpu/signal.c ++++ b/arch/x86/kernel/fpu/signal.c +@@ -272,6 +272,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) + int state_size = fpu_kernel_xstate_size; + u64 xfeatures = 0; + int fx_only = 0; ++ int ret = 0; + + ia32_fxstate &= (IS_ENABLED(CONFIG_X86_32) || + IS_ENABLED(CONFIG_IA32_EMULATION)); +@@ -281,15 +282,21 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) + return 0; + } + +- if (!access_ok(VERIFY_READ, buf, size)) +- return -EACCES; ++ if (!access_ok(VERIFY_READ, buf, size)) { ++ ret = -EACCES; ++ goto out_err; ++ } + + fpu__initialize(fpu); + +- if (!static_cpu_has(X86_FEATURE_FPU)) +- return fpregs_soft_set(current, NULL, +- 0, sizeof(struct user_i387_ia32_struct), +- NULL, buf) != 0; ++ if (!static_cpu_has(X86_FEATURE_FPU)) { ++ ret = fpregs_soft_set(current, NULL, ++ 0, sizeof(struct user_i387_ia32_struct), ++ NULL, buf) != 0; ++ if (ret) ++ goto out_err; ++ return 0; ++ } + + if (use_xsave()) { + struct _fpx_sw_bytes fx_sw_user; +@@ -349,6 +356,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) + fpu__restore(fpu); + local_bh_enable(); + ++ /* Failure is already handled */ + return err; + } else { + /* +@@ -356,13 +364,14 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) + * state to the registers directly (with exceptions handled). + */ + user_fpu_begin(); +- if (copy_user_to_fpregs_zeroing(buf_fx, xfeatures, fx_only)) { +- fpu__clear(fpu); +- return -1; +- } ++ if (!copy_user_to_fpregs_zeroing(buf_fx, xfeatures, fx_only)) ++ return 0; ++ ret = -1; + } + +- return 0; ++out_err: ++ fpu__clear(fpu); ++ return ret; + } + + static inline int xstate_sigframe_size(void) +diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig +index 79b809dbfda01..ff69feefc1c67 100644 +--- a/drivers/dma/Kconfig ++++ b/drivers/dma/Kconfig +@@ -58,6 +58,7 @@ config DMA_OF + #devices + config ALTERA_MSGDMA + tristate "Altera / Intel mSGDMA Engine" ++ depends on HAS_IOMEM + select DMA_ENGINE + help + Enable support for Altera / Intel mSGDMA controller. +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c +index c034f506e015a..a8cea236099a1 100644 +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -2563,13 +2563,15 @@ static struct dma_async_tx_descriptor *pl330_prep_dma_cyclic( + for (i = 0; i < len / period_len; i++) { + desc = pl330_get_desc(pch); + if (!desc) { ++ unsigned long iflags; ++ + dev_err(pch->dmac->ddma.dev, "%s:%d Unable to fetch desc\n", + __func__, __LINE__); + + if (!first) + return NULL; + +- spin_lock_irqsave(&pl330->pool_lock, flags); ++ spin_lock_irqsave(&pl330->pool_lock, iflags); + + while (!list_empty(&first->node)) { + desc = list_entry(first->node.next, +@@ -2579,7 +2581,7 @@ static struct dma_async_tx_descriptor *pl330_prep_dma_cyclic( + + list_move_tail(&first->node, &pl330->desc_pool); + +- spin_unlock_irqrestore(&pl330->pool_lock, flags); ++ spin_unlock_irqrestore(&pl330->pool_lock, iflags); + + return NULL; + } +diff --git a/drivers/dma/qcom/Kconfig b/drivers/dma/qcom/Kconfig +index a7761c4025f41..a97c7123d913c 100644 +--- a/drivers/dma/qcom/Kconfig ++++ b/drivers/dma/qcom/Kconfig +@@ -9,6 +9,7 @@ config QCOM_BAM_DMA + + config QCOM_HIDMA_MGMT + tristate "Qualcomm Technologies HIDMA Management support" ++ depends on HAS_IOMEM + select DMA_ENGINE + help + Enable support for the Qualcomm Technologies HIDMA Management. +diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c +index 90feb6a05e59b..ee15d4fefbad2 100644 +--- a/drivers/dma/ste_dma40.c ++++ b/drivers/dma/ste_dma40.c +@@ -3656,6 +3656,9 @@ static int __init d40_probe(struct platform_device *pdev) + + kfree(base->lcla_pool.base_unaligned); + ++ if (base->lcpa_base) ++ iounmap(base->lcpa_base); ++ + if (base->phy_lcpa) + release_mem_region(base->phy_lcpa, + base->lcpa_size); +diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c +index 1fefc93af1d78..bbfce7b9d03e1 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_prime.c ++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c +@@ -98,7 +98,22 @@ int nouveau_gem_prime_pin(struct drm_gem_object *obj) + if (ret) + return -EINVAL; + +- return 0; ++ ret = ttm_bo_reserve(&nvbo->bo, false, false, NULL); ++ if (ret) ++ goto error; ++ ++ if (nvbo->bo.moving) ++ ret = dma_fence_wait(nvbo->bo.moving, true); ++ ++ ttm_bo_unreserve(&nvbo->bo); ++ if (ret) ++ goto error; ++ ++ return ret; ++ ++error: ++ nouveau_bo_unpin(nvbo); ++ return ret; + } + + void nouveau_gem_prime_unpin(struct drm_gem_object *obj) +diff --git a/drivers/gpu/drm/radeon/radeon_prime.c b/drivers/gpu/drm/radeon/radeon_prime.c +index 7110d403322c4..c138e07f51a3e 100644 +--- a/drivers/gpu/drm/radeon/radeon_prime.c ++++ b/drivers/gpu/drm/radeon/radeon_prime.c +@@ -92,9 +92,19 @@ int radeon_gem_prime_pin(struct drm_gem_object *obj) + + /* pin buffer into GTT */ + ret = radeon_bo_pin(bo, RADEON_GEM_DOMAIN_GTT, NULL); +- if (likely(ret == 0)) +- bo->prime_shared_count++; +- ++ if (unlikely(ret)) ++ goto error; ++ ++ if (bo->tbo.moving) { ++ ret = dma_fence_wait(bo->tbo.moving, false); ++ if (unlikely(ret)) { ++ radeon_bo_unpin(bo); ++ goto error; ++ } ++ } ++ ++ bo->prime_shared_count++; ++error: + radeon_bo_unreserve(bo); + return ret; + } +diff --git a/drivers/gpu/drm/radeon/radeon_uvd.c b/drivers/gpu/drm/radeon/radeon_uvd.c +index 95f4db70dd223..fde9c69ecc869 100644 +--- a/drivers/gpu/drm/radeon/radeon_uvd.c ++++ b/drivers/gpu/drm/radeon/radeon_uvd.c +@@ -286,7 +286,7 @@ int radeon_uvd_resume(struct radeon_device *rdev) + if (rdev->uvd.vcpu_bo == NULL) + return -EINVAL; + +- memcpy(rdev->uvd.cpu_addr, rdev->uvd_fw->data, rdev->uvd_fw->size); ++ memcpy_toio((void __iomem *)rdev->uvd.cpu_addr, rdev->uvd_fw->data, rdev->uvd_fw->size); + + size = radeon_bo_size(rdev->uvd.vcpu_bo); + size -= rdev->uvd_fw->size; +@@ -294,7 +294,7 @@ int radeon_uvd_resume(struct radeon_device *rdev) + ptr = rdev->uvd.cpu_addr; + ptr += rdev->uvd_fw->size; + +- memset(ptr, 0, size); ++ memset_io((void __iomem *)ptr, 0, size); + + return 0; + } +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 71ee1267d2efc..381ab96c1e389 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1824,6 +1824,9 @@ int hid_connect(struct hid_device *hdev, unsigned int connect_mask) + case BUS_I2C: + bus = "I2C"; + break; ++ case BUS_VIRTUAL: ++ bus = "VIRTUAL"; ++ break; + default: + bus = "<UNKNOWN>"; + } +diff --git a/drivers/hid/hid-gt683r.c b/drivers/hid/hid-gt683r.c +index a298fbd8db6b9..8ca4c1baeda89 100644 +--- a/drivers/hid/hid-gt683r.c ++++ b/drivers/hid/hid-gt683r.c +@@ -64,6 +64,7 @@ static const struct hid_device_id gt683r_led_id[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GT683R_LED_PANEL) }, + { } + }; ++MODULE_DEVICE_TABLE(hid, gt683r_led_id); + + static void gt683r_brightness_set(struct led_classdev *led_cdev, + enum led_brightness brightness) +diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c +index aa078c1dad14f..6c7e12d8e7d93 100644 +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -223,16 +223,21 @@ int sensor_hub_set_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, + buffer_size = buffer_size / sizeof(__s32); + if (buffer_size) { + for (i = 0; i < buffer_size; ++i) { +- hid_set_field(report->field[field_index], i, +- (__force __s32)cpu_to_le32(*buf32)); ++ ret = hid_set_field(report->field[field_index], i, ++ (__force __s32)cpu_to_le32(*buf32)); ++ if (ret) ++ goto done_proc; ++ + ++buf32; + } + } + if (remaining_bytes) { + value = 0; + memcpy(&value, (u8 *)buf32, remaining_bytes); +- hid_set_field(report->field[field_index], i, +- (__force __s32)cpu_to_le32(value)); ++ ret = hid_set_field(report->field[field_index], i, ++ (__force __s32)cpu_to_le32(value)); ++ if (ret) ++ goto done_proc; + } + hid_hw_request(hsdev->hdev, report, HID_REQ_SET_REPORT); + hid_hw_wait(hsdev->hdev); +diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c +index 98916fb4191a7..46b8f4c353def 100644 +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -373,7 +373,7 @@ static int hid_submit_ctrl(struct hid_device *hid) + raw_report = usbhid->ctrl[usbhid->ctrltail].raw_report; + dir = usbhid->ctrl[usbhid->ctrltail].dir; + +- len = ((report->size - 1) >> 3) + 1 + (report->id > 0); ++ len = hid_report_len(report); + if (dir == USB_DIR_OUT) { + usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0); + usbhid->urbctrl->transfer_buffer_length = len; +diff --git a/drivers/hwmon/scpi-hwmon.c b/drivers/hwmon/scpi-hwmon.c +index 7e49da50bc69b..562f3e287297a 100644 +--- a/drivers/hwmon/scpi-hwmon.c ++++ b/drivers/hwmon/scpi-hwmon.c +@@ -107,6 +107,15 @@ scpi_show_sensor(struct device *dev, struct device_attribute *attr, char *buf) + + scpi_scale_reading(&value, sensor); + ++ /* ++ * Temperature sensor values are treated as signed values based on ++ * observation even though that is not explicitly specified, and ++ * because an unsigned u64 temperature does not really make practical ++ * sense especially when the temperature is below zero degrees Celsius. ++ */ ++ if (sensor->info.class == TEMPERATURE) ++ return sprintf(buf, "%lld\n", (s64)value); ++ + return sprintf(buf, "%llu\n", value); + } + +diff --git a/drivers/i2c/busses/i2c-robotfuzz-osif.c b/drivers/i2c/busses/i2c-robotfuzz-osif.c +index 9c0f52b7ff7ec..b9b4758c6be7a 100644 +--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c ++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c +@@ -89,7 +89,7 @@ static int osif_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs, + } + } + +- ret = osif_usb_read(adapter, OSIFI2C_STOP, 0, 0, NULL, 0); ++ ret = osif_usb_write(adapter, OSIFI2C_STOP, 0, 0, NULL, 0); + if (ret) { + dev_err(&adapter->dev, "failure sending STOP\n"); + return -EREMOTEIO; +@@ -159,7 +159,7 @@ static int osif_probe(struct usb_interface *interface, + * Set bus frequency. The frequency is: + * 120,000,000 / ( 16 + 2 * div * 4^prescale). + * Using dev = 52, prescale = 0 give 100KHz */ +- ret = osif_usb_read(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0, ++ ret = osif_usb_write(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0, + NULL, 0); + if (ret) { + dev_err(&interface->dev, "failure sending bit rate"); +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index ce76ed50a1a25..1516d621e0402 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -360,6 +360,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); + return -ENODEV; +diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c +index a09e3f6c2c504..6b0c6009dde0d 100644 +--- a/drivers/net/can/usb/mcba_usb.c ++++ b/drivers/net/can/usb/mcba_usb.c +@@ -93,6 +93,8 @@ struct mcba_priv { + bool can_ka_first_pass; + bool can_speed_check; + atomic_t free_ctx_cnt; ++ void *rxbuf[MCBA_MAX_RX_URBS]; ++ dma_addr_t rxbuf_dma[MCBA_MAX_RX_URBS]; + }; + + /* CAN frame */ +@@ -644,6 +646,7 @@ static int mcba_usb_start(struct mcba_priv *priv) + for (i = 0; i < MCBA_MAX_RX_URBS; i++) { + struct urb *urb = NULL; + u8 *buf; ++ dma_addr_t buf_dma; + + /* create a URB, and a buffer for it */ + urb = usb_alloc_urb(0, GFP_KERNEL); +@@ -653,7 +656,7 @@ static int mcba_usb_start(struct mcba_priv *priv) + } + + buf = usb_alloc_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE, +- GFP_KERNEL, &urb->transfer_dma); ++ GFP_KERNEL, &buf_dma); + if (!buf) { + netdev_err(netdev, "No memory left for USB buffer\n"); + usb_free_urb(urb); +@@ -672,11 +675,14 @@ static int mcba_usb_start(struct mcba_priv *priv) + if (err) { + usb_unanchor_urb(urb); + usb_free_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE, +- buf, urb->transfer_dma); ++ buf, buf_dma); + usb_free_urb(urb); + break; + } + ++ priv->rxbuf[i] = buf; ++ priv->rxbuf_dma[i] = buf_dma; ++ + /* Drop reference, USB core will take care of freeing it */ + usb_free_urb(urb); + } +@@ -719,7 +725,14 @@ static int mcba_usb_open(struct net_device *netdev) + + static void mcba_urb_unlink(struct mcba_priv *priv) + { ++ int i; ++ + usb_kill_anchored_urbs(&priv->rx_submitted); ++ ++ for (i = 0; i < MCBA_MAX_RX_URBS; ++i) ++ usb_free_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE, ++ priv->rxbuf[i], priv->rxbuf_dma[i]); ++ + usb_kill_anchored_urbs(&priv->tx_submitted); + } + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index ce2e644108237..bb0e217460c93 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1857,6 +1857,7 @@ out_free_netdev: + free_netdev(netdev); + out_pci_release: + pci_release_mem_regions(pdev); ++ pci_disable_pcie_error_reporting(pdev); + out_pci_disable: + pci_disable_device(pdev); + return err; +diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c +index 1b79a6defd56d..5561dd2953248 100644 +--- a/drivers/net/ethernet/ec_bhf.c ++++ b/drivers/net/ethernet/ec_bhf.c +@@ -585,10 +585,12 @@ static void ec_bhf_remove(struct pci_dev *dev) + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); +- free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); ++ ++ free_netdev(net_dev); ++ + pci_release_regions(dev); + pci_clear_master(dev); + pci_disable_device(dev); +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index cabeb1790db76..43ae124cabff6 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -5926,6 +5926,7 @@ drv_cleanup: + unmap_bars: + be_unmap_pci_bars(adapter); + free_netdev: ++ pci_disable_pcie_error_reporting(pdev); + free_netdev(netdev); + rel_reg: + pci_release_regions(pdev); +diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index e63df6455fbad..40c5c09f60dc6 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -586,6 +586,10 @@ void fec_ptp_init(struct platform_device *pdev) + fep->ptp_caps.enable = fec_ptp_enable; + + fep->cycle_speed = clk_get_rate(fep->clk_ptp); ++ if (!fep->cycle_speed) { ++ fep->cycle_speed = NSEC_PER_SEC; ++ dev_err(&fep->pdev->dev, "clk_ptp clock rate is zero\n"); ++ } + fep->ptp_inc = NSEC_PER_SEC / fep->cycle_speed; + + spin_lock_init(&fep->tmreg_lock); +diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +index a0a555052d8ca..1ac2bc75edb1f 100644 +--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c ++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +@@ -3853,6 +3853,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + dev_err(&pdev->dev, + "invalid sram_size %dB or board span %ldB\n", + mgp->sram_size, mgp->board_span); ++ status = -EINVAL; + goto abort_with_ioremap; + } + memcpy_fromio(mgp->eeprom_strings, +diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +index 8f8a1894378e3..5b91c8f823ffa 100644 +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +@@ -1624,6 +1624,8 @@ err_out_free_netdev: + free_netdev(netdev); + + err_out_free_res: ++ if (NX_IS_REVISION_P3(pdev->revision)) ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +index d62dccb855394..1ee58a24afe31 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c +@@ -1259,9 +1259,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn, + p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC; + + p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled; ++ BUILD_BUG_ON(sizeof(dcbx_info->operational.params) != ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + memcpy(&p_hwfn->p_dcbx_info->set.config.params, + &dcbx_info->operational.params, +- sizeof(struct qed_dcbx_admin_params)); ++ sizeof(p_hwfn->p_dcbx_info->set.config.params)); + p_hwfn->p_dcbx_info->set.config.valid = true; + + memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set)); +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +index 6684a4cb8b88b..45361310eea0a 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +@@ -2711,6 +2711,7 @@ err_out_free_hw_res: + kfree(ahw); + + err_out_free_res: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c +index 530b8da11960a..191531a03415a 100644 +--- a/drivers/net/ethernet/realtek/r8169.c ++++ b/drivers/net/ethernet/realtek/r8169.c +@@ -2355,7 +2355,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data) + { + switch(stringset) { + case ETH_SS_STATS: +- memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings)); ++ memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings)); + break; + } + } +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index dab1597287b96..36f1019809ea6 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2197,7 +2197,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data) + { + switch (stringset) { + case ETH_SS_STATS: +- memcpy(data, *sh_eth_gstrings_stats, ++ memcpy(data, sh_eth_gstrings_stats, + sizeof(sh_eth_gstrings_stats)); + break; + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +index c02d36629c528..6f7ed3aaff1b1 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +@@ -87,10 +87,10 @@ enum power_event { + #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */ + + /* GMAC HW ADDR regs */ +-#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \ +- (reg * 8)) +-#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \ +- (reg * 8)) ++#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \ ++ 0x00000040 + (reg * 8)) ++#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \ ++ 0x00000044 + (reg * 8)) + #define GMAC_MAX_PERFECT_ADDRESSES 1 + + #define GMAC_PCS_BASE 0x000000c0 /* PCS register base */ +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index 2241f98970926..939de185bc6b8 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -736,6 +736,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + /* Kick off the transfer */ + lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */ + ++ if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) { ++ netdev_info(ndev, "%s -> netif_stop_queue\n", __func__); ++ netif_stop_queue(ndev); ++ } ++ + return NETDEV_TX_OK; + } + +diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c +index 9fd7dab42a534..2074fc55a88ad 100644 +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -810,6 +810,7 @@ static void mkiss_close(struct tty_struct *tty) + ax->tty = NULL; + + unregister_netdev(ax->dev); ++ free_netdev(ax->dev); + } + + /* Perform I/O control on an active ax25 channel. */ +diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c +index f7180f8db39e1..9c15e1a1261be 100644 +--- a/drivers/net/usb/cdc_eem.c ++++ b/drivers/net/usb/cdc_eem.c +@@ -138,10 +138,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + } + + skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); ++ dev_kfree_skb_any(skb); + if (!skb2) + return NULL; + +- dev_kfree_skb_any(skb); + skb = skb2; + + done: +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 468db50eb5e7e..5b5156508f7c6 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1667,7 +1667,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) + static const struct driver_info cdc_ncm_info = { + .description = "CDC NCM", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_LINK_INTR, ++ | FLAG_LINK_INTR | FLAG_ETHER, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .manage_power = usbnet_manage_power, +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index f9c531a6ce064..8da3c891c9e80 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -4640,7 +4640,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data) + { + switch (stringset) { + case ETH_SS_STATS: +- memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings)); ++ memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings)); + break; + } + } +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index 62f2862c9775e..8b9fd4e071f3d 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -1495,7 +1495,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_wait_ready(dev, 0); + if (ret < 0) { + netdev_warn(dev->net, "device not ready in smsc75xx_bind\n"); +- goto err; ++ goto free_pdata; + } + + smsc75xx_init_mac_address(dev); +@@ -1504,7 +1504,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_reset(dev); + if (ret < 0) { + netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret); +- goto err; ++ goto cancel_work; + } + + dev->net->netdev_ops = &smsc75xx_netdev_ops; +@@ -1515,8 +1515,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE; + return 0; + +-err: ++cancel_work: ++ cancel_work_sync(&pdata->set_multicast); ++free_pdata: + kfree(pdata); ++ dev->data[0] = 0; + return ret; + } + +@@ -1527,7 +1530,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf) + cancel_work_sync(&pdata->set_multicast); + netif_dbg(dev, ifdown, dev->net, "free pdata\n"); + kfree(pdata); +- pdata = NULL; + dev->data[0] = 0; + } + } +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 3388d2788fe05..7a0a10777cd13 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -287,7 +287,8 @@ static const struct blk_mq_ops nvme_loop_admin_mq_ops = { + + static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl) + { +- clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags); ++ if (!test_and_clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags)) ++ return; + nvmet_sq_destroy(&ctrl->queues[0].nvme_sq); + blk_cleanup_queue(ctrl->ctrl.admin_q); + blk_mq_free_tag_set(&ctrl->admin_tag_set); +@@ -322,6 +323,7 @@ static void nvme_loop_destroy_io_queues(struct nvme_loop_ctrl *ctrl) + clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[i].flags); + nvmet_sq_destroy(&ctrl->queues[i].nvme_sq); + } ++ ctrl->ctrl.queue_count = 1; + } + + static int nvme_loop_init_io_queues(struct nvme_loop_ctrl *ctrl) +@@ -429,6 +431,7 @@ static int nvme_loop_configure_admin_queue(struct nvme_loop_ctrl *ctrl) + return 0; + + out_cleanup_queue: ++ clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags); + blk_cleanup_queue(ctrl->ctrl.admin_q); + out_free_tagset: + blk_mq_free_tag_set(&ctrl->admin_tag_set); +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 1993e5e28ea7b..c847b5554db6d 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1378,11 +1378,21 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags) + int err; + int i, bars = 0; + +- if (atomic_inc_return(&dev->enable_cnt) > 1) { +- pci_update_current_state(dev, dev->current_state); +- return 0; /* already enabled */ ++ /* ++ * Power state could be unknown at this point, either due to a fresh ++ * boot or a device removal call. So get the current power state ++ * so that things like MSI message writing will behave as expected ++ * (e.g. if the device really is in D0 at enable time). ++ */ ++ if (dev->pm_cap) { ++ u16 pmcsr; ++ pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr); ++ dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK); + } + ++ if (atomic_inc_return(&dev->enable_cnt) > 1) ++ return 0; /* already enabled */ ++ + bridge = pci_upstream_bridge(dev); + if (bridge) + pci_enable_bridge(bridge); +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 510cb05aa96ff..db1ec8209b568 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3389,6 +3389,18 @@ static void quirk_no_bus_reset(struct pci_dev *dev) + dev->dev_flags |= PCI_DEV_FLAGS_NO_BUS_RESET; + } + ++/* ++ * Some NVIDIA GPU devices do not work with bus reset, SBR needs to be ++ * prevented for those affected devices. ++ */ ++static void quirk_nvidia_no_bus_reset(struct pci_dev *dev) ++{ ++ if ((dev->device & 0xffc0) == 0x2340) ++ quirk_no_bus_reset(dev); ++} ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID, ++ quirk_nvidia_no_bus_reset); ++ + /* + * Some Atheros AR9xxx and QCA988x chips do not behave after a bus reset. + * The device will throw a Link Down error on AER-capable systems and +@@ -3402,6 +3414,16 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset); + ++/* ++ * Some TI KeyStone C667X devices do not support bus/hot reset. The PCIESS ++ * automatically disables LTSSM when Secondary Bus Reset is received and ++ * the device stops working. Prevent bus reset for these devices. With ++ * this change, the device can be assigned to VMs with VFIO, but it will ++ * leak state between VMs. Reference ++ * https://e2e.ti.com/support/processors/f/791/t/954382 ++ */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TI, 0xb005, quirk_no_bus_reset); ++ + static void quirk_no_pm_reset(struct pci_dev *dev) + { + /* +@@ -3853,6 +3875,69 @@ static int reset_chelsio_generic_dev(struct pci_dev *dev, int probe) + #define PCI_DEVICE_ID_INTEL_IVB_M_VGA 0x0156 + #define PCI_DEVICE_ID_INTEL_IVB_M2_VGA 0x0166 + ++#define PCI_DEVICE_ID_HINIC_VF 0x375E ++#define HINIC_VF_FLR_TYPE 0x1000 ++#define HINIC_VF_FLR_CAP_BIT (1UL << 30) ++#define HINIC_VF_OP 0xE80 ++#define HINIC_VF_FLR_PROC_BIT (1UL << 18) ++#define HINIC_OPERATION_TIMEOUT 15000 /* 15 seconds */ ++ ++/* Device-specific reset method for Huawei Intelligent NIC virtual functions */ ++static int reset_hinic_vf_dev(struct pci_dev *pdev, int probe) ++{ ++ unsigned long timeout; ++ void __iomem *bar; ++ u32 val; ++ ++ if (probe) ++ return 0; ++ ++ bar = pci_iomap(pdev, 0, 0); ++ if (!bar) ++ return -ENOTTY; ++ ++ /* Get and check firmware capabilities */ ++ val = ioread32be(bar + HINIC_VF_FLR_TYPE); ++ if (!