Merge branch 'ti-lsk-linux-4.4.y' of git://git.ti.com/ti-linux-kernel/ti-linux-kernel into p-ti-lsk-linux-4.4.yp-ti-lsk-linux-4.4.y

Auto Merge of: TI-Feature: lcpd-linux-4.4.y_linux-4.4.y TI-Tree: git://git.ti.com/ti-linux-kernel/ti-linux-kernel.git TI-Branch: ti-lsk-linux-4.4.y * 'ti-lsk-linux-4.4.y' of git://git.ti.com/ti-linux-kernel/ti-linux-kernel: (2458 commits) Linux 4.4.150 x86/speculation/l1tf: Exempt zeroed PTEs from inversion Linux 4.4.149 x86/mm: Add TLB purge to free pmd/pte page interfaces ioremap: Update pgtable free interfaces with addr Bluetooth: hidp: buffer overflow in hidp_process_report ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization crypto: ablkcipher - fix crash flushing dcache in error path crypto: blkcipher - fix crash flushing dcache in error path crypto: vmac - separate tfm and request context crypto: vmac - require a block cipher with 128-bit block size kbuild: verify that $DEPMOD is installed i2c: ismt: fix wrong device address when unmap the data buffer kasan: don't emit builtin calls when sanitization is off tcp: Fix missing range_truesize enlargement in the backport x86/mm: Disable ioremap free page handling on x86-PAE Linux 4.4.148 x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures x86/init: fix build with CONFIG_SWAP=n x86/speculation/l1tf: Fix up CPU feature flags ... Signed-off-by: David Huang <d-huang@ti.com>
author: David Huang 2018-08-21 05:01:29 -0500
committer: David Huang 2018-08-21 05:01:29 -0500
commit: c4efa79993284d3b96ac49bccd84a9e9f113c755 (patch)
tree: 9346c8d62b4fe85810fa4876dc66c45b818c733f
parent: 5761aab0d699493c2eb9907e3b249d29407cba17 (diff)
parent: 09a53c9ff85affd1c6fbe66734e0d3e839dcb1c3 (diff)
download: psdkla-kernel-p-ti-lsk-linux-4.4.y.tar.gz
psdkla-kernel-p-ti-lsk-linux-4.4.y.tar.xz
psdkla-kernel-p-ti-lsk-linux-4.4.y.zip
1967 files changed, 24539 insertions, 11245 deletions
diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
index ea6a043f5beb..50f95689ab38 100644
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -276,6 +276,7 @@ What:		/sys/devices/system/cpu/vulnerabilities
                /sys/devices/system/cpu/vulnerabilities/meltdown
                /sys/devices/system/cpu/vulnerabilities/spectre_v1
                /sys/devices/system/cpu/vulnerabilities/spectre_v2
+                /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
 Date:           January 2018
 Contact:        Linux kernel mailing list <linux-kernel@vger.kernel.org>
 Description:    Information about CPU vulnerabilities
diff --git a/Documentation/Changes b/Documentation/Changes
index ec97b77c8b00..f25649ffb892 100644
--- a/Documentation/Changes
+++ b/Documentation/Changes
@@ -25,7 +25,7 @@ o  GNU C                  3.2                     # gcc --version
 o  GNU make               3.80                    # make --version
 o  binutils               2.12                    # ld -v
 o  util-linux             2.10o                   # fdformat --version
-o  module-init-tools      0.9.10                  # depmod -V
+o  kmod                   13                      # depmod -V
 o  e2fsprogs              1.41.4                  # e2fsck -V
 o  jfsutils               1.1.3                   # fsck.jfs -V
 o  reiserfsprogs          3.6.3                   # reiserfsck -V
@@ -132,12 +132,6 @@ is not build with CONFIG_KALLSYMS and you have no way to rebuild and
 reproduce the Oops with that option, then you can still decode that Oops
 with ksymoops.
-Module-Init-Tools
-----------------
-A new module loader is now in the kernel that requires module-init-tools
-to use.  It is backward compatible with the 2.4.x series kernels.
 Mkinitrd
 --------
@@ -319,14 +313,15 @@ Util-linux
 ----------
 o  <ftp://ftp.kernel.org/pub/linux/utils/util-linux/>
+Kmod
+----
+o  <https://www.kernel.org/pub/linux/utils/kernel/kmod/>
+o  <https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git>
 Ksymoops
 --------
 o  <ftp://ftp.kernel.org/pub/linux/utils/kernel/ksymoops/v2.4/>
-Module-Init-Tools
-----------------
-o  <ftp://ftp.kernel.org/pub/linux/kernel/people/rusty/modules/>
 Mkinitrd
 --------
 o  <https://code.launchpad.net/initrd-tools/main>
diff --git a/Documentation/device-mapper/thin-provisioning.txt b/Documentation/device-mapper/thin-provisioning.txt
index 1699a55b7b70..ef639960b272 100644
--- a/Documentation/device-mapper/thin-provisioning.txt
+++ b/Documentation/device-mapper/thin-provisioning.txt
@@ -112,9 +112,11 @@ $low_water_mark is expressed in blocks of size $data_block_size.  If
 free space on the data device drops below this level then a dm event
 will be triggered which a userspace daemon should catch allowing it to
 extend the pool device.  Only one such event will be sent.
-Resuming a device with a new table itself triggers an event so the
-userspace daemon can use this to detect a situation where a new table
+No special event is triggered if a just resumed device's free space is below
-already exceeds the threshold.
+the low water mark. However, resuming a device always triggers an
+event; a userspace daemon should verify that free space exceeds the low
+water mark when handling this event.
 A low water mark for the metadata device is maintained in the kernel and
 will trigger a dm event if free space on the metadata device drops below
diff --git a/Documentation/devicetree/bindings/dma/snps-dma.txt b/Documentation/devicetree/bindings/dma/snps-dma.txt
index c261598164a7..17d43ca27f41 100644
--- a/Documentation/devicetree/bindings/dma/snps-dma.txt
+++ b/Documentation/devicetree/bindings/dma/snps-dma.txt
@@ -58,6 +58,6 @@ Example:
                interrupts = <0 35 0x4>;
                status = "disabled";
                dmas = <&dmahost 12 0 1>,
-                        <&dmahost 13 0 1 0>;
+                        <&dmahost 13 1 0>;
                dma-names = "rx", "rx";
        };
diff --git a/Documentation/filesystems/ext4.txt b/Documentation/filesystems/ext4.txt
index 6c0108eb0137..2139ea253142 100644
--- a/Documentation/filesystems/ext4.txt
+++ b/Documentation/filesystems/ext4.txt
@@ -233,7 +233,7 @@ data_err=ignore(*)	Just print an error message if an error occurs
 data_err=abort          Abort the journal if an error occurs in a file
                        data buffer in ordered mode.
-grpid                   Give objects the same group ID as their creator.
+grpid                   New objects have the group ID of their parent.
 bsdgroups
 nogrpid         (*)     New objects have the group ID of their creator.
diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
index 6716413c17ba..6d2689ebf824 100644
--- a/Documentation/filesystems/proc.txt
+++ b/Documentation/filesystems/proc.txt
@@ -383,32 +383,6 @@ is not associated with a file:
 or if empty, the mapping is anonymous.
-The /proc/PID/task/TID/maps is a view of the virtual memory from the viewpoint
-of the individual tasks of a process. In this file you will see a mapping marked
-as [stack] if that task sees it as a stack. Hence, for the example above, the
-task-level map, i.e. /proc/PID/task/TID/maps for thread 1001 will look like this:
-08048000-08049000 r-xp 00000000 03:00 8312       /opt/test
-08049000-0804a000 rw-p 00001000 03:00 8312       /opt/test
-0804a000-0806b000 rw-p 00000000 00:00 0          [heap]
-a7cb1000-a7cb2000 ---p 00000000 00:00 0
-a7cb2000-a7eb2000 rw-p 00000000 00:00 0
-a7eb2000-a7eb3000 ---p 00000000 00:00 0
-a7eb3000-a7ed5000 rw-p 00000000 00:00 0          [stack]
-a7ed5000-a8008000 r-xp 00000000 03:00 4222       /lib/libc.so.6
-a8008000-a800a000 r--p 00133000 03:00 4222       /lib/libc.so.6
-a800a000-a800b000 rw-p 00135000 03:00 4222       /lib/libc.so.6
-a800b000-a800e000 rw-p 00000000 00:00 0
-a800e000-a8022000 r-xp 00000000 03:00 14462      /lib/libpthread.so.0
-a8022000-a8023000 r--p 00013000 03:00 14462      /lib/libpthread.so.0
-a8023000-a8024000 rw-p 00014000 03:00 14462      /lib/libpthread.so.0
-a8024000-a8027000 rw-p 00000000 00:00 0
-a8027000-a8043000 r-xp 00000000 03:00 8317       /lib/ld-linux.so.2
-a8043000-a8044000 r--p 0001b000 03:00 8317       /lib/ld-linux.so.2
-a8044000-a8045000 rw-p 0001c000 03:00 8317       /lib/ld-linux.so.2
-aff35000-aff4a000 rw-p 00000000 00:00 0
-ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
 The /proc/PID/smaps is an extension based on maps, showing the memory
 consumption for each of the process's mappings. For each of mappings there
 is a series of lines such as the following:
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 41b24ef46d1e..44a2467ba15c 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -652,7 +652,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
        clearcpuid=BITNUM [X86]
                        Disable CPUID feature X for the kernel. See
-                        arch/x86/include/asm/cpufeature.h for the valid bit
+                        arch/x86/include/asm/cpufeatures.h for the valid bit
                        numbers. Note the Linux specific bits are not necessarily
                        stable over kernel options, but the vendor specific
                        ones should be.
@@ -2402,6 +2402,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
        noalign         [KNL,ARM]
+        noaltinstr      [S390] Disables alternative instructions patching
+                        (CPU alternatives feature).
        noapic          [SMP,APIC] Tells the kernel to not make use of any
                        IOAPICs that may be present in the system.
@@ -2457,6 +2460,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
                        allow data leaks with this option, which is equivalent
                        to spectre_v2=off.
+        nospec_store_bypass_disable
+                        [HW] Disable all mitigations for the Speculative Store Bypass vulnerability
        noxsave         [BUGS=X86] Disables x86 extended register state save
                        and restore using xsave. The kernel will fallback to
                        enabling legacy floating-point and sse state.
@@ -2565,8 +2571,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
        norandmaps      Don't use address space randomization.  Equivalent to
                        echo 0 > /proc/sys/kernel/randomize_va_space
-        noreplace-paravirt      [X86,IA-64,PV_OPS] Don't patch paravirt_ops
        noreplace-smp   [X86-32,SMP] Don't replace SMP instructions
                        with UP alternatives
@@ -3626,6 +3630,48 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
                        Not specifying this option is equivalent to
                        spectre_v2=auto.
+        spec_store_bypass_disable=
+                        [HW] Control Speculative Store Bypass (SSB) Disable mitigation
+                        (Speculative Store Bypass vulnerability)
+                        Certain CPUs are vulnerable to an exploit against a
+                        a common industry wide performance optimization known
+                        as "Speculative Store Bypass" in which recent stores
+                        to the same memory location may not be observed by
+                        later loads during speculative execution. The idea
+                        is that such stores are unlikely and that they can
+                        be detected prior to instruction retirement at the
+                        end of a particular speculation execution window.
+                        In vulnerable processors, the speculatively forwarded
+                        store can be used in a cache side channel attack, for
+                        example to read memory to which the attacker does not
+                        directly have access (e.g. inside sandboxed code).
+                        This parameter controls whether the Speculative Store
+                        Bypass optimization is used.
+                        on      - Unconditionally disable Speculative Store Bypass
+                        off     - Unconditionally enable Speculative Store Bypass
+                        auto    - Kernel detects whether the CPU model contains an
+                                  implementation of Speculative Store Bypass and
+                                  picks the most appropriate mitigation. If the
+                                  CPU is not vulnerable, "off" is selected. If the
+                                  CPU is vulnerable the default mitigation is
+                                  architecture and Kconfig dependent. See below.
+                        prctl   - Control Speculative Store Bypass per thread
+                                  via prctl. Speculative Store Bypass is enabled
+                                  for a process by default. The state of the control
+                                  is inherited on fork.
+                        seccomp - Same as "prctl" above, but all seccomp threads
+                                  will disable SSB unless they explicitly opt out.
+                        Not specifying this option is equivalent to
+                        spec_store_bypass_disable=auto.
+                        Default mitigations:
+                        X86:    If CONFIG_SECCOMP=y "seccomp", otherwise "prctl"
        spia_io_base=   [HW,MTD]
        spia_fio_base=
        spia_pedr=
diff --git a/Documentation/networking/netdev-FAQ.txt b/Documentation/networking/netdev-FAQ.txt
index 0fe1c6e0dbcd..bfc6b3e68cc4 100644
--- a/Documentation/networking/netdev-FAQ.txt
+++ b/Documentation/networking/netdev-FAQ.txt
@@ -168,6 +168,15 @@ A: No.  See above answer.  In short, if you think it really belongs in
   dash marker line as described in Documentation/SubmittingPatches to
   temporarily embed that information into the patch that you send.
+Q: Are all networking bug fixes backported to all stable releases?
+A: Due to capacity, Dave could only take care of the backports for the last
+   2 stable releases. For earlier stable releases, each stable branch maintainer
+   is supposed to take care of them. If you find any patch is missing from an
+   earlier stable branch, please notify stable@vger.kernel.org with either a
+   commit ID or a formal patch backported, and CC Dave and other relevant
+   networking developers.
 Q: Someone said that the comment style and coding convention is different
   for the networking content.  Is this true?
diff --git a/Documentation/printk-formats.txt b/Documentation/printk-formats.txt
index b784c270105f..ed6f6abaad57 100644
--- a/Documentation/printk-formats.txt
+++ b/Documentation/printk-formats.txt
@@ -273,11 +273,10 @@ struct clk:
        %pC     pll1
        %pCn    pll1
-        %pCr    1560000000
        For printing struct clk structures. '%pC' and '%pCn' print the name
        (Common Clock Framework) or address (legacy clock framework) of the
-        structure; '%pCr' prints the current clock rate.
+        structure.
        Passed by reference.
diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt
new file mode 100644
index 000000000000..32f3d55c54b7
--- /dev/null
+++ b/Documentation/spec_ctrl.txt
@@ -0,0 +1,94 @@
+===================
+Speculation Control
+===================
+Quite some CPUs have speculation-related misfeatures which are in
+fact vulnerabilities causing data leaks in various forms even across
+privilege domains.
+The kernel provides mitigation for such vulnerabilities in various
+forms. Some of these mitigations are compile-time configurable and some
+can be supplied on the kernel command line.
+There is also a class of mitigations which are very expensive, but they can
+be restricted to a certain set of processes or tasks in controlled
+environments. The mechanism to control these mitigations is via
+:manpage:`prctl(2)`.
+There are two prctl options which are related to this:
+ * PR_GET_SPECULATION_CTRL
+ * PR_SET_SPECULATION_CTRL
+PR_GET_SPECULATION_CTRL
+-----------------------
+PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
+which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
+the following meaning:
+==== ===================== ===================================================
+Bit  Define                Description
+==== ===================== ===================================================
+0    PR_SPEC_PRCTL         Mitigation can be controlled per task by
+                           PR_SET_SPECULATION_CTRL.
+1    PR_SPEC_ENABLE        The speculation feature is enabled, mitigation is
+                           disabled.
+2    PR_SPEC_DISABLE       The speculation feature is disabled, mitigation is
+                           enabled.
+3    PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
+                           subsequent prctl(..., PR_SPEC_ENABLE) will fail.
+==== ===================== ===================================================
+If all bits are 0 the CPU is not affected by the speculation misfeature.
+If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
+available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
+misfeature will fail.
+PR_SET_SPECULATION_CTRL
+-----------------------
+PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
+is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
+in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
+PR_SPEC_FORCE_DISABLE.
+Common error codes
+------------------
+======= =================================================================
+Value   Meaning
+======= =================================================================
+EINVAL  The prctl is not implemented by the architecture or unused
+        prctl(2) arguments are not 0.
+ENODEV  arg2 is selecting a not supported speculation misfeature.
+======= =================================================================
+PR_SET_SPECULATION_CTRL error codes
+-----------------------------------
+======= =================================================================
+Value   Meaning
+======= =================================================================
+0       Success
+ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
+        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.
+ENXIO   Control of the selected speculation misfeature is not possible.
+        See PR_GET_SPECULATION_CTRL.
+EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
+        tried to enable it again.
+======= =================================================================
+Speculation misfeature controls
+-------------------------------
+- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
+  Invocations:
+   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
+   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
+   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
diff --git a/Documentation/speculation.txt b/Documentation/speculation.txt
new file mode 100644
index 000000000000..e9e6cbae2841
--- /dev/null
+++ b/Documentation/speculation.txt
@@ -0,0 +1,90 @@
+This document explains potential effects of speculation, and how undesirable
+effects can be mitigated portably using common APIs.
+===========
+Speculation
+===========
+To improve performance and minimize average latencies, many contemporary CPUs
+employ speculative execution techniques such as branch prediction, performing
+work which may be discarded at a later stage.
+Typically speculative execution cannot be observed from architectural state,
+such as the contents of registers. However, in some cases it is possible to
+observe its impact on microarchitectural state, such as the presence or
+absence of data in caches. Such state may form side-channels which can be
+observed to extract secret information.
+For example, in the presence of branch prediction, it is possible for bounds
+checks to be ignored by code which is speculatively executed. Consider the
+following code:
+        int load_array(int *array, unsigned int index)
+        {
+                if (index >= MAX_ARRAY_ELEMS)
+                        return 0;
+                else
+                        return array[index];
+        }
+Which, on arm64, may be compiled to an assembly sequence such as:
+        CMP     <index>, #MAX_ARRAY_ELEMS
+        B.LT    less
+        MOV     <returnval>, #0
+        RET
+  less:
+        LDR     <returnval>, [<array>, <index>]
+        RET
+It is possible that a CPU mis-predicts the conditional branch, and
+speculatively loads array[index], even if index >= MAX_ARRAY_ELEMS. This
+value will subsequently be discarded, but the speculated load may affect
+microarchitectural state which can be subsequently measured.
+More complex sequences involving multiple dependent memory accesses may
+result in sensitive information being leaked. Consider the following
+code, building on the prior example:
+        int load_dependent_arrays(int *arr1, int *arr2, int index)
+        {
+                int val1, val2,
+                val1 = load_array(arr1, index);
+                val2 = load_array(arr2, val1);
+                return val2;
+        }
+Under speculation, the first call to load_array() may return the value
+of an out-of-bounds address, while the second call will influence
+microarchitectural state dependent on this value. This may provide an
+arbitrary read primitive.
+====================================
+Mitigating speculation side-channels
+====================================
+The kernel provides a generic API to ensure that bounds checks are
+respected even under speculation. Architectures which are affected by
+speculation-based side-channels are expected to implement these
+primitives.
+The array_index_nospec() helper in <linux/nospec.h> can be used to
+prevent information from being leaked via side-channels.
+A call to array_index_nospec(index, size) returns a sanitized index
+value that is bounded to [0, size) even under cpu speculation
+conditions.
+This can be used to protect the earlier load_array() example:
+        int load_array(int *array, unsigned int index)
+        {
+                if (index >= MAX_ARRAY_ELEMS)
+                        return 0;
+                else {
+                        index = array_index_nospec(index, MAX_ARRAY_ELEMS);
+                        return array[index];
+                }
+        }
diff --git a/Makefile b/Makefile
index 39019c9d205c..7789195c6a59 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 VERSION = 4
 PATCHLEVEL = 4
-SUBLEVEL = 113
+SUBLEVEL = 150
 EXTRAVERSION =
 NAME = Blurry Fish Butt
@@ -87,10 +87,12 @@ endif
 ifneq ($(filter 4.%,$(MAKE_VERSION)),)  # make-4
 ifneq ($(filter %s ,$(firstword x$(MAKEFLAGS))),)
  quiet=silent_
+  tools_silent=s
 endif
 else                                    # make-3.8x
 ifneq ($(filter s% -s%,$(MAKEFLAGS)),)
  quiet=silent_
+  tools_silent=-s
 endif
 endif
@@ -416,7 +418,8 @@ export MAKE AWK GENKSYMS INSTALLKERNEL PERL PYTHON UTS_MACHINE
 export HOSTCXX HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS
 export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS LDFLAGS
-export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_GCOV CFLAGS_KASAN
+export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_GCOV
+export CFLAGS_KASAN CFLAGS_KASAN_NOSANITIZE
 export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
 export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE
 export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL
@@ -622,6 +625,7 @@ KBUILD_CFLAGS	+= $(call cc-disable-warning,frame-address,)
 KBUILD_CFLAGS   += $(call cc-disable-warning, format-truncation)
 KBUILD_CFLAGS   += $(call cc-disable-warning, format-overflow)
 KBUILD_CFLAGS   += $(call cc-disable-warning, int-in-bool-context)
+KBUILD_CFLAGS   += $(call cc-disable-warning, attribute-alias)
 ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
 KBUILD_CFLAGS   += -Os
@@ -782,6 +786,15 @@ KBUILD_CFLAGS += $(call cc-disable-warning, pointer-sign)
 # disable invalid "can't wrap" optimizations for signed / pointers
 KBUILD_CFLAGS   += $(call cc-option,-fno-strict-overflow)
+# clang sets -fmerge-all-constants by default as optimization, but this
+# is non-conforming behavior for C and in fact breaks the kernel, so we
+# need to disable it here generally.
+KBUILD_CFLAGS   += $(call cc-option,-fno-merge-all-constants)
+# for gcc -fno-merge-all-constants disables everything, but it is fine
+# to have actual conforming behavior enabled.
+KBUILD_CFLAGS   += $(call cc-option,-fmerge-constants)
 # Make sure -fstack-check isn't enabled (like gentoo apparently did)
 KBUILD_CFLAGS  += $(call cc-option,-fno-stack-check,)
@@ -1523,11 +1536,11 @@ image_name:
 # Clear a bunch of variables before executing the submake
 tools/: FORCE
        $(Q)mkdir -p $(objtree)/tools
-        $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(filter --j% -j,$(MAKEFLAGS))" O=$(shell cd $(objtree) && /bin/pwd) subdir=tools -C $(src)/tools/
+        $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(tools_silent) $(filter --j% -j,$(MAKEFLAGS))" O=$(shell cd $(objtree) && /bin/pwd) subdir=tools -C $(src)/tools/
 tools/%: FORCE
        $(Q)mkdir -p $(objtree)/tools
-        $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(filter --j% -j,$(MAKEFLAGS))" O=$(shell cd $(objtree) && /bin/pwd) subdir=tools -C $(src)/tools/ $*
+        $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(tools_silent) $(filter --j% -j,$(MAKEFLAGS))" O=$(shell cd $(objtree) && /bin/pwd) subdir=tools -C $(src)/tools/ $*
 # Single targets
 # ---------------------------------------------------------------------------
diff --git a/arch/alpha/include/asm/futex.h b/arch/alpha/include/asm/futex.h
index f939794363ac..56474690e685 100644
--- a/arch/alpha/include/asm/futex.h
+++ b/arch/alpha/include/asm/futex.h
@@ -29,18 +29,10 @@
        :       "r" (uaddr), "r"(oparg)                         \
        :       "memory")
-static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+                u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
@@ -66,17 +58,9 @@ static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/alpha/include/asm/xchg.h b/arch/alpha/include/asm/xchg.h
index 0ca9724597c1..7081e52291d0 100644
--- a/arch/alpha/include/asm/xchg.h
+++ b/arch/alpha/include/asm/xchg.h
@@ -11,6 +11,10 @@
 * Atomic exchange.
 * Since it can be used to implement critical sections
 * it must clobber "memory" (also for interrupts in UP).
+ *
+ * The leading and the trailing memory barriers guarantee that these
+ * operations are fully ordered.
+ *
 */
 static inline unsigned long
@@ -18,6 +22,7 @@ ____xchg(_u8, volatile char *m, unsigned long val)
 {
        unsigned long ret, tmp, addr64;
+        smp_mb();
        __asm__ __volatile__(
        "       andnot  %4,7,%3\n"
        "       insbl   %1,%4,%1\n"
@@ -42,6 +47,7 @@ ____xchg(_u16, volatile short *m, unsigned long val)
 {
        unsigned long ret, tmp, addr64;
+        smp_mb();
        __asm__ __volatile__(
        "       andnot  %4,7,%3\n"
        "       inswl   %1,%4,%1\n"
@@ -66,6 +72,7 @@ ____xchg(_u32, volatile int *m, unsigned long val)
 {
        unsigned long dummy;
+        smp_mb();
        __asm__ __volatile__(
        "1:     ldl_l %0,%4\n"
        "       bis $31,%3,%1\n"
@@ -86,6 +93,7 @@ ____xchg(_u64, volatile long *m, unsigned long val)
 {
        unsigned long dummy;
+        smp_mb();
        __asm__ __volatile__(
        "1:     ldq_l %0,%4\n"
        "       bis $31,%3,%1\n"
@@ -127,10 +135,12 @@ ____xchg(, volatile void *ptr, unsigned long x, int size)
 * store NEW in MEM.  Return the initial value in MEM.  Success is
 * indicated by comparing RETURN with OLD.
 *
- * The memory barrier should be placed in SMP only when we actually
+ * The leading and the trailing memory barriers guarantee that these
- * make the change. If we don't change anything (so if the returned
+ * operations are fully ordered.
- * prev is equal to old) then we aren't acquiring anything new and
+ *
- * we don't need any memory barrier as far I can tell.
+ * The trailing memory barrier is placed in SMP unconditionally, in
+ * order to guarantee that dependency ordering is preserved when a
+ * dependency is headed by an unsuccessful operation.
 */
 static inline unsigned long
@@ -138,6 +148,7 @@ ____cmpxchg(_u8, volatile char *m, unsigned char old, unsigned char new)
 {
        unsigned long prev, tmp, cmp, addr64;
+        smp_mb();
        __asm__ __volatile__(
        "       andnot  %5,7,%4\n"
        "       insbl   %1,%5,%1\n"
@@ -149,8 +160,8 @@ ____cmpxchg(_u8, volatile char *m, unsigned char old, unsigned char new)
        "       or      %1,%2,%2\n"
        "       stq_c   %2,0(%4)\n"
        "       beq     %2,3f\n"
-                __ASM__MB
        "2:\n"
+                __ASM__MB
        ".subsection 2\n"
        "3:     br      1b\n"
        ".previous"
@@ -165,6 +176,7 @@ ____cmpxchg(_u16, volatile short *m, unsigned short old, unsigned short new)
 {
        unsigned long prev, tmp, cmp, addr64;
+        smp_mb();
        __asm__ __volatile__(
        "       andnot  %5,7,%4\n"
        "       inswl   %1,%5,%1\n"
@@ -176,8 +188,8 @@ ____cmpxchg(_u16, volatile short *m, unsigned short old, unsigned short new)
        "       or      %1,%2,%2\n"
        "       stq_c   %2,0(%4)\n"
        "       beq     %2,3f\n"
-                __ASM__MB
        "2:\n"
+                __ASM__MB
        ".subsection 2\n"
        "3:     br      1b\n"
        ".previous"
@@ -192,6 +204,7 @@ ____cmpxchg(_u32, volatile int *m, int old, int new)
 {
        unsigned long prev, cmp;
+        smp_mb();
        __asm__ __volatile__(
        "1:     ldl_l %0,%5\n"
        "       cmpeq %0,%3,%1\n"
@@ -199,8 +212,8 @@ ____cmpxchg(_u32, volatile int *m, int old, int new)
        "       mov %4,%1\n"
        "       stl_c %1,%2\n"
        "       beq %1,3f\n"
-                __ASM__MB
        "2:\n"
+                __ASM__MB
        ".subsection 2\n"
        "3:     br 1b\n"
        ".previous"
@@ -215,6 +228,7 @@ ____cmpxchg(_u64, volatile long *m, unsigned long old, unsigned long new)
 {
        unsigned long prev, cmp;
+        smp_mb();
        __asm__ __volatile__(
        "1:     ldq_l %0,%5\n"
        "       cmpeq %0,%3,%1\n"
@@ -222,8 +236,8 @@ ____cmpxchg(_u64, volatile long *m, unsigned long old, unsigned long new)
        "       mov %4,%1\n"
        "       stq_c %1,%2\n"
        "       beq %1,3f\n"
-                __ASM__MB
        "2:\n"
+                __ASM__MB
        ".subsection 2\n"
        "3:     br 1b\n"
        ".previous"
diff --git a/arch/alpha/kernel/console.c b/arch/alpha/kernel/console.c
index 6a61deed4a85..ab228ed45945 100644
--- a/arch/alpha/kernel/console.c
+++ b/arch/alpha/kernel/console.c
@@ -20,6 +20,7 @@
 struct pci_controller *pci_vga_hose;
 static struct resource alpha_vga = {
        .name   = "alpha-vga+",
+        .flags  = IORESOURCE_IO,
        .start  = 0x3C0,
        .end    = 0x3DF
 };
diff --git a/arch/alpha/kernel/pci_impl.h b/arch/alpha/kernel/pci_impl.h
index 2b0ac429f5eb..412bb3c24f36 100644
--- a/arch/alpha/kernel/pci_impl.h
+++ b/arch/alpha/kernel/pci_impl.h
@@ -143,7 +143,8 @@ struct pci_iommu_arena
 };
 #if defined(CONFIG_ALPHA_SRM) && \
-    (defined(CONFIG_ALPHA_CIA) || defined(CONFIG_ALPHA_LCA))
+    (defined(CONFIG_ALPHA_CIA) || defined(CONFIG_ALPHA_LCA) || \
+     defined(CONFIG_ALPHA_AVANTI))
 # define NEED_SRM_SAVE_RESTORE
 #else
 # undef NEED_SRM_SAVE_RESTORE
diff --git a/arch/alpha/kernel/process.c b/arch/alpha/kernel/process.c
index 84d13263ce46..8095fb2c5c94 100644
--- a/arch/alpha/kernel/process.c
+++ b/arch/alpha/kernel/process.c
@@ -273,12 +273,13 @@ copy_thread(unsigned long clone_flags, unsigned long usp,
           application calling fork.  */
        if (clone_flags & CLONE_SETTLS)
                childti->pcb.unique = regs->r20;
+        else
+                regs->r20 = 0;  /* OSF/1 has some strange fork() semantics.  */
        childti->pcb.usp = usp ?: rdusp();
        *childregs = *regs;
        childregs->r0 = 0;
        childregs->r19 = 0;
        childregs->r20 = 1;     /* OSF/1 has some strange fork() semantics.  */
-        regs->r20 = 0;
        stack = ((struct switch_stack *) regs) - 1;
        *childstack = *stack;
        childstack->r26 = (unsigned long) ret_from_fork;
diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig
index 2d785f5a3041..c4ee25e88a7b 100644
--- a/arch/arc/Kconfig
+++ b/arch/arc/Kconfig
@@ -479,7 +479,6 @@ config ARC_CURR_IN_REG
 config ARC_EMUL_UNALIGNED
        bool "Emulate unaligned memory access (userspace only)"
-        default N
        select SYSCTL_ARCH_UNALIGN_NO_WARN
        select SYSCTL_ARCH_UNALIGN_ALLOW
        depends on ISA_ARCOMPACT
diff --git a/arch/arc/include/asm/futex.h b/arch/arc/include/asm/futex.h
index 11e1b1f3acda..eb887dd13e74 100644
--- a/arch/arc/include/asm/futex.h
+++ b/arch/arc/include/asm/futex.h
@@ -73,20 +73,11 @@
 #endif
-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+                u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
-                return -EFAULT;
 #ifndef CONFIG_ARC_HAS_LLSC
        preempt_disable();      /* to guarantee atomic r-m-w of futex op */
 #endif
@@ -118,30 +109,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        preempt_enable();
 #endif
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ:
-                        ret = (oldval == cmparg);
-                        break;
-                case FUTEX_OP_CMP_NE:
-                        ret = (oldval != cmparg);
-                        break;
-                case FUTEX_OP_CMP_LT:
-                        ret = (oldval < cmparg);
-                        break;
-                case FUTEX_OP_CMP_GE:
-                        ret = (oldval >= cmparg);
-                        break;
-                case FUTEX_OP_CMP_LE:
-                        ret = (oldval <= cmparg);
-                        break;
-                case FUTEX_OP_CMP_GT:
-                        ret = (oldval > cmparg);
-                        break;
-                default:
-                        ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/arc/include/asm/page.h b/arch/arc/include/asm/page.h
index 429957f1c236..8f1145ed0046 100644
--- a/arch/arc/include/asm/page.h
+++ b/arch/arc/include/asm/page.h
@@ -102,7 +102,7 @@ typedef pte_t * pgtable_t;
 #define virt_addr_valid(kaddr)  pfn_valid(__pa(kaddr) >> PAGE_SHIFT)
 /* Default Permissions for stack/heaps pages (Non Executable) */
-#define VM_DATA_DEFAULT_FLAGS   (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE)
+#define VM_DATA_DEFAULT_FLAGS   (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
 #define WANT_PAGE_VIRTUAL   1
diff --git a/arch/arc/include/asm/pgtable.h b/arch/arc/include/asm/pgtable.h
index e5fec320f158..c07d7b0a4058 100644
--- a/arch/arc/include/asm/pgtable.h
+++ b/arch/arc/include/asm/pgtable.h
@@ -372,7 +372,7 @@ void update_mmu_cache(struct vm_area_struct *vma, unsigned long address,
 /* Decode a PTE containing swap "identifier "into constituents */
 #define __swp_type(pte_lookalike)       (((pte_lookalike).val) & 0x1f)
-#define __swp_offset(pte_lookalike)     ((pte_lookalike).val << 13)
+#define __swp_offset(pte_lookalike)     ((pte_lookalike).val >> 13)
 /* NOPs, to keep generic kernel happy */
 #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val(pte) })
diff --git a/arch/arm/boot/dts/am4372.dtsi b/arch/arm/boot/dts/am4372.dtsi
index 0f296c1b5617..d70e96c64e6e 100644
--- a/arch/arm/boot/dts/am4372.dtsi
+++ b/arch/arm/boot/dts/am4372.dtsi
@@ -1084,7 +1084,8 @@
                        reg = <0x48038000 0x2000>,
                              <0x46000000 0x400000>;
                        reg-names = "mpu", "dat";
-                        interrupts = <80>, <81>;
+                        interrupts = <GIC_SPI 80 IRQ_TYPE_LEVEL_HIGH>,
+                                     <GIC_SPI 81 IRQ_TYPE_LEVEL_HIGH>;
                        interrupt-names = "tx", "rx";
                        status = "disabled";
                        dmas = <&edma 8 2>,
@@ -1098,7 +1099,8 @@
                        reg = <0x4803C000 0x2000>,
                              <0x46400000 0x400000>;
                        reg-names = "mpu", "dat";
-                        interrupts = <82>, <83>;
+                        interrupts = <GIC_SPI 82 IRQ_TYPE_LEVEL_HIGH>,
+                                     <GIC_SPI 83 IRQ_TYPE_LEVEL_HIGH>;
                        interrupt-names = "tx", "rx";
                        status = "disabled";
                        dmas = <&edma 10 2>,
diff --git a/arch/arm/boot/dts/at91sam9g25.dtsi b/arch/arm/boot/dts/at91sam9g25.dtsi
index a7da0dd0c98f..0898213f3bb2 100644
--- a/arch/arm/boot/dts/at91sam9g25.dtsi
+++ b/arch/arm/boot/dts/at91sam9g25.dtsi
@@ -21,7 +21,7 @@
                                atmel,mux-mask = <
                                      /*    A         B          C     */
                                       0xffffffff 0xffe0399f 0xc000001c  /* pioA */
-                                       0x0007ffff 0x8000fe3f 0x00000000  /* pioB */
+                                       0x0007ffff 0x00047e3f 0x00000000  /* pioB */
                                       0x80000000 0x07c0ffff 0xb83fffff  /* pioC */
                                       0x003fffff 0x003f8000 0x00000000  /* pioD */
                                      >;
diff --git a/arch/arm/boot/dts/exynos4412-trats2.dts b/arch/arm/boot/dts/exynos4412-trats2.dts
index 40a474c4374b..4c52358734ef 100644
--- a/arch/arm/boot/dts/exynos4412-trats2.dts
+++ b/arch/arm/boot/dts/exynos4412-trats2.dts
@@ -359,7 +359,7 @@
                reg = <0>;
                vdd3-supply = <&lcd_vdd3_reg>;
                vci-supply = <&ldo25_reg>;
-                reset-gpios = <&gpy4 5 GPIO_ACTIVE_HIGH>;
+                reset-gpios = <&gpf2 1 GPIO_ACTIVE_HIGH>;
                power-on-delay= <50>;
                reset-delay = <100>;
                init-delay = <100>;
diff --git a/arch/arm/boot/dts/imx53-qsrb.dts b/arch/arm/boot/dts/imx53-qsrb.dts
index 96d7eede412e..036c9bd9bf75 100644
--- a/arch/arm/boot/dts/imx53-qsrb.dts
+++ b/arch/arm/boot/dts/imx53-qsrb.dts
@@ -23,7 +23,7 @@
        imx53-qsrb {
                pinctrl_pmic: pmicgrp {
                        fsl,pins = <
-                                MX53_PAD_CSI0_DAT5__GPIO5_23    0x1e4 /* IRQ */
+                                MX53_PAD_CSI0_DAT5__GPIO5_23    0x1c4 /* IRQ */
                        >;
                };
        };
diff --git a/arch/arm/boot/dts/imx6q.dtsi b/arch/arm/boot/dts/imx6q.dtsi
index 399103b8e2c9..c81fb8fdc41f 100644
--- a/arch/arm/boot/dts/imx6q.dtsi
+++ b/arch/arm/boot/dts/imx6q.dtsi
@@ -95,7 +95,7 @@
                                        clocks = <&clks IMX6Q_CLK_ECSPI5>,
                                                 <&clks IMX6Q_CLK_ECSPI5>;
                                        clock-names = "ipg", "per";
-                                        dmas = <&sdma 11 7 1>, <&sdma 12 7 2>;
+                                        dmas = <&sdma 11 8 1>, <&sdma 12 8 2>;
                                        dma-names = "rx", "tx";
                                        status = "disabled";
                                };
diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi
index 167f77b3bd43..6963dff815dc 100644
--- a/arch/arm/boot/dts/imx6sx.dtsi
+++ b/arch/arm/boot/dts/imx6sx.dtsi
@@ -1250,7 +1250,7 @@
                                  /* non-prefetchable memory */
                                  0x82000000 0 0x08000000 0x08000000 0 0x00f00000>;
                        num-lanes = <1>;
-                        interrupts = <GIC_SPI 123 IRQ_TYPE_LEVEL_HIGH>;
+                        interrupts = <GIC_SPI 120 IRQ_TYPE_LEVEL_HIGH>;
                        clocks = <&clks IMX6SX_CLK_PCIE_REF_125M>,
                                 <&clks IMX6SX_CLK_PCIE_AXI>,
                                 <&clks IMX6SX_CLK_LVDS1_OUT>,
diff --git a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
index dde59c477a2b..ad5e5a128a97 100644
--- a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
+++ b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
@@ -94,6 +94,8 @@
 };
 &i2c1 {
+        pinctrl-names = "default";
+        pinctrl-0 = <&i2c1_pins>;
        clock-frequency = <2600000>;
        twl: twl@48 {
@@ -141,6 +143,12 @@
                        OMAP3_CORE1_IOPAD(0x218e, PIN_OUTPUT | MUX_MODE4)       /* mcbsp1_fsr.gpio_157 */
                >;
        };
+        i2c1_pins: pinmux_i2c1_pins {
+                pinctrl-single,pins = <
+                        OMAP3_CORE1_IOPAD(0x21ba, PIN_INPUT | MUX_MODE0)        /* i2c1_scl.i2c1_scl */
+                        OMAP3_CORE1_IOPAD(0x21bc, PIN_INPUT | MUX_MODE0)        /* i2c1_sda.i2c1_sda */
+                >;
+        };
 };
 &omap3_pmx_core2 {
diff --git a/arch/arm/boot/dts/ls1021a-qds.dts b/arch/arm/boot/dts/ls1021a-qds.dts
index 0521e6864cb7..76fce89d4f69 100644
--- a/arch/arm/boot/dts/ls1021a-qds.dts
+++ b/arch/arm/boot/dts/ls1021a-qds.dts
@@ -215,7 +215,7 @@
                                reg = <0x2a>;
                                VDDA-supply = <&reg_3p3v>;
                                VDDIO-supply = <&reg_3p3v>;
-                                clocks = <&sys_mclk 1>;
+                                clocks = <&sys_mclk>;
                        };
                };
        };
diff --git a/arch/arm/boot/dts/ls1021a-twr.dts b/arch/arm/boot/dts/ls1021a-twr.dts
index fbb89d13401e..674df87629bd 100644
--- a/arch/arm/boot/dts/ls1021a-twr.dts
+++ b/arch/arm/boot/dts/ls1021a-twr.dts
@@ -167,7 +167,7 @@
                reg = <0x0a>;
                VDDA-supply = <&reg_3p3v>;
                VDDIO-supply = <&reg_3p3v>;
-                clocks = <&sys_mclk 1>;
+                clocks = <&sys_mclk>;
        };
 };
diff --git a/arch/arm/boot/dts/ls1021a.dtsi b/arch/arm/boot/dts/ls1021a.dtsi
index 9430a9928199..00de37fe5f8a 100644
--- a/arch/arm/boot/dts/ls1021a.dtsi
+++ b/arch/arm/boot/dts/ls1021a.dtsi
@@ -132,7 +132,7 @@
                };
                esdhc: esdhc@1560000 {
-                        compatible = "fsl,esdhc";
+                        compatible = "fsl,ls1021a-esdhc", "fsl,esdhc";
                        reg = <0x0 0x1560000 0x0 0x10000>;
                        interrupts = <GIC_SPI 94 IRQ_TYPE_LEVEL_HIGH>;
                        clock-frequency = <0>;
diff --git a/arch/arm/boot/dts/moxart-uc7112lx.dts b/arch/arm/boot/dts/moxart-uc7112lx.dts
index 10d088df0c35..4a962a26482d 100644
--- a/arch/arm/boot/dts/moxart-uc7112lx.dts
+++ b/arch/arm/boot/dts/moxart-uc7112lx.dts
@@ -6,7 +6,7 @@
 */
 /dts-v1/;
-/include/ "moxart.dtsi"
+#include "moxart.dtsi"
 / {
        model = "MOXA UC-7112-LX";
diff --git a/arch/arm/boot/dts/moxart.dtsi b/arch/arm/boot/dts/moxart.dtsi
index 1fd27ed65a01..64f2f44235d0 100644
--- a/arch/arm/boot/dts/moxart.dtsi
+++ b/arch/arm/boot/dts/moxart.dtsi
@@ -6,6 +6,7 @@
 */
 /include/ "skeleton.dtsi"
+#include <dt-bindings/interrupt-controller/irq.h>
 / {
        compatible = "moxa,moxart";
@@ -36,8 +37,8 @@
                ranges;
                intc: interrupt-controller@98800000 {
-                        compatible = "moxa,moxart-ic";
+                        compatible = "moxa,moxart-ic", "faraday,ftintc010";
-                        reg = <0x98800000 0x38>;
+                        reg = <0x98800000 0x100>;
                        interrupt-controller;
                        #interrupt-cells = <2>;
                        interrupt-mask = <0x00080000>;
@@ -59,7 +60,7 @@
                timer: timer@98400000 {
                        compatible = "moxa,moxart-timer";
                        reg = <0x98400000 0x42>;
-                        interrupts = <19 1>;
+                        interrupts = <19 IRQ_TYPE_EDGE_FALLING>;
                        clocks = <&clk_apb>;
                };
@@ -80,7 +81,7 @@
                dma: dma@90500000 {
                        compatible = "moxa,moxart-dma";
                        reg = <0x90500080 0x40>;
-                        interrupts = <24 0>;
+                        interrupts = <24 IRQ_TYPE_LEVEL_HIGH>;
                        #dma-cells = <1>;
                };
@@ -93,7 +94,7 @@
                sdhci: sdhci@98e00000 {
                        compatible = "moxa,moxart-sdhci";
                        reg = <0x98e00000 0x5C>;
-                        interrupts = <5 0>;
+                        interrupts = <5 IRQ_TYPE_LEVEL_HIGH>;
                        clocks = <&clk_apb>;
                        dmas =  <&dma 5>,
                                <&dma 5>;
@@ -120,7 +121,7 @@
                mac0: mac@90900000 {
                        compatible = "moxa,moxart-mac";
                        reg = <0x90900000 0x90>;
-                        interrupts = <25 0>;
+                        interrupts = <25 IRQ_TYPE_LEVEL_HIGH>;
                        phy-handle = <&ethphy0>;
                        phy-mode = "mii";
                        status = "disabled";
@@ -129,7 +130,7 @@
                mac1: mac@92000000 {
                        compatible = "moxa,moxart-mac";
                        reg = <0x92000000 0x90>;
-                        interrupts = <27 0>;
+                        interrupts = <27 IRQ_TYPE_LEVEL_HIGH>;
                        phy-handle = <&ethphy1>;
                        phy-mode = "mii";
                        status = "disabled";
@@ -138,7 +139,7 @@
                uart0: uart@98200000 {
                        compatible = "ns16550a";
                        reg = <0x98200000 0x20>;
-                        interrupts = <31 8>;
+                        interrupts = <31 IRQ_TYPE_LEVEL_HIGH>;
                        reg-shift = <2>;
                        reg-io-width = <4>;
                        clock-frequency = <14745600>;
diff --git a/arch/arm/boot/dts/omap4.dtsi b/arch/arm/boot/dts/omap4.dtsi
index 2d90867a1df7..8c77535095fc 100644
--- a/arch/arm/boot/dts/omap4.dtsi
+++ b/arch/arm/boot/dts/omap4.dtsi
@@ -866,14 +866,12 @@
                        usbhsohci: ohci@4a064800 {
                                compatible = "ti,ohci-omap3";
                                reg = <0x4a064800 0x400>;
-                                interrupt-parent = <&gic>;
                                interrupts = <GIC_SPI 76 IRQ_TYPE_LEVEL_HIGH>;
                        };
                        usbhsehci: ehci@4a064c00 {
                                compatible = "ti,ehci-omap";
                                reg = <0x4a064c00 0x400>;
-                                interrupt-parent = <&gic>;
                                interrupts = <GIC_SPI 77 IRQ_TYPE_LEVEL_HIGH>;
                        };
                };
diff --git a/arch/arm/boot/dts/r8a7790.dtsi b/arch/arm/boot/dts/r8a7790.dtsi
index 7b39d8fae61e..bd83a61f724f 100644
--- a/arch/arm/boot/dts/r8a7790.dtsi
+++ b/arch/arm/boot/dts/r8a7790.dtsi
@@ -1360,8 +1360,11 @@
                        compatible = "renesas,r8a7790-mstp-clocks", "renesas,cpg-mstp-clocks";
                        reg = <0 0xe6150998 0 4>, <0 0xe61509a8 0 4>;
                        clocks = <&p_clk>,
-                                <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>,
+                                <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
-                                <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>,
+                                <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
+                                <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
+                                <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
+                                <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
                                <&p_clk>,
                                <&mstp10_clks R8A7790_CLK_SCU_ALL>, <&mstp10_clks R8A7790_CLK_SCU_ALL>,
                                <&mstp10_clks R8A7790_CLK_SCU_ALL>, <&mstp10_clks R8A7790_CLK_SCU_ALL>,
diff --git a/arch/arm/boot/dts/r8a7791-koelsch.dts b/arch/arm/boot/dts/r8a7791-koelsch.dts
index fc44ea361a4b..62eae315af1f 100644
--- a/arch/arm/boot/dts/r8a7791-koelsch.dts
+++ b/arch/arm/boot/dts/r8a7791-koelsch.dts
@@ -280,7 +280,7 @@
        x2_clk: x2-clock {
                compatible = "fixed-clock";
                #clock-cells = <0>;
-                clock-frequency = <148500000>;
+                clock-frequency = <74250000>;
        };
        x13_clk: x13-clock {
diff --git a/arch/arm/boot/dts/r8a7791.dtsi b/arch/arm/boot/dts/r8a7791.dtsi
index 328f48bd15e7..d2585a4c6098 100644
--- a/arch/arm/boot/dts/r8a7791.dtsi
+++ b/arch/arm/boot/dts/r8a7791.dtsi
@@ -1374,8 +1374,11 @@
                        compatible = "renesas,r8a7791-mstp-clocks", "renesas,cpg-mstp-clocks";
                        reg = <0 0xe6150998 0 4>, <0 0xe61509a8 0 4>;
                        clocks = <&p_clk>,
-                                <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>,
+                                <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
-                                <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>,
+                                <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
+                                <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
+                                <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
+                                <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
                                <&p_clk>,
                                <&mstp10_clks R8A7791_CLK_SCU_ALL>, <&mstp10_clks R8A7791_CLK_SCU_ALL>,
                                <&mstp10_clks R8A7791_CLK_SCU_ALL>, <&mstp10_clks R8A7791_CLK_SCU_ALL>,
diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi
index 8344a0ee2b86..b03fe747b98c 100644
--- a/arch/arm/boot/dts/s5pv210.dtsi
+++ b/arch/arm/boot/dts/s5pv210.dtsi
@@ -461,6 +461,7 @@
                        compatible = "samsung,exynos4210-ohci";
                        reg = <0xec300000 0x100>;
                        interrupts = <23>;
+                        interrupt-parent = <&vic1>;
                        clocks = <&clocks CLK_USB_HOST>;
                        clock-names = "usbhost";
                        #address-cells = <1>;
diff --git a/arch/arm/boot/dts/sama5d4.dtsi b/arch/arm/boot/dts/sama5d4.dtsi
index 3daf8d5d7878..fb0d1b252dc8 100644
--- a/arch/arm/boot/dts/sama5d4.dtsi
+++ b/arch/arm/boot/dts/sama5d4.dtsi
@@ -1354,7 +1354,7 @@
                        pinctrl@fc06a000 {
                                #address-cells = <1>;
                                #size-cells = <1>;
-                                compatible = "atmel,at91sam9x5-pinctrl", "atmel,at91rm9200-pinctrl", "simple-bus";
+                                compatible = "atmel,sama5d3-pinctrl", "atmel,at91sam9x5-pinctrl", "simple-bus";
                                ranges = <0xfc068000 0xfc068000 0x100
                                          0xfc06a000 0xfc06a000 0x4000>;
                                /* WARNING: revisit as pin spec has changed */
diff --git a/arch/arm/boot/dts/socfpga.dtsi b/arch/arm/boot/dts/socfpga.dtsi
index 39c470e291f9..69381deeb703 100644
--- a/arch/arm/boot/dts/socfpga.dtsi
+++ b/arch/arm/boot/dts/socfpga.dtsi
@@ -738,7 +738,7 @@
                timer@fffec600 {
                        compatible = "arm,cortex-a9-twd-timer";
                        reg = <0xfffec600 0x100>;
-                        interrupts = <1 13 0xf04>;
+                        interrupts = <1 13 0xf01>;
                        clocks = <&mpu_periph_clk>;
                };
diff --git a/arch/arm/boot/dts/spear1310-evb.dts b/arch/arm/boot/dts/spear1310-evb.dts
index e48857249ce7..3d83992efd90 100644
--- a/arch/arm/boot/dts/spear1310-evb.dts
+++ b/arch/arm/boot/dts/spear1310-evb.dts
@@ -349,7 +349,7 @@
                        spi0: spi@e0100000 {
                                status = "okay";
                                num-cs = <3>;
-                                cs-gpios = <&gpio1 7 0>, <&spics 0>, <&spics 1>;
+                                cs-gpios = <&gpio1 7 0>, <&spics 0 0>, <&spics 1 0>;
                                stmpe610@0 {
                                        compatible = "st,stmpe610";
diff --git a/arch/arm/boot/dts/spear1340.dtsi b/arch/arm/boot/dts/spear1340.dtsi
index df2232d767ed..6361cbfcbe5e 100644
--- a/arch/arm/boot/dts/spear1340.dtsi
+++ b/arch/arm/boot/dts/spear1340.dtsi
@@ -141,8 +141,8 @@
                                reg = <0xb4100000 0x1000>;
                                interrupts = <0 105 0x4>;
                                status = "disabled";
-                                dmas = <&dwdma0 0x600 0 0 1>, /* 0xC << 11 */
+                                dmas = <&dwdma0 12 0 1>,
-                                        <&dwdma0 0x680 0 1 0>; /* 0xD << 7 */
+                                        <&dwdma0 13 1 0>;
                                dma-names = "tx", "rx";
                        };
diff --git a/arch/arm/boot/dts/spear13xx.dtsi b/arch/arm/boot/dts/spear13xx.dtsi
index 14594ce8c18a..8fd8a3328acb 100644
--- a/arch/arm/boot/dts/spear13xx.dtsi
+++ b/arch/arm/boot/dts/spear13xx.dtsi
@@ -100,7 +100,7 @@
                        reg = <0xb2800000 0x1000>;
                        interrupts = <0 29 0x4>;
                        status = "disabled";
-                        dmas = <&dwdma0 0 0 0 0>;
+                        dmas = <&dwdma0 0 0 0>;
                        dma-names = "data";
                };
@@ -288,8 +288,8 @@
                                #size-cells = <0>;
                                interrupts = <0 31 0x4>;
                                status = "disabled";
-                                dmas = <&dwdma0 0x2000 0 0 0>, /* 0x4 << 11 */
+                                dmas = <&dwdma0 4 0 0>,
-                                        <&dwdma0 0x0280 0 0 0>;  /* 0x5 << 7 */
+                                        <&dwdma0 5 0 0>;
                                dma-names = "tx", "rx";
                        };
diff --git a/arch/arm/boot/dts/spear600.dtsi b/arch/arm/boot/dts/spear600.dtsi
index 9f60a7b6a42b..bd379034993c 100644
--- a/arch/arm/boot/dts/spear600.dtsi
+++ b/arch/arm/boot/dts/spear600.dtsi
@@ -194,6 +194,7 @@
                        rtc@fc900000 {
                                compatible = "st,spear600-rtc";
                                reg = <0xfc900000 0x1000>;
+                                interrupt-parent = <&vic0>;
                                interrupts = <10>;
                                status = "disabled";
                        };
diff --git a/arch/arm/boot/dts/stih407.dtsi b/arch/arm/boot/dts/stih407.dtsi
index d60f0d8add26..e4b508ce38a2 100644
--- a/arch/arm/boot/dts/stih407.dtsi
+++ b/arch/arm/boot/dts/stih407.dtsi
@@ -8,6 +8,7 @@
 */
 #include "stih407-clock.dtsi"
 #include "stih407-family.dtsi"
+#include <dt-bindings/gpio/gpio.h>
 / {
        soc {
                sti-display-subsystem {
@@ -112,7 +113,7 @@
                                         <&clk_s_d2_quadfs 0>,
                                         <&clk_s_d2_quadfs 1>;
-                                hdmi,hpd-gpio = <&pio5 3>;
+                                hdmi,hpd-gpio = <&pio5 3 GPIO_ACTIVE_LOW>;
                                reset-names = "hdmi";
                                resets = <&softreset STIH407_HDMI_TX_PHY_SOFTRESET>;
                                ddc = <&hdmiddc>;
diff --git a/arch/arm/boot/dts/stih410.dtsi b/arch/arm/boot/dts/stih410.dtsi
index 40318869c733..3c32fb8cdcac 100644
--- a/arch/arm/boot/dts/stih410.dtsi
+++ b/arch/arm/boot/dts/stih410.dtsi
@@ -9,6 +9,7 @@
 #include "stih410-clock.dtsi"
 #include "stih407-family.dtsi"
 #include "stih410-pinctrl.dtsi"
+#include <dt-bindings/gpio/gpio.h>
 / {
        aliases {
                bdisp0 = &bdisp0;
@@ -203,7 +204,7 @@
                                         <&clk_s_d2_quadfs 0>,
                                         <&clk_s_d2_quadfs 1>;
-                                hdmi,hpd-gpio = <&pio5 3>;
+                                hdmi,hpd-gpio = <&pio5 3 GPIO_ACTIVE_LOW>;
                                reset-names = "hdmi";
                                resets = <&softreset STIH407_HDMI_TX_PHY_SOFTRESET>;
                                ddc = <&hdmiddc>;
diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
index 2c16d9e7c03c..4a275fba6059 100644
--- a/arch/arm/include/asm/assembler.h
+++ b/arch/arm/include/asm/assembler.h
@@ -530,4 +530,14 @@ THUMB(	orr	\reg , \reg , #PSR_T_BIT	)
 #endif
        .endm
+#ifdef CONFIG_KPROBES
+#define _ASM_NOKPROBE(entry)                            \
+        .pushsection "_kprobe_blacklist", "aw" ;        \
+        .balign 4 ;                                     \
+        .long entry;                                    \
+        .popsection
+#else
+#define _ASM_NOKPROBE(entry)
+#endif
 #endif /* __ASM_ASSEMBLER_H__ */
diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
index 6795368ad023..cc414382dab4 100644
--- a/arch/arm/include/asm/futex.h
+++ b/arch/arm/include/asm/futex.h
@@ -128,20 +128,10 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
 #endif /* !SMP */
 static inline int
-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret, tmp;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
 #ifndef CONFIG_SMP
        preempt_disable();
 #endif
@@ -172,17 +162,9 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
        preempt_enable();
 #endif
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/arm/include/asm/kgdb.h b/arch/arm/include/asm/kgdb.h
index 0a9d5dd93294..6949c7d4481c 100644
--- a/arch/arm/include/asm/kgdb.h
+++ b/arch/arm/include/asm/kgdb.h
@@ -76,7 +76,7 @@ extern int kgdb_fault_expected;
 #define KGDB_MAX_NO_CPUS        1
 #define BUFMAX                  400
-#define NUMREGBYTES             (DBG_MAX_REG_NUM << 2)
+#define NUMREGBYTES             (GDB_MAX_REGS << 2)
 #define NUMCRITREGBYTES         (32 << 2)
 #define _R0                     0
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
index 7fb59199c6bb..7665bd2f4871 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -251,7 +251,7 @@ extern int __put_user_8(void *, unsigned long long);
        ({                                                              \
                unsigned long __limit = current_thread_info()->addr_limit - 1; \
                const typeof(*(p)) __user *__tmp_p = (p);               \
-                register const typeof(*(p)) __r2 asm("r2") = (x);       \
+                register typeof(*(p)) __r2 asm("r2") = (x);     \
                register const typeof(*(p)) __user *__p asm("r0") = __tmp_p; \
                register unsigned long __l asm("r1") = __limit;         \
                register int __e asm("r0");                             \
diff --git a/arch/arm/include/asm/vdso.h b/arch/arm/include/asm/vdso.h
index d0295f1dd1a3..ff65b6d96c7e 100644
--- a/arch/arm/include/asm/vdso.h
+++ b/arch/arm/include/asm/vdso.h
@@ -11,8 +11,6 @@ struct mm_struct;
 void arm_install_vdso(struct mm_struct *mm, unsigned long addr);
-extern char vdso_start, vdso_end;
 extern unsigned int vdso_total_pages;
 #else /* CONFIG_VDSO */
diff --git a/arch/arm/include/asm/xen/events.h b/arch/arm/include/asm/xen/events.h
index 71e473d05fcc..620dc75362e5 100644
--- a/arch/arm/include/asm/xen/events.h
+++ b/arch/arm/include/asm/xen/events.h
@@ -16,7 +16,7 @@ static inline int xen_irqs_disabled(struct pt_regs *regs)
        return raw_irqs_disabled_flags(regs->ARM_cpsr);
 }
-#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((ptr),      \
+#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((long long*)(ptr),\
                                                            atomic64_t, \
                                                            counter), (val))
diff --git a/arch/arm/kernel/ftrace.c b/arch/arm/kernel/ftrace.c
index 709ee1d6d4df..faa9a905826e 100644
--- a/arch/arm/kernel/ftrace.c
+++ b/arch/arm/kernel/ftrace.c
@@ -29,11 +29,6 @@
 #endif
 #ifdef CONFIG_DYNAMIC_FTRACE
-#ifdef CONFIG_OLD_MCOUNT
-#define OLD_MCOUNT_ADDR ((unsigned long) mcount)
-#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old)
-#define OLD_NOP         0xe1a00000      /* mov r0, r0 */
 static int __ftrace_modify_code(void *data)
 {
@@ -51,6 +46,12 @@ void arch_ftrace_update_code(int command)
        stop_machine(__ftrace_modify_code, &command, NULL);
 }
+#ifdef CONFIG_OLD_MCOUNT
+#define OLD_MCOUNT_ADDR ((unsigned long) mcount)
+#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old)
+#define OLD_NOP         0xe1a00000      /* mov r0, r0 */
 static unsigned long ftrace_nop_replace(struct dyn_ftrace *rec)
 {
        return rec->arch.old_mcount ? OLD_NOP : NOP;
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index c92b535150a0..306a2a581785 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -19,6 +19,7 @@
 #include <linux/uaccess.h>
 #include <linux/hardirq.h>
 #include <linux/kdebug.h>
+#include <linux/kprobes.h>
 #include <linux/module.h>
 #include <linux/kexec.h>
 #include <linux/bug.h>
@@ -395,7 +396,8 @@ void unregister_undef_hook(struct undef_hook *hook)
        raw_spin_unlock_irqrestore(&undef_lock, flags);
 }
-static int call_undef_hook(struct pt_regs *regs, unsigned int instr)
+static nokprobe_inline
+int call_undef_hook(struct pt_regs *regs, unsigned int instr)
 {
        struct undef_hook *hook;
        unsigned long flags;
@@ -468,6 +470,7 @@ die_sig:
        arm_notify_die("Oops - undefined instruction", regs, &info, 0, 6);
 }
+NOKPROBE_SYMBOL(do_undefinstr)
 /*
 * Handle FIQ similarly to NMI on x86 systems.
diff --git a/arch/arm/kernel/vdso.c b/arch/arm/kernel/vdso.c
index 54a5aeab988d..2dee87273e51 100644
--- a/arch/arm/kernel/vdso.c
+++ b/arch/arm/kernel/vdso.c
@@ -38,6 +38,8 @@
 static struct page **vdso_text_pagelist;
+extern char vdso_start[], vdso_end[];
 /* Total number of pages needed for the data and text portions of the VDSO. */
 unsigned int vdso_total_pages __read_mostly;
@@ -178,13 +180,13 @@ static int __init vdso_init(void)
        unsigned int text_pages;
        int i;
-        if (memcmp(&vdso_start, "\177ELF", 4)) {
+        if (memcmp(vdso_start, "\177ELF", 4)) {
                pr_err("VDSO is not a valid ELF object!\n");
                return -ENOEXEC;
        }
-        text_pages = (&vdso_end - &vdso_start) >> PAGE_SHIFT;
+        text_pages = (vdso_end - vdso_start) >> PAGE_SHIFT;
-        pr_debug("vdso: %i text pages at base %p\n", text_pages, &vdso_start);
+        pr_debug("vdso: %i text pages at base %p\n", text_pages, vdso_start);
        /* Allocate the VDSO text pagelist */
        vdso_text_pagelist = kcalloc(text_pages, sizeof(struct page *),
@@ -199,7 +201,7 @@ static int __init vdso_init(void)
        for (i = 0; i < text_pages; i++) {
                struct page *page;
-                page = virt_to_page(&vdso_start + i * PAGE_SIZE);
+                page = virt_to_page(vdso_start + i * PAGE_SIZE);
                vdso_text_pagelist[i] = page;
        }
@@ -210,7 +212,7 @@ static int __init vdso_init(void)
        cntvct_ok = cntvct_functional();
-        patch_vdso(&vdso_start);
+        patch_vdso(vdso_start);
        return 0;
 }
diff --git a/arch/arm/kvm/handle_exit.c b/arch/arm/kvm/handle_exit.c
index f36b5b1acd1f..05b2f8294968 100644
--- a/arch/arm/kvm/handle_exit.c
+++ b/arch/arm/kvm/handle_exit.c
@@ -45,7 +45,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run)
        ret = kvm_psci_call(vcpu);
        if (ret < 0) {
-                kvm_inject_undefined(vcpu);
+                vcpu_set_reg(vcpu, 0, ~0UL);
                return 1;
        }
@@ -54,7 +54,16 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run)
 static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run)
 {
-        kvm_inject_undefined(vcpu);
+        /*
+         * "If an SMC instruction executed at Non-secure EL1 is
+         * trapped to EL2 because HCR_EL2.TSC is 1, the exception is a
+         * Trap exception, not a Secure Monitor Call exception [...]"
+         *
+         * We need to advance the PC after the trap, as it would
+         * otherwise return to the same address...
+         */
+        vcpu_set_reg(vcpu, 0, ~0UL);
+        kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
        return 1;
 }
diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S
index 1712f132b80d..b83fdc06286a 100644
--- a/arch/arm/lib/csumpartialcopyuser.S
+++ b/arch/arm/lib/csumpartialcopyuser.S
@@ -85,7 +85,11 @@
                .pushsection .text.fixup,"ax"
                .align  4
 9001:           mov     r4, #-EFAULT
+#ifdef CONFIG_CPU_SW_DOMAIN_PAN
+                ldr     r5, [sp, #9*4]          @ *err_ptr
+#else
                ldr     r5, [sp, #8*4]          @ *err_ptr
+#endif
                str     r4, [r5]
                ldmia   sp, {r1, r2}            @ retrieve dst, len
                add     r2, r2, r1
diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S
index df73914e81c8..746e7801dcdf 100644
--- a/arch/arm/lib/getuser.S
+++ b/arch/arm/lib/getuser.S
@@ -38,6 +38,7 @@ ENTRY(__get_user_1)
        mov     r0, #0
        ret     lr
 ENDPROC(__get_user_1)
+_ASM_NOKPROBE(__get_user_1)
 ENTRY(__get_user_2)
        check_uaccess r0, 2, r1, r2, __get_user_bad
@@ -58,6 +59,7 @@ rb	.req	r0
        mov     r0, #0
        ret     lr
 ENDPROC(__get_user_2)
+_ASM_NOKPROBE(__get_user_2)
 ENTRY(__get_user_4)
        check_uaccess r0, 4, r1, r2, __get_user_bad
@@ -65,6 +67,7 @@ ENTRY(__get_user_4)
        mov     r0, #0
        ret     lr
 ENDPROC(__get_user_4)
+_ASM_NOKPROBE(__get_user_4)
 ENTRY(__get_user_8)
        check_uaccess r0, 8, r1, r2, __get_user_bad8
@@ -78,6 +81,7 @@ ENTRY(__get_user_8)
        mov     r0, #0
        ret     lr
 ENDPROC(__get_user_8)
+_ASM_NOKPROBE(__get_user_8)
 #ifdef __ARMEB__
 ENTRY(__get_user_32t_8)
@@ -91,6 +95,7 @@ ENTRY(__get_user_32t_8)
        mov     r0, #0
        ret     lr
 ENDPROC(__get_user_32t_8)
+_ASM_NOKPROBE(__get_user_32t_8)
 ENTRY(__get_user_64t_1)
        check_uaccess r0, 1, r1, r2, __get_user_bad8
@@ -98,6 +103,7 @@ ENTRY(__get_user_64t_1)
        mov     r0, #0
        ret     lr
 ENDPROC(__get_user_64t_1)
+_ASM_NOKPROBE(__get_user_64t_1)
 ENTRY(__get_user_64t_2)
        check_uaccess r0, 2, r1, r2, __get_user_bad8
@@ -114,6 +120,7 @@ rb	.req	r0
        mov     r0, #0
        ret     lr
 ENDPROC(__get_user_64t_2)
+_ASM_NOKPROBE(__get_user_64t_2)
 ENTRY(__get_user_64t_4)
        check_uaccess r0, 4, r1, r2, __get_user_bad8
@@ -121,6 +128,7 @@ ENTRY(__get_user_64t_4)
        mov     r0, #0
        ret     lr
 ENDPROC(__get_user_64t_4)
+_ASM_NOKPROBE(__get_user_64t_4)
 #endif
 __get_user_bad8:
@@ -131,6 +139,8 @@ __get_user_bad:
        ret     lr
 ENDPROC(__get_user_bad)
 ENDPROC(__get_user_bad8)
+_ASM_NOKPROBE(__get_user_bad)
+_ASM_NOKPROBE(__get_user_bad8)
 .pushsection __ex_table, "a"
        .long   1b, __get_user_bad
diff --git a/arch/arm/mach-davinci/devices-da8xx.c b/arch/arm/mach-davinci/devices-da8xx.c
index cf432868e990..d6b6f96246fd 100644
--- a/arch/arm/mach-davinci/devices-da8xx.c
+++ b/arch/arm/mach-davinci/devices-da8xx.c
@@ -841,6 +841,8 @@ static struct platform_device da8xx_dsp = {
        .resource       = da8xx_rproc_resources,
 };
+static bool rproc_mem_inited __initdata;
 #if IS_ENABLED(CONFIG_DA8XX_REMOTEPROC)
 static phys_addr_t rproc_base __initdata;
@@ -879,6 +881,8 @@ void __init da8xx_rproc_reserve_cma(void)
        ret = dma_declare_contiguous(&da8xx_dsp.dev, rproc_size, rproc_base, 0);
        if (ret)
                pr_err("%s: dma_declare_contiguous failed %d\n", __func__, ret);
+        else
+                rproc_mem_inited = true;
 }
 #else
@@ -893,6 +897,12 @@ int __init da8xx_register_rproc(void)
 {
        int ret;
+        if (!rproc_mem_inited) {
+                pr_warn("%s: memory not reserved for DSP, not registering DSP device\n",
+                        __func__);
+                return -ENOMEM;
+        }
        ret = platform_device_register(&da8xx_dsp);
        if (ret)
                pr_err("%s: can't register DSP device: %d\n", __func__, ret);
diff --git a/arch/arm/mach-imx/cpu.c b/arch/arm/mach-imx/cpu.c
index 5b0f752d5507..24be631e487d 100644
--- a/arch/arm/mach-imx/cpu.c
+++ b/arch/arm/mach-imx/cpu.c
@@ -133,6 +133,9 @@ struct device * __init imx_soc_device_init(void)
        case MXC_CPU_IMX6UL:
                soc_id = "i.MX6UL";
                break;
+        case MXC_CPU_IMX6ULL:
+                soc_id = "i.MX6ULL";
+                break;
        case MXC_CPU_IMX7D:
                soc_id = "i.MX7D";
                break;
diff --git a/arch/arm/mach-imx/mxc.h b/arch/arm/mach-imx/mxc.h
index a5b1af6d7441..478cd91d0885 100644
--- a/arch/arm/mach-imx/mxc.h
+++ b/arch/arm/mach-imx/mxc.h
@@ -39,6 +39,7 @@
 #define MXC_CPU_IMX6SX          0x62
 #define MXC_CPU_IMX6Q           0x63
 #define MXC_CPU_IMX6UL          0x64
+#define MXC_CPU_IMX6ULL         0x65
 #define MXC_CPU_IMX7D           0x72
 #define IMX_DDR_TYPE_LPDDR2             1
@@ -171,6 +172,11 @@ static inline bool cpu_is_imx6ul(void)
        return __mxc_cpu_type == MXC_CPU_IMX6UL;
 }
+static inline bool cpu_is_imx6ull(void)
+{
+        return __mxc_cpu_type == MXC_CPU_IMX6ULL;
+}
 static inline bool cpu_is_imx6q(void)
 {
        return __mxc_cpu_type == MXC_CPU_IMX6Q;
diff --git a/arch/arm/mach-mvebu/Kconfig b/arch/arm/mach-mvebu/Kconfig
index e20fc4178b15..1c8a6098a2ca 100644
--- a/arch/arm/mach-mvebu/Kconfig
+++ b/arch/arm/mach-mvebu/Kconfig
@@ -37,7 +37,7 @@ config MACH_ARMADA_370
 config MACH_ARMADA_375
        bool "Marvell Armada 375 boards" if ARCH_MULTI_V7
        select ARM_ERRATA_720789
-        select ARM_ERRATA_753970
+        select PL310_ERRATA_753970
        select ARM_GIC
        select ARMADA_375_CLK
        select HAVE_ARM_SCU
@@ -52,7 +52,7 @@ config MACH_ARMADA_375
 config MACH_ARMADA_38X
        bool "Marvell Armada 380/385 boards" if ARCH_MULTI_V7
        select ARM_ERRATA_720789
-        select ARM_ERRATA_753970
+        select PL310_ERRATA_753970
        select ARM_GIC
        select ARMADA_38X_CLK
        select HAVE_ARM_SCU
diff --git a/arch/arm/mach-omap1/clock.c b/arch/arm/mach-omap1/clock.c
index 4f5fd4a084c0..034b89499bd7 100644
--- a/arch/arm/mach-omap1/clock.c
+++ b/arch/arm/mach-omap1/clock.c
@@ -1031,17 +1031,17 @@ static int clk_debugfs_register_one(struct clk *c)
                return -ENOMEM;
        c->dent = d;
-        d = debugfs_create_u8("usecount", S_IRUGO, c->dent, (u8 *)&c->usecount);
+        d = debugfs_create_u8("usecount", S_IRUGO, c->dent, &c->usecount);
        if (!d) {
                err = -ENOMEM;
                goto err_out;
        }
-        d = debugfs_create_u32("rate", S_IRUGO, c->dent, (u32 *)&c->rate);
+        d = debugfs_create_ulong("rate", S_IRUGO, c->dent, &c->rate);
        if (!d) {
                err = -ENOMEM;
                goto err_out;
        }
-        d = debugfs_create_x32("flags", S_IRUGO, c->dent, (u32 *)&c->flags);
+        d = debugfs_create_x8("flags", S_IRUGO, c->dent, &c->flags);
        if (!d) {
                err = -ENOMEM;
                goto err_out;
diff --git a/arch/arm/mach-omap2/omap-secure.c b/arch/arm/mach-omap2/omap-secure.c
index 5ac122e88f67..fa7f308c9027 100644
--- a/arch/arm/mach-omap2/omap-secure.c
+++ b/arch/arm/mach-omap2/omap-secure.c
@@ -73,6 +73,27 @@ phys_addr_t omap_secure_ram_mempool_base(void)
        return omap_secure_memblock_base;
 }
+#if defined(CONFIG_ARCH_OMAP3) && defined(CONFIG_PM)
+u32 omap3_save_secure_ram(void __iomem *addr, int size)
+{
+        u32 ret;
+        u32 param[5];
+        if (size != OMAP3_SAVE_SECURE_RAM_SZ)
+                return OMAP3_SAVE_SECURE_RAM_SZ;
+        param[0] = 4;           /* Number of arguments */
+        param[1] = __pa(addr);  /* Physical address for saving */
+        param[2] = 0;
+        param[3] = 1;
+        param[4] = 1;
+        ret = save_secure_ram_context(__pa(param));
+        return ret;
+}
+#endif
 /**
 * rx51_secure_dispatcher: Routine to dispatch secure PPA API calls
 * @idx: The PPA API index
diff --git a/arch/arm/mach-omap2/omap-secure.h b/arch/arm/mach-omap2/omap-secure.h
index bae263fba640..c509cde71f93 100644
--- a/arch/arm/mach-omap2/omap-secure.h
+++ b/arch/arm/mach-omap2/omap-secure.h
@@ -31,6 +31,8 @@
 /* Maximum Secure memory storage size */
 #define OMAP_SECURE_RAM_STORAGE (88 * SZ_1K)
+#define OMAP3_SAVE_SECURE_RAM_SZ        0x803F
 /* Secure low power HAL API index */
 #define OMAP4_HAL_SAVESECURERAM_INDEX   0x1a
 #define OMAP4_HAL_SAVEHW_INDEX          0x1b
@@ -65,6 +67,8 @@ extern u32 omap_smc2(u32 id, u32 falg, u32 pargs);
 extern u32 omap_smc3(u32 id, u32 process, u32 flag, u32 pargs);
 extern phys_addr_t omap_secure_ram_mempool_base(void);
 extern int omap_secure_ram_reserve_memblock(void);
+extern u32 save_secure_ram_context(u32 args_pa);
+extern u32 omap3_save_secure_ram(void __iomem *save_regs, int size);
 extern u32 rx51_secure_dispatcher(u32 idx, u32 process, u32 flag, u32 nargs,
                                  u32 arg1, u32 arg2, u32 arg3, u32 arg4);
diff --git a/arch/arm/mach-omap2/pm.c b/arch/arm/mach-omap2/pm.c
index 66e0003073fa..93c75b548415 100644
--- a/arch/arm/mach-omap2/pm.c
+++ b/arch/arm/mach-omap2/pm.c
@@ -226,7 +226,7 @@ static void omap_pm_end(void)
        cpu_idle_poll_ctrl(false);
 }
-static void omap_pm_finish(void)
+static void omap_pm_wake(void)
 {
        if (cpu_is_omap34xx())
                omap_prcm_irq_complete();
@@ -236,7 +236,7 @@ static const struct platform_suspend_ops omap_pm_ops = {
        .begin          = omap_pm_begin,
        .end            = omap_pm_end,
        .enter          = omap_pm_enter,
-        .finish         = omap_pm_finish,
+        .wake           = omap_pm_wake,
        .valid          = suspend_valid_only_mem,
 };
diff --git a/arch/arm/mach-omap2/pm.h b/arch/arm/mach-omap2/pm.h
index 2f9649b89053..6f26371ba80f 100644
--- a/arch/arm/mach-omap2/pm.h
+++ b/arch/arm/mach-omap2/pm.h
@@ -86,10 +86,6 @@ struct am33xx_pm_platform_data *am33xx_pm_get_pdata(void);
 extern struct am33xx_pm_sram_addr am33xx_pm_sram;
 extern struct am33xx_pm_sram_addr am43xx_pm_sram;
-/* save_secure_ram_context function pointer and size, for copy to SRAM */
-extern int save_secure_ram_context(u32 *addr);
-extern unsigned int save_secure_ram_context_sz;
 extern void omap3_save_scratchpad_contents(void);
 #define PM_RTA_ERRATUM_i608             (1 << 0)
diff --git a/arch/arm/mach-omap2/pm34xx.c b/arch/arm/mach-omap2/pm34xx.c
index 2dbd3785ee6f..181da202f981 100644
--- a/arch/arm/mach-omap2/pm34xx.c
+++ b/arch/arm/mach-omap2/pm34xx.c
@@ -48,6 +48,7 @@
 #include "prm3xxx.h"
 #include "pm.h"
 #include "sdrc.h"
+#include "omap-secure.h"
 #include "sram.h"
 #include "control.h"
 #include "vc.h"
@@ -66,7 +67,6 @@ struct power_state {
 static LIST_HEAD(pwrst_list);
-static int (*_omap_save_secure_sram)(u32 *addr);
 void (*omap3_do_wfi_sram)(void);
 static struct powerdomain *mpu_pwrdm, *neon_pwrdm;
@@ -121,8 +121,8 @@ static void omap3_save_secure_ram_context(void)
                 * will hang the system.
                 */
                pwrdm_set_next_pwrst(mpu_pwrdm, PWRDM_POWER_ON);
-                ret = _omap_save_secure_sram((u32 *)(unsigned long)
+                ret = omap3_save_secure_ram(omap3_secure_ram_storage,
-                                __pa(omap3_secure_ram_storage));
+                                            OMAP3_SAVE_SECURE_RAM_SZ);
                pwrdm_set_next_pwrst(mpu_pwrdm, mpu_next_state);
                /* Following is for error tracking, it should not happen */
                if (ret) {
@@ -431,15 +431,10 @@ static int __init pwrdms_setup(struct powerdomain *pwrdm, void *unused)
 *
 * The minimum set of functions is pushed to SRAM for execution:
 * - omap3_do_wfi for erratum i581 WA,
- * - save_secure_ram_context for security extensions.
 */
 void omap_push_sram_idle(void)
 {
        omap3_do_wfi_sram = omap_sram_push(omap3_do_wfi, omap3_do_wfi_sz);
-        if (omap_type() != OMAP2_DEVICE_TYPE_GP)
-                _omap_save_secure_sram = omap_sram_push(save_secure_ram_context,
-                                save_secure_ram_context_sz);
 }
 static void __init pm_errata_configure(void)
@@ -551,7 +546,7 @@ int __init omap3_pm_init(void)
        clkdm_add_wkdep(neon_clkdm, mpu_clkdm);
        if (omap_type() != OMAP2_DEVICE_TYPE_GP) {
                omap3_secure_ram_storage =
-                        kmalloc(0x803F, GFP_KERNEL);
+                        kmalloc(OMAP3_SAVE_SECURE_RAM_SZ, GFP_KERNEL);
                if (!omap3_secure_ram_storage)
                        pr_err("Memory allocation failed when allocating for secure sram context\n");
diff --git a/arch/arm/mach-omap2/sleep34xx.S b/arch/arm/mach-omap2/sleep34xx.S
index 1b9f0520dea9..3e0d802c59da 100644
--- a/arch/arm/mach-omap2/sleep34xx.S
+++ b/arch/arm/mach-omap2/sleep34xx.S
@@ -93,20 +93,13 @@ ENTRY(enable_omap3630_toggle_l2_on_restore)
 ENDPROC(enable_omap3630_toggle_l2_on_restore)
 /*
- * Function to call rom code to save secure ram context. This gets
+ * Function to call rom code to save secure ram context.
- * relocated to SRAM, so it can be all in .data section. Otherwise
+ *
- * we need to initialize api_params separately.
+ * r0 = physical address of the parameters
 */
-        .data
-        .align  3
 ENTRY(save_secure_ram_context)
        stmfd   sp!, {r4 - r11, lr}     @ save registers on stack
-        adr     r3, api_params          @ r3 points to parameters
+        mov     r3, r0                  @ physical address of parameters
-        str     r0, [r3,#0x4]           @ r0 has sdram address
-        ldr     r12, high_mask
-        and     r3, r3, r12
-        ldr     r12, sram_phy_addr_mask
-        orr     r3, r3, r12
        mov     r0, #25                 @ set service ID for PPA
        mov     r12, r0                 @ copy secure service ID in r12
        mov     r1, #0                  @ set task id for ROM code in r1
@@ -120,18 +113,7 @@ ENTRY(save_secure_ram_context)
        nop
        nop
        ldmfd   sp!, {r4 - r11, pc}
-        .align
-sram_phy_addr_mask:
-        .word   SRAM_BASE_P
-high_mask:
-        .word   0xffff
-api_params:
-        .word   0x4, 0x0, 0x0, 0x1, 0x1
 ENDPROC(save_secure_ram_context)
-ENTRY(save_secure_ram_context_sz)
-        .word   . - save_secure_ram_context
-        .text
 /*
 * ======================
diff --git a/arch/arm/mach-omap2/timer.c b/arch/arm/mach-omap2/timer.c
index a67af98e532b..a15116080047 100644
--- a/arch/arm/mach-omap2/timer.c
+++ b/arch/arm/mach-omap2/timer.c
@@ -156,12 +156,6 @@ static struct clock_event_device clockevent_gpt = {
        .tick_resume            = omap2_gp_timer_shutdown,
 };
-static struct property device_disabled = {
-        .name = "status",
-        .length = sizeof("disabled"),
-        .value = "disabled",
-};
 static const struct of_device_id omap_timer_match[] __initconst = {
        { .compatible = "ti,omap2420-timer", },
        { .compatible = "ti,omap3430-timer", },
@@ -203,8 +197,17 @@ static struct device_node * __init omap_get_timer_dt(const struct of_device_id *
                                  of_get_property(np, "ti,timer-secure", NULL)))
                        continue;
-                if (!of_device_is_compatible(np, "ti,omap-counter32k"))
+                if (!of_device_is_compatible(np, "ti,omap-counter32k")) {
-                        of_add_property(np, &device_disabled);
+                        struct property *prop;
+                        prop = kzalloc(sizeof(*prop), GFP_KERNEL);
+                        if (!prop)
+                                return NULL;
+                        prop->name = "status";
+                        prop->value = "disabled";
+                        prop->length = strlen(prop->value);
+                        of_add_property(np, prop);
+                }
                return np;
        }
diff --git a/arch/arm/mach-pxa/tosa-bt.c b/arch/arm/mach-pxa/tosa-bt.c
index e0a53208880a..b59a7a2df4e3 100644
--- a/arch/arm/mach-pxa/tosa-bt.c
+++ b/arch/arm/mach-pxa/tosa-bt.c
@@ -132,3 +132,7 @@ static struct platform_driver tosa_bt_driver = {
        },
 };
 module_platform_driver(tosa_bt_driver);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Dmitry Baryshkov");
+MODULE_DESCRIPTION("Bluetooth built-in chip control");
diff --git a/arch/arm/mach-tegra/Kconfig b/arch/arm/mach-tegra/Kconfig
index 0fa4c5f8b1be..2d43357d4a0a 100644
--- a/arch/arm/mach-tegra/Kconfig
+++ b/arch/arm/mach-tegra/Kconfig
@@ -12,8 +12,6 @@ menuconfig ARCH_TEGRA
        select ARCH_HAS_RESET_CONTROLLER
        select RESET_CONTROLLER
        select SOC_BUS
-        select USB_ULPI if USB_PHY
-        select USB_ULPI_VIEWPORT if USB_PHY
        help
          This enables support for NVIDIA Tegra based systems.
diff --git a/arch/arm/plat-omap/dmtimer.c b/arch/arm/plat-omap/dmtimer.c
index 4c48b52c4a7c..6c786b25ed74 100644
--- a/arch/arm/plat-omap/dmtimer.c
+++ b/arch/arm/plat-omap/dmtimer.c
@@ -861,11 +861,8 @@ static int omap_dm_timer_probe(struct platform_device *pdev)
        timer->irq = irq->start;
        timer->pdev = pdev;
-        /* Skip pm_runtime_enable for OMAP1 */
+        pm_runtime_enable(dev);
-        if (!(timer->capability & OMAP_TIMER_NEEDS_RESET)) {
+        pm_runtime_irq_safe(dev);
-                pm_runtime_enable(dev);
-                pm_runtime_irq_safe(dev);
-        }
        if (!timer->reserved) {
                ret = pm_runtime_get_sync(dev);
diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
index bcdecc25461b..b2aa9b32bff2 100644
--- a/arch/arm/probes/kprobes/opt-arm.c
+++ b/arch/arm/probes/kprobes/opt-arm.c
@@ -165,13 +165,14 @@ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs)
 {
        unsigned long flags;
        struct kprobe *p = &op->kp;
-        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+        struct kprobe_ctlblk *kcb;
        /* Save skipped registers */
        regs->ARM_pc = (unsigned long)op->kp.addr;
        regs->ARM_ORIG_r0 = ~0UL;
        local_irq_save(flags);
+        kcb = get_kprobe_ctlblk();
        if (kprobe_running()) {
                kprobes_inc_nmissed_count(&op->kp);
@@ -191,6 +192,7 @@ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs)
        local_irq_restore(flags);
 }
+NOKPROBE_SYMBOL(optimized_callback)
 int arch_prepare_optimized_kprobe(struct optimized_kprobe *op, struct kprobe *orig)
 {
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 703b7f921806..2c4babb4c9f1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -57,6 +57,7 @@ config ARM64
        select HAVE_ARCH_SECCOMP_FILTER
        select HAVE_ARCH_TRACEHOOK
        select HAVE_BPF_JIT
+        select HAVE_EBPF_JIT
        select HAVE_C_RECORDMCOUNT
        select HAVE_CC_STACKPROTECTOR
        select HAVE_CMPXCHG_DOUBLE
@@ -395,6 +396,20 @@ config ARM64_ERRATUM_843419
          If unsure, say Y.
+config ARM64_ERRATUM_1024718
+        bool "Cortex-A55: 1024718: Update of DBM/AP bits without break before make might result in incorrect update"
+        default y
+        help
+          This option adds work around for Arm Cortex-A55 Erratum 1024718.
+          Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect
+          update of the hardware dirty bit when the DBM/AP bits are updated
+          without a break-before-make. The work around is to disable the usage
+          of hardware DBM locally on the affected cores. CPUs not affected by
+          erratum will continue to use the feature.
