[gentoo-commits] proj/linux-patches:4.14 commit in: /

Mike Pagano Wed, 30 Jun 2021 07:26:43 -0700

commit:     b4dd90b1bc402c72ed0d3e4fad8c8dadaf1197d2
Author:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Wed Jun 30 14:26:14 2021 +0000
Commit:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Wed Jun 30 14:26:14 2021 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=b4dd90b1


Linux patch 4.14.238

Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>

 0000_README               |    4 +
 1237_linux-4.14.238.patch | 2489 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 2493 insertions(+)

diff --git a/0000_README b/0000_README
index 165f37f..487ae9d 100644
--- a/0000_README
+++ b/0000_README
@@ -991,6 +991,10 @@ Patch:  1236_linux-4.14.237.patch
 From:   https://www.kernel.org
 Desc:   Linux 4.14.237
 
+Patch:  1237_linux-4.14.238.patch
+From:   https://www.kernel.org
+Desc:   Linux 4.14.238
+
 Patch:  1500_XATTR_USER_PREFIX.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc:   Support for namespace user.pax.* on tmpfs.

diff --git a/1237_linux-4.14.238.patch b/1237_linux-4.14.238.patch
new file mode 100644
index 0000000..bf167cd
--- /dev/null
+++ b/1237_linux-4.14.238.patch
@@ -0,0 +1,2489 @@
+diff --git a/Makefile b/Makefile
+index bc9833fdca1ae..5442918651e00 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 4
+ PATCHLEVEL = 14
+-SUBLEVEL = 237
++SUBLEVEL = 238
+ EXTRAVERSION =
+ NAME = Petit Gorille
+ 
+@@ -716,12 +716,11 @@ KBUILD_CFLAGS += $(call cc-disable-warning, 
tautological-compare)
+ # See modpost pattern 2
+ KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
+ KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior)
+-else
++endif
+ 
+ # These warnings generated too much noise in a regular build.
+ # Use make W=1 to enable them (see scripts/Makefile.extrawarn)
+ KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable)
+-endif
+ 
+ KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable)
+ ifdef CONFIG_FRAME_POINTER
+diff --git a/arch/arc/include/uapi/asm/sigcontext.h 
b/arch/arc/include/uapi/asm/sigcontext.h
+index 95f8a4380e110..7a5449dfcb290 100644
+--- a/arch/arc/include/uapi/asm/sigcontext.h
++++ b/arch/arc/include/uapi/asm/sigcontext.h
+@@ -18,6 +18,7 @@
+  */
+ struct sigcontext {
+       struct user_regs_struct regs;
++      struct user_regs_arcv2 v2abi;
+ };
+ 
+ #endif /* _ASM_ARC_SIGCONTEXT_H */
+diff --git a/arch/arc/kernel/signal.c b/arch/arc/kernel/signal.c
+index da243420bcb58..68901f6f18bab 100644
+--- a/arch/arc/kernel/signal.c
++++ b/arch/arc/kernel/signal.c
+@@ -64,6 +64,41 @@ struct rt_sigframe {
+       unsigned int sigret_magic;
+ };
+ 
++static int save_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs)
++{
++      int err = 0;
++#ifndef CONFIG_ISA_ARCOMPACT
++      struct user_regs_arcv2 v2abi;
++
++      v2abi.r30 = regs->r30;
++#ifdef CONFIG_ARC_HAS_ACCL_REGS
++      v2abi.r58 = regs->r58;
++      v2abi.r59 = regs->r59;
++#else
++      v2abi.r58 = v2abi.r59 = 0;
++#endif
++      err = __copy_to_user(&mctx->v2abi, &v2abi, sizeof(v2abi));
++#endif
++      return err;
++}
++
++static int restore_arcv2_regs(struct sigcontext *mctx, struct pt_regs *regs)
++{
++      int err = 0;
++#ifndef CONFIG_ISA_ARCOMPACT
++      struct user_regs_arcv2 v2abi;
++
++      err = __copy_from_user(&v2abi, &mctx->v2abi, sizeof(v2abi));
++
++      regs->r30 = v2abi.r30;
++#ifdef CONFIG_ARC_HAS_ACCL_REGS
++      regs->r58 = v2abi.r58;
++      regs->r59 = v2abi.r59;
++#endif
++#endif
++      return err;
++}
++
+ static int
+ stash_usr_regs(struct rt_sigframe __user *sf, struct pt_regs *regs,
+              sigset_t *set)
+@@ -97,6 +132,10 @@ stash_usr_regs(struct rt_sigframe __user *sf, struct 
pt_regs *regs,
+ 
+       err = __copy_to_user(&(sf->uc.uc_mcontext.regs.scratch), &uregs.scratch,
+                            sizeof(sf->uc.uc_mcontext.regs.scratch));
++
++      if (is_isa_arcv2())
++              err |= save_arcv2_regs(&(sf->uc.uc_mcontext), regs);
++
+       err |= __copy_to_user(&sf->uc.uc_sigmask, set, sizeof(sigset_t));
+ 
+       return err ? -EFAULT : 0;
+@@ -112,6 +151,10 @@ static int restore_usr_regs(struct pt_regs *regs, struct 
rt_sigframe __user *sf)
+       err |= __copy_from_user(&uregs.scratch,
+                               &(sf->uc.uc_mcontext.regs.scratch),
+                               sizeof(sf->uc.uc_mcontext.regs.scratch));
++
++      if (is_isa_arcv2())
++              err |= restore_arcv2_regs(&(sf->uc.uc_mcontext), regs);
++
+       if (err)
+               return -EFAULT;
+ 
+diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
+index a6d27284105a1..ac4ffd97ae823 100644
+--- a/arch/arm/kernel/setup.c
++++ b/arch/arm/kernel/setup.c
+@@ -547,9 +547,11 @@ void notrace cpu_init(void)
+        * In Thumb-2, msr with an immediate value is not allowed.
+        */
+ #ifdef CONFIG_THUMB2_KERNEL
+-#define PLC   "r"
++#define PLC_l "l"
++#define PLC_r "r"
+ #else
+-#define PLC   "I"
++#define PLC_l "I"
++#define PLC_r "I"
+ #endif
+ 
+       /*
+@@ -571,15 +573,15 @@ void notrace cpu_init(void)
+       "msr    cpsr_c, %9"
+           :
+           : "r" (stk),
+-            PLC (PSR_F_BIT | PSR_I_BIT | IRQ_MODE),
++            PLC_r (PSR_F_BIT | PSR_I_BIT | IRQ_MODE),
+             "I" (offsetof(struct stack, irq[0])),
+-            PLC (PSR_F_BIT | PSR_I_BIT | ABT_MODE),
++            PLC_r (PSR_F_BIT | PSR_I_BIT | ABT_MODE),
+             "I" (offsetof(struct stack, abt[0])),
+-            PLC (PSR_F_BIT | PSR_I_BIT | UND_MODE),
++            PLC_r (PSR_F_BIT | PSR_I_BIT | UND_MODE),
+             "I" (offsetof(struct stack, und[0])),
+-            PLC (PSR_F_BIT | PSR_I_BIT | FIQ_MODE),
++            PLC_r (PSR_F_BIT | PSR_I_BIT | FIQ_MODE),
+             "I" (offsetof(struct stack, fiq[0])),
+-            PLC (PSR_F_BIT | PSR_I_BIT | SVC_MODE)
++            PLC_l (PSR_F_BIT | PSR_I_BIT | SVC_MODE)
+           : "r14");
+ #endif
+ }
+diff --git a/arch/arm/mach-omap2/board-n8x0.c 
b/arch/arm/mach-omap2/board-n8x0.c
+index 20f25539d5726..47abea1475d46 100644
+--- a/arch/arm/mach-omap2/board-n8x0.c
++++ b/arch/arm/mach-omap2/board-n8x0.c
+@@ -325,6 +325,7 @@ static int n8x0_mmc_get_cover_state(struct device *dev, 
int slot)
+ 
+ static void n8x0_mmc_callback(void *data, u8 card_mask)
+ {
++#ifdef CONFIG_MMC_OMAP
+       int bit, *openp, index;
+ 
+       if (board_is_n800()) {
+@@ -342,7 +343,6 @@ static void n8x0_mmc_callback(void *data, u8 card_mask)
+       else
+               *openp = 0;
+ 
+-#ifdef CONFIG_MMC_OMAP
+       omap_mmc_notify_cover_event(mmc_device, index, *openp);
+ #else
+       pr_warn("MMC: notify cover event not available\n");
+diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c
+index 53df84b2a07f4..4ee1228d29eb8 100644
+--- a/arch/arm64/kernel/perf_event.c
++++ b/arch/arm64/kernel/perf_event.c
+@@ -670,6 +670,28 @@ static void armv8pmu_disable_event(struct perf_event 
*event)
+       raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
+ }
+ 
++static void armv8pmu_start(struct arm_pmu *cpu_pmu)
++{
++      unsigned long flags;
++      struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events);
++
++      raw_spin_lock_irqsave(&events->pmu_lock, flags);
++      /* Enable all counters */
++      armv8pmu_pmcr_write(armv8pmu_pmcr_read() | ARMV8_PMU_PMCR_E);
++      raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
++}
++
++static void armv8pmu_stop(struct arm_pmu *cpu_pmu)
++{
++      unsigned long flags;
++      struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events);
++
++      raw_spin_lock_irqsave(&events->pmu_lock, flags);
++      /* Disable all counters */
++      armv8pmu_pmcr_write(armv8pmu_pmcr_read() & ~ARMV8_PMU_PMCR_E);
++      raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
++}
++
+ static irqreturn_t armv8pmu_handle_irq(int irq_num, void *dev)
+ {
+       u32 pmovsr;
+@@ -695,6 +717,11 @@ static irqreturn_t armv8pmu_handle_irq(int irq_num, void 
*dev)
+        */
+       regs = get_irq_regs();
+ 
++      /*
++       * Stop the PMU while processing the counter overflows
++       * to prevent skews in group events.
++       */
++      armv8pmu_stop(cpu_pmu);
+       for (idx = 0; idx < cpu_pmu->num_events; ++idx) {
+               struct perf_event *event = cpuc->events[idx];
+               struct hw_perf_event *hwc;
+@@ -719,6 +746,7 @@ static irqreturn_t armv8pmu_handle_irq(int irq_num, void 
*dev)
+               if (perf_event_overflow(event, &data, regs))
+                       cpu_pmu->disable(event);
+       }
++      armv8pmu_start(cpu_pmu);
+ 
+       /*
+        * Handle the pending perf events.