(val & HINIC_VF_FLR_CAP_BIT)) { ++ pci_iounmap(pdev, bar); ++ return -ENOTTY; ++ } ++ ++ /* Set HINIC_VF_FLR_PROC_BIT for the start of FLR */ ++ val = ioread32be(bar + HINIC_VF_OP); ++ val = val | HINIC_VF_FLR_PROC_BIT; ++ iowrite32be(val, bar + HINIC_VF_OP); ++ ++ pcie_flr(pdev); ++ ++ /* ++ * The device must recapture its Bus and Device Numbers after FLR ++ * in order generate Completions. Issue a config write to let the ++ * device capture this information. ++ */ ++ pci_write_config_word(pdev, PCI_VENDOR_ID, 0); ++ ++ /* Firmware clears HINIC_VF_FLR_PROC_BIT when reset is complete */ ++ timeout = jiffies + msecs_to_jiffies(HINIC_OPERATION_TIMEOUT); ++ do { ++ val = ioread32be(bar + HINIC_VF_OP); ++ if (!(val & HINIC_VF_FLR_PROC_BIT)) ++ goto reset_complete; ++ msleep(20); ++ } while (time_before(jiffies, timeout)); ++ ++ val = ioread32be(bar + HINIC_VF_OP); ++ if (!(val & HINIC_VF_FLR_PROC_BIT)) ++ goto reset_complete; ++ ++ pci_warn(pdev, "Reset dev timeout, FLR ack reg: %#010x\n", val); ++ ++reset_complete: ++ pci_iounmap(pdev, bar); ++ ++ return 0; ++} ++ + static const struct pci_dev_reset_methods pci_dev_reset_methods[] = { + { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82599_SFP_VF, + reset_intel_82599_sfp_virtfn }, +@@ -3862,6 +3947,8 @@ static const struct pci_dev_reset_methods pci_dev_reset_methods[] = { + reset_ivb_igd }, + { PCI_VENDOR_ID_CHELSIO, PCI_ANY_ID, + reset_chelsio_generic_dev }, ++ { PCI_VENDOR_ID_HUAWEI, PCI_DEVICE_ID_HINIC_VF, ++ reset_hinic_vf_dev }, + { 0 } + }; + +@@ -4662,6 +4749,8 @@ static const struct pci_dev_acs_enabled { + { PCI_VENDOR_ID_AMPERE, 0xE00A, pci_quirk_xgene_acs }, + { PCI_VENDOR_ID_AMPERE, 0xE00B, pci_quirk_xgene_acs }, + { PCI_VENDOR_ID_AMPERE, 0xE00C, pci_quirk_xgene_acs }, ++ /* Broadcom multi-function device */ ++ { PCI_VENDOR_ID_BROADCOM, 0x16D7, pci_quirk_mf_endpoint_acs }, + { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs }, + { 0 } + }; +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c +index 072bd11074c6f..b38e82a868df8 100644 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c +@@ -956,7 +956,7 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl, + struct resource res; + struct reset_control *rstc; + int npins = STM32_GPIO_PINS_PER_BANK; +- int bank_nr, err; ++ int bank_nr, err, i = 0; + + rstc = of_reset_control_get_exclusive(np, NULL); + if (!IS_ERR(rstc)) +@@ -985,9 +985,14 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl, + + of_property_read_string(np, "st,bank-name", &bank->gpio_chip.label); + +- if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, 0, &args)) { ++ if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, i, &args)) { + bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK; + bank->gpio_chip.base = args.args[1]; ++ ++ npins = args.args[2]; ++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, ++ ++i, &args)) ++ npins += args.args[2]; + } else { + bank_nr = pctl->nbanks; + bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK; +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 0d0be7d8b9d64..852680e859217 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2966,9 +2966,7 @@ __transport_wait_for_tasks(struct se_cmd *cmd, bool fabric_stop, + __releases(&cmd->t_state_lock) + __acquires(&cmd->t_state_lock) + { +- +- assert_spin_locked(&cmd->t_state_lock); +- WARN_ON_ONCE(!irqs_disabled()); ++ lockdep_assert_held(&cmd->t_state_lock); + + if (fabric_stop) + cmd->transport_state |= CMD_T_FABRIC_STOP; +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 40743e9e9d937..276a63ae510e6 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -38,6 +38,8 @@ + #define USB_VENDOR_GENESYS_LOGIC 0x05e3 + #define USB_VENDOR_SMSC 0x0424 + #define USB_PRODUCT_USB5534B 0x5534 ++#define USB_VENDOR_CYPRESS 0x04b4 ++#define USB_PRODUCT_CY7C65632 0x6570 + #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND 0x01 + #define HUB_QUIRK_DISABLE_AUTOSUSPEND 0x02 + +@@ -5325,6 +5327,11 @@ static const struct usb_device_id hub_id_table[] = { + .idProduct = USB_PRODUCT_USB5534B, + .bInterfaceClass = USB_CLASS_HUB, + .driver_info = HUB_QUIRK_DISABLE_AUTOSUSPEND}, ++ { .match_flags = USB_DEVICE_ID_MATCH_VENDOR ++ | USB_DEVICE_ID_MATCH_PRODUCT, ++ .idVendor = USB_VENDOR_CYPRESS, ++ .idProduct = USB_PRODUCT_CY7C65632, ++ .driver_info = HUB_QUIRK_DISABLE_AUTOSUSPEND}, + { .match_flags = USB_DEVICE_ID_MATCH_VENDOR + | USB_DEVICE_ID_MATCH_INT_CLASS, + .idVendor = USB_VENDOR_GENESYS_LOGIC, +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index f3fca4537d255..0e179274ba7cd 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1337,8 +1337,8 @@ static int dwc3_remove(struct platform_device *pdev) + */ + res->start -= DWC3_GLOBALS_REGS_START; + +- dwc3_debugfs_exit(dwc); + dwc3_core_exit_mode(dwc); ++ dwc3_debugfs_exit(dwc); + + dwc3_core_exit(dwc); + dwc3_ulpi_exit(dwc); +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 0a0dd3178483e..be969f24ccf04 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -1456,6 +1456,7 @@ __acquires(&lru_lock) + while(!list_empty(list)) { + gl = list_entry(list->next, struct gfs2_glock, gl_lru); + list_del_init(&gl->gl_lru); ++ clear_bit(GLF_LRU, &gl->gl_flags); + if (!spin_trylock(&gl->gl_lockref.lock)) { + add_back_to_lru: + list_add(&gl->gl_lru, &lru_list); +@@ -1501,7 +1502,6 @@ static long gfs2_scan_glock_lru(int nr) + if (!test_bit(GLF_LOCK, &gl->gl_flags)) { + list_move(&gl->gl_lru, &dispose); + atomic_dec(&lru_count); +- clear_bit(GLF_LRU, &gl->gl_flags); + freed++; + continue; + } +diff --git a/fs/kernfs/mount.c b/fs/kernfs/mount.c +index 5019058e0f6ab..610267585f8f9 100644 +--- a/fs/kernfs/mount.c ++++ b/fs/kernfs/mount.c +@@ -320,6 +320,7 @@ struct dentry *kernfs_mount_ns(struct file_system_type *fs_type, int flags, + + info->root = root; + info->ns = ns; ++ INIT_LIST_HEAD(&info->node); + + sb = sget_userns(fs_type, kernfs_test_super, kernfs_set_super, flags, + &init_user_ns, info); +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index 490303e3d5179..e9903bceb2bf1 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -1064,6 +1064,7 @@ void nilfs_sysfs_delete_device_group(struct the_nilfs *nilfs) + nilfs_sysfs_delete_superblock_group(nilfs); + nilfs_sysfs_delete_segctor_group(nilfs); + kobject_del(&nilfs->ns_dev_kobj); ++ kobject_put(&nilfs->ns_dev_kobj); + kfree(nilfs->ns_dev_subgroups); + } + +diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c +index 20b8f82e115b6..2bbe84d9c0a81 100644 +--- a/fs/sysfs/mount.c ++++ b/fs/sysfs/mount.c +@@ -28,7 +28,7 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type, + { + struct dentry *root; + void *ns; +- bool new_sb; ++ bool new_sb = false; + + if (!(flags & MS_KERNMOUNT)) { + if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET)) +@@ -38,9 +38,9 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type, + ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET); + root = kernfs_mount_ns(fs_type, flags, sysfs_root, + SYSFS_MAGIC, &new_sb, ns); +- if (IS_ERR(root) || !new_sb) ++ if (!new_sb) + kobj_ns_drop(KOBJ_NS_TYPE_NET, ns); +- else if (new_sb) ++ else if (!IS_ERR(root)) + root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE; + + return root; +diff --git a/include/linux/hid.h b/include/linux/hid.h +index d07fe33a90457..5a2c55ed33fac 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -1114,8 +1114,7 @@ static inline void hid_hw_wait(struct hid_device *hdev) + */ + static inline u32 hid_report_len(struct hid_report *report) + { +- /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */ +- return ((report->size - 1) >> 3) + 1 + (report->id > 0); ++ return DIV_ROUND_UP(report->size, 8) + (report->id > 0); + } + + int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, +diff --git a/include/net/sock.h b/include/net/sock.h +index 55d16db84ea44..70fe85bee4e56 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1744,7 +1744,8 @@ static inline u32 net_tx_rndhash(void) + + static inline void sk_set_txhash(struct sock *sk) + { +- sk->sk_txhash = net_tx_rndhash(); ++ /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */ ++ WRITE_ONCE(sk->sk_txhash, net_tx_rndhash()); + } + + static inline void sk_rethink_txhash(struct sock *sk) +@@ -2018,9 +2019,12 @@ static inline void sock_poll_wait(struct file *filp, + + static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk) + { +- if (sk->sk_txhash) { ++ /* This pairs with WRITE_ONCE() in sk_set_txhash() */ ++ u32 txhash = READ_ONCE(sk->sk_txhash); ++ ++ if (txhash) { + skb->l4_hash = 1; +- skb->hash = sk->sk_txhash; ++ skb->hash = txhash; + } + } + +diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h +index 48e8a225b985a..2a66ab49f14dd 100644 +--- a/include/uapi/linux/in.h ++++ b/include/uapi/linux/in.h +@@ -280,6 +280,9 @@ struct sockaddr_in { + /* Address indicating an error return. */ + #define INADDR_NONE ((unsigned long int) 0xffffffff) + ++/* Dummy address for src of ICMP replies if no real address is set (RFC7600). */ ++#define INADDR_DUMMY ((unsigned long int) 0xc0000008) ++ + /* Network number for local host loopback. */ + #define IN_LOOPBACKNET 127 + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 42531ee852ffb..0cc67bc0666e4 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1737,9 +1737,6 @@ struct saved_cmdlines_buffer { + }; + static struct saved_cmdlines_buffer *savedcmd; + +-/* temporary disable recording */ +-static atomic_t trace_record_taskinfo_disabled __read_mostly; +- + static inline char *get_saved_cmdlines(int idx) + { + return &savedcmd->saved_cmdlines[idx * TASK_COMM_LEN]; +@@ -2024,8 +2021,6 @@ static bool tracing_record_taskinfo_skip(int flags) + { + if (unlikely(!(flags & (TRACE_RECORD_CMDLINE | TRACE_RECORD_TGID)))) + return true; +- if (atomic_read(&trace_record_taskinfo_disabled) || !tracing_is_on()) +- return true; + if (!__this_cpu_read(trace_taskinfo_save)) + return true; + return false; +@@ -3259,9 +3254,6 @@ static void *s_start(struct seq_file *m, loff_t *pos) + return ERR_PTR(-EBUSY); + #endif + +- if (!iter->snapshot) +- atomic_inc(&trace_record_taskinfo_disabled); +- + if (*pos != iter->pos) { + iter->ent = NULL; + iter->cpu = 0; +@@ -3304,9 +3296,6 @@ static void s_stop(struct seq_file *m, void *p) + return; + #endif + +- if (!iter->snapshot) +- atomic_dec(&trace_record_taskinfo_disabled); +- + trace_access_unlock(iter->cpu_file); + trace_event_read_unlock(); + } +diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c +index c82875834c425..b3b02d2c29266 100644 +--- a/kernel/trace/trace_clock.c ++++ b/kernel/trace/trace_clock.c +@@ -114,9 +114,9 @@ u64 notrace trace_clock_global(void) + prev_time = READ_ONCE(trace_clock_struct.prev_time); + now = sched_clock_cpu(this_cpu); + +- /* Make sure that now is always greater than prev_time */ ++ /* Make sure that now is always greater than or equal to prev_time */ + if ((s64)(now - prev_time) < 0) +- now = prev_time + 1; ++ now = prev_time; + + /* + * If in an NMI context then dont risk lockups and simply return +@@ -130,7 +130,7 @@ u64 notrace trace_clock_global(void) + /* Reread prev_time in case it was already updated */ + prev_time = READ_ONCE(trace_clock_struct.prev_time); + if ((s64)(now - prev_time) < 0) +- now = prev_time + 1; ++ now = prev_time; + + trace_clock_struct.prev_time = now; + +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 001b6bfccbfbd..e7827b9e63976 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1267,7 +1267,12 @@ int memory_failure(unsigned long pfn, int trapno, int flags) + return 0; + } + +- if (!PageTransTail(p) && !PageLRU(p)) ++ /* ++ * __munlock_pagevec may clear a writeback page's LRU flag without ++ * page_lock. We need wait writeback completion for this page or it ++ * may trigger vfs BUG while evict inode. ++ */ ++ if (!PageTransTail(p) && !PageLRU(p) && !PageWriteback(p)) + goto identify_page_state; + + /* +diff --git a/mm/slub.c b/mm/slub.c +index a0cb3568b0b5d..484a75296a12b 100644 +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -15,6 +15,7 @@ + #include <linux/module.h> + #include <linux/bit_spinlock.h> + #include <linux/interrupt.h> ++#include <linux/swab.h> + #include <linux/bitops.h> + #include <linux/slab.h> + #include "slab.h" +diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c +index 7a723e124dbb5..3ec16c48e7681 100644 +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -585,8 +585,10 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet) + if (WARN_ON(!forw_packet->if_outgoing)) + return; + +- if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface)) ++ if (forw_packet->if_outgoing->soft_iface != soft_iface) { ++ pr_warn("%s: soft interface switch for queued OGM\n", __func__); + return; ++ } + + if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE) + return; +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 14ff034e561c5..50a55553a25c5 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -93,8 +93,8 @@ struct br_vlan_stats { + }; + + struct br_tunnel_info { +- __be64 tunnel_id; +- struct metadata_dst *tunnel_dst; ++ __be64 tunnel_id; ++ struct metadata_dst __rcu *tunnel_dst; + }; + + /** +diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c +index 6d2c4eed2dc89..adb6845ceba46 100644 +--- a/net/bridge/br_vlan_tunnel.c ++++ b/net/bridge/br_vlan_tunnel.c +@@ -46,26 +46,33 @@ static struct net_bridge_vlan *br_vlan_tunnel_lookup(struct rhashtable *tbl, + br_vlan_tunnel_rht_params); + } + ++static void vlan_tunnel_info_release(struct net_bridge_vlan *vlan) ++{ ++ struct metadata_dst *tdst = rtnl_dereference(vlan->tinfo.tunnel_dst); ++ ++ WRITE_ONCE(vlan->tinfo.tunnel_id, 0); ++ RCU_INIT_POINTER(vlan->tinfo.tunnel_dst, NULL); ++ dst_release(&tdst->dst); ++} ++ + void vlan_tunnel_info_del(struct net_bridge_vlan_group *vg, + struct net_bridge_vlan *vlan) + { +- if (!vlan->tinfo.tunnel_dst) ++ if (!rcu_access_pointer(vlan->tinfo.tunnel_dst)) + return; + rhashtable_remove_fast(&vg->tunnel_hash, &vlan->tnode, + br_vlan_tunnel_rht_params); +- vlan->tinfo.tunnel_id = 0; +- dst_release(&vlan->tinfo.tunnel_dst->dst); +- vlan->tinfo.tunnel_dst = NULL; ++ vlan_tunnel_info_release(vlan); + } + + static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg, + struct net_bridge_vlan *vlan, u32 tun_id) + { +- struct metadata_dst *metadata = NULL; ++ struct metadata_dst *metadata = rtnl_dereference(vlan->tinfo.tunnel_dst); + __be64 key = key32_to_tunnel_id(cpu_to_be32(tun_id)); + int err; + +- if (vlan->tinfo.tunnel_dst) ++ if (metadata) + return -EEXIST; + + metadata = __ip_tun_set_dst(0, 0, 0, 0, 0, TUNNEL_KEY, +@@ -74,8 +81,8 @@ static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg, + return -EINVAL; + + metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX | IP_TUNNEL_INFO_BRIDGE; +- vlan->tinfo.tunnel_dst = metadata; +- vlan->tinfo.tunnel_id = key; ++ rcu_assign_pointer(vlan->tinfo.tunnel_dst, metadata); ++ WRITE_ONCE(vlan->tinfo.tunnel_id, key); + + err = rhashtable_lookup_insert_fast(&vg->tunnel_hash, &vlan->tnode, + br_vlan_tunnel_rht_params); +@@ -84,9 +91,7 @@ static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg, + + return 0; + out: +- dst_release(&vlan->tinfo.tunnel_dst->dst); +- vlan->tinfo.tunnel_dst = NULL; +- vlan->tinfo.tunnel_id = 0; ++ vlan_tunnel_info_release(vlan); + + return err; + } +@@ -186,12 +191,15 @@ int br_handle_ingress_vlan_tunnel(struct sk_buff *skb, + int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + struct net_bridge_vlan *vlan) + { ++ struct metadata_dst *tunnel_dst; ++ __be64 tunnel_id; + int err; + +- if (!vlan || !vlan->tinfo.tunnel_id) ++ if (!vlan) + return 0; + +- if (unlikely(!skb_vlan_tag_present(skb))) ++ tunnel_id = READ_ONCE(vlan->tinfo.tunnel_id); ++ if (!tunnel_id || unlikely(!skb_vlan_tag_present(skb))) + return 0; + + skb_dst_drop(skb); +@@ -199,7 +207,9 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb, + if (err) + return err; + +- skb_dst_set(skb, dst_clone(&vlan->tinfo.tunnel_dst->dst)); ++ tunnel_dst = rcu_dereference(vlan->tinfo.tunnel_dst); ++ if (tunnel_dst && dst_hold_safe(&tunnel_dst->dst)) ++ skb_dst_set(skb, &tunnel_dst->dst); + + return 0; + } +diff --git a/net/can/bcm.c b/net/can/bcm.c +index 12d851c4604dc..8c8b02e544322 