+          If unsure, say Y.
 config CAVIUM_ERRATUM_22375
        bool "Cavium erratum 22375, 24313"
        default y
@@ -910,7 +925,7 @@ source "fs/Kconfig.binfmt"
 config COMPAT
        bool "Kernel support for 32-bit EL0"
        depends on ARM64_4K_PAGES || EXPERT
-        select COMPAT_BINFMT_ELF
+        select COMPAT_BINFMT_ELF if BINFMT_ELF
        select HAVE_UID16
        select OLD_SIGSUSPEND3
        select COMPAT_OLD_SIGACTION
diff --git a/arch/arm64/Kconfig.platforms b/arch/arm64/Kconfig.platforms
index 4043c35962cc..5edb50772c11 100644
--- a/arch/arm64/Kconfig.platforms
+++ b/arch/arm64/Kconfig.platforms
@@ -90,8 +90,6 @@ config ARCH_TEGRA_132_SOC
        bool "NVIDIA Tegra132 SoC"
        depends on ARCH_TEGRA
        select PINCTRL_TEGRA124
-        select USB_ULPI if USB_PHY
-        select USB_ULPI_VIEWPORT if USB_PHY
        help
          Enable support for NVIDIA Tegra132 SoC, based on the Denver
          ARMv8 CPU.  The Tegra132 SoC is similar to the Tegra124 SoC,
diff --git a/arch/arm64/boot/dts/mediatek/mt8173.dtsi b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
index 4dd5f93d0303..7f42b646d528 100644
--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
@@ -54,6 +54,7 @@
                        reg = <0x000>;
                        enable-method = "psci";
                        cpu-idle-states = <&CPU_SLEEP_0>;
+                        #cooling-cells = <2>;
                };
                cpu1: cpu@1 {
@@ -70,6 +71,7 @@
                        reg = <0x100>;
                        enable-method = "psci";
                        cpu-idle-states = <&CPU_SLEEP_0>;
+                        #cooling-cells = <2>;
                };
                cpu3: cpu@101 {
diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h
index 290e13428f4a..4fd2fe7a5525 100644
--- a/arch/arm64/include/asm/assembler.h
+++ b/arch/arm64/include/asm/assembler.h
@@ -26,6 +26,7 @@
 #include <asm/asm-offsets.h>
 #include <asm/page.h>
 #include <asm/pgtable-hwdef.h>
+#include <asm/cputype.h>
 #include <asm/ptrace.h>
 #include <asm/thread_info.h>
@@ -352,4 +353,43 @@ lr	.req	x30		// link register
        movk    \reg, :abs_g0_nc:\val
        .endm
+/*
+ * Check the MIDR_EL1 of the current CPU for a given model and a range of
+ * variant/revision. See asm/cputype.h for the macros used below.
+ *
+ *      model:          MIDR_CPU_PART of CPU
+ *      rv_min:         Minimum of MIDR_CPU_VAR_REV()
+ *      rv_max:         Maximum of MIDR_CPU_VAR_REV()
+ *      res:            Result register.
+ *      tmp1, tmp2, tmp3: Temporary registers
+ *
+ * Corrupts: res, tmp1, tmp2, tmp3
+ * Returns:  0, if the CPU id doesn't match. Non-zero otherwise
+ */
+        .macro  cpu_midr_match model, rv_min, rv_max, res, tmp1, tmp2, tmp3
+        mrs             \res, midr_el1
+        mov_q           \tmp1, (MIDR_REVISION_MASK | MIDR_VARIANT_MASK)
+        mov_q           \tmp2, MIDR_CPU_PART_MASK
+        and             \tmp3, \res, \tmp2      // Extract model
+        and             \tmp1, \res, \tmp1      // rev & variant
+        mov_q           \tmp2, \model
+        cmp             \tmp3, \tmp2
+        cset            \res, eq
+        cbz             \res, .Ldone\@          // Model matches ?
+        .if (\rv_min != 0)                      // Skip min check if rv_min == 0
+        mov_q           \tmp3, \rv_min
+        cmp             \tmp1, \tmp3
+        cset            \res, ge
+        .endif                                  // \rv_min != 0
+        /* Skip rv_max check if rv_min == rv_max && rv_min != 0 */
+        .if ((\rv_min != \rv_max) || \rv_min == 0)
+        mov_q           \tmp2, \rv_max
+        cmp             \tmp1, \tmp2
+        cset            \tmp2, le
+        and             \res, \res, \tmp2
+        .endif
+.Ldone\@:
+        .endm
 #endif  /* __ASM_ASSEMBLER_H */
diff --git a/arch/arm64/include/asm/atomic_lse.h b/arch/arm64/include/asm/atomic_lse.h
index 39c1d340fec5..a000e47d5016 100644
--- a/arch/arm64/include/asm/atomic_lse.h
+++ b/arch/arm64/include/asm/atomic_lse.h
@@ -114,7 +114,7 @@ static inline void atomic_and(int i, atomic_t *v)
        /* LSE atomics */
        "       mvn     %w[i], %w[i]\n"
        "       stclr   %w[i], %[v]")
-        : [i] "+r" (w0), [v] "+Q" (v->counter)
+        : [i] "+&r" (w0), [v] "+Q" (v->counter)
        : "r" (x1)
        : __LL_SC_CLOBBERS);
 }
@@ -131,7 +131,7 @@ static inline void atomic_sub(int i, atomic_t *v)
        /* LSE atomics */
        "       neg     %w[i], %w[i]\n"
        "       stadd   %w[i], %[v]")
-        : [i] "+r" (w0), [v] "+Q" (v->counter)
+        : [i] "+&r" (w0), [v] "+Q" (v->counter)
        : "r" (x1)
        : __LL_SC_CLOBBERS);
 }
@@ -151,7 +151,7 @@ static inline int atomic_sub_return##name(int i, atomic_t *v)		\
        "       neg     %w[i], %w[i]\n"                                 \
        "       ldadd" #mb "    %w[i], w30, %[v]\n"                     \
        "       add     %w[i], %w[i], w30")                             \
-        : [i] "+r" (w0), [v] "+Q" (v->counter)                          \
+        : [i] "+&r" (w0), [v] "+Q" (v->counter)                         \
        : "r" (x1)                                                      \
        : __LL_SC_CLOBBERS , ##cl);                                     \
                                                                        \
@@ -255,7 +255,7 @@ static inline void atomic64_and(long i, atomic64_t *v)
        /* LSE atomics */
        "       mvn     %[i], %[i]\n"
        "       stclr   %[i], %[v]")
-        : [i] "+r" (x0), [v] "+Q" (v->counter)
+        : [i] "+&r" (x0), [v] "+Q" (v->counter)
        : "r" (x1)
        : __LL_SC_CLOBBERS);
 }
@@ -272,7 +272,7 @@ static inline void atomic64_sub(long i, atomic64_t *v)
        /* LSE atomics */
        "       neg     %[i], %[i]\n"
        "       stadd   %[i], %[v]")
-        : [i] "+r" (x0), [v] "+Q" (v->counter)
+        : [i] "+&r" (x0), [v] "+Q" (v->counter)
        : "r" (x1)
        : __LL_SC_CLOBBERS);
 }
@@ -292,7 +292,7 @@ static inline long atomic64_sub_return##name(long i, atomic64_t *v)	\
        "       neg     %[i], %[i]\n"                                   \
        "       ldadd" #mb "    %[i], x30, %[v]\n"                      \
        "       add     %[i], %[i], x30")                               \
-        : [i] "+r" (x0), [v] "+Q" (v->counter)                          \
+        : [i] "+&r" (x0), [v] "+Q" (v->counter)                         \
        : "r" (x1)                                                      \
        : __LL_SC_CLOBBERS, ##cl);                                      \
                                                                        \
@@ -412,7 +412,7 @@ static inline long __cmpxchg_double##name(unsigned long old1,		\
        "       eor     %[old1], %[old1], %[oldval1]\n"                 \
        "       eor     %[old2], %[old2], %[oldval2]\n"                 \
        "       orr     %[old1], %[old1], %[old2]")                     \
-        : [old1] "+r" (x0), [old2] "+r" (x1),                           \
+        : [old1] "+&r" (x0), [old2] "+&r" (x1),                         \
          [v] "+Q" (*(unsigned long *)ptr)                              \
        : [new1] "r" (x2), [new2] "r" (x3), [ptr] "r" (x4),             \
          [oldval1] "r" (oldval1), [oldval2] "r" (oldval2)              \
diff --git a/arch/arm64/include/asm/bug.h b/arch/arm64/include/asm/bug.h
index 561190d15881..0bfe1df12b19 100644
--- a/arch/arm64/include/asm/bug.h
+++ b/arch/arm64/include/asm/bug.h
@@ -20,9 +20,6 @@
 #include <asm/brk-imm.h>
-#ifdef CONFIG_GENERIC_BUG
-#define HAVE_ARCH_BUG
 #ifdef CONFIG_DEBUG_BUGVERBOSE
 #define _BUGVERBOSE_LOCATION(file, line) __BUGVERBOSE_LOCATION(file, line)
 #define __BUGVERBOSE_LOCATION(file, line)                               \
@@ -36,28 +33,36 @@
 #define _BUGVERBOSE_LOCATION(file, line)
 #endif
-#define _BUG_FLAGS(flags) __BUG_FLAGS(flags)
+#ifdef CONFIG_GENERIC_BUG
-#define __BUG_FLAGS(flags) asm volatile (               \
+#define __BUG_ENTRY(flags)                              \
                ".pushsection __bug_table,\"a\"\n\t"    \
                ".align 2\n\t"                          \
        "0:     .long 1f - 0b\n\t"                      \
 _BUGVERBOSE_LOCATION(__FILE__, __LINE__)                \
                ".short " #flags "\n\t"                 \
                ".popsection\n"                         \
-                                                        \
+        "1:     "
-        "1:     brk %[imm]"                             \
+#else
-                :: [imm] "i" (BUG_BRK_IMM)              \
+#define __BUG_ENTRY(flags) ""
-)
+#endif
+#define __BUG_FLAGS(flags)                              \
+        asm volatile (                                  \
+                __BUG_ENTRY(flags)                      \
+                "brk %[imm]" :: [imm] "i" (BUG_BRK_IMM) \
+        );
-#define BUG() do {                              \
-        _BUG_FLAGS(0);                          \
+#define BUG() do {                                      \
-        unreachable();                          \
+        __BUG_FLAGS(0);                                 \
+        unreachable();                                  \
 } while (0)
-#define __WARN_TAINT(taint) _BUG_FLAGS(BUGFLAG_TAINT(taint))
+#define __WARN_TAINT(taint)                             \
+        __BUG_FLAGS(BUGFLAG_TAINT(taint))
-#endif /* ! CONFIG_GENERIC_BUG */
+#define HAVE_ARCH_BUG
 #include <asm-generic/bug.h>
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index b3a83da152a7..8042c98ec040 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -51,7 +51,15 @@
 #define MIDR_IMPLEMENTOR(midr)  \
        (((midr) & MIDR_IMPLEMENTOR_MASK) >> MIDR_IMPLEMENTOR_SHIFT)
-#define MIDR_CPU_MODEL(imp, partnum) \
+#define MIDR_CPU_VAR_REV(var, rev) \
+        (((var) << MIDR_VARIANT_SHIFT) | (rev))
+#define MIDR_CPU_PART_MASK        \
+        (MIDR_IMPLEMENTOR_MASK  | \
+         MIDR_ARCHITECTURE_MASK | \
+         MIDR_PARTNUM_MASK)
+#define MIDR_CPU_PART(imp, partnum) \
        (((imp)                 << MIDR_IMPLEMENTOR_SHIFT) | \
        (0xf                    << MIDR_ARCHITECTURE_SHIFT) | \
        ((partnum)              << MIDR_PARTNUM_SHIFT))
@@ -75,14 +83,16 @@
 #define ARM_CPU_PART_FOUNDATION         0xD00
 #define ARM_CPU_PART_CORTEX_A57         0xD07
 #define ARM_CPU_PART_CORTEX_A53         0xD03
+#define ARM_CPU_PART_CORTEX_A55         0xD05
 #define APM_CPU_PART_POTENZA            0x000
 #define CAVIUM_CPU_PART_THUNDERX        0x0A1
-#define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53)
+#define MIDR_CORTEX_A53 MIDR_CPU_PART(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53)
-#define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57)
+#define MIDR_CORTEX_A55 MIDR_CPU_PART(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55)
-#define MIDR_THUNDERX   MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
+#define MIDR_CORTEX_A57 MIDR_CPU_PART(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57)
+#define MIDR_THUNDERX   MIDR_CPU_PART(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
 #ifndef __ASSEMBLY__
diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h
index f2585cdd32c2..764dc2cced4f 100644
--- a/arch/arm64/include/asm/futex.h
+++ b/arch/arm64/include/asm/futex.h
@@ -51,20 +51,10 @@
        : "memory")
 static inline int
-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret, tmp;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
        switch (op) {
@@ -94,17 +84,9 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h
index d776037d199f..eac5a3d38b90 100644
--- a/arch/arm64/include/asm/memory.h
+++ b/arch/arm64/include/asm/memory.h
@@ -48,8 +48,10 @@
 * TASK_UNMAPPED_BASE - the lower boundary of the mmap VM area.
 */
 #define VA_BITS                 (CONFIG_ARM64_VA_BITS)
-#define VA_START                (UL(0xffffffffffffffff) << VA_BITS)
+#define VA_START                (UL(0xffffffffffffffff) - \
-#define PAGE_OFFSET             (UL(0xffffffffffffffff) << (VA_BITS - 1))
+        (UL(1) << VA_BITS) + 1)
+#define PAGE_OFFSET             (UL(0xffffffffffffffff) - \
+        (UL(1) << (VA_BITS - 1)) + 1)
 #define KIMAGE_VADDR            (MODULES_END)
 #define MODULES_END             (MODULES_VADDR + MODULES_VSIZE)
 #define MODULES_VADDR           (VA_START + KASAN_SHADOW_SIZE)
diff --git a/arch/arm64/include/asm/spinlock.h b/arch/arm64/include/asm/spinlock.h
index 73f5d548bba1..6d95f5d62d53 100644
--- a/arch/arm64/include/asm/spinlock.h
+++ b/arch/arm64/include/asm/spinlock.h
@@ -123,8 +123,8 @@ static inline int arch_spin_trylock(arch_spinlock_t *lock)
        "       cbnz    %w1, 1f\n"
        "       add     %w1, %w0, %3\n"
        "       casa    %w0, %w1, %2\n"
-        "       and     %w1, %w1, #0xffff\n"
+        "       sub     %w1, %w1, %3\n"
-        "       eor     %w1, %w1, %w0, lsr #16\n"
+        "       eor     %w1, %w1, %w0\n"
        "1:")
        : "=&r" (lockval), "=&r" (tmp), "+Q" (*lock)
        : "I" (1 << TICKET_SHIFT)
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index b62ec1e8a843..22e413293fa3 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -49,7 +49,7 @@ static const char *handler[]= {
        "Error"
 };
-int show_unhandled_signals = 1;
+int show_unhandled_signals = 0;
 /*
 * Dump out the contents of some memory nicely...
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index d23342804230..5feb47778aa5 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -838,3 +838,15 @@ int pmd_clear_huge(pmd_t *pmd)
        pmd_clear(pmd);
        return 1;
 }
+#ifdef CONFIG_HAVE_ARCH_HUGE_VMAP
+int pud_free_pmd_page(pud_t *pud, unsigned long addr)
+{
+        return pud_none(*pud);
+}
+int pmd_free_pte_page(pmd_t *pmd, unsigned long addr)
+{
+        return pmd_none(*pmd);
+}
+#endif
diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
index 9d37e967fa19..178af2dd15c4 100644
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -242,6 +242,11 @@ ENTRY(__cpu_setup)
        cbz     x9, 2f
        cmp     x9, #2
        b.lt    1f
+#ifdef CONFIG_ARM64_ERRATUM_1024718
+        /* Disable hardware DBM on Cortex-A55 r0p0, r0p1 & r1p0 */
+        cpu_midr_match MIDR_CORTEX_A55, MIDR_CPU_VAR_REV(0, 0), MIDR_CPU_VAR_REV(1, 0), x1, x2, x3, x4
+        cbnz    x1, 1f
+#endif
        orr     x10, x10, #TCR_HD               // hardware Dirty flag update
 1:      orr     x10, x10, #TCR_HA               // hardware Access flag update
 2:
diff --git a/arch/frv/include/asm/futex.h b/arch/frv/include/asm/futex.h
index 4bea27f50a7a..2702bd802d44 100644
--- a/arch/frv/include/asm/futex.h
+++ b/arch/frv/include/asm/futex.h
@@ -7,7 +7,8 @@
 #include <asm/errno.h>
 #include <asm/uaccess.h>
-extern int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr);
+extern int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+                u32 __user *uaddr);
 static inline int
 futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
diff --git a/arch/frv/include/asm/timex.h b/arch/frv/include/asm/timex.h
index a89bddefdacf..139093fab326 100644
--- a/arch/frv/include/asm/timex.h
+++ b/arch/frv/include/asm/timex.h
@@ -16,5 +16,11 @@ static inline cycles_t get_cycles(void)
 #define vxtime_lock()           do {} while (0)
 #define vxtime_unlock()         do {} while (0)
+/* This attribute is used in include/linux/jiffies.h alongside with
+ * __cacheline_aligned_in_smp. It is assumed that __cacheline_aligned_in_smp
+ * for frv does not contain another section specification.
+ */
+#define __jiffy_arch_data       __attribute__((__section__(".data")))
 #endif
diff --git a/arch/frv/kernel/futex.c b/arch/frv/kernel/futex.c
index d155ca9e5098..37f7b2bf7f73 100644
--- a/arch/frv/kernel/futex.c
+++ b/arch/frv/kernel/futex.c
@@ -186,20 +186,10 @@ static inline int atomic_futex_op_xchg_xor(int oparg, u32 __user *uaddr, int *_o
 /*
 * do the futex operations
 */
-int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
        switch (op) {
@@ -225,18 +215,9 @@ int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS; break;
-                }
-        }
        return ret;
-} /* end futex_atomic_op_inuser() */
+} /* end arch_futex_atomic_op_inuser() */
diff --git a/arch/hexagon/include/asm/futex.h b/arch/hexagon/include/asm/futex.h
index 7e597f8434da..c607b77c8215 100644
--- a/arch/hexagon/include/asm/futex.h
+++ b/arch/hexagon/include/asm/futex.h
@@ -31,18 +31,9 @@
 static inline int
-futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
+arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
-                return -EFAULT;
        pagefault_disable();
@@ -72,30 +63,9 @@ futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ:
-                        ret = (oldval == cmparg);
-                        break;
-                case FUTEX_OP_CMP_NE:
-                        ret = (oldval != cmparg);
-                        break;
-                case FUTEX_OP_CMP_LT:
-                        ret = (oldval < cmparg);
-                        break;
-                case FUTEX_OP_CMP_GE:
-                        ret = (oldval >= cmparg);
-                        break;
-                case FUTEX_OP_CMP_LE:
-                        ret = (oldval <= cmparg);
-                        break;
-                case FUTEX_OP_CMP_GT:
-                        ret = (oldval > cmparg);
-                        break;
-                default:
-                        ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/ia64/include/asm/futex.h b/arch/ia64/include/asm/futex.h
index 76acbcd5c060..6d67dc1eaf2b 100644
--- a/arch/ia64/include/asm/futex.h
+++ b/arch/ia64/include/asm/futex.h
@@ -45,18 +45,9 @@ do {									\
 } while (0)
 static inline int
-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (! access_ok (VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
@@ -84,17 +75,9 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
index b15933c31b2f..36b2c94a8eb5 100644
--- a/arch/ia64/kernel/module.c
+++ b/arch/ia64/kernel/module.c
@@ -153,7 +153,7 @@ slot (const struct insn *insn)
 static int
 apply_imm64 (struct module *mod, struct insn *insn, uint64_t val)
 {
-        if (slot(insn) != 2) {
+        if (slot(insn) != 1 && slot(insn) != 2) {
                printk(KERN_ERR "%s: invalid slot number %d for IMM64\n",
                       mod->name, slot(insn));
                return 0;
@@ -165,7 +165,7 @@ apply_imm64 (struct module *mod, struct insn *insn, uint64_t val)
 static int
 apply_imm60 (struct module *mod, struct insn *insn, uint64_t val)
 {
-        if (slot(insn) != 2) {
+        if (slot(insn) != 1 && slot(insn) != 2) {
                printk(KERN_ERR "%s: invalid slot number %d for IMM60\n",
                       mod->name, slot(insn));
                return 0;
diff --git a/arch/m68k/coldfire/device.c b/arch/m68k/coldfire/device.c
index 71ea4c02795d..8a2dc0af4cad 100644
--- a/arch/m68k/coldfire/device.c
+++ b/arch/m68k/coldfire/device.c
@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 = {
        .id                     = 0,
        .num_resources          = ARRAY_SIZE(mcf_fec0_resources),
        .resource               = mcf_fec0_resources,
-        .dev.platform_data      = FEC_PDATA,
+        .dev = {
+                .dma_mask               = &mcf_fec0.dev.coherent_dma_mask,
+                .coherent_dma_mask      = DMA_BIT_MASK(32),
+                .platform_data          = FEC_PDATA,
+        }
 };
 #ifdef MCFFEC_BASE1
@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 = {
        .id                     = 1,
        .num_resources          = ARRAY_SIZE(mcf_fec1_resources),
        .resource               = mcf_fec1_resources,
-        .dev.platform_data      = FEC_PDATA,
+        .dev = {
+                .dma_mask               = &mcf_fec1.dev.coherent_dma_mask,
+                .coherent_dma_mask      = DMA_BIT_MASK(32),
+                .platform_data          = FEC_PDATA,
+        }
 };
 #endif /* MCFFEC_BASE1 */
 #endif /* CONFIG_FEC */
diff --git a/arch/m68k/mm/kmap.c b/arch/m68k/mm/kmap.c
index 6e4955bc542b..fcd52cefee29 100644
--- a/arch/m68k/mm/kmap.c
+++ b/arch/m68k/mm/kmap.c
@@ -88,7 +88,8 @@ static inline void free_io_area(void *addr)
        for (p = &iolist ; (tmp = *p) ; p = &tmp->next) {
                if (tmp->addr == addr) {
                        *p = tmp->next;
-                        __iounmap(tmp->addr, tmp->size);
+                        /* remove gap added in get_io_area() */
+                        __iounmap(tmp->addr, tmp->size - IO_SIZE);
                        kfree(tmp);
                        return;
                }
diff --git a/arch/microblaze/boot/Makefile b/arch/microblaze/boot/Makefile
index 91d2068da1b9..0f3fe6a151dc 100644
--- a/arch/microblaze/boot/Makefile
+++ b/arch/microblaze/boot/Makefile
@@ -21,17 +21,19 @@ $(obj)/linux.bin.gz: $(obj)/linux.bin FORCE
 quiet_cmd_cp = CP      $< $@$2
        cmd_cp = cat $< >$@$2 || (rm -f $@ && echo false)
-quiet_cmd_strip = STRIP   $@
+quiet_cmd_strip = STRIP   $< $@$2
        cmd_strip = $(STRIP) -K microblaze_start -K _end -K __log_buf \
-                                -K _fdt_start vmlinux -o $@
+                                -K _fdt_start $< -o $@$2
 UIMAGE_LOADADDR = $(CONFIG_KERNEL_BASE_ADDR)
+UIMAGE_IN = $@
+UIMAGE_OUT = $@.ub
 $(obj)/simpleImage.%: vmlinux FORCE
        $(call if_changed,cp,.unstrip)
        $(call if_changed,objcopy)
        $(call if_changed,uimage)
-        $(call if_changed,strip)
+        $(call if_changed,strip,.strip)
-        @echo 'Kernel: $@ is ready' ' (#'`cat .version`')'
+        @echo 'Kernel: $(UIMAGE_OUT) is ready' ' (#'`cat .version`')'
 clean-files += simpleImage.*.unstrip linux.bin.ub dts/*.dtb
diff --git a/arch/microblaze/include/asm/futex.h b/arch/microblaze/include/asm/futex.h
index 01848f056f43..a9dad9e5e132 100644
--- a/arch/microblaze/include/asm/futex.h
+++ b/arch/microblaze/include/asm/futex.h
@@ -29,18 +29,9 @@
 })
 static inline int
-futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
@@ -66,30 +57,9 @@ futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ:
-                        ret = (oldval == cmparg);
-                        break;
-                case FUTEX_OP_CMP_NE:
-                        ret = (oldval != cmparg);
-                        break;
-                case FUTEX_OP_CMP_LT:
-                        ret = (oldval < cmparg);
-                        break;
-                case FUTEX_OP_CMP_GE:
-                        ret = (oldval >= cmparg);
-                        break;
-                case FUTEX_OP_CMP_LE:
-                        ret = (oldval <= cmparg);
-                        break;
-                case FUTEX_OP_CMP_GT:
-                        ret = (oldval > cmparg);
-                        break;
-                default:
-                        ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/mips/ath25/board.c b/arch/mips/ath25/board.c
index 9ab48ff80c1c..6d11ae581ea7 100644
--- a/arch/mips/ath25/board.c
+++ b/arch/mips/ath25/board.c
@@ -135,6 +135,8 @@ int __init ath25_find_config(phys_addr_t base, unsigned long size)
        }
        board_data = kzalloc(BOARD_CONFIG_BUFSZ, GFP_KERNEL);
+        if (!board_data)
+                goto error;
        ath25_board.config = (struct ath25_boarddata *)board_data;
        memcpy_fromio(board_data, bcfg, 0x100);
        if (broken_boarddata) {
diff --git a/arch/mips/ath79/common.c b/arch/mips/ath79/common.c
index 8ae4067a5eda..40ecb6e700cd 100644
--- a/arch/mips/ath79/common.c
+++ b/arch/mips/ath79/common.c
@@ -58,7 +58,7 @@ EXPORT_SYMBOL_GPL(ath79_ddr_ctrl_init);
 void ath79_ddr_wb_flush(u32 reg)
 {
-        void __iomem *flush_reg = ath79_ddr_wb_flush_base + reg;
+        void __iomem *flush_reg = ath79_ddr_wb_flush_base + (reg * 4);
        /* Flush the DDR write buffer. */
        __raw_writel(0x1, flush_reg);
diff --git a/arch/mips/bcm47xx/setup.c b/arch/mips/bcm47xx/setup.c
index 6d38948f0f1e..4ca33175ec05 100644
--- a/arch/mips/bcm47xx/setup.c
+++ b/arch/mips/bcm47xx/setup.c
@@ -249,6 +249,12 @@ static int __init bcm47xx_cpu_fixes(void)
                 */
                if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706)
                        cpu_wait = NULL;
+                /*
+                 * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail"
+                 * Enable ExternalSync for sync instruction to take effect
+                 */
+                set_c0_config7(MIPS_CONF7_ES);
                break;
 #endif
        }
diff --git a/arch/mips/cavium-octeon/octeon-irq.c b/arch/mips/cavium-octeon/octeon-irq.c
index 4f9eb0576884..63d35076722d 100644
--- a/arch/mips/cavium-octeon/octeon-irq.c
+++ b/arch/mips/cavium-octeon/octeon-irq.c
@@ -2240,17 +2240,19 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node,
        parent_irq = irq_of_parse_and_map(ciu_node, 0);
        if (!parent_irq) {
-                pr_err("ERROR: Couldn't acquire parent_irq for %s\n.",
+                pr_err("ERROR: Couldn't acquire parent_irq for %s\n",
                        ciu_node->name);
                return -EINVAL;
        }
        host_data = kzalloc(sizeof(*host_data), GFP_KERNEL);
+        if (!host_data)
+                return -ENOMEM;
        raw_spin_lock_init(&host_data->lock);
        addr = of_get_address(ciu_node, 0, NULL, NULL);
        if (!addr) {
-                pr_err("ERROR: Couldn't acquire reg(0) %s\n.", ciu_node->name);
+                pr_err("ERROR: Couldn't acquire reg(0) %s\n", ciu_node->name);
                return -EINVAL;
        }
        host_data->raw_reg = (u64)phys_to_virt(
@@ -2258,7 +2260,7 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node,
        addr = of_get_address(ciu_node, 1, NULL, NULL);
        if (!addr) {
-                pr_err("ERROR: Couldn't acquire reg(1) %s\n.", ciu_node->name);
+                pr_err("ERROR: Couldn't acquire reg(1) %s\n", ciu_node->name);
                return -EINVAL;
        }
        host_data->en_reg = (u64)phys_to_virt(
@@ -2266,7 +2268,7 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node,
        r = of_property_read_u32(ciu_node, "cavium,max-bits", &val);
        if (r) {
-                pr_err("ERROR: Couldn't read cavium,max-bits from %s\n.",
+                pr_err("ERROR: Couldn't read cavium,max-bits from %s\n",
                        ciu_node->name);
                return r;
        }
@@ -2276,7 +2278,7 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node,
                                           &octeon_irq_domain_cib_ops,
                                           host_data);
        if (!cib_domain) {
-                pr_err("ERROR: Couldn't irq_domain_add_linear()\n.");
+                pr_err("ERROR: Couldn't irq_domain_add_linear()\n");
                return -ENOMEM;
        }
diff --git a/arch/mips/include/asm/futex.h b/arch/mips/include/asm/futex.h
index 1de190bdfb9c..a9e61ea54ca9 100644
--- a/arch/mips/include/asm/futex.h
+++ b/arch/mips/include/asm/futex.h
@@ -83,18 +83,9 @@
 }
 static inline int
-futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (! access_ok (VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
@@ -125,17 +116,9 @@ futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/mips/include/asm/io.h b/arch/mips/include/asm/io.h
index d10fd80dbb7e..75fa296836fc 100644
--- a/arch/mips/include/asm/io.h
+++ b/arch/mips/include/asm/io.h
@@ -411,6 +411,8 @@ static inline type pfx##in##bwlq##p(unsigned long port)			\
        __val = *__addr;                                                \
        slow;                                                           \
                                                                        \
+        /* prevent prefetching of coherent DMA data prematurely */      \
+        rmb();                                                          \
        return pfx##ioswab##bwlq(__addr, __val);                        \
 }
diff --git a/arch/mips/include/asm/kprobes.h b/arch/mips/include/asm/kprobes.h
index daba1f9a4f79..174aedce3167 100644
--- a/arch/mips/include/asm/kprobes.h
+++ b/arch/mips/include/asm/kprobes.h
@@ -40,7 +40,8 @@ typedef union mips_instruction kprobe_opcode_t;
 #define flush_insn_slot(p)                                              \
 do {                                                                    \
-        flush_icache_range((unsigned long)p->addr,                      \
+        if (p->addr)                                                    \
+                flush_icache_range((unsigned long)p->addr,              \
                           (unsigned long)p->addr +                     \
                           (MAX_INSN_SIZE * sizeof(kprobe_opcode_t)));  \
 } while (0)
diff --git a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
index aa3800c82332..d99ca862dae3 100644
--- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
+++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h
@@ -167,7 +167,7 @@
 #define AR71XX_AHB_DIV_MASK             0x7
 #define AR724X_PLL_REG_CPU_CONFIG       0x00
-#define AR724X_PLL_REG_PCIE_CONFIG      0x18
+#define AR724X_PLL_REG_PCIE_CONFIG      0x10
 #define AR724X_PLL_FB_SHIFT             0
 #define AR724X_PLL_FB_MASK              0x3ff
diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h
index e43aca183c99..15c183ce9d4f 100644
--- a/arch/mips/include/asm/mipsregs.h
+++ b/arch/mips/include/asm/mipsregs.h
@@ -605,6 +605,8 @@
 #define MIPS_CONF7_WII          (_ULCAST_(1) << 31)
 #define MIPS_CONF7_RPS          (_ULCAST_(1) << 2)
+/* ExternalSync */
+#define MIPS_CONF7_ES           (_ULCAST_(1) << 8)
 #define MIPS_CONF7_IAR          (_ULCAST_(1) << 10)
 #define MIPS_CONF7_AR           (_ULCAST_(1) << 16)
@@ -2012,6 +2014,7 @@ __BUILD_SET_C0(status)
 __BUILD_SET_C0(cause)
 __BUILD_SET_C0(config)
 __BUILD_SET_C0(config5)
+__BUILD_SET_C0(config7)
 __BUILD_SET_C0(intcontrol)
 __BUILD_SET_C0(intctl)
 __BUILD_SET_C0(srsmap)
diff --git a/arch/mips/include/asm/pci.h b/arch/mips/include/asm/pci.h
index 98c31e5d9579..a7bc901819c8 100644
--- a/arch/mips/include/asm/pci.h
+++ b/arch/mips/include/asm/pci.h
@@ -89,7 +89,7 @@ static inline void pci_resource_to_user(const struct pci_dev *dev, int bar,
        phys_addr_t size = resource_size(rsrc);
        *start = fixup_bigphys_addr(rsrc->start, size);
-        *end = rsrc->start + size;
+        *end = rsrc->start + size - 1;
 }
 /*
diff --git a/arch/mips/include/asm/pgtable-32.h b/arch/mips/include/asm/pgtable-32.h
index 832e2167d00f..ef7c02af7522 100644
--- a/arch/mips/include/asm/pgtable-32.h
+++ b/arch/mips/include/asm/pgtable-32.h
@@ -18,6 +18,10 @@
 #include <asm-generic/pgtable-nopmd.h>
+#ifdef CONFIG_HIGHMEM
+#include <asm/highmem.h>
+#endif
 extern int temp_tlb_entry;
 /*
@@ -61,7 +65,8 @@ extern int add_temporary_entry(unsigned long entrylo0, unsigned long entrylo1,
 #define VMALLOC_START     MAP_BASE
-#define PKMAP_BASE              (0xfe000000UL)
+#define PKMAP_END       ((FIXADDR_START) & ~((LAST_PKMAP << PAGE_SHIFT)-1))
+#define PKMAP_BASE      (PKMAP_END - PAGE_SIZE * LAST_PKMAP)
 #ifdef CONFIG_HIGHMEM
 # define VMALLOC_END    (PKMAP_BASE-2*PAGE_SIZE)
diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
index c74c32ccc647..4f281768937f 100644
--- a/arch/mips/include/asm/uaccess.h
+++ b/arch/mips/include/asm/uaccess.h
@@ -1238,6 +1238,13 @@ __clear_user(void __user *addr, __kernel_size_t size)
 {
        __kernel_size_t res;
+#ifdef CONFIG_CPU_MICROMIPS
+/* micromips memset / bzero also clobbers t7 & t8 */
+#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31"
+#else
+#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"
+#endif /* CONFIG_CPU_MICROMIPS */
        if (eva_kernel_access()) {
                __asm__ __volatile__(
                        "move\t$4, %1\n\t"
@@ -1247,7 +1254,7 @@ __clear_user(void __user *addr, __kernel_size_t size)
                        "move\t%0, $6"
                        : "=r" (res)
                        : "r" (addr), "r" (size)
-                        : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
+                        : bzero_clobbers);
        } else {
                might_fault();
                __asm__ __volatile__(
@@ -1258,7 +1265,7 @@ __clear_user(void __user *addr, __kernel_size_t size)
                        "move\t%0, $6"
                        : "=r" (res)
                        : "r" (addr), "r" (size)
-                        : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
+                        : bzero_clobbers);
        }
        return res;
diff --git a/arch/mips/kernel/mcount.S b/arch/mips/kernel/mcount.S
index 2f7c734771f4..0df911e772ae 100644
--- a/arch/mips/kernel/mcount.S
+++ b/arch/mips/kernel/mcount.S
@@ -116,10 +116,20 @@ ftrace_stub:
 NESTED(_mcount, PT_SIZE, ra)
        PTR_LA  t1, ftrace_stub
        PTR_L   t2, ftrace_trace_function /* Prepare t2 for (1) */
-        bne     t1, t2, static_trace
+        beq     t1, t2, fgraph_trace
         nop
+        MCOUNT_SAVE_REGS
+        move    a0, ra          /* arg1: self return address */
+        jalr    t2              /* (1) call *ftrace_trace_function */
+         move   a1, AT          /* arg2: parent's return address */
+        MCOUNT_RESTORE_REGS
+fgraph_trace:
 #ifdef  CONFIG_FUNCTION_GRAPH_TRACER
+        PTR_LA  t1, ftrace_stub
        PTR_L   t3, ftrace_graph_return
        bne     t1, t3, ftrace_graph_caller
         nop
@@ -128,24 +138,11 @@ NESTED(_mcount, PT_SIZE, ra)
        bne     t1, t3, ftrace_graph_caller
         nop
 #endif
-        b       ftrace_stub
-#ifdef CONFIG_32BIT
-         addiu sp, sp, 8
-#else
-         nop
-#endif
-static_trace:
-        MCOUNT_SAVE_REGS
-        move    a0, ra          /* arg1: self return address */
-        jalr    t2              /* (1) call *ftrace_trace_function */
-         move   a1, AT          /* arg2: parent's return address */
-        MCOUNT_RESTORE_REGS
 #ifdef CONFIG_32BIT
        addiu sp, sp, 8
 #endif
        .globl ftrace_stub
 ftrace_stub:
        RETURN_BACK
diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
index e3384065f5e7..cbe0f025856d 100644
--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
+++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
@@ -1097,10 +1097,20 @@ repeat:
                }
                break;
-        case beql_op:
-        case bnel_op:
        case blezl_op:
        case bgtzl_op:
+                /*
+                 * For BLEZL and BGTZL, rt field must be set to 0. If this
+                 * is not the case, this may be an encoding of a MIPS R6
+                 * instruction, so return to CPU execution if this occurs
+                 */
+                if (MIPSInst_RT(inst)) {
+                        err = SIGILL;
+                        break;
+                }
+                /* fall through */
+        case beql_op:
+        case bnel_op:
                if (delay_slot(regs)) {
                        err = SIGILL;
                        break;
@@ -2330,6 +2340,8 @@ static int mipsr2_stats_clear_show(struct seq_file *s, void *unused)
        __this_cpu_write((mipsr2bremustats).bgezl, 0);
        __this_cpu_write((mipsr2bremustats).bltzll, 0);
        __this_cpu_write((mipsr2bremustats).bgezll, 0);
+        __this_cpu_write((mipsr2bremustats).bltzall, 0);
+        __this_cpu_write((mipsr2bremustats).bgezall, 0);
        __this_cpu_write((mipsr2bremustats).bltzal, 0);
        __this_cpu_write((mipsr2bremustats).bgezal, 0);
        __this_cpu_write((mipsr2bremustats).beql, 0);
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index fcbc4e57d765..354b99f56c1e 100644
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -629,21 +629,48 @@ unsigned long arch_align_stack(unsigned long sp)
        return sp & ALMASK;
 }
+static DEFINE_PER_CPU(struct call_single_data, backtrace_csd);
+static struct cpumask backtrace_csd_busy;
 static void arch_dump_stack(void *info)
 {
        struct pt_regs *regs;
+        static arch_spinlock_t lock = __ARCH_SPIN_LOCK_UNLOCKED;
+        arch_spin_lock(&lock);
        regs = get_irq_regs();
        if (regs)
                show_regs(regs);
+        else
+                dump_stack();
+        arch_spin_unlock(&lock);
-        dump_stack();
+        cpumask_clear_cpu(smp_processor_id(), &backtrace_csd_busy);
 }
 void arch_trigger_all_cpu_backtrace(bool include_self)
 {
-        smp_call_function(arch_dump_stack, NULL, 1);
+        struct call_single_data *csd;
+        int cpu;
+        for_each_cpu(cpu, cpu_online_mask) {
+                /*
+                 * If we previously sent an IPI to the target CPU & it hasn't
+                 * cleared its bit in the busy cpumask then it didn't handle
+                 * our previous IPI & it's not safe for us to reuse the
+                 * call_single_data_t.
+                 */
+                if (cpumask_test_and_set_cpu(cpu, &backtrace_csd_busy)) {
+                        pr_warn("Unable to send backtrace IPI to CPU%u - perhaps it hung?\n",
+                                cpu);
+                        continue;
+                }
+                csd = &per_cpu(backtrace_csd, cpu);
+                csd->func = arch_dump_stack;
+                smp_call_function_single_async(cpu, csd);
+        }
 }
 int mips_get_process_fp_mode(struct task_struct *task)
@@ -680,6 +707,10 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value)
        if (value & ~known_bits)
                return -EOPNOTSUPP;
+        /* Setting FRE without FR is not supported.  */
+        if ((value & (PR_FP_MODE_FR | PR_FP_MODE_FRE)) == PR_FP_MODE_FRE)
+                return -EOPNOTSUPP;
        /* Avoid inadvertently triggering emulation */
        if ((value & PR_FP_MODE_FR) && raw_cpu_has_fpu &&
            !(raw_current_cpu_data.fpu_id & MIPS_FPIR_F64))
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index c3d2d2c05fdb..32fa3ae1a0a6 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -483,7 +483,7 @@ static int fpr_get_msa(struct task_struct *target,
 /*
 * Copy the floating-point context to the supplied NT_PRFPREG buffer.
 * Choose the appropriate helper for general registers, and then copy
- * the FCSR register separately.
+ * the FCSR and FIR registers separately.
 */
 static int fpr_get(struct task_struct *target,
                   const struct user_regset *regset,
@@ -491,6 +491,7 @@ static int fpr_get(struct task_struct *target,
                   void *kbuf, void __user *ubuf)
 {
        const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
+        const int fir_pos = fcr31_pos + sizeof(u32);
        int err;
        if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
@@ -503,6 +504,12 @@ static int fpr_get(struct task_struct *target,
        err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
                                  &target->thread.fpu.fcr31,
                                  fcr31_pos, fcr31_pos + sizeof(u32));
+        if (err)
+                return err;
+        err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+                                  &boot_cpu_data.fpu_id,
+                                  fir_pos, fir_pos + sizeof(u32));
        return err;
 }
@@ -551,7 +558,8 @@ static int fpr_set_msa(struct task_struct *target,
 /*
 * Copy the supplied NT_PRFPREG buffer to the floating-point context.
 * Choose the appropriate helper for general registers, and then copy
- * the FCSR register separately.
+ * the FCSR register separately.  Ignore the incoming FIR register
+ * contents though, as the register is read-only.
 *
 * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
 * which is supposed to have been guaranteed by the kernel before
@@ -565,6 +573,7 @@ static int fpr_set(struct task_struct *target,
                   const void *kbuf, const void __user *ubuf)
 {
        const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
+        const int fir_pos = fcr31_pos + sizeof(u32);
        u32 fcr31;
        int err;
@@ -592,6 +601,11 @@ static int fpr_set(struct task_struct *target,
                ptrace_setfcr31(target, fcr31);
        }
+        if (count > 0)
+                err = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
+                                                fir_pos,
+                                                fir_pos + sizeof(u32));
        return err;
 }
@@ -816,7 +830,7 @@ long arch_ptrace(struct task_struct *child, long request,
                        fregs = get_fpu_regs(child);
 #ifdef CONFIG_32BIT
-                        if (test_thread_flag(TIF_32BIT_FPREGS)) {
+                        if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
                                /*
                                 * The odd registers are actually the high
                                 * order bits of the values stored in the even
@@ -827,7 +841,7 @@ long arch_ptrace(struct task_struct *child, long request,
                                break;
                        }
 #endif
-                        tmp = get_fpr32(&fregs[addr - FPR_BASE], 0);
+                        tmp = get_fpr64(&fregs[addr - FPR_BASE], 0);
                        break;
                case PC:
                        tmp = regs->cp0_epc;
@@ -905,7 +919,7 @@ long arch_ptrace(struct task_struct *child, long request,
                        init_fp_ctx(child);
 #ifdef CONFIG_32BIT
-                        if (test_thread_flag(TIF_32BIT_FPREGS)) {
+                        if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
                                /*
                                 * The odd registers are actually the high
                                 * order bits of the values stored in the even
diff --git a/arch/mips/kernel/ptrace32.c b/arch/mips/kernel/ptrace32.c
index 283b5a1967d1..d95117e71f69 100644
--- a/arch/mips/kernel/ptrace32.c
+++ b/arch/mips/kernel/ptrace32.c
@@ -97,7 +97,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
                                break;
                        }
                        fregs = get_fpu_regs(child);
-                        if (test_thread_flag(TIF_32BIT_FPREGS)) {
+                        if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
                                /*
                                 * The odd registers are actually the high
                                 * order bits of the values stored in the even
@@ -107,7 +107,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
                                                addr & 1);
                                break;
                        }
-                        tmp = get_fpr32(&fregs[addr - FPR_BASE], 0);
+                        tmp = get_fpr64(&fregs[addr - FPR_BASE], 0);
                        break;
                case PC:
                        tmp = regs->cp0_epc;
@@ -203,7 +203,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
                                       sizeof(child->thread.fpu));
                                child->thread.fpu.fcr31 = 0;
                        }
-                        if (test_thread_flag(TIF_32BIT_FPREGS)) {
+                        if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
                                /*
                                 * The odd registers are actually the high
                                 * order bits of the values stored in the even
diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c
index 78cf8c2f1de0..4874712b475e 100644
--- a/arch/mips/kernel/smp-bmips.c
+++ b/arch/mips/kernel/smp-bmips.c
@@ -166,11 +166,11 @@ static void bmips_prepare_cpus(unsigned int max_cpus)
                return;
        }
-        if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, IRQF_PERCPU,
+        if (request_irq(IPI0_IRQ, bmips_ipi_interrupt,
-                        "smp_ipi0", NULL))
+                        IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi0", NULL))
                panic("Can't request IPI0 interrupt");
-        if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, IRQF_PERCPU,
+        if (request_irq(IPI1_IRQ, bmips_ipi_interrupt,
-                        "smp_ipi1", NULL))
+                        IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi1", NULL))
                panic("Can't request IPI1 interrupt");
 }
diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
index 31ca2edd7218..1b901218e3ae 100644
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -344,6 +344,7 @@ static void __show_regs(const struct pt_regs *regs)
 void show_regs(struct pt_regs *regs)
 {
        __show_regs((struct pt_regs *)regs);
+        dump_stack();
 }
 void show_registers(struct pt_regs *regs)
diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
index a017b23ee4aa..8a95c3d76a9a 100644
--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -40,7 +40,7 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
        { "cache",        VCPU_STAT(cache_exits),        KVM_STAT_VCPU },
        { "signal",       VCPU_STAT(signal_exits),       KVM_STAT_VCPU },
        { "interrupt",    VCPU_STAT(int_exits),          KVM_STAT_VCPU },
-        { "cop_unsuable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU },
+        { "cop_unusable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU },
        { "tlbmod",       VCPU_STAT(tlbmod_exits),       KVM_STAT_VCPU },
        { "tlbmiss_ld",   VCPU_STAT(tlbmiss_ld_exits),   KVM_STAT_VCPU },
        { "tlbmiss_st",   VCPU_STAT(tlbmiss_st_exits),   KVM_STAT_VCPU },
diff --git a/arch/mips/lib/Makefile b/arch/mips/lib/Makefile
index 0344e575f522..fba4ca56e46a 100644
--- a/arch/mips/lib/Makefile
+++ b/arch/mips/lib/Makefile
@@ -15,4 +15,5 @@ obj-$(CONFIG_CPU_R3000)		+= r3k_dump_tlb.o
 obj-$(CONFIG_CPU_TX39XX)        += r3k_dump_tlb.o
 # libgcc-style stuff needed in the kernel
-obj-y += ashldi3.o ashrdi3.o bswapsi.o bswapdi.o cmpdi2.o lshrdi3.o ucmpdi2.o
+obj-y += ashldi3.o ashrdi3.o bswapsi.o bswapdi.o cmpdi2.o lshrdi3.o multi3.o \
+         ucmpdi2.o
diff --git a/arch/mips/lib/libgcc.h b/arch/mips/lib/libgcc.h
index 05909d58e2fe..56ea0df60a44 100644
--- a/arch/mips/lib/libgcc.h
+++ b/arch/mips/lib/libgcc.h
@@ -9,10 +9,18 @@ typedef int word_type __attribute__ ((mode (__word__)));
 struct DWstruct {
        int high, low;
 };
+struct TWstruct {
+        long long high, low;
+};
 #elif defined(__LITTLE_ENDIAN)
 struct DWstruct {
        int low, high;
 };
+struct TWstruct {
+        long long low, high;
+};
 #else
 #error I feel sick.
 #endif
@@ -22,4 +30,13 @@ typedef union {
        long long ll;
 } DWunion;
+#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6)
+typedef int ti_type __attribute__((mode(TI)));
+typedef union {
+        struct TWstruct s;
+        ti_type ti;
+} TWunion;
+#endif
 #endif /* __ASM_LIBGCC_H */
diff --git a/arch/mips/lib/memset.S b/arch/mips/lib/memset.S
index 8f0019a2e5c8..2d33cf2185d9 100644
--- a/arch/mips/lib/memset.S
+++ b/arch/mips/lib/memset.S
@@ -218,7 +218,7 @@
 1:      PTR_ADDIU       a0, 1                   /* fill bytewise */
        R10KCBARRIER(0(ra))
        bne             t1, a0, 1b
-        sb              a1, -1(a0)
+         EX(sb, a1, -1(a0), .Lsmall_fixup\@)
 2:      jr              ra                      /* done */
        move            a2, zero
@@ -249,13 +249,18 @@
        PTR_L           t0, TI_TASK($28)
        andi            a2, STORMASK
        LONG_L          t0, THREAD_BUADDR(t0)
-        LONG_ADDU       a2, t1
+        LONG_ADDU       a2, a0
        jr              ra
        LONG_SUBU       a2, t0
 .Llast_fixup\@:
        jr              ra
-        andi            v1, a2, STORMASK
+         nop
+.Lsmall_fixup\@:
+        PTR_SUBU        a2, t1, a0
+        jr              ra
+         PTR_ADDIU      a2, 1
        .endm
diff --git a/arch/mips/lib/multi3.c b/arch/mips/lib/multi3.c
new file mode 100644
index 000000000000..111ad475aa0c
--- /dev/null
+++ b/arch/mips/lib/multi3.c
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/export.h>
+#include "libgcc.h"
+/*
+ * GCC 7 suboptimally generates __multi3 calls for mips64r6, so for that
+ * specific case only we'll implement it here.
+ *
+ * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82981
+ */
+#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ == 7)
+/* multiply 64-bit values, low 64-bits returned */
+static inline long long notrace dmulu(long long a, long long b)
+{
+        long long res;
+        asm ("dmulu %0,%1,%2" : "=r" (res) : "r" (a), "r" (b));
+        return res;
+}
+/* multiply 64-bit unsigned values, high 64-bits of 128-bit result returned */
+static inline long long notrace dmuhu(long long a, long long b)
+{
+        long long res;
+        asm ("dmuhu %0,%1,%2" : "=r" (res) : "r" (a), "r" (b));
+        return res;
+}
+/* multiply 128-bit values, low 128-bits returned */
+ti_type notrace __multi3(ti_type a, ti_type b)
+{
+        TWunion res, aa, bb;
+        aa.ti = a;
+        bb.ti = b;
+        /*
+         * a * b =           (a.lo * b.lo)
+         *         + 2^64  * (a.hi * b.lo + a.lo * b.hi)
+         *        [+ 2^128 * (a.hi * b.hi)]
+         */
+        res.s.low = dmulu(aa.s.low, bb.s.low);
+        res.s.high = dmuhu(aa.s.low, bb.s.low);
+        res.s.high += dmulu(aa.s.high, bb.s.low);
+        res.s.high += dmulu(aa.s.low, bb.s.high);
+        return res.ti;
+}
+EXPORT_SYMBOL(__multi3);
+#endif /* 64BIT && CPU_MIPSR6 && GCC7 */
diff --git a/arch/mips/mm/ioremap.c b/arch/mips/mm/ioremap.c
index 8d5008cbdc0f..a853a83f2944 100644
--- a/arch/mips/mm/ioremap.c
+++ b/arch/mips/mm/ioremap.c
@@ -9,6 +9,7 @@
 #include <linux/module.h>
 #include <asm/addrspace.h>
 #include <asm/byteorder.h>
+#include <linux/ioport.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/vmalloc.h>
@@ -97,6 +98,20 @@ static int remap_area_pages(unsigned long address, phys_addr_t phys_addr,
        return error;
 }
+static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
+                               void *arg)
+{
+        unsigned long i;
+        for (i = 0; i < nr_pages; i++) {
+                if (pfn_valid(start_pfn + i) &&
+                    !PageReserved(pfn_to_page(start_pfn + i)))
+                        return 1;
+        }
+        return 0;
+}
 /*
 * Generic mapping function (not visible outside):
 */
@@ -115,8 +130,8 @@ static int remap_area_pages(unsigned long address, phys_addr_t phys_addr,
 void __iomem * __ioremap(phys_addr_t phys_addr, phys_addr_t size, unsigned long flags)
 {
+        unsigned long offset, pfn, last_pfn;
        struct vm_struct * area;
-        unsigned long offset;
        phys_addr_t last_addr;
        void * addr;
@@ -136,18 +151,16 @@ void __iomem * __ioremap(phys_addr_t phys_addr, phys_addr_t size, unsigned long
                return (void __iomem *) CKSEG1ADDR(phys_addr);
        /*
-         * Don't allow anybody to remap normal RAM that we're using..
+         * Don't allow anybody to remap RAM that may be allocated by the page
+         * allocator, since that could lead to races & data clobbering.
         */
-        if (phys_addr < virt_to_phys(high_memory)) {
+        pfn = PFN_DOWN(phys_addr);
-                char *t_addr, *t_end;
+        last_pfn = PFN_DOWN(last_addr);
-                struct page *page;
+        if (walk_system_ram_range(pfn, last_pfn - pfn + 1, NULL,
+                                  __ioremap_check_ram) == 1) {
-                t_addr = __va(phys_addr);
+                WARN_ONCE(1, "ioremap on RAM at %pa - %pa\n",
-                t_end = t_addr + (size - 1);
+                          &phys_addr, &last_addr);
+                return NULL;
-                for(page = virt_to_page(t_addr); page <= virt_to_page(t_end); page++)
-                        if(!PageReserved(page))
-                                return NULL;
        }
        /*
diff --git a/arch/mips/mm/pgtable-32.c b/arch/mips/mm/pgtable-32.c
index adc6911ba748..b19a3c506b1e 100644
--- a/arch/mips/mm/pgtable-32.c
+++ b/arch/mips/mm/pgtable-32.c
@@ -51,15 +51,15 @@ void __init pagetable_init(void)
        /*
         * Fixed mappings:
         */
-        vaddr = __fix_to_virt(__end_of_fixed_addresses - 1) & PMD_MASK;
+        vaddr = __fix_to_virt(__end_of_fixed_addresses - 1);
-        fixrange_init(vaddr, vaddr + FIXADDR_SIZE, pgd_base);
+        fixrange_init(vaddr & PMD_MASK, vaddr + FIXADDR_SIZE, pgd_base);
 #ifdef CONFIG_HIGHMEM
        /*
         * Permanent kmaps:
         */
        vaddr = PKMAP_BASE;
-        fixrange_init(vaddr, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base);
+        fixrange_init(vaddr & PMD_MASK, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base);
        pgd = swapper_pg_dir + __pgd_offset(vaddr);
        pud = pud_offset(pgd, vaddr);
diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
index 1a8c96035716..c0c1e9529dbd 100644
--- a/arch/mips/net/bpf_jit.c
+++ b/arch/mips/net/bpf_jit.c
@@ -527,7 +527,8 @@ static void save_bpf_jit_regs(struct jit_ctx *ctx, unsigned offset)
        u32 sflags, tmp_flags;
        /* Adjust the stack pointer */
-        emit_stack_offset(-align_sp(offset), ctx);
+        if (offset)
+                emit_stack_offset(-align_sp(offset), ctx);
        tmp_flags = sflags = ctx->flags >> SEEN_SREG_SFT;
        /* sflags is essentially a bitmap */
@@ -579,7 +580,8 @@ static void restore_bpf_jit_regs(struct jit_ctx *ctx,
                emit_load_stack_reg(r_ra, r_sp, real_off, ctx);
        /* Restore the sp and discard the scrach memory */
-        emit_stack_offset(align_sp(offset), ctx);
+        if (offset)
+                emit_stack_offset(align_sp(offset), ctx);
 }
 static unsigned int get_stack_depth(struct jit_ctx *ctx)
@@ -626,8 +628,14 @@ static void build_prologue(struct jit_ctx *ctx)
        if (ctx->flags & SEEN_X)
                emit_jit_reg_move(r_X, r_zero, ctx);
-        /* Do not leak kernel data to userspace */
+        /*
-        if (bpf_needs_clear_a(&ctx->skf->insns[0]))
+         * Do not leak kernel data to userspace, we only need to clear
+         * r_A if it is ever used.  In fact if it is never used, we
+         * will not save/restore it, so clearing it in this case would
+         * corrupt the state of the caller.
+         */
+        if (bpf_needs_clear_a(&ctx->skf->insns[0]) &&
+            (ctx->flags & SEEN_A))
                emit_jit_reg_move(r_A, r_zero, ctx);
 }
diff --git a/arch/mips/net/bpf_jit_asm.S b/arch/mips/net/bpf_jit_asm.S
index 5d2e0c8d29c0..88a2075305d1 100644
--- a/arch/mips/net/bpf_jit_asm.S
+++ b/arch/mips/net/bpf_jit_asm.S
@@ -90,18 +90,14 @@ FEXPORT(sk_load_half_positive)
        is_offset_in_header(2, half)
        /* Offset within header boundaries */
        PTR_ADDU t1, $r_skb_data, offset
-        .set    reorder
+        lhu     $r_A, 0(t1)
-        lh      $r_A, 0(t1)
-        .set    noreorder
 #ifdef CONFIG_CPU_LITTLE_ENDIAN
 # if defined(__mips_isa_rev) && (__mips_isa_rev >= 2)
-        wsbh    t0, $r_A
+        wsbh    $r_A, $r_A
-        seh     $r_A, t0
 # else
-        sll     t0, $r_A, 24
+        sll     t0, $r_A, 8
-        andi    t1, $r_A, 0xff00
+        srl     t1, $r_A, 8
-        sra     t0, t0, 16
+        andi    t0, t0, 0xff00
-        srl     t1, t1, 8
        or      $r_A, t0, t1
 # endif
 #endif
@@ -115,7 +111,7 @@ FEXPORT(sk_load_byte_positive)
        is_offset_in_header(1, byte)
        /* Offset within header boundaries */
        PTR_ADDU t1, $r_skb_data, offset
-        lb      $r_A, 0(t1)
+        lbu     $r_A, 0(t1)
        jr      $r_ra
         move   $r_ret, zero
        END(sk_load_byte)
@@ -139,6 +135,11 @@ FEXPORT(sk_load_byte_positive)
 * (void *to) is returned in r_s0
 *
 */
+#ifdef CONFIG_CPU_LITTLE_ENDIAN
+#define DS_OFFSET(SIZE) (4 * SZREG)
+#else
+#define DS_OFFSET(SIZE) ((4 * SZREG) + (4 - SIZE))
+#endif
 #define bpf_slow_path_common(SIZE)                              \
        /* Quick check. Are we within reasonable boundaries? */ \
        LONG_ADDIU      $r_s1, $r_skb_len, -SIZE;               \
@@ -150,7 +151,7 @@ FEXPORT(sk_load_byte_positive)
        PTR_LA          t0, skb_copy_bits;                      \
        PTR_S           $r_ra, (5 * SZREG)($r_sp);              \
        /* Assign low slot to a2 */                             \
-        move            a2, $r_sp;                              \
+        PTR_ADDIU       a2, $r_sp, DS_OFFSET(SIZE);             \
        jalr            t0;                                     \
        /* Reset our destination slot (DS but it's ok) */       \
         INT_S          zero, (4 * SZREG)($r_sp);               \
diff --git a/arch/mips/ralink/reset.c b/arch/mips/ralink/reset.c
index ee117c4bc4a3..8037a4bd84fd 100644
--- a/arch/mips/ralink/reset.c
+++ b/arch/mips/ralink/reset.c
@@ -96,16 +96,9 @@ static void ralink_restart(char *command)
        unreachable();
 }
-static void ralink_halt(void)
-{
-        local_irq_disable();
-        unreachable();
-}
 static int __init mips_reboot_setup(void)
 {
        _machine_restart = ralink_restart;
-        _machine_halt = ralink_halt;
        return 0;
 }
diff --git a/arch/mips/txx9/rbtx4939/setup.c b/arch/mips/txx9/rbtx4939/setup.c
index 37030409745c..586ca7ea3e7c 100644
--- a/arch/mips/txx9/rbtx4939/setup.c
+++ b/arch/mips/txx9/rbtx4939/setup.c
@@ -186,7 +186,7 @@ static void __init rbtx4939_update_ioc_pen(void)
 #define RBTX4939_MAX_7SEGLEDS   8
-#if IS_ENABLED(CONFIG_LEDS_CLASS)
+#if IS_BUILTIN(CONFIG_LEDS_CLASS)
 static u8 led_val[RBTX4939_MAX_7SEGLEDS];
 struct rbtx4939_led_data {
        struct led_classdev cdev;
@@ -261,7 +261,7 @@ static inline void rbtx4939_led_setup(void)
 static void __rbtx4939_7segled_putc(unsigned int pos, unsigned char val)
 {
-#if IS_ENABLED(CONFIG_LEDS_CLASS)
+#if IS_BUILTIN(CONFIG_LEDS_CLASS)
        unsigned long flags;
        local_irq_save(flags);
        /* bit7: reserved for LED class */
diff --git a/arch/mn10300/mm/misalignment.c b/arch/mn10300/mm/misalignment.c
index b9920b1edd5a..70cef54dc40f 100644
--- a/arch/mn10300/mm/misalignment.c
+++ b/arch/mn10300/mm/misalignment.c
@@ -437,7 +437,7 @@ transfer_failed:
        info.si_signo   = SIGSEGV;
        info.si_errno   = 0;
-        info.si_code    = 0;
+        info.si_code    = SEGV_MAPERR;
        info.si_addr    = (void *) regs->pc;
        force_sig_info(SIGSEGV, &info, current);
        return;
diff --git a/arch/openrisc/kernel/traps.c b/arch/openrisc/kernel/traps.c
index 3d3f6062f49c..605a284922fb 100644
--- a/arch/openrisc/kernel/traps.c
+++ b/arch/openrisc/kernel/traps.c
@@ -302,12 +302,12 @@ asmlinkage void do_unaligned_access(struct pt_regs *regs, unsigned long address)
        siginfo_t info;
        if (user_mode(regs)) {
-                /* Send a SIGSEGV */
+                /* Send a SIGBUS */
-                info.si_signo = SIGSEGV;
+                info.si_signo = SIGBUS;
                info.si_errno = 0;
-                /* info.si_code has been set above */
+                info.si_code = BUS_ADRALN;
-                info.si_addr = (void *)address;
+                info.si_addr = (void __user *)address;
-                force_sig_info(SIGSEGV, &info, current);
+                force_sig_info(SIGBUS, &info, current);
        } else {
                printk("KERNEL: Unaligned Access 0x%.8lx\n", address);
                show_registers(regs);
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index d2256fa97ea0..f7f89310a7a1 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -178,7 +178,7 @@ config PREFETCH
 config MLONGCALLS
        bool "Enable the -mlong-calls compiler option for big kernels"
-        def_bool y if (!MODULES)
+        default y
        depends on PA8X00
        help
          If you configure the kernel to include many drivers built-in instead
diff --git a/arch/parisc/include/asm/barrier.h b/arch/parisc/include/asm/barrier.h
new file mode 100644
index 000000000000..dbaaca84f27f
--- /dev/null
+++ b/arch/parisc/include/asm/barrier.h
@@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __ASM_BARRIER_H
+#define __ASM_BARRIER_H
+#ifndef __ASSEMBLY__
+/* The synchronize caches instruction executes as a nop on systems in
+   which all memory references are performed in order. */
+#define synchronize_caches() __asm__ __volatile__ ("sync" : : : "memory")
+#if defined(CONFIG_SMP)
+#define mb()            do { synchronize_caches(); } while (0)
+#define rmb()           mb()
+#define wmb()           mb()
+#define dma_rmb()       mb()
+#define dma_wmb()       mb()
+#else
+#define mb()            barrier()
+#define rmb()           barrier()
+#define wmb()           barrier()
+#define dma_rmb()       barrier()
+#define dma_wmb()       barrier()
+#endif
+#define __smp_mb()      mb()
+#define __smp_rmb()     mb()
+#define __smp_wmb()     mb()
+#include <asm-generic/barrier.h>
+#endif /* !__ASSEMBLY__ */
+#endif /* __ASM_BARRIER_H */
diff --git a/arch/parisc/include/asm/futex.h b/arch/parisc/include/asm/futex.h
index 49df14805a9b..ae5b64981d72 100644
--- a/arch/parisc/include/asm/futex.h
+++ b/arch/parisc/include/asm/futex.h
@@ -32,20 +32,11 @@ _futex_spin_unlock_irqrestore(u32 __user *uaddr, unsigned long int *flags)
 }
 static inline int
-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
 {
        unsigned long int flags;
        u32 val;
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr)))
-                return -EFAULT;
        pagefault_disable();
@@ -98,17 +89,9 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
index dba508fe1683..4f7060ec6875 100644
--- a/arch/parisc/kernel/drivers.c
+++ b/arch/parisc/kernel/drivers.c
@@ -648,6 +648,10 @@ static int match_pci_device(struct device *dev, int index,
                                        (modpath->mod == PCI_FUNC(devfn)));
        }
+        /* index might be out of bounds for bc[] */
+        if (index >= 6)
+                return 0;
        id = PCI_SLOT(pdev->devfn) | (PCI_FUNC(pdev->devfn) << 5);
        return (modpath->bc[index] == id);
 }
diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S
index 5dc831955de5..13cb2461fef5 100644
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -482,6 +482,8 @@
        .macro          tlb_unlock0     spc,tmp
 #ifdef CONFIG_SMP
        or,COND(=)      %r0,\spc,%r0
+        sync
+        or,COND(=)      %r0,\spc,%r0
        stw             \spc,0(\tmp)
 #endif
        .endm
diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S
index 16073f472118..b3434a7fd3c9 100644
--- a/arch/parisc/kernel/pacache.S
+++ b/arch/parisc/kernel/pacache.S
@@ -354,6 +354,7 @@ ENDPROC(flush_data_cache_local)
        .macro  tlb_unlock      la,flags,tmp
 #ifdef CONFIG_SMP
        ldi             1,\tmp
+        sync
        stw             \tmp,0(\la)
        mtsm            \flags
 #endif
diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S
index 9f22195b90ed..f68eedc72484 100644
--- a/arch/parisc/kernel/syscall.S
+++ b/arch/parisc/kernel/syscall.S
@@ -631,6 +631,7 @@ cas_action:
        sub,<>  %r28, %r25, %r0
 2:      stw,ma  %r24, 0(%r26)
        /* Free lock */
+        sync
        stw,ma  %r20, 0(%sr2,%r20)
 #if ENABLE_LWS_DEBUG
        /* Clear thread register indicator */
@@ -645,6 +646,7 @@ cas_action:
 3:              
        /* Error occurred on load or store */
        /* Free lock */
+        sync
        stw     %r20, 0(%sr2,%r20)
 #if ENABLE_LWS_DEBUG
        stw     %r0, 4(%sr2,%r20)
@@ -846,6 +848,7 @@ cas2_action:
 cas2_end:
        /* Free lock */
+        sync
        stw,ma  %r20, 0(%sr2,%r20)
        /* Enable interrupts */
        ssm     PSW_SM_I, %r0
@@ -856,6 +859,7 @@ cas2_end:
 22:
        /* Error occurred on load or store */
        /* Free lock */
+        sync
        stw     %r20, 0(%sr2,%r20)
        ssm     PSW_SM_I, %r0
        ldo     1(%r0),%r28
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index c628f47a9052..755eb1275dbb 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -129,13 +129,14 @@ config PPC
        select IRQ_FORCED_THREADING
        select HAVE_RCU_TABLE_FREE if SMP
        select HAVE_SYSCALL_TRACEPOINTS
-        select HAVE_BPF_JIT
+        select HAVE_BPF_JIT if CPU_BIG_ENDIAN
        select HAVE_ARCH_JUMP_LABEL
        select ARCH_HAVE_NMI_SAFE_CMPXCHG
        select ARCH_HAS_GCOV_PROFILE_ALL
        select GENERIC_SMP_IDLE_THREAD
        select GENERIC_CMOS_UPDATE
        select GENERIC_TIME_VSYSCALL_OLD
+        select GENERIC_CPU_VULNERABILITIES      if PPC_BOOK3S_64
        select GENERIC_CLOCKEVENTS
        select GENERIC_CLOCKEVENTS_BROADCAST if SMP
        select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h
index 0eca6efc0631..b9e16855a037 100644
--- a/arch/powerpc/include/asm/barrier.h
+++ b/arch/powerpc/include/asm/barrier.h
@@ -36,7 +36,8 @@
 #define smp_store_mb(var, value)        do { WRITE_ONCE(var, value); mb(); } while (0)
-#ifdef __SUBARCH_HAS_LWSYNC
+/* The sub-arch has lwsync */
+#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC)
 #    define SMPWMB      LWSYNC
 #else
 #    define SMPWMB      eieio
diff --git a/arch/powerpc/include/asm/exception-64e.h b/arch/powerpc/include/asm/exception-64e.h
index a703452d67b6..555e22d5e07f 100644
--- a/arch/powerpc/include/asm/exception-64e.h
+++ b/arch/powerpc/include/asm/exception-64e.h
@@ -209,5 +209,11 @@ exc_##label##_book3e:
        ori     r3,r3,vector_offset@l;          \
        mtspr   SPRN_IVOR##vector_number,r3;
+#define RFI_TO_KERNEL                                                   \
+        rfi
+#define RFI_TO_USER                                                     \
+        rfi
 #endif /* _ASM_POWERPC_EXCEPTION_64E_H */
diff --git a/arch/powerpc/include/asm/exception-64s.h b/arch/powerpc/include/asm/exception-64s.h
index 77f52b26dad6..9bddbec441b8 100644
--- a/arch/powerpc/include/asm/exception-64s.h
+++ b/arch/powerpc/include/asm/exception-64s.h
@@ -50,6 +50,59 @@
 #define EX_PPR          88      /* SMT thread status register (priority) */
 #define EX_CTR          96
+/*
+ * Macros for annotating the expected destination of (h)rfid
+ *
+ * The nop instructions allow us to insert one or more instructions to flush the
+ * L1-D cache when returning to userspace or a guest.
+ */
+#define RFI_FLUSH_SLOT                                                  \
+        RFI_FLUSH_FIXUP_SECTION;                                        \
+        nop;                                                            \
+        nop;                                                            \
+        nop
+#define RFI_TO_KERNEL                                                   \
+        rfid
+#define RFI_TO_USER                                                     \
+        RFI_FLUSH_SLOT;                                                 \
+        rfid;                                                           \
+        b       rfi_flush_fallback
+#define RFI_TO_USER_OR_KERNEL                                           \
+        RFI_FLUSH_SLOT;                                                 \
+        rfid;                                                           \
+        b       rfi_flush_fallback
+#define RFI_TO_GUEST                                                    \
+        RFI_FLUSH_SLOT;                                                 \
+        rfid;                                                           \
+        b       rfi_flush_fallback
+#define HRFI_TO_KERNEL                                                  \
+        hrfid
+#define HRFI_TO_USER                                                    \
+        RFI_FLUSH_SLOT;                                                 \
+        hrfid;                                                          \
+        b       hrfi_flush_fallback
+#define HRFI_TO_USER_OR_KERNEL                                          \
+        RFI_FLUSH_SLOT;                                                 \
+        hrfid;                                                          \
+        b       hrfi_flush_fallback
+#define HRFI_TO_GUEST                                                   \
+        RFI_FLUSH_SLOT;                                                 \
+        hrfid;                                                          \
+        b       hrfi_flush_fallback
+#define HRFI_TO_UNKNOWN                                                 \
+        RFI_FLUSH_SLOT;                                                 \
+        hrfid;                                                          \
+        b       hrfi_flush_fallback
 #ifdef CONFIG_RELOCATABLE
 #define __EXCEPTION_RELON_PROLOG_PSERIES_1(label, h)                    \
        ld      r12,PACAKBASE(r13);     /* get high part of &label */   \
@@ -191,7 +244,7 @@ END_FTR_SECTION_NESTED(ftr,ftr,943)
        mtspr   SPRN_##h##SRR0,r12;                                     \
        mfspr   r12,SPRN_##h##SRR1;     /* and SRR1 */                  \
        mtspr   SPRN_##h##SRR1,r10;                                     \
-        h##rfid;                                                        \
+        h##RFI_TO_KERNEL;                                               \
        b       .       /* prevent speculative execution */
 #define EXCEPTION_PROLOG_PSERIES_1(label, h)                            \
        __EXCEPTION_PROLOG_PSERIES_1(label, h)
diff --git a/arch/powerpc/include/asm/feature-fixups.h b/arch/powerpc/include/asm/feature-fixups.h
index 9a67a38bf7b9..7068bafbb2d6 100644
--- a/arch/powerpc/include/asm/feature-fixups.h
+++ b/arch/powerpc/include/asm/feature-fixups.h
@@ -184,4 +184,19 @@ label##3:					       	\
        FTR_ENTRY_OFFSET label##1b-label##3b;           \
        .popsection;
+#define RFI_FLUSH_FIXUP_SECTION                         \
+951:                                                    \
+        .pushsection __rfi_flush_fixup,"a";             \
+        .align 2;                                       \
+952:                                                    \
+        FTR_ENTRY_OFFSET 951b-952b;                     \
+        .popsection;
+#ifndef __ASSEMBLY__
+extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup;
+#endif
 #endif /* __ASM_POWERPC_FEATURE_FIXUPS_H */
diff --git a/arch/powerpc/include/asm/firmware.h b/arch/powerpc/include/asm/firmware.h
index e05808a328db..b0629249778b 100644
--- a/arch/powerpc/include/asm/firmware.h
+++ b/arch/powerpc/include/asm/firmware.h
@@ -47,12 +47,10 @@
 #define FW_FEATURE_VPHN         ASM_CONST(0x0000000004000000)
 #define FW_FEATURE_XCMO         ASM_CONST(0x0000000008000000)
 #define FW_FEATURE_OPAL         ASM_CONST(0x0000000010000000)
-#define FW_FEATURE_OPALv2       ASM_CONST(0x0000000020000000)
 #define FW_FEATURE_SET_MODE     ASM_CONST(0x0000000040000000)
 #define FW_FEATURE_BEST_ENERGY  ASM_CONST(0x0000000080000000)
 #define FW_FEATURE_TYPE1_AFFINITY ASM_CONST(0x0000000100000000)
 #define FW_FEATURE_PRRN         ASM_CONST(0x0000000200000000)
-#define FW_FEATURE_OPALv3       ASM_CONST(0x0000000400000000)
 #ifndef __ASSEMBLY__
@@ -70,8 +68,7 @@ enum {
                FW_FEATURE_SET_MODE | FW_FEATURE_BEST_ENERGY |
                FW_FEATURE_TYPE1_AFFINITY | FW_FEATURE_PRRN,
        FW_FEATURE_PSERIES_ALWAYS = 0,
-        FW_FEATURE_POWERNV_POSSIBLE = FW_FEATURE_OPAL | FW_FEATURE_OPALv2 |
+        FW_FEATURE_POWERNV_POSSIBLE = FW_FEATURE_OPAL,
-                FW_FEATURE_OPALv3,
        FW_FEATURE_POWERNV_ALWAYS = 0,
        FW_FEATURE_PS3_POSSIBLE = FW_FEATURE_LPAR | FW_FEATURE_PS3_LV1,
        FW_FEATURE_PS3_ALWAYS = FW_FEATURE_LPAR | FW_FEATURE_PS3_LV1,
diff --git a/arch/powerpc/include/asm/futex.h b/arch/powerpc/include/asm/futex.h
index 2a9cf845473b..f4c7467f7465 100644
--- a/arch/powerpc/include/asm/futex.h
+++ b/arch/powerpc/include/asm/futex.h
@@ -31,18 +31,10 @@
        : "b" (uaddr), "i" (-EFAULT), "r" (oparg) \
        : "cr0", "memory")
-static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+                u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (! access_ok (VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
@@ -68,17 +60,9 @@ static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
index 85bc8c0d257b..449bbb87c257 100644
--- a/arch/powerpc/include/asm/hvcall.h
+++ b/arch/powerpc/include/asm/hvcall.h
@@ -239,6 +239,7 @@
 #define H_GET_HCA_INFO          0x1B8
 #define H_GET_PERF_COUNT        0x1BC
 #define H_MANAGE_TRACE          0x1C0
+#define H_GET_CPU_CHARACTERISTICS 0x1C8
 #define H_FREE_LOGICAL_LAN_BUFFER 0x1D4
 #define H_QUERY_INT_STATE       0x1E4
 #define H_POLL_PENDING          0x1D8
@@ -285,7 +286,19 @@
 #define H_SET_MODE_RESOURCE_ADDR_TRANS_MODE     3
 #define H_SET_MODE_RESOURCE_LE                  4
+/* H_GET_CPU_CHARACTERISTICS return values */
+#define H_CPU_CHAR_SPEC_BAR_ORI31       (1ull << 63) // IBM bit 0
+#define H_CPU_CHAR_BCCTRL_SERIALISED    (1ull << 62) // IBM bit 1
+#define H_CPU_CHAR_L1D_FLUSH_ORI30      (1ull << 61) // IBM bit 2
+#define H_CPU_CHAR_L1D_FLUSH_TRIG2      (1ull << 60) // IBM bit 3
+#define H_CPU_CHAR_L1D_THREAD_PRIV      (1ull << 59) // IBM bit 4
+#define H_CPU_BEHAV_FAVOUR_SECURITY     (1ull << 63) // IBM bit 0
+#define H_CPU_BEHAV_L1D_FLUSH_PR        (1ull << 62) // IBM bit 1
+#define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR   (1ull << 61) // IBM bit 2
 #ifndef __ASSEMBLY__
+#include <linux/types.h>
 /**
 * plpar_hcall_norets: - Make a pseries hypervisor call with no return arguments
@@ -423,6 +436,11 @@ extern long pseries_big_endian_exceptions(void);
 #endif /* CONFIG_PPC_PSERIES */
+struct h_cpu_char_result {
+        u64 character;
+        u64 behaviour;
+};
 #endif /* __ASSEMBLY__ */
 #endif /* __KERNEL__ */
 #endif /* _ASM_POWERPC_HVCALL_H */
diff --git a/arch/powerpc/include/asm/irq_work.h b/arch/powerpc/include/asm/irq_work.h
index 744fd54de374..1bcc84903930 100644
--- a/arch/powerpc/include/asm/irq_work.h
+++ b/arch/powerpc/include/asm/irq_work.h
@@ -5,5 +5,6 @@ static inline bool arch_irq_work_has_interrupt(void)
 {
        return true;
 }
+extern void arch_irq_work_raise(void);
 #endif /* _ASM_POWERPC_IRQ_WORK_H */
diff --git a/arch/powerpc/include/asm/opal.h b/arch/powerpc/include/asm/opal.h
index 07a99e638449..bab3461115bb 100644
--- a/arch/powerpc/include/asm/opal.h
+++ b/arch/powerpc/include/asm/opal.h
@@ -21,6 +21,9 @@
 /* We calculate number of sg entries based on PAGE_SIZE */
 #define SG_ENTRIES_PER_NODE ((PAGE_SIZE - 16) / sizeof(struct opal_sg_entry))
+/* Default time to sleep or delay between OPAL_BUSY/OPAL_BUSY_EVENT loops */
+#define OPAL_BUSY_DELAY_MS      10
 /* /sys/firmware/opal */
 extern struct kobject *opal_kobj;
diff --git a/arch/powerpc/include/asm/paca.h b/arch/powerpc/include/asm/paca.h
index 70bd4381f8e6..45e2aefece16 100644
--- a/arch/powerpc/include/asm/paca.h
+++ b/arch/powerpc/include/asm/paca.h
@@ -192,6 +192,16 @@ struct paca_struct {
 #endif
        struct kvmppc_host_state kvm_hstate;
 #endif
+#ifdef CONFIG_PPC_BOOK3S_64
+        /*
+         * rfi fallback flush must be in its own cacheline to prevent
+         * other paca data leaking into the L1d
+         */
+        u64 exrfi[13] __aligned(0x80);
+        void *rfi_flush_fallback_area;
+        u64 l1d_flush_congruence;
+        u64 l1d_flush_sets;
+#endif
 };
 extern struct paca_struct *paca;
diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h
index 3140c19c448c..70b379ee6b7e 100644
--- a/arch/powerpc/include/asm/page.h
+++ b/arch/powerpc/include/asm/page.h
@@ -132,7 +132,19 @@ extern long long virt_phys_offset;
 #define virt_to_pfn(kaddr)      (__pa(kaddr) >> PAGE_SHIFT)
 #define virt_to_page(kaddr)     pfn_to_page(virt_to_pfn(kaddr))
 #define pfn_to_kaddr(pfn)       __va((pfn) << PAGE_SHIFT)
+#ifdef CONFIG_PPC_BOOK3S_64
+/*
+ * On hash the vmalloc and other regions alias to the kernel region when passed
+ * through __pa(), which virt_to_pfn() uses. That means virt_addr_valid() can
+ * return true for some vmalloc addresses, which is incorrect. So explicitly
+ * check that the address is in the kernel region.
+ */
+#define virt_addr_valid(kaddr) (REGION_ID(kaddr) == KERNEL_REGION_ID && \
+                                pfn_valid(virt_to_pfn(kaddr)))
+#else
 #define virt_addr_valid(kaddr)  pfn_valid(virt_to_pfn(kaddr))
+#endif
 /*
 * On Book-E parts we need __va to parse the device tree and we can't
diff --git a/arch/powerpc/include/asm/plpar_wrappers.h b/arch/powerpc/include/asm/plpar_wrappers.h
index 67859edbf8fd..6e05cb397a5c 100644
--- a/arch/powerpc/include/asm/plpar_wrappers.h
+++ b/arch/powerpc/include/asm/plpar_wrappers.h
@@ -323,4 +323,18 @@ static inline long plapr_set_watchpoint0(unsigned long dawr0, unsigned long dawr
        return plpar_set_mode(0, H_SET_MODE_RESOURCE_SET_DAWR, dawr0, dawrx0);
 }
+static inline long plpar_get_cpu_characteristics(struct h_cpu_char_result *p)
+{
+        unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
+        long rc;
+        rc = plpar_hcall(H_GET_CPU_CHARACTERISTICS, retbuf);
+        if (rc == H_SUCCESS) {
+                p->character = retbuf[0];
+                p->behaviour = retbuf[1];
+        }
+        return rc;
+}
 #endif /* _ASM_POWERPC_PLPAR_WRAPPERS_H */
diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h
index dd0fc18d8103..160bb2311bbb 100644
--- a/arch/powerpc/include/asm/ppc_asm.h
+++ b/arch/powerpc/include/asm/ppc_asm.h
@@ -224,6 +224,16 @@ name: \
        .globl name; \
 name:
+#define _KPROBE_TOC(name)                       \
+        .section ".kprobes.text","a";           \
+        .align 2 ;                              \
+        .type name,@function;                   \
+        .globl name;                            \
+name:                                           \
+0:      addis r2,r12,(.TOC.-0b)@ha;             \
+        addi r2,r2,(.TOC.-0b)@l;                \
+        .localentry name,.-name
 #define DOTSYM(a)       a
 #else
@@ -261,6 +271,8 @@ name: \
        .type GLUE(.,name),@function; \
 GLUE(.,name):
+#define _KPROBE_TOC(n)  _KPROBE(n)
 #define DOTSYM(a)       GLUE(.,a)
 #endif
diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h
index e9d384cbd021..7916b56f2e60 100644
--- a/arch/powerpc/include/asm/setup.h
+++ b/arch/powerpc/include/asm/setup.h
@@ -26,6 +26,19 @@ void initmem_init(void);
 void setup_panic(void);
 #define ARCH_PANIC_TIMEOUT 180
+void rfi_flush_enable(bool enable);
+/* These are bit flags */
+enum l1d_flush_type {
+        L1D_FLUSH_NONE          = 0x1,
+        L1D_FLUSH_FALLBACK      = 0x2,
+        L1D_FLUSH_ORI           = 0x4,
+        L1D_FLUSH_MTTRIG        = 0x8,
+};
+void __init setup_rfi_flush(enum l1d_flush_type, bool enable);
+void do_rfi_flush_fixups(enum l1d_flush_type types);
 #endif /* !__ASSEMBLY__ */
 #endif  /* _ASM_POWERPC_SETUP_H */
diff --git a/arch/powerpc/include/asm/synch.h b/arch/powerpc/include/asm/synch.h
index c50868681f9e..e8d6a842f4bb 100644
--- a/arch/powerpc/include/asm/synch.h
+++ b/arch/powerpc/include/asm/synch.h
@@ -5,10 +5,6 @@
 #include <linux/stringify.h>
 #include <asm/feature-fixups.h>
-#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC)
-#define __SUBARCH_HAS_LWSYNC
-#endif
 #ifndef __ASSEMBLY__
 extern unsigned int __start___lwsync_fixup, __stop___lwsync_fixup;
 extern void do_lwsync_fixups(unsigned long value, void *fixup_start,
diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
index 40da69163d51..d92705e3a0c1 100644
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -243,6 +243,10 @@ int main(void)
 #ifdef CONFIG_PPC_BOOK3S_64
        DEFINE(PACAMCEMERGSP, offsetof(struct paca_struct, mc_emergency_sp));
        DEFINE(PACA_IN_MCE, offsetof(struct paca_struct, in_mce));
+        DEFINE(PACA_RFI_FLUSH_FALLBACK_AREA, offsetof(struct paca_struct, rfi_flush_fallback_area));
+        DEFINE(PACA_EXRFI, offsetof(struct paca_struct, exrfi));
+        DEFINE(PACA_L1D_FLUSH_CONGRUENCE, offsetof(struct paca_struct, l1d_flush_congruence));
+        DEFINE(PACA_L1D_FLUSH_SETS, offsetof(struct paca_struct, l1d_flush_sets));
 #endif
        DEFINE(PACAHWCPUID, offsetof(struct paca_struct, hw_cpu_id));
        DEFINE(PACAKEXECSTATE, offsetof(struct paca_struct, kexec_state));
diff --git a/arch/powerpc/kernel/cpu_setup_power.S b/arch/powerpc/kernel/cpu_setup_power.S
index 9c9b7411b28b..55eb3b752ca0 100644
--- a/arch/powerpc/kernel/cpu_setup_power.S
+++ b/arch/powerpc/kernel/cpu_setup_power.S
@@ -27,6 +27,7 @@ _GLOBAL(__setup_cpu_power7)
        beqlr
        li      r0,0
        mtspr   SPRN_LPID,r0
+        mtspr   SPRN_PCR,r0
        mfspr   r3,SPRN_LPCR
        bl      __init_LPCR
        bl      __init_tlb_power7
@@ -40,6 +41,7 @@ _GLOBAL(__restore_cpu_power7)
        beqlr
        li      r0,0
        mtspr   SPRN_LPID,r0
+        mtspr   SPRN_PCR,r0
        mfspr   r3,SPRN_LPCR
        bl      __init_LPCR
        bl      __init_tlb_power7
@@ -55,6 +57,7 @@ _GLOBAL(__setup_cpu_power8)
        beqlr
        li      r0,0
        mtspr   SPRN_LPID,r0
+        mtspr   SPRN_PCR,r0
        mfspr   r3,SPRN_LPCR
        ori     r3, r3, LPCR_PECEDH
        bl      __init_LPCR
@@ -74,6 +77,7 @@ _GLOBAL(__restore_cpu_power8)
        beqlr
        li      r0,0
        mtspr   SPRN_LPID,r0
+        mtspr   SPRN_PCR,r0
        mfspr   r3,SPRN_LPCR
        ori     r3, r3, LPCR_PECEDH
        bl      __init_LPCR
diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
index 98f81800e00c..304f07cfa262 100644
--- a/arch/powerpc/kernel/eeh_pe.c
+++ b/arch/powerpc/kernel/eeh_pe.c
@@ -788,7 +788,8 @@ static void eeh_restore_bridge_bars(struct eeh_dev *edev)
        eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]);
        /* PCI Command: 0x4 */
-        eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]);
+        eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] |
+                              PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
        /* Check the PCIe link is ready */
        eeh_bridge_check_link(edev);
diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
index f6fd0332c3a2..59be96917369 100644
--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -36,6 +36,11 @@
 #include <asm/hw_irq.h>
 #include <asm/context_tracking.h>
 #include <asm/tm.h>
+#ifdef CONFIG_PPC_BOOK3S
+#include <asm/exception-64s.h>
+#else
+#include <asm/exception-64e.h>
+#endif
 /*
 * System calls.