+@@ -732,28 +760,6 @@ static irqreturn_t armv8pmu_handle_irq(int irq_num, void 
*dev)
+       return IRQ_HANDLED;
+ }
+ 
+-static void armv8pmu_start(struct arm_pmu *cpu_pmu)
+-{
+-      unsigned long flags;
+-      struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events);
+-
+-      raw_spin_lock_irqsave(&events->pmu_lock, flags);
+-      /* Enable all counters */
+-      armv8pmu_pmcr_write(armv8pmu_pmcr_read() | ARMV8_PMU_PMCR_E);
+-      raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
+-}
+-
+-static void armv8pmu_stop(struct arm_pmu *cpu_pmu)
+-{
+-      unsigned long flags;
+-      struct pmu_hw_events *events = this_cpu_ptr(cpu_pmu->hw_events);
+-
+-      raw_spin_lock_irqsave(&events->pmu_lock, flags);
+-      /* Disable all counters */
+-      armv8pmu_pmcr_write(armv8pmu_pmcr_read() & ~ARMV8_PMU_PMCR_E);
+-      raw_spin_unlock_irqrestore(&events->pmu_lock, flags);
+-}
+-
+ static int armv8pmu_get_event_idx(struct pmu_hw_events *cpuc,
+                                 struct perf_event *event)
+ {
+diff --git a/arch/mips/generic/board-boston.its.S 
b/arch/mips/generic/board-boston.its.S
+index a7f51f97b9102..c45ad27594218 100644
+--- a/arch/mips/generic/board-boston.its.S
++++ b/arch/mips/generic/board-boston.its.S
+@@ -1,22 +1,22 @@
+ / {
+       images {
+-              fdt@boston {
++              fdt-boston {
+                       description = "img,boston Device Tree";
+                       data = /incbin/("boot/dts/img/boston.dtb");
+                       type = "flat_dt";
+                       arch = "mips";
+                       compression = "none";
+-                      hash@0 {
++                      hash {
+                               algo = "sha1";
+                       };
+               };
+       };
+ 
+       configurations {
+-              conf@boston {
++              conf-boston {
+                       description = "Boston Linux kernel";
+-                      kernel = "kernel@0";
+-                      fdt = "fdt@boston";
++                      kernel = "kernel";
++                      fdt = "fdt-boston";
+               };
+       };
+ };
+diff --git a/arch/mips/generic/board-ni169445.its.S 
b/arch/mips/generic/board-ni169445.its.S
+index e4cb4f95a8cc1..0a2e8f7a8526f 100644
+--- a/arch/mips/generic/board-ni169445.its.S
++++ b/arch/mips/generic/board-ni169445.its.S
+@@ -1,22 +1,22 @@
+ / {
+       images {
+-              fdt@ni169445 {
++              fdt-ni169445 {
+                       description = "NI 169445 device tree";
+                       data = /incbin/("boot/dts/ni/169445.dtb");
+                       type = "flat_dt";
+                       arch = "mips";
+                       compression = "none";
+-                      hash@0 {
++                      hash {
+                               algo = "sha1";
+                       };
+               };
+       };
+ 
+       configurations {
+-              conf@ni169445 {
++              conf-ni169445 {
+                       description = "NI 169445 Linux Kernel";
+-                      kernel = "kernel@0";
+-                      fdt = "fdt@ni169445";
++                      kernel = "kernel";
++                      fdt = "fdt-ni169445";
+               };
+       };
+ };
+diff --git a/arch/mips/generic/vmlinux.its.S b/arch/mips/generic/vmlinux.its.S
+index 1a08438fd8930..3e254676540f4 100644
+--- a/arch/mips/generic/vmlinux.its.S
++++ b/arch/mips/generic/vmlinux.its.S
+@@ -6,7 +6,7 @@
+       #address-cells = <ADDR_CELLS>;
+ 
+       images {
+-              kernel@0 {
++              kernel {
+                       description = KERNEL_NAME;
+                       data = /incbin/(VMLINUX_BINARY);
+                       type = "kernel";
+@@ -15,18 +15,18 @@
+                       compression = VMLINUX_COMPRESSION;
+                       load = /bits/ ADDR_BITS <VMLINUX_LOAD_ADDRESS>;
+                       entry = /bits/ ADDR_BITS <VMLINUX_ENTRY_ADDRESS>;
+-                      hash@0 {
++                      hash {
+                               algo = "sha1";
+                       };
+               };
+       };
+ 
+       configurations {
+-              default = "conf@default";
++              default = "conf-default";
+ 
+-              conf@default {
++              conf-default {
+                       description = "Generic Linux kernel";
+-                      kernel = "kernel@0";
++                      kernel = "kernel";
+               };
+       };
+ };
+diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
+index d99a8ee9e185e..86a231338bbfe 100644
+--- a/arch/x86/kernel/fpu/signal.c
++++ b/arch/x86/kernel/fpu/signal.c
+@@ -272,6 +272,7 @@ static int __fpu__restore_sig(void __user *buf, void 
__user *buf_fx, int size)
+       int state_size = fpu_kernel_xstate_size;
+       u64 xfeatures = 0;
+       int fx_only = 0;
++      int ret = 0;
+ 
+       ia32_fxstate &= (IS_ENABLED(CONFIG_X86_32) ||
+                        IS_ENABLED(CONFIG_IA32_EMULATION));
+@@ -281,15 +282,21 @@ static int __fpu__restore_sig(void __user *buf, void 
__user *buf_fx, int size)
+               return 0;
+       }
+ 
+-      if (!access_ok(VERIFY_READ, buf, size))
+-              return -EACCES;
++      if (!access_ok(VERIFY_READ, buf, size)) {
++              ret = -EACCES;
++              goto out_err;
++      }
+ 
+       fpu__initialize(fpu);
+ 
+-      if (!static_cpu_has(X86_FEATURE_FPU))
+-              return fpregs_soft_set(current, NULL,
+-                                     0, sizeof(struct user_i387_ia32_struct),
+-                                     NULL, buf) != 0;
++      if (!static_cpu_has(X86_FEATURE_FPU)) {
++              ret = fpregs_soft_set(current, NULL,
++                                    0, sizeof(struct user_i387_ia32_struct),
++                                    NULL, buf) != 0;
++              if (ret)
++                      goto out_err;
++              return 0;
++      }
+ 
+       if (use_xsave()) {
+               struct _fpx_sw_bytes fx_sw_user;
+@@ -349,6 +356,7 @@ static int __fpu__restore_sig(void __user *buf, void 
__user *buf_fx, int size)
+               fpu__restore(fpu);
+               local_bh_enable();
+ 
++              /* Failure is already handled */
+               return err;
+       } else {
+               /*
+@@ -356,13 +364,14 @@ static int __fpu__restore_sig(void __user *buf, void 
__user *buf_fx, int size)
+                * state to the registers directly (with exceptions handled).
+                */
+               user_fpu_begin();
+-              if (copy_user_to_fpregs_zeroing(buf_fx, xfeatures, fx_only)) {
+-                      fpu__clear(fpu);
+-                      return -1;
+-              }
++              if (!copy_user_to_fpregs_zeroing(buf_fx, xfeatures, fx_only))
++                      return 0;
++              ret = -1;
+       }
+ 
+-      return 0;
++out_err:
++      fpu__clear(fpu);
++      return ret;
+ }
+ 
+ static inline int xstate_sigframe_size(void)
+diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig
+index 79b809dbfda01..ff69feefc1c67 100644
+--- a/drivers/dma/Kconfig
++++ b/drivers/dma/Kconfig
+@@ -58,6 +58,7 @@ config DMA_OF
+ #devices
+ config ALTERA_MSGDMA
+       tristate "Altera / Intel mSGDMA Engine"
++      depends on HAS_IOMEM
+       select DMA_ENGINE
+       help
+         Enable support for Altera / Intel mSGDMA controller.
+diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
+index c034f506e015a..a8cea236099a1 100644
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -2563,13 +2563,15 @@ static struct dma_async_tx_descriptor 
*pl330_prep_dma_cyclic(
+       for (i = 0; i < len / period_len; i++) {
+               desc = pl330_get_desc(pch);
+               if (!desc) {
++                      unsigned long iflags;
++
+                       dev_err(pch->dmac->ddma.dev, "%s:%d Unable to fetch 
desc\n",
+                               __func__, __LINE__);
+ 
+                       if (!first)
+                               return NULL;
+ 
+-                      spin_lock_irqsave(&pl330->pool_lock, flags);
++                      spin_lock_irqsave(&pl330->pool_lock, iflags);
+ 
+                       while (!list_empty(&first->node)) {
+                               desc = list_entry(first->node.next,
+@@ -2579,7 +2581,7 @@ static struct dma_async_tx_descriptor 
*pl330_prep_dma_cyclic(
+ 
+                       list_move_tail(&first->node, &pl330->desc_pool);
+ 
+-                      spin_unlock_irqrestore(&pl330->pool_lock, flags);
++                      spin_unlock_irqrestore(&pl330->pool_lock, iflags);
+ 
+                       return NULL;
+               }
+diff --git a/drivers/dma/qcom/Kconfig b/drivers/dma/qcom/Kconfig
+index a7761c4025f41..a97c7123d913c 100644
+--- a/drivers/dma/qcom/Kconfig
++++ b/drivers/dma/qcom/Kconfig
+@@ -9,6 +9,7 @@ config QCOM_BAM_DMA
+ 
+ config QCOM_HIDMA_MGMT
+       tristate "Qualcomm Technologies HIDMA Management support"
++      depends on HAS_IOMEM
+       select DMA_ENGINE
+       help
+         Enable support for the Qualcomm Technologies HIDMA Management.
+diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c
+index 90feb6a05e59b..ee15d4fefbad2 100644
+--- a/drivers/dma/ste_dma40.c
++++ b/drivers/dma/ste_dma40.c
+@@ -3656,6 +3656,9 @@ static int __init d40_probe(struct platform_device *pdev)
+ 
+       kfree(base->lcla_pool.base_unaligned);
+ 
++      if (base->lcpa_base)
++              iounmap(base->lcpa_base);
++
+       if (base->phy_lcpa)
+               release_mem_region(base->phy_lcpa,
+                                  base->lcpa_size);
+diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c 
b/drivers/gpu/drm/nouveau/nouveau_prime.c
+index 1fefc93af1d78..bbfce7b9d03e1 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_prime.c
++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c
+@@ -98,7 +98,22 @@ int nouveau_gem_prime_pin(struct drm_gem_object *obj)
+       if (ret)
+               return -EINVAL;
+ 
+-      return 0;
++      ret = ttm_bo_reserve(&nvbo->bo, false, false, NULL);
++      if (ret)
++              goto error;
++
++      if (nvbo->bo.moving)
++              ret = dma_fence_wait(nvbo->bo.moving, true);
++
++      ttm_bo_unreserve(&nvbo->bo);
++      if (ret)
++              goto error;
++
++      return ret;
++
++error:
++      nouveau_bo_unpin(nvbo);
++      return ret;
+ }
+ 
+ void nouveau_gem_prime_unpin(struct drm_gem_object *obj)
+diff --git a/drivers/gpu/drm/radeon/radeon_prime.c 
b/drivers/gpu/drm/radeon/radeon_prime.c
+index 7110d403322c4..c138e07f51a3e 100644
+--- a/drivers/gpu/drm/radeon/radeon_prime.c
++++ b/drivers/gpu/drm/radeon/radeon_prime.c
+@@ -92,9 +92,19 @@ int radeon_gem_prime_pin(struct drm_gem_object *obj)
+ 
+       /* pin buffer into GTT */
+       ret = radeon_bo_pin(bo, RADEON_GEM_DOMAIN_GTT, NULL);
+-      if (likely(ret == 0))
+-              bo->prime_shared_count++;
+-
++      if (unlikely(ret))
++              goto error;
++
++      if (bo->tbo.moving) {
++              ret = dma_fence_wait(bo->tbo.moving, false);
++              if (unlikely(ret)) {
++                      radeon_bo_unpin(bo);
++                      goto error;
++              }
++      }
++
++      bo->prime_shared_count++;
++error:
+       radeon_bo_unreserve(bo);
+       return ret;
+ }
+diff --git a/drivers/gpu/drm/radeon/radeon_uvd.c 
b/drivers/gpu/drm/radeon/radeon_uvd.c
+index 95f4db70dd223..fde9c69ecc869 100644
+--- a/drivers/gpu/drm/radeon/radeon_uvd.c
++++ b/drivers/gpu/drm/radeon/radeon_uvd.c
+@@ -286,7 +286,7 @@ int radeon_uvd_resume(struct radeon_device *rdev)
+       if (rdev->uvd.vcpu_bo == NULL)
+               return -EINVAL;
+ 
+-      memcpy(rdev->uvd.cpu_addr, rdev->uvd_fw->data, rdev->uvd_fw->size);
++      memcpy_toio((void __iomem *)rdev->uvd.cpu_addr, rdev->uvd_fw->data, 
rdev->uvd_fw->size);
+ 
+       size = radeon_bo_size(rdev->uvd.vcpu_bo);
+       size -= rdev->uvd_fw->size;
+@@ -294,7 +294,7 @@ int radeon_uvd_resume(struct radeon_device *rdev)
+       ptr = rdev->uvd.cpu_addr;
+       ptr += rdev->uvd_fw->size;
+ 
+-      memset(ptr, 0, size);
++      memset_io((void __iomem *)ptr, 0, size);
+ 
+       return 0;
+ }
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 71ee1267d2efc..381ab96c1e389 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1824,6 +1824,9 @@ int hid_connect(struct hid_device *hdev, unsigned int 
connect_mask)
+       case BUS_I2C:
+               bus = "I2C";
+               break;
++      case BUS_VIRTUAL:
++              bus = "VIRTUAL";
++              break;
+       default:
+               bus = "<UNKNOWN>";
+       }
+diff --git a/drivers/hid/hid-gt683r.c b/drivers/hid/hid-gt683r.c
+index a298fbd8db6b9..8ca4c1baeda89 100644
+--- a/drivers/hid/hid-gt683r.c
++++ b/drivers/hid/hid-gt683r.c
+@@ -64,6 +64,7 @@ static const struct hid_device_id gt683r_led_id[] = {
+       { HID_USB_DEVICE(USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GT683R_LED_PANEL) 
},
+       { }
+ };
++MODULE_DEVICE_TABLE(hid, gt683r_led_id);
+ 
+ static void gt683r_brightness_set(struct led_classdev *led_cdev,
+                               enum led_brightness brightness)
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index aa078c1dad14f..6c7e12d8e7d93 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -223,16 +223,21 @@ int sensor_hub_set_feature(struct hid_sensor_hub_device 
*hsdev, u32 report_id,
+       buffer_size = buffer_size / sizeof(__s32);
+       if (buffer_size) {
+               for (i = 0; i < buffer_size; ++i) {
+-                      hid_set_field(report->field[field_index], i,
+-                                    (__force __s32)cpu_to_le32(*buf32));
++                      ret = hid_set_field(report->field[field_index], i,
++                                          (__force __s32)cpu_to_le32(*buf32));
++                      if (ret)
++                              goto done_proc;
++
+                       ++buf32;
+               }
+       }
+       if (remaining_bytes) {
+               value = 0;
+               memcpy(&value, (u8 *)buf32, remaining_bytes);
+-              hid_set_field(report->field[field_index], i,
+-                            (__force __s32)cpu_to_le32(value));
++              ret = hid_set_field(report->field[field_index], i,
++                                  (__force __s32)cpu_to_le32(value));
++              if (ret)
++                      goto done_proc;
+       }
+       hid_hw_request(hsdev->hdev, report, HID_REQ_SET_REPORT);
+       hid_hw_wait(hsdev->hdev);
+diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
+index 98916fb4191a7..46b8f4c353def 100644
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -373,7 +373,7 @@ static int hid_submit_ctrl(struct hid_device *hid)
+       raw_report = usbhid->ctrl[usbhid->ctrltail].raw_report;
+       dir = usbhid->ctrl[usbhid->ctrltail].dir;
+ 
+-      len = ((report->size - 1) >> 3) + 1 + (report->id > 0);
++      len = hid_report_len(report);
+       if (dir == USB_DIR_OUT) {
+               usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0);
+               usbhid->urbctrl->transfer_buffer_length = len;
+diff --git a/drivers/hwmon/scpi-hwmon.c b/drivers/hwmon/scpi-hwmon.c
+index 7e49da50bc69b..562f3e287297a 100644
+--- a/drivers/hwmon/scpi-hwmon.c
++++ b/drivers/hwmon/scpi-hwmon.c
+@@ -107,6 +107,15 @@ scpi_show_sensor(struct device *dev, struct 
device_attribute *attr, char *buf)
+ 
+       scpi_scale_reading(&value, sensor);
+ 
++      /*
++       * Temperature sensor values are treated as signed values based on
++       * observation even though that is not explicitly specified, and
++       * because an unsigned u64 temperature does not really make practical
++       * sense especially when the temperature is below zero degrees Celsius.