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -125,7 +125,7 @@ struct bcm_sock { + struct sock sk; + int bound; + int ifindex; +- struct notifier_block notifier; ++ struct list_head notifier; + struct list_head rx_ops; + struct list_head tx_ops; + unsigned long dropped_usr_msgs; +@@ -133,6 +133,10 @@ struct bcm_sock { + char procname [32]; /* inode number in decimal with \0 */ + }; + ++static LIST_HEAD(bcm_notifier_list); ++static DEFINE_SPINLOCK(bcm_notifier_lock); ++static struct bcm_sock *bcm_busy_notifier; ++ + static inline struct bcm_sock *bcm_sk(const struct sock *sk) + { + return (struct bcm_sock *)sk; +@@ -406,6 +410,7 @@ static void bcm_tx_timeout_tsklet(unsigned long data) + if (!op->count && (op->flags & TX_COUNTEVT)) { + + /* create notification to user */ ++ memset(&msg_head, 0, sizeof(msg_head)); + msg_head.opcode = TX_EXPIRED; + msg_head.flags = op->flags; + msg_head.count = op->count; +@@ -453,6 +458,7 @@ static void bcm_rx_changed(struct bcm_op *op, struct canfd_frame *data) + /* this element is not throttled anymore */ + data->flags &= (BCM_CAN_FLAGS_MASK|RX_RECV); + ++ memset(&head, 0, sizeof(head)); + head.opcode = RX_CHANGED; + head.flags = op->flags; + head.count = op->count; +@@ -567,6 +573,7 @@ static void bcm_rx_timeout_tsklet(unsigned long data) + struct bcm_msg_head msg_head; + + /* create notification to user */ ++ memset(&msg_head, 0, sizeof(msg_head)); + msg_head.opcode = RX_TIMEOUT; + msg_head.flags = op->flags; + msg_head.count = op->count; +@@ -1439,20 +1446,15 @@ static int bcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) + /* + * notification handler for netdevice status changes + */ +-static int bcm_notifier(struct notifier_block *nb, unsigned long msg, +- void *ptr) ++static void bcm_notify(struct bcm_sock *bo, unsigned long msg, ++ struct net_device *dev) + { +- struct net_device *dev = netdev_notifier_info_to_dev(ptr); +- struct bcm_sock *bo = container_of(nb, struct bcm_sock, notifier); + struct sock *sk = &bo->sk; + struct bcm_op *op; + int notify_enodev = 0; + + if (!net_eq(dev_net(dev), sock_net(sk))) +- return NOTIFY_DONE; +- +- if (dev->type != ARPHRD_CAN) +- return NOTIFY_DONE; ++ return; + + switch (msg) { + +@@ -1487,7 +1489,28 @@ static int bcm_notifier(struct notifier_block *nb, unsigned long msg, + sk->sk_error_report(sk); + } + } ++} + ++static int bcm_notifier(struct notifier_block *nb, unsigned long msg, ++ void *ptr) ++{ ++ struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ ++ if (dev->type != ARPHRD_CAN) ++ return NOTIFY_DONE; ++ if (msg != NETDEV_UNREGISTER && msg != NETDEV_DOWN) ++ return NOTIFY_DONE; ++ if (unlikely(bcm_busy_notifier)) /* Check for reentrant bug. */ ++ return NOTIFY_DONE; ++ ++ spin_lock(&bcm_notifier_lock); ++ list_for_each_entry(bcm_busy_notifier, &bcm_notifier_list, notifier) { ++ spin_unlock(&bcm_notifier_lock); ++ bcm_notify(bcm_busy_notifier, msg, dev); ++ spin_lock(&bcm_notifier_lock); ++ } ++ bcm_busy_notifier = NULL; ++ spin_unlock(&bcm_notifier_lock); + return NOTIFY_DONE; + } + +@@ -1507,9 +1530,9 @@ static int bcm_init(struct sock *sk) + INIT_LIST_HEAD(&bo->rx_ops); + + /* set notifier */ +- bo->notifier.notifier_call = bcm_notifier; +- +- register_netdevice_notifier(&bo->notifier); ++ spin_lock(&bcm_notifier_lock); ++ list_add_tail(&bo->notifier, &bcm_notifier_list); ++ spin_unlock(&bcm_notifier_lock); + + return 0; + } +@@ -1532,7 +1555,14 @@ static int bcm_release(struct socket *sock) + + /* remove bcm_ops, timer, rx_unregister(), etc. */ + +- unregister_netdevice_notifier(&bo->notifier); ++ spin_lock(&bcm_notifier_lock); ++ while (bcm_busy_notifier == bo) { ++ spin_unlock(&bcm_notifier_lock); ++ schedule_timeout_uninterruptible(1); ++ spin_lock(&bcm_notifier_lock); ++ } ++ list_del(&bo->notifier); ++ spin_unlock(&bcm_notifier_lock); + + lock_sock(sk); + +@@ -1747,6 +1777,10 @@ static struct pernet_operations canbcm_pernet_ops __read_mostly = { + .exit = canbcm_pernet_exit, + }; + ++static struct notifier_block canbcm_notifier = { ++ .notifier_call = bcm_notifier ++}; ++ + static int __init bcm_module_init(void) + { + int err; +@@ -1760,12 +1794,14 @@ static int __init bcm_module_init(void) + } + + register_pernet_subsys(&canbcm_pernet_ops); ++ register_netdevice_notifier(&canbcm_notifier); + return 0; + } + + static void __exit bcm_module_exit(void) + { + can_proto_unregister(&bcm_can_proto); ++ unregister_netdevice_notifier(&canbcm_notifier); + unregister_pernet_subsys(&canbcm_pernet_ops); + } + +diff --git a/net/can/raw.c b/net/can/raw.c +index e1f26441b49ac..24af08164b614 100644 +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -84,7 +84,7 @@ struct raw_sock { + struct sock sk; + int bound; + int ifindex; +- struct notifier_block notifier; ++ struct list_head notifier; + int loopback; + int recv_own_msgs; + int fd_frames; +@@ -96,6 +96,10 @@ struct raw_sock { + struct uniqframe __percpu *uniq; + }; + ++static LIST_HEAD(raw_notifier_list); ++static DEFINE_SPINLOCK(raw_notifier_lock); ++static struct raw_sock *raw_busy_notifier; ++ + /* + * Return pointer to store the extra msg flags for raw_recvmsg(). + * We use the space of one unsigned int beyond the 'struct sockaddr_can' +@@ -266,21 +270,16 @@ static int raw_enable_allfilters(struct net *net, struct net_device *dev, + return err; + } + +-static int raw_notifier(struct notifier_block *nb, +- unsigned long msg, void *ptr) ++static void raw_notify(struct raw_sock *ro, unsigned long msg, ++ struct net_device *dev) + { +- struct net_device *dev = netdev_notifier_info_to_dev(ptr); +- struct raw_sock *ro = container_of(nb, struct raw_sock, notifier); + struct sock *sk = &ro->sk; + + if (!net_eq(dev_net(dev), sock_net(sk))) +- return NOTIFY_DONE; +- +- if (dev->type != ARPHRD_CAN) +- return NOTIFY_DONE; ++ return; + + if (ro->ifindex != dev->ifindex) +- return NOTIFY_DONE; ++ return; + + switch (msg) { + +@@ -309,7 +308,28 @@ static int raw_notifier(struct notifier_block *nb, + sk->sk_error_report(sk); + break; + } ++} ++ ++static int raw_notifier(struct notifier_block *nb, unsigned long msg, ++ void *ptr) ++{ ++ struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ ++ if (dev->type != ARPHRD_CAN) ++ return NOTIFY_DONE; ++ if (msg != NETDEV_UNREGISTER && msg != NETDEV_DOWN) ++ return NOTIFY_DONE; ++ if (unlikely(raw_busy_notifier)) /* Check for reentrant bug. */ ++ return NOTIFY_DONE; + ++ spin_lock(&raw_notifier_lock); ++ list_for_each_entry(raw_busy_notifier, &raw_notifier_list, notifier) { ++ spin_unlock(&raw_notifier_lock); ++ raw_notify(raw_busy_notifier, msg, dev); ++ spin_lock(&raw_notifier_lock); ++ } ++ raw_busy_notifier = NULL; ++ spin_unlock(&raw_notifier_lock); + return NOTIFY_DONE; + } + +@@ -338,9 +358,9 @@ static int raw_init(struct sock *sk) + return -ENOMEM; + + /* set notifier */ +- ro->notifier.notifier_call = raw_notifier; +- +- register_netdevice_notifier(&ro->notifier); ++ spin_lock(&raw_notifier_lock); ++ list_add_tail(&ro->notifier, &raw_notifier_list); ++ spin_unlock(&raw_notifier_lock); + + return 0; + } +@@ -355,7 +375,14 @@ static int raw_release(struct socket *sock) + + ro = raw_sk(sk); + +- unregister_netdevice_notifier(&ro->notifier); ++ spin_lock(&raw_notifier_lock); ++ while (raw_busy_notifier == ro) { ++ spin_unlock(&raw_notifier_lock); ++ schedule_timeout_uninterruptible(1); ++ spin_lock(&raw_notifier_lock); ++ } ++ list_del(&ro->notifier); ++ spin_unlock(&raw_notifier_lock); + + lock_sock(sk); + +@@ -870,6 +897,10 @@ static const struct can_proto raw_can_proto = { + .prot = &raw_proto, + }; + ++static struct notifier_block canraw_notifier = { ++ .notifier_call = raw_notifier ++}; ++ + static __init int raw_module_init(void) + { + int err; +@@ -879,6 +910,8 @@ static __init int raw_module_init(void) + err = can_proto_register(&raw_can_proto); + if (err < 0) + printk(KERN_ERR "can: registration of raw protocol failed\n"); ++ else ++ register_netdevice_notifier(&canraw_notifier); + + return err; + } +@@ -886,6 +919,7 @@ static __init int raw_module_init(void) + static __exit void raw_module_exit(void) + { + can_proto_unregister(&raw_can_proto); ++ unregister_netdevice_notifier(&canraw_notifier); + } + + module_init(raw_module_init); +diff --git a/net/compat.c b/net/compat.c +index 45349658ed010..2ec822f4e4090 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -158,7 +158,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk, + if (kcmlen > stackbuf_size) + kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL); + if (kcmsg == NULL) +- return -ENOBUFS; ++ return -ENOMEM; + + /* Now copy them over neatly. */ + memset(kcmsg, 0, kcmlen); +diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c +index 9bb321df08698..76c3f602ee153 100644 +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -928,7 +928,7 @@ static void notify_rule_change(int event, struct fib_rule *rule, + { + struct net *net; + struct sk_buff *skb; +- int err = -ENOBUFS; ++ int err = -ENOMEM; + + net = ops->fro_net; + skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL); +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 0168c700a2014..3bcaecc7ba69f 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3648,6 +3648,10 @@ static int rtnl_bridge_notify(struct net_device *dev) + if (err < 0) + goto errout; + ++ /* Notification info is only filled for bridge ports, not the bridge ++ * device itself. Therefore, a zero notification length is valid and ++ * should not result in an error. ++ */ + if (!skb->len) + goto errout; + +diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c +index b1c55db737648..6d4c71a52b6b2 100644 +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1315,19 +1315,20 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla, + nl802154_dev_addr_policy, NULL)) + return -EINVAL; + +- if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || +- !attrs[NL802154_DEV_ADDR_ATTR_MODE] || +- !(attrs[NL802154_DEV_ADDR_ATTR_SHORT] || +- attrs[NL802154_DEV_ADDR_ATTR_EXTENDED])) ++ if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || !attrs[NL802154_DEV_ADDR_ATTR_MODE]) + return -EINVAL; + + addr->pan_id = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_PAN_ID]); + addr->mode = nla_get_u32(attrs[NL802154_DEV_ADDR_ATTR_MODE]); + switch (addr->mode) { + case NL802154_DEV_ADDR_SHORT: ++ if (!attrs[NL802154_DEV_ADDR_ATTR_SHORT]) ++ return -EINVAL; + addr->short_addr = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_SHORT]); + break; + case NL802154_DEV_ADDR_EXTENDED: ++ if (!attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]) ++ return -EINVAL; + addr->extended_addr = nla_get_le64(attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]); + break; + default: +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index 6a1b52b34e205..e8b8dd1cb1576 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -486,6 +486,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def) + kfree(doi_def->map.std->lvl.local); + kfree(doi_def->map.std->cat.cipso); + kfree(doi_def->map.std->cat.local); ++ kfree(doi_def->map.std); + break; + } + kfree(doi_def); +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 96ee1fbd999ef..ba07f128d7ad1 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -743,6 +743,13 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, + icmp_param.data_len = room; + icmp_param.head_len = sizeof(struct icmphdr); + ++ /* if we don't have a source address at this point, fall back to the ++ * dummy address instead of sending out a packet with a source address ++ * of 0.0.0.0 ++ */ ++ if (!fl4.saddr) ++ fl4.saddr = htonl(INADDR_DUMMY); ++ + icmp_push_reply(&icmp_param, &fl4, &ipc, &rt); + ende: + ip_rt_put(rt); +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index b6f0ee01f2e0b..a6b048ff30e6a 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1790,6 +1790,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev) + while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) { + in_dev->mc_list = i->next_rcu; + in_dev->mc_count--; ++ ip_mc_clear_src(i); + ip_ma_put(i); + } + } +diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c +index f0782c91514ce..41e384834d509 100644 +--- a/net/ipv4/ipconfig.c ++++ b/net/ipv4/ipconfig.c +@@ -881,7 +881,7 @@ static void __init ic_bootp_send_if(struct ic_device *d, unsigned long jiffies_d + + + /* +- * Copy BOOTP-supplied string if not already set. ++ * Copy BOOTP-supplied string + */ + static int __init ic_bootp_string(char *dest, char *src, int len, int max) + { +@@ -930,12 +930,15 @@ static void __init ic_do_bootp_ext(u8 *ext) + } + break; + case 12: /* Host name */ +- ic_bootp_string(utsname()->nodename, ext+1, *ext, +- __NEW_UTS_LEN); +- ic_host_name_set = 1; ++ if (!ic_host_name_set) { ++ ic_bootp_string(utsname()->nodename, ext+1, *ext, ++ __NEW_UTS_LEN); ++ ic_host_name_set = 1; ++ } + break; + case 15: /* Domain name (DNS) */ +- ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain)); ++ if (!ic_domain[0]) ++ ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain)); + break; + case 17: /* Root path */ + if (!root_server_path[0]) +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 186fdf0922d2f..aab141c4a3892 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -978,6 +978,7 @@ bool ping_rcv(struct sk_buff *skb) + struct sock *sk; + struct net *net = dev_net(skb->dev); + struct icmphdr *icmph = icmp_hdr(skb); ++ bool rc = false; + + /* We assume the packet has already been checked by icmp_rcv */ + +@@ -992,14 +993,15 @@ bool ping_rcv(struct sk_buff *skb) + struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); + + pr_debug("rcv on socket %p\n", sk); +- if (skb2) +- ping_queue_rcv_skb(sk, skb2); ++ if (skb2 && !ping_queue_rcv_skb(sk, skb2)) ++ rc = true; + sock_put(sk); +- return true; + } +- pr_debug("no socket, dropping\n"); + +- return false; ++ if (!rc) ++ pr_debug("no socket, dropping\n"); ++ ++ return rc; + } + EXPORT_SYMBOL_GPL(ping_rcv); + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 78d6bc61a1d87..81901b0529077 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -70,6 +70,7 @@ + #include <linux/types.h> + #include <linux/kernel.h> + #include <linux/mm.h> ++#include <linux/bootmem.h> + #include <linux/string.h> + #include <linux/socket.h> + #include <linux/sockios.h> +@@ -485,8 +486,10 @@ static void ipv4_confirm_neigh(const struct dst_entry *dst, const void *daddr) + __ipv4_confirm_neigh(dev, *(__force u32 *)pkey); + } + +-#define IP_IDENTS_SZ 2048u +- ++/* Hash tables of size 2048..262144 depending on RAM size. ++ * Each bucket uses 8 bytes. ++ */ ++static u32 ip_idents_mask __read_mostly; + static atomic_t *ip_idents __read_mostly; + static u32 *ip_tstamps __read_mostly; + +@@ -496,12 +499,16 @@ static u32 *ip_tstamps __read_mostly; + */ + u32 ip_idents_reserve(u32 hash, int segs) + { +- u32 *p_tstamp = ip_tstamps + hash % IP_IDENTS_SZ; +- atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ; +- u32 old = ACCESS_ONCE(*p_tstamp); +- u32 now = (u32)jiffies; ++ u32 bucket, old, now = (u32)jiffies; ++ atomic_t *p_id; ++ u32 *p_tstamp; + u32 delta = 0; + ++ bucket = hash & ip_idents_mask; ++ p_tstamp = ip_tstamps + bucket; ++ p_id = ip_idents + bucket; ++ old = ACCESS_ONCE(*p_tstamp); ++ + if (old != now && cmpxchg(p_tstamp, old, now) == old) + delta = prandom_u32_max(now - old); + +@@ -3098,18 +3105,26 @@ struct ip_rt_acct __percpu *ip_rt_acct __read_mostly; + + int __init ip_rt_init(void) + { ++ void *idents_hash; + int rc = 0; + int cpu; + +- ip_idents = kmalloc(IP_IDENTS_SZ * sizeof(*ip_idents), GFP_KERNEL); +- if (!ip_idents) +- panic("IP: failed to allocate ip_idents\n"); ++ /* For modern hosts, this will use 2 MB of memory */ ++ idents_hash = alloc_large_system_hash("IP idents", ++ sizeof(*ip_idents) + sizeof(*ip_tstamps), ++ 0, ++ 16, /* one bucket per 64 KB */ ++ HASH_ZERO, ++ NULL, ++ &ip_idents_mask, ++ 2048, ++ 256*1024); ++ ++ ip_idents = idents_hash; + +- prandom_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents)); ++ prandom_bytes(ip_idents, (ip_idents_mask + 1) * sizeof(*ip_idents)); + +- ip_tstamps = kcalloc(IP_IDENTS_SZ, sizeof(*ip_tstamps), GFP_KERNEL); +- if (!ip_tstamps) +- panic("IP: failed to allocate ip_tstamps\n"); ++ ip_tstamps = idents_hash + (ip_idents_mask + 1) * sizeof(*ip_idents); + + for_each_possible_cpu(cpu) { + struct uncached_list *ul = &per_cpu(rt_uncached_list, cpu); +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 8f298f27f6ecf..cf5c4d2f68c1a 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2337,6 +2337,9 @@ void udp_destroy_sock(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + bool slow = lock_sock_fast(sk); ++ ++ /* protects from races with udp_abort() */ ++ sock_set_flag(sk, SOCK_DEAD); + udp_flush_pending_frames(sk); + unlock_sock_fast(sk, slow); + if (static_key_false(&udp_encap_needed) && up->encap_type) { +@@ -2570,10 +2573,17 @@ int udp_abort(struct sock *sk, int err) + { + lock_sock(sk); + ++ /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing ++ * with close() ++ */ ++ if (sock_flag(sk, SOCK_DEAD)) ++ goto out; ++ + sk->sk_err = err; + sk->sk_error_report(sk); + __udp_disconnect(sk, 0); + ++out: + release_sock(sk); + + return 0; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 38ad3fac8c37f..d9d25b9c07aea 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1434,6 +1434,9 @@ void udpv6_destroy_sock(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + lock_sock(sk); ++ ++ /* protects from races with udp_abort() */ ++ sock_set_flag(sk, SOCK_DEAD); + udp_v6_flush_pending_frames(sk); + release_sock(sk); + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 790c771e8108e..0d4f7258b243b 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1393,7 +1393,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata) + rcu_read_lock(); + chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); + +- if (WARN_ON_ONCE(!chanctx_conf)) { ++ if (!chanctx_conf) { + rcu_read_unlock(); + return NULL; + } +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 6b4fd56800f74..ac2c52709e1c7 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2014,17 +2014,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + sc = le16_to_cpu(hdr->seq_ctrl); + frag = sc & IEEE80211_SCTL_FRAG; + +- if (is_multicast_ether_addr(hdr->addr1)) { +- I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount); +- goto out_no_led; +- } +- + if (rx->sta) + cache = &rx->sta->frags; + + if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) + goto out; + ++ if (is_multicast_ether_addr(hdr->addr1)) ++ return RX_DROP_MONITOR; ++ + I802_DEBUG_INC(rx->local->rx_handlers_fragments); + + if (skb_linearize(rx->skb)) +@@ -2150,7 +2148,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + + out: + ieee80211_led_rx(rx->local); +- out_no_led: + if (rx->sta) + rx->sta->rx_stats.packets++; + return RX_CONTINUE; +diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c +index 49bd8bb16b181..9ff26eb0309a1 100644 +--- a/net/netfilter/nf_synproxy_core.c ++++ b/net/netfilter/nf_synproxy_core.c +@@ -34,6 +34,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + int length = (th->doff * 4) - sizeof(*th); + u8 buf[40], *ptr; + ++ if (unlikely(length < 0)) ++ return false; ++ + ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf); + if (ptr == NULL) + return false; +@@ -50,6 +53,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + length--; + continue; + default: ++ if (length < 2) ++ return true; + opsize = *ptr++; + if (opsize < 2) + return true; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index b62ec43ed54f4..50ca70b3c1759 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2694,7 +2694,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + } + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2907,7 +2907,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); +- proto = po->num; ++ proto = READ_ONCE(po->num); + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -3177,7 +3177,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + /* prevents packet_notifier() from calling + * register_prot_hook() + */ +- po->num = 0; ++ WRITE_ONCE(po->num, 0); + __unregister_prot_hook(sk, true); + rcu_read_lock(); + dev_curr = po->prot_hook.dev; +@@ -3187,17 +3187,17 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + } + + BUG_ON(po->running); +- po->num = proto; ++ WRITE_ONCE(po->num, proto); + po->prot_hook.type = proto; + + if (unlikely(unlisted)) { + dev_put(dev); + po->prot_hook.dev = NULL; +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + packet_cached_dev_reset(po); + } else { + po->prot_hook.dev = dev; +- po->ifindex = dev ? dev->ifindex : 0; ++ WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0); + packet_cached_dev_assign(po, dev); + } + } +@@ -3512,7 +3512,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, + uaddr->sa_family = AF_PACKET; + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex)); + if (dev) + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); + rcu_read_unlock(); +@@ -3528,16 +3528,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, + struct sock *sk = sock->sk; + struct packet_sock *po = pkt_sk(sk); + DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr); ++ int ifindex; + + if (peer) + return -EOPNOTSUPP; + ++ ifindex = READ_ONCE(po->ifindex); + sll->sll_family = AF_PACKET; +- sll->sll_ifindex = po->ifindex; +- sll->sll_protocol = po->num; ++ sll->sll_ifindex = ifindex; ++ sll->sll_protocol = READ_ONCE(po->num); + sll->sll_pkttype = 0; + rcu_read_lock(); +- dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex); + if (dev) { + sll->sll_hatype = dev->type; + sll->sll_halen = dev->addr_len; +@@ -4117,7 +4119,7 @@ static int packet_notifier(struct notifier_block *this, + } + if (msg == NETDEV_UNREGISTER) { + packet_cached_dev_reset(po); +- po->ifindex = -1; ++ WRITE_ONCE(po->ifindex, -1); + if (po->prot_hook.dev) + dev_put(po->prot_hook.dev); + po->prot_hook.dev = NULL; +@@ -4429,7 +4431,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + was_running = po->running; + num = po->num; + if (was_running) { +- po->num = 0; ++ WRITE_ONCE(po->num, 0); + __unregister_prot_hook(sk, false); + } + spin_unlock(&po->bind_lock); +@@ -4464,7 +4466,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + + spin_lock(&po->bind_lock); + if (was_running) { +- po->num = num; ++ WRITE_ONCE(po->num, num); + register_prot_hook(sk); + } + spin_unlock(&po->bind_lock); +@@ -4635,8 +4637,8 @@ static int packet_seq_show(struct seq_file *seq, void *v) + s, + refcount_read(&s->sk_refcnt), + s->sk_type, +- ntohs(po->num), +- po->ifindex, ++ ntohs(READ_ONCE(po->num)), ++ READ_ONCE(po->ifindex), + po->running, + atomic_read(&s->sk_rmem_alloc), + from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)), +diff --git a/net/rds/recv.c b/net/rds/recv.c +index ef022d24f87ae..a1b2bdab6655d 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -663,7 +663,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; +- goto out; ++ break; + } + + rds_stats_inc(s_recv_delivered); +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 44ff3f5c22dfd..8e7054fc27f8b 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -535,12 +535,14 @@ static void unix_release_sock(struct sock *sk, int embrion) + u->path.mnt = NULL; + state = sk->sk_state; + sk->sk_state = TCP_CLOSE; ++ ++ skpair = unix_peer(sk); ++ unix_peer(sk) = NULL; ++ + unix_state_unlock(sk); + + wake_up_interruptible_all(&u->peer_wait); + +- skpair = unix_peer(sk); +- + if (skpair != NULL) { + if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { + unix_state_lock(skpair); +@@ -555,7 +557,6 @@ static void unix_release_sock(struct sock *sk, int embrion) + + unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ +- unix_peer(sk) = NULL; + } + + /* Try to flush out this socket. Throw out buffers at least */ +diff --git a/net/wireless/util.c b/net/wireless/util.c +index b3895a8a48ab2..bf4dd297a4db4 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1041,6 +1041,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev, + case NL80211_IFTYPE_MESH_POINT: + /* mesh should be handled? */ + break; ++ case NL80211_IFTYPE_OCB: ++ cfg80211_leave_ocb(rdev, dev); ++ break; + default: + break; + } +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 987e5f8cafbe3..fd0a6c6c77b62 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -550,7 +550,7 @@ static int x25_create(struct net *net, struct socket *sock, int protocol, + if (protocol) + goto out; + +- rc = -ENOBUFS; ++ rc = -ENOMEM; + if ((sk = x25_alloc_socket(net, kern)) == NULL) + goto out; +