@@ -225,13 +230,23 @@ END_FTR_SECTION_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)
        ACCOUNT_CPU_USER_EXIT(r11, r12)
        HMT_MEDIUM_LOW_HAS_PPR
        ld      r13,GPR13(r1)   /* only restore r13 if returning to usermode */
+        ld      r2,GPR2(r1)
+        ld      r1,GPR1(r1)
+        mtlr    r4
+        mtcr    r5
+        mtspr   SPRN_SRR0,r7
+        mtspr   SPRN_SRR1,r8
+        RFI_TO_USER
+        b       .       /* prevent speculative execution */
+        /* exit to kernel */
 1:      ld      r2,GPR2(r1)
        ld      r1,GPR1(r1)
        mtlr    r4
        mtcr    r5
        mtspr   SPRN_SRR0,r7
        mtspr   SPRN_SRR1,r8
-        RFI
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 syscall_error:  
@@ -353,8 +368,7 @@ tabort_syscall:
        mtmsrd  r10, 1
        mtspr   SPRN_SRR0, r11
        mtspr   SPRN_SRR1, r12
+        RFI_TO_USER
-        rfid
        b       .       /* prevent speculative execution */
 #endif
@@ -560,6 +574,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEGMENT)
         * actually hit this code path.
         */
+        isync
        slbie   r6
        slbie   r6              /* Workaround POWER5 < DD2.1 issue */
        slbmte  r7,r0
@@ -887,7 +902,7 @@ BEGIN_FTR_SECTION
 END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
        ACCOUNT_CPU_USER_EXIT(r2, r4)
        REST_GPR(13, r1)
-1:
        mtspr   SPRN_SRR1,r3
        ld      r2,_CCR(r1)
@@ -900,8 +915,22 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
        ld      r3,GPR3(r1)
        ld      r4,GPR4(r1)
        ld      r1,GPR1(r1)
+        RFI_TO_USER
+        b       .       /* prevent speculative execution */
-        rfid
+1:      mtspr   SPRN_SRR1,r3
+        ld      r2,_CCR(r1)
+        mtcrf   0xFF,r2
+        ld      r2,_NIP(r1)
+        mtspr   SPRN_SRR0,r2
+        ld      r0,GPR0(r1)
+        ld      r2,GPR2(r1)
+        ld      r3,GPR3(r1)
+        ld      r4,GPR4(r1)
+        ld      r1,GPR1(r1)
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 #endif /* CONFIG_PPC_BOOK3E */
@@ -1077,7 +1106,7 @@ _GLOBAL(enter_rtas)
        
        mtspr   SPRN_SRR0,r5
        mtspr   SPRN_SRR1,r6
-        rfid
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 rtas_return_loc:
@@ -1102,7 +1131,7 @@ rtas_return_loc:
        mtspr   SPRN_SRR0,r3
        mtspr   SPRN_SRR1,r4
-        rfid
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
        .align  3
@@ -1173,7 +1202,7 @@ _GLOBAL(enter_prom)
        LOAD_REG_IMMEDIATE(r12, MSR_SF | MSR_ISF | MSR_LE)
        andc    r11,r11,r12
        mtsrr1  r11
-        rfid
+        RFI_TO_KERNEL
 #endif /* CONFIG_PPC_BOOK3E */
 1:      /* Return from OF */
diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index b81ccc5fb32d..938a30fef031 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -46,7 +46,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_REAL_LE)				\
        mtspr   SPRN_SRR0,r10 ;                                 \
        ld      r10,PACAKMSR(r13) ;                             \
        mtspr   SPRN_SRR1,r10 ;                                 \
-        rfid ;                                                  \
+        RFI_TO_KERNEL ;                                                         \
        b       . ;     /* prevent speculative execution */
 #define SYSCALL_PSERIES_3                                       \
@@ -54,7 +54,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_REAL_LE)				\
 1:      mfspr   r12,SPRN_SRR1 ;                                 \
        xori    r12,r12,MSR_LE ;                                \
        mtspr   SPRN_SRR1,r12 ;                                 \
-        rfid ;          /* return to userspace */               \
+        RFI_TO_USER ;           /* return to userspace */               \
        b       . ;     /* prevent speculative execution */
 #if defined(CONFIG_RELOCATABLE)
@@ -507,7 +507,7 @@ BEGIN_FTR_SECTION
        LOAD_HANDLER(r12, machine_check_handle_early)
 1:      mtspr   SPRN_SRR0,r12
        mtspr   SPRN_SRR1,r11
-        rfid
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 2:
        /* Stack overflow. Stay on emergency stack and panic.
@@ -601,7 +601,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_CFAR)
        ld      r11,PACA_EXGEN+EX_R11(r13)
        ld      r12,PACA_EXGEN+EX_R12(r13)
        ld      r13,PACA_EXGEN+EX_R13(r13)
-        HRFID
+        HRFI_TO_UNKNOWN
        b       .
 #endif
@@ -666,7 +666,7 @@ masked_##_H##interrupt:					\
        ld      r10,PACA_EXGEN+EX_R10(r13);             \
        ld      r11,PACA_EXGEN+EX_R11(r13);             \
        GET_SCRATCH0(r13);                              \
-        ##_H##rfid;                                     \
+        ##_H##RFI_TO_KERNEL;                            \
        b       .
        
        MASKED_INTERRUPT()
@@ -756,7 +756,7 @@ kvmppc_skip_interrupt:
        addi    r13, r13, 4
        mtspr   SPRN_SRR0, r13
        GET_SCRATCH0(r13)
-        rfid
+        RFI_TO_KERNEL
        b       .
 kvmppc_skip_Hinterrupt:
@@ -768,7 +768,7 @@ kvmppc_skip_Hinterrupt:
        addi    r13, r13, 4
        mtspr   SPRN_HSRR0, r13
        GET_SCRATCH0(r13)
-        hrfid
+        HRFI_TO_KERNEL
        b       .
 #endif
@@ -1439,7 +1439,7 @@ machine_check_handle_early:
        li      r3,MSR_ME
        andc    r10,r10,r3              /* Turn off MSR_ME */
        mtspr   SPRN_SRR1,r10
-        rfid
+        RFI_TO_KERNEL
        b       .
 2:
        /*
@@ -1457,7 +1457,7 @@ machine_check_handle_early:
         */
        bl      machine_check_queue_event
        MACHINE_CHECK_HANDLER_WINDUP
-        rfid
+        RFI_TO_USER_OR_KERNEL
 9:
        /* Deliver the machine check to host kernel in V mode. */
        MACHINE_CHECK_HANDLER_WINDUP
@@ -1503,6 +1503,8 @@ slb_miss_realmode:
        andi.   r10,r12,MSR_RI  /* check for unrecoverable exception */
        beq-    2f
+        andi.   r10,r12,MSR_PR  /* check for user mode (PR != 0) */
+        bne     1f
 .machine        push
 .machine        "power4"
@@ -1516,7 +1518,23 @@ slb_miss_realmode:
        ld      r11,PACA_EXSLB+EX_R11(r13)
        ld      r12,PACA_EXSLB+EX_R12(r13)
        ld      r13,PACA_EXSLB+EX_R13(r13)
-        rfid
+        RFI_TO_KERNEL
+        b       .       /* prevent speculative execution */
+1:
+.machine        push
+.machine        "power4"
+        mtcrf   0x80,r9
+        mtcrf   0x01,r9         /* slb_allocate uses cr0 and cr7 */
+.machine        pop
+        RESTORE_PPR_PACA(PACA_EXSLB, r9)
+        ld      r9,PACA_EXSLB+EX_R9(r13)
+        ld      r10,PACA_EXSLB+EX_R10(r13)
+        ld      r11,PACA_EXSLB+EX_R11(r13)
+        ld      r12,PACA_EXSLB+EX_R12(r13)
+        ld      r13,PACA_EXSLB+EX_R13(r13)
+        RFI_TO_USER
        b       .       /* prevent speculative execution */
 2:      mfspr   r11,SPRN_SRR0
@@ -1525,7 +1543,7 @@ slb_miss_realmode:
        mtspr   SPRN_SRR0,r10
        ld      r10,PACAKMSR(r13)
        mtspr   SPRN_SRR1,r10
-        rfid
+        RFI_TO_KERNEL
        b       .
 unrecov_slb:
@@ -1546,6 +1564,92 @@ power4_fixup_nap:
        blr
 #endif
+        .globl rfi_flush_fallback
+rfi_flush_fallback:
+        SET_SCRATCH0(r13);
+        GET_PACA(r13);
+        std     r9,PACA_EXRFI+EX_R9(r13)
+        std     r10,PACA_EXRFI+EX_R10(r13)
+        std     r11,PACA_EXRFI+EX_R11(r13)
+        std     r12,PACA_EXRFI+EX_R12(r13)
+        std     r8,PACA_EXRFI+EX_R13(r13)
+        mfctr   r9
+        ld      r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13)
+        ld      r11,PACA_L1D_FLUSH_SETS(r13)
+        ld      r12,PACA_L1D_FLUSH_CONGRUENCE(r13)
+        /*
+         * The load adresses are at staggered offsets within cachelines,
+         * which suits some pipelines better (on others it should not
+         * hurt).
+         */
+        addi    r12,r12,8
+        mtctr   r11
+        DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */
+        /* order ld/st prior to dcbt stop all streams with flushing */
+        sync
+1:      li      r8,0
+        .rept   8 /* 8-way set associative */
+        ldx     r11,r10,r8
+        add     r8,r8,r12
+        xor     r11,r11,r11     // Ensure r11 is 0 even if fallback area is not
+        add     r8,r8,r11       // Add 0, this creates a dependency on the ldx
+        .endr
+        addi    r10,r10,128 /* 128 byte cache line */
+        bdnz    1b
+        mtctr   r9
+        ld      r9,PACA_EXRFI+EX_R9(r13)
+        ld      r10,PACA_EXRFI+EX_R10(r13)
+        ld      r11,PACA_EXRFI+EX_R11(r13)
+        ld      r12,PACA_EXRFI+EX_R12(r13)
+        ld      r8,PACA_EXRFI+EX_R13(r13)
+        GET_SCRATCH0(r13);
+        rfid
+        .globl hrfi_flush_fallback
+hrfi_flush_fallback:
+        SET_SCRATCH0(r13);
+        GET_PACA(r13);
+        std     r9,PACA_EXRFI+EX_R9(r13)
+        std     r10,PACA_EXRFI+EX_R10(r13)
+        std     r11,PACA_EXRFI+EX_R11(r13)
+        std     r12,PACA_EXRFI+EX_R12(r13)
+        std     r8,PACA_EXRFI+EX_R13(r13)
+        mfctr   r9
+        ld      r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13)
+        ld      r11,PACA_L1D_FLUSH_SETS(r13)
+        ld      r12,PACA_L1D_FLUSH_CONGRUENCE(r13)
+        /*
+         * The load adresses are at staggered offsets within cachelines,
+         * which suits some pipelines better (on others it should not
+         * hurt).
+         */
+        addi    r12,r12,8
+        mtctr   r11
+        DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */
+        /* order ld/st prior to dcbt stop all streams with flushing */
+        sync
+1:      li      r8,0
+        .rept   8 /* 8-way set associative */
+        ldx     r11,r10,r8
+        add     r8,r8,r12
+        xor     r11,r11,r11     // Ensure r11 is 0 even if fallback area is not
+        add     r8,r8,r11       // Add 0, this creates a dependency on the ldx
+        .endr
+        addi    r10,r10,128 /* 128 byte cache line */
+        bdnz    1b
+        mtctr   r9
+        ld      r9,PACA_EXRFI+EX_R9(r13)
+        ld      r10,PACA_EXRFI+EX_R10(r13)
+        ld      r11,PACA_EXRFI+EX_R11(r13)
+        ld      r12,PACA_EXRFI+EX_R12(r13)
+        ld      r8,PACA_EXRFI+EX_R13(r13)
+        GET_SCRATCH0(r13);
+        hrfid
 /*
 * Hash table stuff
 */
diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
index 26d091a1a54c..791d4c3329c3 100644
--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -1025,6 +1025,9 @@ void fadump_cleanup(void)
                init_fadump_mem_struct(&fdm,
                        be64_to_cpu(fdm_active->cpu_state_data.destination_address));
                fadump_invalidate_dump(&fdm);
+        } else if (fw_dump.dump_registered) {
+                /* Un-register Firmware-assisted dump if it was registered. */
+                fadump_unregister_dump(&fdm);
        }
 }
diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
index 78c1eba4c04a..01e274e6907b 100644
--- a/arch/powerpc/kernel/head_8xx.S
+++ b/arch/powerpc/kernel/head_8xx.S
@@ -720,7 +720,7 @@ start_here:
        tovirt(r6,r6)
        lis     r5, abatron_pteptrs@h
        ori     r5, r5, abatron_pteptrs@l
-        stw     r5, 0xf0(r0)    /* Must match your Abatron config file */
+        stw     r5, 0xf0(0)     /* Must match your Abatron config file */
        tophys(r5,r5)
        stw     r6, 0(r5)
diff --git a/arch/powerpc/kernel/hw_breakpoint.c b/arch/powerpc/kernel/hw_breakpoint.c
index fdf48785d3e9..56e4571e3a02 100644
--- a/arch/powerpc/kernel/hw_breakpoint.c
+++ b/arch/powerpc/kernel/hw_breakpoint.c
@@ -174,8 +174,8 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp)
        if (cpu_has_feature(CPU_FTR_DAWR)) {
                length_max = 512 ; /* 64 doublewords */
                /* DAWR region can't cross 512 boundary */
-                if ((bp->attr.bp_addr >> 10) != 
+                if ((bp->attr.bp_addr >> 9) !=
-                    ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10))
+                    ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9))
                        return -EINVAL;
        }
        if (info->len >
diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S
index db475d41b57a..107588295b39 100644
--- a/arch/powerpc/kernel/misc_64.S
+++ b/arch/powerpc/kernel/misc_64.S
@@ -66,7 +66,7 @@ PPC64_CACHES:
 *   flush all bytes from start through stop-1 inclusive
 */
-_KPROBE(flush_icache_range)
+_KPROBE_TOC(flush_icache_range)
 BEGIN_FTR_SECTION
        PURGE_PREFETCHED_INS
        blr
@@ -117,7 +117,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE)
 *
 *    flush all bytes from start to stop-1 inclusive
 */
-_GLOBAL(flush_dcache_range)
+_GLOBAL_TOC(flush_dcache_range)
 /*
 * Flush the data cache to memory 
@@ -701,31 +701,3 @@ _GLOBAL(kexec_sequence)
        li      r5,0
        blr     /* image->start(physid, image->start, 0); */
 #endif /* CONFIG_KEXEC */
-#ifdef CONFIG_MODULES
-#if defined(_CALL_ELF) && _CALL_ELF == 2
-#ifdef CONFIG_MODVERSIONS
-.weak __crc_TOC.
-.section "___kcrctab+TOC.","a"
-.globl __kcrctab_TOC.
-__kcrctab_TOC.:
-        .llong  __crc_TOC.
-#endif
-/*
- * Export a fake .TOC. since both modpost and depmod will complain otherwise.
- * Both modpost and depmod strip the leading . so we do the same here.
- */
-.section "__ksymtab_strings","a"
-__kstrtab_TOC.:
-        .asciz "TOC."
-.section "___ksymtab+TOC.","a"
-/* This symbol name is important: it's used by modpost to find exported syms */
-.globl __ksymtab_TOC.
-__ksymtab_TOC.:
-        .llong 0 /* .value */
-        .llong __kstrtab_TOC.
-#endif /* ELFv2 */
-#endif /* MODULES */
diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c
index e4f7d4eed20c..08b7a40de5f8 100644
--- a/arch/powerpc/kernel/module_64.c
+++ b/arch/powerpc/kernel/module_64.c
@@ -326,7 +326,10 @@ static void dedotify_versions(struct modversion_info *vers,
                }
 }
-/* Undefined symbols which refer to .funcname, hack to funcname (or .TOC.) */
+/*
+ * Undefined symbols which refer to .funcname, hack to funcname. Make .TOC.
+ * seem to be defined (value set later).
+ */
 static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab)
 {
        unsigned int i;
@@ -334,8 +337,11 @@ static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab)
        for (i = 1; i < numsyms; i++) {
                if (syms[i].st_shndx == SHN_UNDEF) {
                        char *name = strtab + syms[i].st_name;
-                        if (name[0] == '.')
+                        if (name[0] == '.') {
+                                if (strcmp(name+1, "TOC.") == 0)
+                                        syms[i].st_shndx = SHN_ABS;
                                syms[i].st_name++;
+                        }
                }
        }
 }
@@ -351,7 +357,7 @@ static Elf64_Sym *find_dot_toc(Elf64_Shdr *sechdrs,
        numsyms = sechdrs[symindex].sh_size / sizeof(Elf64_Sym);
        for (i = 1; i < numsyms; i++) {
-                if (syms[i].st_shndx == SHN_UNDEF
+                if (syms[i].st_shndx == SHN_ABS
                    && strcmp(strtab + syms[i].st_name, "TOC.") == 0)
                        return &syms[i];
        }
diff --git a/arch/powerpc/kernel/pci_32.c b/arch/powerpc/kernel/pci_32.c
index 1f7930037cb7..d9e41b77dd13 100644
--- a/arch/powerpc/kernel/pci_32.c
+++ b/arch/powerpc/kernel/pci_32.c
@@ -11,6 +11,7 @@
 #include <linux/sched.h>
 #include <linux/errno.h>
 #include <linux/bootmem.h>
+#include <linux/syscalls.h>
 #include <linux/irq.h>
 #include <linux/list.h>
 #include <linux/of.h>
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index cf788d7d7e56..a9b10812cbfd 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -209,7 +209,8 @@ void enable_kernel_vsx(void)
        WARN_ON(preemptible());
 #ifdef CONFIG_SMP
-        if (current->thread.regs && (current->thread.regs->msr & MSR_VSX))
+        if (current->thread.regs &&
+            (current->thread.regs->msr & (MSR_VSX|MSR_VEC|MSR_FP)))
                giveup_vsx(current);
        else
                giveup_vsx(NULL);       /* just enable vsx for kernel - force */
@@ -231,7 +232,7 @@ void flush_vsx_to_thread(struct task_struct *tsk)
 {
        if (tsk->thread.regs) {
                preempt_disable();
-                if (tsk->thread.regs->msr & MSR_VSX) {
+                if (tsk->thread.regs->msr & (MSR_VSX|MSR_VEC|MSR_FP)) {
 #ifdef CONFIG_SMP
                        BUG_ON(tsk != current);
 #endif
diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
index b38fd081b222..3b63655efa3c 100644
--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -1004,6 +1004,7 @@ static int ptrace_set_debugreg(struct task_struct *task, unsigned long addr,
        /* Create a new breakpoint request if one doesn't exist already */
        hw_breakpoint_init(&attr);
        attr.bp_addr = hw_brk.address;
+        attr.bp_len = 8;
        arch_bp_generic_fields(hw_brk.type,
                               &attr.bp_type);
diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
index 44c8d03558ac..318224784114 100644
--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -217,14 +217,6 @@ static int show_cpuinfo(struct seq_file *m, void *v)
        unsigned short maj;
        unsigned short min;
-        /* We only show online cpus: disable preempt (overzealous, I
-         * knew) to prevent cpu going down. */
-        preempt_disable();
-        if (!cpu_online(cpu_id)) {
-                preempt_enable();
-                return 0;
-        }
 #ifdef CONFIG_SMP
        pvr = per_cpu(cpu_pvr, cpu_id);
 #else
@@ -329,9 +321,6 @@ static int show_cpuinfo(struct seq_file *m, void *v)
 #ifdef CONFIG_SMP
        seq_printf(m, "\n");
 #endif
-        preempt_enable();
        /* If this is the last cpu, print the summary */
        if (cpumask_next(cpu_id, cpu_online_mask) >= nr_cpu_ids)
                show_cpuinfo_summary(m);
diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
index a20823210ac0..9eb469bed22b 100644
--- a/arch/powerpc/kernel/setup_64.c
+++ b/arch/powerpc/kernel/setup_64.c
@@ -38,6 +38,7 @@
 #include <linux/hugetlb.h>
 #include <linux/memory.h>
 #include <linux/nmi.h>
+#include <linux/debugfs.h>
 #include <asm/io.h>
 #include <asm/kdump.h>
@@ -835,3 +836,141 @@ static int __init disable_hardlockup_detector(void)
 }
 early_initcall(disable_hardlockup_detector);
 #endif
+#ifdef CONFIG_PPC_BOOK3S_64
+static enum l1d_flush_type enabled_flush_types;
+static void *l1d_flush_fallback_area;
+static bool no_rfi_flush;
+bool rfi_flush;
+static int __init handle_no_rfi_flush(char *p)
+{
+        pr_info("rfi-flush: disabled on command line.");
+        no_rfi_flush = true;
+        return 0;
+}
+early_param("no_rfi_flush", handle_no_rfi_flush);
+/*
+ * The RFI flush is not KPTI, but because users will see doco that says to use
+ * nopti we hijack that option here to also disable the RFI flush.
+ */
+static int __init handle_no_pti(char *p)
+{
+        pr_info("rfi-flush: disabling due to 'nopti' on command line.\n");
+        handle_no_rfi_flush(NULL);
+        return 0;
+}
+early_param("nopti", handle_no_pti);
+static void do_nothing(void *unused)
+{
+        /*
+         * We don't need to do the flush explicitly, just enter+exit kernel is
+         * sufficient, the RFI exit handlers will do the right thing.
+         */
+}
+void rfi_flush_enable(bool enable)
+{
+        if (rfi_flush == enable)
+                return;
+        if (enable) {
+                do_rfi_flush_fixups(enabled_flush_types);
+                on_each_cpu(do_nothing, NULL, 1);
+        } else
+                do_rfi_flush_fixups(L1D_FLUSH_NONE);
+        rfi_flush = enable;
+}
+static void init_fallback_flush(void)
+{
+        u64 l1d_size, limit;
+        int cpu;
+        l1d_size = ppc64_caches.dsize;
+        limit = min(safe_stack_limit(), ppc64_rma_size);
+        /*
+         * Align to L1d size, and size it at 2x L1d size, to catch possible
+         * hardware prefetch runoff. We don't have a recipe for load patterns to
+         * reliably avoid the prefetcher.
+         */
+        l1d_flush_fallback_area = __va(memblock_alloc_base(l1d_size * 2, l1d_size, limit));
+        memset(l1d_flush_fallback_area, 0, l1d_size * 2);
+        for_each_possible_cpu(cpu) {
+                /*
+                 * The fallback flush is currently coded for 8-way
+                 * associativity. Different associativity is possible, but it
+                 * will be treated as 8-way and may not evict the lines as
+                 * effectively.
+                 *
+                 * 128 byte lines are mandatory.
+                 */
+                u64 c = l1d_size / 8;
+                paca[cpu].rfi_flush_fallback_area = l1d_flush_fallback_area;
+                paca[cpu].l1d_flush_congruence = c;
+                paca[cpu].l1d_flush_sets = c / 128;
+        }
+}
+void __init setup_rfi_flush(enum l1d_flush_type types, bool enable)
+{
+        if (types & L1D_FLUSH_FALLBACK) {
+                pr_info("rfi-flush: Using fallback displacement flush\n");
+                init_fallback_flush();
+        }
+        if (types & L1D_FLUSH_ORI)
+                pr_info("rfi-flush: Using ori type flush\n");
+        if (types & L1D_FLUSH_MTTRIG)
+                pr_info("rfi-flush: Using mttrig type flush\n");
+        enabled_flush_types = types;
+        if (!no_rfi_flush)
+                rfi_flush_enable(enable);
+}
+#ifdef CONFIG_DEBUG_FS
+static int rfi_flush_set(void *data, u64 val)
+{
+        if (val == 1)
+                rfi_flush_enable(true);
+        else if (val == 0)
+                rfi_flush_enable(false);
+        else
+                return -EINVAL;
+        return 0;
+}
+static int rfi_flush_get(void *data, u64 *val)
+{
+        *val = rfi_flush ? 1 : 0;
+        return 0;
+}
+DEFINE_SIMPLE_ATTRIBUTE(fops_rfi_flush, rfi_flush_get, rfi_flush_set, "%llu\n");
+static __init int rfi_flush_debugfs_init(void)
+{
+        debugfs_create_file("rfi_flush", 0600, powerpc_debugfs_root, NULL, &fops_rfi_flush);
+        return 0;
+}
+device_initcall(rfi_flush_debugfs_init);
+#endif
+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
+{
+        if (rfi_flush)
+                return sprintf(buf, "Mitigation: RFI Flush\n");
+        return sprintf(buf, "Vulnerable\n");
+}
+#endif /* CONFIG_PPC_BOOK3S_64 */
diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c
index 1be1092c7204..9baba9576e99 100644
--- a/arch/powerpc/kernel/time.c
+++ b/arch/powerpc/kernel/time.c
@@ -686,12 +686,20 @@ static int __init get_freq(char *name, int cells, unsigned long *val)
 static void start_cpu_decrementer(void)
 {
 #if defined(CONFIG_BOOKE) || defined(CONFIG_40x)
+        unsigned int tcr;
        /* Clear any pending timer interrupts */
        mtspr(SPRN_TSR, TSR_ENW | TSR_WIS | TSR_DIS | TSR_FIS);
-        /* Enable decrementer interrupt */
+        tcr = mfspr(SPRN_TCR);
-        mtspr(SPRN_TCR, TCR_DIE);
+        /*
-#endif /* defined(CONFIG_BOOKE) || defined(CONFIG_40x) */
+         * The watchdog may have already been enabled by u-boot. So leave
+         * TRC[WP] (Watchdog Period) alone.
+         */
+        tcr &= TCR_WP_MASK;     /* Clear all bits except for TCR[WP] */
+        tcr |= TCR_DIE;         /* Enable decrementer */
+        mtspr(SPRN_TCR, tcr);
+#endif
 }
 void __init generic_calibrate_decr(void)
diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
index d41fd0af8980..072a23a17350 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -72,6 +72,15 @@ SECTIONS
        /* Read-only data */
        RODATA
+#ifdef CONFIG_PPC64
+        . = ALIGN(8);
+        __rfi_flush_fixup : AT(ADDR(__rfi_flush_fixup) - LOAD_OFFSET) {
+                __start___rfi_flush_fixup = .;
+                *(__rfi_flush_fixup)
+                __stop___rfi_flush_fixup = .;
+        }
+#endif
        EXCEPTION_TABLE(0)
        NOTES :kernel :notes
diff --git a/arch/powerpc/kvm/book3s_64_mmu_host.c b/arch/powerpc/kvm/book3s_64_mmu_host.c
index 79ad35abd196..ddec22828673 100644
--- a/arch/powerpc/kvm/book3s_64_mmu_host.c
+++ b/arch/powerpc/kvm/book3s_64_mmu_host.c
@@ -177,12 +177,15 @@ map_again:
        ret = ppc_md.hpte_insert(hpteg, vpn, hpaddr, rflags, vflags,
                                 hpsize, hpsize, MMU_SEGSIZE_256M);
-        if (ret < 0) {
+        if (ret == -1) {
                /* If we couldn't map a primary PTE, try a secondary */
                hash = ~hash;
                vflags ^= HPTE_V_SECONDARY;
                attempt++;
                goto map_again;
+        } else if (ret < 0) {
+                r = -EIO;
+                goto out_unlock;
        } else {
                trace_kvm_book3s_64_mmu_map(rflags, hpteg,
                                            vpn, hpaddr, orig_pte);
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index 428563b195c3..767ac1572c02 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -3002,15 +3002,17 @@ static int kvmppc_hv_setup_htab_rma(struct kvm_vcpu *vcpu)
                goto up_out;
        psize = vma_kernel_pagesize(vma);
-        porder = __ilog2(psize);
        up_read(&current->mm->mmap_sem);
        /* We can handle 4k, 64k or 16M pages in the VRMA */
-        err = -EINVAL;
+        if (psize >= 0x1000000)
-        if (!(psize == 0x1000 || psize == 0x10000 ||
+                psize = 0x1000000;
-              psize == 0x1000000))
+        else if (psize >= 0x10000)
-                goto out_srcu;
+                psize = 0x10000;
+        else
+                psize = 0x1000;
+        porder = __ilog2(psize);
        /* Update VRMASD field in the LPCR */
        senc = slb_pgsize_encoding(psize);
diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
index ffab9269bfe4..4463718ae614 100644
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -64,7 +64,7 @@ _GLOBAL_TOC(kvmppc_hv_entry_trampoline)
        mtmsrd  r0,1            /* clear RI in MSR */
        mtsrr0  r5
        mtsrr1  r6
-        RFI
+        RFI_TO_KERNEL
 kvmppc_call_hv_entry:
        ld      r4, HSTATE_KVM_VCPU(r13)
@@ -170,7 +170,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
        mtsrr0  r8
        mtsrr1  r7
        beq     cr1, 13f                /* machine check */
-        RFI
+        RFI_TO_KERNEL
        /* On POWER7, we have external interrupts set to use HSRR0/1 */
 11:     mtspr   SPRN_HSRR0, r8
@@ -965,8 +965,7 @@ BEGIN_FTR_SECTION
 END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
        ld      r0, VCPU_GPR(R0)(r4)
        ld      r4, VCPU_GPR(R4)(r4)
+        HRFI_TO_GUEST
-        hrfid
        b       .
 secondary_too_late:
diff --git a/arch/powerpc/kvm/book3s_pr.c b/arch/powerpc/kvm/book3s_pr.c
index 64891b081ad5..81313844d81c 100644
--- a/arch/powerpc/kvm/book3s_pr.c
+++ b/arch/powerpc/kvm/book3s_pr.c
@@ -625,7 +625,11 @@ int kvmppc_handle_pagefault(struct kvm_run *run, struct kvm_vcpu *vcpu,
                        kvmppc_mmu_unmap_page(vcpu, &pte);
                }
                /* The guest's PTE is not mapped yet. Map on the host */
-                kvmppc_mmu_map_page(vcpu, &pte, iswrite);
+                if (kvmppc_mmu_map_page(vcpu, &pte, iswrite) == -EIO) {
+                        /* Exit KVM if mapping failed */
+                        run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+                        return RESUME_HOST;
+                }
                if (data)
                        vcpu->stat.sp_storage++;
                else if (vcpu->arch.mmu.is_dcbz32(vcpu) &&
diff --git a/arch/powerpc/kvm/book3s_pr_papr.c b/arch/powerpc/kvm/book3s_pr_papr.c
index f2c75a1e0536..0d91baf63fed 100644
--- a/arch/powerpc/kvm/book3s_pr_papr.c
+++ b/arch/powerpc/kvm/book3s_pr_papr.c
@@ -50,7 +50,9 @@ static int kvmppc_h_pr_enter(struct kvm_vcpu *vcpu)
        pteg_addr = get_pteg_addr(vcpu, pte_index);
        mutex_lock(&vcpu->kvm->arch.hpt_mutex);
-        copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg));
+        ret = H_FUNCTION;
+        if (copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg)))
+                goto done;
        hpte = pteg;
        ret = H_PTEG_FULL;
@@ -71,7 +73,9 @@ static int kvmppc_h_pr_enter(struct kvm_vcpu *vcpu)
        hpte[0] = cpu_to_be64(kvmppc_get_gpr(vcpu, 6));
        hpte[1] = cpu_to_be64(kvmppc_get_gpr(vcpu, 7));
        pteg_addr += i * HPTE_SIZE;
-        copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE);
+        ret = H_FUNCTION;
+        if (copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE))
+                goto done;
        kvmppc_set_gpr(vcpu, 4, pte_index | i);
        ret = H_SUCCESS;
@@ -93,7 +97,9 @@ static int kvmppc_h_pr_remove(struct kvm_vcpu *vcpu)
        pteg = get_pteg_addr(vcpu, pte_index);
        mutex_lock(&vcpu->kvm->arch.hpt_mutex);
-        copy_from_user(pte, (void __user *)pteg, sizeof(pte));
+        ret = H_FUNCTION;
+        if (copy_from_user(pte, (void __user *)pteg, sizeof(pte)))
+                goto done;
        pte[0] = be64_to_cpu((__force __be64)pte[0]);
        pte[1] = be64_to_cpu((__force __be64)pte[1]);
@@ -103,7 +109,9 @@ static int kvmppc_h_pr_remove(struct kvm_vcpu *vcpu)
            ((flags & H_ANDCOND) && (pte[0] & avpn) != 0))
                goto done;
-        copy_to_user((void __user *)pteg, &v, sizeof(v));
+        ret = H_FUNCTION;
+        if (copy_to_user((void __user *)pteg, &v, sizeof(v)))
+                goto done;
        rb = compute_tlbie_rb(pte[0], pte[1], pte_index);
        vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false);
@@ -171,7 +179,10 @@ static int kvmppc_h_pr_bulk_remove(struct kvm_vcpu *vcpu)
                }
                pteg = get_pteg_addr(vcpu, tsh & H_BULK_REMOVE_PTEX);
-                copy_from_user(pte, (void __user *)pteg, sizeof(pte));
+                if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) {
+                        ret = H_FUNCTION;
+                        break;
+                }
                pte[0] = be64_to_cpu((__force __be64)pte[0]);
                pte[1] = be64_to_cpu((__force __be64)pte[1]);
@@ -184,7 +195,10 @@ static int kvmppc_h_pr_bulk_remove(struct kvm_vcpu *vcpu)
                        tsh |= H_BULK_REMOVE_NOT_FOUND;
                } else {
                        /* Splat the pteg in (userland) hpt */
-                        copy_to_user((void __user *)pteg, &v, sizeof(v));
+                        if (copy_to_user((void __user *)pteg, &v, sizeof(v))) {
+                                ret = H_FUNCTION;
+                                break;
+                        }
                        rb = compute_tlbie_rb(pte[0], pte[1],
                                              tsh & H_BULK_REMOVE_PTEX);
@@ -211,7 +225,9 @@ static int kvmppc_h_pr_protect(struct kvm_vcpu *vcpu)
        pteg = get_pteg_addr(vcpu, pte_index);
        mutex_lock(&vcpu->kvm->arch.hpt_mutex);
-        copy_from_user(pte, (void __user *)pteg, sizeof(pte));
+        ret = H_FUNCTION;
+        if (copy_from_user(pte, (void __user *)pteg, sizeof(pte)))
+                goto done;
        pte[0] = be64_to_cpu((__force __be64)pte[0]);
        pte[1] = be64_to_cpu((__force __be64)pte[1]);
@@ -234,7 +250,9 @@ static int kvmppc_h_pr_protect(struct kvm_vcpu *vcpu)
        vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false);
        pte[0] = (__force u64)cpu_to_be64(pte[0]);
        pte[1] = (__force u64)cpu_to_be64(pte[1]);
-        copy_to_user((void __user *)pteg, pte, sizeof(pte));
+        ret = H_FUNCTION;
+        if (copy_to_user((void __user *)pteg, pte, sizeof(pte)))
+                goto done;
        ret = H_SUCCESS;
 done:
diff --git a/arch/powerpc/kvm/book3s_rmhandlers.S b/arch/powerpc/kvm/book3s_rmhandlers.S
index 16c4d88ba27d..a328f99a887c 100644
--- a/arch/powerpc/kvm/book3s_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_rmhandlers.S
@@ -46,6 +46,9 @@
 #define FUNC(name)              name
+#define RFI_TO_KERNEL   RFI
+#define RFI_TO_GUEST    RFI
 .macro INTERRUPT_TRAMPOLINE intno
 .global kvmppc_trampoline_\intno
@@ -141,7 +144,7 @@ kvmppc_handler_skip_ins:
        GET_SCRATCH0(r13)
        /* And get back into the code */
-        RFI
+        RFI_TO_KERNEL
 #endif
 /*
@@ -164,6 +167,6 @@ _GLOBAL_TOC(kvmppc_entry_trampoline)
        ori     r5, r5, MSR_EE
        mtsrr0  r7
        mtsrr1  r6
-        RFI
+        RFI_TO_KERNEL
 #include "book3s_segment.S"
diff --git a/arch/powerpc/kvm/book3s_segment.S b/arch/powerpc/kvm/book3s_segment.S
index ca8f174289bb..7c982956d709 100644
--- a/arch/powerpc/kvm/book3s_segment.S
+++ b/arch/powerpc/kvm/book3s_segment.S
@@ -156,7 +156,7 @@ no_dcbz32_on:
        PPC_LL  r9, SVCPU_R9(r3)
        PPC_LL  r3, (SVCPU_R3)(r3)
-        RFI
+        RFI_TO_GUEST
 kvmppc_handler_trampoline_enter_end:
@@ -389,5 +389,5 @@ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
        cmpwi   r12, BOOK3S_INTERRUPT_DOORBELL
        beqa    BOOK3S_INTERRUPT_DOORBELL
-        RFI
+        RFI_TO_KERNEL
 kvmppc_handler_trampoline_exit_end:
diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c
index 7ce3870d7ddd..3af014684872 100644
--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -20,6 +20,7 @@
 #include <asm/code-patching.h>
 #include <asm/page.h>
 #include <asm/sections.h>
+#include <asm/setup.h>
 struct fixup_entry {
@@ -52,7 +53,7 @@ static int patch_alt_instruction(unsigned int *src, unsigned int *dest,
                unsigned int *target = (unsigned int *)branch_target(src);
                /* Branch within the section doesn't need translating */
-                if (target < alt_start || target >= alt_end) {
+                if (target < alt_start || target > alt_end) {
                        instr = translate_branch(dest, src);
                        if (!instr)
                                return 1;
@@ -113,6 +114,47 @@ void do_feature_fixups(unsigned long value, void *fixup_start, void *fixup_end)
        }
 }
+#ifdef CONFIG_PPC_BOOK3S_64
+void do_rfi_flush_fixups(enum l1d_flush_type types)
+{
+        unsigned int instrs[3], *dest;
+        long *start, *end;
+        int i;
+        start = PTRRELOC(&__start___rfi_flush_fixup),
+        end = PTRRELOC(&__stop___rfi_flush_fixup);
+        instrs[0] = 0x60000000; /* nop */
+        instrs[1] = 0x60000000; /* nop */
+        instrs[2] = 0x60000000; /* nop */
+        if (types & L1D_FLUSH_FALLBACK)
+                /* b .+16 to fallback flush */
+                instrs[0] = 0x48000010;
+        i = 0;
+        if (types & L1D_FLUSH_ORI) {
+                instrs[i++] = 0x63ff0000; /* ori 31,31,0 speculation barrier */
+                instrs[i++] = 0x63de0000; /* ori 30,30,0 L1d flush*/
+        }
+        if (types & L1D_FLUSH_MTTRIG)
+                instrs[i++] = 0x7c12dba6; /* mtspr TRIG2,r0 (SPR #882) */
+        for (i = 0; start < end; start++, i++) {
+                dest = (void *)start + *start;
+                pr_devel("patching dest %lx\n", (unsigned long)dest);
+                patch_instruction(dest, instrs[0]);
+                patch_instruction(dest + 1, instrs[1]);
+                patch_instruction(dest + 2, instrs[2]);
+        }
+        printk(KERN_DEBUG "rfi-flush: patched %d locations\n", i);
+}
+#endif /* CONFIG_PPC_BOOK3S_64 */
 void do_lwsync_fixups(unsigned long value, void *fixup_start, void *fixup_end)
 {
        long *start, *end;
diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
index a67c6d781c52..d154e333f76b 100644
--- a/arch/powerpc/mm/fault.c
+++ b/arch/powerpc/mm/fault.c
@@ -294,7 +294,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address,
         * can result in fault, which will cause a deadlock when called with
         * mmap_sem held
         */
-        if (user_mode(regs))
+        if (!is_exec && user_mode(regs))
                store_update_sp = store_updates_sp(regs);
        if (user_mode(regs))
diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
index 669a15e7fa76..3c4faa4c2742 100644
--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
@@ -551,7 +551,7 @@ static int numa_setup_cpu(unsigned long lcpu)
        nid = of_node_to_nid_single(cpu);
 out_present:
-        if (nid < 0 || !node_online(nid))
+        if (nid < 0 || !node_possible(nid))
                nid = first_online_node;
        map_cpu_to_node(lcpu, nid);
@@ -951,6 +951,32 @@ static void __init setup_node_data(int nid, u64 start_pfn, u64 end_pfn)
        NODE_DATA(nid)->node_spanned_pages = spanned_pages;
 }
+static void __init find_possible_nodes(void)
+{
+        struct device_node *rtas;
+        u32 numnodes, i;
+        if (min_common_depth <= 0)
+                return;
+        rtas = of_find_node_by_path("/rtas");
+        if (!rtas)
+                return;
+        if (of_property_read_u32_index(rtas,
+                                "ibm,max-associativity-domains",
+                                min_common_depth, &numnodes))
+                goto out;
+        for (i = 0; i < numnodes; i++) {
+                if (!node_possible(i))
+                        node_set(i, node_possible_map);
+        }
+out:
+        of_node_put(rtas);
+}
 void __init initmem_init(void)
 {
        int nid, cpu;
@@ -966,12 +992,15 @@ void __init initmem_init(void)
        memblock_dump_all();
        /*
-         * Reduce the possible NUMA nodes to the online NUMA nodes,
+         * Modify the set of possible NUMA nodes to reflect information
-         * since we do not support node hotplug. This ensures that  we
+         * available about the set of online nodes, and the set of nodes
-         * lower the maximum NUMA node ID to what is actually present.
+         * that we expect to make use of for this platform's affinity
+         * calculations.
         */
        nodes_and(node_possible_map, node_possible_map, node_online_map);
+        find_possible_nodes();
        for_each_online_node(nid) {
                unsigned long start_pfn, end_pfn;
@@ -1304,6 +1333,40 @@ static long vphn_get_associativity(unsigned long cpu,
        return rc;
 }
+static inline int find_and_online_cpu_nid(int cpu)
+{
+        __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0};
+        int new_nid;
+        /* Use associativity from first thread for all siblings */
+        vphn_get_associativity(cpu, associativity);
+        new_nid = associativity_to_nid(associativity);
+        if (new_nid < 0 || !node_possible(new_nid))
+                new_nid = first_online_node;
+        if (NODE_DATA(new_nid) == NULL) {
+#ifdef CONFIG_MEMORY_HOTPLUG
+                /*
+                 * Need to ensure that NODE_DATA is initialized for a node from
+                 * available memory (see memblock_alloc_try_nid). If unable to
+                 * init the node, then default to nearest node that has memory
+                 * installed.
+                 */
+                if (try_online_node(new_nid))
+                        new_nid = first_online_node;
+#else
+                /*
+                 * Default to using the nearest node that has memory installed.
+                 * Otherwise, it would be necessary to patch the kernel MM code
+                 * to deal with more memoryless-node error conditions.
+                 */
+                new_nid = first_online_node;
+#endif
+        }
+        return new_nid;
+}
 /*
 * Update the CPU maps and sysfs entries for a single CPU when its NUMA
 * characteristics change. This function doesn't perform any locking and is
@@ -1369,7 +1432,6 @@ int arch_update_cpu_topology(void)
 {
        unsigned int cpu, sibling, changed = 0;
        struct topology_update_data *updates, *ud;
-        __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0};
        cpumask_t updated_cpus;
        struct device *dev;
        int weight, new_nid, i = 0;
@@ -1404,11 +1466,7 @@ int arch_update_cpu_topology(void)
                        continue;
                }
-                /* Use associativity from first thread for all siblings */
+                new_nid = find_and_online_cpu_nid(cpu);
-                vphn_get_associativity(cpu, associativity);
-                new_nid = associativity_to_nid(associativity);
-                if (new_nid < 0 || !node_online(new_nid))
-                        new_nid = first_online_node;
                if (new_nid == numa_cpu_lookup_table[cpu]) {
                        cpumask_andnot(&cpu_associativity_changes_mask,
diff --git a/arch/powerpc/mm/slb.c b/arch/powerpc/mm/slb.c
index 515730e499fe..309027208f7c 100644
--- a/arch/powerpc/mm/slb.c
+++ b/arch/powerpc/mm/slb.c
@@ -69,14 +69,14 @@ static inline void slb_shadow_update(unsigned long ea, int ssize,
         * updating it.  No write barriers are needed here, provided
         * we only update the current CPU's SLB shadow buffer.
         */
-        p->save_area[index].esid = 0;
+        WRITE_ONCE(p->save_area[index].esid, 0);
-        p->save_area[index].vsid = cpu_to_be64(mk_vsid_data(ea, ssize, flags));
+        WRITE_ONCE(p->save_area[index].vsid, cpu_to_be64(mk_vsid_data(ea, ssize, flags)));
-        p->save_area[index].esid = cpu_to_be64(mk_esid_data(ea, ssize, index));
+        WRITE_ONCE(p->save_area[index].esid, cpu_to_be64(mk_esid_data(ea, ssize, index)));
 }
 static inline void slb_shadow_clear(enum slb_index index)
 {
-        get_slb_shadow()->save_area[index].esid = 0;
+        WRITE_ONCE(get_slb_shadow()->save_area[index].esid, 0);
 }
 static inline void create_shadowed_slbe(unsigned long ea, int ssize,
diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
index 2d66a8446198..345e255c06a2 100644
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c
@@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
                        BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4);
                        PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len));
                        break;
+                case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */
+                        PPC_LWZ_OFFS(r_A, r_skb, K);
+                        break;
                case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */
                        PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len));
                        break;
diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
index b2ab164a8094..30e2e8efbe6b 100644
--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -448,6 +448,16 @@ static void power_pmu_bhrb_read(struct cpu_hw_events *cpuhw)
                                /* invalid entry */
                                continue;
+                        /*
+                         * BHRB rolling buffer could very much contain the kernel
+                         * addresses at this point. Check the privileges before
+                         * exporting it to userspace (avoid exposure of regions
+                         * where we could have speculative execution)
+                         */
+                        if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) &&
+                                is_kernel_addr(addr))
+                                continue;
                        /* Branches are read most recent first (ie. mfbhrb 0 is
                         * the most recent branch).
                         * There are two types of valid entries:
@@ -1188,6 +1198,7 @@ static void power_pmu_disable(struct pmu *pmu)
                 */
                write_mmcr0(cpuhw, val);
                mb();
+                isync();
                /*
                 * Disable instruction sampling if it was enabled
@@ -1196,12 +1207,26 @@ static void power_pmu_disable(struct pmu *pmu)
                        mtspr(SPRN_MMCRA,
                              cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE);
                        mb();
+                        isync();
                }
                cpuhw->disabled = 1;
                cpuhw->n_added = 0;
                ebb_switch_out(mmcr0);
+#ifdef CONFIG_PPC64
+                /*
+                 * These are readable by userspace, may contain kernel
+                 * addresses and are not switched by context switch, so clear
+                 * them now to avoid leaking anything to userspace in general
+                 * including to another process.
+                 */
+                if (ppmu->flags & PPMU_ARCH_207S) {
+                        mtspr(SPRN_SDAR, 0);
+                        mtspr(SPRN_SIAR, 0);
+                }
+#endif
        }
        local_irq_restore(flags);
@@ -1381,7 +1406,7 @@ static int collect_events(struct perf_event *group, int max_count,
        int n = 0;
        struct perf_event *event;
-        if (!is_software_event(group)) {
+        if (group->pmu->task_ctx_nr == perf_hw_context) {
                if (n >= max_count)
                        return -1;
                ctrs[n] = group;
@@ -1389,7 +1414,7 @@ static int collect_events(struct perf_event *group, int max_count,
                events[n++] = group->hw.config;
        }
        list_for_each_entry(event, &group->sibling_list, group_entry) {
-                if (!is_software_event(event) &&
+                if (event->pmu->task_ctx_nr == perf_hw_context &&
                    event->state != PERF_EVENT_STATE_OFF) {
                        if (n >= max_count)
                                return -1;
diff --git a/arch/powerpc/platforms/cell/spufs/coredump.c b/arch/powerpc/platforms/cell/spufs/coredump.c
index be6212ddbf06..7e42e3ec2142 100644
--- a/arch/powerpc/platforms/cell/spufs/coredump.c
+++ b/arch/powerpc/platforms/cell/spufs/coredump.c
@@ -174,6 +174,8 @@ static int spufs_arch_write_note(struct spu_context *ctx, int i,
        if (!dump_skip(cprm,
                       roundup(cprm->written - total + sz, 4) - cprm->written))
                goto Eio;
+        rc = 0;
 out:
        free_page((unsigned long)buf);
        return rc;
diff --git a/arch/powerpc/platforms/chrp/time.c b/arch/powerpc/platforms/chrp/time.c
index f803f4b8ab6f..8608e358217f 100644
--- a/arch/powerpc/platforms/chrp/time.c
+++ b/arch/powerpc/platforms/chrp/time.c
@@ -27,6 +27,8 @@
 #include <asm/sections.h>
 #include <asm/time.h>
+#include <platforms/chrp/chrp.h>
 extern spinlock_t rtc_lock;
 #define NVRAM_AS0  0x74
@@ -62,7 +64,7 @@ long __init chrp_time_init(void)
        return 0;
 }
-int chrp_cmos_clock_read(int addr)
+static int chrp_cmos_clock_read(int addr)
 {
        if (nvram_as1 != 0)
                outb(addr>>8, nvram_as1);
@@ -70,7 +72,7 @@ int chrp_cmos_clock_read(int addr)
        return (inb(nvram_data));
 }
-void chrp_cmos_clock_write(unsigned long val, int addr)
+static void chrp_cmos_clock_write(unsigned long val, int addr)
 {
        if (nvram_as1 != 0)
                outb(addr>>8, nvram_as1);
diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
index 9b7975706bfc..9485f1024d46 100644
--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
+++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
@@ -35,6 +35,8 @@
 */
 #define HW_BROADWAY_ICR         0x00
 #define HW_BROADWAY_IMR         0x04
+#define HW_STARLET_ICR          0x08
+#define HW_STARLET_IMR          0x0c
 /*
@@ -74,6 +76,9 @@ static void hlwd_pic_unmask(struct irq_data *d)
        void __iomem *io_base = irq_data_get_irq_chip_data(d);
        setbits32(io_base + HW_BROADWAY_IMR, 1 << irq);
+        /* Make sure the ARM (aka. Starlet) doesn't handle this interrupt. */
+        clrbits32(io_base + HW_STARLET_IMR, 1 << irq);
 }
diff --git a/arch/powerpc/platforms/powermac/bootx_init.c b/arch/powerpc/platforms/powermac/bootx_init.c
index 76f5013c35e5..89237b84b096 100644
--- a/arch/powerpc/platforms/powermac/bootx_init.c
+++ b/arch/powerpc/platforms/powermac/bootx_init.c
@@ -467,7 +467,7 @@ void __init bootx_init(unsigned long r3, unsigned long r4)
        boot_infos_t *bi = (boot_infos_t *) r4;
        unsigned long hdr;
        unsigned long space;
-        unsigned long ptr, x;
+        unsigned long ptr;
        char *model;
        unsigned long offset = reloc_offset();
@@ -561,6 +561,8 @@ void __init bootx_init(unsigned long r3, unsigned long r4)
         * MMU switched OFF, so this should not be useful anymore.
         */
        if (bi->version < 4) {
+                unsigned long x __maybe_unused;
                bootx_printf("Touching pages...\n");
                /*
diff --git a/arch/powerpc/platforms/powermac/setup.c b/arch/powerpc/platforms/powermac/setup.c
index 8dd78f4e1af4..32fc56cf6261 100644
--- a/arch/powerpc/platforms/powermac/setup.c
+++ b/arch/powerpc/platforms/powermac/setup.c
@@ -359,6 +359,7 @@ static int pmac_late_init(void)
 }
 machine_late_initcall(powermac, pmac_late_init);
+void note_bootable_part(dev_t dev, int part, int goodness);
 /*
 * This is __init_refok because we check for "initializing" before
 * touching any of the __init sensitive things and "initializing"
diff --git a/arch/powerpc/platforms/powernv/eeh-powernv.c b/arch/powerpc/platforms/powernv/eeh-powernv.c
index 92736851c795..3f653f5201e7 100644
--- a/arch/powerpc/platforms/powernv/eeh-powernv.c
+++ b/arch/powerpc/platforms/powernv/eeh-powernv.c
@@ -48,8 +48,8 @@ static int pnv_eeh_init(void)
        struct pci_controller *hose;
        struct pnv_phb *phb;
-        if (!firmware_has_feature(FW_FEATURE_OPALv3)) {
+        if (!firmware_has_feature(FW_FEATURE_OPAL)) {
-                pr_warn("%s: OPALv3 is required !\n",
+                pr_warn("%s: OPAL is required !\n",
                        __func__);
                return -EINVAL;
        }
diff --git a/arch/powerpc/platforms/powernv/idle.c b/arch/powerpc/platforms/powernv/idle.c
index 59d735d2e5c0..15bfbcd5debc 100644
--- a/arch/powerpc/platforms/powernv/idle.c
+++ b/arch/powerpc/platforms/powernv/idle.c
@@ -242,7 +242,7 @@ static int __init pnv_init_idle_states(void)
        if (cpuidle_disable != IDLE_NO_OVERRIDE)
                goto out;
-        if (!firmware_has_feature(FW_FEATURE_OPALv3))
+        if (!firmware_has_feature(FW_FEATURE_OPAL))
                goto out;
        power_mgt = of_find_node_by_path("/ibm,opal/power-mgt");
diff --git a/arch/powerpc/platforms/powernv/opal-nvram.c b/arch/powerpc/platforms/powernv/opal-nvram.c
index 9db4398ded5d..5584247f5029 100644
--- a/arch/powerpc/platforms/powernv/opal-nvram.c
+++ b/arch/powerpc/platforms/powernv/opal-nvram.c
@@ -11,6 +11,7 @@
 #define DEBUG
+#include <linux/delay.h>
 #include <linux/kernel.h>
 #include <linux/init.h>
 #include <linux/of.h>
@@ -43,6 +44,10 @@ static ssize_t opal_nvram_read(char *buf, size_t count, loff_t *index)
        return count;
 }
+/*
+ * This can be called in the panic path with interrupts off, so use
+ * mdelay in that case.
+ */
 static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index)
 {
        s64 rc = OPAL_BUSY;
@@ -56,9 +61,23 @@ static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index)
        while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) {
                rc = opal_write_nvram(__pa(buf), count, off);
-                if (rc == OPAL_BUSY_EVENT)
+                if (rc == OPAL_BUSY_EVENT) {
+                        if (in_interrupt() || irqs_disabled())
+                                mdelay(OPAL_BUSY_DELAY_MS);
+                        else
+                                msleep(OPAL_BUSY_DELAY_MS);
                        opal_poll_events(NULL);
+                } else if (rc == OPAL_BUSY) {
+                        if (in_interrupt() || irqs_disabled())
+                                mdelay(OPAL_BUSY_DELAY_MS);
+                        else
+                                msleep(OPAL_BUSY_DELAY_MS);
+                }
        }
+        if (rc)
+                return -EIO;
        *index += count;
        return count;
 }
diff --git a/arch/powerpc/platforms/powernv/opal-xscom.c b/arch/powerpc/platforms/powernv/opal-xscom.c
index 7634d1c62299..d0ac535cf5d7 100644
--- a/arch/powerpc/platforms/powernv/opal-xscom.c
+++ b/arch/powerpc/platforms/powernv/opal-xscom.c
@@ -126,7 +126,7 @@ static const struct scom_controller opal_scom_controller = {
 static int opal_xscom_init(void)
 {
-        if (firmware_has_feature(FW_FEATURE_OPALv3))
+        if (firmware_has_feature(FW_FEATURE_OPAL))
                scom_init(&opal_scom_controller);
        return 0;
 }
diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
index ae29eaf85e9e..e48826aa314c 100644
--- a/arch/powerpc/platforms/powernv/opal.c
+++ b/arch/powerpc/platforms/powernv/opal.c
@@ -98,16 +98,11 @@ int __init early_init_dt_scan_opal(unsigned long node,
        pr_debug("OPAL Entry = 0x%llx (sizep=%p runtimesz=%d)\n",
                 opal.size, sizep, runtimesz);
-        powerpc_firmware_features |= FW_FEATURE_OPAL;
        if (of_flat_dt_is_compatible(node, "ibm,opal-v3")) {
-                powerpc_firmware_features |= FW_FEATURE_OPALv2;
+                powerpc_firmware_features |= FW_FEATURE_OPAL;
-                powerpc_firmware_features |= FW_FEATURE_OPALv3;
+                pr_info("OPAL detected !\n");
-                pr_info("OPAL V3 detected !\n");
-        } else if (of_flat_dt_is_compatible(node, "ibm,opal-v2")) {
-                powerpc_firmware_features |= FW_FEATURE_OPALv2;
-                pr_info("OPAL V2 detected !\n");
        } else {
-                pr_info("OPAL V1 detected !\n");
+                panic("OPAL != V3 detected, no longer supported.\n");
        }
        /* Reinit all cores with the right endian */
@@ -352,17 +347,15 @@ int opal_put_chars(uint32_t vtermno, const char *data, int total_len)
         * enough room and be done with it
         */
        spin_lock_irqsave(&opal_write_lock, flags);
-        if (firmware_has_feature(FW_FEATURE_OPALv2)) {
+        rc = opal_console_write_buffer_space(vtermno, &olen);
-                rc = opal_console_write_buffer_space(vtermno, &olen);
+        len = be64_to_cpu(olen);
-                len = be64_to_cpu(olen);
+        if (rc || len < total_len) {
-                if (rc || len < total_len) {
+                spin_unlock_irqrestore(&opal_write_lock, flags);
-                        spin_unlock_irqrestore(&opal_write_lock, flags);
+                /* Closed -> drop characters */
-                        /* Closed -> drop characters */
+                if (rc)
-                        if (rc)
+                        return total_len;
-                                return total_len;
+                opal_poll_events(NULL);
-                        opal_poll_events(NULL);
+                return -EAGAIN;
-                        return -EAGAIN;
-                }
        }
        /* We still try to handle partial completions, though they
@@ -696,10 +689,7 @@ static int __init opal_init(void)
        }
        /* Register OPAL consoles if any ports */
-        if (firmware_has_feature(FW_FEATURE_OPALv2))
+        consoles = of_find_node_by_path("/ibm,opal/consoles");
-                consoles = of_find_node_by_path("/ibm,opal/consoles");
-        else
-                consoles = of_node_get(opal_node);
        if (consoles) {
                for_each_child_of_node(consoles, np) {
                        if (strcmp(np->name, "serial"))
diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c
index ecb7f3220355..eac3b7cc78c6 100644
--- a/arch/powerpc/platforms/powernv/pci-ioda.c
+++ b/arch/powerpc/platforms/powernv/pci-ioda.c
@@ -344,7 +344,7 @@ static void __init pnv_ioda_parse_m64_window(struct pnv_phb *phb)
                return;
        }
-        if (!firmware_has_feature(FW_FEATURE_OPALv3)) {
+        if (!firmware_has_feature(FW_FEATURE_OPAL)) {
                pr_info("  Firmware too old to support M64 window\n");
                return;
        }
diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
index f48afc06ba14..c57afc619b20 100644
--- a/arch/powerpc/platforms/powernv/setup.c
+++ b/arch/powerpc/platforms/powernv/setup.c
@@ -35,13 +35,63 @@
 #include <asm/opal.h>
 #include <asm/kexec.h>
 #include <asm/smp.h>
+#include <asm/tm.h>
+#include <asm/setup.h>
 #include "powernv.h"
+static void pnv_setup_rfi_flush(void)
+{
+        struct device_node *np, *fw_features;
+        enum l1d_flush_type type;
+        int enable;
+        /* Default to fallback in case fw-features are not available */
+        type = L1D_FLUSH_FALLBACK;
+        enable = 1;
+        np = of_find_node_by_name(NULL, "ibm,opal");
+        fw_features = of_get_child_by_name(np, "fw-features");
+        of_node_put(np);
+        if (fw_features) {
+                np = of_get_child_by_name(fw_features, "inst-l1d-flush-trig2");
+                if (np && of_property_read_bool(np, "enabled"))
+                        type = L1D_FLUSH_MTTRIG;
+                of_node_put(np);
+                np = of_get_child_by_name(fw_features, "inst-l1d-flush-ori30,30,0");
+                if (np && of_property_read_bool(np, "enabled"))
+                        type = L1D_FLUSH_ORI;
+                of_node_put(np);
+                /* Enable unless firmware says NOT to */
+                enable = 2;
+                np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-hv-1-to-0");
+                if (np && of_property_read_bool(np, "disabled"))
+                        enable--;
+                of_node_put(np);
+                np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-pr-0-to-1");
+                if (np && of_property_read_bool(np, "disabled"))
+                        enable--;
+                of_node_put(np);
+                of_node_put(fw_features);
+        }
+        setup_rfi_flush(type, enable > 0);
+}
 static void __init pnv_setup_arch(void)
 {
        set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT);
+        pnv_setup_rfi_flush();
        /* Initialize SMP */
        pnv_smp_init();
@@ -90,12 +140,8 @@ static void pnv_show_cpuinfo(struct seq_file *m)
        if (root)
                model = of_get_property(root, "model", NULL);
        seq_printf(m, "machine\t\t: PowerNV %s\n", model);
-        if (firmware_has_feature(FW_FEATURE_OPALv3))
+        if (firmware_has_feature(FW_FEATURE_OPAL))
-                seq_printf(m, "firmware\t: OPAL v3\n");
+                seq_printf(m, "firmware\t: OPAL\n");
-        else if (firmware_has_feature(FW_FEATURE_OPALv2))
-                seq_printf(m, "firmware\t: OPAL v2\n");
-        else if (firmware_has_feature(FW_FEATURE_OPAL))
-                seq_printf(m, "firmware\t: OPAL v1\n");
        else
                seq_printf(m, "firmware\t: BML\n");
        of_node_put(root);
@@ -224,9 +270,9 @@ static void pnv_kexec_cpu_down(int crash_shutdown, int secondary)
 {
        xics_kexec_teardown_cpu(secondary);
-        /* On OPAL v3, we return all CPUs to firmware */
+        /* On OPAL, we return all CPUs to firmware */
-        if (!firmware_has_feature(FW_FEATURE_OPALv3))
+        if (!firmware_has_feature(FW_FEATURE_OPAL))
                return;
        if (secondary) {
diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c
index ca264833ee64..ad7b1a3dbed0 100644
--- a/arch/powerpc/platforms/powernv/smp.c
+++ b/arch/powerpc/platforms/powernv/smp.c
@@ -61,14 +61,15 @@ static int pnv_smp_kick_cpu(int nr)
        unsigned long start_here =
                        __pa(ppc_function_entry(generic_secondary_smp_init));
        long rc;
+        uint8_t status;
        BUG_ON(nr < 0 || nr >= NR_CPUS);
        /*
-         * If we already started or OPALv2 is not supported, we just
+         * If we already started or OPAL is not supported, we just
         * kick the CPU via the PACA
         */
-        if (paca[nr].cpu_start || !firmware_has_feature(FW_FEATURE_OPALv2))
+        if (paca[nr].cpu_start || !firmware_has_feature(FW_FEATURE_OPAL))
                goto kick;
        /*
@@ -77,55 +78,42 @@ static int pnv_smp_kick_cpu(int nr)
         * first time. OPAL v3 allows us to query OPAL to know if it
         * has the CPUs, so we do that
         */
-        if (firmware_has_feature(FW_FEATURE_OPALv3)) {
+        rc = opal_query_cpu_status(pcpu, &status);
-                uint8_t status;
+        if (rc != OPAL_SUCCESS) {
+                pr_warn("OPAL Error %ld querying CPU %d state\n", rc, nr);
-                rc = opal_query_cpu_status(pcpu, &status);
+                return -ENODEV;
-                if (rc != OPAL_SUCCESS) {
+        }
-                        pr_warn("OPAL Error %ld querying CPU %d state\n",
-                                rc, nr);
-                        return -ENODEV;
-                }
-                /*
+        /*
-                 * Already started, just kick it, probably coming from
+         * Already started, just kick it, probably coming from
-                 * kexec and spinning
+         * kexec and spinning
-                 */
+         */
-                if (status == OPAL_THREAD_STARTED)
+        if (status == OPAL_THREAD_STARTED)
-                        goto kick;
+                goto kick;
-                /*
+        /*
-                 * Available/inactive, let's kick it
+         * Available/inactive, let's kick it
-                 */
+         */
-                if (status == OPAL_THREAD_INACTIVE) {
+        if (status == OPAL_THREAD_INACTIVE) {
-                        pr_devel("OPAL: Starting CPU %d (HW 0x%x)...\n",
+                pr_devel("OPAL: Starting CPU %d (HW 0x%x)...\n", nr, pcpu);
-                                 nr, pcpu);
+                rc = opal_start_cpu(pcpu, start_here);
-                        rc = opal_start_cpu(pcpu, start_here);
+                if (rc != OPAL_SUCCESS) {
-                        if (rc != OPAL_SUCCESS) {
+                        pr_warn("OPAL Error %ld starting CPU %d\n", rc, nr);
-                                pr_warn("OPAL Error %ld starting CPU %d\n",
-                                        rc, nr);
-                                return -ENODEV;
-                        }
-                } else {
-                        /*
-                         * An unavailable CPU (or any other unknown status)
-                         * shouldn't be started. It should also
-                         * not be in the possible map but currently it can
-                         * happen
-                         */
-                        pr_devel("OPAL: CPU %d (HW 0x%x) is unavailable"
-                                 " (status %d)...\n", nr, pcpu, status);
                        return -ENODEV;
                }
        } else {
                /*
-                 * On OPAL v2, we just kick it and hope for the best,
+                 * An unavailable CPU (or any other unknown status)
-                 * we must not test the error from opal_start_cpu() or
+                 * shouldn't be started. It should also
-                 * we would fail to get CPUs from kexec.
+                 * not be in the possible map but currently it can
+                 * happen
                 */
-                opal_start_cpu(pcpu, start_here);
+                pr_devel("OPAL: CPU %d (HW 0x%x) is unavailable"
+                         " (status %d)...\n", nr, pcpu, status);
+                return -ENODEV;
        }
- kick:
+kick:
        return smp_generic_kick_cpu(nr);
 }
diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
index 36df46eaba24..dd2545fc9947 100644
--- a/arch/powerpc/platforms/pseries/setup.c
+++ b/arch/powerpc/platforms/pseries/setup.c
@@ -499,6 +499,39 @@ static void __init find_and_init_phbs(void)
        of_pci_check_probe_only();
 }
+static void pseries_setup_rfi_flush(void)
+{
+        struct h_cpu_char_result result;
+        enum l1d_flush_type types;
+        bool enable;
+        long rc;
+        /* Enable by default */
+        enable = true;
+        rc = plpar_get_cpu_characteristics(&result);
+        if (rc == H_SUCCESS) {
+                types = L1D_FLUSH_NONE;
+                if (result.character & H_CPU_CHAR_L1D_FLUSH_TRIG2)
+                        types |= L1D_FLUSH_MTTRIG;
+                if (result.character & H_CPU_CHAR_L1D_FLUSH_ORI30)
+                        types |= L1D_FLUSH_ORI;
+                /* Use fallback if nothing set in hcall */
+                if (types == L1D_FLUSH_NONE)
+                        types = L1D_FLUSH_FALLBACK;
+                if (!(result.behaviour & H_CPU_BEHAV_L1D_FLUSH_PR))
+                        enable = false;
+        } else {
+                /* Default to fallback if case hcall is not available */
+                types = L1D_FLUSH_FALLBACK;
+        }
+        setup_rfi_flush(types, enable);
+}
 static void __init pSeries_setup_arch(void)
 {
        set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT);
@@ -515,7 +548,9 @@ static void __init pSeries_setup_arch(void)
        fwnmi_init();
-        /* By default, only probe PCI (can be overriden by rtas_pci) */
+        pseries_setup_rfi_flush();
+        /* By default, only probe PCI (can be overridden by rtas_pci) */
        pci_add_flags(PCI_PROBE_ONLY);
        /* Find and initialize PCI host bridges */
diff --git a/arch/powerpc/sysdev/mpic.c b/arch/powerpc/sysdev/mpic.c
index 2a0452e364ba..d11f931cac69 100644
--- a/arch/powerpc/sysdev/mpic.c
+++ b/arch/powerpc/sysdev/mpic.c
@@ -626,7 +626,7 @@ static inline u32 mpic_physmask(u32 cpumask)
        int i;
        u32 mask = 0;
-        for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1)
+        for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1)
                mask |= (cpumask & 1) << get_hard_smp_processor_id(i);
        return mask;
 }
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index c41094ca3b73..8862d043977a 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -114,6 +114,7 @@ config S390
        select GENERIC_CLOCKEVENTS
        select GENERIC_CPU_AUTOPROBE
        select GENERIC_CPU_DEVICES if !SMP
+        select GENERIC_CPU_VULNERABILITIES
        select GENERIC_FIND_FIRST_BIT
        select GENERIC_SMP_IDLE_THREAD
        select GENERIC_TIME_VSYSCALL
@@ -127,6 +128,7 @@ config S390
        select HAVE_ARCH_TRACEHOOK
        select HAVE_ARCH_TRANSPARENT_HUGEPAGE
        select HAVE_BPF_JIT if PACK_STACK && HAVE_MARCH_Z196_FEATURES
+        select HAVE_EBPF_JIT if PACK_STACK && HAVE_MARCH_Z196_FEATURES
        select HAVE_CMPXCHG_DOUBLE
        select HAVE_CMPXCHG_LOCAL
        select HAVE_DEBUG_KMEMLEAK
@@ -708,6 +710,51 @@ config SECCOMP
          If unsure, say Y.
+config KERNEL_NOBP
+        def_bool n
+        prompt "Enable modified branch prediction for the kernel by default"
+        help
+          If this option is selected the kernel will switch to a modified
+          branch prediction mode if the firmware interface is available.
+          The modified branch prediction mode improves the behaviour in
+          regard to speculative execution.
+          With the option enabled the kernel parameter "nobp=0" or "nospec"
+          can be used to run the kernel in the normal branch prediction mode.
+          With the option disabled the modified branch prediction mode is
+          enabled with the "nobp=1" kernel parameter.
+          If unsure, say N.
+config EXPOLINE
+        def_bool n
+        prompt "Avoid speculative indirect branches in the kernel"
+        help
+          Compile the kernel with the expoline compiler options to guard
+          against kernel-to-user data leaks by avoiding speculative indirect
+          branches.
+          Requires a compiler with -mindirect-branch=thunk support for full
+          protection. The kernel may run slower.
+          If unsure, say N.
+choice
+        prompt "Expoline default"
+        depends on EXPOLINE
+        default EXPOLINE_FULL
+config EXPOLINE_OFF
+        bool "spectre_v2=off"
+config EXPOLINE_AUTO
+        bool "spectre_v2=auto"
+config EXPOLINE_FULL
+        bool "spectre_v2=on"
+endchoice
 endmenu
 menu "Power Management"
@@ -757,6 +804,7 @@ config PFAULT
 config SHARED_KERNEL
        bool "VM shared kernel support"
        depends on !JUMP_LABEL
+        depends on !ALTERNATIVES
        help
          Select this option, if you want to share the text segment of the
          Linux kernel between different VM guests. This reduces memory
diff --git a/arch/s390/Makefile b/arch/s390/Makefile
index e8d4423e4f85..d924f9b6dc73 100644
--- a/arch/s390/Makefile
+++ b/arch/s390/Makefile
@@ -77,6 +77,16 @@ ifeq ($(call cc-option-yn,-mwarn-dynamicstack),y)
 cflags-$(CONFIG_WARN_DYNAMIC_STACK) += -mwarn-dynamicstack
 endif
+ifdef CONFIG_EXPOLINE
+  ifeq ($(call cc-option-yn,$(CC_FLAGS_MARCH) -mindirect-branch=thunk),y)
+    CC_FLAGS_EXPOLINE := -mindirect-branch=thunk
+    CC_FLAGS_EXPOLINE += -mfunction-return=thunk
+    CC_FLAGS_EXPOLINE += -mindirect-branch-table
+    export CC_FLAGS_EXPOLINE
+    cflags-y += $(CC_FLAGS_EXPOLINE) -DCC_USING_EXPOLINE
+  endif
+endif
 ifdef CONFIG_FUNCTION_TRACER
 # make use of hotpatch feature if the compiler supports it
 cc_hotpatch     := -mhotpatch=0,3
diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c
index b2e5902bd8f4..c670279b33f0 100644
--- a/arch/s390/hypfs/inode.c
+++ b/arch/s390/hypfs/inode.c
@@ -318,7 +318,7 @@ static void hypfs_kill_super(struct super_block *sb)
        if (sb->s_root)
                hypfs_delete_tree(sb->s_root);
-        if (sb_info->update_file)
+        if (sb_info && sb_info->update_file)
                hypfs_remove(sb_info->update_file);
        kfree(sb->s_fs_info);
        sb->s_fs_info = NULL;
diff --git a/arch/s390/include/asm/alternative-asm.h b/arch/s390/include/asm/alternative-asm.h
new file mode 100644
index 000000000000..955d620db23e
--- /dev/null
+++ b/arch/s390/include/asm/alternative-asm.h
@@ -0,0 +1,108 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_S390_ALTERNATIVE_ASM_H
+#define _ASM_S390_ALTERNATIVE_ASM_H
+#ifdef __ASSEMBLY__
+/*
+ * Check the length of an instruction sequence. The length may not be larger
+ * than 254 bytes and it has to be divisible by 2.
+ */
+.macro alt_len_check start,end
+        .if ( \end - \start ) > 254
+        .error "cpu alternatives does not support instructions blocks > 254 bytes\n"
+        .endif
+        .if ( \end - \start ) % 2
+        .error "cpu alternatives instructions length is odd\n"
+        .endif
+.endm
+/*
+ * Issue one struct alt_instr descriptor entry (need to put it into
+ * the section .altinstructions, see below). This entry contains
+ * enough information for the alternatives patching code to patch an
+ * instruction. See apply_alternatives().
+ */
+.macro alt_entry orig_start, orig_end, alt_start, alt_end, feature
+        .long   \orig_start - .
+        .long   \alt_start - .
+        .word   \feature
+        .byte   \orig_end - \orig_start
+        .byte   \alt_end - \alt_start
+.endm
+/*
+ * Fill up @bytes with nops. The macro emits 6-byte nop instructions
+ * for the bulk of the area, possibly followed by a 4-byte and/or
+ * a 2-byte nop if the size of the area is not divisible by 6.
+ */
+.macro alt_pad_fill bytes
+        .fill   ( \bytes ) / 6, 6, 0xc0040000
+        .fill   ( \bytes ) % 6 / 4, 4, 0x47000000
+        .fill   ( \bytes ) % 6 % 4 / 2, 2, 0x0700
+.endm
+/*
+ * Fill up @bytes with nops. If the number of bytes is larger
+ * than 6, emit a jg instruction to branch over all nops, then
+ * fill an area of size (@bytes - 6) with nop instructions.
+ */
+.macro alt_pad bytes
+        .if ( \bytes > 0 )
+        .if ( \bytes > 6 )
+        jg      . + \bytes
+        alt_pad_fill \bytes - 6
+        .else
+        alt_pad_fill \bytes
+        .endif
+        .endif
+.endm
+/*
+ * Define an alternative between two instructions. If @feature is
+ * present, early code in apply_alternatives() replaces @oldinstr with
+ * @newinstr. ".skip" directive takes care of proper instruction padding
+ * in case @newinstr is longer than @oldinstr.
+ */
+.macro ALTERNATIVE oldinstr, newinstr, feature
+        .pushsection .altinstr_replacement,"ax"
+770:    \newinstr
+771:    .popsection
+772:    \oldinstr
+773:    alt_len_check 770b, 771b
+        alt_len_check 772b, 773b
+        alt_pad ( ( 771b - 770b ) - ( 773b - 772b ) )
+774:    .pushsection .altinstructions,"a"
+        alt_entry 772b, 774b, 770b, 771b, \feature
+        .popsection
+.endm
+/*
+ * Define an alternative between two instructions. If @feature is
+ * present, early code in apply_alternatives() replaces @oldinstr with
+ * @newinstr. ".skip" directive takes care of proper instruction padding
+ * in case @newinstr is longer than @oldinstr.
+ */
+.macro ALTERNATIVE_2 oldinstr, newinstr1, feature1, newinstr2, feature2
+        .pushsection .altinstr_replacement,"ax"
+770:    \newinstr1
+771:    \newinstr2
+772:    .popsection
+773:    \oldinstr
+774:    alt_len_check 770b, 771b
+        alt_len_check 771b, 772b
+        alt_len_check 773b, 774b
+        .if ( 771b - 770b > 772b - 771b )
+        alt_pad ( ( 771b - 770b ) - ( 774b - 773b ) )
+        .else
+        alt_pad ( ( 772b - 771b ) - ( 774b - 773b ) )
+        .endif
+775:    .pushsection .altinstructions,"a"
+        alt_entry 773b, 775b, 770b, 771b,\feature1
+        alt_entry 773b, 775b, 771b, 772b,\feature2
+        .popsection
+.endm
+#endif  /*  __ASSEMBLY__  */
+#endif /* _ASM_S390_ALTERNATIVE_ASM_H */
diff --git a/arch/s390/include/asm/alternative.h b/arch/s390/include/asm/alternative.h
new file mode 100644
index 000000000000..a72002056b54
--- /dev/null
+++ b/arch/s390/include/asm/alternative.h
@@ -0,0 +1,149 @@
+#ifndef _ASM_S390_ALTERNATIVE_H
+#define _ASM_S390_ALTERNATIVE_H
+#ifndef __ASSEMBLY__
+#include <linux/types.h>
+#include <linux/stddef.h>
+#include <linux/stringify.h>
+struct alt_instr {
+        s32 instr_offset;       /* original instruction */
+        s32 repl_offset;        /* offset to replacement instruction */
+        u16 facility;           /* facility bit set for replacement */
+        u8  instrlen;           /* length of original instruction */
+        u8  replacementlen;     /* length of new instruction */
+} __packed;
+void apply_alternative_instructions(void);
+void apply_alternatives(struct alt_instr *start, struct alt_instr *end);
+/*
+ * |661:       |662:      |6620      |663:
+ * +-----------+---------------------+
+ * | oldinstr  | oldinstr_padding    |
+ * |           +----------+----------+
+ * |           |          |          |
+ * |           | >6 bytes |6/4/2 nops|
+ * |           |6 bytes jg----------->
+ * +-----------+---------------------+
+ *               ^^ static padding ^^
+ *
+ * .altinstr_replacement section
+ * +---------------------+-----------+
+ * |6641:                            |6651:
+ * | alternative instr 1             |
+ * +-----------+---------+- - - - - -+
+ * |6642:                |6652:      |
+ * | alternative instr 2 | padding
+ * +---------------------+- - - - - -+
+ *                        ^ runtime ^
+ *
+ * .altinstructions section
+ * +---------------------------------+
+ * | alt_instr entries for each      |
+ * | alternative instr               |
+ * +---------------------------------+
+ */
+#define b_altinstr(num) "664"#num
+#define e_altinstr(num) "665"#num
+#define e_oldinstr_pad_end      "663"
+#define oldinstr_len            "662b-661b"
+#define oldinstr_total_len      e_oldinstr_pad_end"b-661b"
+#define altinstr_len(num)       e_altinstr(num)"b-"b_altinstr(num)"b"
+#define oldinstr_pad_len(num) \
+        "-(((" altinstr_len(num) ")-(" oldinstr_len ")) > 0) * " \
+        "((" altinstr_len(num) ")-(" oldinstr_len "))"
+#define INSTR_LEN_SANITY_CHECK(len)                                     \
+        ".if " len " > 254\n"                                           \
+        "\t.error \"cpu alternatives does not support instructions "    \
+                "blocks > 254 bytes\"\n"                                \
+        ".endif\n"                                                      \
+        ".if (" len ") %% 2\n"                                          \
+        "\t.error \"cpu alternatives instructions length is odd\"\n"    \
+        ".endif\n"
+#define OLDINSTR_PADDING(oldinstr, num)                                 \
+        ".if " oldinstr_pad_len(num) " > 6\n"                           \
+        "\tjg " e_oldinstr_pad_end "f\n"                                \
+        "6620:\n"                                                       \
+        "\t.fill (" oldinstr_pad_len(num) " - (6620b-662b)) / 2, 2, 0x0700\n" \
+        ".else\n"                                                       \
+        "\t.fill " oldinstr_pad_len(num) " / 6, 6, 0xc0040000\n"        \
+        "\t.fill " oldinstr_pad_len(num) " %% 6 / 4, 4, 0x47000000\n"   \
+        "\t.fill " oldinstr_pad_len(num) " %% 6 %% 4 / 2, 2, 0x0700\n"  \
+        ".endif\n"
+#define OLDINSTR(oldinstr, num)                                         \
+        "661:\n\t" oldinstr "\n662:\n"                                  \
+        OLDINSTR_PADDING(oldinstr, num)                                 \
+        e_oldinstr_pad_end ":\n"                                        \
+        INSTR_LEN_SANITY_CHECK(oldinstr_len)
+#define OLDINSTR_2(oldinstr, num1, num2)                                \
+        "661:\n\t" oldinstr "\n662:\n"                                  \
+        ".if " altinstr_len(num1) " < " altinstr_len(num2) "\n"         \
+        OLDINSTR_PADDING(oldinstr, num2)                                \
+        ".else\n"                                                       \
+        OLDINSTR_PADDING(oldinstr, num1)                                \
+        ".endif\n"                                                      \
+        e_oldinstr_pad_end ":\n"                                        \
+        INSTR_LEN_SANITY_CHECK(oldinstr_len)
+#define ALTINSTR_ENTRY(facility, num)                                   \
+        "\t.long 661b - .\n"                    /* old instruction */   \
+        "\t.long " b_altinstr(num)"b - .\n"     /* alt instruction */   \
+        "\t.word " __stringify(facility) "\n"   /* facility bit    */   \
+        "\t.byte " oldinstr_total_len "\n"      /* source len      */   \
+        "\t.byte " altinstr_len(num) "\n"       /* alt instruction len */
+#define ALTINSTR_REPLACEMENT(altinstr, num)     /* replacement */       \
+        b_altinstr(num)":\n\t" altinstr "\n" e_altinstr(num) ":\n"      \
+        INSTR_LEN_SANITY_CHECK(altinstr_len(num))
+/* alternative assembly primitive: */
+#define ALTERNATIVE(oldinstr, altinstr, facility) \
+        ".pushsection .altinstr_replacement, \"ax\"\n"                  \
+        ALTINSTR_REPLACEMENT(altinstr, 1)                               \
+        ".popsection\n"                                                 \
+        OLDINSTR(oldinstr, 1)                                           \
+        ".pushsection .altinstructions,\"a\"\n"                         \
+        ALTINSTR_ENTRY(facility, 1)                                     \
+        ".popsection\n"
+#define ALTERNATIVE_2(oldinstr, altinstr1, facility1, altinstr2, facility2)\
+        ".pushsection .altinstr_replacement, \"ax\"\n"                  \
+        ALTINSTR_REPLACEMENT(altinstr1, 1)                              \
+        ALTINSTR_REPLACEMENT(altinstr2, 2)                              \
+        ".popsection\n"                                                 \
+        OLDINSTR_2(oldinstr, 1, 2)                                      \
+        ".pushsection .altinstructions,\"a\"\n"                         \
+        ALTINSTR_ENTRY(facility1, 1)                                    \
+        ALTINSTR_ENTRY(facility2, 2)                                    \
+        ".popsection\n"
+/*
+ * Alternative instructions for different CPU types or capabilities.
+ *
+ * This allows to use optimized instructions even on generic binary
+ * kernels.
+ *
+ * oldinstr is padded with jump and nops at compile time if altinstr is
+ * longer. altinstr is padded with jump and nops at run-time during patching.
+ *
+ * For non barrier like inlines please define new variants
+ * without volatile and memory clobber.
+ */
+#define alternative(oldinstr, altinstr, facility)                       \
+        asm volatile(ALTERNATIVE(oldinstr, altinstr, facility) : : : "memory")
+#define alternative_2(oldinstr, altinstr1, facility1, altinstr2, facility2) \
+        asm volatile(ALTERNATIVE_2(oldinstr, altinstr1, facility1,          \
+                                   altinstr2, facility2) ::: "memory")
+#endif /* __ASSEMBLY__ */
+#endif /* _ASM_S390_ALTERNATIVE_H */
diff --git a/arch/s390/include/asm/barrier.h b/arch/s390/include/asm/barrier.h
index d68e11e0df5e..e903b28e7358 100644
--- a/arch/s390/include/asm/barrier.h
+++ b/arch/s390/include/asm/barrier.h
@@ -53,4 +53,28 @@ do {									\
        ___p1;                                                          \
 })
+/**
+ * array_index_mask_nospec - generate a mask for array_idx() that is
+ * ~0UL when the bounds check succeeds and 0 otherwise
+ * @index: array element index
+ * @size: number of elements in array
+ */
+#define array_index_mask_nospec array_index_mask_nospec
+static inline unsigned long array_index_mask_nospec(unsigned long index,
+                                                    unsigned long size)
+{
+        unsigned long mask;
+        if (__builtin_constant_p(size) && size > 0) {
+                asm("   clgr    %2,%1\n"
+                    "   slbgr   %0,%0\n"
+                    :"=d" (mask) : "d" (size-1), "d" (index) :"cc");
+                return mask;
+        }
+        asm("   clgr    %1,%2\n"
+            "   slbgr   %0,%0\n"
+            :"=d" (mask) : "d" (size), "d" (index) :"cc");
+        return ~mask;
+}
 #endif /* __ASM_BARRIER_H */
diff --git a/arch/s390/include/asm/cpu_mf.h b/arch/s390/include/asm/cpu_mf.h
index 9dd04b9e9782..b2f8c52b3840 100644
--- a/arch/s390/include/asm/cpu_mf.h
+++ b/arch/s390/include/asm/cpu_mf.h
@@ -113,7 +113,7 @@ struct hws_basic_entry {
 struct hws_diag_entry {
        unsigned int def:16;        /* 0-15  Data Entry Format           */
-        unsigned int R:14;          /* 16-19 and 20-30 reserved          */
+        unsigned int R:15;          /* 16-19 and 20-30 reserved          */
        unsigned int I:1;           /* 31 entry valid or invalid         */
        u8           data[];        /* Machine-dependent sample data     */
 } __packed;
@@ -129,7 +129,9 @@ struct hws_trailer_entry {
                        unsigned int f:1;       /* 0 - Block Full Indicator   */
                        unsigned int a:1;       /* 1 - Alert request control  */
                        unsigned int t:1;       /* 2 - Timestamp format       */
-                        unsigned long long:61;  /* 3 - 63: Reserved           */
+                        unsigned int :29;       /* 3 - 31: Reserved           */
+                        unsigned int bsdes:16;  /* 32-47: size of basic SDE   */
+                        unsigned int dsdes:16;  /* 48-63: size of diagnostic SDE */
                };
                unsigned long long flags;       /* 0 - 63: All indicators     */
        };
diff --git a/arch/s390/include/asm/facility.h b/arch/s390/include/asm/facility.h
index 0aa6a7ed95a3..155fcc7bcba6 100644
--- a/arch/s390/include/asm/facility.h
+++ b/arch/s390/include/asm/facility.h
@@ -13,6 +13,24 @@
 #define MAX_FACILITY_BIT (256*8)        /* stfle_fac_list has 256 bytes */
+static inline void __set_facility(unsigned long nr, void *facilities)
+{
+        unsigned char *ptr = (unsigned char *) facilities;
+        if (nr >= MAX_FACILITY_BIT)
+                return;
+        ptr[nr >> 3] |= 0x80 >> (nr & 7);
+}
+static inline void __clear_facility(unsigned long nr, void *facilities)
+{
+        unsigned char *ptr = (unsigned char *) facilities;
+        if (nr >= MAX_FACILITY_BIT)
+                return;
+        ptr[nr >> 3] &= ~(0x80 >> (nr & 7));
+}
 static inline int __test_facility(unsigned long nr, void *facilities)
 {
        unsigned char *ptr;
diff --git a/arch/s390/include/asm/futex.h b/arch/s390/include/asm/futex.h
index a4811aa0304d..8f8eec9e1198 100644
--- a/arch/s390/include/asm/futex.h
+++ b/arch/s390/include/asm/futex.h
@@ -21,17 +21,12 @@
                : "0" (-EFAULT), "d" (oparg), "a" (uaddr),              \
                  "m" (*uaddr) : "cc");
-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+                u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, newval, ret;
        load_kernel_asce();
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
        pagefault_disable();
        switch (op) {
@@ -60,17 +55,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        }
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
index e9a983f40a24..7d9c5917da2b 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -136,7 +136,8 @@ struct kvm_s390_sie_block {
        __u16   ipa;                    /* 0x0056 */
        __u32   ipb;                    /* 0x0058 */
        __u32   scaoh;                  /* 0x005c */
-        __u8    reserved60;             /* 0x0060 */
+#define FPF_BPBC        0x20
+        __u8    fpf;                    /* 0x0060 */
        __u8    ecb;                    /* 0x0061 */
        __u8    ecb2;                   /* 0x0062 */
 #define ECB3_AES 0x04
diff --git a/arch/s390/include/asm/lowcore.h b/arch/s390/include/asm/lowcore.h
index afe1cfebf1a4..8520c23e419b 100644
--- a/arch/s390/include/asm/lowcore.h
+++ b/arch/s390/include/asm/lowcore.h
@@ -155,7 +155,9 @@ struct _lowcore {
        /* Per cpu primary space access list */
        __u32   paste[16];                      /* 0x0400 */
-        __u8    pad_0x04c0[0x0e00-0x0440];      /* 0x0440 */
+        /* br %r1 trampoline */
+        __u16   br_r1_trampoline;               /* 0x0440 */
+        __u8    pad_0x0442[0x0e00-0x0442];      /* 0x0442 */
        /*
         * 0xe00 contains the address of the IPL Parameter Information
@@ -170,7 +172,8 @@ struct _lowcore {
        __u8    pad_0x0e20[0x0f00-0x0e20];      /* 0x0e20 */
        /* Extended facility list */
-        __u64   stfle_fac_list[32];             /* 0x0f00 */
+        __u64   stfle_fac_list[16];             /* 0x0f00 */
+        __u64   alt_stfle_fac_list[16];         /* 0x0f80 */
        __u8    pad_0x1000[0x11b0-0x1000];      /* 0x1000 */
        /* Pointer to vector register save area */
diff --git a/arch/s390/include/asm/nospec-branch.h b/arch/s390/include/asm/nospec-branch.h
new file mode 100644
index 000000000000..b4bd8c41e9d3
--- /dev/null
+++ b/arch/s390/include/asm/nospec-branch.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_S390_EXPOLINE_H
+#define _ASM_S390_EXPOLINE_H
+#ifndef __ASSEMBLY__
+#include <linux/types.h>
+extern int nospec_disable;
+void nospec_init_branches(void);
+void nospec_auto_detect(void);
+void nospec_revert(s32 *start, s32 *end);
+#endif /* __ASSEMBLY__ */
+#endif /* _ASM_S390_EXPOLINE_H */
diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h
new file mode 100644
index 000000000000..9a56e738d645
--- /dev/null
+++ b/arch/s390/include/asm/nospec-insn.h
@@ -0,0 +1,195 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_S390_NOSPEC_ASM_H
+#define _ASM_S390_NOSPEC_ASM_H
+#include <asm/alternative-asm.h>
+#include <asm/asm-offsets.h>
+#ifdef __ASSEMBLY__
+#ifdef CONFIG_EXPOLINE
+_LC_BR_R1 = __LC_BR_R1
+/*
+ * The expoline macros are used to create thunks in the same format
+ * as gcc generates them. The 'comdat' section flag makes sure that
+ * the various thunks are merged into a single copy.