++       */
++      if (sensor->info.class == TEMPERATURE)
++              return sprintf(buf, "%lld\n", (s64)value);
++
+       return sprintf(buf, "%llu\n", value);
+ }
+ 
+diff --git a/drivers/i2c/busses/i2c-robotfuzz-osif.c 
b/drivers/i2c/busses/i2c-robotfuzz-osif.c
+index 9c0f52b7ff7ec..b9b4758c6be7a 100644
+--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
+@@ -89,7 +89,7 @@ static int osif_xfer(struct i2c_adapter *adapter, struct 
i2c_msg *msgs,
+                       }
+               }
+ 
+-              ret = osif_usb_read(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
++              ret = osif_usb_write(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
+               if (ret) {
+                       dev_err(&adapter->dev, "failure sending STOP\n");
+                       return -EREMOTEIO;
+@@ -159,7 +159,7 @@ static int osif_probe(struct usb_interface *interface,
+        * Set bus frequency. The frequency is:
+        * 120,000,000 / ( 16 + 2 * div * 4^prescale).
+        * Using dev = 52, prescale = 0 give 100KHz */
+-      ret = osif_usb_read(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
++      ret = osif_usb_write(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
+                           NULL, 0);
+       if (ret) {
+               dev_err(&interface->dev, "failure sending bit rate");
+diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
+index ce76ed50a1a25..1516d621e0402 100644
+--- a/drivers/net/caif/caif_serial.c
++++ b/drivers/net/caif/caif_serial.c
+@@ -360,6 +360,7 @@ static int ldisc_open(struct tty_struct *tty)
+       rtnl_lock();
+       result = register_netdevice(dev);
+       if (result) {
++              tty_kref_put(tty);
+               rtnl_unlock();
+               free_netdev(dev);
+               return -ENODEV;
+diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
+index a09e3f6c2c504..6b0c6009dde0d 100644
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -93,6 +93,8 @@ struct mcba_priv {
+       bool can_ka_first_pass;
+       bool can_speed_check;
+       atomic_t free_ctx_cnt;
++      void *rxbuf[MCBA_MAX_RX_URBS];
++      dma_addr_t rxbuf_dma[MCBA_MAX_RX_URBS];
+ };
+ 
+ /* CAN frame */
+@@ -644,6 +646,7 @@ static int mcba_usb_start(struct mcba_priv *priv)
+       for (i = 0; i < MCBA_MAX_RX_URBS; i++) {
+               struct urb *urb = NULL;
+               u8 *buf;
++              dma_addr_t buf_dma;
+ 
+               /* create a URB, and a buffer for it */
+               urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -653,7 +656,7 @@ static int mcba_usb_start(struct mcba_priv *priv)
+               }
+ 
+               buf = usb_alloc_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE,
+-                                       GFP_KERNEL, &urb->transfer_dma);
++                                       GFP_KERNEL, &buf_dma);
+               if (!buf) {
+                       netdev_err(netdev, "No memory left for USB buffer\n");
+                       usb_free_urb(urb);
+@@ -672,11 +675,14 @@ static int mcba_usb_start(struct mcba_priv *priv)
+               if (err) {
+                       usb_unanchor_urb(urb);
+                       usb_free_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE,
+-                                        buf, urb->transfer_dma);
++                                        buf, buf_dma);
+                       usb_free_urb(urb);
+                       break;
+               }
+ 
++              priv->rxbuf[i] = buf;
++              priv->rxbuf_dma[i] = buf_dma;
++
+               /* Drop reference, USB core will take care of freeing it */
+               usb_free_urb(urb);
+       }
+@@ -719,7 +725,14 @@ static int mcba_usb_open(struct net_device *netdev)
+ 
+ static void mcba_urb_unlink(struct mcba_priv *priv)
+ {
++      int i;
++
+       usb_kill_anchored_urbs(&priv->rx_submitted);
++
++      for (i = 0; i < MCBA_MAX_RX_URBS; ++i)
++              usb_free_coherent(priv->udev, MCBA_USB_RX_BUFF_SIZE,
++                                priv->rxbuf[i], priv->rxbuf_dma[i]);
++
+       usb_kill_anchored_urbs(&priv->tx_submitted);
+ }
+ 
+diff --git a/drivers/net/ethernet/atheros/alx/main.c 
b/drivers/net/ethernet/atheros/alx/main.c
+index ce2e644108237..bb0e217460c93 100644
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -1857,6 +1857,7 @@ out_free_netdev:
+       free_netdev(netdev);
+ out_pci_release:
+       pci_release_mem_regions(pdev);
++      pci_disable_pcie_error_reporting(pdev);
+ out_pci_disable:
+       pci_disable_device(pdev);
+       return err;
+diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c
+index 1b79a6defd56d..5561dd2953248 100644
+--- a/drivers/net/ethernet/ec_bhf.c
++++ b/drivers/net/ethernet/ec_bhf.c
+@@ -585,10 +585,12 @@ static void ec_bhf_remove(struct pci_dev *dev)
+       struct ec_bhf_priv *priv = netdev_priv(net_dev);
+ 
+       unregister_netdev(net_dev);
+-      free_netdev(net_dev);
+ 
+       pci_iounmap(dev, priv->dma_io);
+       pci_iounmap(dev, priv->io);
++
++      free_netdev(net_dev);
++
+       pci_release_regions(dev);
+       pci_clear_master(dev);
+       pci_disable_device(dev);
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c 
b/drivers/net/ethernet/emulex/benet/be_main.c
+index cabeb1790db76..43ae124cabff6 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -5926,6 +5926,7 @@ drv_cleanup:
+ unmap_bars:
+       be_unmap_pci_bars(adapter);
+ free_netdev:
++      pci_disable_pcie_error_reporting(pdev);
+       free_netdev(netdev);
+ rel_reg:
+       pci_release_regions(pdev);
+diff --git a/drivers/net/ethernet/freescale/fec_ptp.c 
b/drivers/net/ethernet/freescale/fec_ptp.c
+index e63df6455fbad..40c5c09f60dc6 100644
+--- a/drivers/net/ethernet/freescale/fec_ptp.c
++++ b/drivers/net/ethernet/freescale/fec_ptp.c
+@@ -586,6 +586,10 @@ void fec_ptp_init(struct platform_device *pdev)
+       fep->ptp_caps.enable = fec_ptp_enable;
+ 
+       fep->cycle_speed = clk_get_rate(fep->clk_ptp);
++      if (!fep->cycle_speed) {
++              fep->cycle_speed = NSEC_PER_SEC;
++              dev_err(&fep->pdev->dev, "clk_ptp clock rate is zero\n");
++      }
+       fep->ptp_inc = NSEC_PER_SEC / fep->cycle_speed;
+ 
+       spin_lock_init(&fep->tmreg_lock);
+diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c 
b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+index a0a555052d8ca..1ac2bc75edb1f 100644
+--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+@@ -3853,6 +3853,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const 
struct pci_device_id *ent)
+               dev_err(&pdev->dev,
+                       "invalid sram_size %dB or board span %ldB\n",
+                       mgp->sram_size, mgp->board_span);
++              status = -EINVAL;
+               goto abort_with_ioremap;
+       }
+       memcpy_fromio(mgp->eeprom_strings,
+diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c 
b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+index 8f8a1894378e3..5b91c8f823ffa 100644
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+@@ -1624,6 +1624,8 @@ err_out_free_netdev:
+       free_netdev(netdev);
+ 
+ err_out_free_res:
++      if (NX_IS_REVISION_P3(pdev->revision))
++              pci_disable_pcie_error_reporting(pdev);
+       pci_release_regions(pdev);
+ 
+ err_out_disable_pdev:
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c 
b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
+index d62dccb855394..1ee58a24afe31 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
+@@ -1259,9 +1259,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn,
+               p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC;
+ 
+       p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled;
++      BUILD_BUG_ON(sizeof(dcbx_info->operational.params) !=
++                   sizeof(p_hwfn->p_dcbx_info->set.config.params));
+       memcpy(&p_hwfn->p_dcbx_info->set.config.params,
+              &dcbx_info->operational.params,
+-             sizeof(struct qed_dcbx_admin_params));
++             sizeof(p_hwfn->p_dcbx_info->set.config.params));
+       p_hwfn->p_dcbx_info->set.config.valid = true;
+ 
+       memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set));
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c 
b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+index 6684a4cb8b88b..45361310eea0a 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+@@ -2711,6 +2711,7 @@ err_out_free_hw_res:
+       kfree(ahw);
+ 
+ err_out_free_res:
++      pci_disable_pcie_error_reporting(pdev);
+       pci_release_regions(pdev);
+ 
+ err_out_disable_pdev:
+diff --git a/drivers/net/ethernet/realtek/r8169.c 
b/drivers/net/ethernet/realtek/r8169.c
+index 530b8da11960a..191531a03415a 100644
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -2355,7 +2355,7 @@ static void rtl8169_get_strings(struct net_device *dev, 
u32 stringset, u8 *data)
+ {
+       switch(stringset) {
+       case ETH_SS_STATS:
+-              memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings));
++              memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings));
+               break;
+       }
+ }
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c 
b/drivers/net/ethernet/renesas/sh_eth.c
+index dab1597287b96..36f1019809ea6 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2197,7 +2197,7 @@ static void sh_eth_get_strings(struct net_device *ndev, 
u32 stringset, u8 *data)
+ {
+       switch (stringset) {
+       case ETH_SS_STATS:
+-              memcpy(data, *sh_eth_gstrings_stats,
++              memcpy(data, sh_eth_gstrings_stats,
+                      sizeof(sh_eth_gstrings_stats));
+               break;
+       }
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h 
b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h
+index c02d36629c528..6f7ed3aaff1b1 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h
+@@ -87,10 +87,10 @@ enum power_event {
+ #define LPI_CTRL_STATUS_TLPIEN        0x00000001      /* Transmit LPI Entry */
+ 
+ /* GMAC HW ADDR regs */
+-#define GMAC_ADDR_HIGH(reg)   (((reg > 15) ? 0x00000800 : 0x00000040) + \