+ */
+        .macro __THUNK_PROLOG_NAME name
+        .pushsection .text.\name,"axG",@progbits,\name,comdat
+        .globl \name
+        .hidden \name
+        .type \name,@function
+\name:
+        .cfi_startproc
+        .endm
+        .macro __THUNK_EPILOG
+        .cfi_endproc
+        .popsection
+        .endm
+        .macro __THUNK_PROLOG_BR r1,r2
+        __THUNK_PROLOG_NAME __s390x_indirect_jump_r\r2\()use_r\r1
+        .endm
+        .macro __THUNK_PROLOG_BC d0,r1,r2
+        __THUNK_PROLOG_NAME __s390x_indirect_branch_\d0\()_\r2\()use_\r1
+        .endm
+        .macro __THUNK_BR r1,r2
+        jg      __s390x_indirect_jump_r\r2\()use_r\r1
+        .endm
+        .macro __THUNK_BC d0,r1,r2
+        jg      __s390x_indirect_branch_\d0\()_\r2\()use_\r1
+        .endm
+        .macro __THUNK_BRASL r1,r2,r3
+        brasl   \r1,__s390x_indirect_jump_r\r3\()use_r\r2
+        .endm
+        .macro  __DECODE_RR expand,reg,ruse
+        .set __decode_fail,1
+        .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
+        .ifc \reg,%r\r1
+        .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
+        .ifc \ruse,%r\r2
+        \expand \r1,\r2
+        .set __decode_fail,0
+        .endif
+        .endr
+        .endif
+        .endr
+        .if __decode_fail == 1
+        .error "__DECODE_RR failed"
+        .endif
+        .endm
+        .macro  __DECODE_RRR expand,rsave,rtarget,ruse
+        .set __decode_fail,1
+        .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
+        .ifc \rsave,%r\r1
+        .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
+        .ifc \rtarget,%r\r2
+        .irp r3,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
+        .ifc \ruse,%r\r3
+        \expand \r1,\r2,\r3
+        .set __decode_fail,0
+        .endif
+        .endr
+        .endif
+        .endr
+        .endif
+        .endr
+        .if __decode_fail == 1
+        .error "__DECODE_RRR failed"
+        .endif
+        .endm
+        .macro  __DECODE_DRR expand,disp,reg,ruse
+        .set __decode_fail,1
+        .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
+        .ifc \reg,%r\r1
+        .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
+        .ifc \ruse,%r\r2
+        \expand \disp,\r1,\r2
+        .set __decode_fail,0
+        .endif
+        .endr
+        .endif
+        .endr
+        .if __decode_fail == 1
+        .error "__DECODE_DRR failed"
+        .endif
+        .endm
+        .macro __THUNK_EX_BR reg,ruse
+        # Be very careful when adding instructions to this macro!
+        # The ALTERNATIVE replacement code has a .+10 which targets
+        # the "br \reg" after the code has been patched.
+#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES
+        exrl    0,555f
+        j       .
+#else
+        .ifc \reg,%r1
+        ALTERNATIVE "ex %r0,_LC_BR_R1", ".insn ril,0xc60000000000,0,.+10", 35
+        j       .
+        .else
+        larl    \ruse,555f
+        ex      0,0(\ruse)
+        j       .
+        .endif
+#endif
+555:    br      \reg
+        .endm
+        .macro __THUNK_EX_BC disp,reg,ruse
+#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES
+        exrl    0,556f
+        j       .
+#else
+        larl    \ruse,556f
+        ex      0,0(\ruse)
+        j       .
+#endif
+556:    b       \disp(\reg)
+        .endm
+        .macro GEN_BR_THUNK reg,ruse=%r1
+        __DECODE_RR __THUNK_PROLOG_BR,\reg,\ruse
+        __THUNK_EX_BR \reg,\ruse
+        __THUNK_EPILOG
+        .endm
+        .macro GEN_B_THUNK disp,reg,ruse=%r1
+        __DECODE_DRR __THUNK_PROLOG_BC,\disp,\reg,\ruse
+        __THUNK_EX_BC \disp,\reg,\ruse
+        __THUNK_EPILOG
+        .endm
+        .macro BR_EX reg,ruse=%r1
+557:    __DECODE_RR __THUNK_BR,\reg,\ruse
+        .pushsection .s390_indirect_branches,"a",@progbits
+        .long   557b-.
+        .popsection
+        .endm
+         .macro B_EX disp,reg,ruse=%r1
+558:    __DECODE_DRR __THUNK_BC,\disp,\reg,\ruse
+        .pushsection .s390_indirect_branches,"a",@progbits
+        .long   558b-.
+        .popsection
+        .endm
+        .macro BASR_EX rsave,rtarget,ruse=%r1
+559:    __DECODE_RRR __THUNK_BRASL,\rsave,\rtarget,\ruse
+        .pushsection .s390_indirect_branches,"a",@progbits
+        .long   559b-.
+        .popsection
+        .endm
+#else
+        .macro GEN_BR_THUNK reg,ruse=%r1
+        .endm
+        .macro GEN_B_THUNK disp,reg,ruse=%r1
+        .endm
+         .macro BR_EX reg,ruse=%r1
+        br      \reg
+        .endm
+         .macro B_EX disp,reg,ruse=%r1
+        b       \disp(\reg)
+        .endm
+        .macro BASR_EX rsave,rtarget,ruse=%r1
+        basr    \rsave,\rtarget
+        .endm
+#endif
+#endif /* __ASSEMBLY__ */
+#endif /* _ASM_S390_NOSPEC_ASM_H */
diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h
index c61ed7890cef..f915a0f1b0fc 100644
--- a/arch/s390/include/asm/processor.h
+++ b/arch/s390/include/asm/processor.h
@@ -69,6 +69,7 @@ extern void s390_adjust_jiffies(void);
 extern const struct seq_operations cpuinfo_op;
 extern int sysctl_ieee_emulation_warnings;
 extern void execve_tail(void);
+extern void __bpon(void);
 /*
 * User space process size: 2GB for 31 bit, 4TB or 8PT for 64 bit.
@@ -315,6 +316,9 @@ extern void memcpy_absolute(void *, void *, size_t);
        memcpy_absolute(&(dest), &__tmp, sizeof(__tmp));        \
 }
+extern int s390_isolate_bp(void);
+extern int s390_isolate_bp_guest(void);
 #endif /* __ASSEMBLY__ */
 #endif /* __ASM_S390_PROCESSOR_H */
diff --git a/arch/s390/include/asm/thread_info.h b/arch/s390/include/asm/thread_info.h
index 692b9247c019..b2504163c8fa 100644
--- a/arch/s390/include/asm/thread_info.h
+++ b/arch/s390/include/asm/thread_info.h
@@ -78,6 +78,8 @@ void arch_release_task_struct(struct task_struct *tsk);
 #define TIF_SECCOMP             5       /* secure computing */
 #define TIF_SYSCALL_TRACEPOINT  6       /* syscall tracepoint instrumentation */
 #define TIF_UPROBE              7       /* breakpointed or single-stepping */
+#define TIF_ISOLATE_BP          8       /* Run process with isolated BP */
+#define TIF_ISOLATE_BP_GUEST    9       /* Run KVM guests with isolated BP */
 #define TIF_31BIT               16      /* 32bit process */
 #define TIF_MEMDIE              17      /* is terminating due to OOM killer */
 #define TIF_RESTORE_SIGMASK     18      /* restore signal mask in do_signal() */
@@ -93,6 +95,8 @@ void arch_release_task_struct(struct task_struct *tsk);
 #define _TIF_SECCOMP            _BITUL(TIF_SECCOMP)
 #define _TIF_SYSCALL_TRACEPOINT _BITUL(TIF_SYSCALL_TRACEPOINT)
 #define _TIF_UPROBE             _BITUL(TIF_UPROBE)
+#define _TIF_ISOLATE_BP         _BITUL(TIF_ISOLATE_BP)
+#define _TIF_ISOLATE_BP_GUEST   _BITUL(TIF_ISOLATE_BP_GUEST)
 #define _TIF_31BIT              _BITUL(TIF_31BIT)
 #define _TIF_SINGLE_STEP        _BITUL(TIF_SINGLE_STEP)
diff --git a/arch/s390/include/uapi/asm/kvm.h b/arch/s390/include/uapi/asm/kvm.h
index ef1a5fcc6c66..beb508a9e72c 100644
--- a/arch/s390/include/uapi/asm/kvm.h
+++ b/arch/s390/include/uapi/asm/kvm.h
@@ -151,6 +151,7 @@ struct kvm_guest_debug_arch {
 #define KVM_SYNC_ARCH0  (1UL << 4)
 #define KVM_SYNC_PFAULT (1UL << 5)
 #define KVM_SYNC_VRS    (1UL << 6)
+#define KVM_SYNC_BPBC   (1UL << 10)
 /* definition of registers in kvm_run */
 struct kvm_sync_regs {
        __u64 prefix;   /* prefix register */
@@ -168,6 +169,8 @@ struct kvm_sync_regs {
        __u64 vrs[32][2];       /* vector registers */
        __u8  reserved[512];    /* for future vector expansion */
        __u32 fpc;      /* only valid with vector registers */
+        __u8 bpbc : 1;          /* bp mode */
+        __u8 reserved2 : 7;
 };
 #define KVM_REG_S390_TODPR      (KVM_REG_S390 | KVM_REG_SIZE_U32 | 0x1)
diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile
index dc167a23b920..c4d4d4ef5e58 100644
--- a/arch/s390/kernel/Makefile
+++ b/arch/s390/kernel/Makefile
@@ -44,10 +44,14 @@ obj-y	+= processor.o sys_s390.o ptrace.o signal.o cpcmd.o ebcdic.o nmi.o
 obj-y   += debug.o irq.o ipl.o dis.o diag.o sclp.o vdso.o
 obj-y   += sysinfo.o jump_label.o lgr.o os_info.o machine_kexec.o pgm_check.o
 obj-y   += runtime_instr.o cache.o dumpstack.o
-obj-y   += entry.o reipl.o relocate_kernel.o
+obj-y   += entry.o reipl.o relocate_kernel.o alternative.o
+obj-y   += nospec-branch.o
 extra-y                         += head.o head64.o vmlinux.lds
+obj-$(CONFIG_SYSFS)             += nospec-sysfs.o
+CFLAGS_REMOVE_nospec-branch.o   += $(CC_FLAGS_EXPOLINE)
 obj-$(CONFIG_MODULES)           += s390_ksyms.o module.o
 obj-$(CONFIG_SMP)               += smp.o
 obj-$(CONFIG_SCHED_BOOK)        += topology.o
diff --git a/arch/s390/kernel/alternative.c b/arch/s390/kernel/alternative.c
new file mode 100644
index 000000000000..b57b293998dc
--- /dev/null
+++ b/arch/s390/kernel/alternative.c
@@ -0,0 +1,112 @@
+#include <linux/module.h>
+#include <asm/alternative.h>
+#include <asm/facility.h>
+#include <asm/nospec-branch.h>
+#define MAX_PATCH_LEN (255 - 1)
+static int __initdata_or_module alt_instr_disabled;
+static int __init disable_alternative_instructions(char *str)
+{
+        alt_instr_disabled = 1;
+        return 0;
+}
+early_param("noaltinstr", disable_alternative_instructions);
+struct brcl_insn {
+        u16 opc;
+        s32 disp;
+} __packed;
+static u16 __initdata_or_module nop16 = 0x0700;
+static u32 __initdata_or_module nop32 = 0x47000000;
+static struct brcl_insn __initdata_or_module nop48 = {
+        0xc004, 0
+};
+static const void *nops[] __initdata_or_module = {
+        &nop16,
+        &nop32,
+        &nop48
+};
+static void __init_or_module add_jump_padding(void *insns, unsigned int len)
+{
+        struct brcl_insn brcl = {
+                0xc0f4,
+                len / 2
+        };
+        memcpy(insns, &brcl, sizeof(brcl));
+        insns += sizeof(brcl);
+        len -= sizeof(brcl);
+        while (len > 0) {
+                memcpy(insns, &nop16, 2);
+                insns += 2;
+                len -= 2;
+        }
+}
+static void __init_or_module add_padding(void *insns, unsigned int len)
+{
+        if (len > 6)
+                add_jump_padding(insns, len);
+        else if (len >= 2)
+                memcpy(insns, nops[len / 2 - 1], len);
+}
+static void __init_or_module __apply_alternatives(struct alt_instr *start,
+                                                  struct alt_instr *end)
+{
+        struct alt_instr *a;
+        u8 *instr, *replacement;
+        u8 insnbuf[MAX_PATCH_LEN];
+        /*
+         * The scan order should be from start to end. A later scanned
+         * alternative code can overwrite previously scanned alternative code.
+         */
+        for (a = start; a < end; a++) {
+                int insnbuf_sz = 0;
+                instr = (u8 *)&a->instr_offset + a->instr_offset;
+                replacement = (u8 *)&a->repl_offset + a->repl_offset;
+                if (!__test_facility(a->facility,
+                                     S390_lowcore.alt_stfle_fac_list))
+                        continue;
+                if (unlikely(a->instrlen % 2 || a->replacementlen % 2)) {
+                        WARN_ONCE(1, "cpu alternatives instructions length is "
+                                     "odd, skipping patching\n");
+                        continue;
+                }
+                memcpy(insnbuf, replacement, a->replacementlen);
+                insnbuf_sz = a->replacementlen;
+                if (a->instrlen > a->replacementlen) {
+                        add_padding(insnbuf + a->replacementlen,
+                                    a->instrlen - a->replacementlen);
+                        insnbuf_sz += a->instrlen - a->replacementlen;
+                }
+                s390_kernel_write(instr, insnbuf, insnbuf_sz);
+        }
+}
+void __init_or_module apply_alternatives(struct alt_instr *start,
+                                         struct alt_instr *end)
+{
+        if (!alt_instr_disabled)
+                __apply_alternatives(start, end);
+}
+extern struct alt_instr __alt_instructions[], __alt_instructions_end[];
+void __init apply_alternative_instructions(void)
+{
+        apply_alternatives(__alt_instructions, __alt_instructions_end);
+}
diff --git a/arch/s390/kernel/asm-offsets.c b/arch/s390/kernel/asm-offsets.c
index dc6c9c604543..39572281e213 100644
--- a/arch/s390/kernel/asm-offsets.c
+++ b/arch/s390/kernel/asm-offsets.c
@@ -170,6 +170,7 @@ int main(void)
        OFFSET(__LC_MACHINE_FLAGS, _lowcore, machine_flags);
        OFFSET(__LC_GMAP, _lowcore, gmap);
        OFFSET(__LC_PASTE, _lowcore, paste);
+        OFFSET(__LC_BR_R1, _lowcore, br_r1_trampoline);
        /* software defined ABI-relevant lowcore locations 0xe00 - 0xe20 */
        OFFSET(__LC_DUMP_REIPL, _lowcore, ipib);
        /* hardware defined lowcore locations 0x1000 - 0x18ff */
diff --git a/arch/s390/kernel/base.S b/arch/s390/kernel/base.S
index 326f717df587..61fca549a93b 100644
--- a/arch/s390/kernel/base.S
+++ b/arch/s390/kernel/base.S
@@ -8,18 +8,22 @@
 #include <linux/linkage.h>
 #include <asm/asm-offsets.h>
+#include <asm/nospec-insn.h>
 #include <asm/ptrace.h>
 #include <asm/sigp.h>
+        GEN_BR_THUNK %r9
+        GEN_BR_THUNK %r14
 ENTRY(s390_base_mcck_handler)
        basr    %r13,0
 0:      lg      %r15,__LC_PANIC_STACK   # load panic stack
        aghi    %r15,-STACK_FRAME_OVERHEAD
        larl    %r1,s390_base_mcck_handler_fn
-        lg      %r1,0(%r1)
+        lg      %r9,0(%r1)
-        ltgr    %r1,%r1
+        ltgr    %r9,%r9
        jz      1f
-        basr    %r14,%r1
+        BASR_EX %r14,%r9
 1:      la      %r1,4095
        lmg     %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1)
        lpswe   __LC_MCK_OLD_PSW
@@ -36,10 +40,10 @@ ENTRY(s390_base_ext_handler)
        basr    %r13,0
 0:      aghi    %r15,-STACK_FRAME_OVERHEAD
        larl    %r1,s390_base_ext_handler_fn
-        lg      %r1,0(%r1)
+        lg      %r9,0(%r1)
-        ltgr    %r1,%r1
+        ltgr    %r9,%r9
        jz      1f
-        basr    %r14,%r1
+        BASR_EX %r14,%r9
 1:      lmg     %r0,%r15,__LC_SAVE_AREA_ASYNC
        ni      __LC_EXT_OLD_PSW+1,0xfd # clear wait state bit
        lpswe   __LC_EXT_OLD_PSW
@@ -56,10 +60,10 @@ ENTRY(s390_base_pgm_handler)
        basr    %r13,0
 0:      aghi    %r15,-STACK_FRAME_OVERHEAD
        larl    %r1,s390_base_pgm_handler_fn
-        lg      %r1,0(%r1)
+        lg      %r9,0(%r1)
-        ltgr    %r1,%r1
+        ltgr    %r9,%r9
        jz      1f
-        basr    %r14,%r1
+        BASR_EX %r14,%r9
        lmg     %r0,%r15,__LC_SAVE_AREA_SYNC
        lpswe   __LC_PGM_OLD_PSW
 1:      lpswe   disabled_wait_psw-0b(%r13)
@@ -116,7 +120,7 @@ ENTRY(diag308_reset)
        larl    %r4,.Lcontinue_psw      # Restore PSW flags
        lpswe   0(%r4)
 .Lcontinue:
-        br      %r14
+        BR_EX   %r14
 .align 16
 .Lrestart_psw:
        .long   0x00080000,0x80000000 + .Lrestart_part2
diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c
index 0176ebc97bfd..86f934255eb6 100644
--- a/arch/s390/kernel/compat_linux.c
+++ b/arch/s390/kernel/compat_linux.c
@@ -110,7 +110,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setregid16, u16, rgid, u16, egid)
 COMPAT_SYSCALL_DEFINE1(s390_setgid16, u16, gid)
 {
-        return sys_setgid((gid_t)gid);
+        return sys_setgid(low2highgid(gid));
 }
 COMPAT_SYSCALL_DEFINE2(s390_setreuid16, u16, ruid, u16, euid)
@@ -120,7 +120,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setreuid16, u16, ruid, u16, euid)
 COMPAT_SYSCALL_DEFINE1(s390_setuid16, u16, uid)
 {
-        return sys_setuid((uid_t)uid);
+        return sys_setuid(low2highuid(uid));
 }
 COMPAT_SYSCALL_DEFINE3(s390_setresuid16, u16, ruid, u16, euid, u16, suid)
@@ -173,12 +173,12 @@ COMPAT_SYSCALL_DEFINE3(s390_getresgid16, u16 __user *, rgidp,
 COMPAT_SYSCALL_DEFINE1(s390_setfsuid16, u16, uid)
 {
-        return sys_setfsuid((uid_t)uid);
+        return sys_setfsuid(low2highuid(uid));
 }
 COMPAT_SYSCALL_DEFINE1(s390_setfsgid16, u16, gid)
 {
-        return sys_setfsgid((gid_t)gid);
+        return sys_setfsgid(low2highgid(gid));
 }
 static int groups16_to_user(u16 __user *grouplist, struct group_info *group_info)
diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
index ee7b8e7ca4f8..8eccead675d4 100644
--- a/arch/s390/kernel/early.c
+++ b/arch/s390/kernel/early.c
@@ -279,6 +279,11 @@ static noinline __init void setup_facility_list(void)
 {
        stfle(S390_lowcore.stfle_fac_list,
              ARRAY_SIZE(S390_lowcore.stfle_fac_list));
+        memcpy(S390_lowcore.alt_stfle_fac_list,
+               S390_lowcore.stfle_fac_list,
+               sizeof(S390_lowcore.alt_stfle_fac_list));
+        if (!IS_ENABLED(CONFIG_KERNEL_NOBP))
+                __clear_facility(82, S390_lowcore.alt_stfle_fac_list);
 }
 static __init void detect_diag9c(void)
diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
index 4612ed7ec2e5..4cad1adff16b 100644
--- a/arch/s390/kernel/entry.S
+++ b/arch/s390/kernel/entry.S
@@ -23,6 +23,7 @@
 #include <asm/vx-insn.h>
 #include <asm/setup.h>
 #include <asm/nmi.h>
+#include <asm/nospec-insn.h>
 __PT_R0      =  __PT_GPRS
 __PT_R1      =  __PT_GPRS + 8
@@ -104,6 +105,7 @@ _PIF_WORK	= (_PIF_PER_TRAP)
        j       3f
 1:      LAST_BREAK %r14
        UPDATE_VTIME %r14,%r15,\timer
+        BPENTER __TI_flags(%r12),_TIF_ISOLATE_BP
 2:      lg      %r15,__LC_ASYNC_STACK   # load async stack
 3:      la      %r11,STACK_FRAME_OVERHEAD(%r15)
        .endm
@@ -162,8 +164,79 @@ _PIF_WORK	= (_PIF_PER_TRAP)
                tm      off+\addr, \mask
        .endm
+        .macro BPOFF
+        .pushsection .altinstr_replacement, "ax"
+660:    .long   0xb2e8c000
+        .popsection
+661:    .long   0x47000000
+        .pushsection .altinstructions, "a"
+        .long 661b - .
+        .long 660b - .
+        .word 82
+        .byte 4
+        .byte 4
+        .popsection
+        .endm
+        .macro BPON
+        .pushsection .altinstr_replacement, "ax"
+662:    .long   0xb2e8d000
+        .popsection
+663:    .long   0x47000000
+        .pushsection .altinstructions, "a"
+        .long 663b - .
+        .long 662b - .
+        .word 82
+        .byte 4
+        .byte 4
+        .popsection
+        .endm
+        .macro BPENTER tif_ptr,tif_mask
+        .pushsection .altinstr_replacement, "ax"
+662:    .word   0xc004, 0x0000, 0x0000  # 6 byte nop
+        .word   0xc004, 0x0000, 0x0000  # 6 byte nop
+        .popsection
+664:    TSTMSK  \tif_ptr,\tif_mask
+        jz      . + 8
+        .long   0xb2e8d000
+        .pushsection .altinstructions, "a"
+        .long 664b - .
+        .long 662b - .
+        .word 82
+        .byte 12
+        .byte 12
+        .popsection
+        .endm
+        .macro BPEXIT tif_ptr,tif_mask
+        TSTMSK  \tif_ptr,\tif_mask
+        .pushsection .altinstr_replacement, "ax"
+662:    jnz     . + 8
+        .long   0xb2e8d000
+        .popsection
+664:    jz      . + 8
+        .long   0xb2e8c000
+        .pushsection .altinstructions, "a"
+        .long 664b - .
+        .long 662b - .
+        .word 82
+        .byte 8
+        .byte 8
+        .popsection
+        .endm
+        GEN_BR_THUNK %r9
+        GEN_BR_THUNK %r14
+        GEN_BR_THUNK %r14,%r11
        .section .kprobes.text, "ax"
+ENTRY(__bpon)
+        .globl __bpon
+        BPON
+        BR_EX   %r14
 /*
 * Scheduler resume function, called by switch_to
 *  gpr2 = (task_struct *) prev
@@ -190,9 +263,9 @@ ENTRY(__switch_to)
        mvc     __LC_CURRENT_PID(4,%r0),__TASK_pid(%r3) # store pid of next
        lmg     %r6,%r15,__SF_GPRS(%r15)        # load gprs of next task
        TSTMSK  __LC_MACHINE_FLAGS,MACHINE_FLAG_LPP
-        bzr     %r14
+        jz      0f
        .insn   s,0xb2800000,__LC_LPP           # set program parameter
-        br      %r14
+0:      BR_EX   %r14
 .L__critical_start:
@@ -204,9 +277,11 @@ ENTRY(__switch_to)
 */
 ENTRY(sie64a)
        stmg    %r6,%r14,__SF_GPRS(%r15)        # save kernel registers
+        lg      %r12,__LC_CURRENT
        stg     %r2,__SF_EMPTY(%r15)            # save control block pointer
        stg     %r3,__SF_EMPTY+8(%r15)          # save guest register save area
        xc      __SF_EMPTY+16(8,%r15),__SF_EMPTY+16(%r15) # reason code = 0
+        mvc     __SF_EMPTY+24(8,%r15),__TI_flags(%r12) # copy thread flags
        TSTMSK  __LC_CPU_FLAGS,_CIF_FPU         # load guest fp/vx registers ?
        jno     .Lsie_load_guest_gprs
        brasl   %r14,load_fpu_regs              # load guest fp/vx regs
@@ -223,7 +298,11 @@ ENTRY(sie64a)
        jnz     .Lsie_skip
        TSTMSK  __LC_CPU_FLAGS,_CIF_FPU
        jo      .Lsie_skip                      # exit if fp/vx regs changed
+        BPEXIT  __SF_EMPTY+24(%r15),(_TIF_ISOLATE_BP|_TIF_ISOLATE_BP_GUEST)
        sie     0(%r14)
+.Lsie_exit:
+        BPOFF
+        BPENTER __SF_EMPTY+24(%r15),(_TIF_ISOLATE_BP|_TIF_ISOLATE_BP_GUEST)
 .Lsie_skip:
        ni      __SIE_PROG0C+3(%r14),0xfe       # no longer in SIE
        lctlg   %c1,%c1,__LC_USER_ASCE          # load primary asce
@@ -244,9 +323,15 @@ ENTRY(sie64a)
 sie_exit:
        lg      %r14,__SF_EMPTY+8(%r15)         # load guest register save area
        stmg    %r0,%r13,0(%r14)                # save guest gprs 0-13
+        xgr     %r0,%r0                         # clear guest registers to
+        xgr     %r1,%r1                         # prevent speculative use
+        xgr     %r2,%r2
+        xgr     %r3,%r3
+        xgr     %r4,%r4
+        xgr     %r5,%r5
        lmg     %r6,%r14,__SF_GPRS(%r15)        # restore kernel registers
        lg      %r2,__SF_EMPTY+16(%r15)         # return exit reason code
-        br      %r14
+        BR_EX   %r14
 .Lsie_fault:
        lghi    %r14,-EFAULT
        stg     %r14,__SF_EMPTY+16(%r15)        # set exit reason code
@@ -267,6 +352,7 @@ ENTRY(system_call)
        stpt    __LC_SYNC_ENTER_TIMER
 .Lsysc_stmg:
        stmg    %r8,%r15,__LC_SAVE_AREA_SYNC
+        BPOFF
        lg      %r10,__LC_LAST_BREAK
        lg      %r12,__LC_THREAD_INFO
        lghi    %r14,_PIF_SYSCALL
@@ -276,12 +362,15 @@ ENTRY(system_call)
        LAST_BREAK %r13
 .Lsysc_vtime:
        UPDATE_VTIME %r10,%r13,__LC_SYNC_ENTER_TIMER
+        BPENTER __TI_flags(%r12),_TIF_ISOLATE_BP
        stmg    %r0,%r7,__PT_R0(%r11)
        mvc     __PT_R8(64,%r11),__LC_SAVE_AREA_SYNC
        mvc     __PT_PSW(16,%r11),__LC_SVC_OLD_PSW
        mvc     __PT_INT_CODE(4,%r11),__LC_SVC_ILC
        stg     %r14,__PT_FLAGS(%r11)
 .Lsysc_do_svc:
+        # clear user controlled register to prevent speculative use
+        xgr     %r0,%r0
        lg      %r10,__TI_sysc_table(%r12)      # address of system call table
        llgh    %r8,__PT_INT_CODE+2(%r11)
        slag    %r8,%r8,2                       # shift and test for svc 0
@@ -299,7 +388,7 @@ ENTRY(system_call)
        lgf     %r9,0(%r8,%r10)                 # get system call add.
        TSTMSK  __TI_flags(%r12),_TIF_TRACE
        jnz     .Lsysc_tracesys
-        basr    %r14,%r9                        # call sys_xxxx
+        BASR_EX %r14,%r9                        # call sys_xxxx
        stg     %r2,__PT_R2(%r11)               # store return value
 .Lsysc_return:
@@ -311,6 +400,7 @@ ENTRY(system_call)
        jnz     .Lsysc_work                     # check for work
        TSTMSK  __LC_CPU_FLAGS,_CIF_WORK
        jnz     .Lsysc_work
+        BPEXIT  __TI_flags(%r12),_TIF_ISOLATE_BP
 .Lsysc_restore:
        lg      %r14,__LC_VDSO_PER_CPU
        lmg     %r0,%r10,__PT_R0(%r11)
@@ -438,7 +528,7 @@ ENTRY(system_call)
        lmg     %r3,%r7,__PT_R3(%r11)
        stg     %r7,STACK_FRAME_OVERHEAD(%r15)
        lg      %r2,__PT_ORIG_GPR2(%r11)
-        basr    %r14,%r9                # call sys_xxx
+        BASR_EX %r14,%r9                # call sys_xxx
        stg     %r2,__PT_R2(%r11)       # store return value
 .Lsysc_tracenogo:
        TSTMSK  __TI_flags(%r12),_TIF_TRACE
@@ -462,7 +552,7 @@ ENTRY(ret_from_fork)
        lmg     %r9,%r10,__PT_R9(%r11)  # load gprs
 ENTRY(kernel_thread_starter)
        la      %r2,0(%r10)
-        basr    %r14,%r9
+        BASR_EX %r14,%r9
        j       .Lsysc_tracenogo
 /*
@@ -471,6 +561,7 @@ ENTRY(kernel_thread_starter)
 ENTRY(pgm_check_handler)
        stpt    __LC_SYNC_ENTER_TIMER
+        BPOFF
        stmg    %r8,%r15,__LC_SAVE_AREA_SYNC
        lg      %r10,__LC_LAST_BREAK
        lg      %r12,__LC_THREAD_INFO
@@ -495,6 +586,7 @@ ENTRY(pgm_check_handler)
        j       3f
 2:      LAST_BREAK %r14
        UPDATE_VTIME %r14,%r15,__LC_SYNC_ENTER_TIMER
+        BPENTER __TI_flags(%r12),_TIF_ISOLATE_BP
        lg      %r15,__LC_KERNEL_STACK
        lg      %r14,__TI_task(%r12)
        aghi    %r14,__TASK_thread      # pointer to thread_struct
@@ -504,6 +596,15 @@ ENTRY(pgm_check_handler)
        mvc     __THREAD_trap_tdb(256,%r14),0(%r13)
 3:      la      %r11,STACK_FRAME_OVERHEAD(%r15)
        stmg    %r0,%r7,__PT_R0(%r11)
+        # clear user controlled registers to prevent speculative use
+        xgr     %r0,%r0
+        xgr     %r1,%r1
+        xgr     %r2,%r2
+        xgr     %r3,%r3
+        xgr     %r4,%r4
+        xgr     %r5,%r5
+        xgr     %r6,%r6
+        xgr     %r7,%r7
        mvc     __PT_R8(64,%r11),__LC_SAVE_AREA_SYNC
        stmg    %r8,%r9,__PT_PSW(%r11)
        mvc     __PT_INT_CODE(4,%r11),__LC_PGM_ILC
@@ -525,9 +626,9 @@ ENTRY(pgm_check_handler)
        nill    %r10,0x007f
        sll     %r10,2
        je      .Lpgm_return
-        lgf     %r1,0(%r10,%r1)         # load address of handler routine
+        lgf     %r9,0(%r10,%r1)         # load address of handler routine
        lgr     %r2,%r11                # pass pointer to pt_regs
-        basr    %r14,%r1                # branch to interrupt-handler
+        BASR_EX %r14,%r9                # branch to interrupt-handler
 .Lpgm_return:
        LOCKDEP_SYS_EXIT
        tm      __PT_PSW+1(%r11),0x01   # returning to user ?
@@ -560,6 +661,7 @@ ENTRY(pgm_check_handler)
 ENTRY(io_int_handler)
        STCK    __LC_INT_CLOCK
        stpt    __LC_ASYNC_ENTER_TIMER
+        BPOFF
        stmg    %r8,%r15,__LC_SAVE_AREA_ASYNC
        lg      %r10,__LC_LAST_BREAK
        lg      %r12,__LC_THREAD_INFO
@@ -567,6 +669,16 @@ ENTRY(io_int_handler)
        lmg     %r8,%r9,__LC_IO_OLD_PSW
        SWITCH_ASYNC __LC_SAVE_AREA_ASYNC,__LC_ASYNC_ENTER_TIMER
        stmg    %r0,%r7,__PT_R0(%r11)
+        # clear user controlled registers to prevent speculative use
+        xgr     %r0,%r0
+        xgr     %r1,%r1
+        xgr     %r2,%r2
+        xgr     %r3,%r3
+        xgr     %r4,%r4
+        xgr     %r5,%r5
+        xgr     %r6,%r6
+        xgr     %r7,%r7
+        xgr     %r10,%r10
        mvc     __PT_R8(64,%r11),__LC_SAVE_AREA_ASYNC
        stmg    %r8,%r9,__PT_PSW(%r11)
        mvc     __PT_INT_CODE(12,%r11),__LC_SUBCHANNEL_ID
@@ -601,9 +713,13 @@ ENTRY(io_int_handler)
        lg      %r14,__LC_VDSO_PER_CPU
        lmg     %r0,%r10,__PT_R0(%r11)
        mvc     __LC_RETURN_PSW(16),__PT_PSW(%r11)
+        tm      __PT_PSW+1(%r11),0x01   # returning to user ?
+        jno     .Lio_exit_kernel
+        BPEXIT  __TI_flags(%r12),_TIF_ISOLATE_BP
 .Lio_exit_timer:
        stpt    __LC_EXIT_TIMER
        mvc     __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER
+.Lio_exit_kernel:
        lmg     %r11,%r15,__PT_R11(%r11)
        lpswe   __LC_RETURN_PSW
 .Lio_done:
@@ -735,6 +851,7 @@ ENTRY(io_int_handler)
 ENTRY(ext_int_handler)
        STCK    __LC_INT_CLOCK
        stpt    __LC_ASYNC_ENTER_TIMER
+        BPOFF
        stmg    %r8,%r15,__LC_SAVE_AREA_ASYNC
        lg      %r10,__LC_LAST_BREAK
        lg      %r12,__LC_THREAD_INFO
@@ -742,6 +859,16 @@ ENTRY(ext_int_handler)
        lmg     %r8,%r9,__LC_EXT_OLD_PSW
        SWITCH_ASYNC __LC_SAVE_AREA_ASYNC,__LC_ASYNC_ENTER_TIMER
        stmg    %r0,%r7,__PT_R0(%r11)
+        # clear user controlled registers to prevent speculative use
+        xgr     %r0,%r0
+        xgr     %r1,%r1
+        xgr     %r2,%r2
+        xgr     %r3,%r3
+        xgr     %r4,%r4
+        xgr     %r5,%r5
+        xgr     %r6,%r6
+        xgr     %r7,%r7
+        xgr     %r10,%r10
        mvc     __PT_R8(64,%r11),__LC_SAVE_AREA_ASYNC
        stmg    %r8,%r9,__PT_PSW(%r11)
        lghi    %r1,__LC_EXT_PARAMS2
@@ -773,11 +900,12 @@ ENTRY(psw_idle)
        .insn   rsy,0xeb0000000017,%r1,5,__SF_EMPTY+16(%r15)
 .Lpsw_idle_stcctm:
 #endif
+        BPON
        STCK    __CLOCK_IDLE_ENTER(%r2)
        stpt    __TIMER_IDLE_ENTER(%r2)
 .Lpsw_idle_lpsw:
        lpswe   __SF_EMPTY(%r15)
-        br      %r14
+        BR_EX   %r14
 .Lpsw_idle_end:
 /*
@@ -791,7 +919,7 @@ ENTRY(save_fpu_regs)
        lg      %r2,__LC_CURRENT
        aghi    %r2,__TASK_thread
        TSTMSK  __LC_CPU_FLAGS,_CIF_FPU
-        bor     %r14
+        jo      .Lsave_fpu_regs_exit
        stfpc   __THREAD_FPU_fpc(%r2)
 .Lsave_fpu_regs_fpc_end:
        lg      %r3,__THREAD_FPU_regs(%r2)
@@ -821,7 +949,8 @@ ENTRY(save_fpu_regs)
        std     15,120(%r3)
 .Lsave_fpu_regs_done:
        oi      __LC_CPU_FLAGS+7,_CIF_FPU
-        br      %r14
+.Lsave_fpu_regs_exit:
+        BR_EX   %r14
 .Lsave_fpu_regs_end:
 /*
@@ -838,7 +967,7 @@ load_fpu_regs:
        lg      %r4,__LC_CURRENT
        aghi    %r4,__TASK_thread
        TSTMSK  __LC_CPU_FLAGS,_CIF_FPU
-        bnor    %r14
+        jno     .Lload_fpu_regs_exit
        lfpc    __THREAD_FPU_fpc(%r4)
        TSTMSK  __LC_MACHINE_FLAGS,MACHINE_FLAG_VX
        lg      %r4,__THREAD_FPU_regs(%r4)      # %r4 <- reg save area
@@ -867,7 +996,8 @@ load_fpu_regs:
        ld      15,120(%r4)
 .Lload_fpu_regs_done:
        ni      __LC_CPU_FLAGS+7,255-_CIF_FPU
-        br      %r14
+.Lload_fpu_regs_exit:
+        BR_EX   %r14
 .Lload_fpu_regs_end:
 .L__critical_end:
@@ -877,6 +1007,7 @@ load_fpu_regs:
 */
 ENTRY(mcck_int_handler)
        STCK    __LC_MCCK_CLOCK
+        BPOFF
        la      %r1,4095                # revalidate r1
        spt     __LC_CPU_TIMER_SAVE_AREA-4095(%r1)      # revalidate cpu timer
        lmg     %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1)# revalidate gprs
@@ -908,6 +1039,16 @@ ENTRY(mcck_int_handler)
 .Lmcck_skip:
        lghi    %r14,__LC_GPREGS_SAVE_AREA+64
        stmg    %r0,%r7,__PT_R0(%r11)
+        # clear user controlled registers to prevent speculative use
+        xgr     %r0,%r0
+        xgr     %r1,%r1
+        xgr     %r2,%r2
+        xgr     %r3,%r3
+        xgr     %r4,%r4
+        xgr     %r5,%r5
+        xgr     %r6,%r6
+        xgr     %r7,%r7
+        xgr     %r10,%r10
        mvc     __PT_R8(64,%r11),0(%r14)
        stmg    %r8,%r9,__PT_PSW(%r11)
        xc      __PT_FLAGS(8,%r11),__PT_FLAGS(%r11)
@@ -933,6 +1074,7 @@ ENTRY(mcck_int_handler)
        mvc     __LC_RETURN_MCCK_PSW(16),__PT_PSW(%r11) # move return PSW
        tm      __LC_RETURN_MCCK_PSW+1,0x01 # returning to user ?
        jno     0f
+        BPEXIT  __TI_flags(%r12),_TIF_ISOLATE_BP
        stpt    __LC_EXIT_TIMER
        mvc     __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER
 0:      lmg     %r11,%r15,__PT_R11(%r11)
@@ -1028,7 +1170,7 @@ cleanup_critical:
        jl      0f
        clg     %r9,BASED(.Lcleanup_table+104)  # .Lload_fpu_regs_end
        jl      .Lcleanup_load_fpu_regs
-0:      br      %r14
+0:      BR_EX   %r14,%r11
        .align  8
 .Lcleanup_table:
@@ -1053,11 +1195,12 @@ cleanup_critical:
        .quad   .Lsie_done
 .Lcleanup_sie:
+        BPENTER __SF_EMPTY+24(%r15),(_TIF_ISOLATE_BP|_TIF_ISOLATE_BP_GUEST)
        lg      %r9,__SF_EMPTY(%r15)            # get control block pointer
        ni      __SIE_PROG0C+3(%r9),0xfe        # no longer in SIE
        lctlg   %c1,%c1,__LC_USER_ASCE          # load primary asce
        larl    %r9,sie_exit                    # skip forward to sie_exit
-        br      %r14
+        BR_EX   %r14,%r11
 #endif
 .Lcleanup_system_call:
@@ -1099,7 +1242,8 @@ cleanup_critical:
        srag    %r9,%r9,23
        jz      0f
        mvc     __TI_last_break(8,%r12),16(%r11)
-0:      # set up saved register r11
+0:      BPENTER __TI_flags(%r12),_TIF_ISOLATE_BP
+        # set up saved register r11
        lg      %r15,__LC_KERNEL_STACK
        la      %r9,STACK_FRAME_OVERHEAD(%r15)
        stg     %r9,24(%r11)            # r11 pt_regs pointer
@@ -1114,7 +1258,7 @@ cleanup_critical:
        stg     %r15,56(%r11)           # r15 stack pointer
        # set new psw address and exit
        larl    %r9,.Lsysc_do_svc
-        br      %r14
+        BR_EX   %r14,%r11
 .Lcleanup_system_call_insn:
        .quad   system_call
        .quad   .Lsysc_stmg
@@ -1124,7 +1268,7 @@ cleanup_critical:
 .Lcleanup_sysc_tif:
        larl    %r9,.Lsysc_tif
-        br      %r14
+        BR_EX   %r14,%r11
 .Lcleanup_sysc_restore:
        # check if stpt has been executed
@@ -1141,14 +1285,14 @@ cleanup_critical:
        mvc     0(64,%r11),__PT_R8(%r9)
        lmg     %r0,%r7,__PT_R0(%r9)
 1:      lmg     %r8,%r9,__LC_RETURN_PSW
-        br      %r14
+        BR_EX   %r14,%r11
 .Lcleanup_sysc_restore_insn:
        .quad   .Lsysc_exit_timer
        .quad   .Lsysc_done - 4
 .Lcleanup_io_tif:
        larl    %r9,.Lio_tif
-        br      %r14
+        BR_EX   %r14,%r11
 .Lcleanup_io_restore:
        # check if stpt has been executed
@@ -1162,7 +1306,7 @@ cleanup_critical:
        mvc     0(64,%r11),__PT_R8(%r9)
        lmg     %r0,%r7,__PT_R0(%r9)
 1:      lmg     %r8,%r9,__LC_RETURN_PSW
-        br      %r14
+        BR_EX   %r14,%r11
 .Lcleanup_io_restore_insn:
        .quad   .Lio_exit_timer
        .quad   .Lio_done - 4
@@ -1214,17 +1358,17 @@ cleanup_critical:
        # prepare return psw
        nihh    %r8,0xfcfd              # clear irq & wait state bits
        lg      %r9,48(%r11)            # return from psw_idle
-        br      %r14
+        BR_EX   %r14,%r11
 .Lcleanup_idle_insn:
        .quad   .Lpsw_idle_lpsw
 .Lcleanup_save_fpu_regs:
        larl    %r9,save_fpu_regs
-        br      %r14
+        BR_EX   %r14,%r11
 .Lcleanup_load_fpu_regs:
        larl    %r9,load_fpu_regs
-        br      %r14
+        BR_EX   %r14,%r11
 /*
 * Integer constants
@@ -1240,7 +1384,6 @@ cleanup_critical:
 .Lsie_critical_length:
        .quad   .Lsie_done - .Lsie_gmap
 #endif
        .section .rodata, "a"
 #define SYSCALL(esame,emu)      .long esame
        .globl  sys_call_table
diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
index 42570d8fb265..837bb301023f 100644
--- a/arch/s390/kernel/ipl.c
+++ b/arch/s390/kernel/ipl.c
@@ -563,6 +563,7 @@ static struct kset *ipl_kset;
 static void __ipl_run(void *unused)
 {
+        __bpon();
        diag308(DIAG308_IPL, NULL);
        if (MACHINE_IS_VM)
                __cpcmd("IPL", NULL, 0, NULL);
@@ -798,6 +799,7 @@ static ssize_t reipl_generic_loadparm_store(struct ipl_parameter_block *ipb,
        /* copy and convert to ebcdic */
        memcpy(ipb->hdr.loadparm, buf, lp_len);
        ASCEBC(ipb->hdr.loadparm, LOADPARM_LEN);
+        ipb->hdr.flags |= DIAG308_FLAGS_LP_VALID;
        return len;
 }
diff --git a/arch/s390/kernel/irq.c b/arch/s390/kernel/irq.c
index f41d5208aaf7..590e9394b4dd 100644
--- a/arch/s390/kernel/irq.c
+++ b/arch/s390/kernel/irq.c
@@ -173,10 +173,9 @@ void do_softirq_own_stack(void)
                new -= STACK_FRAME_OVERHEAD;
                ((struct stack_frame *) new)->back_chain = old;
                asm volatile("   la    15,0(%0)\n"
-                             "   basr  14,%2\n"
+                             "   brasl 14,__do_softirq\n"
                             "   la    15,0(%1)\n"
-                             : : "a" (new), "a" (old),
+                             : : "a" (new), "a" (old)
-                                 "a" (__do_softirq)
                             : "0", "1", "2", "3", "4", "5", "14",
                               "cc", "memory" );
        } else {
diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S
index e499370fbccb..6c1c7d399bf9 100644
--- a/arch/s390/kernel/mcount.S
+++ b/arch/s390/kernel/mcount.S
@@ -8,12 +8,16 @@
 #include <linux/linkage.h>
 #include <asm/asm-offsets.h>
 #include <asm/ftrace.h>
+#include <asm/nospec-insn.h>
 #include <asm/ptrace.h>
+        GEN_BR_THUNK %r1
+        GEN_BR_THUNK %r14
        .section .kprobes.text, "ax"
 ENTRY(ftrace_stub)
-        br      %r14
+        BR_EX   %r14
 #define STACK_FRAME_SIZE  (STACK_FRAME_OVERHEAD + __PT_SIZE)
 #define STACK_PTREGS      (STACK_FRAME_OVERHEAD)
@@ -21,7 +25,7 @@ ENTRY(ftrace_stub)
 #define STACK_PTREGS_PSW  (STACK_PTREGS + __PT_PSW)
 ENTRY(_mcount)
-        br      %r14
+        BR_EX   %r14
 ENTRY(ftrace_caller)
        .globl  ftrace_regs_caller
@@ -49,7 +53,7 @@ ENTRY(ftrace_caller)
 #endif
        lgr     %r3,%r14
        la      %r5,STACK_PTREGS(%r15)
-        basr    %r14,%r1
+        BASR_EX %r14,%r1
 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
 # The j instruction gets runtime patched to a nop instruction.
 # See ftrace_enable_ftrace_graph_caller.
@@ -64,7 +68,7 @@ ftrace_graph_caller_end:
 #endif
        lg      %r1,(STACK_PTREGS_PSW+8)(%r15)
        lmg     %r2,%r15,(STACK_PTREGS_GPRS+2*8)(%r15)
-        br      %r1
+        BR_EX   %r1
 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
@@ -77,6 +81,6 @@ ENTRY(return_to_handler)
        aghi    %r15,STACK_FRAME_OVERHEAD
        lgr     %r14,%r2
        lmg     %r2,%r5,32(%r15)
-        br      %r14
+        BR_EX   %r14
 #endif
diff --git a/arch/s390/kernel/module.c b/arch/s390/kernel/module.c
index 0c1a679314dd..9bd1933848b8 100644
--- a/arch/s390/kernel/module.c
+++ b/arch/s390/kernel/module.c
@@ -31,6 +31,9 @@
 #include <linux/kernel.h>
 #include <linux/moduleloader.h>
 #include <linux/bug.h>
+#include <asm/alternative.h>
+#include <asm/nospec-branch.h>
+#include <asm/facility.h>
 #if 0
 #define DEBUGP printk
@@ -163,7 +166,11 @@ int module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
        me->arch.got_offset = me->core_size;
        me->core_size += me->arch.got_size;
        me->arch.plt_offset = me->core_size;
-        me->core_size += me->arch.plt_size;
+        if (me->arch.plt_size) {
+                if (IS_ENABLED(CONFIG_EXPOLINE) && !nospec_disable)
+                        me->arch.plt_size += PLT_ENTRY_SIZE;
+                me->core_size += me->arch.plt_size;
+        }
        return 0;
 }
@@ -317,9 +324,20 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
                        unsigned int *ip;
                        ip = me->module_core + me->arch.plt_offset +
                                info->plt_offset;
-                        ip[0] = 0x0d10e310; /* basr 1,0; lg 1,10(1); br 1 */
+                        ip[0] = 0x0d10e310;     /* basr 1,0  */
-                        ip[1] = 0x100a0004;
+                        ip[1] = 0x100a0004;     /* lg   1,10(1) */
-                        ip[2] = 0x07f10000;
+                        if (IS_ENABLED(CONFIG_EXPOLINE) && !nospec_disable) {
+                                unsigned int *ij;
+                                ij = me->module_core +
+                                        me->arch.plt_offset +
+                                        me->arch.plt_size - PLT_ENTRY_SIZE;
+                                ip[2] = 0xa7f40000 +    /* j __jump_r1 */
+                                        (unsigned int)(u16)
+                                        (((unsigned long) ij - 8 -
+                                          (unsigned long) ip) / 2);
+                        } else {
+                                ip[2] = 0x07f10000;     /* br %r1 */
+                        }
                        ip[3] = (unsigned int) (val >> 32);
                        ip[4] = (unsigned int) val;
                        info->plt_initialized = 1;
@@ -424,6 +442,45 @@ int module_finalize(const Elf_Ehdr *hdr,
                    const Elf_Shdr *sechdrs,
                    struct module *me)
 {
+        const Elf_Shdr *s;
+        char *secstrings, *secname;
+        void *aseg;
+        if (IS_ENABLED(CONFIG_EXPOLINE) &&
+            !nospec_disable && me->arch.plt_size) {
+                unsigned int *ij;
+                ij = me->module_core + me->arch.plt_offset +
+                        me->arch.plt_size - PLT_ENTRY_SIZE;
+                if (test_facility(35)) {
+                        ij[0] = 0xc6000000;     /* exrl %r0,.+10        */
+                        ij[1] = 0x0005a7f4;     /* j    .               */
+                        ij[2] = 0x000007f1;     /* br   %r1             */
+                } else {
+                        ij[0] = 0x44000000 | (unsigned int)
+                                offsetof(struct _lowcore, br_r1_trampoline);
+                        ij[1] = 0xa7f40000;     /* j    .               */
+                }
+        }
+        secstrings = (void *)hdr + sechdrs[hdr->e_shstrndx].sh_offset;
+        for (s = sechdrs; s < sechdrs + hdr->e_shnum; s++) {
+                aseg = (void *) s->sh_addr;
+                secname = secstrings + s->sh_name;
+                if (!strcmp(".altinstructions", secname))
+                        /* patch .altinstructions */
+                        apply_alternatives(aseg, aseg + s->sh_size);
+                if (IS_ENABLED(CONFIG_EXPOLINE) &&
+                    (!strncmp(".s390_indirect", secname, 14)))
+                        nospec_revert(aseg, aseg + s->sh_size);
+                if (IS_ENABLED(CONFIG_EXPOLINE) &&
+                    (!strncmp(".s390_return", secname, 12)))
+                        nospec_revert(aseg, aseg + s->sh_size);
+        }
        jump_label_apply_nops(me);
        vfree(me->arch.syminfo);
        me->arch.syminfo = NULL;
diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c
new file mode 100644
index 000000000000..d5eed651b5ab
--- /dev/null
+++ b/arch/s390/kernel/nospec-branch.c
@@ -0,0 +1,166 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/module.h>
+#include <linux/device.h>
+#include <asm/facility.h>
+#include <asm/nospec-branch.h>
+static int __init nobp_setup_early(char *str)
+{
+        bool enabled;
+        int rc;
+        rc = kstrtobool(str, &enabled);
+        if (rc)
+                return rc;
+        if (enabled && test_facility(82)) {
+                /*
+                 * The user explicitely requested nobp=1, enable it and
+                 * disable the expoline support.
+                 */
+                __set_facility(82, S390_lowcore.alt_stfle_fac_list);
+                if (IS_ENABLED(CONFIG_EXPOLINE))
+                        nospec_disable = 1;
+        } else {
+                __clear_facility(82, S390_lowcore.alt_stfle_fac_list);
+        }
+        return 0;
+}
+early_param("nobp", nobp_setup_early);
+static int __init nospec_setup_early(char *str)
+{
+        __clear_facility(82, S390_lowcore.alt_stfle_fac_list);
+        return 0;
+}
+early_param("nospec", nospec_setup_early);
+static int __init nospec_report(void)
+{
+        if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
+                pr_info("Spectre V2 mitigation: execute trampolines.\n");
+        if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
+                pr_info("Spectre V2 mitigation: limited branch prediction.\n");
+        return 0;
+}
+arch_initcall(nospec_report);
+#ifdef CONFIG_EXPOLINE
+int nospec_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF);
+static int __init nospectre_v2_setup_early(char *str)
+{
+        nospec_disable = 1;
+        return 0;
+}
+early_param("nospectre_v2", nospectre_v2_setup_early);
+void __init nospec_auto_detect(void)
+{
+        if (IS_ENABLED(CC_USING_EXPOLINE)) {
+                /*
+                 * The kernel has been compiled with expolines.
+                 * Keep expolines enabled and disable nobp.
+                 */
+                nospec_disable = 0;
+                __clear_facility(82, S390_lowcore.alt_stfle_fac_list);
+        }
+        /*
+         * If the kernel has not been compiled with expolines the
+         * nobp setting decides what is done, this depends on the
+         * CONFIG_KERNEL_NP option and the nobp/nospec parameters.
+         */
+}
+static int __init spectre_v2_setup_early(char *str)
+{
+        if (str && !strncmp(str, "on", 2)) {
+                nospec_disable = 0;
+                __clear_facility(82, S390_lowcore.alt_stfle_fac_list);
+        }
+        if (str && !strncmp(str, "off", 3))
+                nospec_disable = 1;
+        if (str && !strncmp(str, "auto", 4))
+                nospec_auto_detect();
+        return 0;
+}
+early_param("spectre_v2", spectre_v2_setup_early);
+static void __init_or_module __nospec_revert(s32 *start, s32 *end)
+{
+        enum { BRCL_EXPOLINE, BRASL_EXPOLINE } type;
+        u8 *instr, *thunk, *br;
+        u8 insnbuf[6];
+        s32 *epo;
+        /* Second part of the instruction replace is always a nop */
+        for (epo = start; epo < end; epo++) {
+                instr = (u8 *) epo + *epo;
+                if (instr[0] == 0xc0 && (instr[1] & 0x0f) == 0x04)
+                        type = BRCL_EXPOLINE;   /* brcl instruction */
+                else if (instr[0] == 0xc0 && (instr[1] & 0x0f) == 0x05)
+                        type = BRASL_EXPOLINE;  /* brasl instruction */
+                else
+                        continue;
+                thunk = instr + (*(int *)(instr + 2)) * 2;
+                if (thunk[0] == 0xc6 && thunk[1] == 0x00)
+                        /* exrl %r0,<target-br> */
+                        br = thunk + (*(int *)(thunk + 2)) * 2;
+                else if (thunk[0] == 0xc0 && (thunk[1] & 0x0f) == 0x00 &&
+                         thunk[6] == 0x44 && thunk[7] == 0x00 &&
+                         (thunk[8] & 0x0f) == 0x00 && thunk[9] == 0x00 &&
+                         (thunk[1] & 0xf0) == (thunk[8] & 0xf0))
+                        /* larl %rx,<target br> + ex %r0,0(%rx) */
+                        br = thunk + (*(int *)(thunk + 2)) * 2;
+                else
+                        continue;
+                /* Check for unconditional branch 0x07f? or 0x47f???? */
+                if ((br[0] & 0xbf) != 0x07 || (br[1] & 0xf0) != 0xf0)
+                        continue;
+                memcpy(insnbuf + 2, (char[]) { 0x47, 0x00, 0x07, 0x00 }, 4);
+                switch (type) {
+                case BRCL_EXPOLINE:
+                        insnbuf[0] = br[0];
+                        insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f);
+                        if (br[0] == 0x47) {
+                                /* brcl to b, replace with bc + nopr */
+                                insnbuf[2] = br[2];
+                                insnbuf[3] = br[3];
+                        } else {
+                                /* brcl to br, replace with bcr + nop */
+                        }
+                        break;
+                case BRASL_EXPOLINE:
+                        insnbuf[1] = (instr[1] & 0xf0) | (br[1] & 0x0f);
+                        if (br[0] == 0x47) {
+                                /* brasl to b, replace with bas + nopr */
+                                insnbuf[0] = 0x4d;
+                                insnbuf[2] = br[2];
+                                insnbuf[3] = br[3];
+                        } else {
+                                /* brasl to br, replace with basr + nop */
+                                insnbuf[0] = 0x0d;
+                        }
+                        break;
+                }
+                s390_kernel_write(instr, insnbuf, 6);
+        }
+}
+void __init_or_module nospec_revert(s32 *start, s32 *end)
+{
+        if (nospec_disable)
+                __nospec_revert(start, end);
+}
+extern s32 __nospec_call_start[], __nospec_call_end[];
+extern s32 __nospec_return_start[], __nospec_return_end[];
+void __init nospec_init_branches(void)
+{
+        nospec_revert(__nospec_call_start, __nospec_call_end);
+        nospec_revert(__nospec_return_start, __nospec_return_end);
+}
+#endif /* CONFIG_EXPOLINE */
diff --git a/arch/s390/kernel/nospec-sysfs.c b/arch/s390/kernel/nospec-sysfs.c
new file mode 100644
index 000000000000..8affad5f18cb
--- /dev/null
+++ b/arch/s390/kernel/nospec-sysfs.c
@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/device.h>
+#include <linux/cpu.h>
+#include <asm/facility.h>
+#include <asm/nospec-branch.h>
+ssize_t cpu_show_spectre_v1(struct device *dev,
+                            struct device_attribute *attr, char *buf)
+{
+        return sprintf(buf, "Mitigation: __user pointer sanitization\n");
+}
+ssize_t cpu_show_spectre_v2(struct device *dev,
+                            struct device_attribute *attr, char *buf)
+{
+        if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable)
+                return sprintf(buf, "Mitigation: execute trampolines\n");
+        if (__test_facility(82, S390_lowcore.alt_stfle_fac_list))
+                return sprintf(buf, "Mitigation: limited branch prediction\n");
+        return sprintf(buf, "Vulnerable\n");
+}
diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
index 3d8da1e742c2..b79d51459cf2 100644
--- a/arch/s390/kernel/perf_cpum_sf.c
+++ b/arch/s390/kernel/perf_cpum_sf.c
@@ -744,6 +744,10 @@ static int __hw_perf_event_init(struct perf_event *event)
         */
        rate = 0;
        if (attr->freq) {
+                if (!attr->sample_freq) {
+                        err = -EINVAL;
+                        goto out;
+                }
                rate = freq_to_sample_rate(&si, attr->sample_freq);
                rate = hw_limit_rate(&si, rate);
                attr->freq = 0;
diff --git a/arch/s390/kernel/processor.c b/arch/s390/kernel/processor.c
index 7ce00e7a709a..ab236bd970bb 100644
--- a/arch/s390/kernel/processor.c
+++ b/arch/s390/kernel/processor.c
@@ -13,6 +13,7 @@
 #include <linux/cpu.h>
 #include <asm/diag.h>
 #include <asm/elf.h>
+#include <asm/facility.h>
 #include <asm/lowcore.h>
 #include <asm/param.h>
 #include <asm/smp.h>
@@ -113,3 +114,20 @@ const struct seq_operations cpuinfo_op = {
        .show   = show_cpuinfo,
 };
+int s390_isolate_bp(void)
+{
+        if (!test_facility(82))
+                return -EOPNOTSUPP;
+        set_thread_flag(TIF_ISOLATE_BP);
+        return 0;
+}
+EXPORT_SYMBOL(s390_isolate_bp);
+int s390_isolate_bp_guest(void)
+{
+        if (!test_facility(82))
+                return -EOPNOTSUPP;
+        set_thread_flag(TIF_ISOLATE_BP_GUEST);
+        return 0;
+}
+EXPORT_SYMBOL(s390_isolate_bp_guest);
diff --git a/arch/s390/kernel/reipl.S b/arch/s390/kernel/reipl.S
index 52aab0bd84f8..6b1b91c17b40 100644
--- a/arch/s390/kernel/reipl.S
+++ b/arch/s390/kernel/reipl.S
@@ -6,8 +6,11 @@
 #include <linux/linkage.h>
 #include <asm/asm-offsets.h>
+#include <asm/nospec-insn.h>
 #include <asm/sigp.h>
+        GEN_BR_THUNK %r14
 #
 # store_status
 #
@@ -62,7 +65,7 @@ ENTRY(store_status)
        st      %r3,__LC_PSW_SAVE_AREA-SAVE_AREA_BASE + 4(%r1)
        larl    %r2,store_status
        stg     %r2,__LC_PSW_SAVE_AREA-SAVE_AREA_BASE + 8(%r1)
-        br      %r14
+        BR_EX   %r14
        .section .bss
        .align  8
diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
index d097d71685df..e7a43a30e3ff 100644
--- a/arch/s390/kernel/setup.c
+++ b/arch/s390/kernel/setup.c
@@ -63,6 +63,8 @@
 #include <asm/sclp.h>
 #include <asm/sysinfo.h>
 #include <asm/numa.h>
+#include <asm/alternative.h>
+#include <asm/nospec-branch.h>
 #include "entry.h"
 /*
@@ -333,7 +335,9 @@ static void __init setup_lowcore(void)
        lc->machine_flags = S390_lowcore.machine_flags;
        lc->stfl_fac_list = S390_lowcore.stfl_fac_list;
        memcpy(lc->stfle_fac_list, S390_lowcore.stfle_fac_list,
-               MAX_FACILITY_BIT/8);
+               sizeof(lc->stfle_fac_list));
+        memcpy(lc->alt_stfle_fac_list, S390_lowcore.alt_stfle_fac_list,
+               sizeof(lc->alt_stfle_fac_list));
        if (MACHINE_HAS_VX)
                lc->vector_save_area_addr =
                        (unsigned long) &lc->vector_save_area;
@@ -370,6 +374,7 @@ static void __init setup_lowcore(void)
 #ifdef CONFIG_SMP
        lc->spinlock_lockval = arch_spin_lockval(0);
 #endif
+        lc->br_r1_trampoline = 0x07f1;  /* br %r1 */
        set_prefix((u32)(unsigned long) lc);
        lowcore_ptr[0] = lc;
@@ -841,6 +846,9 @@ void __init setup_arch(char **cmdline_p)
        init_mm.end_data = (unsigned long) &_edata;
        init_mm.brk = (unsigned long) &_end;
+        if (IS_ENABLED(CONFIG_EXPOLINE_AUTO))
+                nospec_auto_detect();
        parse_early_param();
        os_info_init();
        setup_ipl();
@@ -893,6 +901,10 @@ void __init setup_arch(char **cmdline_p)
        conmode_default();
        set_preferred_console();
+        apply_alternative_instructions();
+        if (IS_ENABLED(CONFIG_EXPOLINE))
+                nospec_init_branches();
        /* Setup zfcpdump support */
        setup_zfcpdump();
diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
index 9062df575afe..77f4f334a465 100644
--- a/arch/s390/kernel/smp.c
+++ b/arch/s390/kernel/smp.c
@@ -200,6 +200,7 @@ static int pcpu_alloc_lowcore(struct pcpu *pcpu, int cpu)
        lc->panic_stack = panic_stack + PANIC_FRAME_OFFSET;
        lc->cpu_nr = cpu;
        lc->spinlock_lockval = arch_spin_lockval(cpu);
+        lc->br_r1_trampoline = 0x07f1;  /* br %r1 */
        if (MACHINE_HAS_VX)
                lc->vector_save_area_addr =
                        (unsigned long) &lc->vector_save_area;
@@ -250,7 +251,9 @@ static void pcpu_prepare_secondary(struct pcpu *pcpu, int cpu)
        __ctl_store(lc->cregs_save_area, 0, 15);
        save_access_regs((unsigned int *) lc->access_regs_save_area);
        memcpy(lc->stfle_fac_list, S390_lowcore.stfle_fac_list,
-               MAX_FACILITY_BIT/8);
+               sizeof(lc->stfle_fac_list));
+        memcpy(lc->alt_stfle_fac_list, S390_lowcore.alt_stfle_fac_list,
+               sizeof(lc->alt_stfle_fac_list));
 }
 static void pcpu_attach_task(struct pcpu *pcpu, struct task_struct *tsk)
@@ -299,6 +302,7 @@ static void pcpu_delegate(struct pcpu *pcpu, void (*func)(void *),
        mem_assign_absolute(lc->restart_fn, (unsigned long) func);
        mem_assign_absolute(lc->restart_data, (unsigned long) data);
        mem_assign_absolute(lc->restart_source, source_cpu);
+        __bpon();
        asm volatile(
                "0:     sigp    0,%0,%2 # sigp restart to target cpu\n"
                "       brc     2,0b    # busy, try again\n"
@@ -888,6 +892,7 @@ void __cpu_die(unsigned int cpu)
 void __noreturn cpu_die(void)
 {
        idle_task_exit();
+        __bpon();
        pcpu_sigp_retry(pcpu_devices + smp_processor_id(), SIGP_STOP, 0);
        for (;;) ;
 }
diff --git a/arch/s390/kernel/swsusp.S b/arch/s390/kernel/swsusp.S
index 2d6b6e81f812..60a829c77378 100644
--- a/arch/s390/kernel/swsusp.S
+++ b/arch/s390/kernel/swsusp.S
@@ -12,6 +12,7 @@
 #include <asm/ptrace.h>
 #include <asm/thread_info.h>
 #include <asm/asm-offsets.h>
+#include <asm/nospec-insn.h>
 #include <asm/sigp.h>
 /*
@@ -23,6 +24,8 @@
 * (see below) in the resume process.
 * This function runs with disabled interrupts.
 */
+        GEN_BR_THUNK %r14
        .section .text
 ENTRY(swsusp_arch_suspend)
        stmg    %r6,%r15,__SF_GPRS(%r15)
@@ -102,7 +105,7 @@ ENTRY(swsusp_arch_suspend)
        spx     0x318(%r1)
        lmg     %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15)
        lghi    %r2,0
-        br      %r14
+        BR_EX   %r14
 /*
 * Restore saved memory image to correct place and restore register context.
@@ -196,11 +199,10 @@ pgm_check_entry:
        larl    %r15,init_thread_union
        ahi     %r15,1<<(PAGE_SHIFT+THREAD_ORDER)
        larl    %r2,.Lpanic_string
-        larl    %r3,_sclp_print_early
        lghi    %r1,0
        sam31
        sigp    %r1,%r0,SIGP_SET_ARCHITECTURE
-        basr    %r14,%r3
+        brasl   %r14,_sclp_print_early
        larl    %r3,.Ldisabled_wait_31
        lpsw    0(%r3)
 4:
@@ -266,7 +268,7 @@ restore_registers:
        /* Return 0 */
        lmg     %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15)
        lghi    %r2,0
-        br      %r14
+        BR_EX   %r14
        .section .data..nosave,"aw",@progbits
        .align  8
diff --git a/arch/s390/kernel/uprobes.c b/arch/s390/kernel/uprobes.c
index 66956c09d5bf..3d04dfdabc9f 100644
--- a/arch/s390/kernel/uprobes.c
+++ b/arch/s390/kernel/uprobes.c
@@ -147,6 +147,15 @@ unsigned long arch_uretprobe_hijack_return_addr(unsigned long trampoline,
        return orig;
 }
+bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
+                             struct pt_regs *regs)
+{
+        if (ctx == RP_CHECK_CHAIN_CALL)
+                return user_stack_pointer(regs) <= ret->stack;
+        else
+                return user_stack_pointer(regs) < ret->stack;
+}
 /* Instruction Emulation */
 static void adjust_psw_addr(psw_t *psw, unsigned long len)
diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
index 445657fe658c..a4ae08e416e6 100644
--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -21,8 +21,14 @@ SECTIONS
 {
        . = 0x00000000;
        .text : {
-        _text = .;              /* Text and read-only data */
+                /* Text and read-only data */
                HEAD_TEXT
+                /*
+                 * E.g. perf doesn't like symbols starting at address zero,
+                 * therefore skip the initial PSW and channel program located
+                 * at address zero and let _text start at 0x200.
+                 */
+        _text = 0x200;
                TEXT_TEXT
                SCHED_TEXT
                LOCK_TEXT
@@ -72,6 +78,43 @@ SECTIONS
                EXIT_DATA
        }
+        /*
+         * struct alt_inst entries. From the header (alternative.h):
+         * "Alternative instructions for different CPU types or capabilities"
+         * Think locking instructions on spinlocks.
+         * Note, that it is a part of __init region.
+         */
+        . = ALIGN(8);
+        .altinstructions : {
+                __alt_instructions = .;
+                *(.altinstructions)
+                __alt_instructions_end = .;
+        }
+        /*
+         * And here are the replacement instructions. The linker sticks
+         * them as binary blobs. The .altinstructions has enough data to
+         * get the address and the length of them to patch the kernel safely.
+         * Note, that it is a part of __init region.
+         */
+        .altinstr_replacement : {
+                *(.altinstr_replacement)
+        }
+        /*
+         * Table with the patch locations to undo expolines
+        */
+        .nospec_call_table : {
+                __nospec_call_start = . ;
+                *(.s390_indirect*)
+                __nospec_call_end = . ;
+        }
+        .nospec_return_table : {
+                __nospec_return_start = . ;
+                *(.s390_return*)
+                __nospec_return_end = . ;
+        }
        /* early.c uses stsi, which requires page aligned data. */
        . = ALIGN(PAGE_SIZE);
        INIT_DATA_SECTION(0x100)
diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 23e3f5d77a24..5ddb1debba95 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -118,8 +118,8 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
 /* upper facilities limit for kvm */
 unsigned long kvm_s390_fac_list_mask[] = {
-        0xffe6fffbfcfdfc40UL,
+        0xffe6ffffffffffffUL,
-        0x005e800000000000UL,
+        0x005effffffffffffUL,
 };
 unsigned long kvm_s390_fac_list_mask_size(void)
@@ -257,6 +257,9 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
        case KVM_CAP_S390_VECTOR_REGISTERS:
                r = MACHINE_HAS_VX;
                break;
+        case KVM_CAP_S390_BPB:
+                r = test_facility(82);
+                break;
        default:
                r = 0;
        }
@@ -1264,6 +1267,8 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
                                    KVM_SYNC_PFAULT;
        if (test_kvm_facility(vcpu->kvm, 129))
                vcpu->run->kvm_valid_regs |= KVM_SYNC_VRS;
+        if (test_kvm_facility(vcpu->kvm, 82))
+                vcpu->run->kvm_valid_regs |= KVM_SYNC_BPBC;
        if (kvm_is_ucontrol(vcpu->kvm))
                return __kvm_ucontrol_vcpu_init(vcpu);
@@ -1327,6 +1332,7 @@ static void kvm_s390_vcpu_initial_reset(struct kvm_vcpu *vcpu)
        current->thread.fpu.fpc = 0;
        vcpu->arch.sie_block->gbea = 1;
        vcpu->arch.sie_block->pp = 0;
+        vcpu->arch.sie_block->fpf &= ~FPF_BPBC;
        vcpu->arch.pfault_token = KVM_S390_PFAULT_TOKEN_INVALID;
        kvm_clear_async_pf_completion_queue(vcpu);
        if (!kvm_s390_user_cpu_state_ctrl(vcpu->kvm))
@@ -2145,6 +2151,11 @@ static void sync_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                if (vcpu->arch.pfault_token == KVM_S390_PFAULT_TOKEN_INVALID)
                        kvm_clear_async_pf_completion_queue(vcpu);
        }
+        if ((kvm_run->kvm_dirty_regs & KVM_SYNC_BPBC) &&
+            test_kvm_facility(vcpu->kvm, 82)) {
+                vcpu->arch.sie_block->fpf &= ~FPF_BPBC;
+                vcpu->arch.sie_block->fpf |= kvm_run->s.regs.bpbc ? FPF_BPBC : 0;
+        }
        kvm_run->kvm_dirty_regs = 0;
 }
@@ -2162,6 +2173,7 @@ static void store_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        kvm_run->s.regs.pft = vcpu->arch.pfault_token;
        kvm_run->s.regs.pfs = vcpu->arch.pfault_select;
        kvm_run->s.regs.pfc = vcpu->arch.pfault_compare;
+        kvm_run->s.regs.bpbc = (vcpu->arch.sie_block->fpf & FPF_BPBC) == FPF_BPBC;
 }
 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S
index c6d553e85ab1..16c5998b9792 100644
--- a/arch/s390/lib/mem.S
+++ b/arch/s390/lib/mem.S
@@ -5,6 +5,9 @@
 */
 #include <linux/linkage.h>
+#include <asm/nospec-insn.h>
+        GEN_BR_THUNK %r14
 /*
 * memset implementation
@@ -38,7 +41,7 @@ ENTRY(memset)
 .Lmemset_clear_rest:
        larl    %r3,.Lmemset_xc
        ex      %r4,0(%r3)
-        br      %r14
+        BR_EX   %r14
 .Lmemset_fill:
        stc     %r3,0(%r2)
        cghi    %r4,1
@@ -55,7 +58,7 @@ ENTRY(memset)
 .Lmemset_fill_rest:
        larl    %r3,.Lmemset_mvc
        ex      %r4,0(%r3)
-        br      %r14
+        BR_EX   %r14
 .Lmemset_xc:
        xc      0(1,%r1),0(%r1)
 .Lmemset_mvc:
@@ -77,7 +80,7 @@ ENTRY(memcpy)
 .Lmemcpy_rest:
        larl    %r5,.Lmemcpy_mvc
        ex      %r4,0(%r5)
-        br      %r14
+        BR_EX   %r14
 .Lmemcpy_loop:
        mvc     0(256,%r1),0(%r3)
        la      %r1,256(%r1)
diff --git a/arch/s390/net/bpf_jit.S b/arch/s390/net/bpf_jit.S
index a1c917d881ec..fa716f2a95a7 100644
--- a/arch/s390/net/bpf_jit.S
+++ b/arch/s390/net/bpf_jit.S
@@ -8,6 +8,7 @@
 */
 #include <linux/linkage.h>
+#include <asm/nospec-insn.h>
 #include "bpf_jit.h"
 /*
@@ -53,7 +54,7 @@ ENTRY(sk_load_##NAME##_pos);						\
        clg     %r3,STK_OFF_HLEN(%r15); /* Offset + SIZE > hlen? */     \
        jh      sk_load_##NAME##_slow;                                  \
        LOAD    %r14,-SIZE(%r3,%r12);   /* Get data from skb */         \
-        b       OFF_OK(%r6);            /* Return */                    \
+        B_EX    OFF_OK,%r6;             /* Return */                    \
                                                                        \
 sk_load_##NAME##_slow:;                                                 \
        lgr     %r2,%r7;                /* Arg1 = skb pointer */        \
@@ -63,11 +64,14 @@ sk_load_##NAME##_slow:;							\
        brasl   %r14,skb_copy_bits;     /* Get data from skb */         \
        LOAD    %r14,STK_OFF_TMP(%r15); /* Load from temp bufffer */    \
        ltgr    %r2,%r2;                /* Set cc to (%r2 != 0) */      \
-        br      %r6;                    /* Return */
+        BR_EX   %r6;                    /* Return */
 sk_load_common(word, 4, llgf)   /* r14 = *(u32 *) (skb->data+offset) */
 sk_load_common(half, 2, llgh)   /* r14 = *(u16 *) (skb->data+offset) */
+        GEN_BR_THUNK %r6
+        GEN_B_THUNK OFF_OK,%r6
 /*
 * Load 1 byte from SKB (optimized version)
 */
@@ -79,7 +83,7 @@ ENTRY(sk_load_byte_pos)
        clg     %r3,STK_OFF_HLEN(%r15)  # Offset >= hlen?
        jnl     sk_load_byte_slow
        llgc    %r14,0(%r3,%r12)        # Get byte from skb
-        b       OFF_OK(%r6)             # Return OK
+        B_EX    OFF_OK,%r6              # Return OK
 sk_load_byte_slow:
        lgr     %r2,%r7                 # Arg1 = skb pointer
@@ -89,7 +93,7 @@ sk_load_byte_slow:
        brasl   %r14,skb_copy_bits      # Get data from skb
        llgc    %r14,STK_OFF_TMP(%r15)  # Load result from temp buffer
        ltgr    %r2,%r2                 # Set cc to (%r2 != 0)
-        br      %r6                     # Return cc
+        BR_EX   %r6                     # Return cc
 #define sk_negative_common(NAME, SIZE, LOAD)                            \
 sk_load_##NAME##_slow_neg:;                                             \
@@ -103,7 +107,7 @@ sk_load_##NAME##_slow_neg:;						\
        jz      bpf_error;                                              \
        LOAD    %r14,0(%r2);            /* Get data from pointer */     \
        xr      %r3,%r3;                /* Set cc to zero */            \
-        br      %r6;                    /* Return cc */
+        BR_EX   %r6;                    /* Return cc */
 sk_negative_common(word, 4, llgf)
 sk_negative_common(half, 2, llgh)
@@ -112,4 +116,4 @@ sk_negative_common(byte, 1, llgc)
 bpf_error:
 # force a return 0 from jit handler
        ltgr    %r15,%r15       # Set condition code
-        br      %r6
+        BR_EX   %r6
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 1395eeb6005f..a26528afceb2 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -24,6 +24,8 @@
 #include <linux/bpf.h>
 #include <asm/cacheflush.h>
 #include <asm/dis.h>
+#include <asm/facility.h>
+#include <asm/nospec-branch.h>
 #include "bpf_jit.h"
 int bpf_jit_enable __read_mostly;
@@ -41,6 +43,8 @@ struct bpf_jit {
        int base_ip;            /* Base address for literal pool */
        int ret0_ip;            /* Address of return 0 */
        int exit_ip;            /* Address of exit */
+        int r1_thunk_ip;        /* Address of expoline thunk for 'br %r1' */
+        int r14_thunk_ip;       /* Address of expoline thunk for 'br %r14' */
        int tail_call_start;    /* Tail call start offset */
        int labels[1];          /* Labels for local jumps */
 };
@@ -248,6 +252,19 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
        REG_SET_SEEN(b2);                                       \
 })
+#define EMIT6_PCREL_RILB(op, b, target)                         \
+({                                                              \
+        int rel = (target - jit->prg) / 2;                      \
+        _EMIT6(op | reg_high(b) << 16 | rel >> 16, rel & 0xffff);       \
+        REG_SET_SEEN(b);                                        \
+})
+#define EMIT6_PCREL_RIL(op, target)                             \
+({                                                              \
+        int rel = (target - jit->prg) / 2;                      \
+        _EMIT6(op | rel >> 16, rel & 0xffff);                   \
+})
 #define _EMIT6_IMM(op, imm)                                     \
 ({                                                              \
        unsigned int __imm = (imm);                             \
@@ -475,8 +492,45 @@ static void bpf_jit_epilogue(struct bpf_jit *jit)
        EMIT4(0xb9040000, REG_2, BPF_REG_0);
        /* Restore registers */
        save_restore_regs(jit, REGS_RESTORE);
+        if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) {
+                jit->r14_thunk_ip = jit->prg;
+                /* Generate __s390_indirect_jump_r14 thunk */
+                if (test_facility(35)) {
+                        /* exrl %r0,.+10 */
+                        EMIT6_PCREL_RIL(0xc6000000, jit->prg + 10);
+                } else {
+                        /* larl %r1,.+14 */
+                        EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14);
+                        /* ex 0,0(%r1) */
+                        EMIT4_DISP(0x44000000, REG_0, REG_1, 0);
+                }
+                /* j . */
+                EMIT4_PCREL(0xa7f40000, 0);
+        }
        /* br %r14 */
        _EMIT2(0x07fe);
+        if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable &&
+            (jit->seen & SEEN_FUNC)) {
+                jit->r1_thunk_ip = jit->prg;
+                /* Generate __s390_indirect_jump_r1 thunk */
+                if (test_facility(35)) {
+                        /* exrl %r0,.+10 */
+                        EMIT6_PCREL_RIL(0xc6000000, jit->prg + 10);
+                        /* j . */
+                        EMIT4_PCREL(0xa7f40000, 0);
+                        /* br %r1 */
+                        _EMIT2(0x07f1);
+                } else {
+                        /* larl %r1,.+14 */
+                        EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14);
+                        /* ex 0,S390_lowcore.br_r1_tampoline */
+                        EMIT4_DISP(0x44000000, REG_0, REG_0,
+                                   offsetof(struct _lowcore, br_r1_trampoline));
+                        /* j . */
+                        EMIT4_PCREL(0xa7f40000, 0);
+                }
+        }
 }
 /*
@@ -980,8 +1034,13 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
                /* lg %w1,<d(imm)>(%l) */
                EMIT6_DISP_LH(0xe3000000, 0x0004, REG_W1, REG_0, REG_L,
                              EMIT_CONST_U64(func));
-                /* basr %r14,%w1 */
+                if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) {
-                EMIT2(0x0d00, REG_14, REG_W1);
+                        /* brasl %r14,__s390_indirect_jump_r1 */
+                        EMIT6_PCREL_RILB(0xc0050000, REG_14, jit->r1_thunk_ip);
+                } else {
+                        /* basr %r14,%w1 */
+                        EMIT2(0x0d00, REG_14, REG_W1);
+                }
                /* lgr %b0,%r2: load return value into %b0 */
                EMIT4(0xb9040000, BPF_REG_0, REG_2);
                if (bpf_helper_changes_skb_data((void *)func)) {
diff --git a/arch/sh/boards/mach-se/770x/setup.c b/arch/sh/boards/mach-se/770x/setup.c
index 658326f44df8..5e0267624d8d 100644
--- a/arch/sh/boards/mach-se/770x/setup.c
+++ b/arch/sh/boards/mach-se/770x/setup.c
@@ -8,6 +8,7 @@
 */
 #include <linux/init.h>
 #include <linux/platform_device.h>
+#include <linux/sh_eth.h>
 #include <mach-se/mach/se.h>
 #include <mach-se/mach/mrshpc.h>
 #include <asm/machvec.h>
@@ -114,6 +115,11 @@ static struct platform_device heartbeat_device = {
 #if defined(CONFIG_CPU_SUBTYPE_SH7710) ||\
        defined(CONFIG_CPU_SUBTYPE_SH7712)
 /* SH771X Ethernet driver */
+static struct sh_eth_plat_data sh_eth_plat = {
+        .phy = PHY_ID,
+        .phy_interface = PHY_INTERFACE_MODE_MII,
+};
 static struct resource sh_eth0_resources[] = {
        [0] = {
                .start = SH_ETH0_BASE,
@@ -131,7 +137,7 @@ static struct platform_device sh_eth0_device = {
        .name = "sh771x-ether",
        .id = 0,
        .dev = {
-                .platform_data = PHY_ID,
+                .platform_data = &sh_eth_plat,
        },
        .num_resources = ARRAY_SIZE(sh_eth0_resources),
        .resource = sh_eth0_resources,
@@ -154,7 +160,7 @@ static struct platform_device sh_eth1_device = {
        .name = "sh771x-ether",
        .id = 1,
        .dev = {
-                .platform_data = PHY_ID,
+                .platform_data = &sh_eth_plat,
        },
        .num_resources = ARRAY_SIZE(sh_eth1_resources),
        .resource = sh_eth1_resources,
diff --git a/arch/sh/include/asm/futex.h b/arch/sh/include/asm/futex.h
index 7be39a646fbd..e05187d26d76 100644
--- a/arch/sh/include/asm/futex.h
+++ b/arch/sh/include/asm/futex.h
@@ -10,20 +10,11 @@
 /* XXX: UP variants, fix for SH-4A and SMP.. */
 #include <asm/futex-irq.h>
-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, u32 oparg, int *oval,
+                u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
        switch (op) {
@@ -49,17 +40,8 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S
index 13047a4facd2..5a9017ba26ab 100644
--- a/arch/sh/kernel/entry-common.S
+++ b/arch/sh/kernel/entry-common.S
@@ -255,7 +255,7 @@ debug_trap:
        mov.l   @r8, r8
        jsr     @r8
         nop
-        bra     __restore_all
+        bra     ret_from_exception
         nop
        CFI_ENDPROC
diff --git a/arch/sh/kernel/sh_ksyms_32.c b/arch/sh/kernel/sh_ksyms_32.c
index d77f2f6c7ff0..0b30b9dfc87f 100644
--- a/arch/sh/kernel/sh_ksyms_32.c
+++ b/arch/sh/kernel/sh_ksyms_32.c
@@ -34,6 +34,9 @@ DECLARE_EXPORT(__sdivsi3);
 DECLARE_EXPORT(__lshrsi3);
 DECLARE_EXPORT(__ashrsi3);
 DECLARE_EXPORT(__ashlsi3);
+DECLARE_EXPORT(__lshrsi3_r0);
+DECLARE_EXPORT(__ashrsi3_r0);
+DECLARE_EXPORT(__ashlsi3_r0);
 DECLARE_EXPORT(__ashiftrt_r4_6);
 DECLARE_EXPORT(__ashiftrt_r4_7);
 DECLARE_EXPORT(__ashiftrt_r4_8);
diff --git a/arch/sh/kernel/traps_32.c b/arch/sh/kernel/traps_32.c
index ff639342a8be..c5b997757988 100644
--- a/arch/sh/kernel/traps_32.c
+++ b/arch/sh/kernel/traps_32.c
@@ -607,7 +607,8 @@ asmlinkage void do_divide_error(unsigned long r4)
                break;
        }
-        force_sig_info(SIGFPE, &info, current);
+        info.si_signo = SIGFPE;
+        force_sig_info(info.si_signo, &info, current);
 }
 #endif
diff --git a/arch/sh/lib/ashlsi3.S b/arch/sh/lib/ashlsi3.S
index bd47e9b403a5..70a6434945ab 100644
--- a/arch/sh/lib/ashlsi3.S
+++ b/arch/sh/lib/ashlsi3.S
@@ -54,21 +54,38 @@ Boston, MA 02110-1301, USA.  */
 !
 ! (none)
 !
+! __ashlsi3_r0
+!
+! Entry:
+!
+! r4: Value to shift
+! r0: Shifts
+!
+! Exit:
+!
+! r0: Result
+!
+! Destroys:
+!
+! (none)
        .global __ashlsi3
+        .global __ashlsi3_r0
        
        .align  2
 __ashlsi3:
-        mov     #31,r0
+        mov     r5,r0
-        and     r0,r5
+        .align  2
+__ashlsi3_r0:
+        and     #31,r0
+        mov.l   r4,@-r15
+        mov     r0,r4
        mova    ashlsi3_table,r0
-        mov.b   @(r0,r5),r5
+        mov.b   @(r0,r4),r4
-#ifdef __sh1__
+        add     r4,r0
-        add     r5,r0
        jmp     @r0
-#else
+        mov.l   @r15+,r0
-        braf    r5
-#endif
-        mov     r4,r0
        .align  2
 ashlsi3_table:
diff --git a/arch/sh/lib/ashrsi3.S b/arch/sh/lib/ashrsi3.S
index 6f3cf46b77c2..602599d80209 100644
--- a/arch/sh/lib/ashrsi3.S
+++ b/arch/sh/lib/ashrsi3.S
@@ -54,22 +54,37 @@ Boston, MA 02110-1301, USA.  */
 !
 ! (none)
 !
+! __ashrsi3_r0
+!
+! Entry:
+!
+! r4: Value to shift
+! r0: Shifts
+!
+! Exit:
+!
+! r0: Result
+!
+! Destroys:
+!
+! (none)
        .global __ashrsi3
+        .global __ashrsi3_r0
        
        .align  2
 __ashrsi3:
-        mov     #31,r0
+        mov     r5,r0
-        and     r0,r5
+        .align  2
+__ashrsi3_r0:
+        and     #31,r0
+        mov.l   r4,@-r15
+        mov     r0,r4
        mova    ashrsi3_table,r0
-        mov.b   @(r0,r5),r5
+        mov.b   @(r0,r4),r4
-#ifdef __sh1__
+        add     r4,r0
-        add     r5,r0
        jmp     @r0
-#else
+        mov.l   @r15+,r0
-        braf    r5
-#endif
-        mov     r4,r0
        .align  2
 ashrsi3_table:
diff --git a/arch/sh/lib/lshrsi3.S b/arch/sh/lib/lshrsi3.S
index 1e7aaa557130..f2a6959f526d 100644
--- a/arch/sh/lib/lshrsi3.S
+++ b/arch/sh/lib/lshrsi3.S
@@ -54,21 +54,37 @@ Boston, MA 02110-1301, USA.  */
 !
 ! (none)
 !
+! __lshrsi3_r0
+!
+! Entry:
+!
+! r0: Value to shift
+! r5: Shifts
+!
+! Exit:
+!
+! r0: Result
+!
+! Destroys:
+!
+! (none)
+!
        .global __lshrsi3
+        .global __lshrsi3_r0
        
        .align  2
 __lshrsi3:
-        mov     #31,r0
+        mov     r5,r0
-        and     r0,r5
+        .align  2
+__lshrsi3_r0:
+        and     #31,r0
+        mov.l   r4,@-r15
+        mov     r0,r4
        mova    lshrsi3_table,r0
-        mov.b   @(r0,r5),r5
+        mov.b   @(r0,r4),r4
-#ifdef __sh1__
+        add     r4,r0
-        add     r5,r0
        jmp     @r0
-#else
+        mov.l   @r15+,r0
-        braf    r5
-#endif
-        mov     r4,r0
        .align  2
 lshrsi3_table:
diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
index f2fbf9e16faf..29070c9a70f9 100644
--- a/arch/sparc/include/asm/atomic_64.h
+++ b/arch/sparc/include/asm/atomic_64.h
@@ -74,7 +74,11 @@ ATOMIC_OP(xor)
 #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0)
 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
-#define atomic_xchg(v, new) (xchg(&((v)->counter), new))
+static inline int atomic_xchg(atomic_t *v, int new)
+{
+        return xchg(&v->counter, new);
+}
 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
 {
diff --git a/arch/sparc/include/asm/futex_64.h b/arch/sparc/include/asm/futex_64.h
index 4e899b0dabf7..1cfd89d92208 100644
--- a/arch/sparc/include/asm/futex_64.h
+++ b/arch/sparc/include/asm/futex_64.h
@@ -29,22 +29,14 @@
        : "r" (uaddr), "r" (oparg), "i" (-EFAULT)       \
        : "memory")
-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+                u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret, tem;
-        if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))))
-                return -EFAULT;
        if (unlikely((((unsigned long) uaddr) & 0x3UL)))
                return -EINVAL;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
        pagefault_disable();
        switch (op) {
@@ -69,17 +61,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
index f87a55d77094..9b3f2e212b37 100644
--- a/arch/sparc/kernel/ds.c
+++ b/arch/sparc/kernel/ds.c
@@ -908,7 +908,7 @@ static int register_services(struct ds_info *dp)
                pbuf.req.handle = cp->handle;
                pbuf.req.major = 1;
                pbuf.req.minor = 0;
-                strcpy(pbuf.req.svc_id, cp->service_id);
+                strcpy(pbuf.id_buf, cp->service_id);
                err = __ds_send(lp, &pbuf, msg_len);
                if (err > 0)
diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c
index 59d503866431..9cc600b2d68c 100644
--- a/arch/sparc/kernel/ldc.c
+++ b/arch/sparc/kernel/ldc.c
@@ -1733,9 +1733,14 @@ static int read_nonraw(struct ldc_channel *lp, void *buf, unsigned int size)
                lp->rcv_nxt = p->seqid;
+                /*
+                 * If this is a control-only packet, there is nothing
+                 * else to do but advance the rx queue since the packet
+                 * was already processed above.
+                 */
                if (!(p->type & LDC_DATA)) {
                        new = rx_advance(lp, new);
-                        goto no_data;
+                        break;
                }
                if (p->stype & (LDC_ACK | LDC_NACK)) {
                        err = data_ack_nack(lp, p);
diff --git a/arch/tile/include/asm/futex.h b/arch/tile/include/asm/futex.h
index 1a6ef1b69cb1..d96d9dab5c0b 100644
--- a/arch/tile/include/asm/futex.h
+++ b/arch/tile/include/asm/futex.h
@@ -106,12 +106,9 @@
        lock = __atomic_hashed_lock((int __force *)uaddr)
 #endif
-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, u32 oparg, int *oval,
+                u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int uninitialized_var(val), ret;
        __futex_prolog();
@@ -119,12 +116,6 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        /* The 32-bit futex code makes this assumption, so validate it here. */
        BUILD_BUG_ON(sizeof(atomic_t) != sizeof(int));
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
        switch (op) {
        case FUTEX_OP_SET:
@@ -148,30 +139,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        }
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = val;
-                case FUTEX_OP_CMP_EQ:
-                        ret = (val == cmparg);
-                        break;
-                case FUTEX_OP_CMP_NE:
-                        ret = (val != cmparg);
-                        break;
-                case FUTEX_OP_CMP_LT:
-                        ret = (val < cmparg);
-                        break;
-                case FUTEX_OP_CMP_GE:
-                        ret = (val >= cmparg);
-                        break;
-                case FUTEX_OP_CMP_LE:
-                        ret = (val <= cmparg);
-                        break;
-                case FUTEX_OP_CMP_GT:
-                        ret = (val > cmparg);
-                        break;
-                default:
-                        ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/um/Makefile b/arch/um/Makefile
index e3abe6f3156d..9ccf462131c4 100644
--- a/arch/um/Makefile
+++ b/arch/um/Makefile
@@ -117,7 +117,7 @@ archheaders:
 archprepare: include/generated/user_constants.h
 LINK-$(CONFIG_LD_SCRIPT_STATIC) += -static
-LINK-$(CONFIG_LD_SCRIPT_DYN) += -Wl,-rpath,/lib
+LINK-$(CONFIG_LD_SCRIPT_DYN) += -Wl,-rpath,/lib $(call cc-option, -no-pie)
 CFLAGS_NO_HARDENING := $(call cc-option, -fno-PIC,) $(call cc-option, -fno-pic,) \
        $(call cc-option, -fno-stack-protector,) \
diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c
index c211153ca69a..56648f4f8b41 100644
--- a/arch/um/os-Linux/signal.c
+++ b/arch/um/os-Linux/signal.c
@@ -140,7 +140,7 @@ static void (*handlers[_NSIG])(int sig, struct siginfo *si, mcontext_t *mc) = {
 static void hard_handler(int sig, siginfo_t *si, void *p)
 {
-        struct ucontext *uc = p;
+        ucontext_t *uc = p;
        mcontext_t *mc = &uc->uc_mcontext;
        unsigned long pending = 1UL << sig;
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 76f0921181d8..9ddd716116ca 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -89,6 +89,8 @@ config X86
        select HAVE_ARCH_TRACEHOOK
        select HAVE_ARCH_TRANSPARENT_HUGEPAGE
        select HAVE_ARCH_WITHIN_STACK_FRAMES
+        select HAVE_BPF_JIT                     if X86_64
+        select HAVE_EBPF_JIT                    if X86_64
        select HAVE_CC_STACKPROTECTOR
        select HAVE_CMPXCHG_DOUBLE
        select HAVE_CMPXCHG_LOCAL
@@ -280,11 +282,6 @@ config X86_32_LAZY_GS
        def_bool y
        depends on X86_32 && !CC_STACKPROTECTOR
-config ARCH_HWEIGHT_CFLAGS
-        string
-        default "-fcall-saved-ecx -fcall-saved-edx" if X86_32
-        default "-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11" if X86_64
 config ARCH_SUPPORTS_UPROBES
        def_bool y
@@ -354,6 +351,17 @@ config X86_FEATURE_NAMES
          If in doubt, say Y.
+config X86_FAST_FEATURE_TESTS
+        bool "Fast CPU feature tests" if EMBEDDED
+        default y
+        ---help---
+          Some fast-paths in the kernel depend on the capabilities of the CPU.
+          Say Y here for the kernel to patch in the appropriate code at runtime
+          based on the capabilities of the CPU. The infrastructure for patching
+          code at runtime takes up some additional space; space-constrained
+          embedded systems may wish to say N here to produce smaller, slightly
+          slower code.
 config X86_X2APIC
        bool "Support x2apic"
        depends on X86_LOCAL_APIC && X86_64 && (IRQ_REMAP || HYPERVISOR_GUEST)
@@ -1012,7 +1020,7 @@ config X86_MCE_THRESHOLD
        def_bool y
 config X86_MCE_INJECT
-        depends on X86_MCE
+        depends on X86_MCE && X86_LOCAL_APIC
        tristate "Machine check injector support"
        ---help---
          Provide support for injecting machine checks for testing purposes.
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index 1f6c306a9a00..3cb8e179f2f2 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -355,16 +355,6 @@ config DEBUG_IMR_SELFTEST
          If unsure say N here.
-config X86_DEBUG_STATIC_CPU_HAS
-        bool "Debug alternatives"
-        depends on DEBUG_KERNEL
-        ---help---
-          This option causes additional code to be generated which
-          fails if static_cpu_has() is used before alternatives have
-          run.
-          If unsure, say N.
 config X86_DEBUG_FPU
        bool "Debug the x86 FPU code"
        depends on DEBUG_KERNEL
@@ -379,6 +369,7 @@ config X86_DEBUG_FPU
 config PUNIT_ATOM_DEBUG
        tristate "ATOM Punit debug driver"
+        depends on PCI
        select DEBUG_FS
        select IOSF_MBI
        ---help---
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 1f9caa041bf7..d2c663aeccba 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -179,6 +179,15 @@ KBUILD_CFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr)
 LDFLAGS := -m elf_$(UTS_MACHINE)
+#
+# The 64-bit kernel must be aligned to 2MB.  Pass -z max-page-size=0x200000 to
+# the linker to force 2MB page size regardless of the default page size used
+# by the linker.
+#
+ifdef CONFIG_X86_64
+LDFLAGS += $(call ld-option, -z max-page-size=0x200000)
+endif
 # Speed up the build
 KBUILD_CFLAGS += -pipe
 # Workaround for a gcc prelease that unfortunately was shipped in a suse release
diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
index c0cc2a6be0bf..6da2cd0897f3 100644
--- a/arch/x86/boot/Makefile
+++ b/arch/x86/boot/Makefile
@@ -64,12 +64,13 @@ GCOV_PROFILE := n
 $(obj)/bzImage: asflags-y  := $(SVGA_MODE)
 quiet_cmd_image = BUILD   $@
+silent_redirect_image = >/dev/null
 cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \
-                               $(obj)/zoffset.h $@
+                               $(obj)/zoffset.h $@ $($(quiet)redirect_image)
 $(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE
        $(call if_changed,image)
-        @echo 'Kernel: $@ is ready' ' (#'`cat .version`')'
+        @$(kecho) 'Kernel: $@ is ready' ' (#'`cat .version`')'
 OBJCOPYFLAGS_vmlinux.bin := -O binary -R .note -R .comment -S
 $(obj)/vmlinux.bin: $(obj)/compressed/vmlinux FORCE
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 583d539a4197..2bc6651791cc 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -364,7 +364,8 @@ __setup_efi_pci32(efi_pci_io_protocol_32 *pci, struct pci_setup_rom **__rom)
        if (status != EFI_SUCCESS)
                goto free_struct;
-        memcpy(rom->romdata, pci->romimage, pci->romsize);
+        memcpy(rom->romdata, (void *)(unsigned long)pci->romimage,
+               pci->romsize);
        return status;
 free_struct:
@@ -470,7 +471,8 @@ __setup_efi_pci64(efi_pci_io_protocol_64 *pci, struct pci_setup_rom **__rom)
        if (status != EFI_SUCCESS)
                goto free_struct;
-        memcpy(rom->romdata, pci->romimage, pci->romsize);
+        memcpy(rom->romdata, (void *)(unsigned long)pci->romimage,
+               pci->romsize);
        return status;
 free_struct:
diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
index 79dac1758e7c..16df89c30c20 100644
--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -366,6 +366,10 @@ static void parse_elf(void *output)
                switch (phdr->p_type) {
                case PT_LOAD:
+#ifdef CONFIG_X86_64
+                        if ((phdr->p_align % 0x200000) != 0)
+                                error("Alignment of LOAD segment isn't multiple of 2MB");
+#endif
 #ifdef CONFIG_RELOCATABLE
                        dest = output;
                        dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
diff --git a/arch/x86/boot/cpuflags.h b/arch/x86/boot/cpuflags.h
index ea97697e51e4..4cb404fd45ce 100644
--- a/arch/x86/boot/cpuflags.h
+++ b/arch/x86/boot/cpuflags.h
@@ -1,7 +1,7 @@
 #ifndef BOOT_CPUFLAGS_H
 #define BOOT_CPUFLAGS_H
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/processor-flags.h>
 struct cpu_features {
diff --git a/arch/x86/boot/mkcpustr.c b/arch/x86/boot/mkcpustr.c
index 637097e66a62..f72498dc90d2 100644
--- a/arch/x86/boot/mkcpustr.c
+++ b/arch/x86/boot/mkcpustr.c
@@ -17,7 +17,7 @@
 #include "../include/asm/required-features.h"
 #include "../include/asm/disabled-features.h"
-#include "../include/asm/cpufeature.h"
+#include "../include/asm/cpufeatures.h"
 #include "../kernel/cpu/capflags.c"
 int main(void)
diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
index 3633ad6145c5..c18806b5db2a 100644
--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -965,7 +965,7 @@ static int helper_rfc4106_encrypt(struct aead_request *req)
        if (sg_is_last(req->src) &&
            req->src->offset + req->src->length <= PAGE_SIZE &&
-            sg_is_last(req->dst) &&
+            sg_is_last(req->dst) && req->dst->length &&
            req->dst->offset + req->dst->length <= PAGE_SIZE) {
                one_entry_in_sg = 1;
                scatterwalk_start(&src_sg_walk, req->src);
diff --git a/arch/x86/crypto/cast5_avx_glue.c b/arch/x86/crypto/cast5_avx_glue.c
index 8648158f3916..f8fe11d24cde 100644
--- a/arch/x86/crypto/cast5_avx_glue.c
+++ b/arch/x86/crypto/cast5_avx_glue.c
@@ -66,8 +66,6 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct blkcipher_walk *walk,
        void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src);
        int err;
-        fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
        err = blkcipher_walk_virt(desc, walk);
        desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
@@ -79,6 +77,7 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct blkcipher_walk *walk,
                /* Process multi-block batch */
                if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) {
+                        fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
                        do {
                                fn(ctx, wdst, wsrc);
diff --git a/arch/x86/crypto/chacha20_glue.c b/arch/x86/crypto/chacha20_glue.c
index 722bacea040e..8baaff5af0b5 100644
--- a/arch/x86/crypto/chacha20_glue.c
+++ b/arch/x86/crypto/chacha20_glue.c
@@ -125,7 +125,7 @@ static struct crypto_alg alg = {
 static int __init chacha20_simd_mod_init(void)
 {
-        if (!cpu_has_ssse3)
+        if (!boot_cpu_has(X86_FEATURE_SSSE3))
                return -ENODEV;
 #ifdef CONFIG_AS_AVX2
diff --git a/arch/x86/crypto/crc32-pclmul_glue.c b/arch/x86/crypto/crc32-pclmul_glue.c
index 07d2c6c86a54..27226df3f7d8 100644
--- a/arch/x86/crypto/crc32-pclmul_glue.c
+++ b/arch/x86/crypto/crc32-pclmul_glue.c
@@ -33,7 +33,7 @@
 #include <linux/crc32.h>
 #include <crypto/internal/hash.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/cpu_device_id.h>
 #include <asm/fpu/api.h>
diff --git a/arch/x86/crypto/crc32c-intel_glue.c b/arch/x86/crypto/crc32c-intel_glue.c
index 81a595d75cf5..715399b14ed7 100644
--- a/arch/x86/crypto/crc32c-intel_glue.c
+++ b/arch/x86/crypto/crc32c-intel_glue.c
@@ -30,7 +30,7 @@
 #include <linux/kernel.h>
 #include <crypto/internal/hash.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/cpu_device_id.h>
 #include <asm/fpu/internal.h>
@@ -58,16 +58,11 @@
 asmlinkage unsigned int crc_pcl(const u8 *buffer, int len,
                                unsigned int crc_init);
 static int crc32c_pcl_breakeven = CRC32C_PCL_BREAKEVEN_EAGERFPU;
-#if defined(X86_FEATURE_EAGER_FPU)
 #define set_pcl_breakeven_point()                                       \
 do {                                                                    \
        if (!use_eager_fpu())                                           \
                crc32c_pcl_breakeven = CRC32C_PCL_BREAKEVEN_NOEAGERFPU; \
 } while (0)
-#else
-#define set_pcl_breakeven_point()                                       \
-        (crc32c_pcl_breakeven = CRC32C_PCL_BREAKEVEN_NOEAGERFPU)
-#endif
 #endif /* CONFIG_X86_64 */
 static u32 crc32c_intel_le_hw_byte(u32 crc, unsigned char const *data, size_t length)
@@ -257,7 +252,7 @@ static int __init crc32c_intel_mod_init(void)
        if (!x86_match_cpu(crc32c_cpu_id))
                return -ENODEV;
 #ifdef CONFIG_X86_64
-        if (cpu_has_pclmulqdq) {
+        if (boot_cpu_has(X86_FEATURE_PCLMULQDQ)) {
                alg.update = crc32c_pcl_intel_update;
                alg.finup = crc32c_pcl_intel_finup;
                alg.digest = crc32c_pcl_intel_digest;
diff --git a/arch/x86/crypto/crct10dif-pclmul_glue.c b/arch/x86/crypto/crct10dif-pclmul_glue.c
index a3fcfc97a311..cd4df9322501 100644
--- a/arch/x86/crypto/crct10dif-pclmul_glue.c
+++ b/arch/x86/crypto/crct10dif-pclmul_glue.c
@@ -30,7 +30,7 @@
 #include <linux/string.h>
 #include <linux/kernel.h>
 #include <asm/fpu/api.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/cpu_device_id.h>
 asmlinkage __u16 crc_t10dif_pcl(__u16 crc, const unsigned char *buf,
diff --git a/arch/x86/crypto/poly1305_glue.c b/arch/x86/crypto/poly1305_glue.c
index 4264a3d59589..7c064887b783 100644
--- a/arch/x86/crypto/poly1305_glue.c
+++ b/arch/x86/crypto/poly1305_glue.c
@@ -164,7 +164,6 @@ static struct shash_alg alg = {
        .init           = poly1305_simd_init,
        .update         = poly1305_simd_update,
        .final          = crypto_poly1305_final,
-        .setkey         = crypto_poly1305_setkey,
        .descsize       = sizeof(struct poly1305_simd_desc_ctx),
        .base           = {
                .cra_name               = "poly1305",
diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
index 1c3b7ceb36d2..e7273a606a07 100644
--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
+++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
@@ -55,29 +55,31 @@
 #define RAB1bl %bl
 #define RAB2bl %cl
+#define CD0 0x0(%rsp)
+#define CD1 0x8(%rsp)
+#define CD2 0x10(%rsp)
+# used only before/after all rounds
 #define RCD0 %r8
 #define RCD1 %r9
 #define RCD2 %r10
-#define RCD0d %r8d
+# used only during rounds
-#define RCD1d %r9d
+#define RX0 %r8
-#define RCD2d %r10d
+#define RX1 %r9
+#define RX2 %r10
-#define RX0 %rbp
-#define RX1 %r11
-#define RX2 %r12
-#define RX0d %ebp
+#define RX0d %r8d
-#define RX1d %r11d
+#define RX1d %r9d
-#define RX2d %r12d
+#define RX2d %r10d
-#define RY0 %r13
+#define RY0 %r11
-#define RY1 %r14
+#define RY1 %r12
-#define RY2 %r15
+#define RY2 %r13
-#define RY0d %r13d
+#define RY0d %r11d
-#define RY1d %r14d
+#define RY1d %r12d
-#define RY2d %r15d
+#define RY2d %r13d
 #define RT0 %rdx
 #define RT1 %rsi
@@ -85,6 +87,8 @@
 #define RT0d %edx
 #define RT1d %esi
+#define RT1bl %sil
 #define do16bit_ror(rot, op1, op2, T0, T1, tmp1, tmp2, ab, dst) \
        movzbl ab ## bl,                tmp2 ## d; \
        movzbl ab ## bh,                tmp1 ## d; \
@@ -92,6 +96,11 @@
        op1##l T0(CTX, tmp2, 4),        dst ## d; \
        op2##l T1(CTX, tmp1, 4),        dst ## d;
+#define swap_ab_with_cd(ab, cd, tmp)    \
+        movq cd, tmp;                   \
+        movq ab, cd;                    \
+        movq tmp, ab;
 /*
 * Combined G1 & G2 function. Reordered with help of rotates to have moves
 * at begining.
@@ -110,15 +119,15 @@
        /* G1,2 && G2,2 */ \
        do16bit_ror(32, xor, xor, Tx2, Tx3, RT0, RT1, ab ## 0, x ## 0); \
        do16bit_ror(16, xor, xor, Ty3, Ty0, RT0, RT1, ab ## 0, y ## 0); \
-        xchgq cd ## 0, ab ## 0; \
+        swap_ab_with_cd(ab ## 0, cd ## 0, RT0); \
        \
        do16bit_ror(32, xor, xor, Tx2, Tx3, RT0, RT1, ab ## 1, x ## 1); \
        do16bit_ror(16, xor, xor, Ty3, Ty0, RT0, RT1, ab ## 1, y ## 1); \
-        xchgq cd ## 1, ab ## 1; \
+        swap_ab_with_cd(ab ## 1, cd ## 1, RT0); \
        \
        do16bit_ror(32, xor, xor, Tx2, Tx3, RT0, RT1, ab ## 2, x ## 2); \
        do16bit_ror(16, xor, xor, Ty3, Ty0, RT0, RT1, ab ## 2, y ## 2); \
-        xchgq cd ## 2, ab ## 2;
+        swap_ab_with_cd(ab ## 2, cd ## 2, RT0);
 #define enc_round_end(ab, x, y, n) \
        addl y ## d,                    x ## d; \
@@ -168,6 +177,16 @@
        decrypt_round3(ba, dc, (n*2)+1); \
        decrypt_round3(ba, dc, (n*2));
+#define push_cd()       \
+        pushq RCD2;     \
+        pushq RCD1;     \
+        pushq RCD0;
+#define pop_cd()        \
+        popq RCD0;      \
+        popq RCD1;      \
+        popq RCD2;
 #define inpack3(in, n, xy, m) \
        movq 4*(n)(in),                 xy ## 0; \
        xorq w+4*m(CTX),                xy ## 0; \
@@ -223,11 +242,8 @@ ENTRY(__twofish_enc_blk_3way)
         *      %rdx: src, RIO
         *      %rcx: bool, if true: xor output
         */
-        pushq %r15;
-        pushq %r14;
        pushq %r13;
        pushq %r12;
-        pushq %rbp;
        pushq %rbx;
        pushq %rcx; /* bool xor */
@@ -235,40 +251,36 @@ ENTRY(__twofish_enc_blk_3way)
        inpack_enc3();
-        encrypt_cycle3(RAB, RCD, 0);
+        push_cd();
-        encrypt_cycle3(RAB, RCD, 1);
+        encrypt_cycle3(RAB, CD, 0);
-        encrypt_cycle3(RAB, RCD, 2);
+        encrypt_cycle3(RAB, CD, 1);
-        encrypt_cycle3(RAB, RCD, 3);
+        encrypt_cycle3(RAB, CD, 2);
-        encrypt_cycle3(RAB, RCD, 4);
+        encrypt_cycle3(RAB, CD, 3);
-        encrypt_cycle3(RAB, RCD, 5);
+        encrypt_cycle3(RAB, CD, 4);
-        encrypt_cycle3(RAB, RCD, 6);
+        encrypt_cycle3(RAB, CD, 5);
-        encrypt_cycle3(RAB, RCD, 7);
+        encrypt_cycle3(RAB, CD, 6);
+        encrypt_cycle3(RAB, CD, 7);
+        pop_cd();
        popq RIO; /* dst */
-        popq %rbp; /* bool xor */
+        popq RT1; /* bool xor */
-        testb %bpl, %bpl;
+        testb RT1bl, RT1bl;
        jnz .L__enc_xor3;
        outunpack_enc3(mov);
        popq %rbx;
-        popq %rbp;
        popq %r12;
        popq %r13;
-        popq %r14;
-        popq %r15;
        ret;
 .L__enc_xor3:
        outunpack_enc3(xor);
        popq %rbx;
-        popq %rbp;
        popq %r12;
        popq %r13;
-        popq %r14;
-        popq %r15;
        ret;
 ENDPROC(__twofish_enc_blk_3way)
@@ -278,35 +290,31 @@ ENTRY(twofish_dec_blk_3way)
         *      %rsi: dst
         *      %rdx: src, RIO
         */
-        pushq %r15;
-        pushq %r14;
        pushq %r13;
        pushq %r12;
-        pushq %rbp;
        pushq %rbx;
        pushq %rsi; /* dst */
        inpack_dec3();
-        decrypt_cycle3(RAB, RCD, 7);
+        push_cd();
-        decrypt_cycle3(RAB, RCD, 6);
+        decrypt_cycle3(RAB, CD, 7);
-        decrypt_cycle3(RAB, RCD, 5);
+        decrypt_cycle3(RAB, CD, 6);
-        decrypt_cycle3(RAB, RCD, 4);
+        decrypt_cycle3(RAB, CD, 5);
-        decrypt_cycle3(RAB, RCD, 3);
+        decrypt_cycle3(RAB, CD, 4);
-        decrypt_cycle3(RAB, RCD, 2);
+        decrypt_cycle3(RAB, CD, 3);
-        decrypt_cycle3(RAB, RCD, 1);
+        decrypt_cycle3(RAB, CD, 2);
-        decrypt_cycle3(RAB, RCD, 0);
+        decrypt_cycle3(RAB, CD, 1);
+        decrypt_cycle3(RAB, CD, 0);
+        pop_cd();
        popq RIO; /* dst */
        outunpack_dec3();
        popq %rbx;
-        popq %rbp;
        popq %r12;
        popq %r13;
-        popq %r14;
-        popq %r15;
        ret;
 ENDPROC(twofish_dec_blk_3way)
diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
index 1a4477cedc49..071582a3b5c0 100644
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -20,12 +20,14 @@
 #include <linux/export.h>
 #include <linux/context_tracking.h>
 #include <linux/user-return-notifier.h>
+#include <linux/nospec.h>
 #include <linux/uprobes.h>
 #include <asm/desc.h>
 #include <asm/traps.h>
 #include <asm/vdso.h>
 #include <asm/uaccess.h>
+#include <asm/cpufeature.h>
 #define CREATE_TRACE_POINTS
 #include <trace/events/syscalls.h>
@@ -381,6 +383,7 @@ __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs)
        }
        if (likely(nr < IA32_NR_syscalls)) {
+                nr = array_index_nospec(nr, IA32_NR_syscalls);
                /*
                 * It's possible that a 32-bit syscall implementation
                 * takes a 64-bit parameter but nonetheless assumes that
diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
index d437f3871e53..49a8c9f7a379 100644
--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -40,7 +40,7 @@
 #include <asm/processor-flags.h>
 #include <asm/ftrace.h>
 #include <asm/irq_vectors.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative-asm.h>
 #include <asm/asm.h>
 #include <asm/smap.h>
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index a03b22c615d9..92b840c94f17 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -178,12 +178,14 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)
        jnz     tracesys
 entry_SYSCALL_64_fastpath:
 #if __SYSCALL_MASK == ~0
-        cmpq    $__NR_syscall_max, %rax
+        cmpq    $NR_syscalls, %rax
 #else
        andl    $__SYSCALL_MASK, %eax
-        cmpl    $__NR_syscall_max, %eax
+        cmpl    $NR_syscalls, %eax
 #endif
-        ja      1f                              /* return -ENOSYS (already in pt_regs->ax) */
+        jae     1f                              /* return -ENOSYS (already in pt_regs->ax) */
+        sbb     %rcx, %rcx                      /* array_index_mask_nospec() */
+        and     %rcx, %rax
        movq    %r10, %rcx
 #ifdef CONFIG_RETPOLINE
        movq    sys_call_table(, %rax, 8), %rax
@@ -276,12 +278,14 @@ tracesys_phase2:
        RESTORE_C_REGS_EXCEPT_RAX
        RESTORE_EXTRA_REGS
 #if __SYSCALL_MASK == ~0
-        cmpq    $__NR_syscall_max, %rax
+        cmpq    $NR_syscalls, %rax
 #else
        andl    $__SYSCALL_MASK, %eax
-        cmpl    $__NR_syscall_max, %eax
+        cmpl    $NR_syscalls, %eax
 #endif
-        ja      1f                              /* return -ENOSYS (already in pt_regs->ax) */
+        jae     1f                              /* return -ENOSYS (already in pt_regs->ax) */
+        sbb     %rcx, %rcx                      /* array_index_mask_nospec() */
+        and     %rcx, %rax
        movq    %r10, %rcx                      /* fixup for C */
 #ifdef CONFIG_RETPOLINE
        movq    sys_call_table(, %rax, 8), %rax
@@ -1014,7 +1018,7 @@ apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
 #endif /* CONFIG_HYPERV */
 idtentry debug                  do_debug                has_error_code=0        paranoid=1 shift_ist=DEBUG_STACK
-idtentry int3                   do_int3                 has_error_code=0        paranoid=1 shift_ist=DEBUG_STACK
+idtentry int3                   do_int3                 has_error_code=0
 idtentry stack_segment          do_stack_segment        has_error_code=1
 #ifdef CONFIG_XEN
diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index d03bf0e28b8b..48c27c3fdfdb 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -79,24 +79,33 @@ ENTRY(entry_SYSENTER_compat)
        ASM_CLAC                        /* Clear AC after saving FLAGS */
        pushq   $__USER32_CS            /* pt_regs->cs */
-        xorq    %r8,%r8
+        pushq   $0                      /* pt_regs->ip = 0 (placeholder) */
-        pushq   %r8                     /* pt_regs->ip = 0 (placeholder) */
        pushq   %rax                    /* pt_regs->orig_ax */
        pushq   %rdi                    /* pt_regs->di */
        pushq   %rsi                    /* pt_regs->si */
        pushq   %rdx                    /* pt_regs->dx */
        pushq   %rcx                    /* pt_regs->cx */
        pushq   $-ENOSYS                /* pt_regs->ax */
-        pushq   %r8                     /* pt_regs->r8  = 0 */
+        pushq   $0                      /* pt_regs->r8  = 0 */
-        pushq   %r8                     /* pt_regs->r9  = 0 */
+        xorq    %r8, %r8                /* nospec   r8 */
-        pushq   %r8                     /* pt_regs->r10 = 0 */
+        pushq   $0                      /* pt_regs->r9  = 0 */
-        pushq   %r8                     /* pt_regs->r11 = 0 */
+        xorq    %r9, %r9                /* nospec   r9 */
+        pushq   $0                      /* pt_regs->r10 = 0 */
+        xorq    %r10, %r10              /* nospec   r10 */
+        pushq   $0                      /* pt_regs->r11 = 0 */
+        xorq    %r11, %r11              /* nospec   r11 */
        pushq   %rbx                    /* pt_regs->rbx */
+        xorl    %ebx, %ebx              /* nospec   rbx */
        pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */
-        pushq   %r8                     /* pt_regs->r12 = 0 */
+        xorl    %ebp, %ebp              /* nospec   rbp */
-        pushq   %r8                     /* pt_regs->r13 = 0 */
+        pushq   $0                      /* pt_regs->r12 = 0 */
-        pushq   %r8                     /* pt_regs->r14 = 0 */
+        xorq    %r12, %r12              /* nospec   r12 */
-        pushq   %r8                     /* pt_regs->r15 = 0 */
+        pushq   $0                      /* pt_regs->r13 = 0 */
+        xorq    %r13, %r13              /* nospec   r13 */
+        pushq   $0                      /* pt_regs->r14 = 0 */
+        xorq    %r14, %r14              /* nospec   r14 */
+        pushq   $0                      /* pt_regs->r15 = 0 */
+        xorq    %r15, %r15              /* nospec   r15 */
        cld
        /*
@@ -185,17 +194,26 @@ ENTRY(entry_SYSCALL_compat)
        pushq   %rdx                    /* pt_regs->dx */
        pushq   %rbp                    /* pt_regs->cx (stashed in bp) */
        pushq   $-ENOSYS                /* pt_regs->ax */
-        xorq    %r8,%r8
+        pushq   $0                      /* pt_regs->r8  = 0 */
-        pushq   %r8                     /* pt_regs->r8  = 0 */
+        xorq    %r8, %r8                /* nospec   r8 */
-        pushq   %r8                     /* pt_regs->r9  = 0 */
+        pushq   $0                      /* pt_regs->r9  = 0 */
-        pushq   %r8                     /* pt_regs->r10 = 0 */
+        xorq    %r9, %r9                /* nospec   r9 */
-        pushq   %r8                     /* pt_regs->r11 = 0 */
+        pushq   $0                      /* pt_regs->r10 = 0 */
+        xorq    %r10, %r10              /* nospec   r10 */
+        pushq   $0                      /* pt_regs->r11 = 0 */
+        xorq    %r11, %r11              /* nospec   r11 */
        pushq   %rbx                    /* pt_regs->rbx */
+        xorl    %ebx, %ebx              /* nospec   rbx */
        pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */
-        pushq   %r8                     /* pt_regs->r12 = 0 */
+        xorl    %ebp, %ebp              /* nospec   rbp */
-        pushq   %r8                     /* pt_regs->r13 = 0 */
+        pushq   $0                      /* pt_regs->r12 = 0 */
-        pushq   %r8                     /* pt_regs->r14 = 0 */
+        xorq    %r12, %r12              /* nospec   r12 */
-        pushq   %r8                     /* pt_regs->r15 = 0 */
+        pushq   $0                      /* pt_regs->r13 = 0 */
+        xorq    %r13, %r13              /* nospec   r13 */
+        pushq   $0                      /* pt_regs->r14 = 0 */
+        xorq    %r14, %r14              /* nospec   r14 */
+        pushq   $0                      /* pt_regs->r15 = 0 */
+        xorq    %r15, %r15              /* nospec   r15 */
        /*
         * User mode is traced as though IRQs are on, and SYSENTER
@@ -292,17 +310,26 @@ ENTRY(entry_INT80_compat)
        pushq   %rdx                    /* pt_regs->dx */
        pushq   %rcx                    /* pt_regs->cx */
        pushq   $-ENOSYS                /* pt_regs->ax */
-        xorq    %r8,%r8
+        pushq   $0                      /* pt_regs->r8  = 0 */
-        pushq   %r8                     /* pt_regs->r8  = 0 */
+        xorq    %r8, %r8                /* nospec   r8 */
-        pushq   %r8                     /* pt_regs->r9  = 0 */
+        pushq   $0                      /* pt_regs->r9  = 0 */
-        pushq   %r8                     /* pt_regs->r10 = 0 */
+        xorq    %r9, %r9                /* nospec   r9 */
-        pushq   %r8                     /* pt_regs->r11 = 0 */
+        pushq   $0                      /* pt_regs->r10 = 0 */
+        xorq    %r10, %r10              /* nospec   r10 */
+        pushq   $0                      /* pt_regs->r11 = 0 */
+        xorq    %r11, %r11              /* nospec   r11 */
        pushq   %rbx                    /* pt_regs->rbx */
+        xorl    %ebx, %ebx              /* nospec   rbx */
        pushq   %rbp                    /* pt_regs->rbp */
+        xorl    %ebp, %ebp              /* nospec   rbp */
        pushq   %r12                    /* pt_regs->r12 */
+        xorq    %r12, %r12              /* nospec   r12 */
        pushq   %r13                    /* pt_regs->r13 */
+        xorq    %r13, %r13              /* nospec   r13 */
        pushq   %r14                    /* pt_regs->r14 */
+        xorq    %r14, %r14              /* nospec   r14 */
        pushq   %r15                    /* pt_regs->r15 */
+        xorq    %r15, %r15              /* nospec   r15 */
        cld
        /*
diff --git a/arch/x86/entry/vdso/vdso32-setup.c b/arch/x86/entry/vdso/vdso32-setup.c
index a7508d7e20b7..3f9d1a83891a 100644
--- a/arch/x86/entry/vdso/vdso32-setup.c
+++ b/arch/x86/entry/vdso/vdso32-setup.c
@@ -11,7 +11,6 @@
 #include <linux/kernel.h>
 #include <linux/mm_types.h>
-#include <asm/cpufeature.h>
 #include <asm/processor.h>
 #include <asm/vdso.h>
diff --git a/arch/x86/entry/vdso/vdso32/system_call.S b/arch/x86/entry/vdso/vdso32/system_call.S
index 3a1d9297074b..0109ac6cb79c 100644
--- a/arch/x86/entry/vdso/vdso32/system_call.S
+++ b/arch/x86/entry/vdso/vdso32/system_call.S
@@ -3,7 +3,7 @@
 */
 #include <asm/dwarf2.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative-asm.h>
 /*
diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
index b8f69e264ac4..6b46648588d8 100644
--- a/arch/x86/entry/vdso/vma.c
+++ b/arch/x86/entry/vdso/vma.c
@@ -20,6 +20,7 @@
 #include <asm/page.h>
 #include <asm/hpet.h>
 #include <asm/desc.h>
+#include <asm/cpufeature.h>
 #if defined(CONFIG_X86_64)
 unsigned int __read_mostly vdso64_enabled = 1;
@@ -254,7 +255,7 @@ static void vgetcpu_cpu_init(void *arg)
 #ifdef CONFIG_NUMA
        node = cpu_to_node(cpu);
 #endif
-        if (cpu_has(&cpu_data(cpu), X86_FEATURE_RDTSCP))
+        if (static_cpu_has(X86_FEATURE_RDTSCP))
                write_rdtscp_aux((node << 12) | cpu);
        /*
diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
index 112178b401a1..2d359991a273 100644
--- a/arch/x86/entry/vsyscall/vsyscall_64.c
+++ b/arch/x86/entry/vsyscall/vsyscall_64.c
@@ -46,6 +46,7 @@ static enum { EMULATE, NATIVE, NONE } vsyscall_mode =
 #else
        EMULATE;
 #endif
+unsigned long vsyscall_pgprot = __PAGE_KERNEL_VSYSCALL;
 static int __init vsyscall_setup(char *str)
 {
@@ -336,11 +337,11 @@ void __init map_vsyscall(void)
        extern char __vsyscall_page;
        unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
+        if (vsyscall_mode != NATIVE)
+                vsyscall_pgprot = __PAGE_KERNEL_VVAR;
        if (vsyscall_mode != NONE)
                __set_fixmap(VSYSCALL_PAGE, physaddr_vsyscall,
-                             vsyscall_mode == NATIVE
+                             __pgprot(vsyscall_pgprot));
-                             ? PAGE_KERNEL_VSYSCALL
-                             : PAGE_KERNEL_VVAR);
        BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_PAGE) !=
                     (unsigned long)VSYSCALL_ADDR);
diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h
index 215ea9214215..002fcd901f07 100644
--- a/arch/x86/include/asm/alternative.h
+++ b/arch/x86/include/asm/alternative.h
@@ -154,12 +154,6 @@ static inline int alternatives_text_reserved(void *start, void *end)
        ".popsection\n"
 /*
- * This must be included *after* the definition of ALTERNATIVE due to
- * <asm/arch_hweight.h>
- */
-#include <asm/cpufeature.h>
-/*
 * Alternative instructions for different CPU types or capabilities.
 *
 * This allows to use optimized instructions even on generic binary
diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
index 163769d82475..fd810a57ab1b 100644
--- a/arch/x86/include/asm/apic.h
+++ b/arch/x86/include/asm/apic.h
@@ -6,7 +6,6 @@
 #include <asm/alternative.h>
 #include <asm/cpufeature.h>
-#include <asm/processor.h>
 #include <asm/apicdef.h>
 #include <linux/atomic.h>
 #include <asm/fixmap.h>
diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h
index 20370c6db74b..3d1ec41ae09a 100644
--- a/arch/x86/include/asm/apm.h
+++ b/arch/x86/include/asm/apm.h
@@ -6,6 +6,8 @@
 #ifndef _ASM_X86_MACH_DEFAULT_APM_H
 #define _ASM_X86_MACH_DEFAULT_APM_H
+#include <asm/nospec-branch.h>
 #ifdef APM_ZERO_SEGS
 #       define APM_DO_ZERO_SEGS \
                "pushl %%ds\n\t" \
@@ -31,6 +33,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
         * N.B. We do NOT need a cld after the BIOS call
         * because we always save and restore the flags.
         */
+        firmware_restrict_branch_speculation_start();
        __asm__ __volatile__(APM_DO_ZERO_SEGS
                "pushl %%edi\n\t"
                "pushl %%ebp\n\t"
@@ -43,6 +46,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
                  "=S" (*esi)
                : "a" (func), "b" (ebx_in), "c" (ecx_in)
                : "memory", "cc");
+        firmware_restrict_branch_speculation_end();
 }
 static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
@@ -55,6 +59,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
         * N.B. We do NOT need a cld after the BIOS call
         * because we always save and restore the flags.
         */
+        firmware_restrict_branch_speculation_start();
        __asm__ __volatile__(APM_DO_ZERO_SEGS
                "pushl %%edi\n\t"
                "pushl %%ebp\n\t"
@@ -67,6 +72,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
                  "=S" (si)
                : "a" (func), "b" (ebx_in), "c" (ecx_in)
                : "memory", "cc");
+        firmware_restrict_branch_speculation_end();
        return error;
 }
diff --git a/arch/x86/include/asm/arch_hweight.h b/arch/x86/include/asm/arch_hweight.h
index 259a7c1ef709..e7cd63175de4 100644
--- a/arch/x86/include/asm/arch_hweight.h
+++ b/arch/x86/include/asm/arch_hweight.h
@@ -1,9 +1,11 @@
 #ifndef _ASM_X86_HWEIGHT_H
 #define _ASM_X86_HWEIGHT_H
+#include <asm/cpufeatures.h>
 #ifdef CONFIG_64BIT
-/* popcnt %edi, %eax -- redundant REX prefix for alignment */
+/* popcnt %edi, %eax */
-#define POPCNT32 ".byte 0xf3,0x40,0x0f,0xb8,0xc7"
+#define POPCNT32 ".byte 0xf3,0x0f,0xb8,0xc7"
 /* popcnt %rdi, %rax */
 #define POPCNT64 ".byte 0xf3,0x48,0x0f,0xb8,0xc7"
 #define REG_IN "D"
@@ -15,19 +17,15 @@
 #define REG_OUT "a"
 #endif
-/*
+#define __HAVE_ARCH_SW_HWEIGHT
- * __sw_hweightXX are called from within the alternatives below
- * and callee-clobbered registers need to be taken care of. See
- * ARCH_HWEIGHT_CFLAGS in <arch/x86/Kconfig> for the respective
- * compiler switches.
- */
 static __always_inline unsigned int __arch_hweight32(unsigned int w)
 {
-        unsigned int res = 0;
+        unsigned int res;
        asm (ALTERNATIVE("call __sw_hweight32", POPCNT32, X86_FEATURE_POPCNT)
-                     : "="REG_OUT (res)
+                         : "="REG_OUT (res)
-                     : REG_IN (w));
+                         : REG_IN (w));
        return res;
 }
@@ -51,11 +49,11 @@ static inline unsigned long __arch_hweight64(__u64 w)
 #else
 static __always_inline unsigned long __arch_hweight64(__u64 w)
 {
-        unsigned long res = 0;
+        unsigned long res;
        asm (ALTERNATIVE("call __sw_hweight64", POPCNT64, X86_FEATURE_POPCNT)
-                     : "="REG_OUT (res)
+                         : "="REG_OUT (res)
-                     : REG_IN (w));
+                         : REG_IN (w));
        return res;
 }
diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h
index b15aa4083dfd..5a25ada75aeb 100644
--- a/arch/x86/include/asm/asm-prototypes.h
+++ b/arch/x86/include/asm/asm-prototypes.h
@@ -37,5 +37,4 @@ INDIRECT_THUNK(dx)
 INDIRECT_THUNK(si)
 INDIRECT_THUNK(di)
 INDIRECT_THUNK(bp)
-INDIRECT_THUNK(sp)
 #endif /* CONFIG_RETPOLINE */
diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h
index b9c6c7a6f5a6..21e84a31d211 100644
--- a/arch/x86/include/asm/asm.h
+++ b/arch/x86/include/asm/asm.h
@@ -11,10 +11,12 @@
 # define __ASM_FORM_COMMA(x) " " #x ","
 #endif
-#ifdef CONFIG_X86_32
+#ifndef __x86_64__
+/* 32 bit */
 # define __ASM_SEL(a,b) __ASM_FORM(a)
 # define __ASM_SEL_RAW(a,b) __ASM_FORM_RAW(a)
 #else
+/* 64 bit */
 # define __ASM_SEL(a,b) __ASM_FORM(b)
 # define __ASM_SEL_RAW(a,b) __ASM_FORM_RAW(b)
 #endif
@@ -42,6 +44,65 @@
 #define _ASM_SI         __ASM_REG(si)
 #define _ASM_DI         __ASM_REG(di)
+#ifndef __x86_64__
+/* 32 bit */
+#define _ASM_ARG1       _ASM_AX
+#define _ASM_ARG2       _ASM_DX
+#define _ASM_ARG3       _ASM_CX
+#define _ASM_ARG1L      eax
+#define _ASM_ARG2L      edx
+#define _ASM_ARG3L      ecx
+#define _ASM_ARG1W      ax
+#define _ASM_ARG2W      dx
+#define _ASM_ARG3W      cx
+#define _ASM_ARG1B      al
+#define _ASM_ARG2B      dl
+#define _ASM_ARG3B      cl
+#else
+/* 64 bit */
+#define _ASM_ARG1       _ASM_DI
+#define _ASM_ARG2       _ASM_SI
+#define _ASM_ARG3       _ASM_DX
+#define _ASM_ARG4       _ASM_CX
+#define _ASM_ARG5       r8
+#define _ASM_ARG6       r9
+#define _ASM_ARG1Q      rdi
+#define _ASM_ARG2Q      rsi
+#define _ASM_ARG3Q      rdx
+#define _ASM_ARG4Q      rcx
+#define _ASM_ARG5Q      r8
+#define _ASM_ARG6Q      r9
+#define _ASM_ARG1L      edi
+#define _ASM_ARG2L      esi
+#define _ASM_ARG3L      edx
+#define _ASM_ARG4L      ecx
+#define _ASM_ARG5L      r8d
+#define _ASM_ARG6L      r9d
+#define _ASM_ARG1W      di
+#define _ASM_ARG2W      si
+#define _ASM_ARG3W      dx
+#define _ASM_ARG4W      cx
+#define _ASM_ARG5W      r8w
+#define _ASM_ARG6W      r9w
+#define _ASM_ARG1B      dil
+#define _ASM_ARG2B      sil
+#define _ASM_ARG3B      dl
+#define _ASM_ARG4B      cl
+#define _ASM_ARG5B      r8b
+#define _ASM_ARG6B      r9b
+#endif
 /* Exception table entry */
 #ifdef __ASSEMBLY__
 # define _ASM_EXTABLE(from,to)                                  \
diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
index ae5fb83e6d91..3e8674288198 100644
--- a/arch/x86/include/asm/atomic.h
+++ b/arch/x86/include/asm/atomic.h
@@ -3,7 +3,6 @@
 #include <linux/compiler.h>
 #include <linux/types.h>
-#include <asm/processor.h>
 #include <asm/alternative.h>
 #include <asm/cmpxchg.h>
 #include <asm/rmwcc.h>
diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h
index a11c30b77fb5..a984111135b1 100644
--- a/arch/x86/include/asm/atomic64_32.h
+++ b/arch/x86/include/asm/atomic64_32.h
@@ -3,7 +3,6 @@
 #include <linux/compiler.h>
 #include <linux/types.h>
-#include <asm/processor.h>
 //#include <asm/cmpxchg.h>
 /* An 64bit atomic type */
diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
index 0681d2532527..7f5dcb64cedb 100644
--- a/arch/x86/include/asm/barrier.h
+++ b/arch/x86/include/asm/barrier.h
@@ -24,6 +24,34 @@
 #define wmb()   asm volatile("sfence" ::: "memory")
 #endif
+/**
+ * array_index_mask_nospec() - generate a mask that is ~0UL when the
+ *      bounds check succeeds and 0 otherwise
+ * @index: array element index
+ * @size: number of elements in array
+ *
+ * Returns:
+ *     0 - (index < size)
+ */
+static inline unsigned long array_index_mask_nospec(unsigned long index,
+                unsigned long size)
+{
+        unsigned long mask;
+        asm volatile ("cmp %1,%2; sbb %0,%0;"
+                        :"=r" (mask)
+                        :"g"(size),"r" (index)
+                        :"cc");
+        return mask;
+}
+/* Override the default implementation from linux/nospec.h. */
+#define array_index_mask_nospec array_index_mask_nospec
+/* Prevent speculative execution past this barrier. */
+#define barrier_nospec() alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, \
+                                           "lfence", X86_FEATURE_LFENCE_RDTSC)
 #ifdef CONFIG_X86_PPRO_FENCE
 #define dma_rmb()       rmb()
 #else
diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h
index ad19841eddfe..9733361fed6f 100644
--- a/arch/x86/include/asm/cmpxchg.h
+++ b/arch/x86/include/asm/cmpxchg.h
@@ -2,6 +2,7 @@
 #define ASM_X86_CMPXCHG_H
 #include <linux/compiler.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative.h> /* Provides LOCK_PREFIX */
 /*
diff --git a/arch/x86/include/asm/cmpxchg_32.h b/arch/x86/include/asm/cmpxchg_32.h
index f7e142926481..e4959d023af8 100644
--- a/arch/x86/include/asm/cmpxchg_32.h
+++ b/arch/x86/include/asm/cmpxchg_32.h
@@ -109,6 +109,6 @@ static inline u64 __cmpxchg64_local(volatile u64 *ptr, u64 old, u64 new)
 #endif
-#define system_has_cmpxchg_double() cpu_has_cx8
+#define system_has_cmpxchg_double() boot_cpu_has(X86_FEATURE_CX8)
 #endif /* _ASM_X86_CMPXCHG_32_H */
diff --git a/arch/x86/include/asm/cmpxchg_64.h b/arch/x86/include/asm/cmpxchg_64.h
index 1af94697aae5..caa23a34c963 100644
--- a/arch/x86/include/asm/cmpxchg_64.h
+++ b/arch/x86/include/asm/cmpxchg_64.h
@@ -18,6 +18,6 @@ static inline void set_64bit(volatile u64 *ptr, u64 val)
        cmpxchg_local((ptr), (o), (n));                                 \
 })
-#define system_has_cmpxchg_double() cpu_has_cx16
+#define system_has_cmpxchg_double() boot_cpu_has(X86_FEATURE_CX16)
 #endif /* _ASM_X86_CMPXCHG_64_H */
diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
index 0fbc98568018..d72c1db64679 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -1,293 +1,36 @@
-/*
- * Defines x86 CPU feature bits
- */
 #ifndef _ASM_X86_CPUFEATURE_H
 #define _ASM_X86_CPUFEATURE_H
-#ifndef _ASM_X86_REQUIRED_FEATURES_H
+#include <asm/processor.h>
-#include <asm/required-features.h>
-#endif
-#ifndef _ASM_X86_DISABLED_FEATURES_H
-#include <asm/disabled-features.h>
-#endif
-#define NCAPINTS        14      /* N 32-bit words worth of info */
-#define NBUGINTS        1       /* N 32-bit bug flags */
-/*
- * Note: If the comment begins with a quoted string, that string is used
- * in /proc/cpuinfo instead of the macro name.  If the string is "",
- * this feature bit is not displayed in /proc/cpuinfo at all.
- */
-/* Intel-defined CPU features, CPUID level 0x00000001 (edx), word 0 */
-#define X86_FEATURE_FPU         ( 0*32+ 0) /* Onboard FPU */
-#define X86_FEATURE_VME         ( 0*32+ 1) /* Virtual Mode Extensions */
-#define X86_FEATURE_DE          ( 0*32+ 2) /* Debugging Extensions */
-#define X86_FEATURE_PSE         ( 0*32+ 3) /* Page Size Extensions */
-#define X86_FEATURE_TSC         ( 0*32+ 4) /* Time Stamp Counter */
-#define X86_FEATURE_MSR         ( 0*32+ 5) /* Model-Specific Registers */
-#define X86_FEATURE_PAE         ( 0*32+ 6) /* Physical Address Extensions */
-#define X86_FEATURE_MCE         ( 0*32+ 7) /* Machine Check Exception */
-#define X86_FEATURE_CX8         ( 0*32+ 8) /* CMPXCHG8 instruction */
-#define X86_FEATURE_APIC        ( 0*32+ 9) /* Onboard APIC */
-#define X86_FEATURE_SEP         ( 0*32+11) /* SYSENTER/SYSEXIT */
-#define X86_FEATURE_MTRR        ( 0*32+12) /* Memory Type Range Registers */
-#define X86_FEATURE_PGE         ( 0*32+13) /* Page Global Enable */
-#define X86_FEATURE_MCA         ( 0*32+14) /* Machine Check Architecture */
-#define X86_FEATURE_CMOV        ( 0*32+15) /* CMOV instructions */
-                                          /* (plus FCMOVcc, FCOMI with FPU) */
-#define X86_FEATURE_PAT         ( 0*32+16) /* Page Attribute Table */
-#define X86_FEATURE_PSE36       ( 0*32+17) /* 36-bit PSEs */
-#define X86_FEATURE_PN          ( 0*32+18) /* Processor serial number */
-#define X86_FEATURE_CLFLUSH     ( 0*32+19) /* CLFLUSH instruction */
-#define X86_FEATURE_DS          ( 0*32+21) /* "dts" Debug Store */
-#define X86_FEATURE_ACPI        ( 0*32+22) /* ACPI via MSR */
-#define X86_FEATURE_MMX         ( 0*32+23) /* Multimedia Extensions */
-#define X86_FEATURE_FXSR        ( 0*32+24) /* FXSAVE/FXRSTOR, CR4.OSFXSR */
-#define X86_FEATURE_XMM         ( 0*32+25) /* "sse" */
-#define X86_FEATURE_XMM2        ( 0*32+26) /* "sse2" */
-#define X86_FEATURE_SELFSNOOP   ( 0*32+27) /* "ss" CPU self snoop */
-#define X86_FEATURE_HT          ( 0*32+28) /* Hyper-Threading */
-#define X86_FEATURE_ACC         ( 0*32+29) /* "tm" Automatic clock control */
-#define X86_FEATURE_IA64        ( 0*32+30) /* IA-64 processor */
-#define X86_FEATURE_PBE         ( 0*32+31) /* Pending Break Enable */
-/* AMD-defined CPU features, CPUID level 0x80000001, word 1 */
-/* Don't duplicate feature flags which are redundant with Intel! */
-#define X86_FEATURE_SYSCALL     ( 1*32+11) /* SYSCALL/SYSRET */
-#define X86_FEATURE_MP          ( 1*32+19) /* MP Capable. */
-#define X86_FEATURE_NX          ( 1*32+20) /* Execute Disable */
-#define X86_FEATURE_MMXEXT      ( 1*32+22) /* AMD MMX extensions */
-#define X86_FEATURE_FXSR_OPT    ( 1*32+25) /* FXSAVE/FXRSTOR optimizations */
-#define X86_FEATURE_GBPAGES     ( 1*32+26) /* "pdpe1gb" GB pages */
-#define X86_FEATURE_RDTSCP      ( 1*32+27) /* RDTSCP */
-#define X86_FEATURE_LM          ( 1*32+29) /* Long Mode (x86-64) */
-#define X86_FEATURE_3DNOWEXT    ( 1*32+30) /* AMD 3DNow! extensions */
-#define X86_FEATURE_3DNOW       ( 1*32+31) /* 3DNow! */
-/* Transmeta-defined CPU features, CPUID level 0x80860001, word 2 */
-#define X86_FEATURE_RECOVERY    ( 2*32+ 0) /* CPU in recovery mode */
-#define X86_FEATURE_LONGRUN     ( 2*32+ 1) /* Longrun power control */
-#define X86_FEATURE_LRTI        ( 2*32+ 3) /* LongRun table interface */
-/* Other features, Linux-defined mapping, word 3 */
-/* This range is used for feature bits which conflict or are synthesized */
-#define X86_FEATURE_CXMMX       ( 3*32+ 0) /* Cyrix MMX extensions */
-#define X86_FEATURE_K6_MTRR     ( 3*32+ 1) /* AMD K6 nonstandard MTRRs */
-#define X86_FEATURE_CYRIX_ARR   ( 3*32+ 2) /* Cyrix ARRs (= MTRRs) */
-#define X86_FEATURE_CENTAUR_MCR ( 3*32+ 3) /* Centaur MCRs (= MTRRs) */
-/* cpu types for specific tunings: */
-#define X86_FEATURE_K8          ( 3*32+ 4) /* "" Opteron, Athlon64 */
-#define X86_FEATURE_K7          ( 3*32+ 5) /* "" Athlon */
-#define X86_FEATURE_P3          ( 3*32+ 6) /* "" P3 */
-#define X86_FEATURE_P4          ( 3*32+ 7) /* "" P4 */
-#define X86_FEATURE_CONSTANT_TSC ( 3*32+ 8) /* TSC ticks at a constant rate */
-#define X86_FEATURE_UP          ( 3*32+ 9) /* smp kernel running on up */
-/* free, was #define X86_FEATURE_FXSAVE_LEAK ( 3*32+10) * "" FXSAVE leaks FOP/FIP/FOP */
-#define X86_FEATURE_ARCH_PERFMON ( 3*32+11) /* Intel Architectural PerfMon */
-#define X86_FEATURE_PEBS        ( 3*32+12) /* Precise-Event Based Sampling */
-#define X86_FEATURE_BTS         ( 3*32+13) /* Branch Trace Store */
-#define X86_FEATURE_SYSCALL32   ( 3*32+14) /* "" syscall in ia32 userspace */
-#define X86_FEATURE_SYSENTER32  ( 3*32+15) /* "" sysenter in ia32 userspace */
-#define X86_FEATURE_REP_GOOD    ( 3*32+16) /* rep microcode works well */
-#define X86_FEATURE_MFENCE_RDTSC ( 3*32+17) /* "" Mfence synchronizes RDTSC */
-#define X86_FEATURE_LFENCE_RDTSC ( 3*32+18) /* "" Lfence synchronizes RDTSC */
-/* free, was #define X86_FEATURE_11AP   ( 3*32+19) * "" Bad local APIC aka 11AP */
-#define X86_FEATURE_NOPL        ( 3*32+20) /* The NOPL (0F 1F) instructions */
-#define X86_FEATURE_ALWAYS      ( 3*32+21) /* "" Always-present feature */
-#define X86_FEATURE_XTOPOLOGY   ( 3*32+22) /* cpu topology enum extensions */
-#define X86_FEATURE_TSC_RELIABLE ( 3*32+23) /* TSC is known to be reliable */
-#define X86_FEATURE_NONSTOP_TSC ( 3*32+24) /* TSC does not stop in C states */
-/* free, was #define X86_FEATURE_CLFLUSH_MONITOR ( 3*32+25) * "" clflush reqd with monitor */
-#define X86_FEATURE_EXTD_APICID ( 3*32+26) /* has extended APICID (8 bits) */
-#define X86_FEATURE_AMD_DCM     ( 3*32+27) /* multi-node processor */
-#define X86_FEATURE_APERFMPERF  ( 3*32+28) /* APERFMPERF */
-#define X86_FEATURE_EAGER_FPU   ( 3*32+29) /* "eagerfpu" Non lazy FPU restore */
-#define X86_FEATURE_NONSTOP_TSC_S3 ( 3*32+30) /* TSC doesn't stop in S3 state */
-/* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */
-#define X86_FEATURE_XMM3        ( 4*32+ 0) /* "pni" SSE-3 */
-#define X86_FEATURE_PCLMULQDQ   ( 4*32+ 1) /* PCLMULQDQ instruction */
-#define X86_FEATURE_DTES64      ( 4*32+ 2) /* 64-bit Debug Store */
-#define X86_FEATURE_MWAIT       ( 4*32+ 3) /* "monitor" Monitor/Mwait support */
-#define X86_FEATURE_DSCPL       ( 4*32+ 4) /* "ds_cpl" CPL Qual. Debug Store */
-#define X86_FEATURE_VMX         ( 4*32+ 5) /* Hardware virtualization */
-#define X86_FEATURE_SMX         ( 4*32+ 6) /* Safer mode */
-#define X86_FEATURE_EST         ( 4*32+ 7) /* Enhanced SpeedStep */
-#define X86_FEATURE_TM2         ( 4*32+ 8) /* Thermal Monitor 2 */
-#define X86_FEATURE_SSSE3       ( 4*32+ 9) /* Supplemental SSE-3 */
-#define X86_FEATURE_CID         ( 4*32+10) /* Context ID */
-#define X86_FEATURE_SDBG        ( 4*32+11) /* Silicon Debug */
-#define X86_FEATURE_FMA         ( 4*32+12) /* Fused multiply-add */
-#define X86_FEATURE_CX16        ( 4*32+13) /* CMPXCHG16B */
-#define X86_FEATURE_XTPR        ( 4*32+14) /* Send Task Priority Messages */
-#define X86_FEATURE_PDCM        ( 4*32+15) /* Performance Capabilities */
-#define X86_FEATURE_PCID        ( 4*32+17) /* Process Context Identifiers */
-#define X86_FEATURE_DCA         ( 4*32+18) /* Direct Cache Access */
-#define X86_FEATURE_XMM4_1      ( 4*32+19) /* "sse4_1" SSE-4.1 */
-#define X86_FEATURE_XMM4_2      ( 4*32+20) /* "sse4_2" SSE-4.2 */
-#define X86_FEATURE_X2APIC      ( 4*32+21) /* x2APIC */
-#define X86_FEATURE_MOVBE       ( 4*32+22) /* MOVBE instruction */
-#define X86_FEATURE_POPCNT      ( 4*32+23) /* POPCNT instruction */
-#define X86_FEATURE_TSC_DEADLINE_TIMER  ( 4*32+24) /* Tsc deadline timer */
-#define X86_FEATURE_AES         ( 4*32+25) /* AES instructions */
-#define X86_FEATURE_XSAVE       ( 4*32+26) /* XSAVE/XRSTOR/XSETBV/XGETBV */
-#define X86_FEATURE_OSXSAVE     ( 4*32+27) /* "" XSAVE enabled in the OS */
-#define X86_FEATURE_AVX         ( 4*32+28) /* Advanced Vector Extensions */
-#define X86_FEATURE_F16C        ( 4*32+29) /* 16-bit fp conversions */
-#define X86_FEATURE_RDRAND      ( 4*32+30) /* The RDRAND instruction */
-#define X86_FEATURE_HYPERVISOR  ( 4*32+31) /* Running on a hypervisor */
-/* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
-#define X86_FEATURE_XSTORE      ( 5*32+ 2) /* "rng" RNG present (xstore) */
-#define X86_FEATURE_XSTORE_EN   ( 5*32+ 3) /* "rng_en" RNG enabled */
-#define X86_FEATURE_XCRYPT      ( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */
-#define X86_FEATURE_XCRYPT_EN   ( 5*32+ 7) /* "ace_en" on-CPU crypto enabled */
-#define X86_FEATURE_ACE2        ( 5*32+ 8) /* Advanced Cryptography Engine v2 */
-#define X86_FEATURE_ACE2_EN     ( 5*32+ 9) /* ACE v2 enabled */
-#define X86_FEATURE_PHE         ( 5*32+10) /* PadLock Hash Engine */
-#define X86_FEATURE_PHE_EN      ( 5*32+11) /* PHE enabled */
-#define X86_FEATURE_PMM         ( 5*32+12) /* PadLock Montgomery Multiplier */
-#define X86_FEATURE_PMM_EN      ( 5*32+13) /* PMM enabled */
-/* More extended AMD flags: CPUID level 0x80000001, ecx, word 6 */
-#define X86_FEATURE_LAHF_LM     ( 6*32+ 0) /* LAHF/SAHF in long mode */
-#define X86_FEATURE_CMP_LEGACY  ( 6*32+ 1) /* If yes HyperThreading not valid */
-#define X86_FEATURE_SVM         ( 6*32+ 2) /* Secure virtual machine */
-#define X86_FEATURE_EXTAPIC     ( 6*32+ 3) /* Extended APIC space */
-#define X86_FEATURE_CR8_LEGACY  ( 6*32+ 4) /* CR8 in 32-bit mode */
-#define X86_FEATURE_ABM         ( 6*32+ 5) /* Advanced bit manipulation */
-#define X86_FEATURE_SSE4A       ( 6*32+ 6) /* SSE-4A */
-#define X86_FEATURE_MISALIGNSSE ( 6*32+ 7) /* Misaligned SSE mode */
-#define X86_FEATURE_3DNOWPREFETCH ( 6*32+ 8) /* 3DNow prefetch instructions */
-#define X86_FEATURE_OSVW        ( 6*32+ 9) /* OS Visible Workaround */
-#define X86_FEATURE_IBS         ( 6*32+10) /* Instruction Based Sampling */
-#define X86_FEATURE_XOP         ( 6*32+11) /* extended AVX instructions */
-#define X86_FEATURE_SKINIT      ( 6*32+12) /* SKINIT/STGI instructions */
-#define X86_FEATURE_WDT         ( 6*32+13) /* Watchdog timer */
-#define X86_FEATURE_LWP         ( 6*32+15) /* Light Weight Profiling */
-#define X86_FEATURE_FMA4        ( 6*32+16) /* 4 operands MAC instructions */
-#define X86_FEATURE_TCE         ( 6*32+17) /* translation cache extension */
-#define X86_FEATURE_NODEID_MSR  ( 6*32+19) /* NodeId MSR */
-#define X86_FEATURE_TBM         ( 6*32+21) /* trailing bit manipulations */
-#define X86_FEATURE_TOPOEXT     ( 6*32+22) /* topology extensions CPUID leafs */
-#define X86_FEATURE_PERFCTR_CORE ( 6*32+23) /* core performance counter extensions */
-#define X86_FEATURE_PERFCTR_NB  ( 6*32+24) /* NB performance counter extensions */
-#define X86_FEATURE_BPEXT       (6*32+26) /* data breakpoint extension */
-#define X86_FEATURE_PERFCTR_L2  ( 6*32+28) /* L2 performance counter extensions */
-#define X86_FEATURE_MWAITX      ( 6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
-/*
- * Auxiliary flags: Linux defined - For features scattered in various
- * CPUID levels like 0x6, 0xA etc, word 7
- */
-#define X86_FEATURE_IDA         ( 7*32+ 0) /* Intel Dynamic Acceleration */
-#define X86_FEATURE_ARAT        ( 7*32+ 1) /* Always Running APIC Timer */
-#define X86_FEATURE_CPB         ( 7*32+ 2) /* AMD Core Performance Boost */
-#define X86_FEATURE_EPB         ( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */
-#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 4) /* Effectively INVPCID && CR4.PCIDE=1 */
-#define X86_FEATURE_PLN         ( 7*32+ 5) /* Intel Power Limit Notification */
-#define X86_FEATURE_PTS         ( 7*32+ 6) /* Intel Package Thermal Status */
-#define X86_FEATURE_DTHERM      ( 7*32+ 7) /* Digital Thermal Sensor */
-#define X86_FEATURE_HW_PSTATE   ( 7*32+ 8) /* AMD HW-PState */
-#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
-#define X86_FEATURE_HWP         ( 7*32+ 10) /* "hwp" Intel HWP */
-#define X86_FEATURE_HWP_NOTIFY  ( 7*32+ 11) /* Intel HWP_NOTIFY */
-#define X86_FEATURE_HWP_ACT_WINDOW ( 7*32+ 12) /* Intel HWP_ACT_WINDOW */
-#define X86_FEATURE_HWP_EPP     ( 7*32+13) /* Intel HWP_EPP */
-#define X86_FEATURE_HWP_PKG_REQ ( 7*32+14) /* Intel HWP_PKG_REQ */
-#define X86_FEATURE_INTEL_PT    ( 7*32+15) /* Intel Processor Trace */
-#define X86_FEATURE_RETPOLINE   ( 7*32+29) /* Generic Retpoline mitigation for Spectre variant 2 */
-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* AMD Retpoline mitigation for Spectre variant 2 */
-/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
-#define X86_FEATURE_KAISER      ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
-/* Virtualization flags: Linux defined, word 8 */
-#define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
-#define X86_FEATURE_VNMI        ( 8*32+ 1) /* Intel Virtual NMI */
-#define X86_FEATURE_FLEXPRIORITY ( 8*32+ 2) /* Intel FlexPriority */
-#define X86_FEATURE_EPT         ( 8*32+ 3) /* Intel Extended Page Table */
-#define X86_FEATURE_VPID        ( 8*32+ 4) /* Intel Virtual Processor ID */
-#define X86_FEATURE_NPT         ( 8*32+ 5) /* AMD Nested Page Table support */
-#define X86_FEATURE_LBRV        ( 8*32+ 6) /* AMD LBR Virtualization support */
-#define X86_FEATURE_SVML        ( 8*32+ 7) /* "svm_lock" AMD SVM locking MSR */
-#define X86_FEATURE_NRIPS       ( 8*32+ 8) /* "nrip_save" AMD SVM next_rip save */
-#define X86_FEATURE_TSCRATEMSR  ( 8*32+ 9) /* "tsc_scale" AMD TSC scaling support */
-#define X86_FEATURE_VMCBCLEAN   ( 8*32+10) /* "vmcb_clean" AMD VMCB clean bits support */
-#define X86_FEATURE_FLUSHBYASID ( 8*32+11) /* AMD flush-by-ASID support */
-#define X86_FEATURE_DECODEASSISTS ( 8*32+12) /* AMD Decode Assists support */
-#define X86_FEATURE_PAUSEFILTER ( 8*32+13) /* AMD filtered pause intercept */
-#define X86_FEATURE_PFTHRESHOLD ( 8*32+14) /* AMD pause filter threshold */
-#define X86_FEATURE_VMMCALL     ( 8*32+15) /* Prefer vmmcall to vmcall */
-#define X86_FEATURE_XENPV       ( 8*32+16) /* "" Xen paravirtual guest */
-/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
-#define X86_FEATURE_FSGSBASE    ( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
-#define X86_FEATURE_TSC_ADJUST  ( 9*32+ 1) /* TSC adjustment MSR 0x3b */
-#define X86_FEATURE_BMI1        ( 9*32+ 3) /* 1st group bit manipulation extensions */
-#define X86_FEATURE_HLE         ( 9*32+ 4) /* Hardware Lock Elision */
-#define X86_FEATURE_AVX2        ( 9*32+ 5) /* AVX2 instructions */
-#define X86_FEATURE_SMEP        ( 9*32+ 7) /* Supervisor Mode Execution Protection */
-#define X86_FEATURE_BMI2        ( 9*32+ 8) /* 2nd group bit manipulation extensions */
-#define X86_FEATURE_ERMS        ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */
-#define X86_FEATURE_INVPCID     ( 9*32+10) /* Invalidate Processor Context ID */
-#define X86_FEATURE_RTM         ( 9*32+11) /* Restricted Transactional Memory */
-#define X86_FEATURE_CQM         ( 9*32+12) /* Cache QoS Monitoring */
-#define X86_FEATURE_MPX         ( 9*32+14) /* Memory Protection Extension */
-#define X86_FEATURE_AVX512F     ( 9*32+16) /* AVX-512 Foundation */
-#define X86_FEATURE_RDSEED      ( 9*32+18) /* The RDSEED instruction */
-#define X86_FEATURE_ADX         ( 9*32+19) /* The ADCX and ADOX instructions */
-#define X86_FEATURE_SMAP        ( 9*32+20) /* Supervisor Mode Access Prevention */
-#define X86_FEATURE_PCOMMIT     ( 9*32+22) /* PCOMMIT instruction */
-#define X86_FEATURE_CLFLUSHOPT  ( 9*32+23) /* CLFLUSHOPT instruction */
-#define X86_FEATURE_CLWB        ( 9*32+24) /* CLWB instruction */
-#define X86_FEATURE_AVX512PF    ( 9*32+26) /* AVX-512 Prefetch */
-#define X86_FEATURE_AVX512ER    ( 9*32+27) /* AVX-512 Exponential and Reciprocal */
-#define X86_FEATURE_AVX512CD    ( 9*32+28) /* AVX-512 Conflict Detection */
-#define X86_FEATURE_SHA_NI      ( 9*32+29) /* SHA1/SHA256 Instruction Extensions */
-/* Extended state features, CPUID level 0x0000000d:1 (eax), word 10 */
-#define X86_FEATURE_XSAVEOPT    (10*32+ 0) /* XSAVEOPT */
-#define X86_FEATURE_XSAVEC      (10*32+ 1) /* XSAVEC */
-#define X86_FEATURE_XGETBV1     (10*32+ 2) /* XGETBV with ECX = 1 */
-#define X86_FEATURE_XSAVES      (10*32+ 3) /* XSAVES/XRSTORS */
-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (edx), word 11 */
-#define X86_FEATURE_CQM_LLC     (11*32+ 1) /* LLC QoS if 1 */
-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (edx), word 12 */
-#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring if 1 */
-/* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
-#define X86_FEATURE_CLZERO      (13*32+0) /* CLZERO instruction */
-/*
- * BUG word(s)
- */
-#define X86_BUG(x)              (NCAPINTS*32 + (x))
-#define X86_BUG_F00F            X86_BUG(0) /* Intel F00F */
-#define X86_BUG_FDIV            X86_BUG(1) /* FPU FDIV */
-#define X86_BUG_COMA            X86_BUG(2) /* Cyrix 6x86 coma */
-#define X86_BUG_AMD_TLB_MMATCH  X86_BUG(3) /* "tlb_mmatch" AMD Erratum 383 */
-#define X86_BUG_AMD_APIC_C1E    X86_BUG(4) /* "apic_c1e" AMD Erratum 400 */
-#define X86_BUG_11AP            X86_BUG(5) /* Bad local APIC aka 11AP */
-#define X86_BUG_FXSAVE_LEAK     X86_BUG(6) /* FXSAVE leaks FOP/FIP/FOP */
-#define X86_BUG_CLFLUSH_MONITOR X86_BUG(7) /* AAI65, CLFLUSH required before MONITOR */
-#define X86_BUG_SYSRET_SS_ATTRS X86_BUG(8) /* SYSRET doesn't fix up SS attrs */
-#define X86_BUG_CPU_MELTDOWN    X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
-#define X86_BUG_SPECTRE_V1      X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
-#define X86_BUG_SPECTRE_V2      X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
 #if defined(__KERNEL__) && !defined(__ASSEMBLY__)
 #include <asm/asm.h>
 #include <linux/bitops.h>
+enum cpuid_leafs
+{
+        CPUID_1_EDX             = 0,
+        CPUID_8000_0001_EDX,
+        CPUID_8086_0001_EDX,
+        CPUID_LNX_1,
+        CPUID_1_ECX,
+        CPUID_C000_0001_EDX,
+        CPUID_8000_0001_ECX,
+        CPUID_LNX_2,
+        CPUID_LNX_3,
+        CPUID_7_0_EBX,
+        CPUID_D_1_EAX,
+        CPUID_F_0_EDX,
+        CPUID_F_1_EDX,
+        CPUID_8000_0008_EBX,
+        CPUID_6_EAX,
+        CPUID_8000_000A_EDX,
+        CPUID_7_ECX,
+        CPUID_8000_0007_EBX,
+        CPUID_7_EDX,
+};
 #ifdef CONFIG_X86_FEATURE_NAMES
 extern const char * const x86_cap_flags[NCAPINTS*32];
 extern const char * const x86_power_flags[32];
@@ -307,29 +50,61 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
 #define test_cpu_cap(c, bit)                                            \
         test_bit(bit, (unsigned long *)((c)->x86_capability))
-#define REQUIRED_MASK_BIT_SET(bit)                                      \
+/*
-         ( (((bit)>>5)==0 && (1UL<<((bit)&31) & REQUIRED_MASK0)) ||     \
+ * There are 32 bits/features in each mask word.  The high bits
-           (((bit)>>5)==1 && (1UL<<((bit)&31) & REQUIRED_MASK1)) ||     \
+ * (selected with (bit>>5) give us the word number and the low 5
-           (((bit)>>5)==2 && (1UL<<((bit)&31) & REQUIRED_MASK2)) ||     \
+ * bits give us the bit/feature number inside the word.
-           (((bit)>>5)==3 && (1UL<<((bit)&31) & REQUIRED_MASK3)) ||     \
+ * (1UL<<((bit)&31) gives us a mask for the feature_bit so we can
-           (((bit)>>5)==4 && (1UL<<((bit)&31) & REQUIRED_MASK4)) ||     \
+ * see if it is set in the mask word.
-           (((bit)>>5)==5 && (1UL<<((bit)&31) & REQUIRED_MASK5)) ||     \
+ */
-           (((bit)>>5)==6 && (1UL<<((bit)&31) & REQUIRED_MASK6)) ||     \
+#define CHECK_BIT_IN_MASK_WORD(maskname, word, bit)     \
-           (((bit)>>5)==7 && (1UL<<((bit)&31) & REQUIRED_MASK7)) ||     \
+        (((bit)>>5)==(word) && (1UL<<((bit)&31) & maskname##word ))
-           (((bit)>>5)==8 && (1UL<<((bit)&31) & REQUIRED_MASK8)) ||     \
-           (((bit)>>5)==9 && (1UL<<((bit)&31) & REQUIRED_MASK9)) )
+#define REQUIRED_MASK_BIT_SET(feature_bit)              \
+         ( CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  0, feature_bit) ||    \
-#define DISABLED_MASK_BIT_SET(bit)                                      \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  1, feature_bit) ||    \
-         ( (((bit)>>5)==0 && (1UL<<((bit)&31) & DISABLED_MASK0)) ||     \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  2, feature_bit) ||    \
-           (((bit)>>5)==1 && (1UL<<((bit)&31) & DISABLED_MASK1)) ||     \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  3, feature_bit) ||    \
-           (((bit)>>5)==2 && (1UL<<((bit)&31) & DISABLED_MASK2)) ||     \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  4, feature_bit) ||    \
-           (((bit)>>5)==3 && (1UL<<((bit)&31) & DISABLED_MASK3)) ||     \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  5, feature_bit) ||    \
-           (((bit)>>5)==4 && (1UL<<((bit)&31) & DISABLED_MASK4)) ||     \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  6, feature_bit) ||    \
-           (((bit)>>5)==5 && (1UL<<((bit)&31) & DISABLED_MASK5)) ||     \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  7, feature_bit) ||    \
-           (((bit)>>5)==6 && (1UL<<((bit)&31) & DISABLED_MASK6)) ||     \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  8, feature_bit) ||    \
-           (((bit)>>5)==7 && (1UL<<((bit)&31) & DISABLED_MASK7)) ||     \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  9, feature_bit) ||    \
-           (((bit)>>5)==8 && (1UL<<((bit)&31) & DISABLED_MASK8)) ||     \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 10, feature_bit) ||    \
-           (((bit)>>5)==9 && (1UL<<((bit)&31) & DISABLED_MASK9)) )
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 11, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 12, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 13, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 14, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 15, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 16, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 17, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 18, feature_bit) ||    \
+           REQUIRED_MASK_CHECK                                    ||    \
+           BUILD_BUG_ON_ZERO(NCAPINTS != 19))
+#define DISABLED_MASK_BIT_SET(feature_bit)                              \
+         ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  0, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  1, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  2, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  3, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  4, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  5, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  6, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  7, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  8, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  9, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 10, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 11, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 12, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 13, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 14, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 15, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 16, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 17, feature_bit) ||    \
+           CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 18, feature_bit) ||    \
+           DISABLED_MASK_CHECK                                    ||    \
+           BUILD_BUG_ON_ZERO(NCAPINTS != 19))
 #define cpu_has(c, bit)                                                 \
        (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 :  \
@@ -348,8 +123,7 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
 * is not relevant.
 */
 #define cpu_feature_enabled(bit)        \
-        (__builtin_constant_p(bit) && DISABLED_MASK_BIT_SET(bit) ? 0 :  \
+        (__builtin_constant_p(bit) && DISABLED_MASK_BIT_SET(bit) ? 0 : static_cpu_has(bit))
-         cpu_has(&boot_cpu_data, bit))
 #define boot_cpu_has(bit)       cpu_has(&boot_cpu_data, bit)
@@ -367,155 +141,39 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
 #define setup_force_cpu_bug(bit) setup_force_cpu_cap(bit)
 #define cpu_has_fpu             boot_cpu_has(X86_FEATURE_FPU)
-#define cpu_has_de              boot_cpu_has(X86_FEATURE_DE)
 #define cpu_has_pse             boot_cpu_has(X86_FEATURE_PSE)
 #define cpu_has_tsc             boot_cpu_has(X86_FEATURE_TSC)
 #define cpu_has_pge             boot_cpu_has(X86_FEATURE_PGE)
 #define cpu_has_apic            boot_cpu_has(X86_FEATURE_APIC)
-#define cpu_has_sep             boot_cpu_has(X86_FEATURE_SEP)
-#define cpu_has_mtrr            boot_cpu_has(X86_FEATURE_MTRR)
-#define cpu_has_mmx             boot_cpu_has(X86_FEATURE_MMX)
 #define cpu_has_fxsr            boot_cpu_has(X86_FEATURE_FXSR)
 #define cpu_has_xmm             boot_cpu_has(X86_FEATURE_XMM)
 #define cpu_has_xmm2            boot_cpu_has(X86_FEATURE_XMM2)
-#define cpu_has_xmm3            boot_cpu_has(X86_FEATURE_XMM3)
-#define cpu_has_ssse3           boot_cpu_has(X86_FEATURE_SSSE3)
 #define cpu_has_aes             boot_cpu_has(X86_FEATURE_AES)
 #define cpu_has_avx             boot_cpu_has(X86_FEATURE_AVX)
 #define cpu_has_avx2            boot_cpu_has(X86_FEATURE_AVX2)
-#define cpu_has_ht              boot_cpu_has(X86_FEATURE_HT)
-#define cpu_has_nx              boot_cpu_has(X86_FEATURE_NX)
-#define cpu_has_xstore          boot_cpu_has(X86_FEATURE_XSTORE)
-#define cpu_has_xstore_enabled  boot_cpu_has(X86_FEATURE_XSTORE_EN)
-#define cpu_has_xcrypt          boot_cpu_has(X86_FEATURE_XCRYPT)
-#define cpu_has_xcrypt_enabled  boot_cpu_has(X86_FEATURE_XCRYPT_EN)
-#define cpu_has_ace2            boot_cpu_has(X86_FEATURE_ACE2)
-#define cpu_has_ace2_enabled    boot_cpu_has(X86_FEATURE_ACE2_EN)
-#define cpu_has_phe             boot_cpu_has(X86_FEATURE_PHE)
-#define cpu_has_phe_enabled     boot_cpu_has(X86_FEATURE_PHE_EN)
-#define cpu_has_pmm             boot_cpu_has(X86_FEATURE_PMM)
-#define cpu_has_pmm_enabled     boot_cpu_has(X86_FEATURE_PMM_EN)
-#define cpu_has_ds              boot_cpu_has(X86_FEATURE_DS)
-#define cpu_has_pebs            boot_cpu_has(X86_FEATURE_PEBS)
 #define cpu_has_clflush         boot_cpu_has(X86_FEATURE_CLFLUSH)
-#define cpu_has_bts             boot_cpu_has(X86_FEATURE_BTS)
 #define cpu_has_gbpages         boot_cpu_has(X86_FEATURE_GBPAGES)
 #define cpu_has_arch_perfmon    boot_cpu_has(X86_FEATURE_ARCH_PERFMON)
 #define cpu_has_pat             boot_cpu_has(X86_FEATURE_PAT)
-#define cpu_has_xmm4_1          boot_cpu_has(X86_FEATURE_XMM4_1)
-#define cpu_has_xmm4_2          boot_cpu_has(X86_FEATURE_XMM4_2)
 #define cpu_has_x2apic          boot_cpu_has(X86_FEATURE_X2APIC)
 #define cpu_has_xsave           boot_cpu_has(X86_FEATURE_XSAVE)
-#define cpu_has_xsaveopt        boot_cpu_has(X86_FEATURE_XSAVEOPT)
 #define cpu_has_xsaves          boot_cpu_has(X86_FEATURE_XSAVES)
 #define cpu_has_osxsave         boot_cpu_has(X86_FEATURE_OSXSAVE)
 #define cpu_has_hypervisor      boot_cpu_has(X86_FEATURE_HYPERVISOR)
-#define cpu_has_pclmulqdq       boot_cpu_has(X86_FEATURE_PCLMULQDQ)
+/*
-#define cpu_has_perfctr_core    boot_cpu_has(X86_FEATURE_PERFCTR_CORE)
+ * Do not add any more of those clumsy macros - use static_cpu_has() for
-#define cpu_has_perfctr_nb      boot_cpu_has(X86_FEATURE_PERFCTR_NB)
+ * fast paths and boot_cpu_has() otherwise!
-#define cpu_has_perfctr_l2      boot_cpu_has(X86_FEATURE_PERFCTR_L2)
+ */
-#define cpu_has_cx8             boot_cpu_has(X86_FEATURE_CX8)
-#define cpu_has_cx16            boot_cpu_has(X86_FEATURE_CX16)
-#define cpu_has_eager_fpu       boot_cpu_has(X86_FEATURE_EAGER_FPU)
-#define cpu_has_topoext         boot_cpu_has(X86_FEATURE_TOPOEXT)
-#define cpu_has_bpext           boot_cpu_has(X86_FEATURE_BPEXT)
-#if __GNUC__ >= 4
-extern void warn_pre_alternatives(void);
-extern bool __static_cpu_has_safe(u16 bit);
+#if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_X86_FAST_FEATURE_TESTS)
 /*
 * Static testing of CPU features.  Used the same as boot_cpu_has().
- * These are only valid after alternatives have run, but will statically
+ * These will statically patch the target code for additional
- * patch the target code for additional performance.