+-                              (reg * 8))
+-#define GMAC_ADDR_LOW(reg)    (((reg > 15) ? 0x00000804 : 0x00000044) + \
+-                              (reg * 8))
++#define GMAC_ADDR_HIGH(reg)   ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \
++                               0x00000040 + (reg * 8))
++#define GMAC_ADDR_LOW(reg)    ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \
++                               0x00000044 + (reg * 8))
+ #define GMAC_MAX_PERFECT_ADDRESSES    1
+ 
+ #define GMAC_PCS_BASE         0x000000c0      /* PCS register base */
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c 
b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index 2241f98970926..939de185bc6b8 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -736,6 +736,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device 
*ndev)
+       /* Kick off the transfer */
+       lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */
+ 
++      if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
++              netdev_info(ndev, "%s -> netif_stop_queue\n", __func__);
++              netif_stop_queue(ndev);
++      }
++
+       return NETDEV_TX_OK;
+ }
+ 
+diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
+index 9fd7dab42a534..2074fc55a88ad 100644
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -810,6 +810,7 @@ static void mkiss_close(struct tty_struct *tty)
+       ax->tty = NULL;
+ 
+       unregister_netdev(ax->dev);
++      free_netdev(ax->dev);
+ }
+ 
+ /* Perform I/O control on an active ax25 channel. */
+diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c
+index f7180f8db39e1..9c15e1a1261be 100644
+--- a/drivers/net/usb/cdc_eem.c
++++ b/drivers/net/usb/cdc_eem.c
+@@ -138,10 +138,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, 
struct sk_buff *skb,
+       }
+ 
+       skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags);
++      dev_kfree_skb_any(skb);
+       if (!skb2)
+               return NULL;
+ 
+-      dev_kfree_skb_any(skb);
+       skb = skb2;
+ 
+ done:
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 468db50eb5e7e..5b5156508f7c6 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1667,7 +1667,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct 
urb *urb)
+ static const struct driver_info cdc_ncm_info = {
+       .description = "CDC NCM",
+       .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+-                      | FLAG_LINK_INTR,
++                      | FLAG_LINK_INTR | FLAG_ETHER,
+       .bind = cdc_ncm_bind,
+       .unbind = cdc_ncm_unbind,
+       .manage_power = usbnet_manage_power,
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index f9c531a6ce064..8da3c891c9e80 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -4640,7 +4640,7 @@ static void rtl8152_get_strings(struct net_device *dev, 
u32 stringset, u8 *data)
+ {
+       switch (stringset) {
+       case ETH_SS_STATS:
+-              memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings));
++              memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));
+               break;
+       }
+ }
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 62f2862c9775e..8b9fd4e071f3d 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1495,7 +1495,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct 
usb_interface *intf)
+       ret = smsc75xx_wait_ready(dev, 0);
+       if (ret < 0) {
+               netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
+-              goto err;
++              goto free_pdata;
+       }
+ 
+       smsc75xx_init_mac_address(dev);
+@@ -1504,7 +1504,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct 
usb_interface *intf)
+       ret = smsc75xx_reset(dev);
+       if (ret < 0) {
+               netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
+-              goto err;
++              goto cancel_work;
+       }
+ 
+       dev->net->netdev_ops = &smsc75xx_netdev_ops;
+@@ -1515,8 +1515,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct 
usb_interface *intf)
+       dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE;
+       return 0;
+ 
+-err:
++cancel_work:
++      cancel_work_sync(&pdata->set_multicast);
++free_pdata:
+       kfree(pdata);
++      dev->data[0] = 0;
+       return ret;
+ }
+ 
+@@ -1527,7 +1530,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct 
usb_interface *intf)
+               cancel_work_sync(&pdata->set_multicast);
+               netif_dbg(dev, ifdown, dev->net, "free pdata\n");
+               kfree(pdata);
+-              pdata = NULL;
+               dev->data[0] = 0;
+       }
+ }
+diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
+index 3388d2788fe05..7a0a10777cd13 100644
+--- a/drivers/nvme/target/loop.c
++++ b/drivers/nvme/target/loop.c
+@@ -287,7 +287,8 @@ static const struct blk_mq_ops nvme_loop_admin_mq_ops = {
+ 
+ static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl)
+ {
+-      clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags);
++      if (!test_and_clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags))
++              return;
+       nvmet_sq_destroy(&ctrl->queues[0].nvme_sq);
+       blk_cleanup_queue(ctrl->ctrl.admin_q);
+       blk_mq_free_tag_set(&ctrl->admin_tag_set);
+@@ -322,6 +323,7 @@ static void nvme_loop_destroy_io_queues(struct 
nvme_loop_ctrl *ctrl)
+               clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[i].flags);
+               nvmet_sq_destroy(&ctrl->queues[i].nvme_sq);
+       }
++      ctrl->ctrl.queue_count = 1;
+ }
+ 
+ static int nvme_loop_init_io_queues(struct nvme_loop_ctrl *ctrl)
+@@ -429,6 +431,7 @@ static int nvme_loop_configure_admin_queue(struct 
nvme_loop_ctrl *ctrl)
+       return 0;
+ 
+ out_cleanup_queue:
++      clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags);
+       blk_cleanup_queue(ctrl->ctrl.admin_q);
+ out_free_tagset:
+       blk_mq_free_tag_set(&ctrl->admin_tag_set);
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 1993e5e28ea7b..c847b5554db6d 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1378,11 +1378,21 @@ static int pci_enable_device_flags(struct pci_dev 
*dev, unsigned long flags)
+       int err;
+       int i, bars = 0;
+ 
+-      if (atomic_inc_return(&dev->enable_cnt) > 1) {
+-              pci_update_current_state(dev, dev->current_state);
+-              return 0;               /* already enabled */
++      /*
++       * Power state could be unknown at this point, either due to a fresh
++       * boot or a device removal call.  So get the current power state
++       * so that things like MSI message writing will behave as expected
++       * (e.g. if the device really is in D0 at enable time).
++       */
++      if (dev->pm_cap) {
++              u16 pmcsr;
++              pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
++              dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
+       }
+ 
++      if (atomic_inc_return(&dev->enable_cnt) > 1)
++              return 0;               /* already enabled */
++
+       bridge = pci_upstream_bridge(dev);
+       if (bridge)
+               pci_enable_bridge(bridge);
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 510cb05aa96ff..db1ec8209b568 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3389,6 +3389,18 @@ static void quirk_no_bus_reset(struct pci_dev *dev)
+       dev->dev_flags |= PCI_DEV_FLAGS_NO_BUS_RESET;
+ }
+ 
++/*
++ * Some NVIDIA GPU devices do not work with bus reset, SBR needs to be
++ * prevented for those affected devices.
++ */
++static void quirk_nvidia_no_bus_reset(struct pci_dev *dev)
++{
++      if ((dev->device & 0xffc0) == 0x2340)
++              quirk_no_bus_reset(dev);
++}
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID,
++                       quirk_nvidia_no_bus_reset);
++
+ /*
+  * Some Atheros AR9xxx and QCA988x chips do not behave after a bus reset.
+  * The device will throw a Link Down error on AER-capable systems and
+@@ -3402,6 +3414,16 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, 
quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset);
+ 
++/*
++ * Some TI KeyStone C667X devices do not support bus/hot reset.  The PCIESS
++ * automatically disables LTSSM when Secondary Bus Reset is received and
++ * the device stops working.  Prevent bus reset for these devices.  With
++ * this change, the device can be assigned to VMs with VFIO, but it will
++ * leak state between VMs.  Reference
++ * https://e2e.ti.com/support/processors/f/791/t/954382
++ */
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TI, 0xb005, quirk_no_bus_reset);
++
+ static void quirk_no_pm_reset(struct pci_dev *dev)
+ {
+       /*
+@@ -3853,6 +3875,69 @@ static int reset_chelsio_generic_dev(struct pci_dev 
*dev, int probe)
+ #define PCI_DEVICE_ID_INTEL_IVB_M_VGA      0x0156
+ #define PCI_DEVICE_ID_INTEL_IVB_M2_VGA     0x0166
+ 
++#define PCI_DEVICE_ID_HINIC_VF      0x375E
++#define HINIC_VF_FLR_TYPE           0x1000
++#define HINIC_VF_FLR_CAP_BIT        (1UL << 30)
++#define HINIC_VF_OP                 0xE80
++#define HINIC_VF_FLR_PROC_BIT       (1UL << 18)
++#define HINIC_OPERATION_TIMEOUT     15000     /* 15 seconds */
++
++/* Device-specific reset method for Huawei Intelligent NIC virtual functions 
*/
++static int reset_hinic_vf_dev(struct pci_dev *pdev, int probe)
++{
++      unsigned long timeout;
++      void __iomem *bar;
++      u32 val;
++
++      if (probe)
++              return 0;
++
++      bar = pci_iomap(pdev, 0, 0);
++      if (!bar)
++              return -ENOTTY;
++
++      /* Get and check firmware capabilities */
++      val = ioread32be(bar + HINIC_VF_FLR_TYPE);
++      if (!(val & HINIC_VF_FLR_CAP_BIT)) {
++              pci_iounmap(pdev, bar);
++              return -ENOTTY;
++      }
++
++      /* Set HINIC_VF_FLR_PROC_BIT for the start of FLR */
++      val = ioread32be(bar + HINIC_VF_OP);
++      val = val | HINIC_VF_FLR_PROC_BIT;
++      iowrite32be(val, bar + HINIC_VF_OP);
++
++      pcie_flr(pdev);
++
++      /*
++       * The device must recapture its Bus and Device Numbers after FLR
++       * in order generate Completions.  Issue a config write to let the
++       * device capture this information.