+ * performance.
 */
-static __always_inline __pure bool __static_cpu_has(u16 bit)
+static __always_inline __pure bool _static_cpu_has(u16 bit)
 {
-#ifdef CC_HAVE_ASM_GOTO
+                asm_volatile_goto("1: jmp 6f\n"
-#ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
-                /*
-                 * Catch too early usage of this before alternatives
-                 * have run.
-                 */
-                asm_volatile_goto("1: jmp %l[t_warn]\n"
-                         "2:\n"
-                         ".section .altinstructions,\"a\"\n"
-                         " .long 1b - .\n"
-                         " .long 0\n"           /* no replacement */
-                         " .word %P0\n"         /* 1: do replace */
-                         " .byte 2b - 1b\n"     /* source len */
-                         " .byte 0\n"           /* replacement len */
-                         " .byte 0\n"           /* pad len */
-                         ".previous\n"
-                         /* skipping size check since replacement size = 0 */
-                         : : "i" (X86_FEATURE_ALWAYS) : : t_warn);
-#endif
-                asm_volatile_goto("1: jmp %l[t_no]\n"
-                         "2:\n"
-                         ".section .altinstructions,\"a\"\n"
-                         " .long 1b - .\n"
-                         " .long 0\n"           /* no replacement */
-                         " .word %P0\n"         /* feature bit */
-                         " .byte 2b - 1b\n"     /* source len */
-                         " .byte 0\n"           /* replacement len */
-                         " .byte 0\n"           /* pad len */
-                         ".previous\n"
-                         /* skipping size check since replacement size = 0 */
-                         : : "i" (bit) : : t_no);
-                return true;
-        t_no:
-                return false;
-#ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
-        t_warn:
-                warn_pre_alternatives();
-                return false;
-#endif
-#else /* CC_HAVE_ASM_GOTO */
-                u8 flag;
-                /* Open-coded due to __stringify() in ALTERNATIVE() */
-                asm volatile("1: movb $0,%0\n"
-                             "2:\n"
-                             ".section .altinstructions,\"a\"\n"
-                             " .long 1b - .\n"
-                             " .long 3f - .\n"
-                             " .word %P1\n"             /* feature bit */
-                             " .byte 2b - 1b\n"         /* source len */
-                             " .byte 4f - 3f\n"         /* replacement len */
-                             " .byte 0\n"               /* pad len */
-                             ".previous\n"
-                             ".section .discard,\"aw\",@progbits\n"
-                             " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
-                             ".previous\n"
-                             ".section .altinstr_replacement,\"ax\"\n"
-                             "3: movb $1,%0\n"
-                             "4:\n"
-                             ".previous\n"
-                             : "=qm" (flag) : "i" (bit));
-                return flag;
-#endif /* CC_HAVE_ASM_GOTO */
-}
-#define static_cpu_has(bit)                                     \
-(                                                               \
-        __builtin_constant_p(boot_cpu_has(bit)) ?               \
-                boot_cpu_has(bit) :                             \
-        __builtin_constant_p(bit) ?                             \
-                __static_cpu_has(bit) :                         \
-                boot_cpu_has(bit)                               \
-)
-static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
-{
-#ifdef CC_HAVE_ASM_GOTO
-                asm_volatile_goto("1: jmp %l[t_dynamic]\n"
                         "2:\n"
                         ".skip -(((5f-4f) - (2b-1b)) > 0) * "
                                 "((5f-4f) - (2b-1b)),0x90\n"
@@ -540,66 +198,34 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
                         " .byte 0\n"                   /* repl len */
                         " .byte 0\n"                   /* pad len */
                         ".previous\n"
-                         : : "i" (bit), "i" (X86_FEATURE_ALWAYS)
+                         ".section .altinstr_aux,\"ax\"\n"
-                         : : t_dynamic, t_no);
+                         "6:\n"
+                         " testb %[bitnum],%[cap_byte]\n"
+                         " jnz %l[t_yes]\n"
+                         " jmp %l[t_no]\n"
+                         ".previous\n"
+                         : : "i" (bit), "i" (X86_FEATURE_ALWAYS),
+                             [bitnum] "i" (1 << (bit & 7)),
+                             [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3])
+                         : : t_yes, t_no);
+        t_yes:
                return true;
        t_no:
                return false;
-        t_dynamic:
-                return __static_cpu_has_safe(bit);
-#else
-                u8 flag;
-                /* Open-coded due to __stringify() in ALTERNATIVE() */
-                asm volatile("1: movb $2,%0\n"
-                             "2:\n"
-                             ".section .altinstructions,\"a\"\n"
-                             " .long 1b - .\n"          /* src offset */
-                             " .long 3f - .\n"          /* repl offset */
-                             " .word %P2\n"             /* always replace */
-                             " .byte 2b - 1b\n"         /* source len */
-                             " .byte 4f - 3f\n"         /* replacement len */
-                             " .byte 0\n"               /* pad len */
-                             ".previous\n"
-                             ".section .discard,\"aw\",@progbits\n"
-                             " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
-                             ".previous\n"
-                             ".section .altinstr_replacement,\"ax\"\n"
-                             "3: movb $0,%0\n"
-                             "4:\n"
-                             ".previous\n"
-                             ".section .altinstructions,\"a\"\n"
-                             " .long 1b - .\n"          /* src offset */
-                             " .long 5f - .\n"          /* repl offset */
-                             " .word %P1\n"             /* feature bit */
-                             " .byte 4b - 3b\n"         /* src len */
-                             " .byte 6f - 5f\n"         /* repl len */
-                             " .byte 0\n"               /* pad len */
-                             ".previous\n"
-                             ".section .discard,\"aw\",@progbits\n"
-                             " .byte 0xff + (6f-5f) - (4b-3b)\n" /* size check */
-                             ".previous\n"
-                             ".section .altinstr_replacement,\"ax\"\n"
-                             "5: movb $1,%0\n"
-                             "6:\n"
-                             ".previous\n"
-                             : "=qm" (flag)
-                             : "i" (bit), "i" (X86_FEATURE_ALWAYS));
-                return (flag == 2 ? __static_cpu_has_safe(bit) : flag);
-#endif /* CC_HAVE_ASM_GOTO */
 }
-#define static_cpu_has_safe(bit)                                \
+#define static_cpu_has(bit)                                     \
 (                                                               \
        __builtin_constant_p(boot_cpu_has(bit)) ?               \
                boot_cpu_has(bit) :                             \
-                _static_cpu_has_safe(bit)                       \
+                _static_cpu_has(bit)                            \
 )
 #else
 /*
- * gcc 3.x is too stupid to do the static test; fall back to dynamic.
+ * Fall back to dynamic for gcc versions which don't support asm goto. Should be
+ * a minority now anyway.
 */
 #define static_cpu_has(bit)             boot_cpu_has(bit)
-#define static_cpu_has_safe(bit)        boot_cpu_has(bit)
 #endif
 #define cpu_has_bug(c, bit)             cpu_has(c, (bit))
@@ -607,7 +233,6 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
 #define clear_cpu_bug(c, bit)           clear_cpu_cap(c, (bit))
 #define static_cpu_has_bug(bit)         static_cpu_has((bit))
-#define static_cpu_has_bug_safe(bit)    static_cpu_has_safe((bit))
 #define boot_cpu_has_bug(bit)           cpu_has_bug(&boot_cpu_data, (bit))
 #define MAX_CPU_FEATURES                (NCAPINTS * 32)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
new file mode 100644
index 000000000000..dd2269dcbc47
--- /dev/null
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -0,0 +1,337 @@
+#ifndef _ASM_X86_CPUFEATURES_H
+#define _ASM_X86_CPUFEATURES_H
+#ifndef _ASM_X86_REQUIRED_FEATURES_H
+#include <asm/required-features.h>
+#endif
+#ifndef _ASM_X86_DISABLED_FEATURES_H
+#include <asm/disabled-features.h>
+#endif
+/*
+ * Defines x86 CPU feature bits
+ */
+#define NCAPINTS        19      /* N 32-bit words worth of info */
+#define NBUGINTS        1       /* N 32-bit bug flags */
+/*
+ * Note: If the comment begins with a quoted string, that string is used
+ * in /proc/cpuinfo instead of the macro name.  If the string is "",
+ * this feature bit is not displayed in /proc/cpuinfo at all.
+ */
+/* Intel-defined CPU features, CPUID level 0x00000001 (edx), word 0 */
+#define X86_FEATURE_FPU         ( 0*32+ 0) /* Onboard FPU */
+#define X86_FEATURE_VME         ( 0*32+ 1) /* Virtual Mode Extensions */
+#define X86_FEATURE_DE          ( 0*32+ 2) /* Debugging Extensions */
+#define X86_FEATURE_PSE         ( 0*32+ 3) /* Page Size Extensions */
+#define X86_FEATURE_TSC         ( 0*32+ 4) /* Time Stamp Counter */
+#define X86_FEATURE_MSR         ( 0*32+ 5) /* Model-Specific Registers */
+#define X86_FEATURE_PAE         ( 0*32+ 6) /* Physical Address Extensions */
+#define X86_FEATURE_MCE         ( 0*32+ 7) /* Machine Check Exception */
+#define X86_FEATURE_CX8         ( 0*32+ 8) /* CMPXCHG8 instruction */
+#define X86_FEATURE_APIC        ( 0*32+ 9) /* Onboard APIC */
+#define X86_FEATURE_SEP         ( 0*32+11) /* SYSENTER/SYSEXIT */
+#define X86_FEATURE_MTRR        ( 0*32+12) /* Memory Type Range Registers */
+#define X86_FEATURE_PGE         ( 0*32+13) /* Page Global Enable */
+#define X86_FEATURE_MCA         ( 0*32+14) /* Machine Check Architecture */
+#define X86_FEATURE_CMOV        ( 0*32+15) /* CMOV instructions */
+                                          /* (plus FCMOVcc, FCOMI with FPU) */
+#define X86_FEATURE_PAT         ( 0*32+16) /* Page Attribute Table */
+#define X86_FEATURE_PSE36       ( 0*32+17) /* 36-bit PSEs */
+#define X86_FEATURE_PN          ( 0*32+18) /* Processor serial number */
+#define X86_FEATURE_CLFLUSH     ( 0*32+19) /* CLFLUSH instruction */
+#define X86_FEATURE_DS          ( 0*32+21) /* "dts" Debug Store */
+#define X86_FEATURE_ACPI        ( 0*32+22) /* ACPI via MSR */
+#define X86_FEATURE_MMX         ( 0*32+23) /* Multimedia Extensions */
+#define X86_FEATURE_FXSR        ( 0*32+24) /* FXSAVE/FXRSTOR, CR4.OSFXSR */
+#define X86_FEATURE_XMM         ( 0*32+25) /* "sse" */
+#define X86_FEATURE_XMM2        ( 0*32+26) /* "sse2" */
+#define X86_FEATURE_SELFSNOOP   ( 0*32+27) /* "ss" CPU self snoop */
+#define X86_FEATURE_HT          ( 0*32+28) /* Hyper-Threading */
+#define X86_FEATURE_ACC         ( 0*32+29) /* "tm" Automatic clock control */
+#define X86_FEATURE_IA64        ( 0*32+30) /* IA-64 processor */
+#define X86_FEATURE_PBE         ( 0*32+31) /* Pending Break Enable */
+/* AMD-defined CPU features, CPUID level 0x80000001, word 1 */
+/* Don't duplicate feature flags which are redundant with Intel! */
+#define X86_FEATURE_SYSCALL     ( 1*32+11) /* SYSCALL/SYSRET */
+#define X86_FEATURE_MP          ( 1*32+19) /* MP Capable. */
+#define X86_FEATURE_NX          ( 1*32+20) /* Execute Disable */
+#define X86_FEATURE_MMXEXT      ( 1*32+22) /* AMD MMX extensions */
+#define X86_FEATURE_FXSR_OPT    ( 1*32+25) /* FXSAVE/FXRSTOR optimizations */
+#define X86_FEATURE_GBPAGES     ( 1*32+26) /* "pdpe1gb" GB pages */
+#define X86_FEATURE_RDTSCP      ( 1*32+27) /* RDTSCP */
+#define X86_FEATURE_LM          ( 1*32+29) /* Long Mode (x86-64) */
+#define X86_FEATURE_3DNOWEXT    ( 1*32+30) /* AMD 3DNow! extensions */
+#define X86_FEATURE_3DNOW       ( 1*32+31) /* 3DNow! */
+/* Transmeta-defined CPU features, CPUID level 0x80860001, word 2 */
+#define X86_FEATURE_RECOVERY    ( 2*32+ 0) /* CPU in recovery mode */
+#define X86_FEATURE_LONGRUN     ( 2*32+ 1) /* Longrun power control */
+#define X86_FEATURE_LRTI        ( 2*32+ 3) /* LongRun table interface */
+/* Other features, Linux-defined mapping, word 3 */
+/* This range is used for feature bits which conflict or are synthesized */
+#define X86_FEATURE_CXMMX       ( 3*32+ 0) /* Cyrix MMX extensions */
+#define X86_FEATURE_K6_MTRR     ( 3*32+ 1) /* AMD K6 nonstandard MTRRs */
+#define X86_FEATURE_CYRIX_ARR   ( 3*32+ 2) /* Cyrix ARRs (= MTRRs) */
+#define X86_FEATURE_CENTAUR_MCR ( 3*32+ 3) /* Centaur MCRs (= MTRRs) */
+/* cpu types for specific tunings: */
+#define X86_FEATURE_K8          ( 3*32+ 4) /* "" Opteron, Athlon64 */
+#define X86_FEATURE_K7          ( 3*32+ 5) /* "" Athlon */
+#define X86_FEATURE_P3          ( 3*32+ 6) /* "" P3 */
+#define X86_FEATURE_P4          ( 3*32+ 7) /* "" P4 */
+#define X86_FEATURE_CONSTANT_TSC ( 3*32+ 8) /* TSC ticks at a constant rate */
+#define X86_FEATURE_UP          ( 3*32+ 9) /* smp kernel running on up */
+/* free, was #define X86_FEATURE_FXSAVE_LEAK ( 3*32+10) * "" FXSAVE leaks FOP/FIP/FOP */
+#define X86_FEATURE_ARCH_PERFMON ( 3*32+11) /* Intel Architectural PerfMon */
+#define X86_FEATURE_PEBS        ( 3*32+12) /* Precise-Event Based Sampling */
+#define X86_FEATURE_BTS         ( 3*32+13) /* Branch Trace Store */
+#define X86_FEATURE_SYSCALL32   ( 3*32+14) /* "" syscall in ia32 userspace */
+#define X86_FEATURE_SYSENTER32  ( 3*32+15) /* "" sysenter in ia32 userspace */
+#define X86_FEATURE_REP_GOOD    ( 3*32+16) /* rep microcode works well */
+#define X86_FEATURE_MFENCE_RDTSC ( 3*32+17) /* "" Mfence synchronizes RDTSC */
+#define X86_FEATURE_LFENCE_RDTSC ( 3*32+18) /* "" Lfence synchronizes RDTSC */
+/* free, was #define X86_FEATURE_11AP   ( 3*32+19) * "" Bad local APIC aka 11AP */
+#define X86_FEATURE_NOPL        ( 3*32+20) /* The NOPL (0F 1F) instructions */
+#define X86_FEATURE_ALWAYS      ( 3*32+21) /* "" Always-present feature */
+#define X86_FEATURE_XTOPOLOGY   ( 3*32+22) /* cpu topology enum extensions */
+#define X86_FEATURE_TSC_RELIABLE ( 3*32+23) /* TSC is known to be reliable */
+#define X86_FEATURE_NONSTOP_TSC ( 3*32+24) /* TSC does not stop in C states */
+/* free, was #define X86_FEATURE_CLFLUSH_MONITOR ( 3*32+25) * "" clflush reqd with monitor */
+#define X86_FEATURE_EXTD_APICID ( 3*32+26) /* has extended APICID (8 bits) */
+#define X86_FEATURE_AMD_DCM     ( 3*32+27) /* multi-node processor */
+#define X86_FEATURE_APERFMPERF  ( 3*32+28) /* APERFMPERF */
+/* free, was #define X86_FEATURE_EAGER_FPU      ( 3*32+29) * "eagerfpu" Non lazy FPU restore */
+#define X86_FEATURE_NONSTOP_TSC_S3 ( 3*32+30) /* TSC doesn't stop in S3 state */
+/* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */
+#define X86_FEATURE_XMM3        ( 4*32+ 0) /* "pni" SSE-3 */
+#define X86_FEATURE_PCLMULQDQ   ( 4*32+ 1) /* PCLMULQDQ instruction */
+#define X86_FEATURE_DTES64      ( 4*32+ 2) /* 64-bit Debug Store */
+#define X86_FEATURE_MWAIT       ( 4*32+ 3) /* "monitor" Monitor/Mwait support */
+#define X86_FEATURE_DSCPL       ( 4*32+ 4) /* "ds_cpl" CPL Qual. Debug Store */
+#define X86_FEATURE_VMX         ( 4*32+ 5) /* Hardware virtualization */
+#define X86_FEATURE_SMX         ( 4*32+ 6) /* Safer mode */
+#define X86_FEATURE_EST         ( 4*32+ 7) /* Enhanced SpeedStep */
+#define X86_FEATURE_TM2         ( 4*32+ 8) /* Thermal Monitor 2 */
+#define X86_FEATURE_SSSE3       ( 4*32+ 9) /* Supplemental SSE-3 */
+#define X86_FEATURE_CID         ( 4*32+10) /* Context ID */
+#define X86_FEATURE_SDBG        ( 4*32+11) /* Silicon Debug */
+#define X86_FEATURE_FMA         ( 4*32+12) /* Fused multiply-add */
+#define X86_FEATURE_CX16        ( 4*32+13) /* CMPXCHG16B */
+#define X86_FEATURE_XTPR        ( 4*32+14) /* Send Task Priority Messages */
+#define X86_FEATURE_PDCM        ( 4*32+15) /* Performance Capabilities */
+#define X86_FEATURE_PCID        ( 4*32+17) /* Process Context Identifiers */
+#define X86_FEATURE_DCA         ( 4*32+18) /* Direct Cache Access */
+#define X86_FEATURE_XMM4_1      ( 4*32+19) /* "sse4_1" SSE-4.1 */
+#define X86_FEATURE_XMM4_2      ( 4*32+20) /* "sse4_2" SSE-4.2 */
+#define X86_FEATURE_X2APIC      ( 4*32+21) /* x2APIC */
+#define X86_FEATURE_MOVBE       ( 4*32+22) /* MOVBE instruction */
+#define X86_FEATURE_POPCNT      ( 4*32+23) /* POPCNT instruction */
+#define X86_FEATURE_TSC_DEADLINE_TIMER  ( 4*32+24) /* Tsc deadline timer */
+#define X86_FEATURE_AES         ( 4*32+25) /* AES instructions */
+#define X86_FEATURE_XSAVE       ( 4*32+26) /* XSAVE/XRSTOR/XSETBV/XGETBV */
+#define X86_FEATURE_OSXSAVE     ( 4*32+27) /* "" XSAVE enabled in the OS */
+#define X86_FEATURE_AVX         ( 4*32+28) /* Advanced Vector Extensions */
+#define X86_FEATURE_F16C        ( 4*32+29) /* 16-bit fp conversions */
+#define X86_FEATURE_RDRAND      ( 4*32+30) /* The RDRAND instruction */
+#define X86_FEATURE_HYPERVISOR  ( 4*32+31) /* Running on a hypervisor */
+/* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
+#define X86_FEATURE_XSTORE      ( 5*32+ 2) /* "rng" RNG present (xstore) */
+#define X86_FEATURE_XSTORE_EN   ( 5*32+ 3) /* "rng_en" RNG enabled */
+#define X86_FEATURE_XCRYPT      ( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */
+#define X86_FEATURE_XCRYPT_EN   ( 5*32+ 7) /* "ace_en" on-CPU crypto enabled */
+#define X86_FEATURE_ACE2        ( 5*32+ 8) /* Advanced Cryptography Engine v2 */
+#define X86_FEATURE_ACE2_EN     ( 5*32+ 9) /* ACE v2 enabled */
+#define X86_FEATURE_PHE         ( 5*32+10) /* PadLock Hash Engine */
+#define X86_FEATURE_PHE_EN      ( 5*32+11) /* PHE enabled */
+#define X86_FEATURE_PMM         ( 5*32+12) /* PadLock Montgomery Multiplier */
+#define X86_FEATURE_PMM_EN      ( 5*32+13) /* PMM enabled */
+/* More extended AMD flags: CPUID level 0x80000001, ecx, word 6 */
+#define X86_FEATURE_LAHF_LM     ( 6*32+ 0) /* LAHF/SAHF in long mode */
+#define X86_FEATURE_CMP_LEGACY  ( 6*32+ 1) /* If yes HyperThreading not valid */
+#define X86_FEATURE_SVM         ( 6*32+ 2) /* Secure virtual machine */
+#define X86_FEATURE_EXTAPIC     ( 6*32+ 3) /* Extended APIC space */
+#define X86_FEATURE_CR8_LEGACY  ( 6*32+ 4) /* CR8 in 32-bit mode */
+#define X86_FEATURE_ABM         ( 6*32+ 5) /* Advanced bit manipulation */
+#define X86_FEATURE_SSE4A       ( 6*32+ 6) /* SSE-4A */
+#define X86_FEATURE_MISALIGNSSE ( 6*32+ 7) /* Misaligned SSE mode */
+#define X86_FEATURE_3DNOWPREFETCH ( 6*32+ 8) /* 3DNow prefetch instructions */
+#define X86_FEATURE_OSVW        ( 6*32+ 9) /* OS Visible Workaround */
+#define X86_FEATURE_IBS         ( 6*32+10) /* Instruction Based Sampling */
+#define X86_FEATURE_XOP         ( 6*32+11) /* extended AVX instructions */
+#define X86_FEATURE_SKINIT      ( 6*32+12) /* SKINIT/STGI instructions */
+#define X86_FEATURE_WDT         ( 6*32+13) /* Watchdog timer */
+#define X86_FEATURE_LWP         ( 6*32+15) /* Light Weight Profiling */
+#define X86_FEATURE_FMA4        ( 6*32+16) /* 4 operands MAC instructions */
+#define X86_FEATURE_TCE         ( 6*32+17) /* translation cache extension */
+#define X86_FEATURE_NODEID_MSR  ( 6*32+19) /* NodeId MSR */
+#define X86_FEATURE_TBM         ( 6*32+21) /* trailing bit manipulations */
+#define X86_FEATURE_TOPOEXT     ( 6*32+22) /* topology extensions CPUID leafs */
+#define X86_FEATURE_PERFCTR_CORE ( 6*32+23) /* core performance counter extensions */
+#define X86_FEATURE_PERFCTR_NB  ( 6*32+24) /* NB performance counter extensions */
+#define X86_FEATURE_BPEXT       (6*32+26) /* data breakpoint extension */
+#define X86_FEATURE_PERFCTR_L2  ( 6*32+28) /* L2 performance counter extensions */
+#define X86_FEATURE_MWAITX      ( 6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
+/*
+ * Auxiliary flags: Linux defined - For features scattered in various
+ * CPUID levels like 0x6, 0xA etc, word 7.
+ *
+ * Reuse free bits when adding new feature flags!
+ */
+#define X86_FEATURE_CPB         ( 7*32+ 2) /* AMD Core Performance Boost */
+#define X86_FEATURE_EPB         ( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */
+#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 4) /* Effectively INVPCID && CR4.PCIDE=1 */
+#define X86_FEATURE_HW_PSTATE   ( 7*32+ 8) /* AMD HW-PState */
+#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
+#define X86_FEATURE_RETPOLINE   ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
+#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
+#define X86_FEATURE_INTEL_PT    ( 7*32+15) /* Intel Processor Trace */
+#define X86_FEATURE_RSB_CTXSW   ( 7*32+19) /* "" Fill RSB on context switches */
+#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
+#define X86_FEATURE_SSBD        ( 7*32+17) /* Speculative Store Bypass Disable */
+/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
+#define X86_FEATURE_KAISER      ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
+#define X86_FEATURE_USE_IBPB    ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/
+#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
+#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE   ( 7*32+23) /* "" Disable Speculative Store Bypass. */
+#define X86_FEATURE_LS_CFG_SSBD ( 7*32+24) /* "" AMD SSBD implementation */
+#define X86_FEATURE_IBRS        ( 7*32+25) /* Indirect Branch Restricted Speculation */
+#define X86_FEATURE_IBPB        ( 7*32+26) /* Indirect Branch Prediction Barrier */
+#define X86_FEATURE_STIBP       ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_ZEN         ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
+#define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+/* Virtualization flags: Linux defined, word 8 */
+#define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
+#define X86_FEATURE_VNMI        ( 8*32+ 1) /* Intel Virtual NMI */
+#define X86_FEATURE_FLEXPRIORITY ( 8*32+ 2) /* Intel FlexPriority */
+#define X86_FEATURE_EPT         ( 8*32+ 3) /* Intel Extended Page Table */
+#define X86_FEATURE_VPID        ( 8*32+ 4) /* Intel Virtual Processor ID */
+#define X86_FEATURE_VMMCALL     ( 8*32+15) /* Prefer vmmcall to vmcall */
+#define X86_FEATURE_XENPV       ( 8*32+16) /* "" Xen paravirtual guest */
+/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
+#define X86_FEATURE_FSGSBASE    ( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
+#define X86_FEATURE_TSC_ADJUST  ( 9*32+ 1) /* TSC adjustment MSR 0x3b */
+#define X86_FEATURE_BMI1        ( 9*32+ 3) /* 1st group bit manipulation extensions */
+#define X86_FEATURE_HLE         ( 9*32+ 4) /* Hardware Lock Elision */
+#define X86_FEATURE_AVX2        ( 9*32+ 5) /* AVX2 instructions */
+#define X86_FEATURE_SMEP        ( 9*32+ 7) /* Supervisor Mode Execution Protection */
+#define X86_FEATURE_BMI2        ( 9*32+ 8) /* 2nd group bit manipulation extensions */
+#define X86_FEATURE_ERMS        ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */
+#define X86_FEATURE_INVPCID     ( 9*32+10) /* Invalidate Processor Context ID */
+#define X86_FEATURE_RTM         ( 9*32+11) /* Restricted Transactional Memory */
+#define X86_FEATURE_CQM         ( 9*32+12) /* Cache QoS Monitoring */
+#define X86_FEATURE_MPX         ( 9*32+14) /* Memory Protection Extension */
+#define X86_FEATURE_AVX512F     ( 9*32+16) /* AVX-512 Foundation */
+#define X86_FEATURE_RDSEED      ( 9*32+18) /* The RDSEED instruction */
+#define X86_FEATURE_ADX         ( 9*32+19) /* The ADCX and ADOX instructions */
+#define X86_FEATURE_SMAP        ( 9*32+20) /* Supervisor Mode Access Prevention */
+#define X86_FEATURE_PCOMMIT     ( 9*32+22) /* PCOMMIT instruction */
+#define X86_FEATURE_CLFLUSHOPT  ( 9*32+23) /* CLFLUSHOPT instruction */
+#define X86_FEATURE_CLWB        ( 9*32+24) /* CLWB instruction */
+#define X86_FEATURE_AVX512PF    ( 9*32+26) /* AVX-512 Prefetch */
+#define X86_FEATURE_AVX512ER    ( 9*32+27) /* AVX-512 Exponential and Reciprocal */
+#define X86_FEATURE_AVX512CD    ( 9*32+28) /* AVX-512 Conflict Detection */
+#define X86_FEATURE_SHA_NI      ( 9*32+29) /* SHA1/SHA256 Instruction Extensions */
+/* Extended state features, CPUID level 0x0000000d:1 (eax), word 10 */
+#define X86_FEATURE_XSAVEOPT    (10*32+ 0) /* XSAVEOPT */
+#define X86_FEATURE_XSAVEC      (10*32+ 1) /* XSAVEC */
+#define X86_FEATURE_XGETBV1     (10*32+ 2) /* XGETBV with ECX = 1 */
+#define X86_FEATURE_XSAVES      (10*32+ 3) /* XSAVES/XRSTORS */
+/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (edx), word 11 */
+#define X86_FEATURE_CQM_LLC     (11*32+ 1) /* LLC QoS if 1 */
+/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (edx), word 12 */
+#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring if 1 */
+/* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
+#define X86_FEATURE_CLZERO      (13*32+0) /* CLZERO instruction */
+#define X86_FEATURE_AMD_IBPB    (13*32+12) /* Indirect Branch Prediction Barrier */
+#define X86_FEATURE_AMD_IBRS    (13*32+14) /* Indirect Branch Restricted Speculation */
+#define X86_FEATURE_AMD_STIBP   (13*32+15) /* Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_VIRT_SSBD   (13*32+25) /* Virtualized Speculative Store Bypass Disable */
+/* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
+#define X86_FEATURE_DTHERM      (14*32+ 0) /* Digital Thermal Sensor */
+#define X86_FEATURE_IDA         (14*32+ 1) /* Intel Dynamic Acceleration */
+#define X86_FEATURE_ARAT        (14*32+ 2) /* Always Running APIC Timer */
+#define X86_FEATURE_PLN         (14*32+ 4) /* Intel Power Limit Notification */
+#define X86_FEATURE_PTS         (14*32+ 6) /* Intel Package Thermal Status */
+#define X86_FEATURE_HWP         (14*32+ 7) /* Intel Hardware P-states */
+#define X86_FEATURE_HWP_NOTIFY  (14*32+ 8) /* HWP Notification */
+#define X86_FEATURE_HWP_ACT_WINDOW (14*32+ 9) /* HWP Activity Window */
+#define X86_FEATURE_HWP_EPP     (14*32+10) /* HWP Energy Perf. Preference */
+#define X86_FEATURE_HWP_PKG_REQ (14*32+11) /* HWP Package Level Request */
+/* AMD SVM Feature Identification, CPUID level 0x8000000a (edx), word 15 */
+#define X86_FEATURE_NPT         (15*32+ 0) /* Nested Page Table support */
+#define X86_FEATURE_LBRV        (15*32+ 1) /* LBR Virtualization support */
+#define X86_FEATURE_SVML        (15*32+ 2) /* "svm_lock" SVM locking MSR */
+#define X86_FEATURE_NRIPS       (15*32+ 3) /* "nrip_save" SVM next_rip save */
+#define X86_FEATURE_TSCRATEMSR  (15*32+ 4) /* "tsc_scale" TSC scaling support */
+#define X86_FEATURE_VMCBCLEAN   (15*32+ 5) /* "vmcb_clean" VMCB clean bits support */
+#define X86_FEATURE_FLUSHBYASID (15*32+ 6) /* flush-by-ASID support */
+#define X86_FEATURE_DECODEASSISTS (15*32+ 7) /* Decode Assists support */
+#define X86_FEATURE_PAUSEFILTER (15*32+10) /* filtered pause intercept */
+#define X86_FEATURE_PFTHRESHOLD (15*32+12) /* pause filter threshold */
+/* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */
+#define X86_FEATURE_PKU         (16*32+ 3) /* Protection Keys for Userspace */
+#define X86_FEATURE_OSPKE       (16*32+ 4) /* OS Protection Keys Enable */
+/* AMD-defined CPU features, CPUID level 0x80000007 (ebx), word 17 */
+#define X86_FEATURE_OVERFLOW_RECOV (17*32+0) /* MCA overflow recovery support */
+#define X86_FEATURE_SUCCOR      (17*32+1) /* Uncorrectable error containment and recovery */
+#define X86_FEATURE_SMCA        (17*32+3) /* Scalable MCA */
+/* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
+#define X86_FEATURE_AVX512_4VNNIW       (18*32+ 2) /* AVX-512 Neural Network Instructions */
+#define X86_FEATURE_AVX512_4FMAPS       (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
+#define X86_FEATURE_SPEC_CTRL           (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
+#define X86_FEATURE_INTEL_STIBP         (18*32+27) /* "" Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_FLUSH_L1D           (18*32+28) /* Flush L1D cache */
+#define X86_FEATURE_ARCH_CAPABILITIES   (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
+#define X86_FEATURE_SPEC_CTRL_SSBD      (18*32+31) /* "" Speculative Store Bypass Disable */
+/*
+ * BUG word(s)
+ */
+#define X86_BUG(x)              (NCAPINTS*32 + (x))
+#define X86_BUG_F00F            X86_BUG(0) /* Intel F00F */
+#define X86_BUG_FDIV            X86_BUG(1) /* FPU FDIV */
+#define X86_BUG_COMA            X86_BUG(2) /* Cyrix 6x86 coma */
+#define X86_BUG_AMD_TLB_MMATCH  X86_BUG(3) /* "tlb_mmatch" AMD Erratum 383 */
+#define X86_BUG_AMD_APIC_C1E    X86_BUG(4) /* "apic_c1e" AMD Erratum 400 */
+#define X86_BUG_11AP            X86_BUG(5) /* Bad local APIC aka 11AP */
+#define X86_BUG_FXSAVE_LEAK     X86_BUG(6) /* FXSAVE leaks FOP/FIP/FOP */
+#define X86_BUG_CLFLUSH_MONITOR X86_BUG(7) /* AAI65, CLFLUSH required before MONITOR */
+#define X86_BUG_SYSRET_SS_ATTRS X86_BUG(8) /* SYSRET doesn't fix up SS attrs */
+#define X86_BUG_CPU_MELTDOWN    X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
+#define X86_BUG_SPECTRE_V1      X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
+#define X86_BUG_SPECTRE_V2      X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
+#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */
+#define X86_BUG_L1TF            X86_BUG(18) /* CPU is affected by L1 Terminal Fault */
+#endif /* _ASM_X86_CPUFEATURES_H */
diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
index 8b17c2ad1048..1f8cca459c6c 100644
--- a/arch/x86/include/asm/disabled-features.h
+++ b/arch/x86/include/asm/disabled-features.h
@@ -30,6 +30,14 @@
 # define DISABLE_PCID           (1<<(X86_FEATURE_PCID & 31))
 #endif /* CONFIG_X86_64 */
+#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
+# define DISABLE_PKU            0
+# define DISABLE_OSPKE          0
+#else
+# define DISABLE_PKU            (1<<(X86_FEATURE_PKU & 31))
+# define DISABLE_OSPKE          (1<<(X86_FEATURE_OSPKE & 31))
+#endif /* CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS */
 /*
 * Make sure to add features to the correct mask
 */
@@ -43,5 +51,15 @@
 #define DISABLED_MASK7  0
 #define DISABLED_MASK8  0
 #define DISABLED_MASK9  (DISABLE_MPX)
+#define DISABLED_MASK10 0
+#define DISABLED_MASK11 0
+#define DISABLED_MASK12 0
+#define DISABLED_MASK13 0
+#define DISABLED_MASK14 0
+#define DISABLED_MASK15 0
+#define DISABLED_MASK16 (DISABLE_PKU|DISABLE_OSPKE)
+#define DISABLED_MASK17 0
+#define DISABLED_MASK18 0
+#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19)
 #endif /* _ASM_X86_DISABLED_FEATURES_H */
diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
index 08b1f2f6ea50..cfde088f8e95 100644
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -3,6 +3,7 @@
 #include <asm/fpu/api.h>
 #include <asm/pgtable.h>
+#include <asm/nospec-branch.h>
 /*
 * We map the EFI regions needed for runtime services non-contiguously,
@@ -41,8 +42,10 @@ extern unsigned long asmlinkage efi_call_phys(void *, ...);
 ({                                                                      \
        efi_status_t __s;                                               \
        kernel_fpu_begin();                                             \
+        firmware_restrict_branch_speculation_start();                   \
        __s = ((efi_##f##_t __attribute__((regparm(0)))*)               \
                efi.systab->runtime->f)(args);                          \
+        firmware_restrict_branch_speculation_end();                     \
        kernel_fpu_end();                                               \
        __s;                                                            \
 })
@@ -51,8 +54,10 @@ extern unsigned long asmlinkage efi_call_phys(void *, ...);
 #define __efi_call_virt(f, args...) \
 ({                                                                      \
        kernel_fpu_begin();                                             \
+        firmware_restrict_branch_speculation_start();                   \
        ((efi_##f##_t __attribute__((regparm(0)))*)                     \
                efi.systab->runtime->f)(args);                          \
+        firmware_restrict_branch_speculation_end();                     \
        kernel_fpu_end();                                               \
 })
@@ -73,7 +78,9 @@ extern u64 asmlinkage efi_call(void *fp, ...);
        efi_sync_low_kernel_mappings();                                 \
        preempt_disable();                                              \
        __kernel_fpu_begin();                                           \
+        firmware_restrict_branch_speculation_start();                   \
        __s = efi_call((void *)efi.systab->runtime->f, __VA_ARGS__);    \
+        firmware_restrict_branch_speculation_end();                     \
        __kernel_fpu_end();                                             \
        preempt_enable();                                               \
        __s;                                                            \
diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
index 3c3550c3a4a3..ec2aedb6f92a 100644
--- a/arch/x86/include/asm/fpu/internal.h
+++ b/arch/x86/include/asm/fpu/internal.h
@@ -17,6 +17,7 @@
 #include <asm/user.h>
 #include <asm/fpu/api.h>
 #include <asm/fpu/xstate.h>
+#include <asm/cpufeature.h>
 /*
 * High level FPU state handling functions:
@@ -42,6 +43,7 @@ extern void fpu__init_cpu_xstate(void);
 extern void fpu__init_system(struct cpuinfo_x86 *c);
 extern void fpu__init_check_bugs(void);
 extern void fpu__resume_cpu(void);
+extern u64 fpu__get_supported_xfeatures_mask(void);
 /*
 * Debugging facility:
@@ -57,22 +59,22 @@ extern void fpu__resume_cpu(void);
 */
 static __always_inline __pure bool use_eager_fpu(void)
 {
-        return static_cpu_has_safe(X86_FEATURE_EAGER_FPU);
+        return true;
 }
 static __always_inline __pure bool use_xsaveopt(void)
 {
-        return static_cpu_has_safe(X86_FEATURE_XSAVEOPT);
+        return static_cpu_has(X86_FEATURE_XSAVEOPT);
 }
 static __always_inline __pure bool use_xsave(void)
 {
-        return static_cpu_has_safe(X86_FEATURE_XSAVE);
+        return static_cpu_has(X86_FEATURE_XSAVE);
 }
 static __always_inline __pure bool use_fxsr(void)
 {
-        return static_cpu_has_safe(X86_FEATURE_FXSR);
+        return static_cpu_has(X86_FEATURE_FXSR);
 }
 /*
@@ -224,18 +226,67 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
 #define XRSTOR          ".byte " REX_PREFIX "0x0f,0xae,0x2f"
 #define XRSTORS         ".byte " REX_PREFIX "0x0f,0xc7,0x1f"
-/* xstate instruction fault handler: */
+#define XSTATE_OP(op, st, lmask, hmask, err)                            \
-#define xstate_fault(__err)             \
+        asm volatile("1:" op "\n\t"                                     \
-                                        \
+                     "xor %[err], %[err]\n"                             \
-        ".section .fixup,\"ax\"\n"      \
+                     "2:\n\t"                                           \
-                                        \
+                     ".pushsection .fixup,\"ax\"\n\t"                   \
-        "3:  movl $-2,%[_err]\n"        \
+                     "3: movl $-2,%[err]\n\t"                           \
-        "    jmp  2b\n"                 \
+                     "jmp 2b\n\t"                                       \
-                                        \
+                     ".popsection\n\t"                                  \
-        ".previous\n"                   \
+                     _ASM_EXTABLE(1b, 3b)                               \
-                                        \
+                     : [err] "=r" (err)                                 \
-        _ASM_EXTABLE(1b, 3b)            \
+                     : "D" (st), "m" (*st), "a" (lmask), "d" (hmask)    \
-        : [_err] "=r" (__err)
+                     : "memory")
+/*
+ * If XSAVES is enabled, it replaces XSAVEOPT because it supports a compact
+ * format and supervisor states in addition to modified optimization in
+ * XSAVEOPT.
+ *
+ * Otherwise, if XSAVEOPT is enabled, XSAVEOPT replaces XSAVE because XSAVEOPT
+ * supports modified optimization which is not supported by XSAVE.
+ *
+ * We use XSAVE as a fallback.
+ *
+ * The 661 label is defined in the ALTERNATIVE* macros as the address of the
+ * original instruction which gets replaced. We need to use it here as the
+ * address of the instruction where we might get an exception at.
+ */
+#define XSTATE_XSAVE(st, lmask, hmask, err)                             \
+        asm volatile(ALTERNATIVE_2(XSAVE,                               \
+                                   XSAVEOPT, X86_FEATURE_XSAVEOPT,      \
+                                   XSAVES,   X86_FEATURE_XSAVES)        \
+                     "\n"                                               \
+                     "xor %[err], %[err]\n"                             \
+                     "3:\n"                                             \
+                     ".pushsection .fixup,\"ax\"\n"                     \
+                     "4: movl $-2, %[err]\n"                            \
+                     "jmp 3b\n"                                         \
+                     ".popsection\n"                                    \
+                     _ASM_EXTABLE(661b, 4b)                             \
+                     : [err] "=r" (err)                                 \
+                     : "D" (st), "m" (*st), "a" (lmask), "d" (hmask)    \
+                     : "memory")
+/*
+ * Use XRSTORS to restore context if it is enabled. XRSTORS supports compact
+ * XSAVE area format.
+ */
+#define XSTATE_XRESTORE(st, lmask, hmask, err)                          \
+        asm volatile(ALTERNATIVE(XRSTOR,                                \
+                                 XRSTORS, X86_FEATURE_XSAVES)           \
+                     "\n"                                               \
+                     "xor %[err], %[err]\n"                             \
+                     "3:\n"                                             \
+                     ".pushsection .fixup,\"ax\"\n"                     \
+                     "4: movl $-2, %[err]\n"                            \
+                     "jmp 3b\n"                                         \
+                     ".popsection\n"                                    \
+                     _ASM_EXTABLE(661b, 4b)                             \
+                     : [err] "=r" (err)                                 \
+                     : "D" (st), "m" (*st), "a" (lmask), "d" (hmask)    \
+                     : "memory")
 /*
 * This function is called only during boot time when x86 caps are not set
@@ -246,22 +297,14 @@ static inline void copy_xregs_to_kernel_booting(struct xregs_state *xstate)
        u64 mask = -1;
        u32 lmask = mask;
        u32 hmask = mask >> 32;
-        int err = 0;
+        int err;
        WARN_ON(system_state != SYSTEM_BOOTING);
-        if (boot_cpu_has(X86_FEATURE_XSAVES))
+        if (static_cpu_has(X86_FEATURE_XSAVES))
-                asm volatile("1:"XSAVES"\n\t"
+                XSTATE_OP(XSAVES, xstate, lmask, hmask, err);
-                        "2:\n\t"
-                             xstate_fault(err)
-                        : "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err)
-                        : "memory");
        else
-                asm volatile("1:"XSAVE"\n\t"
+                XSTATE_OP(XSAVE, xstate, lmask, hmask, err);
-                        "2:\n\t"
-                             xstate_fault(err)
-                        : "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err)
-                        : "memory");
        /* We should never fault when copying to a kernel buffer: */
        WARN_ON_FPU(err);
@@ -276,22 +319,14 @@ static inline void copy_kernel_to_xregs_booting(struct xregs_state *xstate)
        u64 mask = -1;
        u32 lmask = mask;
        u32 hmask = mask >> 32;
-        int err = 0;
+        int err;
        WARN_ON(system_state != SYSTEM_BOOTING);
-        if (boot_cpu_has(X86_FEATURE_XSAVES))
+        if (static_cpu_has(X86_FEATURE_XSAVES))
-                asm volatile("1:"XRSTORS"\n\t"
+                XSTATE_OP(XRSTORS, xstate, lmask, hmask, err);
-                        "2:\n\t"
-                             xstate_fault(err)
-                        : "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err)
-                        : "memory");
        else
-                asm volatile("1:"XRSTOR"\n\t"
+                XSTATE_OP(XRSTOR, xstate, lmask, hmask, err);
-                        "2:\n\t"
-                             xstate_fault(err)
-                        : "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err)
-                        : "memory");
        /* We should never fault when copying from a kernel buffer: */
        WARN_ON_FPU(err);
@@ -305,33 +340,11 @@ static inline void copy_xregs_to_kernel(struct xregs_state *xstate)
        u64 mask = -1;
        u32 lmask = mask;
        u32 hmask = mask >> 32;
-        int err = 0;
+        int err;
        WARN_ON(!alternatives_patched);
-        /*
+        XSTATE_XSAVE(xstate, lmask, hmask, err);
-         * If xsaves is enabled, xsaves replaces xsaveopt because
-         * it supports compact format and supervisor states in addition to
-         * modified optimization in xsaveopt.
-         *
-         * Otherwise, if xsaveopt is enabled, xsaveopt replaces xsave
-         * because xsaveopt supports modified optimization which is not
-         * supported by xsave.
-         *
-         * If none of xsaves and xsaveopt is enabled, use xsave.
-         */
-        alternative_input_2(
-                "1:"XSAVE,
-                XSAVEOPT,
-                X86_FEATURE_XSAVEOPT,
-                XSAVES,
-                X86_FEATURE_XSAVES,
-                [xstate] "D" (xstate), "a" (lmask), "d" (hmask) :
-                "memory");
-        asm volatile("2:\n\t"
-                     xstate_fault(err)
-                     : "0" (err)
-                     : "memory");
        /* We should never fault when copying to a kernel buffer: */
        WARN_ON_FPU(err);
@@ -344,23 +357,9 @@ static inline void copy_kernel_to_xregs(struct xregs_state *xstate, u64 mask)
 {
        u32 lmask = mask;
        u32 hmask = mask >> 32;
-        int err = 0;
+        int err;
-        /*
+        XSTATE_XRESTORE(xstate, lmask, hmask, err);
-         * Use xrstors to restore context if it is enabled. xrstors supports
-         * compacted format of xsave area which is not supported by xrstor.
-         */
-        alternative_input(
-                "1: " XRSTOR,
-                XRSTORS,
-                X86_FEATURE_XSAVES,
-                "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask)
-                : "memory");
-        asm volatile("2:\n"
-                     xstate_fault(err)
-                     : "0" (err)
-                     : "memory");
        /* We should never fault when copying from a kernel buffer: */
        WARN_ON_FPU(err);
@@ -388,12 +387,10 @@ static inline int copy_xregs_to_user(struct xregs_state __user *buf)
        if (unlikely(err))
                return -EFAULT;
-        __asm__ __volatile__(ASM_STAC "\n"
+        stac();
-                             "1:"XSAVE"\n"
+        XSTATE_OP(XSAVE, buf, -1, -1, err);
-                             "2: " ASM_CLAC "\n"
+        clac();
-                             xstate_fault(err)
-                             : "D" (buf), "a" (-1), "d" (-1), "0" (err)
-                             : "memory");
        return err;
 }
@@ -405,14 +402,12 @@ static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask)
        struct xregs_state *xstate = ((__force struct xregs_state *)buf);
        u32 lmask = mask;
        u32 hmask = mask >> 32;
-        int err = 0;
+        int err;
-        __asm__ __volatile__(ASM_STAC "\n"
+        stac();
-                             "1:"XRSTOR"\n"
+        XSTATE_OP(XRSTOR, xstate, lmask, hmask, err);
-                             "2: " ASM_CLAC "\n"
+        clac();
-                             xstate_fault(err)
-                             : "D" (xstate), "a" (lmask), "d" (hmask), "0" (err)
-                             : "memory");       /* memory required? */
        return err;
 }
@@ -466,7 +461,7 @@ static inline void copy_kernel_to_fpregs(union fpregs_state *fpstate)
         * pending. Clear the x87 state here by setting it to fixed values.
         * "m" is a random variable that should be in L1.
         */
-        if (unlikely(static_cpu_has_bug_safe(X86_BUG_FXSAVE_LEAK))) {
+        if (unlikely(static_cpu_has_bug(X86_BUG_FXSAVE_LEAK))) {
                asm volatile(
                        "fnclex\n\t"
                        "emms\n\t"
@@ -595,7 +590,8 @@ switch_fpu_prepare(struct fpu *old_fpu, struct fpu *new_fpu, int cpu)
         * If the task has used the math, pre-load the FPU on xsave processors
         * or if the past 5 consecutive context-switches used math.
         */
-        fpu.preload = new_fpu->fpstate_active &&
+        fpu.preload = static_cpu_has(X86_FEATURE_FPU) &&
+                      new_fpu->fpstate_active &&
                      (use_eager_fpu() || new_fpu->counter > 5);
        if (old_fpu->fpregs_active) {
diff --git a/arch/x86/include/asm/fpu/xstate.h b/arch/x86/include/asm/fpu/xstate.h
index 3a6c89b70307..f23cd8c80b1c 100644
--- a/arch/x86/include/asm/fpu/xstate.h
+++ b/arch/x86/include/asm/fpu/xstate.h
@@ -22,7 +22,7 @@
 #define XFEATURE_MASK_LAZY      (XFEATURE_MASK_FP | \
                                 XFEATURE_MASK_SSE | \
                                 XFEATURE_MASK_YMM | \
-                                 XFEATURE_MASK_OPMASK | \
+                                 XFEATURE_MASK_OPMASK | \
                                 XFEATURE_MASK_ZMM_Hi256 | \
                                 XFEATURE_MASK_Hi16_ZMM)
diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
index b4c1f5453436..f4dc9b63bdda 100644
--- a/arch/x86/include/asm/futex.h
+++ b/arch/x86/include/asm/futex.h
@@ -41,20 +41,11 @@
                       "+m" (*uaddr), "=&r" (tem)               \
                     : "r" (oparg), "i" (-EFAULT), "1" (0))
-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+                u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret, tem;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
        switch (op) {
@@ -80,30 +71,9 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ:
-                        ret = (oldval == cmparg);
-                        break;
-                case FUTEX_OP_CMP_NE:
-                        ret = (oldval != cmparg);
-                        break;
-                case FUTEX_OP_CMP_LT:
-                        ret = (oldval < cmparg);
-                        break;
-                case FUTEX_OP_CMP_GE:
-                        ret = (oldval >= cmparg);
-                        break;
-                case FUTEX_OP_CMP_LE:
-                        ret = (oldval <= cmparg);
-                        break;
-                case FUTEX_OP_CMP_GT:
-                        ret = (oldval > cmparg);
-                        break;
-                default:
-                        ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
new file mode 100644
index 000000000000..e13ff5a14633
--- /dev/null
+++ b/arch/x86/include/asm/intel-family.h
@@ -0,0 +1,72 @@
+#ifndef _ASM_X86_INTEL_FAMILY_H
+#define _ASM_X86_INTEL_FAMILY_H
+/*
+ * "Big Core" Processors (Branded as Core, Xeon, etc...)
+ *
+ * The "_X" parts are generally the EP and EX Xeons, or the
+ * "Extreme" ones, like Broadwell-E.
+ *
+ * Things ending in "2" are usually because we have no better
+ * name for them.  There's no processor called "WESTMERE2".
+ */
+#define INTEL_FAM6_CORE_YONAH           0x0E
+#define INTEL_FAM6_CORE2_MEROM          0x0F
+#define INTEL_FAM6_CORE2_MEROM_L        0x16
+#define INTEL_FAM6_CORE2_PENRYN         0x17
+#define INTEL_FAM6_CORE2_DUNNINGTON     0x1D
+#define INTEL_FAM6_NEHALEM              0x1E
+#define INTEL_FAM6_NEHALEM_EP           0x1A
+#define INTEL_FAM6_NEHALEM_EX           0x2E
+#define INTEL_FAM6_WESTMERE             0x25
+#define INTEL_FAM6_WESTMERE2            0x1F
+#define INTEL_FAM6_WESTMERE_EP          0x2C
+#define INTEL_FAM6_WESTMERE_EX          0x2F
+#define INTEL_FAM6_SANDYBRIDGE          0x2A
+#define INTEL_FAM6_SANDYBRIDGE_X        0x2D
+#define INTEL_FAM6_IVYBRIDGE            0x3A
+#define INTEL_FAM6_IVYBRIDGE_X          0x3E
+#define INTEL_FAM6_HASWELL_CORE         0x3C
+#define INTEL_FAM6_HASWELL_X            0x3F
+#define INTEL_FAM6_HASWELL_ULT          0x45
+#define INTEL_FAM6_HASWELL_GT3E         0x46
+#define INTEL_FAM6_BROADWELL_CORE       0x3D
+#define INTEL_FAM6_BROADWELL_GT3E       0x47
+#define INTEL_FAM6_BROADWELL_X          0x4F
+#define INTEL_FAM6_BROADWELL_XEON_D     0x56
+#define INTEL_FAM6_SKYLAKE_MOBILE       0x4E
+#define INTEL_FAM6_SKYLAKE_DESKTOP      0x5E
+#define INTEL_FAM6_SKYLAKE_X            0x55
+#define INTEL_FAM6_KABYLAKE_MOBILE      0x8E
+#define INTEL_FAM6_KABYLAKE_DESKTOP     0x9E
+/* "Small Core" Processors (Atom) */
+#define INTEL_FAM6_ATOM_PINEVIEW        0x1C
+#define INTEL_FAM6_ATOM_LINCROFT        0x26
+#define INTEL_FAM6_ATOM_PENWELL         0x27
+#define INTEL_FAM6_ATOM_CLOVERVIEW      0x35
+#define INTEL_FAM6_ATOM_CEDARVIEW       0x36
+#define INTEL_FAM6_ATOM_SILVERMONT1     0x37 /* BayTrail/BYT / Valleyview */
+#define INTEL_FAM6_ATOM_SILVERMONT2     0x4D /* Avaton/Rangely */
+#define INTEL_FAM6_ATOM_AIRMONT         0x4C /* CherryTrail / Braswell */
+#define INTEL_FAM6_ATOM_MERRIFIELD      0x4A /* Tangier */
+#define INTEL_FAM6_ATOM_MOOREFIELD      0x5A /* Annidale */
+#define INTEL_FAM6_ATOM_GOLDMONT        0x5C
+#define INTEL_FAM6_ATOM_DENVERTON       0x5F /* Goldmont Microserver */
+#define INTEL_FAM6_ATOM_GEMINI_LAKE     0x7A
+/* Xeon Phi */
+#define INTEL_FAM6_XEON_PHI_KNL         0x57 /* Knights Landing */
+#define INTEL_FAM6_XEON_PHI_KNM         0x85 /* Knights Mill */
+#endif /* _ASM_X86_INTEL_FAMILY_H */
diff --git a/arch/x86/include/asm/irq_work.h b/arch/x86/include/asm/irq_work.h
index 78162f8e248b..d0afb05c84fc 100644
--- a/arch/x86/include/asm/irq_work.h
+++ b/arch/x86/include/asm/irq_work.h
@@ -1,7 +1,7 @@
 #ifndef _ASM_IRQ_WORK_H
 #define _ASM_IRQ_WORK_H
-#include <asm/processor.h>
+#include <asm/cpufeature.h>
 static inline bool arch_irq_work_has_interrupt(void)
 {
diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h
index b77f5edb03b0..cb7f04981c6b 100644
--- a/arch/x86/include/asm/irqflags.h
+++ b/arch/x86/include/asm/irqflags.h
@@ -8,7 +8,9 @@
 * Interrupt control:
 */
-static inline unsigned long native_save_fl(void)
+/* Declaration required for gcc < 4.9 to prevent -Werror=missing-prototypes */
+extern inline unsigned long native_save_fl(void);
+extern inline unsigned long native_save_fl(void)
 {
        unsigned long flags;
diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
index fc3c7e49c8e4..ae357d0afc91 100644
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -105,11 +105,12 @@ struct x86_emulate_ops {
         *  @addr:  [IN ] Linear address from which to read.
         *  @val:   [OUT] Value read from memory, zero-extended to 'u_long'.
         *  @bytes: [IN ] Number of bytes to read from memory.
+         *  @system:[IN ] Whether the access is forced to be at CPL0.
         */
        int (*read_std)(struct x86_emulate_ctxt *ctxt,
                        unsigned long addr, void *val,
                        unsigned int bytes,
-                        struct x86_exception *fault);
+                        struct x86_exception *fault, bool system);
        /*
         * read_phys: Read bytes of standard (non-emulated/special) memory.
@@ -127,10 +128,11 @@ struct x86_emulate_ops {
         *  @addr:  [IN ] Linear address to which to write.
         *  @val:   [OUT] Value write to memory, zero-extended to 'u_long'.
         *  @bytes: [IN ] Number of bytes to write to memory.
+         *  @system:[IN ] Whether the access is forced to be at CPL0.
         */
        int (*write_std)(struct x86_emulate_ctxt *ctxt,
                         unsigned long addr, void *val, unsigned int bytes,
-                         struct x86_exception *fault);
+                         struct x86_exception *fault, bool system);
        /*
         * fetch: Read bytes of standard (non-emulated/special) memory.
         *        Used for instruction fetch.
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 9d2abb2a41d2..74fda1a453bd 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -998,7 +998,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2,
 static inline int emulate_instruction(struct kvm_vcpu *vcpu,
                        int emulation_type)
 {
-        return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);
+        return x86_emulate_instruction(vcpu, 0,
+                        emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
 }
 void kvm_enable_efer_bits(u64);
diff --git a/arch/x86/include/asm/microcode_amd.h b/arch/x86/include/asm/microcode_amd.h
index adfc847a395e..fb163f02ebb1 100644
--- a/arch/x86/include/asm/microcode_amd.h
+++ b/arch/x86/include/asm/microcode_amd.h
@@ -59,7 +59,6 @@ static inline u16 find_equiv_id(struct equiv_cpu_entry *equiv_cpu_table,
 extern int __apply_microcode_amd(struct microcode_amd *mc_amd);
 extern int apply_microcode_amd(int cpu);
-extern enum ucode_state load_microcode_amd(int cpu, u8 family, const u8 *data, size_t size);
 #define PATCH_MAX_SIZE PAGE_SIZE
 extern u8 amd_ucode_patch[PATCH_MAX_SIZE];
diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
index 7680b76adafc..3359dfedc7ee 100644
--- a/arch/x86/include/asm/mmu.h
+++ b/arch/x86/include/asm/mmu.h
@@ -3,12 +3,18 @@
 #include <linux/spinlock.h>
 #include <linux/mutex.h>
+#include <linux/atomic.h>
 /*
- * The x86 doesn't have a mmu context, but
+ * x86 has arch-specific MMU state beyond what lives in mm_struct.
- * we put the segment information here.
 */
 typedef struct {
+        /*
+         * ctx_id uniquely identifies this mm_struct.  A ctx_id will never
+         * be reused, and zero is not a valid ctx_id.
+         */
+        u64 ctx_id;
 #ifdef CONFIG_MODIFY_LDT_SYSCALL
        struct ldt_struct *ldt;
 #endif
@@ -24,6 +30,11 @@ typedef struct {
        atomic_t perf_rdpmc_allowed;    /* nonzero if rdpmc is allowed */
 } mm_context_t;
+#define INIT_MM_CONTEXT(mm)                                             \
+        .context = {                                                    \
+                .ctx_id = 1,                                            \
+        }
 void leave_mm(int cpu);
 #endif /* _ASM_X86_MMU_H */
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 9bfc5fd77015..effc12767cbf 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -11,6 +11,9 @@
 #include <asm/tlbflush.h>
 #include <asm/paravirt.h>
 #include <asm/mpx.h>
+extern atomic64_t last_mm_ctx_id;
 #ifndef CONFIG_PARAVIRT
 static inline void paravirt_activate_mm(struct mm_struct *prev,
                                        struct mm_struct *next)
@@ -52,15 +55,15 @@ struct ldt_struct {
 /*
 * Used for LDT copy/destruction.
 */
-int init_new_context(struct task_struct *tsk, struct mm_struct *mm);
+int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm);
-void destroy_context(struct mm_struct *mm);
+void destroy_context_ldt(struct mm_struct *mm);
 #else   /* CONFIG_MODIFY_LDT_SYSCALL */
-static inline int init_new_context(struct task_struct *tsk,
+static inline int init_new_context_ldt(struct task_struct *tsk,
-                                   struct mm_struct *mm)
+                                       struct mm_struct *mm)
 {
        return 0;
 }
-static inline void destroy_context(struct mm_struct *mm) {}
+static inline void destroy_context_ldt(struct mm_struct *mm) {}
 #endif
 static inline void load_mm_ldt(struct mm_struct *mm)
@@ -102,6 +105,18 @@ static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
                this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
 }
+static inline int init_new_context(struct task_struct *tsk,
+                                   struct mm_struct *mm)
+{
+        mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
+        init_new_context_ldt(tsk, mm);
+        return 0;
+}
+static inline void destroy_context(struct mm_struct *mm)
+{
+        destroy_context_ldt(mm);
+}
 extern void switch_mm(struct mm_struct *prev, struct mm_struct *next,
                      struct task_struct *tsk);
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index b8911aecf035..caa00191e565 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -32,6 +32,15 @@
 #define EFER_FFXSR              (1<<_EFER_FFXSR)
 /* Intel MSRs. Some also available on other CPUs */
+#define MSR_IA32_SPEC_CTRL              0x00000048 /* Speculation Control */
+#define SPEC_CTRL_IBRS                  (1 << 0)   /* Indirect Branch Restricted Speculation */
+#define SPEC_CTRL_STIBP                 (1 << 1)   /* Single Thread Indirect Branch Predictors */
+#define SPEC_CTRL_SSBD_SHIFT            2          /* Speculative Store Bypass Disable bit */
+#define SPEC_CTRL_SSBD                  (1 << SPEC_CTRL_SSBD_SHIFT)   /* Speculative Store Bypass Disable */
+#define MSR_IA32_PRED_CMD               0x00000049 /* Prediction Command */
+#define PRED_CMD_IBPB                   (1 << 0)   /* Indirect Branch Prediction Barrier */
 #define MSR_IA32_PERFCTR0               0x000000c1
 #define MSR_IA32_PERFCTR1               0x000000c2
 #define MSR_FSB_FREQ                    0x000000cd
@@ -45,6 +54,16 @@
 #define SNB_C3_AUTO_UNDEMOTE            (1UL << 28)
 #define MSR_MTRRcap                     0x000000fe
+#define MSR_IA32_ARCH_CAPABILITIES      0x0000010a
+#define ARCH_CAP_RDCL_NO                (1 << 0)   /* Not susceptible to Meltdown */
+#define ARCH_CAP_IBRS_ALL               (1 << 1)   /* Enhanced IBRS support */
+#define ARCH_CAP_SSB_NO                 (1 << 4)   /*
+                                                    * Not susceptible to Speculative Store Bypass
+                                                    * attack, so no Speculative Store Bypass
+                                                    * control required.
+                                                    */
 #define MSR_IA32_BBL_CR_CTL             0x00000119
 #define MSR_IA32_BBL_CR_CTL3            0x0000011e
@@ -132,6 +151,7 @@
 /* DEBUGCTLMSR bits (others vary by model): */
 #define DEBUGCTLMSR_LBR                 (1UL <<  0) /* last branch recording */
+#define DEBUGCTLMSR_BTF_SHIFT           1
 #define DEBUGCTLMSR_BTF                 (1UL <<  1) /* single-step on branches */
 #define DEBUGCTLMSR_TR                  (1UL <<  6)
 #define DEBUGCTLMSR_BTS                 (1UL <<  7)
@@ -308,6 +328,8 @@
 #define MSR_AMD64_IBSOPDATA4            0xc001103d
 #define MSR_AMD64_IBS_REG_COUNT_MAX     8 /* includes MSR_AMD64_IBSBRTARGET */
+#define MSR_AMD64_VIRT_SPEC_CTRL        0xc001011f
 /* Fam 16h MSRs */
 #define MSR_F16H_L2I_PERF_CTL           0xc0010230
 #define MSR_F16H_L2I_PERF_CTR           0xc0010231
diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h
index 77d8b284e4a7..5a10ac8c131e 100644
--- a/arch/x86/include/asm/msr.h
+++ b/arch/x86/include/asm/msr.h
@@ -147,8 +147,7 @@ static __always_inline unsigned long long rdtsc_ordered(void)
         * that some other imaginary CPU is updating continuously with a
         * time stamp.
         */
-        alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC,
+        barrier_nospec();
-                          "lfence", X86_FEATURE_LFENCE_RDTSC);
        return rdtsc();
 }
diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h
index c70689b5e5aa..0deeb2d26df7 100644
--- a/arch/x86/include/asm/mwait.h
+++ b/arch/x86/include/asm/mwait.h
@@ -3,6 +3,8 @@
 #include <linux/sched.h>
+#include <asm/cpufeature.h>
 #define MWAIT_SUBSTATE_MASK             0xf
 #define MWAIT_CSTATE_MASK               0xf
 #define MWAIT_SUBSTATE_SIZE             4
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 492370b9b35b..b4c74c24c890 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -1,11 +1,12 @@
 /* SPDX-License-Identifier: GPL-2.0 */
-#ifndef __NOSPEC_BRANCH_H__
+#ifndef _ASM_X86_NOSPEC_BRANCH_H_
-#define __NOSPEC_BRANCH_H__
+#define _ASM_X86_NOSPEC_BRANCH_H_
 #include <asm/alternative.h>
 #include <asm/alternative-asm.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
+#include <asm/msr-index.h>
 /*
 * Fill the CPU return stack buffer.
@@ -171,6 +172,14 @@ enum spectre_v2_mitigation {
        SPECTRE_V2_IBRS,
 };
+/* The Speculative Store Bypass disable variants */
+enum ssb_mitigation {
+        SPEC_STORE_BYPASS_NONE,
+        SPEC_STORE_BYPASS_DISABLE,
+        SPEC_STORE_BYPASS_PRCTL,
+        SPEC_STORE_BYPASS_SECCOMP,
+};
 extern char __indirect_thunk_start[];
 extern char __indirect_thunk_end[];
@@ -178,7 +187,7 @@ extern char __indirect_thunk_end[];
 * On VMEXIT we must ensure that no RSB predictions learned in the guest
 * can be followed in the host, by overwriting the RSB completely. Both
 * retpoline and IBRS mitigations for Spectre v2 need this; only on future
- * CPUs with IBRS_ATT *might* it be avoided.
+ * CPUs with IBRS_ALL *might* it be avoided.
 */
 static inline void vmexit_fill_RSB(void)
 {
@@ -194,5 +203,87 @@ static inline void vmexit_fill_RSB(void)
 #endif
 }
+static __always_inline
+void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature)
+{
+        asm volatile(ALTERNATIVE("", "wrmsr", %c[feature])
+                : : "c" (msr),
+                    "a" ((u32)val),
+                    "d" ((u32)(val >> 32)),
+                    [feature] "i" (feature)
+                : "memory");
+}
+static inline void indirect_branch_prediction_barrier(void)
+{
+        u64 val = PRED_CMD_IBPB;
+        alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB);
+}
+/* The Intel SPEC CTRL MSR base value cache */
+extern u64 x86_spec_ctrl_base;
+/*
+ * With retpoline, we must use IBRS to restrict branch prediction
+ * before calling into firmware.
+ *
+ * (Implemented as CPP macros due to header hell.)
+ */
+#define firmware_restrict_branch_speculation_start()                    \
+do {                                                                    \
+        u64 val = x86_spec_ctrl_base | SPEC_CTRL_IBRS;                  \
+                                                                        \
+        preempt_disable();                                              \
+        alternative_msr_write(MSR_IA32_SPEC_CTRL, val,                  \
+                              X86_FEATURE_USE_IBRS_FW);                 \
+} while (0)
+#define firmware_restrict_branch_speculation_end()                      \
+do {                                                                    \
+        u64 val = x86_spec_ctrl_base;                                   \
+                                                                        \
+        alternative_msr_write(MSR_IA32_SPEC_CTRL, val,                  \
+                              X86_FEATURE_USE_IBRS_FW);                 \
+        preempt_enable();                                               \
+} while (0)
 #endif /* __ASSEMBLY__ */
-#endif /* __NOSPEC_BRANCH_H__ */
+/*
+ * Below is used in the eBPF JIT compiler and emits the byte sequence
+ * for the following assembly:
+ *
+ * With retpolines configured:
+ *
+ *    callq do_rop
+ *  spec_trap:
+ *    pause
+ *    lfence
+ *    jmp spec_trap
+ *  do_rop:
+ *    mov %rax,(%rsp)
+ *    retq
+ *
+ * Without retpolines configured:
+ *
+ *    jmp *%rax
+ */
+#ifdef CONFIG_RETPOLINE
+# define RETPOLINE_RAX_BPF_JIT_SIZE     17
+# define RETPOLINE_RAX_BPF_JIT()                                \
+        EMIT1_off32(0xE8, 7);    /* callq do_rop */             \
+        /* spec_trap: */                                        \
+        EMIT2(0xF3, 0x90);       /* pause */                    \
+        EMIT3(0x0F, 0xAE, 0xE8); /* lfence */                   \
+        EMIT2(0xEB, 0xF9);       /* jmp spec_trap */            \
+        /* do_rop: */                                           \
+        EMIT4(0x48, 0x89, 0x04, 0x24); /* mov %rax,(%rsp) */    \
+        EMIT1(0xC3);             /* retq */
+#else
+# define RETPOLINE_RAX_BPF_JIT_SIZE     2
+# define RETPOLINE_RAX_BPF_JIT()                                \
+        EMIT2(0xFF, 0xE0);       /* jmp *%rax */
+#endif
+#endif /* _ASM_X86_NOSPEC_BRANCH_H_ */
diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
index 3a52ee0e726d..bfceb5cc6347 100644
--- a/arch/x86/include/asm/page_32_types.h
+++ b/arch/x86/include/asm/page_32_types.h
@@ -27,8 +27,13 @@
 #define N_EXCEPTION_STACKS 1
 #ifdef CONFIG_X86_PAE
-/* 44=32+12, the limit we can fit into an unsigned long pfn */
+/*
-#define __PHYSICAL_MASK_SHIFT   44
+ * This is beyond the 44 bit limit imposed by the 32bit long pfns,
+ * but we need the full mask to make sure inverted PROT_NONE
+ * entries have all the host bits set in a guest.
+ * The real limit is still 44 bits.
+ */
+#define __PHYSICAL_MASK_SHIFT   52
 #define __VIRTUAL_MASK_SHIFT    32
 #else  /* !CONFIG_X86_PAE */
diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h
index fd74a11959de..89c50332a71e 100644
--- a/arch/x86/include/asm/pgtable-2level.h
+++ b/arch/x86/include/asm/pgtable-2level.h
@@ -77,4 +77,21 @@ static inline unsigned long pte_bitop(unsigned long value, unsigned int rightshi
 #define __pte_to_swp_entry(pte)         ((swp_entry_t) { (pte).pte_low })
 #define __swp_entry_to_pte(x)           ((pte_t) { .pte = (x).val })
+/* No inverted PFNs on 2 level page tables */
+static inline u64 protnone_mask(u64 val)
+{
+        return 0;
+}
+static inline u64 flip_protnone_guard(u64 oldval, u64 val, u64 mask)
+{
+        return val;
+}
+static inline bool __pte_needs_invert(u64 val)
+{
+        return false;
+}
 #endif /* _ASM_X86_PGTABLE_2LEVEL_H */
diff --git a/arch/x86/include/asm/pgtable-3level.h b/arch/x86/include/asm/pgtable-3level.h
index cdaa58c9b39e..5c686382d84b 100644
--- a/arch/x86/include/asm/pgtable-3level.h
+++ b/arch/x86/include/asm/pgtable-3level.h
@@ -177,11 +177,44 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *pmdp)
 #endif
 /* Encode and de-code a swap entry */
+#define SWP_TYPE_BITS           5
+#define SWP_OFFSET_FIRST_BIT    (_PAGE_BIT_PROTNONE + 1)
+/* We always extract/encode the offset by shifting it all the way up, and then down again */
+#define SWP_OFFSET_SHIFT        (SWP_OFFSET_FIRST_BIT + SWP_TYPE_BITS)
 #define MAX_SWAPFILES_CHECK() BUILD_BUG_ON(MAX_SWAPFILES_SHIFT > 5)
 #define __swp_type(x)                   (((x).val) & 0x1f)
 #define __swp_offset(x)                 ((x).val >> 5)
 #define __swp_entry(type, offset)       ((swp_entry_t){(type) | (offset) << 5})
-#define __pte_to_swp_entry(pte)         ((swp_entry_t){ (pte).pte_high })
-#define __swp_entry_to_pte(x)           ((pte_t){ { .pte_high = (x).val } })
+/*
+ * Normally, __swp_entry() converts from arch-independent swp_entry_t to
+ * arch-dependent swp_entry_t, and __swp_entry_to_pte() just stores the result
+ * to pte. But here we have 32bit swp_entry_t and 64bit pte, and need to use the
+ * whole 64 bits. Thus, we shift the "real" arch-dependent conversion to
+ * __swp_entry_to_pte() through the following helper macro based on 64bit
+ * __swp_entry().
+ */
+#define __swp_pteval_entry(type, offset) ((pteval_t) { \
+        (~(pteval_t)(offset) << SWP_OFFSET_SHIFT >> SWP_TYPE_BITS) \
+        | ((pteval_t)(type) << (64 - SWP_TYPE_BITS)) })
+#define __swp_entry_to_pte(x)   ((pte_t){ .pte = \
+                __swp_pteval_entry(__swp_type(x), __swp_offset(x)) })
+/*
+ * Analogically, __pte_to_swp_entry() doesn't just extract the arch-dependent
+ * swp_entry_t, but also has to convert it from 64bit to the 32bit
+ * intermediate representation, using the following macros based on 64bit
+ * __swp_type() and __swp_offset().
+ */
+#define __pteval_swp_type(x) ((unsigned long)((x).pte >> (64 - SWP_TYPE_BITS)))
+#define __pteval_swp_offset(x) ((unsigned long)(~((x).pte) << SWP_TYPE_BITS >> SWP_OFFSET_SHIFT))
+#define __pte_to_swp_entry(pte) (__swp_entry(__pteval_swp_type(pte), \
+                                             __pteval_swp_offset(pte)))
+#include <asm/pgtable-invert.h>
 #endif /* _ASM_X86_PGTABLE_3LEVEL_H */
diff --git a/arch/x86/include/asm/pgtable-invert.h b/arch/x86/include/asm/pgtable-invert.h
new file mode 100644
index 000000000000..a0c1525f1b6f
--- /dev/null
+++ b/arch/x86/include/asm/pgtable-invert.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_PGTABLE_INVERT_H
+#define _ASM_PGTABLE_INVERT_H 1
+#ifndef __ASSEMBLY__
+/*
+ * A clear pte value is special, and doesn't get inverted.
+ *
+ * Note that even users that only pass a pgprot_t (rather
+ * than a full pte) won't trigger the special zero case,
+ * because even PAGE_NONE has _PAGE_PROTNONE | _PAGE_ACCESSED
+ * set. So the all zero case really is limited to just the
+ * cleared page table entry case.
+ */
+static inline bool __pte_needs_invert(u64 val)
+{
+        return val && !(val & _PAGE_PRESENT);
+}
+/* Get a mask to xor with the page table entry to get the correct pfn. */
+static inline u64 protnone_mask(u64 val)
+{
+        return __pte_needs_invert(val) ?  ~0ull : 0;
+}
+static inline u64 flip_protnone_guard(u64 oldval, u64 val, u64 mask)
+{
+        /*
+         * When a PTE transitions from NONE to !NONE or vice-versa
+         * invert the PFN part to stop speculation.
+         * pte_pfn undoes this when needed.
+         */
+        if (__pte_needs_invert(oldval) != __pte_needs_invert(val))
+                val = (val & ~mask) | (~val & mask);
+        return val;
+}
+#endif /* __ASSEMBLY__ */
+#endif
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index 84c62d950023..4de6c282c02a 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -148,19 +148,29 @@ static inline int pte_special(pte_t pte)
        return pte_flags(pte) & _PAGE_SPECIAL;
 }
+/* Entries that were set to PROT_NONE are inverted */
+static inline u64 protnone_mask(u64 val);
 static inline unsigned long pte_pfn(pte_t pte)
 {
-        return (pte_val(pte) & PTE_PFN_MASK) >> PAGE_SHIFT;
+        phys_addr_t pfn = pte_val(pte);
+        pfn ^= protnone_mask(pfn);
+        return (pfn & PTE_PFN_MASK) >> PAGE_SHIFT;
 }
 static inline unsigned long pmd_pfn(pmd_t pmd)
 {
-        return (pmd_val(pmd) & pmd_pfn_mask(pmd)) >> PAGE_SHIFT;
+        phys_addr_t pfn = pmd_val(pmd);
+        pfn ^= protnone_mask(pfn);
+        return (pfn & pmd_pfn_mask(pmd)) >> PAGE_SHIFT;
 }
 static inline unsigned long pud_pfn(pud_t pud)
 {
-        return (pud_val(pud) & pud_pfn_mask(pud)) >> PAGE_SHIFT;
+        phys_addr_t pfn = pud_val(pud);
+        pfn ^= protnone_mask(pfn);
+        return (pfn & pud_pfn_mask(pud)) >> PAGE_SHIFT;
 }
 #define pte_page(pte)   pfn_to_page(pte_pfn(pte))
@@ -305,11 +315,6 @@ static inline pmd_t pmd_mkwrite(pmd_t pmd)
        return pmd_set_flags(pmd, _PAGE_RW);
 }
-static inline pmd_t pmd_mknotpresent(pmd_t pmd)
-{
-        return pmd_clear_flags(pmd, _PAGE_PRESENT | _PAGE_PROTNONE);
-}
 #ifdef CONFIG_HAVE_ARCH_SOFT_DIRTY
 static inline int pte_soft_dirty(pte_t pte)
 {
@@ -359,19 +364,58 @@ static inline pgprotval_t massage_pgprot(pgprot_t pgprot)
 static inline pte_t pfn_pte(unsigned long page_nr, pgprot_t pgprot)
 {
-        return __pte(((phys_addr_t)page_nr << PAGE_SHIFT) |
+        phys_addr_t pfn = (phys_addr_t)page_nr << PAGE_SHIFT;
-                     massage_pgprot(pgprot));
+        pfn ^= protnone_mask(pgprot_val(pgprot));
+        pfn &= PTE_PFN_MASK;
+        return __pte(pfn | massage_pgprot(pgprot));
 }
 static inline pmd_t pfn_pmd(unsigned long page_nr, pgprot_t pgprot)
 {
-        return __pmd(((phys_addr_t)page_nr << PAGE_SHIFT) |
+        phys_addr_t pfn = (phys_addr_t)page_nr << PAGE_SHIFT;
-                     massage_pgprot(pgprot));
+        pfn ^= protnone_mask(pgprot_val(pgprot));
+        pfn &= PHYSICAL_PMD_PAGE_MASK;
+        return __pmd(pfn | massage_pgprot(pgprot));
+}
+static inline pud_t pfn_pud(unsigned long page_nr, pgprot_t pgprot)
+{
+        phys_addr_t pfn = page_nr << PAGE_SHIFT;
+        pfn ^= protnone_mask(pgprot_val(pgprot));
+        pfn &= PHYSICAL_PUD_PAGE_MASK;
+        return __pud(pfn | massage_pgprot(pgprot));
+}
+static inline pmd_t pmd_mknotpresent(pmd_t pmd)
+{
+        return pfn_pmd(pmd_pfn(pmd),
+                       __pgprot(pmd_flags(pmd) & ~(_PAGE_PRESENT|_PAGE_PROTNONE)));
 }
+static inline pud_t pud_set_flags(pud_t pud, pudval_t set)
+{
+        pudval_t v = native_pud_val(pud);
+        return __pud(v | set);
+}
+static inline pud_t pud_clear_flags(pud_t pud, pudval_t clear)
+{
+        pudval_t v = native_pud_val(pud);
+        return __pud(v & ~clear);
+}
+static inline pud_t pud_mkhuge(pud_t pud)
+{
+        return pud_set_flags(pud, _PAGE_PSE);
+}
+static inline u64 flip_protnone_guard(u64 oldval, u64 val, u64 mask);
 static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
 {
-        pteval_t val = pte_val(pte);
+        pteval_t val = pte_val(pte), oldval = val;
        /*
         * Chop off the NX bit (if present), and add the NX portion of
@@ -379,17 +423,17 @@ static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
         */
        val &= _PAGE_CHG_MASK;
        val |= massage_pgprot(newprot) & ~_PAGE_CHG_MASK;
+        val = flip_protnone_guard(oldval, val, PTE_PFN_MASK);
        return __pte(val);
 }
 static inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot)
 {
-        pmdval_t val = pmd_val(pmd);
+        pmdval_t val = pmd_val(pmd), oldval = val;
        val &= _HPAGE_CHG_MASK;
        val |= massage_pgprot(newprot) & ~_HPAGE_CHG_MASK;
+        val = flip_protnone_guard(oldval, val, PHYSICAL_PMD_PAGE_MASK);
        return __pmd(val);
 }
@@ -926,6 +970,14 @@ static inline pte_t pte_swp_clear_soft_dirty(pte_t pte)
 }
 #endif
+#define __HAVE_ARCH_PFN_MODIFY_ALLOWED 1
+extern bool pfn_modify_allowed(unsigned long pfn, pgprot_t prot);
+static inline bool arch_has_pfn_modify_check(void)
+{
+        return boot_cpu_has_bug(X86_BUG_L1TF);
+}
 #include <asm-generic/pgtable.h>
 #endif  /* __ASSEMBLY__ */
diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
index c810226e741a..221a32ed1372 100644
--- a/arch/x86/include/asm/pgtable_64.h
+++ b/arch/x86/include/asm/pgtable_64.h
@@ -163,18 +163,52 @@ static inline int pgd_large(pgd_t pgd) { return 0; }
 #define pte_offset_map(dir, address) pte_offset_kernel((dir), (address))
 #define pte_unmap(pte) ((void)(pte))/* NOP */
-/* Encode and de-code a swap entry */
+/*
-#define SWP_TYPE_BITS 5
+ * Encode and de-code a swap entry
-#define SWP_OFFSET_SHIFT (_PAGE_BIT_PROTNONE + 1)
+ *
+ * |     ...            | 11| 10|  9|8|7|6|5| 4| 3|2| 1|0| <- bit number
+ * |     ...            |SW3|SW2|SW1|G|L|D|A|CD|WT|U| W|P| <- bit names
+ * | TYPE (59-63) | ~OFFSET (9-58)  |0|0|X|X| X| X|X|SD|0| <- swp entry
+ *
+ * G (8) is aliased and used as a PROT_NONE indicator for
+ * !present ptes.  We need to start storing swap entries above
+ * there.  We also need to avoid using A and D because of an
+ * erratum where they can be incorrectly set by hardware on
+ * non-present PTEs.
+ *
+ * SD (1) in swp entry is used to store soft dirty bit, which helps us
+ * remember soft dirty over page migration
+ *
+ * Bit 7 in swp entry should be 0 because pmd_present checks not only P,
+ * but also L and G.
+ *
+ * The offset is inverted by a binary not operation to make the high
+ * physical bits set.
+ */
+#define SWP_TYPE_BITS           5
+#define SWP_OFFSET_FIRST_BIT    (_PAGE_BIT_PROTNONE + 1)
+/* We always extract/encode the offset by shifting it all the way up, and then down again */
+#define SWP_OFFSET_SHIFT        (SWP_OFFSET_FIRST_BIT+SWP_TYPE_BITS)
 #define MAX_SWAPFILES_CHECK() BUILD_BUG_ON(MAX_SWAPFILES_SHIFT > SWP_TYPE_BITS)
-#define __swp_type(x)                   (((x).val >> (_PAGE_BIT_PRESENT + 1)) \
+/* Extract the high bits for type */
-                                         & ((1U << SWP_TYPE_BITS) - 1))
+#define __swp_type(x) ((x).val >> (64 - SWP_TYPE_BITS))
-#define __swp_offset(x)                 ((x).val >> SWP_OFFSET_SHIFT)
-#define __swp_entry(type, offset)       ((swp_entry_t) { \
+/* Shift up (to get rid of type), then down to get value */
-                                         ((type) << (_PAGE_BIT_PRESENT + 1)) \
+#define __swp_offset(x) (~(x).val << SWP_TYPE_BITS >> SWP_OFFSET_SHIFT)
-                                         | ((offset) << SWP_OFFSET_SHIFT) })
+/*
+ * Shift the offset up "too far" by TYPE bits, then down again
+ * The offset is inverted by a binary not operation to make the high
+ * physical bits set.
+ */
+#define __swp_entry(type, offset) ((swp_entry_t) { \
+        (~(unsigned long)(offset) << SWP_OFFSET_SHIFT >> SWP_TYPE_BITS) \
+        | ((unsigned long)(type) << (64-SWP_TYPE_BITS)) })
 #define __pte_to_swp_entry(pte)         ((swp_entry_t) { pte_val((pte)) })
 #define __swp_entry_to_pte(x)           ((pte_t) { .pte = (x).val })
@@ -201,6 +235,8 @@ extern void cleanup_highmap(void);
 extern void init_extra_mapping_uc(unsigned long phys, unsigned long size);
 extern void init_extra_mapping_wb(unsigned long phys, unsigned long size);
+#include <asm/pgtable-invert.h>
 #endif /* !__ASSEMBLY__ */
 #endif /* _ASM_X86_PGTABLE_64_H */
diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
index 8dba273da25a..7572ce32055e 100644
--- a/arch/x86/include/asm/pgtable_types.h
+++ b/arch/x86/include/asm/pgtable_types.h
@@ -70,15 +70,15 @@
 /*
 * Tracking soft dirty bit when a page goes to a swap is tricky.
 * We need a bit which can be stored in pte _and_ not conflict
- * with swap entry format. On x86 bits 6 and 7 are *not* involved
+ * with swap entry format. On x86 bits 1-4 are *not* involved
- * into swap entry computation, but bit 6 is used for nonlinear
+ * into swap entry computation, but bit 7 is used for thp migration,
- * file mapping, so we borrow bit 7 for soft dirty tracking.
+ * so we borrow bit 1 for soft dirty tracking.
 *
 * Please note that this bit must be treated as swap dirty page
- * mark if and only if the PTE has present bit clear!
+ * mark if and only if the PTE/PMD has present bit clear!
 */
 #ifdef CONFIG_MEM_SOFT_DIRTY
-#define _PAGE_SWP_SOFT_DIRTY    _PAGE_PSE
+#define _PAGE_SWP_SOFT_DIRTY    _PAGE_RW
 #else
 #define _PAGE_SWP_SOFT_DIRTY    (_AT(pteval_t, 0))
 #endif
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index c124d6ab4bf9..a3a53955f01c 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -13,7 +13,7 @@ struct vm86;
 #include <asm/types.h>
 #include <uapi/asm/sigcontext.h>
 #include <asm/current.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/page.h>
 #include <asm/pgtable_types.h>
 #include <asm/percpu.h>
@@ -24,7 +24,6 @@ struct vm86;
 #include <asm/fpu/types.h>
 #include <linux/personality.h>
-#include <linux/cpumask.h>
 #include <linux/cache.h>
 #include <linux/threads.h>
 #include <linux/math64.h>
@@ -113,7 +112,7 @@ struct cpuinfo_x86 {
        char                    x86_vendor_id[16];
        char                    x86_model_id[64];
        /* in KB - valid for CPUS which support this call: */
-        int                     x86_cache_size;
+        unsigned int            x86_cache_size;
        int                     x86_cache_alignment;    /* In bytes */
        /* Cache QoS architectural values: */
        int                     x86_cache_max_rmid;     /* max index */
@@ -173,6 +172,11 @@ extern const struct seq_operations cpuinfo_op;
 extern void cpu_detect(struct cpuinfo_x86 *c);
+static inline unsigned long l1tf_pfn_limit(void)
+{
+        return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
+}
 extern void early_cpu_init(void);
 extern void identify_boot_cpu(void);
 extern void identify_secondary_cpu(struct cpuinfo_x86 *);
@@ -574,7 +578,7 @@ static inline void sync_core(void)
 {
        int tmp;
-#ifdef CONFIG_M486
+#ifdef CONFIG_X86_32
        /*
         * Do a CPUID if available, otherwise do a jump.  The jump
         * can conveniently enough be the jump around CPUID.
diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h
index 5c6e4fb370f5..6847d85400a8 100644
--- a/arch/x86/include/asm/required-features.h
+++ b/arch/x86/include/asm/required-features.h
@@ -92,5 +92,15 @@
 #define REQUIRED_MASK7  0
 #define REQUIRED_MASK8  0
 #define REQUIRED_MASK9  0
+#define REQUIRED_MASK10 0
+#define REQUIRED_MASK11 0
+#define REQUIRED_MASK12 0
+#define REQUIRED_MASK13 0
+#define REQUIRED_MASK14 0
+#define REQUIRED_MASK15 0
+#define REQUIRED_MASK16 0
+#define REQUIRED_MASK17 0
+#define REQUIRED_MASK18 0
+#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19)
 #endif /* _ASM_X86_REQUIRED_FEATURES_H */
diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
index ba665ebd17bb..db333300bd4b 100644
--- a/arch/x86/include/asm/smap.h
+++ b/arch/x86/include/asm/smap.h
@@ -15,7 +15,7 @@
 #include <linux/stringify.h>
 #include <asm/nops.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 /* "Raw" instruction opcodes */
 #define __ASM_CLAC      .byte 0x0f,0x01,0xca
diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
index 222a6a3ca2b5..04d6eef5f8a5 100644
--- a/arch/x86/include/asm/smp.h
+++ b/arch/x86/include/asm/smp.h
@@ -16,20 +16,10 @@
 #endif
 #include <asm/thread_info.h>
 #include <asm/cpumask.h>
-#include <asm/cpufeature.h>
 extern int smp_num_siblings;
 extern unsigned int num_processors;
-static inline bool cpu_has_ht_siblings(void)
-{
-        bool has_siblings = false;
-#ifdef CONFIG_SMP
-        has_siblings = cpu_has_ht && smp_num_siblings > 1;
-#endif
-        return has_siblings;
-}
 DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_sibling_map);
 DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_core_map);
 /* cpus sharing the last level cache: */
diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
new file mode 100644
index 000000000000..ae7c2c5cd7f0
--- /dev/null
+++ b/arch/x86/include/asm/spec-ctrl.h
@@ -0,0 +1,80 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_X86_SPECCTRL_H_
+#define _ASM_X86_SPECCTRL_H_
+#include <linux/thread_info.h>
+#include <asm/nospec-branch.h>
+/*
+ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
+ * the guest has, while on VMEXIT we restore the host view. This
+ * would be easier if SPEC_CTRL were architecturally maskable or
+ * shadowable for guests but this is not (currently) the case.
+ * Takes the guest view of SPEC_CTRL MSR as a parameter and also
+ * the guest's version of VIRT_SPEC_CTRL, if emulated.
+ */
+extern void x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool guest);
+/**
+ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
+ * @guest_spec_ctrl:            The guest content of MSR_SPEC_CTRL
+ * @guest_virt_spec_ctrl:       The guest controlled bits of MSR_VIRT_SPEC_CTRL
+ *                              (may get translated to MSR_AMD64_LS_CFG bits)
+ *
+ * Avoids writing to the MSR if the content/bits are the same
+ */
+static inline
+void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
+{
+        x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true);
+}
+/**
+ * x86_spec_ctrl_restore_host - Restore host speculation control registers
+ * @guest_spec_ctrl:            The guest content of MSR_SPEC_CTRL
+ * @guest_virt_spec_ctrl:       The guest controlled bits of MSR_VIRT_SPEC_CTRL
+ *                              (may get translated to MSR_AMD64_LS_CFG bits)
+ *
+ * Avoids writing to the MSR if the content/bits are the same
+ */
+static inline
+void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
+{
+        x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false);
+}
+/* AMD specific Speculative Store Bypass MSR data */
+extern u64 x86_amd_ls_cfg_base;
+extern u64 x86_amd_ls_cfg_ssbd_mask;
+static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
+{
+        BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
+        return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
+}
+static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl)
+{
+        BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
+        return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
+}
+static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
+{
+        return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
+}
+#ifdef CONFIG_SMP
+extern void speculative_store_bypass_ht_init(void);
+#else
+static inline void speculative_store_bypass_ht_init(void) { }
+#endif
+extern void speculative_store_bypass_update(unsigned long tif);
+static inline void speculative_store_bypass_update_current(void)
+{
+        speculative_store_bypass_update(current_thread_info()->flags);
+}
+#endif
diff --git a/arch/x86/include/asm/switch_to.h b/arch/x86/include/asm/switch_to.h
index 751bf4b7bf11..025ecfaba9c9 100644
--- a/arch/x86/include/asm/switch_to.h
+++ b/arch/x86/include/asm/switch_to.h
@@ -1,6 +1,8 @@
 #ifndef _ASM_X86_SWITCH_TO_H
 #define _ASM_X86_SWITCH_TO_H
+#include <asm/nospec-branch.h>
 struct task_struct; /* one of the stranger aspects of C forward declarations */
 __visible struct task_struct *__switch_to(struct task_struct *prev,
                                           struct task_struct *next);
@@ -24,6 +26,23 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
 #define __switch_canary_iparam
 #endif  /* CC_STACKPROTECTOR */
+#ifdef CONFIG_RETPOLINE
+        /*
+         * When switching from a shallower to a deeper call stack
+         * the RSB may either underflow or use entries populated
+         * with userspace addresses. On CPUs where those concerns
+         * exist, overwrite the RSB with entries which capture
+         * speculative execution to prevent attack.
+         */
+#define __retpoline_fill_return_buffer                                  \
+        ALTERNATIVE("jmp 910f",                                         \
+                __stringify(__FILL_RETURN_BUFFER(%%ebx, RSB_CLEAR_LOOPS, %%esp)),\
+                X86_FEATURE_RSB_CTXSW)                                  \
+        "910:\n\t"
+#else
+#define __retpoline_fill_return_buffer
+#endif
 /*
 * Saving eflags is important. It switches not only IOPL between tasks,
 * it also protects other tasks from NT leaking through sysenter etc.
@@ -46,6 +65,7 @@ do {									\
                     "movl $1f,%[prev_ip]\n\t"  /* save    EIP   */     \
                     "pushl %[next_ip]\n\t"     /* restore EIP   */     \
                     __switch_canary                                    \
+                     __retpoline_fill_return_buffer                     \
                     "jmp __switch_to\n"        /* regparm call  */     \
                     "1:\t"                                             \
                     "popl %%ebp\n\t"           /* restore EBP   */     \
@@ -100,6 +120,23 @@ do {									\
 #define __switch_canary_iparam
 #endif  /* CC_STACKPROTECTOR */
+#ifdef CONFIG_RETPOLINE
+        /*
+         * When switching from a shallower to a deeper call stack
+         * the RSB may either underflow or use entries populated
+         * with userspace addresses. On CPUs where those concerns
+         * exist, overwrite the RSB with entries which capture
+         * speculative execution to prevent attack.
+         */
+#define __retpoline_fill_return_buffer                                  \
+        ALTERNATIVE("jmp 910f",                                         \
+                __stringify(__FILL_RETURN_BUFFER(%%r12, RSB_CLEAR_LOOPS, %%rsp)),\
+                X86_FEATURE_RSB_CTXSW)                                  \
+        "910:\n\t"
+#else
+#define __retpoline_fill_return_buffer
+#endif
 /*
 * There is no need to save or restore flags, because flags are always
 * clean in kernel mode, with the possible exception of IOPL.  Kernel IOPL
@@ -112,6 +149,7 @@ do {									\
             "call __switch_to\n\t"                                       \
             "movq "__percpu_arg([current_task])",%%rsi\n\t"              \
             __switch_canary                                              \
+             __retpoline_fill_return_buffer                               \
             "movq %P[thread_info](%%rsi),%%r8\n\t"                       \
             "movq %%rax,%%rdi\n\t"                                       \
             "testl  %[_tif_fork],%P[ti_flags](%%r8)\n\t"                 \
diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index c706b7796870..128a7105cbe2 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -49,7 +49,7 @@
 */
 #ifndef __ASSEMBLY__
 struct task_struct;
-#include <asm/processor.h>
+#include <asm/cpufeature.h>
 #include <linux/atomic.h>
 struct thread_info {
@@ -92,6 +92,7 @@ struct thread_info {
 #define TIF_SIGPENDING          2       /* signal pending */
 #define TIF_NEED_RESCHED        3       /* rescheduling necessary */
 #define TIF_SINGLESTEP          4       /* reenable singlestep on user return*/
+#define TIF_SSBD                5       /* Reduced data speculation */
 #define TIF_SYSCALL_EMU         6       /* syscall emulation active */
 #define TIF_SYSCALL_AUDIT       7       /* syscall auditing active */
 #define TIF_SECCOMP             8       /* secure computing */
@@ -114,8 +115,9 @@ struct thread_info {
 #define _TIF_SYSCALL_TRACE      (1 << TIF_SYSCALL_TRACE)
 #define _TIF_NOTIFY_RESUME      (1 << TIF_NOTIFY_RESUME)
 #define _TIF_SIGPENDING         (1 << TIF_SIGPENDING)
-#define _TIF_SINGLESTEP         (1 << TIF_SINGLESTEP)
 #define _TIF_NEED_RESCHED       (1 << TIF_NEED_RESCHED)
+#define _TIF_SINGLESTEP         (1 << TIF_SINGLESTEP)
+#define _TIF_SSBD               (1 << TIF_SSBD)
 #define _TIF_SYSCALL_EMU        (1 << TIF_SYSCALL_EMU)
 #define _TIF_SYSCALL_AUDIT      (1 << TIF_SYSCALL_AUDIT)
 #define _TIF_SECCOMP            (1 << TIF_SECCOMP)
@@ -147,7 +149,7 @@ struct thread_info {
 /* flags to check in __switch_to() */
 #define _TIF_WORK_CTXSW                                                 \
-        (_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP)
+        (_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD)
 #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY)
 #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW)
@@ -166,6 +168,17 @@ static inline struct thread_info *current_thread_info(void)
        return (struct thread_info *)(current_top_of_stack() - THREAD_SIZE);
 }
+static inline unsigned long current_stack_pointer(void)
+{
+        unsigned long sp;
+#ifdef CONFIG_X86_64
+        asm("mov %%rsp,%0" : "=g" (sp));
+#else
+        asm("mov %%esp,%0" : "=g" (sp));
+#endif
+        return sp;
+}
 /*
 * Walks up the stack frames to make sure that the specified object is
 * entirely contained by a single stack frame.
diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
index a691b66cc40a..72cfe3e53af1 100644
--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -5,6 +5,7 @@
 #include <linux/sched.h>
 #include <asm/processor.h>
+#include <asm/cpufeature.h>
 #include <asm/special_insns.h>
 #include <asm/smp.h>
@@ -67,6 +68,8 @@ static inline void invpcid_flush_all_nonglobals(void)
 struct tlb_state {
        struct mm_struct *active_mm;
        int state;
+        /* last user mm's ctx id */
+        u64 last_ctx_id;
        /*
         * Access to this CR4 shadow and to H/W CR4 is protected by
@@ -108,6 +111,16 @@ static inline void cr4_clear_bits(unsigned long mask)
        }
 }
+static inline void cr4_toggle_bits(unsigned long mask)
+{
+        unsigned long cr4;
+        cr4 = this_cpu_read(cpu_tlbstate.cr4);
+        cr4 ^= mask;
+        this_cpu_write(cpu_tlbstate.cr4, cr4);
+        __write_cr4(cr4);
+}
 /* Read the CR4 shadow. */
 static inline unsigned long cr4_read_shadow(void)
 {
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
index 2957c8237c28..ec9d2bcc8c24 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -8,7 +8,7 @@
 #include <linux/errno.h>
 #include <linux/lockdep.h>
 #include <asm/alternative.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/page.h>
 /*
diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index 14c63c7e8337..dd11f5cb4149 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -310,6 +310,7 @@ enum vmcs_field {
 #define INTR_TYPE_NMI_INTR              (2 << 8) /* NMI */
 #define INTR_TYPE_HARD_EXCEPTION        (3 << 8) /* processor exception */
 #define INTR_TYPE_SOFT_INTR             (4 << 8) /* software interrupt */
+#define INTR_TYPE_PRIV_SW_EXCEPTION     (5 << 8) /* ICE breakpoint - undocumented */
 #define INTR_TYPE_SOFT_EXCEPTION        (6 << 8) /* software exception */
 /* GUEST_INTERRUPTIBILITY_INFO flags. */
@@ -400,10 +401,11 @@ enum vmcs_field {
 #define IDENTITY_PAGETABLE_PRIVATE_MEMSLOT      (KVM_USER_MEM_SLOTS + 2)
 #define VMX_NR_VPIDS                            (1 << 16)
+#define VMX_VPID_EXTENT_INDIVIDUAL_ADDR         0
 #define VMX_VPID_EXTENT_SINGLE_CONTEXT          1
 #define VMX_VPID_EXTENT_ALL_CONTEXT             2
+#define VMX_VPID_EXTENT_SINGLE_NON_GLOBAL       3
-#define VMX_EPT_EXTENT_INDIVIDUAL_ADDR          0
 #define VMX_EPT_EXTENT_CONTEXT                  1
 #define VMX_EPT_EXTENT_GLOBAL                   2
 #define VMX_EPT_EXTENT_SHIFT                    24
@@ -420,8 +422,10 @@ enum vmcs_field {
 #define VMX_EPT_EXTENT_GLOBAL_BIT               (1ull << 26)
 #define VMX_VPID_INVVPID_BIT                    (1ull << 0) /* (32 - 32) */
+#define VMX_VPID_EXTENT_INDIVIDUAL_ADDR_BIT     (1ull << 8) /* (40 - 32) */
 #define VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT      (1ull << 9) /* (41 - 32) */
 #define VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT      (1ull << 10) /* (42 - 32) */
+#define VMX_VPID_EXTENT_SINGLE_NON_GLOBAL_BIT   (1ull << 11) /* (43 - 32) */
 #define VMX_EPT_DEFAULT_GAW                     3
 #define VMX_EPT_MAX_GAW                         0x4
diff --git a/arch/x86/include/asm/vsyscall.h b/arch/x86/include/asm/vsyscall.h
index 4865e10dbb55..62210da19a92 100644
--- a/arch/x86/include/asm/vsyscall.h
+++ b/arch/x86/include/asm/vsyscall.h
@@ -21,5 +21,6 @@ static inline bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
 }
 static inline bool vsyscall_enabled(void) { return false; }
 #endif
+extern unsigned long vsyscall_pgprot;
 #endif /* _ASM_X86_VSYSCALL_H */
diff --git a/arch/x86/include/asm/xor_32.h b/arch/x86/include/asm/xor_32.h
index 5a08bc8bff33..c54beb44c4c1 100644
--- a/arch/x86/include/asm/xor_32.h
+++ b/arch/x86/include/asm/xor_32.h
@@ -553,7 +553,7 @@ do {							\
        if (cpu_has_xmm) {                              \
                xor_speed(&xor_block_pIII_sse);         \
                xor_speed(&xor_block_sse_pf64);         \
-        } else if (cpu_has_mmx) {                       \
+        } else if (boot_cpu_has(X86_FEATURE_MMX)) {     \
                xor_speed(&xor_block_pII_mmx);          \
                xor_speed(&xor_block_p5_mmx);           \
        } else {                                        \
diff --git a/arch/x86/include/uapi/asm/msgbuf.h b/arch/x86/include/uapi/asm/msgbuf.h
index 809134c644a6..90ab9a795b49 100644
--- a/arch/x86/include/uapi/asm/msgbuf.h
+++ b/arch/x86/include/uapi/asm/msgbuf.h
@@ -1 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef __ASM_X64_MSGBUF_H
+#define __ASM_X64_MSGBUF_H
+#if !defined(__x86_64__) || !defined(__ILP32__)
 #include <asm-generic/msgbuf.h>
+#else
+/*
+ * The msqid64_ds structure for x86 architecture with x32 ABI.
+ *
+ * On x86-32 and x86-64 we can just use the generic definition, but
+ * x32 uses the same binary layout as x86_64, which is differnet
+ * from other 32-bit architectures.
+ */
+struct msqid64_ds {
+        struct ipc64_perm msg_perm;
+        __kernel_time_t msg_stime;      /* last msgsnd time */
+        __kernel_time_t msg_rtime;      /* last msgrcv time */
+        __kernel_time_t msg_ctime;      /* last change time */
+        __kernel_ulong_t msg_cbytes;    /* current number of bytes on queue */
+        __kernel_ulong_t msg_qnum;      /* number of messages in queue */
+        __kernel_ulong_t msg_qbytes;    /* max number of bytes on queue */
+        __kernel_pid_t msg_lspid;       /* pid of last msgsnd */
+        __kernel_pid_t msg_lrpid;       /* last receive pid */
+        __kernel_ulong_t __unused4;
+        __kernel_ulong_t __unused5;
+};
+#endif
+#endif /* __ASM_GENERIC_MSGBUF_H */
diff --git a/arch/x86/include/uapi/asm/shmbuf.h b/arch/x86/include/uapi/asm/shmbuf.h
index 83c05fc2de38..644421f3823b 100644
--- a/arch/x86/include/uapi/asm/shmbuf.h
+++ b/arch/x86/include/uapi/asm/shmbuf.h
@@ -1 +1,43 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef __ASM_X86_SHMBUF_H
+#define __ASM_X86_SHMBUF_H
+#if !defined(__x86_64__) || !defined(__ILP32__)
 #include <asm-generic/shmbuf.h>
+#else
+/*
+ * The shmid64_ds structure for x86 architecture with x32 ABI.
+ *
+ * On x86-32 and x86-64 we can just use the generic definition, but
+ * x32 uses the same binary layout as x86_64, which is differnet
+ * from other 32-bit architectures.
+ */
+struct shmid64_ds {
+        struct ipc64_perm       shm_perm;       /* operation perms */
+        size_t                  shm_segsz;      /* size of segment (bytes) */
+        __kernel_time_t         shm_atime;      /* last attach time */
+        __kernel_time_t         shm_dtime;      /* last detach time */
+        __kernel_time_t         shm_ctime;      /* last change time */
+        __kernel_pid_t          shm_cpid;       /* pid of creator */
+        __kernel_pid_t          shm_lpid;       /* pid of last operator */
+        __kernel_ulong_t        shm_nattch;     /* no. of current attaches */
+        __kernel_ulong_t        __unused4;
+        __kernel_ulong_t        __unused5;
+};
+struct shminfo64 {
+        __kernel_ulong_t        shmmax;
+        __kernel_ulong_t        shmmin;
+        __kernel_ulong_t        shmmni;
+        __kernel_ulong_t        shmseg;
+        __kernel_ulong_t        shmall;
+        __kernel_ulong_t        __unused1;
+        __kernel_ulong_t        __unused2;
+        __kernel_ulong_t        __unused3;
+        __kernel_ulong_t        __unused4;
+};
+#endif
+#endif /* __ASM_X86_SHMBUF_H */
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index b1b78ffe01d0..7947cee61f61 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -41,6 +41,7 @@ obj-y			+= alternative.o i8253.o pci-nommu.o hw_breakpoint.o
 obj-y                   += tsc.o tsc_msr.o io_delay.o rtc.o
 obj-y                   += pci-iommu_table.o
 obj-y                   += resource.o
+obj-y                   += irqflags.o
 obj-y                           += process.o
 obj-y                           += fpu/
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index d6f375f1b928..89829c3d5a74 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -45,17 +45,6 @@ static int __init setup_noreplace_smp(char *str)
 }
 __setup("noreplace-smp", setup_noreplace_smp);
-#ifdef CONFIG_PARAVIRT
-static int __initdata_or_module noreplace_paravirt = 0;
-static int __init setup_noreplace_paravirt(char *str)
-{
-        noreplace_paravirt = 1;
-        return 1;
-}
-__setup("noreplace-paravirt", setup_noreplace_paravirt);
-#endif
 #define DPRINTK(fmt, args...)                                           \
 do {                                                                    \
        if (debug_alternative)                                          \
@@ -587,9 +576,6 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start,
        struct paravirt_patch_site *p;
        char insnbuf[MAX_PATCH_LEN];
-        if (noreplace_paravirt)
-                return;
        for (p = start; p < end; p++) {
                unsigned int used;
diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
index a3e1f8497f8c..deddc9b93299 100644
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1368,7 +1368,7 @@ void setup_local_APIC(void)
         * TODO: set up through-local-APIC from through-I/O-APIC? --macro
         */
        value = apic_read(APIC_LVT0) & APIC_LVT_MASKED;
-        if (!cpu && (pic_mode || !value)) {
+        if (!cpu && (pic_mode || !value || skip_ioapic_setup)) {
                value = APIC_DM_EXTINT;
                apic_printk(APIC_VERBOSE, "enabled ExtINT on CPU#%d\n", cpu);
        } else {
diff --git a/arch/x86/kernel/apic/apic_numachip.c b/arch/x86/kernel/apic/apic_numachip.c
index 2bd2292a316d..bac0805ea1d9 100644
--- a/arch/x86/kernel/apic/apic_numachip.c
+++ b/arch/x86/kernel/apic/apic_numachip.c
@@ -30,7 +30,7 @@ static unsigned int numachip1_get_apic_id(unsigned long x)
        unsigned long value;
        unsigned int id = (x >> 24) & 0xff;
-        if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) {
+        if (static_cpu_has(X86_FEATURE_NODEID_MSR)) {
                rdmsrl(MSR_FAM10H_NODE_ID, value);
                id |= (value << 2) & 0xff00;
        }
@@ -178,7 +178,7 @@ static void fixup_cpu_id(struct cpuinfo_x86 *c, int node)
        this_cpu_write(cpu_llc_id, node);
        /* Account for nodes per socket in multi-core-module processors */
-        if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) {
+        if (static_cpu_has(X86_FEATURE_NODEID_MSR)) {
                rdmsrl(MSR_FAM10H_NODE_ID, val);
                nodes = ((val >> 3) & 7) + 1;
        }
diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
index fc91c98bee01..fd945099fc95 100644
--- a/arch/x86/kernel/apic/io_apic.c
+++ b/arch/x86/kernel/apic/io_apic.c
@@ -2592,8 +2592,8 @@ static struct resource * __init ioapic_setup_resources(void)
                res[num].flags = IORESOURCE_MEM | IORESOURCE_BUSY;
                snprintf(mem, IOAPIC_RESOURCE_NAME_SIZE, "IOAPIC %u", i);
                mem += IOAPIC_RESOURCE_NAME_SIZE;
+                ioapics[i].iomem_res = &res[num];
                num++;
-                ioapics[i].iomem_res = res;
        }
        ioapic_resources = res;
diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c
index a41e523536a2..592e260ba05b 100644
--- a/arch/x86/kernel/apic/vector.c
+++ b/arch/x86/kernel/apic/vector.c
@@ -91,8 +91,12 @@ out_data:
        return NULL;
 }
-static void free_apic_chip_data(struct apic_chip_data *data)
+static void free_apic_chip_data(unsigned int virq, struct apic_chip_data *data)
 {
+#ifdef  CONFIG_X86_IO_APIC
+        if (virq  < nr_legacy_irqs())
+                legacy_irq_data[virq] = NULL;
+#endif
        if (data) {
                free_cpumask_var(data->domain);
                free_cpumask_var(data->old_domain);
@@ -316,11 +320,7 @@ static void x86_vector_free_irqs(struct irq_domain *domain,
                        apic_data = irq_data->chip_data;
                        irq_domain_reset_irq_data(irq_data);
                        raw_spin_unlock_irqrestore(&vector_lock, flags);
-                        free_apic_chip_data(apic_data);
+                        free_apic_chip_data(virq + i, apic_data);
-#ifdef  CONFIG_X86_IO_APIC
-                        if (virq + i < nr_legacy_irqs())
-                                legacy_irq_data[virq + i] = NULL;
-#endif
                }
        }
 }
@@ -361,7 +361,7 @@ static int x86_vector_alloc_irqs(struct irq_domain *domain, unsigned int virq,
                err = assign_irq_vector_policy(virq + i, node, data, info);
                if (err) {
                        irq_data->chip_data = NULL;
-                        free_apic_chip_data(data);
+                        free_apic_chip_data(virq + i, data);
                        goto error;
                }
        }
diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
index 8f184615053b..924b65794abd 100644
--- a/arch/x86/kernel/cpu/Makefile
+++ b/arch/x86/kernel/cpu/Makefile
@@ -62,7 +62,7 @@ ifdef CONFIG_X86_FEATURE_NAMES
 quiet_cmd_mkcapflags = MKCAP   $@
      cmd_mkcapflags = $(CONFIG_SHELL) $(srctree)/$(src)/mkcapflags.sh $< $@
-cpufeature = $(src)/../../include/asm/cpufeature.h
+cpufeature = $(src)/../../include/asm/cpufeatures.h
 targets += capflags.c
 $(obj)/capflags.c: $(cpufeature) $(src)/mkcapflags.sh FORCE
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 4bf9e77f3e05..9f6151884249 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -9,6 +9,7 @@
 #include <asm/processor.h>
 #include <asm/apic.h>
 #include <asm/cpu.h>
+#include <asm/spec-ctrl.h>
 #include <asm/smp.h>
 #include <asm/pci-direct.h>
 #include <asm/delay.h>
@@ -304,7 +305,7 @@ static void amd_get_topology(struct cpuinfo_x86 *c)
        int cpu = smp_processor_id();
        /* get information required for multi-node processors */
-        if (cpu_has_topoext) {
+        if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
                u32 eax, ebx, ecx, edx;
                cpuid(0x8000001e, &eax, &ebx, &ecx, &edx);
@@ -519,6 +520,26 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
        if (cpu_has(c, X86_FEATURE_MWAITX))
                use_mwaitx_delay();
+        if (c->x86 >= 0x15 && c->x86 <= 0x17) {
+                unsigned int bit;
+                switch (c->x86) {
+                case 0x15: bit = 54; break;
+                case 0x16: bit = 33; break;
+                case 0x17: bit = 10; break;
+                default: return;
+                }
+                /*
+                 * Try to cache the base value so further operations can
+                 * avoid RMW. If that faults, do not enable SSBD.
+                 */
+                if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) {
+                        setup_force_cpu_cap(X86_FEATURE_LS_CFG_SSBD);
+                        setup_force_cpu_cap(X86_FEATURE_SSBD);
+                        x86_amd_ls_cfg_ssbd_mask = 1ULL << bit;
+                }
+        }
 }
 static void early_init_amd(struct cpuinfo_x86 *c)
@@ -692,6 +713,17 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
        }
 }
+static void init_amd_zn(struct cpuinfo_x86 *c)
+{
+        set_cpu_cap(c, X86_FEATURE_ZEN);
+        /*
+         * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects
+         * all up to and including B1.
+         */
+        if (c->x86_model <= 1 && c->x86_mask <= 1)
+                set_cpu_cap(c, X86_FEATURE_CPB);
+}
 static void init_amd(struct cpuinfo_x86 *c)
 {
        u32 dummy;
@@ -722,6 +754,7 @@ static void init_amd(struct cpuinfo_x86 *c)
        case 0x10: init_amd_gh(c); break;
        case 0x12: init_amd_ln(c); break;
        case 0x15: init_amd_bd(c); break;
+        case 0x17: init_amd_zn(c); break;
        }
        /* Enable workaround for FXSAVE leak */
@@ -791,8 +824,9 @@ static void init_amd(struct cpuinfo_x86 *c)
                if (cpu_has(c, X86_FEATURE_3DNOW) || cpu_has(c, X86_FEATURE_LM))
                        set_cpu_cap(c, X86_FEATURE_3DNOWPREFETCH);
-        /* AMD CPUs don't reset SS attributes on SYSRET */
+        /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */
-        set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
+        if (!cpu_has(c, X86_FEATURE_XENPV))
+                set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
 }
 #ifdef CONFIG_X86_32
@@ -954,7 +988,7 @@ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
 void set_dr_addr_mask(unsigned long mask, int dr)
 {
-        if (!cpu_has_bpext)
+        if (!boot_cpu_has(X86_FEATURE_BPEXT))
                return;
        switch (dr) {
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 49d25ddf0e9f..34e4aaaf03d2 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -10,8 +10,11 @@
 #include <linux/init.h>
 #include <linux/utsname.h>
 #include <linux/cpu.h>
+#include <linux/module.h>
+#include <linux/nospec.h>
+#include <linux/prctl.h>
-#include <asm/nospec-branch.h>
+#include <asm/spec-ctrl.h>
 #include <asm/cmdline.h>
 #include <asm/bugs.h>
 #include <asm/processor.h>
@@ -22,8 +25,32 @@
 #include <asm/alternative.h>
 #include <asm/pgtable.h>
 #include <asm/cacheflush.h>
+#include <asm/intel-family.h>
+#include <asm/e820.h>
 static void __init spectre_v2_select_mitigation(void);
+static void __init ssb_select_mitigation(void);
+static void __init l1tf_select_mitigation(void);
+/*
+ * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
+ * writes to SPEC_CTRL contain whatever reserved bits have been set.
+ */
+u64 x86_spec_ctrl_base;
+EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
+/*
+ * The vendor and possibly platform specific bits which can be modified in
+ * x86_spec_ctrl_base.
+ */
+static u64 x86_spec_ctrl_mask = SPEC_CTRL_IBRS;
+/*
+ * AMD specific MSR info for Speculative Store Bypass control.
+ * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
+ */
+u64 x86_amd_ls_cfg_base;
+u64 x86_amd_ls_cfg_ssbd_mask;
 void __init check_bugs(void)
 {
@@ -34,9 +61,29 @@ void __init check_bugs(void)
                print_cpu_info(&boot_cpu_data);
        }
+        /*
+         * Read the SPEC_CTRL MSR to account for reserved bits which may
+         * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
+         * init code as it is not enumerated and depends on the family.
+         */
+        if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
+                rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+        /* Allow STIBP in MSR_SPEC_CTRL if supported */
+        if (boot_cpu_has(X86_FEATURE_STIBP))
+                x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
        /* Select the proper spectre mitigation before patching alternatives */
        spectre_v2_select_mitigation();
+        /*
+         * Select proper mitigation for any exposure to the Speculative Store
+         * Bypass vulnerability.
+         */
+        ssb_select_mitigation();
+        l1tf_select_mitigation();
 #ifdef CONFIG_X86_32
        /*
         * Check whether we are able to run this kernel safely on SMP.
@@ -88,20 +135,109 @@ static const char *spectre_v2_strings[] = {
 };
 #undef pr_fmt
-#define pr_fmt(fmt)     "Spectre V2 mitigation: " fmt
+#define pr_fmt(fmt)     "Spectre V2 : " fmt
 static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
+void
+x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
+{
+        u64 msrval, guestval, hostval = x86_spec_ctrl_base;
+        struct thread_info *ti = current_thread_info();
+        /* Is MSR_SPEC_CTRL implemented ? */
+        if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
+                /*
+                 * Restrict guest_spec_ctrl to supported values. Clear the
+                 * modifiable bits in the host base value and or the
+                 * modifiable bits from the guest value.
+                 */
+                guestval = hostval & ~x86_spec_ctrl_mask;
+                guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
+                /* SSBD controlled in MSR_SPEC_CTRL */
+                if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
+                        hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
+                if (hostval != guestval) {
+                        msrval = setguest ? guestval : hostval;
+                        wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
+                }
+        }
+        /*
+         * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
+         * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
+         */
+        if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
+            !static_cpu_has(X86_FEATURE_VIRT_SSBD))
+                return;
+        /*
+         * If the host has SSBD mitigation enabled, force it in the host's
+         * virtual MSR value. If its not permanently enabled, evaluate
+         * current's TIF_SSBD thread flag.
+         */
+        if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
+                hostval = SPEC_CTRL_SSBD;
+        else
+                hostval = ssbd_tif_to_spec_ctrl(ti->flags);
+        /* Sanitize the guest value */
+        guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
+        if (hostval != guestval) {
+                unsigned long tif;
+                tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
+                                 ssbd_spec_ctrl_to_tif(hostval);
+                speculative_store_bypass_update(tif);
+        }
+}
+EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
+static void x86_amd_ssb_disable(void)
+{
+        u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
+        if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
+                wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
+        else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
+                wrmsrl(MSR_AMD64_LS_CFG, msrval);
+}
+#ifdef RETPOLINE
+static bool spectre_v2_bad_module;
+bool retpoline_module_ok(bool has_retpoline)
+{
+        if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
+                return true;
+        pr_err("System may be vulnerable to spectre v2\n");
+        spectre_v2_bad_module = true;
+        return false;
+}
+static inline const char *spectre_v2_module_string(void)
+{
+        return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
+}
+#else
+static inline const char *spectre_v2_module_string(void) { return ""; }
+#endif
 static void __init spec2_print_if_insecure(const char *reason)
 {
        if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
-                pr_info("%s\n", reason);
+                pr_info("%s selected on command line.\n", reason);
 }
 static void __init spec2_print_if_secure(const char *reason)
 {
        if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
-                pr_info("%s\n", reason);
+                pr_info("%s selected on command line.\n", reason);
 }
 static inline bool retp_compiler(void)
@@ -116,42 +252,65 @@ static inline bool match_option(const char *arg, int arglen, const char *opt)
        return len == arglen && !strncmp(arg, opt, len);
 }
+static const struct {
+        const char *option;
+        enum spectre_v2_mitigation_cmd cmd;
+        bool secure;
+} mitigation_options[] = {
+        { "off",               SPECTRE_V2_CMD_NONE,              false },
+        { "on",                SPECTRE_V2_CMD_FORCE,             true },
+        { "retpoline",         SPECTRE_V2_CMD_RETPOLINE,         false },
+        { "retpoline,amd",     SPECTRE_V2_CMD_RETPOLINE_AMD,     false },
+        { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
+        { "auto",              SPECTRE_V2_CMD_AUTO,              false },
+};
 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
 {
        char arg[20];
-        int ret;
+        int ret, i;
+        enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
-        ret = cmdline_find_option(boot_command_line, "spectre_v2", arg,
-                                  sizeof(arg));
+        if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
-        if (ret > 0)  {
+                return SPECTRE_V2_CMD_NONE;
-                if (match_option(arg, ret, "off")) {
+        else {
-                        goto disable;
+                ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
-                } else if (match_option(arg, ret, "on")) {
+                if (ret < 0)
-                        spec2_print_if_secure("force enabled on command line.");
+                        return SPECTRE_V2_CMD_AUTO;
-                        return SPECTRE_V2_CMD_FORCE;
-                } else if (match_option(arg, ret, "retpoline")) {
+                for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
-                        spec2_print_if_insecure("retpoline selected on command line.");
+                        if (!match_option(arg, ret, mitigation_options[i].option))
-                        return SPECTRE_V2_CMD_RETPOLINE;
+                                continue;
-                } else if (match_option(arg, ret, "retpoline,amd")) {
+                        cmd = mitigation_options[i].cmd;
-                        if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) {
+                        break;
-                                pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n");
+                }
-                                return SPECTRE_V2_CMD_AUTO;
-                        }
+                if (i >= ARRAY_SIZE(mitigation_options)) {
-                        spec2_print_if_insecure("AMD retpoline selected on command line.");
+                        pr_err("unknown option (%s). Switching to AUTO select\n", arg);
-                        return SPECTRE_V2_CMD_RETPOLINE_AMD;
-                } else if (match_option(arg, ret, "retpoline,generic")) {
-                        spec2_print_if_insecure("generic retpoline selected on command line.");
-                        return SPECTRE_V2_CMD_RETPOLINE_GENERIC;
-                } else if (match_option(arg, ret, "auto")) {
                        return SPECTRE_V2_CMD_AUTO;
                }
        }
-        if (!cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
+        if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
+             cmd == SPECTRE_V2_CMD_RETPOLINE_AMD ||
+             cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) &&
+            !IS_ENABLED(CONFIG_RETPOLINE)) {
+                pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option);
+                return SPECTRE_V2_CMD_AUTO;
+        }
+        if (cmd == SPECTRE_V2_CMD_RETPOLINE_AMD &&
+            boot_cpu_data.x86_vendor != X86_VENDOR_AMD) {
+                pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n");
                return SPECTRE_V2_CMD_AUTO;
-disable:
+        }
-        spec2_print_if_insecure("disabled on command line.");
-        return SPECTRE_V2_CMD_NONE;
+        if (mitigation_options[i].secure)
+                spec2_print_if_secure(mitigation_options[i].option);
+        else
+                spec2_print_if_insecure(mitigation_options[i].option);
+        return cmd;
 }
 static void __init spectre_v2_select_mitigation(void)
@@ -172,10 +331,10 @@ static void __init spectre_v2_select_mitigation(void)
                return;
        case SPECTRE_V2_CMD_FORCE:
-                /* FALLTRHU */
        case SPECTRE_V2_CMD_AUTO:
-                goto retpoline_auto;
+                if (IS_ENABLED(CONFIG_RETPOLINE))
+                        goto retpoline_auto;
+                break;
        case SPECTRE_V2_CMD_RETPOLINE_AMD:
                if (IS_ENABLED(CONFIG_RETPOLINE))
                        goto retpoline_amd;
@@ -189,14 +348,14 @@ static void __init spectre_v2_select_mitigation(void)
                        goto retpoline_auto;
                break;
        }
-        pr_err("kernel not compiled with retpoline; no mitigation available!");
+        pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!");
        return;
 retpoline_auto:
        if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) {
        retpoline_amd:
                if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
-                        pr_err("LFENCE not serializing. Switching to generic retpoline\n");
+                        pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n");
                        goto retpoline_generic;
                }
                mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD :
@@ -212,35 +371,357 @@ retpoline_auto:
        spectre_v2_enabled = mode;
        pr_info("%s\n", spectre_v2_strings[mode]);
+        /*
+         * If spectre v2 protection has been enabled, unconditionally fill
+         * RSB during a context switch; this protects against two independent
+         * issues:
+         *
+         *      - RSB underflow (and switch to BTB) on Skylake+
+         *      - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs
+         */
+        setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
+        pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
+        /* Initialize Indirect Branch Prediction Barrier if supported */
+        if (boot_cpu_has(X86_FEATURE_IBPB)) {
+                setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
+                pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
+        }
+        /*
+         * Retpoline means the kernel is safe because it has no indirect
+         * branches. But firmware isn't, so use IBRS to protect that.
+         */
+        if (boot_cpu_has(X86_FEATURE_IBRS)) {
+                setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
+                pr_info("Enabling Restricted Speculation for firmware calls\n");
+        }
+}
+#undef pr_fmt
+#define pr_fmt(fmt)     "Speculative Store Bypass: " fmt
+static enum ssb_mitigation ssb_mode = SPEC_STORE_BYPASS_NONE;
+/* The kernel command line selection */
+enum ssb_mitigation_cmd {
+        SPEC_STORE_BYPASS_CMD_NONE,
+        SPEC_STORE_BYPASS_CMD_AUTO,
+        SPEC_STORE_BYPASS_CMD_ON,
+        SPEC_STORE_BYPASS_CMD_PRCTL,
+        SPEC_STORE_BYPASS_CMD_SECCOMP,
+};
+static const char *ssb_strings[] = {
+        [SPEC_STORE_BYPASS_NONE]        = "Vulnerable",
+        [SPEC_STORE_BYPASS_DISABLE]     = "Mitigation: Speculative Store Bypass disabled",
+        [SPEC_STORE_BYPASS_PRCTL]       = "Mitigation: Speculative Store Bypass disabled via prctl",
+        [SPEC_STORE_BYPASS_SECCOMP]     = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
+};
+static const struct {
+        const char *option;
+        enum ssb_mitigation_cmd cmd;
+} ssb_mitigation_options[] = {
+        { "auto",       SPEC_STORE_BYPASS_CMD_AUTO },    /* Platform decides */
+        { "on",         SPEC_STORE_BYPASS_CMD_ON },      /* Disable Speculative Store Bypass */
+        { "off",        SPEC_STORE_BYPASS_CMD_NONE },    /* Don't touch Speculative Store Bypass */
+        { "prctl",      SPEC_STORE_BYPASS_CMD_PRCTL },   /* Disable Speculative Store Bypass via prctl */
+        { "seccomp",    SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
+};
+static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
+{
+        enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
+        char arg[20];
+        int ret, i;
+        if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
+                return SPEC_STORE_BYPASS_CMD_NONE;
+        } else {
+                ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
+                                          arg, sizeof(arg));
+                if (ret < 0)
+                        return SPEC_STORE_BYPASS_CMD_AUTO;
+                for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
+                        if (!match_option(arg, ret, ssb_mitigation_options[i].option))
+                                continue;
+                        cmd = ssb_mitigation_options[i].cmd;
+                        break;
+                }
+                if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
+                        pr_err("unknown option (%s). Switching to AUTO select\n", arg);
+                        return SPEC_STORE_BYPASS_CMD_AUTO;
+                }
+        }
+        return cmd;
+}
+static enum ssb_mitigation __init __ssb_select_mitigation(void)
+{
+        enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
+        enum ssb_mitigation_cmd cmd;
+        if (!boot_cpu_has(X86_FEATURE_SSBD))
+                return mode;
+        cmd = ssb_parse_cmdline();
+        if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
+            (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
+             cmd == SPEC_STORE_BYPASS_CMD_AUTO))
+                return mode;
+        switch (cmd) {
+        case SPEC_STORE_BYPASS_CMD_AUTO:
+        case SPEC_STORE_BYPASS_CMD_SECCOMP:
+                /*
+                 * Choose prctl+seccomp as the default mode if seccomp is
+                 * enabled.
+                 */
+                if (IS_ENABLED(CONFIG_SECCOMP))
+                        mode = SPEC_STORE_BYPASS_SECCOMP;
+                else
+                        mode = SPEC_STORE_BYPASS_PRCTL;
+                break;
+        case SPEC_STORE_BYPASS_CMD_ON:
+                mode = SPEC_STORE_BYPASS_DISABLE;
+                break;
+        case SPEC_STORE_BYPASS_CMD_PRCTL:
+                mode = SPEC_STORE_BYPASS_PRCTL;
+                break;
+        case SPEC_STORE_BYPASS_CMD_NONE:
+                break;
+        }
+        /*
+         * We have three CPU feature flags that are in play here:
+         *  - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
+         *  - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
+         *  - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
+         */
+        if (mode == SPEC_STORE_BYPASS_DISABLE) {
+                setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
+                /*
+                 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses
+                 * a completely different MSR and bit dependent on family.
+                 */
+                switch (boot_cpu_data.x86_vendor) {
+                case X86_VENDOR_INTEL:
+                        x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
+                        x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
+                        wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+                        break;
+                case X86_VENDOR_AMD:
+                        x86_amd_ssb_disable();
+                        break;
+                }
+        }
+        return mode;
+}
+static void ssb_select_mitigation(void)
+{
+        ssb_mode = __ssb_select_mitigation();
+        if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
+                pr_info("%s\n", ssb_strings[ssb_mode]);
 }
 #undef pr_fmt
+#define pr_fmt(fmt)     "Speculation prctl: " fmt
+static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
+{
+        bool update;
+        if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
+            ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
+                return -ENXIO;
+        switch (ctrl) {
+        case PR_SPEC_ENABLE:
+                /* If speculation is force disabled, enable is not allowed */
+                if (task_spec_ssb_force_disable(task))
+                        return -EPERM;
+                task_clear_spec_ssb_disable(task);
+                update = test_and_clear_tsk_thread_flag(task, TIF_SSBD);
+                break;
+        case PR_SPEC_DISABLE:
+                task_set_spec_ssb_disable(task);
+                update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
+                break;
+        case PR_SPEC_FORCE_DISABLE:
+                task_set_spec_ssb_disable(task);
+                task_set_spec_ssb_force_disable(task);
+                update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
+                break;
+        default:
+                return -ERANGE;
+        }
+        /*
+         * If being set on non-current task, delay setting the CPU
+         * mitigation until it is next scheduled.
+         */
+        if (task == current && update)
+                speculative_store_bypass_update_current();
+        return 0;
+}
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
+                             unsigned long ctrl)
+{
+        switch (which) {
+        case PR_SPEC_STORE_BYPASS:
+                return ssb_prctl_set(task, ctrl);
+        default:
+                return -ENODEV;
+        }
+}
+#ifdef CONFIG_SECCOMP
+void arch_seccomp_spec_mitigate(struct task_struct *task)
+{
+        if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
+                ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
+}
+#endif
+static int ssb_prctl_get(struct task_struct *task)
+{
+        switch (ssb_mode) {
+        case SPEC_STORE_BYPASS_DISABLE:
+                return PR_SPEC_DISABLE;
+        case SPEC_STORE_BYPASS_SECCOMP:
+        case SPEC_STORE_BYPASS_PRCTL:
+                if (task_spec_ssb_force_disable(task))
+                        return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
+                if (task_spec_ssb_disable(task))
+                        return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
+                return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
+        default:
+                if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
+                        return PR_SPEC_ENABLE;
+                return PR_SPEC_NOT_AFFECTED;
+        }
+}
+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
+{
+        switch (which) {
+        case PR_SPEC_STORE_BYPASS:
+                return ssb_prctl_get(task);
+        default:
+                return -ENODEV;
+        }
+}
+void x86_spec_ctrl_setup_ap(void)
+{
+        if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
+                wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+        if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
+                x86_amd_ssb_disable();
+}
+#undef pr_fmt
+#define pr_fmt(fmt)     "L1TF: " fmt
+static void __init l1tf_select_mitigation(void)
+{
+        u64 half_pa;
+        if (!boot_cpu_has_bug(X86_BUG_L1TF))
+                return;
+#if CONFIG_PGTABLE_LEVELS == 2
+        pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
+        return;
+#endif
+        /*
+         * This is extremely unlikely to happen because almost all
+         * systems have far more MAX_PA/2 than RAM can be fit into
+         * DIMM slots.
+         */
+        half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
+        if (e820_any_mapped(half_pa, ULLONG_MAX - half_pa, E820_RAM)) {
+                pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
+                return;
+        }
+        setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
+}
+#undef pr_fmt
 #ifdef CONFIG_SYSFS
-ssize_t cpu_show_meltdown(struct device *dev,
-                          struct device_attribute *attr, char *buf)
+static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
+                               char *buf, unsigned int bug)
 {
-        if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
+        if (!boot_cpu_has_bug(bug))
                return sprintf(buf, "Not affected\n");
-        if (boot_cpu_has(X86_FEATURE_KAISER))
-                return sprintf(buf, "Mitigation: PTI\n");
+        switch (bug) {
+        case X86_BUG_CPU_MELTDOWN:
+                if (boot_cpu_has(X86_FEATURE_KAISER))
+                        return sprintf(buf, "Mitigation: PTI\n");
+                break;
+        case X86_BUG_SPECTRE_V1:
+                return sprintf(buf, "Mitigation: __user pointer sanitization\n");
+        case X86_BUG_SPECTRE_V2:
+                return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+                               boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
+                               boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
+                               spectre_v2_module_string());
+        case X86_BUG_SPEC_STORE_BYPASS:
+                return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
+        case X86_BUG_L1TF:
+                if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
+                        return sprintf(buf, "Mitigation: Page Table Inversion\n");
+                break;
+        default:
+                break;
+        }
        return sprintf(buf, "Vulnerable\n");
 }
-ssize_t cpu_show_spectre_v1(struct device *dev,
+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
-                            struct device_attribute *attr, char *buf)
 {
-        if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1))
+        return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
-                return sprintf(buf, "Not affected\n");
-        return sprintf(buf, "Vulnerable\n");
 }
-ssize_t cpu_show_spectre_v2(struct device *dev,
+ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
-                            struct device_attribute *attr, char *buf)
 {
-        if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
+        return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
-                return sprintf(buf, "Not affected\n");
+}
-        return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
+ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
+{
+        return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
+}
+ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
+{
+        return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
+}
+ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
+{
+        return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
 }
 #endif
diff --git a/arch/x86/kernel/cpu/centaur.c b/arch/x86/kernel/cpu/centaur.c
index d8fba5c15fbd..6608c03c2126 100644
--- a/arch/x86/kernel/cpu/centaur.c
+++ b/arch/x86/kernel/cpu/centaur.c
@@ -1,7 +1,7 @@
 #include <linux/bitops.h>
 #include <linux/kernel.h>
-#include <asm/processor.h>
+#include <asm/cpufeature.h>
 #include <asm/e820.h>
 #include <asm/mtrr.h>
 #include <asm/msr.h>
@@ -43,7 +43,7 @@ static void init_c3(struct cpuinfo_x86 *c)
                /* store Centaur Extended Feature Flags as
                 * word 5 of the CPU capability bit array
                 */
-                c->x86_capability[5] = cpuid_edx(0xC0000001);
+                c->x86_capability[CPUID_C000_0001_EDX] = cpuid_edx(0xC0000001);
        }
 #ifdef CONFIG_X86_32
        /* Cyrix III family needs CX8 & PGE explicitly enabled. */
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index f7f2ad3687ee..4d3fa79c0f09 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -43,6 +43,8 @@
 #include <asm/pat.h>
 #include <asm/microcode.h>
 #include <asm/microcode_intel.h>
+#include <asm/intel-family.h>
+#include <asm/cpu_device_id.h>
 #ifdef CONFIG_X86_LOCAL_APIC
 #include <asm/uv/uv.h>
@@ -674,52 +676,86 @@ static void apply_forced_caps(struct cpuinfo_x86 *c)
        }
 }
+static void init_speculation_control(struct cpuinfo_x86 *c)
+{
+        /*
+         * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support,
+         * and they also have a different bit for STIBP support. Also,
+         * a hypervisor might have set the individual AMD bits even on
+         * Intel CPUs, for finer-grained selection of what's available.
+         */
+        if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
+                set_cpu_cap(c, X86_FEATURE_IBRS);
+                set_cpu_cap(c, X86_FEATURE_IBPB);
+                set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
+        }
+        if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
+                set_cpu_cap(c, X86_FEATURE_STIBP);
+        if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD))
+                set_cpu_cap(c, X86_FEATURE_SSBD);
+        if (cpu_has(c, X86_FEATURE_AMD_IBRS)) {
+                set_cpu_cap(c, X86_FEATURE_IBRS);
+                set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
+        }
+        if (cpu_has(c, X86_FEATURE_AMD_IBPB))
+                set_cpu_cap(c, X86_FEATURE_IBPB);
+        if (cpu_has(c, X86_FEATURE_AMD_STIBP)) {
+                set_cpu_cap(c, X86_FEATURE_STIBP);
+                set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
+        }
+}
 void get_cpu_cap(struct cpuinfo_x86 *c)
 {
-        u32 tfms, xlvl;
+        u32 eax, ebx, ecx, edx;
-        u32 ebx;
        /* Intel-defined flags: level 0x00000001 */
        if (c->cpuid_level >= 0x00000001) {
-                u32 capability, excap;
+                cpuid(0x00000001, &eax, &ebx, &ecx, &edx);
-                cpuid(0x00000001, &tfms, &ebx, &excap, &capability);
+                c->x86_capability[CPUID_1_ECX] = ecx;
-                c->x86_capability[0] = capability;
+                c->x86_capability[CPUID_1_EDX] = edx;
-                c->x86_capability[4] = excap;
        }
+        /* Thermal and Power Management Leaf: level 0x00000006 (eax) */
+        if (c->cpuid_level >= 0x00000006)
+                c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006);
        /* Additional Intel-defined flags: level 0x00000007 */
        if (c->cpuid_level >= 0x00000007) {
-                u32 eax, ebx, ecx, edx;
                cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx);
+                c->x86_capability[CPUID_7_0_EBX] = ebx;
-                c->x86_capability[9] = ebx;
+                c->x86_capability[CPUID_7_ECX] = ecx;
+                c->x86_capability[CPUID_7_EDX] = edx;
        }
        /* Extended state features: level 0x0000000d */
        if (c->cpuid_level >= 0x0000000d) {
-                u32 eax, ebx, ecx, edx;
                cpuid_count(0x0000000d, 1, &eax, &ebx, &ecx, &edx);
-                c->x86_capability[10] = eax;
+                c->x86_capability[CPUID_D_1_EAX] = eax;
        }
        /* Additional Intel-defined flags: level 0x0000000F */
        if (c->cpuid_level >= 0x0000000F) {
-                u32 eax, ebx, ecx, edx;
                /* QoS sub-leaf, EAX=0Fh, ECX=0 */
                cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx);
-                c->x86_capability[11] = edx;
+                c->x86_capability[CPUID_F_0_EDX] = edx;
                if (cpu_has(c, X86_FEATURE_CQM_LLC)) {
                        /* will be overridden if occupancy monitoring exists */
                        c->x86_cache_max_rmid = ebx;
                        /* QoS sub-leaf, EAX=0Fh, ECX=1 */
                        cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx);
-                        c->x86_capability[12] = edx;
+                        c->x86_capability[CPUID_F_1_EDX] = edx;
                        if (cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) {
                                c->x86_cache_max_rmid = ecx;
                                c->x86_cache_occ_scale = ebx;
@@ -731,32 +767,49 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
        }
        /* AMD-defined flags: level 0x80000001 */
-        xlvl = cpuid_eax(0x80000000);
+        eax = cpuid_eax(0x80000000);
-        c->extended_cpuid_level = xlvl;
+        c->extended_cpuid_level = eax;
-        if ((xlvl & 0xffff0000) == 0x80000000) {
+        if ((eax & 0xffff0000) == 0x80000000) {
-                if (xlvl >= 0x80000001) {
+                if (eax >= 0x80000001) {
-                        c->x86_capability[1] = cpuid_edx(0x80000001);
+                        cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
-                        c->x86_capability[6] = cpuid_ecx(0x80000001);
+                        c->x86_capability[CPUID_8000_0001_ECX] = ecx;
+                        c->x86_capability[CPUID_8000_0001_EDX] = edx;
                }
        }
+        if (c->extended_cpuid_level >= 0x80000007) {
+                cpuid(0x80000007, &eax, &ebx, &ecx, &edx);
+                c->x86_capability[CPUID_8000_0007_EBX] = ebx;
+                c->x86_power = edx;
+        }
        if (c->extended_cpuid_level >= 0x80000008) {
-                u32 eax = cpuid_eax(0x80000008);
+                cpuid(0x80000008, &eax, &ebx, &ecx, &edx);
                c->x86_virt_bits = (eax >> 8) & 0xff;
                c->x86_phys_bits = eax & 0xff;
-                c->x86_capability[13] = cpuid_ebx(0x80000008);
+                c->x86_capability[CPUID_8000_0008_EBX] = ebx;
        }
 #ifdef CONFIG_X86_32
        else if (cpu_has(c, X86_FEATURE_PAE) || cpu_has(c, X86_FEATURE_PSE36))
                c->x86_phys_bits = 36;
 #endif
-        if (c->extended_cpuid_level >= 0x80000007)
+        if (c->extended_cpuid_level >= 0x8000000a)
-                c->x86_power = cpuid_edx(0x80000007);
+                c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a);
        init_scattered_cpuid_features(c);
+        init_speculation_control(c);
+        /*
+         * Clear/Set all flags overridden by options, after probe.
+         * This needs to happen each time we re-probe, which may happen
+         * several times during CPU initialization.
+         */
+        apply_forced_caps(c);
 }
 static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
@@ -785,6 +838,95 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
 #endif
 }
+static const __initconst struct x86_cpu_id cpu_no_speculation[] = {
+        { X86_VENDOR_INTEL,     6, INTEL_FAM6_ATOM_CEDARVIEW,   X86_FEATURE_ANY },
+        { X86_VENDOR_INTEL,     6, INTEL_FAM6_ATOM_CLOVERVIEW,  X86_FEATURE_ANY },
+        { X86_VENDOR_INTEL,     6, INTEL_FAM6_ATOM_LINCROFT,    X86_FEATURE_ANY },
+        { X86_VENDOR_INTEL,     6, INTEL_FAM6_ATOM_PENWELL,     X86_FEATURE_ANY },
+        { X86_VENDOR_INTEL,     6, INTEL_FAM6_ATOM_PINEVIEW,    X86_FEATURE_ANY },
+        { X86_VENDOR_CENTAUR,   5 },
+        { X86_VENDOR_INTEL,     5 },
+        { X86_VENDOR_NSC,       5 },
+        { X86_VENDOR_ANY,       4 },
+        {}
+};
+static const __initconst struct x86_cpu_id cpu_no_meltdown[] = {
+        { X86_VENDOR_AMD },
+        {}
+};
+static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = {
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_PINEVIEW        },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_LINCROFT        },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_PENWELL         },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_CLOVERVIEW      },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_CEDARVIEW       },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_SILVERMONT1     },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_AIRMONT         },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_SILVERMONT2     },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_MERRIFIELD      },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_CORE_YONAH           },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_XEON_PHI_KNL         },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_XEON_PHI_KNM         },
+        { X86_VENDOR_CENTAUR,   5,                                      },
+        { X86_VENDOR_INTEL,     5,                                      },
+        { X86_VENDOR_NSC,       5,                                      },
+        { X86_VENDOR_AMD,       0x12,                                   },
+        { X86_VENDOR_AMD,       0x11,                                   },
+        { X86_VENDOR_AMD,       0x10,                                   },
+        { X86_VENDOR_AMD,       0xf,                                    },
+        { X86_VENDOR_ANY,       4,                                      },
+        {}
+};
+static const __initconst struct x86_cpu_id cpu_no_l1tf[] = {
+        /* in addition to cpu_no_speculation */
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_SILVERMONT1     },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_SILVERMONT2     },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_AIRMONT         },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_MERRIFIELD      },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_MOOREFIELD      },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_GOLDMONT        },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_DENVERTON       },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_GEMINI_LAKE     },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_XEON_PHI_KNL         },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_XEON_PHI_KNM         },
+        {}
+};
+static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
+{
+        u64 ia32_cap = 0;
+        if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
+                rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
+        if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
+           !(ia32_cap & ARCH_CAP_SSB_NO))
+                setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
+        if (x86_match_cpu(cpu_no_speculation))
+                return;
+        setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+        setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
+        if (x86_match_cpu(cpu_no_meltdown))
+                return;
+        /* Rogue Data Cache Load? No! */
+        if (ia32_cap & ARCH_CAP_RDCL_NO)
+                return;
+        setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
+        if (x86_match_cpu(cpu_no_l1tf))
+                return;
+        setup_force_cpu_bug(X86_BUG_L1TF);
+}
 /*
 * Do minimum CPU detection early.
 * Fields really needed: vendor, cpuid_level, family, model, mask,
@@ -831,11 +973,7 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
        setup_force_cpu_cap(X86_FEATURE_ALWAYS);
-        if (c->x86_vendor != X86_VENDOR_AMD)
+        cpu_set_bug_bits(c);
-                setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
-        setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
-        setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
        fpu__init_system(c);
@@ -955,7 +1093,7 @@ static void identify_cpu(struct cpuinfo_x86 *c)
        int i;
        c->loops_per_jiffy = loops_per_jiffy;
-        c->x86_cache_size = -1;
+        c->x86_cache_size = 0;
        c->x86_vendor = X86_VENDOR_UNKNOWN;
        c->x86_model = c->x86_mask = 0; /* So far unknown... */
        c->x86_vendor_id[0] = '\0'; /* Unset */
@@ -1124,6 +1262,7 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c)
        enable_sep_cpu();
 #endif
        mtrr_ap_init();
+        x86_spec_ctrl_setup_ap();
 }
 struct msr_range {
@@ -1539,7 +1678,9 @@ void cpu_init(void)
        printk(KERN_INFO "Initializing CPU#%d\n", cpu);
-        if (cpu_feature_enabled(X86_FEATURE_VME) || cpu_has_tsc || cpu_has_de)
+        if (cpu_feature_enabled(X86_FEATURE_VME) ||
+            cpu_has_tsc ||
+            boot_cpu_has(X86_FEATURE_DE))
                cr4_clear_bits(X86_CR4_VME|X86_CR4_PVI|X86_CR4_TSD|X86_CR4_DE);
        load_current_idt();
@@ -1572,20 +1713,6 @@ void cpu_init(void)
 }
 #endif
-#ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
-void warn_pre_alternatives(void)
-{
-        WARN(1, "You're using static_cpu_has before alternatives have run!\n");
-}
-EXPORT_SYMBOL_GPL(warn_pre_alternatives);
-#endif
-inline bool __static_cpu_has_safe(u16 bit)
-{
-        return boot_cpu_has(bit);
-}
-EXPORT_SYMBOL_GPL(__static_cpu_has_safe);
 static void bsp_resume(void)
 {
        if (this_cpu->c_bsp_resume)
diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
index 2584265d4745..3b19d82f7932 100644
--- a/arch/x86/kernel/cpu/cpu.h
+++ b/arch/x86/kernel/cpu/cpu.h
@@ -46,4 +46,7 @@ extern const struct cpu_dev *const __x86_cpu_dev_start[],
 extern void get_cpu_cap(struct cpuinfo_x86 *c);
 extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c);
+extern void x86_spec_ctrl_setup_ap(void);
 #endif /* ARCH_X86_CPU_H */
diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c
index aaf152e79637..15e47c1cd412 100644
--- a/arch/x86/kernel/cpu/cyrix.c
+++ b/arch/x86/kernel/cpu/cyrix.c
@@ -8,6 +8,7 @@
 #include <linux/timer.h>
 #include <asm/pci-direct.h>
 #include <asm/tsc.h>
+#include <asm/cpufeature.h>
 #include "cpu.h"
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index 209ac1e7d1f0..4dce22d3cb06 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -8,11 +8,12 @@
 #include <linux/module.h>
 #include <linux/uaccess.h>
-#include <asm/processor.h>
+#include <asm/cpufeature.h>
 #include <asm/pgtable.h>
 #include <asm/msr.h>
 #include <asm/bugs.h>
 #include <asm/cpu.h>
+#include <asm/intel-family.h>
 #ifdef CONFIG_X86_64
 #include <linux/topology.h>
@@ -25,6 +26,62 @@
 #include <asm/apic.h>
 #endif
+/*
+ * Early microcode releases for the Spectre v2 mitigation were broken.
+ * Information taken from;
+ * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf
+ * - https://kb.vmware.com/s/article/52345
+ * - Microcode revisions observed in the wild
+ * - Release note from 20180108 microcode release
+ */
+struct sku_microcode {
+        u8 model;
+        u8 stepping;
+        u32 microcode;
+};
+static const struct sku_microcode spectre_bad_microcodes[] = {
+        { INTEL_FAM6_KABYLAKE_DESKTOP,  0x0B,   0x80 },
+        { INTEL_FAM6_KABYLAKE_DESKTOP,  0x0A,   0x80 },
+        { INTEL_FAM6_KABYLAKE_DESKTOP,  0x09,   0x80 },
+        { INTEL_FAM6_KABYLAKE_MOBILE,   0x0A,   0x80 },
+        { INTEL_FAM6_KABYLAKE_MOBILE,   0x09,   0x80 },
+        { INTEL_FAM6_SKYLAKE_X,         0x03,   0x0100013e },
+        { INTEL_FAM6_SKYLAKE_X,         0x04,   0x0200003c },
+        { INTEL_FAM6_BROADWELL_CORE,    0x04,   0x28 },
+        { INTEL_FAM6_BROADWELL_GT3E,    0x01,   0x1b },
+        { INTEL_FAM6_BROADWELL_XEON_D,  0x02,   0x14 },
+        { INTEL_FAM6_BROADWELL_XEON_D,  0x03,   0x07000011 },
+        { INTEL_FAM6_BROADWELL_X,       0x01,   0x0b000025 },
+        { INTEL_FAM6_HASWELL_ULT,       0x01,   0x21 },
+        { INTEL_FAM6_HASWELL_GT3E,      0x01,   0x18 },
+        { INTEL_FAM6_HASWELL_CORE,      0x03,   0x23 },
+        { INTEL_FAM6_HASWELL_X,         0x02,   0x3b },
+        { INTEL_FAM6_HASWELL_X,         0x04,   0x10 },
+        { INTEL_FAM6_IVYBRIDGE_X,       0x04,   0x42a },
+        /* Observed in the wild */
+        { INTEL_FAM6_SANDYBRIDGE_X,     0x06,   0x61b },
+        { INTEL_FAM6_SANDYBRIDGE_X,     0x07,   0x712 },
+};
+static bool bad_spectre_microcode(struct cpuinfo_x86 *c)
+{
+        int i;
+        /*
+         * We know that the hypervisor lie to us on the microcode version so
+         * we may as well hope that it is running the correct version.
+         */
+        if (cpu_has(c, X86_FEATURE_HYPERVISOR))
+                return false;
+        for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
+                if (c->x86_model == spectre_bad_microcodes[i].model &&
+                    c->x86_mask == spectre_bad_microcodes[i].stepping)
+                        return (c->microcode <= spectre_bad_microcodes[i].microcode);
+        }
+        return false;
+}
 static void early_init_intel(struct cpuinfo_x86 *c)
 {
        u64 misc_enable;
@@ -51,6 +108,22 @@ static void early_init_intel(struct cpuinfo_x86 *c)
                rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode);
        }
+        /* Now if any of them are set, check the blacklist and clear the lot */
+        if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
+             cpu_has(c, X86_FEATURE_INTEL_STIBP) ||
+             cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) ||
+             cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) {
+                pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n");
+                setup_clear_cpu_cap(X86_FEATURE_IBRS);
+                setup_clear_cpu_cap(X86_FEATURE_IBPB);
+                setup_clear_cpu_cap(X86_FEATURE_STIBP);
+                setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
+                setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL);
+                setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
+                setup_clear_cpu_cap(X86_FEATURE_SSBD);
+                setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL_SSBD);
+        }
        /*
         * Atom erratum AAE44/AAF40/AAG38/AAH41:
         *
@@ -445,7 +518,8 @@ static void init_intel(struct cpuinfo_x86 *c)
        if (cpu_has_xmm2)
                set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);
-        if (cpu_has_ds) {
+        if (boot_cpu_has(X86_FEATURE_DS)) {
                unsigned int l1;
                rdmsr(MSR_IA32_MISC_ENABLE, l1, l2);
                if (!(l1 & (1<<11)))
diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
index e38d338a6447..3557b3ceab14 100644
--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
+++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
@@ -14,7 +14,7 @@
 #include <linux/sysfs.h>
 #include <linux/pci.h>
-#include <asm/processor.h>
+#include <asm/cpufeature.h>
 #include <asm/amd_nb.h>
 #include <asm/smp.h>
@@ -591,7 +591,7 @@ cpuid4_cache_lookup_regs(int index, struct _cpuid4_info_regs *this_leaf)
        unsigned                edx;
        if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) {
-                if (cpu_has_topoext)
+                if (boot_cpu_has(X86_FEATURE_TOPOEXT))
                        cpuid_count(0x8000001d, index, &eax.full,
                                    &ebx.full, &ecx.full, &edx);
                else
@@ -637,7 +637,7 @@ static int find_num_cache_leaves(struct cpuinfo_x86 *c)
 void init_amd_cacheinfo(struct cpuinfo_x86 *c)
 {
-        if (cpu_has_topoext) {
+        if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
                num_cache_leaves = find_num_cache_leaves(c);
        } else if (c->extended_cpuid_level >= 0x80000006) {
                if (cpuid_edx(0x80000006) & 0xf000)
@@ -809,7 +809,7 @@ static int __cache_amd_cpumap_setup(unsigned int cpu, int index,
        struct cacheinfo *this_leaf;
        int i, sibling;
-        if (cpu_has_topoext) {
+        if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
                unsigned int apicid, nshared, first, last;
                this_leaf = this_cpu_ci->info_list + index;
@@ -934,6 +934,8 @@ static int __populate_cache_leaves(unsigned int cpu)
                ci_leaf_init(this_leaf++, &id4_regs);
                __cache_cpumap_setup(cpu, idx, &id4_regs);
        }
+        this_cpu_ci->cpu_map_populated = true;
        return 0;
 }
diff --git a/arch/x86/kernel/cpu/match.c b/arch/x86/kernel/cpu/match.c
index afa9f0d487ea..fbb5e90557a5 100644
--- a/arch/x86/kernel/cpu/match.c
+++ b/arch/x86/kernel/cpu/match.c
@@ -1,5 +1,5 @@
 #include <asm/cpu_device_id.h>
-#include <asm/processor.h>
+#include <asm/cpufeature.h>
 #include <linux/cpu.h>
 #include <linux/module.h>
 #include <linux/slab.h>
diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c
index 4cfba4371a71..101bfae369e1 100644
--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
+++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
@@ -152,7 +152,6 @@ static void raise_mce(struct mce *m)
        if (context == MCJ_CTX_RANDOM)
                return;
-#ifdef CONFIG_X86_LOCAL_APIC
        if (m->inject_flags & (MCJ_IRQ_BROADCAST | MCJ_NMI_BROADCAST)) {
                unsigned long start;
                int cpu;
@@ -193,9 +192,7 @@ static void raise_mce(struct mce *m)
                raise_local();
                put_cpu();
                put_online_cpus();
-        } else
+        } else {
-#endif
-        {
                preempt_disable();
                raise_local();
                preempt_enable();
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
index 364fbad72e60..7b8c8c838191 100644
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -60,6 +60,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mutex);
        smp_load_acquire(&(p)); \
 })
+/* sysfs synchronization */
+static DEFINE_MUTEX(mce_sysfs_mutex);
 #define CREATE_TRACE_POINTS
 #include <trace/events/mce.h>
@@ -977,11 +980,12 @@ void do_machine_check(struct pt_regs *regs, long error_code)
        int i;
        int worst = 0;
        int severity;
        /*
         * Establish sequential order between the CPUs entering the machine
         * check handler.
         */
-        int order;
+        int order = -1;
        /*
         * If no_way_out gets set, there is no safe way to recover from this
         * MCE.  If mca_cfg.tolerant is cranked up, we'll try anyway.
@@ -997,7 +1001,12 @@ void do_machine_check(struct pt_regs *regs, long error_code)
        char *msg = "Unknown";
        u64 recover_paddr = ~0ull;
        int flags = MF_ACTION_REQUIRED;
-        int lmce = 0;
+        /*
+         * MCEs are always local on AMD. Same is determined by MCG_STATUS_LMCES
+         * on Intel.
+         */
+        int lmce = 1;
        /* If this CPU is offline, just bail out. */
        if (cpu_is_offline(smp_processor_id())) {
@@ -1036,17 +1045,23 @@ void do_machine_check(struct pt_regs *regs, long error_code)
                kill_it = 1;
        /*
-         * Check if this MCE is signaled to only this logical processor
+         * Check if this MCE is signaled to only this logical processor,
+         * on Intel only.
         */
-        if (m.mcgstatus & MCG_STATUS_LMCES)
+        if (m.cpuvendor == X86_VENDOR_INTEL)
-                lmce = 1;
+                lmce = m.mcgstatus & MCG_STATUS_LMCES;
-        else {
-                /*
+        /*
-                 * Go through all the banks in exclusion of the other CPUs.
+         * Local machine check may already know that we have to panic.
-                 * This way we don't report duplicated events on shared banks
+         * Broadcast machine check begins rendezvous in mce_start()
-                 * because the first one to see it will clear it.
+         * Go through all banks in exclusion of the other CPUs. This way we
-                 * If this is a Local MCE, then no need to perform rendezvous.
+         * don't report duplicated events on shared banks because the first one
-                 */
+         * to see it will clear it.
+         */
+        if (lmce) {
+                if (no_way_out)
+                        mce_panic("Fatal local machine check", &m, msg);
+        } else {
                order = mce_start(&no_way_out);
        }
@@ -1125,12 +1140,17 @@ void do_machine_check(struct pt_regs *regs, long error_code)
                        no_way_out = worst >= MCE_PANIC_SEVERITY;
        } else {
                /*
-                 * Local MCE skipped calling mce_reign()
+                 * If there was a fatal machine check we should have
-                 * If we found a fatal error, we need to panic here.
+                 * already called mce_panic earlier in this function.
+                 * Since we re-read the banks, we might have found
+                 * something new. Check again to see if we found a
+                 * fatal error. We call "mce_severity()" again to
+                 * make sure we have the right "msg".
                 */
-                 if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3)
+                if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3) {
-                        mce_panic("Machine check from unknown source",
+                        mce_severity(&m, cfg->tolerant, &msg, true);
-                                NULL, NULL);
+                        mce_panic("Local fatal machine check!", &m, msg);
+                }
        }
        /*
@@ -2220,6 +2240,7 @@ static ssize_t set_ignore_ce(struct device *s,
        if (kstrtou64(buf, 0, &new) < 0)
                return -EINVAL;
+        mutex_lock(&mce_sysfs_mutex);
        if (mca_cfg.ignore_ce ^ !!new) {
                if (new) {
                        /* disable ce features */
@@ -2232,6 +2253,8 @@ static ssize_t set_ignore_ce(struct device *s,
                        on_each_cpu(mce_enable_ce, (void *)1, 1);
                }
        }
+        mutex_unlock(&mce_sysfs_mutex);
        return size;
 }
@@ -2244,6 +2267,7 @@ static ssize_t set_cmci_disabled(struct device *s,
        if (kstrtou64(buf, 0, &new) < 0)
                return -EINVAL;
+        mutex_lock(&mce_sysfs_mutex);
        if (mca_cfg.cmci_disabled ^ !!new) {
                if (new) {
                        /* disable cmci */
@@ -2255,6 +2279,8 @@ static ssize_t set_cmci_disabled(struct device *s,
                        on_each_cpu(mce_enable_ce, NULL, 1);
                }
        }
+        mutex_unlock(&mce_sysfs_mutex);
        return size;
 }
@@ -2262,8 +2288,16 @@ static ssize_t store_int_with_restart(struct device *s,
                                      struct device_attribute *attr,
                                      const char *buf, size_t size)
 {
-        ssize_t ret = device_store_int(s, attr, buf, size);
+        unsigned long old_check_interval = check_interval;
+        ssize_t ret = device_store_ulong(s, attr, buf, size);
+        if (check_interval == old_check_interval)
+                return ret;
+        mutex_lock(&mce_sysfs_mutex);
        mce_restart();
+        mutex_unlock(&mce_sysfs_mutex);
        return ret;
 }
diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
index 2a0f44d225fe..6da6f9cd6d2d 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -131,6 +131,9 @@ static size_t compute_container_size(u8 *data, u32 total_size)
        return size;
 }
+static enum ucode_state
+load_microcode_amd(bool save, u8 family, const u8 *data, size_t size);
 /*
 * Early load occurs before we can vmalloc(). So we look for the microcode
 * patch container file in initrd, traverse equivalent cpu table, look for a
@@ -438,7 +441,7 @@ int __init save_microcode_in_initrd_amd(void)
        eax   = cpuid_eax(0x00000001);
        eax   = ((eax >> 8) & 0xf) + ((eax >> 20) & 0xff);
-        ret = load_microcode_amd(smp_processor_id(), eax, container, container_size);
+        ret = load_microcode_amd(true, eax, container, container_size);
        if (ret != UCODE_OK)
                retval = -EINVAL;
@@ -854,7 +857,8 @@ static enum ucode_state __load_microcode_amd(u8 family, const u8 *data,
        return UCODE_OK;
 }
-enum ucode_state load_microcode_amd(int cpu, u8 family, const u8 *data, size_t size)
+static enum ucode_state
+load_microcode_amd(bool save, u8 family, const u8 *data, size_t size)
 {
        enum ucode_state ret;
@@ -868,8 +872,8 @@ enum ucode_state load_microcode_amd(int cpu, u8 family, const u8 *data, size_t s
 #ifdef CONFIG_X86_32
        /* save BSP's matching patch for early load */
-        if (cpu_data(cpu).cpu_index == boot_cpu_data.cpu_index) {
+        if (save) {
-                struct ucode_patch *p = find_patch(cpu);
+                struct ucode_patch *p = find_patch(0);
                if (p) {
                        memset(amd_ucode_patch, 0, PATCH_MAX_SIZE);
                        memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data),
@@ -901,11 +905,12 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device,
 {
        char fw_name[36] = "amd-ucode/microcode_amd.bin";
        struct cpuinfo_x86 *c = &cpu_data(cpu);
+        bool bsp = c->cpu_index == boot_cpu_data.cpu_index;
        enum ucode_state ret = UCODE_NFOUND;
        const struct firmware *fw;
        /* reload ucode container only on the boot cpu */
-        if (!refresh_fw || c->cpu_index != boot_cpu_data.cpu_index)
+        if (!refresh_fw || !bsp)
                return UCODE_OK;
        if (c->x86 >= 0x15)
@@ -922,7 +927,7 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device,
                goto fw_release;
        }
-        ret = load_microcode_amd(cpu, c->x86, fw->data, fw->size);
+        ret = load_microcode_amd(bsp, c->x86, fw->data, fw->size);
 fw_release:
        release_firmware(fw);
diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
index b3e94ef461fd..ce5f8a2e7ae6 100644
--- a/arch/x86/kernel/cpu/microcode/core.c
+++ b/arch/x86/kernel/cpu/microcode/core.c
@@ -44,7 +44,7 @@
 static struct microcode_ops     *microcode_ops;
-static bool dis_ucode_ldr;
+static bool dis_ucode_ldr = true;
 static int __init disable_loader(char *str)
 {
@@ -81,6 +81,7 @@ struct cpu_info_ctx {
 static bool __init check_loader_disabled_bsp(void)
 {
+        u32 a, b, c, d;
 #ifdef CONFIG_X86_32
        const char *cmdline = (const char *)__pa_nodebug(boot_command_line);
        const char *opt     = "dis_ucode_ldr";
@@ -93,8 +94,20 @@ static bool __init check_loader_disabled_bsp(void)
        bool *res = &dis_ucode_ldr;
 #endif
-        if (cmdline_find_option_bool(cmdline, option))
+        a = 1;
-                *res = true;
+        c = 0;
+        native_cpuid(&a, &b, &c, &d);
+        /*
+         * CPUID(1).ECX[31]: reserved for hypervisor use. This is still not
+         * completely accurate as xen pv guests don't see that CPUID bit set but
+         * that's good enough as they don't land on the BSP path anyway.
+         */
+        if (c & BIT(31))
+                return *res;
+        if (cmdline_find_option_bool(cmdline, option) <= 0)
+                *res = false;
        return *res;
 }
@@ -122,9 +135,7 @@ void __init load_ucode_bsp(void)
 {
        int vendor;
        unsigned int family;
+        bool intel = true;
-        if (check_loader_disabled_bsp())
-                return;
        if (!have_cpuid_p())
                return;
@@ -134,16 +145,27 @@ void __init load_ucode_bsp(void)
        switch (vendor) {
        case X86_VENDOR_INTEL:
-                if (family >= 6)
+                if (family < 6)
-                        load_ucode_intel_bsp();
+                        return;
                break;
        case X86_VENDOR_AMD:
-                if (family >= 0x10)
+                if (family < 0x10)
-                        load_ucode_amd_bsp(family);
+                        return;
+                intel = false;
                break;
        default:
-                break;
+                return;
        }
+        if (check_loader_disabled_bsp())
+                return;
+        if (intel)
+                load_ucode_intel_bsp();
+        else
+                load_ucode_amd_bsp(family);
 }
 static bool check_loader_disabled_ap(void)
@@ -162,9 +184,6 @@ void load_ucode_ap(void)
        if (check_loader_disabled_ap())
                return;
-        if (!have_cpuid_p())
-                return;
        vendor = x86_vendor();
        family = x86_family();
diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index b428a8174be1..2f38a99cdb98 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -39,6 +39,9 @@
 #include <asm/setup.h>
 #include <asm/msr.h>
+/* last level cache size per core */
+static int llc_size_per_core;
 static unsigned long mc_saved_in_initrd[MAX_UCODE_COUNT];
 static struct mc_saved_data {
        unsigned int mc_saved_count;
@@ -996,15 +999,18 @@ static bool is_blacklisted(unsigned int cpu)
        /*
         * Late loading on model 79 with microcode revision less than 0x0b000021
-         * may result in a system hang. This behavior is documented in item
+         * and LLC size per core bigger than 2.5MB may result in a system hang.
-         * BDF90, #334165 (Intel Xeon Processor E7-8800/4800 v4 Product Family).
+         * This behavior is documented in item BDF90, #334165 (Intel Xeon
+         * Processor E7-8800/4800 v4 Product Family).