++       */
++      pci_write_config_word(pdev, PCI_VENDOR_ID, 0);
++
++      /* Firmware clears HINIC_VF_FLR_PROC_BIT when reset is complete */
++      timeout = jiffies + msecs_to_jiffies(HINIC_OPERATION_TIMEOUT);
++      do {
++              val = ioread32be(bar + HINIC_VF_OP);
++              if (!(val & HINIC_VF_FLR_PROC_BIT))
++                      goto reset_complete;
++              msleep(20);
++      } while (time_before(jiffies, timeout));
++
++      val = ioread32be(bar + HINIC_VF_OP);
++      if (!(val & HINIC_VF_FLR_PROC_BIT))
++              goto reset_complete;
++
++      pci_warn(pdev, "Reset dev timeout, FLR ack reg: %#010x\n", val);
++
++reset_complete:
++      pci_iounmap(pdev, bar);
++
++      return 0;
++}
++
+ static const struct pci_dev_reset_methods pci_dev_reset_methods[] = {
+       { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82599_SFP_VF,
+                reset_intel_82599_sfp_virtfn },
+@@ -3862,6 +3947,8 @@ static const struct pci_dev_reset_methods 
pci_dev_reset_methods[] = {
+               reset_ivb_igd },
+       { PCI_VENDOR_ID_CHELSIO, PCI_ANY_ID,
+               reset_chelsio_generic_dev },
++      { PCI_VENDOR_ID_HUAWEI, PCI_DEVICE_ID_HINIC_VF,
++              reset_hinic_vf_dev },
+       { 0 }
+ };
+ 
+@@ -4662,6 +4749,8 @@ static const struct pci_dev_acs_enabled {
+       { PCI_VENDOR_ID_AMPERE, 0xE00A, pci_quirk_xgene_acs },
+       { PCI_VENDOR_ID_AMPERE, 0xE00B, pci_quirk_xgene_acs },
+       { PCI_VENDOR_ID_AMPERE, 0xE00C, pci_quirk_xgene_acs },
++      /* Broadcom multi-function device */
++      { PCI_VENDOR_ID_BROADCOM, 0x16D7, pci_quirk_mf_endpoint_acs },
+       { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs },
+       { 0 }
+ };
+diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c 
b/drivers/pinctrl/stm32/pinctrl-stm32.c
+index 072bd11074c6f..b38e82a868df8 100644
+--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
+@@ -956,7 +956,7 @@ static int stm32_gpiolib_register_bank(struct 
stm32_pinctrl *pctl,
+       struct resource res;
+       struct reset_control *rstc;
+       int npins = STM32_GPIO_PINS_PER_BANK;
+-      int bank_nr, err;
++      int bank_nr, err, i = 0;
+ 
+       rstc = of_reset_control_get_exclusive(np, NULL);
+       if (!IS_ERR(rstc))
+@@ -985,9 +985,14 @@ static int stm32_gpiolib_register_bank(struct 
stm32_pinctrl *pctl,
+ 
+       of_property_read_string(np, "st,bank-name", &bank->gpio_chip.label);
+ 
+-      if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, 0, &args)) {
++      if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, i, &args)) {
+               bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK;
+               bank->gpio_chip.base = args.args[1];
++
++              npins = args.args[2];
++              while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3,
++                                                       ++i, &args))
++                      npins += args.args[2];
+       } else {
+               bank_nr = pctl->nbanks;
+               bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK;
+diff --git a/drivers/target/target_core_transport.c 
b/drivers/target/target_core_transport.c
+index 0d0be7d8b9d64..852680e859217 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2966,9 +2966,7 @@ __transport_wait_for_tasks(struct se_cmd *cmd, bool 
fabric_stop,
+       __releases(&cmd->t_state_lock)
+       __acquires(&cmd->t_state_lock)
+ {
+-
+-      assert_spin_locked(&cmd->t_state_lock);
+-      WARN_ON_ONCE(!irqs_disabled());
++      lockdep_assert_held(&cmd->t_state_lock);
+ 
+       if (fabric_stop)
+               cmd->transport_state |= CMD_T_FABRIC_STOP;
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 40743e9e9d937..276a63ae510e6 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -38,6 +38,8 @@
+ #define USB_VENDOR_GENESYS_LOGIC              0x05e3
+ #define USB_VENDOR_SMSC                               0x0424
+ #define USB_PRODUCT_USB5534B                  0x5534
++#define USB_VENDOR_CYPRESS                    0x04b4
++#define USB_PRODUCT_CY7C65632                 0x6570
+ #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND      0x01
+ #define HUB_QUIRK_DISABLE_AUTOSUSPEND         0x02
+ 
+@@ -5325,6 +5327,11 @@ static const struct usb_device_id hub_id_table[] = {
+       .idProduct = USB_PRODUCT_USB5534B,
+       .bInterfaceClass = USB_CLASS_HUB,
+       .driver_info = HUB_QUIRK_DISABLE_AUTOSUSPEND},
++    { .match_flags = USB_DEVICE_ID_MATCH_VENDOR
++                   | USB_DEVICE_ID_MATCH_PRODUCT,
++      .idVendor = USB_VENDOR_CYPRESS,
++      .idProduct = USB_PRODUCT_CY7C65632,
++      .driver_info = HUB_QUIRK_DISABLE_AUTOSUSPEND},
+     { .match_flags = USB_DEVICE_ID_MATCH_VENDOR
+                       | USB_DEVICE_ID_MATCH_INT_CLASS,
+       .idVendor = USB_VENDOR_GENESYS_LOGIC,
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index f3fca4537d255..0e179274ba7cd 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1337,8 +1337,8 @@ static int dwc3_remove(struct platform_device *pdev)
+        */
+       res->start -= DWC3_GLOBALS_REGS_START;
+ 
+-      dwc3_debugfs_exit(dwc);
+       dwc3_core_exit_mode(dwc);
++      dwc3_debugfs_exit(dwc);
+ 
+       dwc3_core_exit(dwc);
+       dwc3_ulpi_exit(dwc);
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index 0a0dd3178483e..be969f24ccf04 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -1456,6 +1456,7 @@ __acquires(&lru_lock)
+       while(!list_empty(list)) {
+               gl = list_entry(list->next, struct gfs2_glock, gl_lru);
+               list_del_init(&gl->gl_lru);
++              clear_bit(GLF_LRU, &gl->gl_flags);
+               if (!spin_trylock(&gl->gl_lockref.lock)) {
+ add_back_to_lru:
+                       list_add(&gl->gl_lru, &lru_list);
+@@ -1501,7 +1502,6 @@ static long gfs2_scan_glock_lru(int nr)
+               if (!test_bit(GLF_LOCK, &gl->gl_flags)) {
+                       list_move(&gl->gl_lru, &dispose);
+                       atomic_dec(&lru_count);
+-                      clear_bit(GLF_LRU, &gl->gl_flags);
+                       freed++;
+                       continue;
+               }
+diff --git a/fs/kernfs/mount.c b/fs/kernfs/mount.c
+index 5019058e0f6ab..610267585f8f9 100644
+--- a/fs/kernfs/mount.c
++++ b/fs/kernfs/mount.c
+@@ -320,6 +320,7 @@ struct dentry *kernfs_mount_ns(struct file_system_type 
*fs_type, int flags,
+ 
+       info->root = root;
+       info->ns = ns;
++      INIT_LIST_HEAD(&info->node);
+ 
+       sb = sget_userns(fs_type, kernfs_test_super, kernfs_set_super, flags,
+                        &init_user_ns, info);
+diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c
+index 490303e3d5179..e9903bceb2bf1 100644
+--- a/fs/nilfs2/sysfs.c
++++ b/fs/nilfs2/sysfs.c
+@@ -1064,6 +1064,7 @@ void nilfs_sysfs_delete_device_group(struct the_nilfs 
*nilfs)
+       nilfs_sysfs_delete_superblock_group(nilfs);
+       nilfs_sysfs_delete_segctor_group(nilfs);
+       kobject_del(&nilfs->ns_dev_kobj);
++      kobject_put(&nilfs->ns_dev_kobj);
+       kfree(nilfs->ns_dev_subgroups);
+ }
+ 
+diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
+index 20b8f82e115b6..2bbe84d9c0a81 100644
+--- a/fs/sysfs/mount.c
++++ b/fs/sysfs/mount.c
+@@ -28,7 +28,7 @@ static struct dentry *sysfs_mount(struct file_system_type 
*fs_type,
+ {
+       struct dentry *root;
+       void *ns;
+-      bool new_sb;
++      bool new_sb = false;
+ 
+       if (!(flags & MS_KERNMOUNT)) {
+               if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET))
+@@ -38,9 +38,9 @@ static struct dentry *sysfs_mount(struct file_system_type 
*fs_type,
+       ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET);
+       root = kernfs_mount_ns(fs_type, flags, sysfs_root,
+                               SYSFS_MAGIC, &new_sb, ns);
+-      if (IS_ERR(root) || !new_sb)
++      if (!new_sb)
+               kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
+-      else if (new_sb)
++      else if (!IS_ERR(root))
+               root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE;
+ 
+       return root;
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index d07fe33a90457..5a2c55ed33fac 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -1114,8 +1114,7 @@ static inline void hid_hw_wait(struct hid_device *hdev)
+  */
+ static inline u32 hid_report_len(struct hid_report *report)
+ {
+-      /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */
+-      return ((report->size - 1) >> 3) + 1 + (report->id > 0);
++      return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
+ }
+ 
+ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 55d16db84ea44..70fe85bee4e56 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1744,7 +1744,8 @@ static inline u32 net_tx_rndhash(void)
+ 
+ static inline void sk_set_txhash(struct sock *sk)
+ {
+-      sk->sk_txhash = net_tx_rndhash();
++      /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */
++      WRITE_ONCE(sk->sk_txhash, net_tx_rndhash());
+ }
+ 
+ static inline void sk_rethink_txhash(struct sock *sk)
+@@ -2018,9 +2019,12 @@ static inline void sock_poll_wait(struct file *filp,
+ 
+ static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk)
+ {
+-      if (sk->sk_txhash) {
++      /* This pairs with WRITE_ONCE() in sk_set_txhash() */
++      u32 txhash = READ_ONCE(sk->sk_txhash);
++
++      if (txhash) {
+               skb->l4_hash = 1;
+-              skb->hash = sk->sk_txhash;
++              skb->hash = txhash;
+       }
+ }
+ 
+diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h
+index 48e8a225b985a..2a66ab49f14dd 100644
+--- a/include/uapi/linux/in.h
++++ b/include/uapi/linux/in.h
+@@ -280,6 +280,9 @@ struct sockaddr_in {
+ /* Address indicating an error return. */
+ #define       INADDR_NONE             ((unsigned long int) 0xffffffff)
+ 
++/* Dummy address for src of ICMP replies if no real address is set (RFC7600). 
*/
++#define       INADDR_DUMMY            ((unsigned long int) 0xc0000008)
++
+ /* Network number for local host loopback. */
+ #define       IN_LOOPBACKNET          127
+ 
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 42531ee852ffb..0cc67bc0666e4 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1737,9 +1737,6 @@ struct saved_cmdlines_buffer {
+ };
+ static struct saved_cmdlines_buffer *savedcmd;
+ 
+-/* temporary disable recording */
+-static atomic_t trace_record_taskinfo_disabled __read_mostly;
+-
+ static inline char *get_saved_cmdlines(int idx)
+ {
+       return &savedcmd->saved_cmdlines[idx * TASK_COMM_LEN];
+@@ -2024,8 +2021,6 @@ static bool tracing_record_taskinfo_skip(int flags)
+ {
+       if (unlikely(!(flags & (TRACE_RECORD_CMDLINE | TRACE_RECORD_TGID))))
+               return true;
+-      if (atomic_read(&trace_record_taskinfo_disabled) || !tracing_is_on())
+-              return true;
+       if (!__this_cpu_read(trace_taskinfo_save))
+               return true;
+       return false;
+@@ -3259,9 +3254,6 @@ static void *s_start(struct seq_file *m, loff_t *pos)
+               return ERR_PTR(-EBUSY);
+ #endif
+ 
+-      if (!iter->snapshot)
+-              atomic_inc(&trace_record_taskinfo_disabled);
+-
+       if (*pos != iter->pos) {
+               iter->ent = NULL;
+               iter->cpu = 0;
+@@ -3304,9 +3296,6 @@ static void s_stop(struct seq_file *m, void *p)
+               return;
+ #endif
+ 
+-      if (!iter->snapshot)
+-              atomic_dec(&trace_record_taskinfo_disabled);
+-
+       trace_access_unlock(iter->cpu_file);
+       trace_event_read_unlock();
+ }
+diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
+index c82875834c425..b3b02d2c29266 100644
+--- a/kernel/trace/trace_clock.c
++++ b/kernel/trace/trace_clock.c
+@@ -114,9 +114,9 @@ u64 notrace trace_clock_global(void)
+       prev_time = READ_ONCE(trace_clock_struct.prev_time);
+       now = sched_clock_cpu(this_cpu);
+ 
+-      /* Make sure that now is always greater than prev_time */
++      /* Make sure that now is always greater than or equal to prev_time */
+       if ((s64)(now - prev_time) < 0)
+-              now = prev_time + 1;
++              now = prev_time;
+ 
+       /*
+        * If in an NMI context then dont risk lockups and simply return
+@@ -130,7 +130,7 @@ u64 notrace trace_clock_global(void)
+               /* Reread prev_time in case it was already updated */
+               prev_time = READ_ONCE(trace_clock_struct.prev_time);
+               if ((s64)(now - prev_time) < 0)
+-                      now = prev_time + 1;
++                      now = prev_time;
+ 
+               trace_clock_struct.prev_time = now;
+ 
+diff --git a/mm/memory-failure.c b/mm/memory-failure.c
+index 001b6bfccbfbd..e7827b9e63976 100644
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1267,7 +1267,12 @@ int memory_failure(unsigned long pfn, int trapno, int 
flags)
+               return 0;
+       }
+ 
+-      if (!PageTransTail(p) && !PageLRU(p))
++      /*
++       * __munlock_pagevec may clear a writeback page's LRU flag without
++       * page_lock. We need wait writeback completion for this page or it
++       * may trigger vfs BUG while evict inode.
++       */
++      if (!PageTransTail(p) && !PageLRU(p) && !PageWriteback(p))
+               goto identify_page_state;
+ 
+       /*
+diff --git a/mm/slub.c b/mm/slub.c
+index a0cb3568b0b5d..484a75296a12b 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -15,6 +15,7 @@
+ #include <linux/module.h>
+ #include <linux/bit_spinlock.h>
+ #include <linux/interrupt.h>
++#include <linux/swab.h>
+ #include <linux/bitops.h>
+ #include <linux/slab.h>
+ #include "slab.h"
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index 7a723e124dbb5..3ec16c48e7681 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -585,8 +585,10 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet 
*forw_packet)
+       if (WARN_ON(!forw_packet->if_outgoing))
+               return;
+ 
+-      if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface))
++      if (forw_packet->if_outgoing->soft_iface != soft_iface) {
++              pr_warn("%s: soft interface switch for queued OGM\n", __func__);
+               return;
++      }
+ 
+       if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE)
+               return;
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 14ff034e561c5..50a55553a25c5 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -93,8 +93,8 @@ struct br_vlan_stats {
+ };
+ 
+ struct br_tunnel_info {
+-      __be64                  tunnel_id;
+-      struct metadata_dst     *tunnel_dst;
++      __be64                          tunnel_id;
++      struct metadata_dst __rcu       *tunnel_dst;
+ };
+ 
+ /**
+diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c
+index 6d2c4eed2dc89..adb6845ceba46 100644
+--- a/net/bridge/br_vlan_tunnel.c
++++ b/net/bridge/br_vlan_tunnel.c
+@@ -46,26 +46,33 @@ static struct net_bridge_vlan 
*br_vlan_tunnel_lookup(struct rhashtable *tbl,
+                                     br_vlan_tunnel_rht_params);
+ }
+ 
++static void vlan_tunnel_info_release(struct net_bridge_vlan *vlan)
++{
++      struct metadata_dst *tdst = rtnl_dereference(vlan->tinfo.tunnel_dst);
++
++      WRITE_ONCE(vlan->tinfo.tunnel_id, 0);
++      RCU_INIT_POINTER(vlan->tinfo.tunnel_dst, NULL);
++      dst_release(&tdst->dst);
++}
++
+ void vlan_tunnel_info_del(struct net_bridge_vlan_group *vg,
+                         struct net_bridge_vlan *vlan)
+ {
+-      if (!vlan->tinfo.tunnel_dst)
++      if (!rcu_access_pointer(vlan->tinfo.tunnel_dst))
+               return;
+       rhashtable_remove_fast(&vg->tunnel_hash, &vlan->tnode,
+                              br_vlan_tunnel_rht_params);
+-      vlan->tinfo.tunnel_id = 0;
+-      dst_release(&vlan->tinfo.tunnel_dst->dst);
+-      vlan->tinfo.tunnel_dst = NULL;
++      vlan_tunnel_info_release(vlan);
+ }
+ 
+ static int __vlan_tunnel_info_add(struct net_bridge_vlan_group *vg,
+                                 struct net_bridge_vlan *vlan, u32 tun_id)
+ {
+-      struct metadata_dst *metadata = NULL;
++      struct metadata_dst *metadata = 
rtnl_dereference(vlan->tinfo.tunnel_dst);
+       __be64 key = key32_to_tunnel_id(cpu_to_be32(tun_id));
+       int err;
+ 
+-      if (vlan->tinfo.tunnel_dst)
++      if (metadata)
+               return -EEXIST;
+ 
+       metadata = __ip_tun_set_dst(0, 0, 0, 0, 0, TUNNEL_KEY,
+@@ -74,8 +81,8 @@ static int __vlan_tunnel_info_add(struct 
net_bridge_vlan_group *vg,
+               return -EINVAL;
+ 
+       metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX | IP_TUNNEL_INFO_BRIDGE;
+-      vlan->tinfo.tunnel_dst = metadata;
+-      vlan->tinfo.tunnel_id = key;
++      rcu_assign_pointer(vlan->tinfo.tunnel_dst, metadata);
++      WRITE_ONCE(vlan->tinfo.tunnel_id, key);
+ 
+       err = rhashtable_lookup_insert_fast(&vg->tunnel_hash, &vlan->tnode,
+                                           br_vlan_tunnel_rht_params);
+@@ -84,9 +91,7 @@ static int __vlan_tunnel_info_add(struct 
net_bridge_vlan_group *vg,
+ 
+       return 0;
+ out:
+-      dst_release(&vlan->tinfo.tunnel_dst->dst);
+-      vlan->tinfo.tunnel_dst = NULL;
+-      vlan->tinfo.tunnel_id = 0;
++      vlan_tunnel_info_release(vlan);
+ 
+       return err;
+ }
+@@ -186,12 +191,15 @@ int br_handle_ingress_vlan_tunnel(struct sk_buff *skb,
+ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
+                                struct net_bridge_vlan *vlan)
+ {
++      struct metadata_dst *tunnel_dst;
++      __be64 tunnel_id;
+       int err;
+ 
+-      if (!vlan || !vlan->tinfo.tunnel_id)
++      if (!vlan)
+               return 0;
+ 
+-      if (unlikely(!skb_vlan_tag_present(skb)))
++      tunnel_id = READ_ONCE(vlan->tinfo.tunnel_id);
++      if (!tunnel_id || unlikely(!skb_vlan_tag_present(skb)))
+               return 0;
+ 
+       skb_dst_drop(skb);
+@@ -199,7 +207,9 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
+       if (err)
+               return err;
+ 
+-      skb_dst_set(skb, dst_clone(&vlan->tinfo.tunnel_dst->dst));
++      tunnel_dst = rcu_dereference(vlan->tinfo.tunnel_dst);
++      if (tunnel_dst && dst_hold_safe(&tunnel_dst->dst))
++              skb_dst_set(skb, &tunnel_dst->dst);
+ 
+       return 0;
+ }
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 12d851c4604dc..8c8b02e544322 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -125,7 +125,7 @@ struct bcm_sock {
+       struct sock sk;
+       int bound;
+       int ifindex;
+-      struct notifier_block notifier;
++      struct list_head notifier;
+       struct list_head rx_ops;
+       struct list_head tx_ops;
+       unsigned long dropped_usr_msgs;
+@@ -133,6 +133,10 @@ struct bcm_sock {
+       char procname [32]; /* inode number in decimal with \0 */
+ };
+ 
++static LIST_HEAD(bcm_notifier_list);
++static DEFINE_SPINLOCK(bcm_notifier_lock);
++static struct bcm_sock *bcm_busy_notifier;
++
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
+ {
+       return (struct bcm_sock *)sk;
+@@ -406,6 +410,7 @@ static void bcm_tx_timeout_tsklet(unsigned long data)
+               if (!op->count && (op->flags & TX_COUNTEVT)) {
+ 
+                       /* create notification to user */
++                      memset(&msg_head, 0, sizeof(msg_head));
+                       msg_head.opcode  = TX_EXPIRED;
+                       msg_head.flags   = op->flags;
+                       msg_head.count   = op->count;
+@@ -453,6 +458,7 @@ static void bcm_rx_changed(struct bcm_op *op, struct 
canfd_frame *data)
+       /* this element is not throttled anymore */
+       data->flags &= (BCM_CAN_FLAGS_MASK|RX_RECV);
+ 
++      memset(&head, 0, sizeof(head));
+       head.opcode  = RX_CHANGED;
+       head.flags   = op->flags;
+       head.count   = op->count;
+@@ -567,6 +573,7 @@ static void bcm_rx_timeout_tsklet(unsigned long data)
+       struct bcm_msg_head msg_head;
+ 
+       /* create notification to user */
++      memset(&msg_head, 0, sizeof(msg_head));
+       msg_head.opcode  = RX_TIMEOUT;
+       msg_head.flags   = op->flags;
+       msg_head.count   = op->count;
+@@ -1439,20 +1446,15 @@ static int bcm_sendmsg(struct socket *sock, struct 
msghdr *msg, size_t size)
+ /*
+  * notification handler for netdevice status changes
+  */
+-static int bcm_notifier(struct notifier_block *nb, unsigned long msg,
+-                      void *ptr)
++static void bcm_notify(struct bcm_sock *bo, unsigned long msg,
++                     struct net_device *dev)
+ {
+-      struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+-      struct bcm_sock *bo = container_of(nb, struct bcm_sock, notifier);
+       struct sock *sk = &bo->sk;
+       struct bcm_op *op;
+       int notify_enodev = 0;
+ 
+       if (!net_eq(dev_net(dev), sock_net(sk)))
+-              return NOTIFY_DONE;
+-
+-      if (dev->type != ARPHRD_CAN)
+-              return NOTIFY_DONE;
++              return;
+ 
+       switch (msg) {
+ 
+@@ -1487,7 +1489,28 @@ static int bcm_notifier(struct notifier_block *nb, 
unsigned long msg,
+                               sk->sk_error_report(sk);
+               }
+       }
++}
+ 
++static int bcm_notifier(struct notifier_block *nb, unsigned long msg,
++                      void *ptr)
++{
++      struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++
++      if (dev->type != ARPHRD_CAN)
++              return NOTIFY_DONE;
++      if (msg != NETDEV_UNREGISTER && msg != NETDEV_DOWN)
++              return NOTIFY_DONE;
++      if (unlikely(bcm_busy_notifier)) /* Check for reentrant bug. */
++              return NOTIFY_DONE;
++
++      spin_lock(&bcm_notifier_lock);
++      list_for_each_entry(bcm_busy_notifier, &bcm_notifier_list, notifier) {
++              spin_unlock(&bcm_notifier_lock);
++              bcm_notify(bcm_busy_notifier, msg, dev);
++              spin_lock(&bcm_notifier_lock);
++      }
++      bcm_busy_notifier = NULL;
++      spin_unlock(&bcm_notifier_lock);
+       return NOTIFY_DONE;
+ }
+ 
+@@ -1507,9 +1530,9 @@ static int bcm_init(struct sock *sk)
+       INIT_LIST_HEAD(&bo->rx_ops);
+ 
+       /* set notifier */
+-      bo->notifier.notifier_call = bcm_notifier;
+-
+-      register_netdevice_notifier(&bo->notifier);
++      spin_lock(&bcm_notifier_lock);
++      list_add_tail(&bo->notifier, &bcm_notifier_list);
++      spin_unlock(&bcm_notifier_lock);
+ 
+       return 0;
+ }
+@@ -1532,7 +1555,14 @@ static int bcm_release(struct socket *sock)
+ 
+       /* remove bcm_ops, timer, rx_unregister(), etc. */
+ 
+-      unregister_netdevice_notifier(&bo->notifier);
++      spin_lock(&bcm_notifier_lock);
++      while (bcm_busy_notifier == bo) {
++              spin_unlock(&bcm_notifier_lock);
++              schedule_timeout_uninterruptible(1);
++              spin_lock(&bcm_notifier_lock);
++      }
++      list_del(&bo->notifier);
++      spin_unlock(&bcm_notifier_lock);
+ 
+       lock_sock(sk);
+ 
+@@ -1747,6 +1777,10 @@ static struct pernet_operations canbcm_pernet_ops 
__read_mostly = {
+       .exit = canbcm_pernet_exit,
+ };
+ 
++static struct notifier_block canbcm_notifier = {
++      .notifier_call = bcm_notifier
++};
++
+ static int __init bcm_module_init(void)
+ {
+       int err;
+@@ -1760,12 +1794,14 @@ static int __init bcm_module_init(void)
+       }
+ 
+       register_pernet_subsys(&canbcm_pernet_ops);
++      register_netdevice_notifier(&canbcm_notifier);
+       return 0;
+ }
+ 
+ static void __exit bcm_module_exit(void)
+ {
+       can_proto_unregister(&bcm_can_proto);
++      unregister_netdevice_notifier(&canbcm_notifier);
+       unregister_pernet_subsys(&canbcm_pernet_ops);
+ }
+ 
+diff --git a/net/can/raw.c b/net/can/raw.c
+index e1f26441b49ac..24af08164b614 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -84,7 +84,7 @@ struct raw_sock {
+       struct sock sk;
+       int bound;
+       int ifindex;
+-      struct notifier_block notifier;
++      struct list_head notifier;
+       int loopback;
+       int recv_own_msgs;
+       int fd_frames;
+@@ -96,6 +96,10 @@ struct raw_sock {
+       struct uniqframe __percpu *uniq;
+ };
+ 
++static LIST_HEAD(raw_notifier_list);
++static DEFINE_SPINLOCK(raw_notifier_lock);
++static struct raw_sock *raw_busy_notifier;
++
+ /*
+  * Return pointer to store the extra msg flags for raw_recvmsg().
+  * We use the space of one unsigned int beyond the 'struct sockaddr_can'
+@@ -266,21 +270,16 @@ static int raw_enable_allfilters(struct net *net, struct 
net_device *dev,
+       return err;
+ }
+ 
+-static int raw_notifier(struct notifier_block *nb,
+-                      unsigned long msg, void *ptr)
++static void raw_notify(struct raw_sock *ro, unsigned long msg,
++                     struct net_device *dev)
+ {
+-      struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+-      struct raw_sock *ro = container_of(nb, struct raw_sock, notifier);
+       struct sock *sk = &ro->sk;
+ 
+       if (!net_eq(dev_net(dev), sock_net(sk)))
+-              return NOTIFY_DONE;
+-
+-      if (dev->type != ARPHRD_CAN)
+-              return NOTIFY_DONE;
++              return;
+ 
+       if (ro->ifindex != dev->ifindex)
+-              return NOTIFY_DONE;
++              return;
+ 
+       switch (msg) {
+ 
+@@ -309,7 +308,28 @@ static int raw_notifier(struct notifier_block *nb,
+                       sk->sk_error_report(sk);
+               break;
+       }
++}
++
++static int raw_notifier(struct notifier_block *nb, unsigned long msg,
++                      void *ptr)
++{
++      struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++
++      if (dev->type != ARPHRD_CAN)
++              return NOTIFY_DONE;
++      if (msg != NETDEV_UNREGISTER && msg != NETDEV_DOWN)
++              return NOTIFY_DONE;
++      if (unlikely(raw_busy_notifier)) /* Check for reentrant bug. */
++              return NOTIFY_DONE;
+ 
++      spin_lock(&raw_notifier_lock);
++      list_for_each_entry(raw_busy_notifier, &raw_notifier_list, notifier) {
++              spin_unlock(&raw_notifier_lock);
++              raw_notify(raw_busy_notifier, msg, dev);
++              spin_lock(&raw_notifier_lock);
++      }
++      raw_busy_notifier = NULL;
++      spin_unlock(&raw_notifier_lock);
+       return NOTIFY_DONE;
+ }
+ 
+@@ -338,9 +358,9 @@ static int raw_init(struct sock *sk)
+               return -ENOMEM;
+ 
+       /* set notifier */
+-      ro->notifier.notifier_call = raw_notifier;
+-
+-      register_netdevice_notifier(&ro->notifier);
++      spin_lock(&raw_notifier_lock);
++      list_add_tail(&ro->notifier, &raw_notifier_list);
++      spin_unlock(&raw_notifier_lock);
+ 
+       return 0;
+ }
+@@ -355,7 +375,14 @@ static int raw_release(struct socket *sock)
+ 
+       ro = raw_sk(sk);
+ 
+-      unregister_netdevice_notifier(&ro->notifier);
++      spin_lock(&raw_notifier_lock);
++      while (raw_busy_notifier == ro) {
++              spin_unlock(&raw_notifier_lock);
++              schedule_timeout_uninterruptible(1);
++              spin_lock(&raw_notifier_lock);
++      }
++      list_del(&ro->notifier);
++      spin_unlock(&raw_notifier_lock);
+ 
+       lock_sock(sk);
+ 
+@@ -870,6 +897,10 @@ static const struct can_proto raw_can_proto = {
+       .prot       = &raw_proto,
+ };
+ 
++static struct notifier_block canraw_notifier = {
++      .notifier_call = raw_notifier
++};
++
+ static __init int raw_module_init(void)
+ {
+       int err;
+@@ -879,6 +910,8 @@ static __init int raw_module_init(void)
+       err = can_proto_register(&raw_can_proto);
+       if (err < 0)
+               printk(KERN_ERR "can: registration of raw protocol failed\n");
++      else
++              register_netdevice_notifier(&canraw_notifier);
+ 
+       return err;
+ }
+@@ -886,6 +919,7 @@ static __init int raw_module_init(void)
+ static __exit void raw_module_exit(void)
+ {
+       can_proto_unregister(&raw_can_proto);
++      unregister_netdevice_notifier(&canraw_notifier);
+ }
+ 
+ module_init(raw_module_init);
+diff --git a/net/compat.c b/net/compat.c
+index 45349658ed010..2ec822f4e4090 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -158,7 +158,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, 
struct sock *sk,
+       if (kcmlen > stackbuf_size)
+               kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL);
+       if (kcmsg == NULL)
+-              return -ENOBUFS;
++              return -ENOMEM;
+ 
+       /* Now copy them over neatly. */
+       memset(kcmsg, 0, kcmlen);
+diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
+index 9bb321df08698..76c3f602ee153 100644
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -928,7 +928,7 @@ static void notify_rule_change(int event, struct fib_rule 
*rule,
+ {
+       struct net *net;
+       struct sk_buff *skb;
+-      int err = -ENOBUFS;
++      int err = -ENOMEM;
+ 
+       net = ops->fro_net;
+       skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL);
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 0168c700a2014..3bcaecc7ba69f 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3648,6 +3648,10 @@ static int rtnl_bridge_notify(struct net_device *dev)
+       if (err < 0)
+               goto errout;
+ 
++      /* Notification info is only filled for bridge ports, not the bridge
++       * device itself. Therefore, a zero notification length is valid and
++       * should not result in an error.
++       */
+       if (!skb->len)
+               goto errout;
+ 
+diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c
+index b1c55db737648..6d4c71a52b6b2 100644
+--- a/net/ieee802154/nl802154.c
++++ b/net/ieee802154/nl802154.c
+@@ -1315,19 +1315,20 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla,
+                                    nl802154_dev_addr_policy, NULL))
+               return -EINVAL;
+ 
+-      if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] ||
+-          !attrs[NL802154_DEV_ADDR_ATTR_MODE] ||
+-          !(attrs[NL802154_DEV_ADDR_ATTR_SHORT] ||
+-            attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]))
++      if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || 
!attrs[NL802154_DEV_ADDR_ATTR_MODE])
+               return -EINVAL;
+ 
+       addr->pan_id = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_PAN_ID]);
+       addr->mode = nla_get_u32(attrs[NL802154_DEV_ADDR_ATTR_MODE]);
+       switch (addr->mode) {
+       case NL802154_DEV_ADDR_SHORT:
++              if (!attrs[NL802154_DEV_ADDR_ATTR_SHORT])
++                      return -EINVAL;
+               addr->short_addr = 
nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_SHORT]);
+               break;
+       case NL802154_DEV_ADDR_EXTENDED:
++              if (!attrs[NL802154_DEV_ADDR_ATTR_EXTENDED])
++                      return -EINVAL;
+               addr->extended_addr = 
nla_get_le64(attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]);
+               break;
+       default:
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 6a1b52b34e205..e8b8dd1cb1576 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -486,6 +486,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
+               kfree(doi_def->map.std->lvl.local);
+               kfree(doi_def->map.std->cat.cipso);
+               kfree(doi_def->map.std->cat.local);
++              kfree(doi_def->map.std);
+               break;
+       }
+       kfree(doi_def);
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 96ee1fbd999ef..ba07f128d7ad1 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -743,6 +743,13 @@ void __icmp_send(struct sk_buff *skb_in, int type, int 
code, __be32 info,
+               icmp_param.data_len = room;
+       icmp_param.head_len = sizeof(struct icmphdr);
+ 
++      /* if we don't have a source address at this point, fall back to the
++       * dummy address instead of sending out a packet with a source address
++       * of 0.0.0.0
++       */
++      if (!fl4.saddr)
++              fl4.saddr = htonl(INADDR_DUMMY);
++
+       icmp_push_reply(&icmp_param, &fl4, &ipc, &rt);
+ ende:
+       ip_rt_put(rt);
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index b6f0ee01f2e0b..a6b048ff30e6a 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -1790,6 +1790,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev)
+       while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
+               in_dev->mc_list = i->next_rcu;
+               in_dev->mc_count--;
++              ip_mc_clear_src(i);
+               ip_ma_put(i);
+       }
+ }
+diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
+index f0782c91514ce..41e384834d509 100644
+--- a/net/ipv4/ipconfig.c
++++ b/net/ipv4/ipconfig.c
+@@ -881,7 +881,7 @@ static void __init ic_bootp_send_if(struct ic_device *d, 
unsigned long jiffies_d
+ 
+ 
+ /*
+- *  Copy BOOTP-supplied string if not already set.
++ *  Copy BOOTP-supplied string
+  */
+ static int __init ic_bootp_string(char *dest, char *src, int len, int max)
+ {
+@@ -930,12 +930,15 @@ static void __init ic_do_bootp_ext(u8 *ext)
+               }
+               break;
+       case 12:        /* Host name */
+-              ic_bootp_string(utsname()->nodename, ext+1, *ext,
+-                              __NEW_UTS_LEN);
+-              ic_host_name_set = 1;
++              if (!ic_host_name_set) {
++                      ic_bootp_string(utsname()->nodename, ext+1, *ext,
++                                      __NEW_UTS_LEN);
++                      ic_host_name_set = 1;
++              }
+               break;
+       case 15:        /* Domain name (DNS) */
+-              ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain));
++              if (!ic_domain[0])
++                      ic_bootp_string(ic_domain, ext+1, *ext, 
sizeof(ic_domain));
+               break;
+       case 17:        /* Root path */
+               if (!root_server_path[0])
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 186fdf0922d2f..aab141c4a3892 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -978,6 +978,7 @@ bool ping_rcv(struct sk_buff *skb)
+       struct sock *sk;
+       struct net *net = dev_net(skb->dev);
+       struct icmphdr *icmph = icmp_hdr(skb);
++      bool rc = false;
+ 
+       /* We assume the packet has already been checked by icmp_rcv */
+ 
+@@ -992,14 +993,15 @@ bool ping_rcv(struct sk_buff *skb)
+               struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
+ 
+               pr_debug("rcv on socket %p\n", sk);
+-              if (skb2)
+-                      ping_queue_rcv_skb(sk, skb2);
++              if (skb2 && !ping_queue_rcv_skb(sk, skb2))
++                      rc = true;
+               sock_put(sk);
+-              return true;
+       }
+-      pr_debug("no socket, dropping\n");
+ 
+-      return false;
++      if (!rc)
++              pr_debug("no socket, dropping\n");
++
++      return rc;
+ }
+ EXPORT_SYMBOL_GPL(ping_rcv);
+ 
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 78d6bc61a1d87..81901b0529077 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -70,6 +70,7 @@
+ #include <linux/types.h>
+ #include <linux/kernel.h>
+ #include <linux/mm.h>
++#include <linux/bootmem.h>
+ #include <linux/string.h>
+ #include <linux/socket.h>
+ #include <linux/sockios.h>
+@@ -485,8 +486,10 @@ static void ipv4_confirm_neigh(const struct dst_entry 
*dst, const void *daddr)
+       __ipv4_confirm_neigh(dev, *(__force u32 *)pkey);
+ }
+ 
+-#define IP_IDENTS_SZ 2048u
+-
++/* Hash tables of size 2048..262144 depending on RAM size.
++ * Each bucket uses 8 bytes.
++ */
++static u32 ip_idents_mask __read_mostly;
+ static atomic_t *ip_idents __read_mostly;
+ static u32 *ip_tstamps __read_mostly;
+ 
+@@ -496,12 +499,16 @@ static u32 *ip_tstamps __read_mostly;
+  */
+ u32 ip_idents_reserve(u32 hash, int segs)
+ {
+-      u32 *p_tstamp = ip_tstamps + hash % IP_IDENTS_SZ;
+-      atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
+-      u32 old = ACCESS_ONCE(*p_tstamp);
+-      u32 now = (u32)jiffies;
++      u32 bucket, old, now = (u32)jiffies;
++      atomic_t *p_id;
++      u32 *p_tstamp;
+       u32 delta = 0;
+ 
++      bucket = hash & ip_idents_mask;
++      p_tstamp = ip_tstamps + bucket;
++      p_id = ip_idents + bucket;
++      old = ACCESS_ONCE(*p_tstamp);
++
+       if (old != now && cmpxchg(p_tstamp, old, now) == old)
+               delta = prandom_u32_max(now - old);
+ 
+@@ -3098,18 +3105,26 @@ struct ip_rt_acct __percpu *ip_rt_acct __read_mostly;
+ 
+ int __init ip_rt_init(void)
+ {
++      void *idents_hash;
+       int rc = 0;
+       int cpu;
+ 
+-      ip_idents = kmalloc(IP_IDENTS_SZ * sizeof(*ip_idents), GFP_KERNEL);
+-      if (!ip_idents)
+-              panic("IP: failed to allocate ip_idents\n");
++      /* For modern hosts, this will use 2 MB of memory */
++      idents_hash = alloc_large_system_hash("IP idents",
++                                            sizeof(*ip_idents) + 
sizeof(*ip_tstamps),
++                                            0,
++                                            16, /* one bucket per 64 KB */
++                                            HASH_ZERO,
++                                            NULL,
++                                            &ip_idents_mask,
++                                            2048,
++                                            256*1024);
++
++      ip_idents = idents_hash;
+ 
+-      prandom_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents));
++      prandom_bytes(ip_idents, (ip_idents_mask + 1) * sizeof(*ip_idents));
+ 
+-      ip_tstamps = kcalloc(IP_IDENTS_SZ, sizeof(*ip_tstamps), GFP_KERNEL);
+-      if (!ip_tstamps)
+-              panic("IP: failed to allocate ip_tstamps\n");
++      ip_tstamps = idents_hash + (ip_idents_mask + 1) * sizeof(*ip_idents);
+ 
+       for_each_possible_cpu(cpu) {
+               struct uncached_list *ul = &per_cpu(rt_uncached_list, cpu);
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 8f298f27f6ecf..cf5c4d2f68c1a 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2337,6 +2337,9 @@ void udp_destroy_sock(struct sock *sk)
+ {
+       struct udp_sock *up = udp_sk(sk);
+       bool slow = lock_sock_fast(sk);
++
++      /* protects from races with udp_abort() */
++      sock_set_flag(sk, SOCK_DEAD);
+       udp_flush_pending_frames(sk);
+       unlock_sock_fast(sk, slow);
+       if (static_key_false(&udp_encap_needed) && up->encap_type) {
+@@ -2570,10 +2573,17 @@ int udp_abort(struct sock *sk, int err)
+ {
+       lock_sock(sk);
+ 
++      /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing
++       * with close()
++       */
++      if (sock_flag(sk, SOCK_DEAD))
++              goto out;
++
+       sk->sk_err = err;
+       sk->sk_error_report(sk);
+       __udp_disconnect(sk, 0);
+ 
++out:
+       release_sock(sk);
+ 
+       return 0;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 38ad3fac8c37f..d9d25b9c07aea 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1434,6 +1434,9 @@ void udpv6_destroy_sock(struct sock *sk)
+ {
+       struct udp_sock *up = udp_sk(sk);
+       lock_sock(sk);
++
++      /* protects from races with udp_abort() */
++      sock_set_flag(sk, SOCK_DEAD);
+       udp_v6_flush_pending_frames(sk);
+       release_sock(sk);
+ 
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 790c771e8108e..0d4f7258b243b 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1393,7 +1393,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
+       rcu_read_lock();
+       chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+ 
+-      if (WARN_ON_ONCE(!chanctx_conf)) {
++      if (!chanctx_conf) {
+               rcu_read_unlock();
+               return NULL;
+       }
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 6b4fd56800f74..ac2c52709e1c7 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2014,17 +2014,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+       sc = le16_to_cpu(hdr->seq_ctrl);
+       frag = sc & IEEE80211_SCTL_FRAG;
+ 
+-      if (is_multicast_ether_addr(hdr->addr1)) {
+-              I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
+-              goto out_no_led;
+-      }
+-
+       if (rx->sta)
+               cache = &rx->sta->frags;
+ 
+       if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
+               goto out;
+ 
++      if (is_multicast_ether_addr(hdr->addr1))
++              return RX_DROP_MONITOR;
++
+       I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+ 
+       if (skb_linearize(rx->skb))
+@@ -2150,7 +2148,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ 
+  out:
+       ieee80211_led_rx(rx->local);
+- out_no_led:
+       if (rx->sta)
+               rx->sta->rx_stats.packets++;
+       return RX_CONTINUE;
+diff --git a/net/netfilter/nf_synproxy_core.c 
b/net/netfilter/nf_synproxy_core.c
+index 49bd8bb16b181..9ff26eb0309a1 100644
+--- a/net/netfilter/nf_synproxy_core.c
++++ b/net/netfilter/nf_synproxy_core.c
+@@ -34,6 +34,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned 
int doff,
+       int length = (th->doff * 4) - sizeof(*th);
+       u8 buf[40], *ptr;
+ 
++      if (unlikely(length < 0))
++              return false;
++
+       ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
+       if (ptr == NULL)
+               return false;
+@@ -50,6 +53,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned 
int doff,
+                       length--;
+                       continue;
+               default:
++                      if (length < 2)
++                              return true;
+                       opsize = *ptr++;
+                       if (opsize < 2)
+                               return true;
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index b62ec43ed54f4..50ca70b3c1759 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2694,7 +2694,7 @@ static int tpacket_snd(struct packet_sock *po, struct 
msghdr *msg)
+       }
+       if (likely(saddr == NULL)) {
+               dev     = packet_cached_dev_get(po);
+-              proto   = po->num;
++              proto   = READ_ONCE(po->num);
+       } else {
+               err = -EINVAL;
+               if (msg->msg_namelen < sizeof(struct sockaddr_ll))
+@@ -2907,7 +2907,7 @@ static int packet_snd(struct socket *sock, struct msghdr 
*msg, size_t len)
+ 
+       if (likely(saddr == NULL)) {
+               dev     = packet_cached_dev_get(po);
+-              proto   = po->num;
++              proto   = READ_ONCE(po->num);
+       } else {
+               err = -EINVAL;
+               if (msg->msg_namelen < sizeof(struct sockaddr_ll))
+@@ -3177,7 +3177,7 @@ static int packet_do_bind(struct sock *sk, const char 
*name, int ifindex,
+                       /* prevents packet_notifier() from calling
+                        * register_prot_hook()
+                        */
+-                      po->num = 0;
++                      WRITE_ONCE(po->num, 0);
+                       __unregister_prot_hook(sk, true);
+                       rcu_read_lock();
+                       dev_curr = po->prot_hook.dev;
+@@ -3187,17 +3187,17 @@ static int packet_do_bind(struct sock *sk, const char 
*name, int ifindex,
+               }
+ 
+               BUG_ON(po->running);
+-              po->num = proto;
++              WRITE_ONCE(po->num, proto);
+               po->prot_hook.type = proto;
+ 
+               if (unlikely(unlisted)) {
+                       dev_put(dev);
+                       po->prot_hook.dev = NULL;
+-                      po->ifindex = -1;
++                      WRITE_ONCE(po->ifindex, -1);
+                       packet_cached_dev_reset(po);
+               } else {
+                       po->prot_hook.dev = dev;
+-                      po->ifindex = dev ? dev->ifindex : 0;
++                      WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0);
+                       packet_cached_dev_assign(po, dev);
+               }
+       }
+@@ -3512,7 +3512,7 @@ static int packet_getname_spkt(struct socket *sock, 
struct sockaddr *uaddr,
+       uaddr->sa_family = AF_PACKET;
+       memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+       rcu_read_lock();
+-      dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
++      dev = dev_get_by_index_rcu(sock_net(sk), 
READ_ONCE(pkt_sk(sk)->ifindex));
+       if (dev)
+               strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+       rcu_read_unlock();
+@@ -3528,16 +3528,18 @@ static int packet_getname(struct socket *sock, struct 
sockaddr *uaddr,
+       struct sock *sk = sock->sk;
+       struct packet_sock *po = pkt_sk(sk);
+       DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr);
++      int ifindex;
+ 
+       if (peer)
+               return -EOPNOTSUPP;
+ 
++      ifindex = READ_ONCE(po->ifindex);
+       sll->sll_family = AF_PACKET;
+-      sll->sll_ifindex = po->ifindex;
+-      sll->sll_protocol = po->num;
++      sll->sll_ifindex = ifindex;
++      sll->sll_protocol = READ_ONCE(po->num);
+       sll->sll_pkttype = 0;
+       rcu_read_lock();
+-      dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
++      dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
+       if (dev) {
+               sll->sll_hatype = dev->type;
+               sll->sll_halen = dev->addr_len;
+@@ -4117,7 +4119,7 @@ static int packet_notifier(struct notifier_block *this,
+                               }
+                               if (msg == NETDEV_UNREGISTER) {
+                                       packet_cached_dev_reset(po);
+-                                      po->ifindex = -1;
++                                      WRITE_ONCE(po->ifindex, -1);
+                                       if (po->prot_hook.dev)
+                                               dev_put(po->prot_hook.dev);
+                                       po->prot_hook.dev = NULL;
+@@ -4429,7 +4431,7 @@ static int packet_set_ring(struct sock *sk, union 
tpacket_req_u *req_u,
+       was_running = po->running;
+       num = po->num;
+       if (was_running) {
+-              po->num = 0;
++              WRITE_ONCE(po->num, 0);
+               __unregister_prot_hook(sk, false);
+       }
+       spin_unlock(&po->bind_lock);
+@@ -4464,7 +4466,7 @@ static int packet_set_ring(struct sock *sk, union 
tpacket_req_u *req_u,
+ 
+       spin_lock(&po->bind_lock);
+       if (was_running) {
+-              po->num = num;
++              WRITE_ONCE(po->num, num);
+               register_prot_hook(sk);
+       }
+       spin_unlock(&po->bind_lock);
+@@ -4635,8 +4637,8 @@ static int packet_seq_show(struct seq_file *seq, void *v)
+                          s,
+                          refcount_read(&s->sk_refcnt),
+                          s->sk_type,
+-                         ntohs(po->num),
+-                         po->ifindex,
++                         ntohs(READ_ONCE(po->num)),
++                         READ_ONCE(po->ifindex),
+                          po->running,
+                          atomic_read(&s->sk_rmem_alloc),
+                          from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)),
+diff --git a/net/rds/recv.c b/net/rds/recv.c
+index ef022d24f87ae..a1b2bdab6655d 100644
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -663,7 +663,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, 
size_t size,
+ 
+               if (rds_cmsg_recv(inc, msg, rs)) {
+                       ret = -EFAULT;
+-                      goto out;
++                      break;
+               }
+ 
+               rds_stats_inc(s_recv_delivered);
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 44ff3f5c22dfd..8e7054fc27f8b 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -535,12 +535,14 @@ static void unix_release_sock(struct sock *sk, int 
embrion)
+       u->path.mnt = NULL;
+       state = sk->sk_state;
+       sk->sk_state = TCP_CLOSE;
++
++      skpair = unix_peer(sk);
++      unix_peer(sk) = NULL;
++
+       unix_state_unlock(sk);
+ 
+       wake_up_interruptible_all(&u->peer_wait);
+ 
+-      skpair = unix_peer(sk);
+-
+       if (skpair != NULL) {
+               if (sk->sk_type == SOCK_STREAM || sk->sk_type == 
SOCK_SEQPACKET) {
+                       unix_state_lock(skpair);
+@@ -555,7 +557,6 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ 
+               unix_dgram_peer_wake_disconnect(sk, skpair);
+               sock_put(skpair); /* It may now die */
+-              unix_peer(sk) = NULL;
+       }
+ 
+       /* Try to flush out this socket. Throw out buffers at least */
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index b3895a8a48ab2..bf4dd297a4db4 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1041,6 +1041,9 @@ int cfg80211_change_iface(struct 
cfg80211_registered_device *rdev,
+               case NL80211_IFTYPE_MESH_POINT:
+                       /* mesh should be handled? */
+                       break;
++              case NL80211_IFTYPE_OCB:
++                      cfg80211_leave_ocb(rdev, dev);
++                      break;
+               default:
+                       break;
+               }
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index 987e5f8cafbe3..fd0a6c6c77b62 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -550,7 +550,7 @@ static int x25_create(struct net *net, struct socket 
*sock, int protocol,
+       if (protocol)
+               goto out;
+ 
+-      rc = -ENOBUFS;
++      rc = -ENOMEM;
+       if ((sk = x25_alloc_socket(net, kern)) == NULL)
+               goto out;
+

[gentoo-commits] proj/linux-patches:4.14 commit in: /

Reply via email to