         */
        if (c->x86 == 6 &&
            c->x86_model == 79 &&
            c->x86_mask == 0x01 &&
+            llc_size_per_core > 2621440 &&
            c->microcode < 0x0b000021) {
                pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode);
                pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
+                return true;
        }
        return false;
@@ -1067,6 +1073,15 @@ static struct microcode_ops microcode_intel_ops = {
        .microcode_fini_cpu               = microcode_fini_cpu,
 };
+static int __init calc_llc_size_per_core(struct cpuinfo_x86 *c)
+{
+        u64 llc_size = c->x86_cache_size * 1024ULL;
+        do_div(llc_size, c->x86_max_cores);
+        return (int)llc_size;
+}
 struct microcode_ops * __init init_intel_microcode(void)
 {
        struct cpuinfo_x86 *c = &boot_cpu_data;
@@ -1077,6 +1092,8 @@ struct microcode_ops * __init init_intel_microcode(void)
                return NULL;
        }
+        llc_size_per_core = calc_llc_size_per_core(c);
        return &microcode_intel_ops;
 }
diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh
index 3f20710a5b23..6988c74409a8 100644
--- a/arch/x86/kernel/cpu/mkcapflags.sh
+++ b/arch/x86/kernel/cpu/mkcapflags.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeature.h
+# Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h
 #
 IN=$1
@@ -49,8 +49,8 @@ dump_array()
 trap 'rm "$OUT"' EXIT
 (
-        echo "#ifndef _ASM_X86_CPUFEATURE_H"
+        echo "#ifndef _ASM_X86_CPUFEATURES_H"
-        echo "#include <asm/cpufeature.h>"
+        echo "#include <asm/cpufeatures.h>"
        echo "#endif"
        echo ""
diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
index b5624fafa44a..136ae86f4f5f 100644
--- a/arch/x86/kernel/cpu/mtrr/generic.c
+++ b/arch/x86/kernel/cpu/mtrr/generic.c
@@ -349,7 +349,7 @@ static void get_fixed_ranges(mtrr_type *frs)
 void mtrr_save_fixed_ranges(void *info)
 {
-        if (cpu_has_mtrr)
+        if (boot_cpu_has(X86_FEATURE_MTRR))
                get_fixed_ranges(mtrr_state.fixed_ranges);
 }
diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
index fa77ac8291f0..49bd700d9b7f 100644
--- a/arch/x86/kernel/cpu/mtrr/main.c
+++ b/arch/x86/kernel/cpu/mtrr/main.c
@@ -47,7 +47,7 @@
 #include <linux/smp.h>
 #include <linux/syscore_ops.h>
-#include <asm/processor.h>
+#include <asm/cpufeature.h>
 #include <asm/e820.h>
 #include <asm/mtrr.h>
 #include <asm/msr.h>
@@ -682,7 +682,7 @@ void __init mtrr_bp_init(void)
        phys_addr = 32;
-        if (cpu_has_mtrr) {
+        if (boot_cpu_has(X86_FEATURE_MTRR)) {
                mtrr_if = &generic_mtrr_ops;
                size_or_mask = SIZE_OR_MASK_BITS(36);
                size_and_mask = 0x00f00000;
diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index 5b2f2306fbcc..fbf2edc3eb35 100644
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -25,6 +25,7 @@
 #include <linux/cpu.h>
 #include <linux/bitops.h>
 #include <linux/device.h>
+#include <linux/nospec.h>
 #include <asm/apic.h>
 #include <asm/stacktrace.h>
@@ -188,8 +189,8 @@ static void release_pmc_hardware(void) {}
 static bool check_hw_exists(void)
 {
-        u64 val, val_fail, val_new= ~0;
+        u64 val, val_fail = -1, val_new= ~0;
-        int i, reg, reg_fail, ret = 0;
+        int i, reg, reg_fail = -1, ret = 0;
        int bios_fail = 0;
        int reg_safe = -1;
@@ -297,17 +298,20 @@ set_ext_hw_attr(struct hw_perf_event *hwc, struct perf_event *event)
        config = attr->config;
-        cache_type = (config >>  0) & 0xff;
+        cache_type = (config >> 0) & 0xff;
        if (cache_type >= PERF_COUNT_HW_CACHE_MAX)
                return -EINVAL;
+        cache_type = array_index_nospec(cache_type, PERF_COUNT_HW_CACHE_MAX);
        cache_op = (config >>  8) & 0xff;
        if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX)
                return -EINVAL;
+        cache_op = array_index_nospec(cache_op, PERF_COUNT_HW_CACHE_OP_MAX);
        cache_result = (config >> 16) & 0xff;
        if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX)
                return -EINVAL;
+        cache_result = array_index_nospec(cache_result, PERF_COUNT_HW_CACHE_RESULT_MAX);
        val = hw_cache_event_ids[cache_type][cache_op][cache_result];
@@ -404,6 +408,8 @@ int x86_setup_perfctr(struct perf_event *event)
        if (attr->config >= x86_pmu.max_events)
                return -EINVAL;
+        attr->config = array_index_nospec((unsigned long)attr->config, x86_pmu.max_events);
        /*
         * The generic map:
         */
diff --git a/arch/x86/kernel/cpu/perf_event_amd.c b/arch/x86/kernel/cpu/perf_event_amd.c
index 1cee5d2d7ece..3ea177cb7366 100644
--- a/arch/x86/kernel/cpu/perf_event_amd.c
+++ b/arch/x86/kernel/cpu/perf_event_amd.c
@@ -160,7 +160,7 @@ static inline int amd_pmu_addr_offset(int index, bool eventsel)
        if (offset)
                return offset;
-        if (!cpu_has_perfctr_core)
+        if (!boot_cpu_has(X86_FEATURE_PERFCTR_CORE))
                offset = index;
        else
                offset = index << 1;
@@ -652,7 +652,7 @@ static __initconst const struct x86_pmu amd_pmu = {
 static int __init amd_core_pmu_init(void)
 {
-        if (!cpu_has_perfctr_core)
+        if (!boot_cpu_has(X86_FEATURE_PERFCTR_CORE))
                return 0;
        switch (boot_cpu_data.x86) {
diff --git a/arch/x86/kernel/cpu/perf_event_amd_uncore.c b/arch/x86/kernel/cpu/perf_event_amd_uncore.c
index cc6cedb8f25d..49742746a6c9 100644
--- a/arch/x86/kernel/cpu/perf_event_amd_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_amd_uncore.c
@@ -523,10 +523,10 @@ static int __init amd_uncore_init(void)
        if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
                goto fail_nodev;
-        if (!cpu_has_topoext)
+        if (!boot_cpu_has(X86_FEATURE_TOPOEXT))
                goto fail_nodev;
-        if (cpu_has_perfctr_nb) {
+        if (boot_cpu_has(X86_FEATURE_PERFCTR_NB)) {
                amd_uncore_nb = alloc_percpu(struct amd_uncore *);
                if (!amd_uncore_nb) {
                        ret = -ENOMEM;
@@ -540,7 +540,7 @@ static int __init amd_uncore_init(void)
                ret = 0;
        }
-        if (cpu_has_perfctr_l2) {
+        if (boot_cpu_has(X86_FEATURE_PERFCTR_L2)) {
                amd_uncore_l2 = alloc_percpu(struct amd_uncore *);
                if (!amd_uncore_l2) {
                        ret = -ENOMEM;
@@ -583,10 +583,11 @@ fail_online:
        /* amd_uncore_nb/l2 should have been freed by cleanup_cpu_online */
        amd_uncore_nb = amd_uncore_l2 = NULL;
-        if (cpu_has_perfctr_l2)
+        if (boot_cpu_has(X86_FEATURE_PERFCTR_L2))
                perf_pmu_unregister(&amd_l2_pmu);
 fail_l2:
-        if (cpu_has_perfctr_nb)
+        if (boot_cpu_has(X86_FEATURE_PERFCTR_NB))
                perf_pmu_unregister(&amd_nb_pmu);
        if (amd_uncore_l2)
                free_percpu(amd_uncore_l2);
diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
index 5cc2242d77c6..7b79c80ce029 100644
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -2716,7 +2716,7 @@ static unsigned bdw_limit_period(struct perf_event *event, unsigned left)
                        X86_CONFIG(.event=0xc0, .umask=0x01)) {
                if (left < 128)
                        left = 128;
-                left &= ~0x3fu;
+                left &= ~0x3fULL;
        }
        return left;
 }
diff --git a/arch/x86/kernel/cpu/perf_event_intel_bts.c b/arch/x86/kernel/cpu/perf_event_intel_bts.c
index 2cad71d1b14c..5af11c46d0b9 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_bts.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_bts.c
@@ -22,6 +22,7 @@
 #include <linux/debugfs.h>
 #include <linux/device.h>
 #include <linux/coredump.h>
+#include <linux/kaiser.h>
 #include <asm-generic/sizes.h>
 #include <asm/perf_event.h>
@@ -67,6 +68,23 @@ static size_t buf_size(struct page *page)
        return 1 << (PAGE_SHIFT + page_private(page));
 }
+static void bts_buffer_free_aux(void *data)
+{
+#ifdef CONFIG_PAGE_TABLE_ISOLATION
+        struct bts_buffer *buf = data;
+        int nbuf;
+        for (nbuf = 0; nbuf < buf->nr_bufs; nbuf++) {
+                struct page *page = buf->buf[nbuf].page;
+                void *kaddr = page_address(page);
+                size_t page_size = buf_size(page);
+                kaiser_remove_mapping((unsigned long)kaddr, page_size);
+        }
+#endif
+        kfree(data);
+}
 static void *
 bts_buffer_setup_aux(int cpu, void **pages, int nr_pages, bool overwrite)
 {
@@ -103,29 +121,33 @@ bts_buffer_setup_aux(int cpu, void **pages, int nr_pages, bool overwrite)
        buf->real_size = size - size % BTS_RECORD_SIZE;
        for (pg = 0, nbuf = 0, offset = 0, pad = 0; nbuf < buf->nr_bufs; nbuf++) {
-                unsigned int __nr_pages;
+                void *kaddr = pages[pg];
+                size_t page_size;
+                page = virt_to_page(kaddr);
+                page_size = buf_size(page);
+                if (kaiser_add_mapping((unsigned long)kaddr,
+                                        page_size, __PAGE_KERNEL) < 0) {
+                        buf->nr_bufs = nbuf;
+                        bts_buffer_free_aux(buf);
+                        return NULL;
+                }
-                page = virt_to_page(pages[pg]);
-                __nr_pages = PagePrivate(page) ? 1 << page_private(page) : 1;
                buf->buf[nbuf].page = page;
                buf->buf[nbuf].offset = offset;
                buf->buf[nbuf].displacement = (pad ? BTS_RECORD_SIZE - pad : 0);
-                buf->buf[nbuf].size = buf_size(page) - buf->buf[nbuf].displacement;
+                buf->buf[nbuf].size = page_size - buf->buf[nbuf].displacement;
                pad = buf->buf[nbuf].size % BTS_RECORD_SIZE;
                buf->buf[nbuf].size -= pad;
-                pg += __nr_pages;
+                pg += page_size >> PAGE_SHIFT;
-                offset += __nr_pages << PAGE_SHIFT;
+                offset += page_size;
        }
        return buf;
 }
-static void bts_buffer_free_aux(void *data)
-{
-        kfree(data);
-}
 static unsigned long bts_buffer_offset(struct bts_buffer *buf, unsigned int idx)
 {
        return buf->buf[idx].offset + buf->buf[idx].displacement;
diff --git a/arch/x86/kernel/cpu/perf_event_intel_cstate.c b/arch/x86/kernel/cpu/perf_event_intel_cstate.c
index 75a38b5a2e26..5b8c90935270 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_cstate.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_cstate.c
@@ -88,6 +88,7 @@
 #include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/perf_event.h>
+#include <linux/nospec.h>
 #include <asm/cpu_device_id.h>
 #include "perf_event.h"
@@ -409,6 +410,7 @@ static int cstate_pmu_event_init(struct perf_event *event)
        } else if (event->pmu == &cstate_pkg_pmu) {
                if (cfg >= PERF_CSTATE_PKG_EVENT_MAX)
                        return -EINVAL;
+                cfg = array_index_nospec((unsigned long)cfg, PERF_CSTATE_PKG_EVENT_MAX);
                if (!pkg_msr[cfg].attr)
                        return -EINVAL;
                event->hw.event_base = pkg_msr[cfg].msr;
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
index 61215a69b03d..b22e9c4dd111 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
@@ -229,7 +229,7 @@ void uncore_perf_event_update(struct intel_uncore_box *box, struct perf_event *e
        u64 prev_count, new_count, delta;
        int shift;
-        if (event->hw.idx >= UNCORE_PMC_IDX_FIXED)
+        if (event->hw.idx == UNCORE_PMC_IDX_FIXED)
                shift = 64 - uncore_fixed_ctr_bits(box);
        else
                shift = 64 - uncore_perf_ctr_bits(box);
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c b/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c
index 2749965afed0..83cadc2605a7 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c
@@ -240,7 +240,7 @@ static void nhmex_uncore_msr_enable_event(struct intel_uncore_box *box, struct p
 {
        struct hw_perf_event *hwc = &event->hw;
-        if (hwc->idx >= UNCORE_PMC_IDX_FIXED)
+        if (hwc->idx == UNCORE_PMC_IDX_FIXED)
                wrmsrl(hwc->config_base, NHMEX_PMON_CTL_EN_BIT0);
        else if (box->pmu->type->event_mask & NHMEX_PMON_CTL_EN_BIT0)
                wrmsrl(hwc->config_base, hwc->config | NHMEX_PMON_CTL_EN_BIT22);
diff --git a/arch/x86/kernel/cpu/perf_event_msr.c b/arch/x86/kernel/cpu/perf_event_msr.c
index ec863b9a9f78..067427384a63 100644
--- a/arch/x86/kernel/cpu/perf_event_msr.c
+++ b/arch/x86/kernel/cpu/perf_event_msr.c
@@ -1,4 +1,5 @@
 #include <linux/perf_event.h>
+#include <linux/nospec.h>
 enum perf_msr_id {
        PERF_MSR_TSC                    = 0,
@@ -115,9 +116,6 @@ static int msr_event_init(struct perf_event *event)
        if (event->attr.type != event->pmu->type)
                return -ENOENT;
-        if (cfg >= PERF_MSR_EVENT_MAX)
-                return -EINVAL;
        /* unsupported modes and filters */
        if (event->attr.exclude_user   ||
            event->attr.exclude_kernel ||
@@ -128,6 +126,11 @@ static int msr_event_init(struct perf_event *event)
            event->attr.sample_period) /* no sampling */
                return -EINVAL;
+        if (cfg >= PERF_MSR_EVENT_MAX)
+                return -EINVAL;
+        cfg = array_index_nospec((unsigned long)cfg, PERF_MSR_EVENT_MAX);
        if (!msr[cfg].attr)
                return -EINVAL;
diff --git a/arch/x86/kernel/cpu/proc.c b/arch/x86/kernel/cpu/proc.c
index 18ca99f2798b..935225c0375f 100644
--- a/arch/x86/kernel/cpu/proc.c
+++ b/arch/x86/kernel/cpu/proc.c
@@ -87,8 +87,8 @@ static int show_cpuinfo(struct seq_file *m, void *v)
        }
        /* Cache size */
-        if (c->x86_cache_size >= 0)
+        if (c->x86_cache_size)
-                seq_printf(m, "cache size\t: %d KB\n", c->x86_cache_size);
+                seq_printf(m, "cache size\t: %u KB\n", c->x86_cache_size);
        show_cpuinfo_core(m, c, cpu);
        show_cpuinfo_misc(m, c);
diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c
index 608fb26c7254..8cb57df9398d 100644
--- a/arch/x86/kernel/cpu/scattered.c
+++ b/arch/x86/kernel/cpu/scattered.c
@@ -31,32 +31,12 @@ void init_scattered_cpuid_features(struct cpuinfo_x86 *c)
        const struct cpuid_bit *cb;
        static const struct cpuid_bit cpuid_bits[] = {
-                { X86_FEATURE_DTHERM,           CR_EAX, 0, 0x00000006, 0 },
-                { X86_FEATURE_IDA,              CR_EAX, 1, 0x00000006, 0 },
-                { X86_FEATURE_ARAT,             CR_EAX, 2, 0x00000006, 0 },
-                { X86_FEATURE_PLN,              CR_EAX, 4, 0x00000006, 0 },
-                { X86_FEATURE_PTS,              CR_EAX, 6, 0x00000006, 0 },
-                { X86_FEATURE_HWP,              CR_EAX, 7, 0x00000006, 0 },
-                { X86_FEATURE_HWP_NOTIFY,       CR_EAX, 8, 0x00000006, 0 },
-                { X86_FEATURE_HWP_ACT_WINDOW,   CR_EAX, 9, 0x00000006, 0 },
-                { X86_FEATURE_HWP_EPP,          CR_EAX,10, 0x00000006, 0 },
-                { X86_FEATURE_HWP_PKG_REQ,      CR_EAX,11, 0x00000006, 0 },
                { X86_FEATURE_INTEL_PT,         CR_EBX,25, 0x00000007, 0 },
                { X86_FEATURE_APERFMPERF,       CR_ECX, 0, 0x00000006, 0 },
                { X86_FEATURE_EPB,              CR_ECX, 3, 0x00000006, 0 },
                { X86_FEATURE_HW_PSTATE,        CR_EDX, 7, 0x80000007, 0 },
                { X86_FEATURE_CPB,              CR_EDX, 9, 0x80000007, 0 },
                { X86_FEATURE_PROC_FEEDBACK,    CR_EDX,11, 0x80000007, 0 },
-                { X86_FEATURE_NPT,              CR_EDX, 0, 0x8000000a, 0 },
-                { X86_FEATURE_LBRV,             CR_EDX, 1, 0x8000000a, 0 },
-                { X86_FEATURE_SVML,             CR_EDX, 2, 0x8000000a, 0 },
-                { X86_FEATURE_NRIPS,            CR_EDX, 3, 0x8000000a, 0 },
-                { X86_FEATURE_TSCRATEMSR,       CR_EDX, 4, 0x8000000a, 0 },
-                { X86_FEATURE_VMCBCLEAN,        CR_EDX, 5, 0x8000000a, 0 },
-                { X86_FEATURE_FLUSHBYASID,      CR_EDX, 6, 0x8000000a, 0 },
-                { X86_FEATURE_DECODEASSISTS,    CR_EDX, 7, 0x8000000a, 0 },
-                { X86_FEATURE_PAUSEFILTER,      CR_EDX,10, 0x8000000a, 0 },
-                { X86_FEATURE_PFTHRESHOLD,      CR_EDX,12, 0x8000000a, 0 },
                { 0, 0, 0, 0, 0 }
        };
diff --git a/arch/x86/kernel/cpu/transmeta.c b/arch/x86/kernel/cpu/transmeta.c
index 3fa0e5ad86b4..a19a663282b5 100644
--- a/arch/x86/kernel/cpu/transmeta.c
+++ b/arch/x86/kernel/cpu/transmeta.c
@@ -1,6 +1,6 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
-#include <asm/processor.h>
+#include <asm/cpufeature.h>
 #include <asm/msr.h>
 #include "cpu.h"
@@ -12,7 +12,7 @@ static void early_init_transmeta(struct cpuinfo_x86 *c)
        xlvl = cpuid_eax(0x80860000);
        if ((xlvl & 0xffff0000) == 0x80860000) {
                if (xlvl >= 0x80860001)
-                        c->x86_capability[2] = cpuid_edx(0x80860001);
+                        c->x86_capability[CPUID_8086_0001_EDX] = cpuid_edx(0x80860001);
        }
 }
@@ -82,7 +82,7 @@ static void init_transmeta(struct cpuinfo_x86 *c)
        /* Unhide possibly hidden capability flags */
        rdmsr(0x80860004, cap_mask, uk);
        wrmsr(0x80860004, ~0, uk);
-        c->x86_capability[0] = cpuid_edx(0x00000001);
+        c->x86_capability[CPUID_1_EDX] = cpuid_edx(0x00000001);
        wrmsr(0x80860004, cap_mask, uk);
        /* All Transmeta CPUs have a constant TSC */
diff --git a/arch/x86/kernel/devicetree.c b/arch/x86/kernel/devicetree.c
index 1f4acd68b98b..74b8dcd1bbdc 100644
--- a/arch/x86/kernel/devicetree.c
+++ b/arch/x86/kernel/devicetree.c
@@ -11,6 +11,7 @@
 #include <linux/of_address.h>
 #include <linux/of_platform.h>
 #include <linux/of_irq.h>
+#include <linux/libfdt.h>
 #include <linux/slab.h>
 #include <linux/pci.h>
 #include <linux/of_pci.h>
@@ -199,19 +200,22 @@ static struct of_ioapic_type of_ioapic_type[] =
 static int dt_irqdomain_alloc(struct irq_domain *domain, unsigned int virq,
                              unsigned int nr_irqs, void *arg)
 {
-        struct of_phandle_args *irq_data = (void *)arg;
+        struct irq_fwspec *fwspec = (struct irq_fwspec *)arg;
        struct of_ioapic_type *it;
        struct irq_alloc_info tmp;
+        int type_index;
-        if (WARN_ON(irq_data->args_count < 2))
+        if (WARN_ON(fwspec->param_count < 2))
                return -EINVAL;
-        if (irq_data->args[1] >= ARRAY_SIZE(of_ioapic_type))
+        type_index = fwspec->param[1];
+        if (type_index >= ARRAY_SIZE(of_ioapic_type))
                return -EINVAL;
-        it = &of_ioapic_type[irq_data->args[1]];
+        it = &of_ioapic_type[type_index];
        ioapic_set_alloc_attr(&tmp, NUMA_NO_NODE, it->trigger, it->polarity);
        tmp.ioapic_id = mpc_ioapic_id(mp_irqdomain_ioapic_idx(domain));
-        tmp.ioapic_pin = irq_data->args[0];
+        tmp.ioapic_pin = fwspec->param[0];
        return mp_irqdomain_alloc(domain, virq, nr_irqs, &tmp);
 }
@@ -276,14 +280,15 @@ static void __init x86_flattree_get_config(void)
        map_len = max(PAGE_SIZE - (initial_dtb & ~PAGE_MASK), (u64)128);
-        initial_boot_params = dt = early_memremap(initial_dtb, map_len);
+        dt = early_memremap(initial_dtb, map_len);
-        size = of_get_flat_dt_size();
+        size = fdt_totalsize(dt);
        if (map_len < size) {
                early_memunmap(dt, map_len);
-                initial_boot_params = dt = early_memremap(initial_dtb, size);
+                dt = early_memremap(initial_dtb, size);
                map_len = size;
        }
+        early_init_dt_verify(dt);
        unflatten_and_copy_device_tree();
        early_memunmap(dt, map_len);
 }
diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c
index 52a2526c3fbe..19bc19d5e174 100644
--- a/arch/x86/kernel/e820.c
+++ b/arch/x86/kernel/e820.c
@@ -24,6 +24,7 @@
 #include <asm/e820.h>
 #include <asm/proto.h>
 #include <asm/setup.h>
+#include <asm/cpufeature.h>
 /*
 * The e820 map is the map that gets modified e.g. with command line parameters
diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
index d25097c3fc1d..6aa0b519c851 100644
--- a/arch/x86/kernel/fpu/core.c
+++ b/arch/x86/kernel/fpu/core.c
@@ -114,6 +114,10 @@ void __kernel_fpu_begin(void)
        kernel_fpu_disable();
        if (fpu->fpregs_active) {
+                /*
+                 * Ignore return value -- we don't care if reg state
+                 * is clobbered.
+                 */
                copy_fpregs_to_fpstate(fpu);
        } else {
                this_cpu_write(fpu_fpregs_owner_ctx, NULL);
@@ -189,8 +193,12 @@ void fpu__save(struct fpu *fpu)
        preempt_disable();
        if (fpu->fpregs_active) {
-                if (!copy_fpregs_to_fpstate(fpu))
+                if (!copy_fpregs_to_fpstate(fpu)) {
-                        fpregs_deactivate(fpu);
+                        if (use_eager_fpu())
+                                copy_kernel_to_fpregs(&fpu->state);
+                        else
+                                fpregs_deactivate(fpu);
+                }
        }
        preempt_enable();
 }
@@ -259,7 +267,11 @@ static void fpu_copy(struct fpu *dst_fpu, struct fpu *src_fpu)
        preempt_disable();
        if (!copy_fpregs_to_fpstate(dst_fpu)) {
                memcpy(&src_fpu->state, &dst_fpu->state, xstate_size);
-                fpregs_deactivate(src_fpu);
+                if (use_eager_fpu())
+                        copy_kernel_to_fpregs(&src_fpu->state);
+                else
+                        fpregs_deactivate(src_fpu);
        }
        preempt_enable();
 }
@@ -409,8 +421,10 @@ static inline void copy_init_fpstate_to_fpregs(void)
 {
        if (use_xsave())
                copy_kernel_to_xregs(&init_fpstate.xsave, -1);
-        else
+        else if (static_cpu_has(X86_FEATURE_FXSR))
                copy_kernel_to_fxregs(&init_fpstate.fxsave);
+        else
+                copy_kernel_to_fregs(&init_fpstate.fsave);
 }
 /*
@@ -423,7 +437,7 @@ void fpu__clear(struct fpu *fpu)
 {
        WARN_ON_FPU(fpu != &current->thread.fpu); /* Almost certainly an anomaly */
-        if (!use_eager_fpu()) {
+        if (!use_eager_fpu() || !static_cpu_has(X86_FEATURE_FPU)) {
                /* FPU state will be reallocated lazily at the first use. */
                fpu__drop(fpu);
        } else {
diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c
index 1011c05b1bd5..954517285fa2 100644
--- a/arch/x86/kernel/fpu/init.c
+++ b/arch/x86/kernel/fpu/init.c
@@ -3,8 +3,11 @@
 */
 #include <asm/fpu/internal.h>
 #include <asm/tlbflush.h>
+#include <asm/setup.h>
+#include <asm/cmdline.h>
 #include <linux/sched.h>
+#include <linux/init.h>
 /*
 * Initialize the TS bit in CR0 according to the style of context-switches
@@ -12,10 +15,7 @@
 */
 static void fpu__init_cpu_ctx_switch(void)
 {
-        if (!cpu_has_eager_fpu)
+        clts();
-                stts();
-        else
-                clts();
 }
 /*
@@ -75,13 +75,15 @@ static void fpu__init_system_early_generic(struct cpuinfo_x86 *c)
        cr0 &= ~(X86_CR0_TS | X86_CR0_EM);
        write_cr0(cr0);
-        asm volatile("fninit ; fnstsw %0 ; fnstcw %1"
+        if (!test_bit(X86_FEATURE_FPU, (unsigned long *)cpu_caps_cleared)) {
-                     : "+m" (fsw), "+m" (fcw));
+                asm volatile("fninit ; fnstsw %0 ; fnstcw %1"
+                             : "+m" (fsw), "+m" (fcw));
-        if (fsw == 0 && (fcw & 0x103f) == 0x003f)
+                if (fsw == 0 && (fcw & 0x103f) == 0x003f)
-                set_cpu_cap(c, X86_FEATURE_FPU);
+                        set_cpu_cap(c, X86_FEATURE_FPU);
-        else
+                else
-                clear_cpu_cap(c, X86_FEATURE_FPU);
+                        clear_cpu_cap(c, X86_FEATURE_FPU);
+        }
 #ifndef CONFIG_MATH_EMULATION
        if (!cpu_has_fpu) {
@@ -130,7 +132,7 @@ static void __init fpu__init_system_generic(void)
         * Set up the legacy init FPU context. (xstate init might overwrite this
         * with a more modern format, if the CPU supports it.)
         */
-        fpstate_init_fxstate(&init_fpstate.fxsave);
+        fpstate_init(&init_fpstate);
        fpu__init_system_mxcsr();
 }
@@ -230,53 +232,16 @@ static void __init fpu__init_system_xstate_size_legacy(void)
 }
 /*
- * FPU context switching strategies:
+ * Find supported xfeatures based on cpu features and command-line input.
- *
+ * This must be called after fpu__init_parse_early_param() is called and
- * Against popular belief, we don't do lazy FPU saves, due to the
+ * xfeatures_mask is enumerated.
- * task migration complications it brings on SMP - we only do
- * lazy FPU restores.
- *
- * 'lazy' is the traditional strategy, which is based on setting
- * CR0::TS to 1 during context-switch (instead of doing a full
- * restore of the FPU state), which causes the first FPU instruction
- * after the context switch (whenever it is executed) to fault - at
- * which point we lazily restore the FPU state into FPU registers.
- *
- * Tasks are of course under no obligation to execute FPU instructions,
- * so it can easily happen that another context-switch occurs without
- * a single FPU instruction being executed. If we eventually switch
- * back to the original task (that still owns the FPU) then we have
- * not only saved the restores along the way, but we also have the
- * FPU ready to be used for the original task.
- *
- * 'eager' switching is used on modern CPUs, there we switch the FPU
- * state during every context switch, regardless of whether the task
- * has used FPU instructions in that time slice or not. This is done
- * because modern FPU context saving instructions are able to optimize
- * state saving and restoration in hardware: they can detect both
- * unused and untouched FPU state and optimize accordingly.
- *
- * [ Note that even in 'lazy' mode we might optimize context switches
- *   to use 'eager' restores, if we detect that a task is using the FPU
- *   frequently. See the fpu->counter logic in fpu/internal.h for that. ]
 */
-static enum { AUTO, ENABLE, DISABLE } eagerfpu = AUTO;
+u64 __init fpu__get_supported_xfeatures_mask(void)
-static int __init eager_fpu_setup(char *s)
 {
-        if (!strcmp(s, "on"))
+        return XCNTXT_MASK;
-                eagerfpu = ENABLE;
-        else if (!strcmp(s, "off"))
-                eagerfpu = DISABLE;
-        else if (!strcmp(s, "auto"))
-                eagerfpu = AUTO;
-        return 1;
 }
-__setup("eagerfpu=", eager_fpu_setup);
-/*
+/* Legacy code to initialize eager fpu mode. */
- * Pick the FPU context switching strategy:
- */
 static void __init fpu__init_system_ctx_switch(void)
 {
        static bool on_boot_cpu = 1;
@@ -286,25 +251,31 @@ static void __init fpu__init_system_ctx_switch(void)
        WARN_ON_FPU(current->thread.fpu.fpstate_active);
        current_thread_info()->status = 0;
+}
-        /* Auto enable eagerfpu for xsaveopt */
+/*
-        if (cpu_has_xsaveopt && eagerfpu != DISABLE)
+ * We parse fpu parameters early because fpu__init_system() is executed
-                eagerfpu = ENABLE;
+ * before parse_early_param().
+ */
-        if (xfeatures_mask & XFEATURE_MASK_EAGER) {
+static void __init fpu__init_parse_early_param(void)
-                if (eagerfpu == DISABLE) {
+{
-                        pr_err("x86/fpu: eagerfpu switching disabled, disabling the following xstate features: 0x%llx.\n",
+        if (cmdline_find_option_bool(boot_command_line, "no387"))
-                               xfeatures_mask & XFEATURE_MASK_EAGER);
+                setup_clear_cpu_cap(X86_FEATURE_FPU);
-                        xfeatures_mask &= ~XFEATURE_MASK_EAGER;
-                } else {
+        if (cmdline_find_option_bool(boot_command_line, "nofxsr")) {
-                        eagerfpu = ENABLE;
+                setup_clear_cpu_cap(X86_FEATURE_FXSR);
-                }
+                setup_clear_cpu_cap(X86_FEATURE_FXSR_OPT);
+                setup_clear_cpu_cap(X86_FEATURE_XMM);
        }
-        if (eagerfpu == ENABLE)
+        if (cmdline_find_option_bool(boot_command_line, "noxsave"))
-                setup_force_cpu_cap(X86_FEATURE_EAGER_FPU);
+                fpu__xstate_clear_all_cpu_caps();
+        if (cmdline_find_option_bool(boot_command_line, "noxsaveopt"))
+                setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
-        printk(KERN_INFO "x86/fpu: Using '%s' FPU context switches.\n", eagerfpu == ENABLE ? "eager" : "lazy");
+        if (cmdline_find_option_bool(boot_command_line, "noxsaves"))
+                setup_clear_cpu_cap(X86_FEATURE_XSAVES);
 }
 /*
@@ -313,6 +284,7 @@ static void __init fpu__init_system_ctx_switch(void)
 */
 void __init fpu__init_system(struct cpuinfo_x86 *c)
 {
+        fpu__init_parse_early_param();
        fpu__init_system_early_generic(c);
        /*
@@ -336,62 +308,3 @@ void __init fpu__init_system(struct cpuinfo_x86 *c)
        fpu__init_system_ctx_switch();
 }
-/*
- * Boot parameter to turn off FPU support and fall back to math-emu:
- */
-static int __init no_387(char *s)
-{
-        setup_clear_cpu_cap(X86_FEATURE_FPU);
-        return 1;
-}
-__setup("no387", no_387);
-/*
- * Disable all xstate CPU features:
- */
-static int __init x86_noxsave_setup(char *s)
-{
-        if (strlen(s))
-                return 0;
-        fpu__xstate_clear_all_cpu_caps();
-        return 1;
-}
-__setup("noxsave", x86_noxsave_setup);
-/*
- * Disable the XSAVEOPT instruction specifically:
- */
-static int __init x86_noxsaveopt_setup(char *s)
-{
-        setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
-        return 1;
-}
-__setup("noxsaveopt", x86_noxsaveopt_setup);
-/*
- * Disable the XSAVES instruction:
- */
-static int __init x86_noxsaves_setup(char *s)
-{
-        setup_clear_cpu_cap(X86_FEATURE_XSAVES);
-        return 1;
-}
-__setup("noxsaves", x86_noxsaves_setup);
-/*
- * Disable FX save/restore and SSE support:
- */
-static int __init x86_nofxsr_setup(char *s)
-{
-        setup_clear_cpu_cap(X86_FEATURE_FXSR);
-        setup_clear_cpu_cap(X86_FEATURE_FXSR_OPT);
-        setup_clear_cpu_cap(X86_FEATURE_XMM);
-        return 1;
-}
-__setup("nofxsr", x86_nofxsr_setup);
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index 70fc312221fc..3fa200ecca62 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -632,8 +632,7 @@ void __init fpu__init_system_xstate(void)
                BUG();
        }
-        /* Support only the state known to the OS: */
+        xfeatures_mask &= fpu__get_supported_xfeatures_mask();
-        xfeatures_mask = xfeatures_mask & XCNTXT_MASK;
        /* Enable xstate instructions to be able to continue with initialization: */
        fpu__init_cpu_xstate();
diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
index 8f1a3f443f7d..1c0b49fd6365 100644
--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -19,7 +19,7 @@
 #include <asm/setup.h>
 #include <asm/processor-flags.h>
 #include <asm/msr-index.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/percpu.h>
 #include <asm/nops.h>
 #include <asm/bootparam.h>
@@ -669,14 +669,17 @@ __PAGE_ALIGNED_BSS
 initial_pg_pmd:
        .fill 1024*KPMDS,4,0
 #else
-ENTRY(initial_page_table)
+.globl initial_page_table
+initial_page_table:
        .fill 1024,4,0
 #endif
 initial_pg_fixmap:
        .fill 1024,4,0
-ENTRY(empty_zero_page)
+.globl empty_zero_page
+empty_zero_page:
        .fill 4096,1,0
-ENTRY(swapper_pg_dir)
+.globl swapper_pg_dir
+swapper_pg_dir:
        .fill 1024,4,0
 /*
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
index 4034e905741a..734ba1d0f686 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -76,9 +76,7 @@ startup_64:
        subq    $_text - __START_KERNEL_map, %rbp
        /* Is the address not 2M aligned? */
-        movq    %rbp, %rax
+        testl   $~PMD_PAGE_MASK, %ebp
-        andl    $~PMD_PAGE_MASK, %eax
-        testl   %eax, %eax
        jnz     bad_address
        /*
diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c
index f48eb8eeefe2..3fdc1e53aaac 100644
--- a/arch/x86/kernel/hpet.c
+++ b/arch/x86/kernel/hpet.c
@@ -12,6 +12,7 @@
 #include <linux/pm.h>
 #include <linux/io.h>
+#include <asm/cpufeature.h>
 #include <asm/irqdomain.h>
 #include <asm/fixmap.h>
 #include <asm/hpet.h>
diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
index 50a3fad5b89f..2bcfb5f2bc44 100644
--- a/arch/x86/kernel/hw_breakpoint.c
+++ b/arch/x86/kernel/hw_breakpoint.c
@@ -300,6 +300,10 @@ static int arch_build_bp_info(struct perf_event *bp)
                        return -EINVAL;
                if (bp->attr.bp_addr & (bp->attr.bp_len - 1))
                        return -EINVAL;
+                if (!boot_cpu_has(X86_FEATURE_BPEXT))
+                        return -EOPNOTSUPP;
                /*
                 * It's impossible to use a range breakpoint to fake out
                 * user vs kernel detection because bp_len - 1 can't
@@ -307,8 +311,6 @@ static int arch_build_bp_info(struct perf_event *bp)
                 * breakpoints, then we'll have to check for kprobe-blacklisted
                 * addresses anywhere in the range.
                 */
-                if (!cpu_has_bpext)
-                        return -EOPNOTSUPP;
                info->mask = bp->attr.bp_len - 1;
                info->len = X86_BREAKPOINT_LEN_1;
        }
diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c
index 64341aa485ae..d40ee8a38fed 100644
--- a/arch/x86/kernel/i386_ksyms_32.c
+++ b/arch/x86/kernel/i386_ksyms_32.c
@@ -42,3 +42,5 @@ EXPORT_SYMBOL(empty_zero_page);
 EXPORT_SYMBOL(___preempt_schedule);
 EXPORT_SYMBOL(___preempt_schedule_notrace);
 #endif
+EXPORT_SYMBOL(__sw_hweight32);
diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
index be22f5a2192e..4e3b8a587c88 100644
--- a/arch/x86/kernel/i8259.c
+++ b/arch/x86/kernel/i8259.c
@@ -418,6 +418,7 @@ struct legacy_pic default_legacy_pic = {
 };
 struct legacy_pic *legacy_pic = &default_legacy_pic;
+EXPORT_SYMBOL(legacy_pic);
 static int __init i8259A_init_ops(void)
 {
diff --git a/arch/x86/kernel/irqflags.S b/arch/x86/kernel/irqflags.S
new file mode 100644
index 000000000000..3817eb748eb4
--- /dev/null
+++ b/arch/x86/kernel/irqflags.S
@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include <asm/asm.h>
+#include <asm-generic/export.h>
+#include <linux/linkage.h>
+/*
+ * unsigned long native_save_fl(void)
+ */
+ENTRY(native_save_fl)
+        pushf
+        pop %_ASM_AX
+        ret
+ENDPROC(native_save_fl)
+EXPORT_SYMBOL(native_save_fl)
+/*
+ * void native_restore_fl(unsigned long flags)
+ * %eax/%rdi: flags
+ */
+ENTRY(native_restore_fl)
+        push %_ASM_ARG1
+        popf
+        ret
+ENDPROC(native_restore_fl)
+EXPORT_SYMBOL(native_restore_fl)
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 99d293ea2b49..c6f466d6cc57 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -49,6 +49,7 @@
 #include <linux/kdebug.h>
 #include <linux/kallsyms.h>
 #include <linux/ftrace.h>
+#include <linux/moduleloader.h>
 #include <asm/cacheflush.h>
 #include <asm/desc.h>
@@ -196,6 +197,8 @@ retry:
                return (opcode != 0x62 && opcode != 0x67);
        case 0x70:
                return 0; /* can't boost conditional jump */
+        case 0x90:
+                return opcode != 0x9a;  /* can't boost call far */
        case 0xc0:
                /* can't boost software-interruptions */
                return (0xc1 < opcode && opcode < 0xcc) || opcode == 0xcf;
@@ -390,7 +393,6 @@ int __copy_instruction(u8 *dest, u8 *src)
                newdisp = (u8 *) src + (s64) insn.displacement.value - (u8 *) dest;
                if ((s64) (s32) newdisp != newdisp) {
                        pr_err("Kprobes error: new displacement does not fit into s32 (%llx)\n", newdisp);
-                        pr_err("\tSrc: %p, Dest: %p, old disp: %x\n", src, dest, insn.displacement.value);
                        return 0;
                }
                disp = (u8 *) dest + insn_offset_displacement(&insn);
@@ -400,23 +402,48 @@ int __copy_instruction(u8 *dest, u8 *src)
        return length;
 }
+/* Recover page to RW mode before releasing it */
+void free_insn_page(void *page)
+{
+        set_memory_nx((unsigned long)page & PAGE_MASK, 1);
+        set_memory_rw((unsigned long)page & PAGE_MASK, 1);
+        module_memfree(page);
+}
+/* Prepare reljump right after instruction to boost */
+static void prepare_boost(struct kprobe *p, int length)
+{
+        if (can_boost(p->ainsn.insn, p->addr) &&
+            MAX_INSN_SIZE - length >= RELATIVEJUMP_SIZE) {
+                /*
+                 * These instructions can be executed directly if it
+                 * jumps back to correct address.
+                 */
+                synthesize_reljump(p->ainsn.insn + length, p->addr + length);
+                p->ainsn.boostable = 1;
+        } else {
+                p->ainsn.boostable = -1;
+        }
+}
 static int arch_copy_kprobe(struct kprobe *p)
 {
-        int ret;
+        int len;
+        set_memory_rw((unsigned long)p->ainsn.insn & PAGE_MASK, 1);
        /* Copy an instruction with recovering if other optprobe modifies it.*/
-        ret = __copy_instruction(p->ainsn.insn, p->addr);
+        len = __copy_instruction(p->ainsn.insn, p->addr);
-        if (!ret)
+        if (!len)
                return -EINVAL;
        /*
         * __copy_instruction can modify the displacement of the instruction,
         * but it doesn't affect boostable check.
         */
-        if (can_boost(p->ainsn.insn, p->addr))
+        prepare_boost(p, len);
-                p->ainsn.boostable = 0;
-        else
+        set_memory_ro((unsigned long)p->ainsn.insn & PAGE_MASK, 1);
-                p->ainsn.boostable = -1;
        /* Check whether the instruction modifies Interrupt Flag or not */
        p->ainsn.if_modifier = is_IF_modifier(p->ainsn.insn);
@@ -581,8 +608,7 @@ static int reenter_kprobe(struct kprobe *p, struct pt_regs *regs,
                 * Raise a BUG or we'll continue in an endless reentering loop
                 * and eventually a stack overflow.
                 */
-                printk(KERN_WARNING "Unrecoverable kprobe detected at %p.\n",
+                pr_err("Unrecoverable kprobe detected.\n");
-                       p->addr);
                dump_kprobe(p);
                BUG();
        default:
@@ -879,21 +905,6 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs,
                break;
        }
-        if (p->ainsn.boostable == 0) {
-                if ((regs->ip > copy_ip) &&
-                    (regs->ip - copy_ip) + 5 < MAX_INSN_SIZE) {
-                        /*
-                         * These instructions can be executed directly if it
-                         * jumps back to correct address.
-                         */
-                        synthesize_reljump((void *)regs->ip,
-                                (void *)orig_ip + (regs->ip - copy_ip));
-                        p->ainsn.boostable = 1;
-                } else {
-                        p->ainsn.boostable = -1;
-                }
-        }
        regs->ip += orig_ip - copy_ip;
 no_change:
diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
index ea8e2b846101..7aba9d6475a5 100644
--- a/arch/x86/kernel/kprobes/opt.c
+++ b/arch/x86/kernel/kprobes/opt.c
@@ -370,6 +370,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
        }
        buf = (u8 *)op->optinsn.insn;
+        set_memory_rw((unsigned long)buf & PAGE_MASK, 1);
        /* Copy instructions into the out-of-line buffer */
        ret = copy_optimized_instructions(buf + TMPL_END_IDX, op->kp.addr);
@@ -392,6 +393,8 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
        synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
                           (u8 *)op->kp.addr + op->optinsn.size);
+        set_memory_ro((unsigned long)buf & PAGE_MASK, 1);
        flush_icache_range((unsigned long) buf,
                           (unsigned long) buf + TMPL_END_IDX +
                           op->optinsn.size + RELATIVEJUMP_SIZE);
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index bc429365b72a..8bc68cfc0d33 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -119,7 +119,7 @@ static void free_ldt_struct(struct ldt_struct *ldt)
 * we do not have to muck with descriptors here, that is
 * done in switch_mm() as needed.
 */
-int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
+int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm)
 {
        struct ldt_struct *new_ldt;
        struct mm_struct *old_mm;
@@ -160,7 +160,7 @@ out_unlock:
 *
 * 64bit: Don't touch the LDT register - we're already in the next thread.
 */
-void destroy_context(struct mm_struct *mm)
+void destroy_context_ldt(struct mm_struct *mm)
 {
        free_ldt_struct(mm->context.ldt);
        mm->context.ldt = NULL;
diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
index 469b23d6acc2..fd7e9937ddd6 100644
--- a/arch/x86/kernel/machine_kexec_32.c
+++ b/arch/x86/kernel/machine_kexec_32.c
@@ -71,12 +71,17 @@ static void load_segments(void)
 static void machine_kexec_free_page_tables(struct kimage *image)
 {
        free_page((unsigned long)image->arch.pgd);
+        image->arch.pgd = NULL;
 #ifdef CONFIG_X86_PAE
        free_page((unsigned long)image->arch.pmd0);
+        image->arch.pmd0 = NULL;
        free_page((unsigned long)image->arch.pmd1);
+        image->arch.pmd1 = NULL;
 #endif
        free_page((unsigned long)image->arch.pte0);
+        image->arch.pte0 = NULL;
        free_page((unsigned long)image->arch.pte1);
+        image->arch.pte1 = NULL;
 }
 static int machine_kexec_alloc_page_tables(struct kimage *image)
@@ -93,7 +98,6 @@ static int machine_kexec_alloc_page_tables(struct kimage *image)
            !image->arch.pmd0 || !image->arch.pmd1 ||
 #endif
            !image->arch.pte0 || !image->arch.pte1) {
-                machine_kexec_free_page_tables(image);
                return -ENOMEM;
        }
        return 0;
diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
index 64979821bc2e..2ddb850bceab 100644
--- a/arch/x86/kernel/machine_kexec_64.c
+++ b/arch/x86/kernel/machine_kexec_64.c
@@ -37,8 +37,11 @@ static struct kexec_file_ops *kexec_file_loaders[] = {
 static void free_transition_pgtable(struct kimage *image)
 {
        free_page((unsigned long)image->arch.pud);
+        image->arch.pud = NULL;
        free_page((unsigned long)image->arch.pmd);
+        image->arch.pmd = NULL;
        free_page((unsigned long)image->arch.pte);
+        image->arch.pte = NULL;
 }
 static int init_transition_pgtable(struct kimage *image, pgd_t *pgd)
@@ -79,7 +82,6 @@ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd)
        set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
        return 0;
 err:
-        free_transition_pgtable(image);
        return result;
 }
@@ -519,6 +521,7 @@ int arch_kexec_apply_relocations_add(const Elf64_Ehdr *ehdr,
                                goto overflow;
                        break;
                case R_X86_64_PC32:
+                case R_X86_64_PLT32:
                        value -= (u64)address;
                        *(u32 *)location = value;
                        break;
diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
index 005c03e93fc5..94779f66bf49 100644
--- a/arch/x86/kernel/module.c
+++ b/arch/x86/kernel/module.c
@@ -170,19 +170,28 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
                case R_X86_64_NONE:
                        break;
                case R_X86_64_64:
+                        if (*(u64 *)loc != 0)
+                                goto invalid_relocation;
                        *(u64 *)loc = val;
                        break;
                case R_X86_64_32:
+                        if (*(u32 *)loc != 0)
+                                goto invalid_relocation;
                        *(u32 *)loc = val;
                        if (val != *(u32 *)loc)
                                goto overflow;
                        break;
                case R_X86_64_32S:
+                        if (*(s32 *)loc != 0)
+                                goto invalid_relocation;
                        *(s32 *)loc = val;
                        if ((s64)val != *(s32 *)loc)
                                goto overflow;
                        break;
                case R_X86_64_PC32:
+                case R_X86_64_PLT32:
+                        if (*(u32 *)loc != 0)
+                                goto invalid_relocation;
                        val -= (u64)loc;
                        *(u32 *)loc = val;
 #if 0
@@ -198,6 +207,11 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
        }
        return 0;
+invalid_relocation:
+        pr_err("x86/modules: Skipping invalid relocation target, existing value is nonzero for type %d, loc %p, val %Lx\n",
+               (int)ELF64_R_TYPE(rel[i].r_info), loc, val);
+        return -ENOEXEC;
 overflow:
        pr_err("overflow in relocation type %d val %Lx\n",
               (int)ELF64_R_TYPE(rel[i].r_info), val);
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 113e70784854..f95ac5d435aa 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -40,7 +40,7 @@
 #include <linux/uaccess.h>
 #include <linux/gfp.h>
-#include <asm/processor.h>
+#include <asm/cpufeature.h>
 #include <asm/msr.h>
 static struct class *msr_class;
diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
index f534a0e3af53..632195b41688 100644
--- a/arch/x86/kernel/paravirt.c
+++ b/arch/x86/kernel/paravirt.c
@@ -97,10 +97,12 @@ unsigned paravirt_patch_call(void *insnbuf,
        struct branch *b = insnbuf;
        unsigned long delta = (unsigned long)target - (addr+5);
-        if (tgt_clobbers & ~site_clobbers)
+        if (len < 5) {
-                return len;     /* target would clobber too much for this site */
+#ifdef CONFIG_RETPOLINE
-        if (len < 5)
+                WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr);
+#endif
                return len;     /* call too long for patch site */
+        }
        b->opcode = 0xe8; /* call */
        b->delta = delta;
@@ -115,8 +117,12 @@ unsigned paravirt_patch_jmp(void *insnbuf, const void *target,
        struct branch *b = insnbuf;
        unsigned long delta = (unsigned long)target - (addr+5);
-        if (len < 5)
+        if (len < 5) {
+#ifdef CONFIG_RETPOLINE
+                WARN_ONCE("Failing to patch indirect JMP in %ps\n", (void *)addr);
+#endif
                return len;     /* call too long for patch site */
+        }
        b->opcode = 0xe9;       /* jmp */
        b->delta = delta;
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 7c5c5dc90ffa..e18c8798c3a2 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -31,6 +31,7 @@
 #include <asm/tlbflush.h>
 #include <asm/mce.h>
 #include <asm/vm86.h>
+#include <asm/spec-ctrl.h>
 /*
 * per-CPU TSS segments. Threads are completely 'soft' on Linux,
@@ -130,11 +131,6 @@ void flush_thread(void)
        fpu__clear(&tsk->thread.fpu);
 }
-static void hard_disable_TSC(void)
-{
-        cr4_set_bits(X86_CR4_TSD);
-}
 void disable_TSC(void)
 {
        preempt_disable();
@@ -143,15 +139,10 @@ void disable_TSC(void)
                 * Must flip the CPU state synchronously with
                 * TIF_NOTSC in the current running context.
                 */
-                hard_disable_TSC();
+                cr4_set_bits(X86_CR4_TSD);
        preempt_enable();
 }
-static void hard_enable_TSC(void)
-{
-        cr4_clear_bits(X86_CR4_TSD);
-}
 static void enable_TSC(void)
 {
        preempt_disable();
@@ -160,7 +151,7 @@ static void enable_TSC(void)
                 * Must flip the CPU state synchronously with
                 * TIF_NOTSC in the current running context.
                 */
-                hard_enable_TSC();
+                cr4_clear_bits(X86_CR4_TSD);
        preempt_enable();
 }
@@ -188,48 +179,199 @@ int set_tsc_mode(unsigned int val)
        return 0;
 }
-void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
+static inline void switch_to_bitmap(struct tss_struct *tss,
-                      struct tss_struct *tss)
+                                    struct thread_struct *prev,
+                                    struct thread_struct *next,
+                                    unsigned long tifp, unsigned long tifn)
 {
-        struct thread_struct *prev, *next;
+        if (tifn & _TIF_IO_BITMAP) {
-        prev = &prev_p->thread;
-        next = &next_p->thread;
-        if (test_tsk_thread_flag(prev_p, TIF_BLOCKSTEP) ^
-            test_tsk_thread_flag(next_p, TIF_BLOCKSTEP)) {
-                unsigned long debugctl = get_debugctlmsr();
-                debugctl &= ~DEBUGCTLMSR_BTF;
-                if (test_tsk_thread_flag(next_p, TIF_BLOCKSTEP))
-                        debugctl |= DEBUGCTLMSR_BTF;
-                update_debugctlmsr(debugctl);
-        }
-        if (test_tsk_thread_flag(prev_p, TIF_NOTSC) ^
-            test_tsk_thread_flag(next_p, TIF_NOTSC)) {
-                /* prev and next are different */
-                if (test_tsk_thread_flag(next_p, TIF_NOTSC))
-                        hard_disable_TSC();
-                else
-                        hard_enable_TSC();
-        }
-        if (test_tsk_thread_flag(next_p, TIF_IO_BITMAP)) {
                /*
                 * Copy the relevant range of the IO bitmap.
                 * Normally this is 128 bytes or less:
                 */
                memcpy(tss->io_bitmap, next->io_bitmap_ptr,
                       max(prev->io_bitmap_max, next->io_bitmap_max));
-        } else if (test_tsk_thread_flag(prev_p, TIF_IO_BITMAP)) {
+        } else if (tifp & _TIF_IO_BITMAP) {
                /*
                 * Clear any possible leftover bits:
                 */
                memset(tss->io_bitmap, 0xff, prev->io_bitmap_max);
        }
+}
+#ifdef CONFIG_SMP
+struct ssb_state {
+        struct ssb_state        *shared_state;
+        raw_spinlock_t          lock;
+        unsigned int            disable_state;
+        unsigned long           local_state;
+};
+#define LSTATE_SSB      0
+static DEFINE_PER_CPU(struct ssb_state, ssb_state);
+void speculative_store_bypass_ht_init(void)
+{
+        struct ssb_state *st = this_cpu_ptr(&ssb_state);
+        unsigned int this_cpu = smp_processor_id();
+        unsigned int cpu;
+        st->local_state = 0;
+        /*
+         * Shared state setup happens once on the first bringup
+         * of the CPU. It's not destroyed on CPU hotunplug.
+         */
+        if (st->shared_state)
+                return;
+        raw_spin_lock_init(&st->lock);
+        /*
+         * Go over HT siblings and check whether one of them has set up the
+         * shared state pointer already.
+         */
+        for_each_cpu(cpu, topology_sibling_cpumask(this_cpu)) {
+                if (cpu == this_cpu)
+                        continue;
+                if (!per_cpu(ssb_state, cpu).shared_state)
+                        continue;
+                /* Link it to the state of the sibling: */
+                st->shared_state = per_cpu(ssb_state, cpu).shared_state;
+                return;
+        }
+        /*
+         * First HT sibling to come up on the core.  Link shared state of
+         * the first HT sibling to itself. The siblings on the same core
+         * which come up later will see the shared state pointer and link
+         * themself to the state of this CPU.
+         */
+        st->shared_state = st;
+}
+/*
+ * Logic is: First HT sibling enables SSBD for both siblings in the core
+ * and last sibling to disable it, disables it for the whole core. This how
+ * MSR_SPEC_CTRL works in "hardware":
+ *
+ *  CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL
+ */
+static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
+{
+        struct ssb_state *st = this_cpu_ptr(&ssb_state);
+        u64 msr = x86_amd_ls_cfg_base;
+        if (!static_cpu_has(X86_FEATURE_ZEN)) {
+                msr |= ssbd_tif_to_amd_ls_cfg(tifn);
+                wrmsrl(MSR_AMD64_LS_CFG, msr);
+                return;
+        }
+        if (tifn & _TIF_SSBD) {
+                /*
+                 * Since this can race with prctl(), block reentry on the
+                 * same CPU.
+                 */
+                if (__test_and_set_bit(LSTATE_SSB, &st->local_state))
+                        return;
+                msr |= x86_amd_ls_cfg_ssbd_mask;
+                raw_spin_lock(&st->shared_state->lock);
+                /* First sibling enables SSBD: */
+                if (!st->shared_state->disable_state)
+                        wrmsrl(MSR_AMD64_LS_CFG, msr);
+                st->shared_state->disable_state++;
+                raw_spin_unlock(&st->shared_state->lock);
+        } else {
+                if (!__test_and_clear_bit(LSTATE_SSB, &st->local_state))
+                        return;
+                raw_spin_lock(&st->shared_state->lock);
+                st->shared_state->disable_state--;
+                if (!st->shared_state->disable_state)
+                        wrmsrl(MSR_AMD64_LS_CFG, msr);
+                raw_spin_unlock(&st->shared_state->lock);
+        }
+}
+#else
+static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
+{
+        u64 msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
+        wrmsrl(MSR_AMD64_LS_CFG, msr);
+}
+#endif
+static __always_inline void amd_set_ssb_virt_state(unsigned long tifn)
+{
+        /*
+         * SSBD has the same definition in SPEC_CTRL and VIRT_SPEC_CTRL,
+         * so ssbd_tif_to_spec_ctrl() just works.
+         */
+        wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, ssbd_tif_to_spec_ctrl(tifn));
+}
+static __always_inline void intel_set_ssb_state(unsigned long tifn)
+{
+        u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
+        wrmsrl(MSR_IA32_SPEC_CTRL, msr);
+}
+static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
+{
+        if (static_cpu_has(X86_FEATURE_VIRT_SSBD))
+                amd_set_ssb_virt_state(tifn);
+        else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
+                amd_set_core_ssb_state(tifn);
+        else
+                intel_set_ssb_state(tifn);
+}
+void speculative_store_bypass_update(unsigned long tif)
+{
+        preempt_disable();
+        __speculative_store_bypass_update(tif);
+        preempt_enable();
+}
+void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
+                      struct tss_struct *tss)
+{
+        struct thread_struct *prev, *next;
+        unsigned long tifp, tifn;
+        prev = &prev_p->thread;
+        next = &next_p->thread;
+        tifn = READ_ONCE(task_thread_info(next_p)->flags);
+        tifp = READ_ONCE(task_thread_info(prev_p)->flags);
+        switch_to_bitmap(tss, prev, next, tifp, tifn);
        propagate_user_return_notify(prev_p, next_p);
+        if ((tifp & _TIF_BLOCKSTEP || tifn & _TIF_BLOCKSTEP) &&
+            arch_has_block_step()) {
+                unsigned long debugctl, msk;
+                rdmsrl(MSR_IA32_DEBUGCTLMSR, debugctl);
+                debugctl &= ~DEBUGCTLMSR_BTF;
+                msk = tifn & _TIF_BLOCKSTEP;
+                debugctl |= (msk >> TIF_BLOCKSTEP) << DEBUGCTLMSR_BTF_SHIFT;
+                wrmsrl(MSR_IA32_DEBUGCTLMSR, debugctl);
+        }
+        if ((tifp ^ tifn) & _TIF_NOTSC)
+                cr4_toggle_bits(X86_CR4_TSD);
+        if ((tifp ^ tifn) & _TIF_SSBD)
+                __speculative_store_bypass_update(tifn);
 }
 /*
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index bbaae4cf9e8e..31c4bc0d3372 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -851,6 +851,12 @@ void __init setup_arch(char **cmdline_p)
        memblock_reserve(__pa_symbol(_text),
                         (unsigned long)__bss_stop - (unsigned long)_text);
+        /*
+         * Make sure page 0 is always reserved because on systems with
+         * L1TF its contents can be leaked to user processes.
+         */
+        memblock_reserve(0, PAGE_SIZE);
        early_reserve_initrd();
        /*
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
index fe89f938e0f0..c017f1c71560 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -75,6 +75,7 @@
 #include <asm/i8259.h>
 #include <asm/realmode.h>
 #include <asm/misc.h>
+#include <asm/spec-ctrl.h>
 /* Number of siblings per CPU package */
 int smp_num_siblings = 1;
@@ -217,6 +218,8 @@ static void notrace start_secondary(void *unused)
         */
        check_tsc_sync_target();
+        speculative_store_bypass_ht_init();
        /*
         * Lock vector_lock and initialize the vectors on this cpu
         * before setting the cpu online. We must set it online with
@@ -295,7 +298,7 @@ do {									\
 static bool match_smt(struct cpuinfo_x86 *c, struct cpuinfo_x86 *o)
 {
-        if (cpu_has_topoext) {
+        if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
                int cpu1 = c->cpu_index, cpu2 = o->cpu_index;
                if (c->phys_proc_id == o->phys_proc_id &&
@@ -1209,6 +1212,8 @@ void __init native_smp_prepare_cpus(unsigned int max_cpus)
        set_mtrr_aps_delayed_init();
        smp_quirk_init_udelay();
+        speculative_store_bypass_ht_init();
 }
 void arch_enable_nonboot_cpus_begin(void)
@@ -1344,6 +1349,7 @@ static void remove_siblinginfo(int cpu)
        cpumask_clear(topology_core_cpumask(cpu));
        c->phys_proc_id = 0;
        c->cpu_core_id = 0;
+        c->booted_cores = 0;
        cpumask_clear_cpu(cpu, cpu_sibling_setup_mask);
 }
@@ -1442,6 +1448,8 @@ static inline void mwait_play_dead(void)
        void *mwait_ptr;
        int i;
+        if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
+                return;
        if (!this_cpu_has(X86_FEATURE_MWAIT))
                return;
        if (!this_cpu_has(X86_FEATURE_CLFLUSH))
diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
index 91a4496db434..c77ab1f51fbe 100644
--- a/arch/x86/kernel/tboot.c
+++ b/arch/x86/kernel/tboot.c
@@ -140,6 +140,16 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
                return -1;
        set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
        pte_unmap(pte);
+        /*
+         * PTI poisons low addresses in the kernel page tables in the
+         * name of making them unusable for userspace.  To execute
+         * code at such a low address, the poison must be cleared.
+         *
+         * Note: 'pgd' actually gets set in pud_alloc().
+         */
+        pgd->pgd &= ~_PAGE_NX;
        return 0;
 }
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 22b81f35c500..8c73bf1492b8 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -480,7 +480,6 @@ do_general_protection(struct pt_regs *regs, long error_code)
 }
 NOKPROBE_SYMBOL(do_general_protection);
-/* May run on IST stack. */
 dotraplinkage void notrace do_int3(struct pt_regs *regs, long error_code)
 {
 #ifdef CONFIG_DYNAMIC_FTRACE
@@ -495,7 +494,15 @@ dotraplinkage void notrace do_int3(struct pt_regs *regs, long error_code)
        if (poke_int3_handler(regs))
                return;
+        /*
+         * Use ist_enter despite the fact that we don't use an IST stack.
+         * We can be called from a kprobe in non-CONTEXT_KERNEL kernel
+         * mode or even during context tracking state changes.
+         *
+         * This means that we can't schedule.  That's okay.
+         */
        ist_enter(regs);
        RCU_LOCKDEP_WARN(!rcu_is_watching(), "entry code didn't wake RCU");
 #ifdef CONFIG_KGDB_LOW_LEVEL_TRAP
        if (kgdb_ll_trap(DIE_INT3, "int3", regs, error_code, X86_TRAP_BP,
@@ -512,15 +519,9 @@ dotraplinkage void notrace do_int3(struct pt_regs *regs, long error_code)
                        SIGTRAP) == NOTIFY_STOP)
                goto exit;
-        /*
-         * Let others (NMI) know that the debug stack is in use
-         * as we may switch to the interrupt stack.
-         */
-        debug_stack_usage_inc();
        preempt_conditional_sti(regs);
        do_trap(X86_TRAP_BP, SIGTRAP, "int3", regs, error_code, NULL);
        preempt_conditional_cli(regs);
-        debug_stack_usage_dec();
 exit:
        ist_exit(regs);
 }
@@ -750,7 +751,6 @@ dotraplinkage void
 do_device_not_available(struct pt_regs *regs, long error_code)
 {
        RCU_LOCKDEP_WARN(!rcu_is_watching(), "entry code didn't wake RCU");
-        BUG_ON(use_eager_fpu());
 #ifdef CONFIG_MATH_EMULATION
        if (read_cr0() & X86_CR0_EM) {
@@ -886,19 +886,16 @@ void __init trap_init(void)
        cpu_init();
        /*
-         * X86_TRAP_DB and X86_TRAP_BP have been set
+         * X86_TRAP_DB was installed in early_trap_init(). However,
-         * in early_trap_init(). However, ITS works only after
+         * IST works only after cpu_init() loads TSS. See comments
-         * cpu_init() loads TSS. See comments in early_trap_init().
+         * in early_trap_init().
         */
        set_intr_gate_ist(X86_TRAP_DB, &debug, DEBUG_STACK);
-        /* int3 can be called from all */
-        set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK);
        x86_init.irqs.trap_init();
 #ifdef CONFIG_X86_64
        memcpy(&debug_idt_table, &idt_table, IDT_ENTRIES * 16);
        set_nmi_gate(X86_TRAP_DB, &debug);
-        set_nmi_gate(X86_TRAP_BP, &int3);
 #endif
 }
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index c7c4d9c51e99..c42d4a3d9494 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -365,6 +365,8 @@ static int __init tsc_setup(char *str)
                tsc_clocksource_reliable = 1;
        if (!strncmp(str, "noirqtime", 9))
                no_sched_irq_time = 1;
+        if (!strcmp(str, "unstable"))
+                mark_tsc_unstable("boot parameter");
        return 1;
 }
@@ -406,7 +408,7 @@ static unsigned long calc_hpet_ref(u64 deltatsc, u64 hpet1, u64 hpet2)
        hpet2 -= hpet1;
        tmp = ((u64)hpet2 * hpet_readl(HPET_PERIOD));
        do_div(tmp, 1000000);
-        do_div(deltatsc, tmp);
+        deltatsc = div64_u64(deltatsc, tmp);
        return (unsigned long) deltatsc;
 }
diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
index c6aace2bbe08..b8105289c60b 100644
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -290,7 +290,7 @@ static int uprobe_init_insn(struct arch_uprobe *auprobe, struct insn *insn, bool
        insn_init(insn, auprobe->insn, sizeof(auprobe->insn), x86_64);
        /* has the side-effect of processing the entire instruction */
        insn_get_length(insn);
-        if (WARN_ON_ONCE(!insn_complete(insn)))
+        if (!insn_complete(insn))
                return -ENOEXEC;
        if (is_prefix_bad(insn))
diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
index 4cf401f581e7..b7c9db5deebe 100644
--- a/arch/x86/kernel/verify_cpu.S
+++ b/arch/x86/kernel/verify_cpu.S
@@ -30,7 +30,7 @@
 *      appropriately. Either display a message or halt.
 */
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/msr-index.h>
 verify_cpu:
diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
index 510e80da7de4..7f4839ef3608 100644
--- a/arch/x86/kernel/vm86_32.c
+++ b/arch/x86/kernel/vm86_32.c
@@ -357,8 +357,10 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus)
        tss = &per_cpu(cpu_tss, get_cpu());
        /* make room for real-mode segments */
        tsk->thread.sp0 += 16;
-        if (cpu_has_sep)
+        if (static_cpu_has(X86_FEATURE_SEP))
                tsk->thread.sysenter_cs = 0;
        load_sp0(tss, &tsk->thread);
        put_cpu();
@@ -715,7 +717,8 @@ void handle_vm86_fault(struct kernel_vm86_regs *regs, long error_code)
        return;
 check_vip:
-        if (VEFLAGS & X86_EFLAGS_VIP) {
+        if ((VEFLAGS & (X86_EFLAGS_VIP | X86_EFLAGS_VIF)) ==
+            (X86_EFLAGS_VIP | X86_EFLAGS_VIF)) {
                save_v86_state(regs, VM86_STI);
                return;
        }
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index cc468bd15430..59bce1e11f8f 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -199,6 +199,17 @@ SECTIONS
        :init
 #endif
+        /*
+         * Section for code used exclusively before alternatives are run. All
+         * references to such code must be patched out by alternatives, normally
+         * by using X86_FEATURE_ALWAYS CPU feature bit.
+         *
+         * See static_cpu_has() for an example.
+         */
+        .altinstr_aux : AT(ADDR(.altinstr_aux) - LOAD_OFFSET) {
+                *(.altinstr_aux)
+        }
        INIT_DATA_SECTION(16)
        .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
index a0695be19864..c7efd394c42b 100644
--- a/arch/x86/kernel/x8664_ksyms_64.c
+++ b/arch/x86/kernel/x8664_ksyms_64.c
@@ -42,6 +42,9 @@ EXPORT_SYMBOL(clear_page);
 EXPORT_SYMBOL(csum_partial);
+EXPORT_SYMBOL(__sw_hweight32);
+EXPORT_SYMBOL(__sw_hweight64);
 /*
 * Export string functions. We normally rely on gcc builtin for most of these,
 * but gcc sometimes decides not to inline them.
diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
index 639a6e34500c..53b7f53f6207 100644
--- a/arch/x86/kvm/Kconfig
+++ b/arch/x86/kvm/Kconfig
@@ -22,7 +22,8 @@ config KVM
        depends on HAVE_KVM
        depends on HIGH_RES_TIMERS
        # for TASKSTATS/TASK_DELAY_ACCT:
-        depends on NET
+        depends on NET && MULTIUSER
+        depends on X86_LOCAL_APIC
        select PREEMPT_NOTIFIERS
        select MMU_NOTIFIER
        select ANON_INODES
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 00045499f6c2..f1507626ed36 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -26,6 +26,7 @@
 #include <asm/kvm_emulate.h>
 #include <linux/stringify.h>
 #include <asm/debugreg.h>
+#include <asm/nospec-branch.h>
 #include "x86.h"
 #include "tss.h"
@@ -789,6 +790,19 @@ static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
        return assign_eip_near(ctxt, ctxt->_eip + rel);
 }
+static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
+                              void *data, unsigned size)
+{
+        return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, true);
+}
+static int linear_write_system(struct x86_emulate_ctxt *ctxt,
+                               ulong linear, void *data,
+                               unsigned int size)
+{
+        return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, true);
+}
 static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
                              struct segmented_address addr,
                              void *data,
@@ -800,7 +814,7 @@ static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
        rc = linearize(ctxt, addr, size, false, &linear);
        if (rc != X86EMUL_CONTINUE)
                return rc;
-        return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
+        return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception, false);
 }
 static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
@@ -814,7 +828,7 @@ static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
        rc = linearize(ctxt, addr, size, true, &linear);
        if (rc != X86EMUL_CONTINUE)
                return rc;
-        return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
+        return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception, false);
 }
 /*
@@ -1000,8 +1014,8 @@ static u8 test_cc(unsigned int condition, unsigned long flags)
        void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf);
        flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF;
-        asm("push %[flags]; popf; call *%[fastop]"
+        asm("push %[flags]; popf; " CALL_NOSPEC
-            : "=a"(rc) : [fastop]"r"(fop), [flags]"r"(flags));
+            : "=a"(rc) : [thunk_target]"r"(fop), [flags]"r"(flags));
        return rc;
 }
@@ -1487,8 +1501,7 @@ static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
                return emulate_gp(ctxt, index << 3 | 0x2);
        addr = dt.address + index * 8;
-        return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
+        return linear_read_system(ctxt, addr, desc, sizeof *desc);
-                                   &ctxt->exception);
 }
 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
@@ -1551,8 +1564,7 @@ static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
        if (rc != X86EMUL_CONTINUE)
                return rc;
-        return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc),
+        return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
-                                   &ctxt->exception);
 }
 /* allowed just for 8 bytes segments */
@@ -1566,8 +1578,7 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
        if (rc != X86EMUL_CONTINUE)
                return rc;
-        return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
+        return linear_write_system(ctxt, addr, desc, sizeof *desc);
-                                    &ctxt->exception);
 }
 static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
@@ -1728,8 +1739,7 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
                                return ret;
                }
        } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
-                ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3,
+                ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
-                                sizeof(base3), &ctxt->exception);
                if (ret != X86EMUL_CONTINUE)
                        return ret;
                if (is_noncanonical_address(get_desc_base(&seg_desc) |
@@ -2042,11 +2052,11 @@ static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
        eip_addr = dt.address + (irq << 2);
        cs_addr = dt.address + (irq << 2) + 2;
-        rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
+        rc = linear_read_system(ctxt, cs_addr, &cs, 2);
        if (rc != X86EMUL_CONTINUE)
                return rc;
-        rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
+        rc = linear_read_system(ctxt, eip_addr, &eip, 2);
        if (rc != X86EMUL_CONTINUE)
                return rc;
@@ -2890,12 +2900,12 @@ static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
 #ifdef CONFIG_X86_64
        base |= ((u64)base3) << 32;
 #endif
-        r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
+        r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL, true);
        if (r != X86EMUL_CONTINUE)
                return false;
        if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
                return false;
-        r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
+        r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL, true);
        if (r != X86EMUL_CONTINUE)
                return false;
        if ((perm >> bit_idx) & mask)
@@ -3024,35 +3034,30 @@ static int task_switch_16(struct x86_emulate_ctxt *ctxt,
                          u16 tss_selector, u16 old_tss_sel,
                          ulong old_tss_base, struct desc_struct *new_desc)
 {
-        const struct x86_emulate_ops *ops = ctxt->ops;
        struct tss_segment_16 tss_seg;
        int ret;
        u32 new_tss_base = get_desc_base(new_desc);
-        ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
+        ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
-                            &ctxt->exception);
        if (ret != X86EMUL_CONTINUE)
                return ret;
        save_state_to_tss16(ctxt, &tss_seg);
-        ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
+        ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
-                             &ctxt->exception);
        if (ret != X86EMUL_CONTINUE)
                return ret;
-        ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
+        ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
-                            &ctxt->exception);
        if (ret != X86EMUL_CONTINUE)
                return ret;
        if (old_tss_sel != 0xffff) {
                tss_seg.prev_task_link = old_tss_sel;
-                ret = ops->write_std(ctxt, new_tss_base,
+                ret = linear_write_system(ctxt, new_tss_base,
-                                     &tss_seg.prev_task_link,
+                                          &tss_seg.prev_task_link,
-                                     sizeof tss_seg.prev_task_link,
+                                          sizeof tss_seg.prev_task_link);
-                                     &ctxt->exception);
                if (ret != X86EMUL_CONTINUE)
                        return ret;
        }
@@ -3168,38 +3173,34 @@ static int task_switch_32(struct x86_emulate_ctxt *ctxt,
                          u16 tss_selector, u16 old_tss_sel,
                          ulong old_tss_base, struct desc_struct *new_desc)
 {
-        const struct x86_emulate_ops *ops = ctxt->ops;
        struct tss_segment_32 tss_seg;
        int ret;
        u32 new_tss_base = get_desc_base(new_desc);
        u32 eip_offset = offsetof(struct tss_segment_32, eip);
        u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
-        ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
+        ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
-                            &ctxt->exception);
        if (ret != X86EMUL_CONTINUE)
                return ret;
        save_state_to_tss32(ctxt, &tss_seg);
        /* Only GP registers and segment selectors are saved */
-        ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
+        ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
-                             ldt_sel_offset - eip_offset, &ctxt->exception);
+                                  ldt_sel_offset - eip_offset);
        if (ret != X86EMUL_CONTINUE)
                return ret;
-        ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
+        ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
-                            &ctxt->exception);
        if (ret != X86EMUL_CONTINUE)
                return ret;
        if (old_tss_sel != 0xffff) {
                tss_seg.prev_task_link = old_tss_sel;
-                ret = ops->write_std(ctxt, new_tss_base,
+                ret = linear_write_system(ctxt, new_tss_base,
-                                     &tss_seg.prev_task_link,
+                                          &tss_seg.prev_task_link,
-                                     sizeof tss_seg.prev_task_link,
+                                          sizeof tss_seg.prev_task_link);
-                                     &ctxt->exception);
                if (ret != X86EMUL_CONTINUE)
                        return ret;
        }
@@ -4978,6 +4979,8 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
        bool op_prefix = false;
        bool has_seg_override = false;
        struct opcode opcode;
+        u16 dummy;
+        struct desc_struct desc;
        ctxt->memop.type = OP_NONE;
        ctxt->memopp = NULL;
@@ -4996,6 +4999,11 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
        switch (mode) {
        case X86EMUL_MODE_REAL:
        case X86EMUL_MODE_VM86:
+                def_op_bytes = def_ad_bytes = 2;
+                ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
+                if (desc.d)
+                        def_op_bytes = def_ad_bytes = 4;
+                break;
        case X86EMUL_MODE_PROT16:
                def_op_bytes = def_ad_bytes = 2;
                break;
@@ -5290,9 +5298,9 @@ static int fastop(struct x86_emulate_ctxt *ctxt, void (*fop)(struct fastop *))
        ulong flags = (ctxt->eflags & EFLAGS_MASK) | X86_EFLAGS_IF;
        if (!(ctxt->d & ByteOp))
                fop += __ffs(ctxt->dst.bytes) * FASTOP_SIZE;
-        asm("push %[flags]; popf; call *%[fastop]; pushf; pop %[flags]\n"
+        asm("push %[flags]; popf; " CALL_NOSPEC "; pushf; pop %[flags]\n"
            : "+a"(ctxt->dst.val), "+d"(ctxt->src.val), [flags]"+D"(flags),
-              [fastop]"+S"(fop)
+              [thunk_target]"+S"(fop)
            : "c"(ctxt->src2.val));
        ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
        if (!fop) /* exception is returned in fop variable */
diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
index 3aab53f8cad2..d380111351c0 100644
--- a/arch/x86/kvm/ioapic.c
+++ b/arch/x86/kvm/ioapic.c
@@ -247,8 +247,7 @@ void kvm_ioapic_scan_entry(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap)
                    index == RTC_GSI) {
                        if (kvm_apic_match_dest(vcpu, NULL, 0,
                                     e->fields.dest_id, e->fields.dest_mode) ||
-                            (e->fields.trig_mode == IOAPIC_EDGE_TRIG &&
+                            kvm_apic_pending_eoi(vcpu, e->fields.vector))
-                             kvm_apic_pending_eoi(vcpu, e->fields.vector)))
                                __set_bit(e->fields.vector,
                                        (unsigned long *)eoi_exit_bitmap);
                }
@@ -269,6 +268,7 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
 {
        unsigned index;
        bool mask_before, mask_after;
+        int old_remote_irr, old_delivery_status;
        union kvm_ioapic_redirect_entry *e;
        switch (ioapic->ioregsel) {
@@ -291,14 +291,28 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
                        return;
                e = &ioapic->redirtbl[index];
                mask_before = e->fields.mask;
+                /* Preserve read-only fields */
+                old_remote_irr = e->fields.remote_irr;
+                old_delivery_status = e->fields.delivery_status;
                if (ioapic->ioregsel & 1) {
                        e->bits &= 0xffffffff;
                        e->bits |= (u64) val << 32;
                } else {
                        e->bits &= ~0xffffffffULL;
                        e->bits |= (u32) val;
-                        e->fields.remote_irr = 0;
                }
+                e->fields.remote_irr = old_remote_irr;
+                e->fields.delivery_status = old_delivery_status;
+                /*
+                 * Some OSes (Linux, Xen) assume that Remote IRR bit will
+                 * be cleared by IOAPIC hardware when the entry is configured
+                 * as edge-triggered. This behavior is used to simulate an
+                 * explicit EOI on IOAPICs that don't have the EOI register.
+                 */
+                if (e->fields.trig_mode == IOAPIC_EDGE_TRIG)
+                        e->fields.remote_irr = 0;
                mask_after = e->fields.mask;
                if (mask_before != mask_after)
                        kvm_fire_mask_notifiers(ioapic->kvm, KVM_IRQCHIP_IOAPIC, index, mask_after);
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 1c96f09367ae..a1afd80a68aa 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -288,8 +288,16 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu)
        if (!kvm_vcpu_has_lapic(vcpu))
                return;
+        /*
+         * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation)
+         * which doesn't have EOI register; Some buggy OSes (e.g. Windows with
+         * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC
+         * version first and level-triggered interrupts never get EOIed in
+         * IOAPIC.
+         */
        feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0);
-        if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))))
+        if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) &&
+            !ioapic_in_kernel(vcpu->kvm))
                v |= APIC_LVR_DIRECTED_EOI;
        apic_set_reg(apic, APIC_LVR, v);
 }
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 1049c3c9b877..2b71f2c03b9e 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -4503,7 +4503,7 @@ void kvm_mmu_setup(struct kvm_vcpu *vcpu)
 typedef bool (*slot_level_handler) (struct kvm *kvm, unsigned long *rmap);
 /* The caller should hold mmu-lock before calling this function. */
-static bool
+static __always_inline bool
 slot_handle_level_range(struct kvm *kvm, struct kvm_memory_slot *memslot,
                        slot_level_handler fn, int start_level, int end_level,
                        gfn_t start_gfn, gfn_t end_gfn, bool lock_flush_tlb)
@@ -4533,7 +4533,7 @@ slot_handle_level_range(struct kvm *kvm, struct kvm_memory_slot *memslot,
        return flush;
 }
-static bool
+static __always_inline bool
 slot_handle_level(struct kvm *kvm, struct kvm_memory_slot *memslot,
                  slot_level_handler fn, int start_level, int end_level,
                  bool lock_flush_tlb)
@@ -4544,7 +4544,7 @@ slot_handle_level(struct kvm *kvm, struct kvm_memory_slot *memslot,
                        lock_flush_tlb);
 }
-static bool
+static __always_inline bool
 slot_handle_all_level(struct kvm *kvm, struct kvm_memory_slot *memslot,
                      slot_level_handler fn, bool lock_flush_tlb)
 {
@@ -4552,7 +4552,7 @@ slot_handle_all_level(struct kvm *kvm, struct kvm_memory_slot *memslot,
                                 PT_MAX_HUGEPAGE_LEVEL, lock_flush_tlb);
 }
-static bool
+static __always_inline bool
 slot_handle_large_level(struct kvm *kvm, struct kvm_memory_slot *memslot,
                        slot_level_handler fn, bool lock_flush_tlb)
 {
@@ -4560,7 +4560,7 @@ slot_handle_large_level(struct kvm *kvm, struct kvm_memory_slot *memslot,
                                 PT_MAX_HUGEPAGE_LEVEL, lock_flush_tlb);
 }
-static bool
+static __always_inline bool
 slot_handle_leaf(struct kvm *kvm, struct kvm_memory_slot *memslot,
                 slot_level_handler fn, bool lock_flush_tlb)
 {
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 2038e5bacce6..df7827a981dd 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -37,7 +37,7 @@
 #include <asm/desc.h>
 #include <asm/debugreg.h>
 #include <asm/kvm_para.h>
-#include <asm/nospec-branch.h>
+#include <asm/spec-ctrl.h>
 #include <asm/virtext.h>
 #include "trace.h"
@@ -1386,6 +1386,7 @@ static void svm_get_segment(struct kvm_vcpu *vcpu,
                 */
                if (var->unusable)
                        var->db = 0;
+                /* This is symmetric with svm_set_segment() */
                var->dpl = to_svm(vcpu)->vmcb->save.cpl;
                break;
        }
@@ -1531,18 +1532,14 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
        s->base = var->base;
        s->limit = var->limit;
        s->selector = var->selector;
-        if (var->unusable)
+        s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
-                s->attrib = 0;
+        s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
-        else {
+        s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
-                s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
+        s->attrib |= ((var->present & 1) && !var->unusable) << SVM_SELECTOR_P_SHIFT;
-                s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
+        s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
-                s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
+        s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
-                s->attrib |= (var->present & 1) << SVM_SELECTOR_P_SHIFT;
+        s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
-                s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
+        s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
-                s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
-                s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
-                s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
-        }
        /*
         * This is always accurate, except if SYSRET returned to a segment
@@ -1551,7 +1548,8 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
         * would entail passing the CPL to userspace and back.
         */
        if (seg == VCPU_SREG_SS)
-                svm->vmcb->save.cpl = (s->attrib >> SVM_SELECTOR_DPL_SHIFT) & 3;
+                /* This is symmetric with svm_get_segment() */
+                svm->vmcb->save.cpl = (var->dpl & 3);
        mark_dirty(svm->vmcb, VMCB_SEG);
 }
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 75d60e40c389..c5a4b1978cbf 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -32,6 +32,7 @@
 #include <linux/slab.h>
 #include <linux/tboot.h>
 #include <linux/hrtimer.h>
+#include <linux/nospec.h>
 #include "kvm_cache_regs.h"
 #include "x86.h"
@@ -47,7 +48,7 @@
 #include <asm/kexec.h>
 #include <asm/apic.h>
 #include <asm/irq_remapping.h>
-#include <asm/nospec-branch.h>
+#include <asm/spec-ctrl.h>
 #include "trace.h"
 #include "pmu.h"
@@ -125,6 +126,12 @@ module_param_named(pml, enable_pml, bool, S_IRUGO);
 #define VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE 5
+#define VMX_VPID_EXTENT_SUPPORTED_MASK          \
+        (VMX_VPID_EXTENT_INDIVIDUAL_ADDR_BIT |  \
+        VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT |    \
+        VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT |    \
+        VMX_VPID_EXTENT_SINGLE_NON_GLOBAL_BIT)
 /*
 * These 2 parameters are used to config the controls for Pause-Loop Exiting:
 * ple_gap:    upper bound on the amount of time between two successive
@@ -827,21 +834,18 @@ static const unsigned short vmcs_field_to_offset_table[] = {
 static inline short vmcs_field_to_offset(unsigned long field)
 {
-        BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
+        const size_t size = ARRAY_SIZE(vmcs_field_to_offset_table);
+        unsigned short offset;
-        if (field >= ARRAY_SIZE(vmcs_field_to_offset_table))
+        BUILD_BUG_ON(size > SHRT_MAX);
+        if (field >= size)
                return -ENOENT;
-        /*
+        field = array_index_nospec(field, size);
-         * FIXME: Mitigation for CVE-2017-5753.  To be replaced with a
+        offset = vmcs_field_to_offset_table[field];
-         * generic mechanism.
+        if (offset == 0)
-         */
-        asm("lfence");
-        if (vmcs_field_to_offset_table[field] == 0)
                return -ENOENT;
+        return offset;
-        return vmcs_field_to_offset_table[field];
 }
 static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu)
@@ -1007,6 +1011,13 @@ static inline bool is_machine_check(u32 intr_info)
                (INTR_TYPE_HARD_EXCEPTION | MC_VECTOR | INTR_INFO_VALID_MASK);
 }
+/* Undocumented: icebp/int1 */
+static inline bool is_icebp(u32 intr_info)
+{
+        return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
+                == (INTR_TYPE_PRIV_SW_EXCEPTION | INTR_INFO_VALID_MASK);
+}
 static inline bool cpu_has_vmx_msr_bitmap(void)
 {
        return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_USE_MSR_BITMAPS;
@@ -2308,6 +2319,8 @@ static void vmx_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
                return;
        }
+        WARN_ON_ONCE(vmx->emulation_required);
        if (kvm_exception_is_soft(nr)) {
                vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
                             vmx->vcpu.arch.event_exit_inst_len);
@@ -2659,8 +2672,7 @@ static void nested_vmx_setup_ctls_msrs(struct vcpu_vmx *vmx)
         */
        if (enable_vpid)
                vmx->nested.nested_vmx_vpid_caps = VMX_VPID_INVVPID_BIT |
-                                VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT |
+                        VMX_VPID_EXTENT_SUPPORTED_MASK;
-                                VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT;
        else
                vmx->nested.nested_vmx_vpid_caps = 0;
@@ -4514,7 +4526,7 @@ static int vmx_cpu_uses_apicv(struct kvm_vcpu *vcpu)
        return enable_apicv && lapic_in_kernel(vcpu);
 }
-static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
+static void vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        int max_irr;
@@ -4525,19 +4537,15 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
            vmx->nested.pi_pending) {
                vmx->nested.pi_pending = false;
                if (!pi_test_and_clear_on(vmx->nested.pi_desc))
-                        return 0;
+                        return;
                max_irr = find_last_bit(
                        (unsigned long *)vmx->nested.pi_desc->pir, 256);
                if (max_irr == 256)
-                        return 0;
+                        return;
                vapic_page = kmap(vmx->nested.virtual_apic_page);
-                if (!vapic_page) {
-                        WARN_ON(1);
-                        return -ENOMEM;
-                }
                __kvm_apic_update_irr(vmx->nested.pi_desc->pir, vapic_page);
                kunmap(vmx->nested.virtual_apic_page);
@@ -4548,7 +4556,6 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
                        vmcs_write16(GUEST_INTR_STATUS, status);
                }
        }
-        return 0;
 }
 static inline bool kvm_vcpu_trigger_posted_interrupt(struct kvm_vcpu *vcpu)
@@ -4595,14 +4602,15 @@ static int vmx_deliver_nested_posted_interrupt(struct kvm_vcpu *vcpu,
        if (is_guest_mode(vcpu) &&
            vector == vmx->nested.posted_intr_nv) {
-                /* the PIR and ON have been set by L1. */
-                kvm_vcpu_trigger_posted_interrupt(vcpu);
                /*
                 * If a posted intr is not recognized by hardware,
                 * we will accomplish it in the next vmentry.
                 */
                vmx->nested.pi_pending = true;
                kvm_make_request(KVM_REQ_EVENT, vcpu);
+                /* the PIR and ON have been set by L1. */
+                if (!kvm_vcpu_trigger_posted_interrupt(vcpu))
+                        kvm_vcpu_kick(vcpu);
                return 0;
        }
        return -1;
@@ -4954,7 +4962,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
                vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
        }
-        vmcs_writel(GUEST_RFLAGS, 0x02);
+        kvm_set_rflags(vcpu, X86_EFLAGS_FIXED);
        kvm_rip_write(vcpu, 0xfff0);
        vmcs_writel(GUEST_GDTR_BASE, 0);
@@ -5334,7 +5342,7 @@ static int handle_exception(struct kvm_vcpu *vcpu)
                      (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) {
                        vcpu->arch.dr6 &= ~15;
                        vcpu->arch.dr6 |= dr6 | DR6_RTM;
-                        if (!(dr6 & ~DR6_RESERVED)) /* icebp */
+                        if (is_icebp(intr_info))
                                skip_emulated_instruction(vcpu);
                        kvm_queue_exception(vcpu, DB_VECTOR);
@@ -6023,7 +6031,7 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
                if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
                        return 1;
-                err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE);
+                err = emulate_instruction(vcpu, 0);
                if (err == EMULATE_USER_EXIT) {
                        ++vcpu->stat.mmio_exits;
@@ -6031,12 +6039,12 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
                        goto out;
                }
-                if (err != EMULATE_DONE) {
+                if (err != EMULATE_DONE)
-                        vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+                        goto emulation_error;
-                        vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
-                        vcpu->run->internal.ndata = 0;
+                if (vmx->emulation_required && !vmx->rmode.vm86_active &&
-                        return 0;
+                    vcpu->arch.exception.pending)
-                }
+                        goto emulation_error;
                if (vcpu->arch.halt_request) {
                        vcpu->arch.halt_request = 0;
@@ -6052,6 +6060,12 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
 out:
        return ret;
+emulation_error:
+        vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+        vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+        vcpu->run->internal.ndata = 0;
+        return 0;
 }
 static int __grow_ple_window(int val)
@@ -6678,8 +6692,7 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
                        vmcs_read32(VMX_INSTRUCTION_INFO), false, &gva))
                return 1;
-        if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &vmptr,
+        if (kvm_read_guest_virt(vcpu, gva, &vmptr, sizeof(vmptr), &e)) {
-                                sizeof(vmptr), &e)) {
                kvm_inject_page_fault(vcpu, &e);
                return 1;
        }
@@ -6830,6 +6843,8 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
                     HRTIMER_MODE_REL);
        vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
+        vmx->nested.vpid02 = allocate_vpid();
        vmx->nested.vmxon = true;
        skip_emulated_instruction(vcpu);
@@ -7197,8 +7212,8 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
                                vmx_instruction_info, true, &gva))
                        return 1;
                /* _system ok, as nested_vmx_check_permission verified cpl=0 */
-                kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
+                kvm_write_guest_virt_system(vcpu, gva, &field_value,
-                             &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
+                                            (is_long_mode(vcpu) ? 8 : 4), NULL);
        }
        nested_vmx_succeed(vcpu);
@@ -7233,8 +7248,8 @@ static int handle_vmwrite(struct kvm_vcpu *vcpu)
                if (get_vmx_mem_address(vcpu, exit_qualification,
                                vmx_instruction_info, false, &gva))
                        return 1;
-                if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva,
+                if (kvm_read_guest_virt(vcpu, gva, &field_value,
-                           &field_value, (is_64_bit_mode(vcpu) ? 8 : 4), &e)) {
+                                        (is_64_bit_mode(vcpu) ? 8 : 4), &e)) {
                        kvm_inject_page_fault(vcpu, &e);
                        return 1;
                }
@@ -7324,9 +7339,9 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
                        vmx_instruction_info, true, &vmcs_gva))
                return 1;
        /* ok to use *_system, as nested_vmx_check_permission verified cpl=0 */
-        if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
+        if (kvm_write_guest_virt_system(vcpu, vmcs_gva,
-                                 (void *)&to_vmx(vcpu)->nested.current_vmptr,
+                                        (void *)&to_vmx(vcpu)->nested.current_vmptr,
-                                 sizeof(u64), &e)) {
+                                        sizeof(u64), &e)) {
                kvm_inject_page_fault(vcpu, &e);
                return 1;
        }
@@ -7367,7 +7382,7 @@ static int handle_invept(struct kvm_vcpu *vcpu)
        types = (vmx->nested.nested_vmx_ept_caps >> VMX_EPT_EXTENT_SHIFT) & 6;
-        if (!(types & (1UL << type))) {
+        if (type >= 32 || !(types & (1 << type))) {
                nested_vmx_failValid(vcpu,
                                VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
                skip_emulated_instruction(vcpu);
@@ -7380,8 +7395,7 @@ static int handle_invept(struct kvm_vcpu *vcpu)
        if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
                        vmx_instruction_info, false, &gva))
                return 1;
-        if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &operand,
+        if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) {
-                                sizeof(operand), &e)) {
                kvm_inject_page_fault(vcpu, &e);
                return 1;
        }
@@ -7424,9 +7438,10 @@ static int handle_invvpid(struct kvm_vcpu *vcpu)
        vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
        type = kvm_register_readl(vcpu, (vmx_instruction_info >> 28) & 0xf);
-        types = (vmx->nested.nested_vmx_vpid_caps >> 8) & 0x7;
+        types = (vmx->nested.nested_vmx_vpid_caps &
+                        VMX_VPID_EXTENT_SUPPORTED_MASK) >> 8;
-        if (!(types & (1UL << type))) {
+        if (type >= 32 || !(types & (1 << type))) {
                nested_vmx_failValid(vcpu,
                        VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
                skip_emulated_instruction(vcpu);
@@ -7439,28 +7454,33 @@ static int handle_invvpid(struct kvm_vcpu *vcpu)
        if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
                        vmx_instruction_info, false, &gva))
                return 1;
-        if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &vpid,
+        if (kvm_read_guest_virt(vcpu, gva, &vpid, sizeof(u32), &e)) {
-                                sizeof(u32), &e)) {
                kvm_inject_page_fault(vcpu, &e);
                return 1;
        }
        switch (type) {
+        case VMX_VPID_EXTENT_INDIVIDUAL_ADDR:
        case VMX_VPID_EXTENT_SINGLE_CONTEXT:
-                /*
+        case VMX_VPID_EXTENT_SINGLE_NON_GLOBAL:
-                 * Old versions of KVM use the single-context version so we
+                if (!vpid) {
-                 * have to support it; just treat it the same as all-context.
+                        nested_vmx_failValid(vcpu,
-                 */
+                                VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
+                        skip_emulated_instruction(vcpu);
+                        return 1;
+                }
+                break;
        case VMX_VPID_EXTENT_ALL_CONTEXT:
-                __vmx_flush_tlb(vcpu, to_vmx(vcpu)->nested.vpid02);
-                nested_vmx_succeed(vcpu);
                break;
        default:
-                /* Trap individual address invalidation invvpid calls */
+                WARN_ON_ONCE(1);
-                BUG_ON(1);
+                skip_emulated_instruction(vcpu);
-                break;
+                return 1;
        }
+        __vmx_flush_tlb(vcpu, vmx->nested.vpid02);
+        nested_vmx_succeed(vcpu);
        skip_emulated_instruction(vcpu);
        return 1;
 }
@@ -7644,11 +7664,13 @@ static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu,
 {
        unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
        int cr = exit_qualification & 15;
-        int reg = (exit_qualification >> 8) & 15;
+        int reg;
-        unsigned long val = kvm_register_readl(vcpu, reg);
+        unsigned long val;
        switch ((exit_qualification >> 4) & 3) {
        case 0: /* mov to cr */
+                reg = (exit_qualification >> 8) & 15;
+                val = kvm_register_readl(vcpu, reg);
                switch (cr) {
                case 0:
                        if (vmcs12->cr0_guest_host_mask &
@@ -7703,6 +7725,7 @@ static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu,
                 * lmsw can change bits 1..3 of cr0, and only set bit 0 of
                 * cr0. Other attempted changes are ignored, with no exit.
                 */
+                val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f;
                if (vmcs12->cr0_guest_host_mask & 0xe &
                    (val ^ vmcs12->cr0_read_shadow))
                        return true;
@@ -8376,13 +8399,13 @@ static void vmx_handle_external_intr(struct kvm_vcpu *vcpu)
                        "pushf\n\t"
                        "orl $0x200, (%%" _ASM_SP ")\n\t"
                        __ASM_SIZE(push) " $%c[cs]\n\t"
-                        "call *%[entry]\n\t"
+                        CALL_NOSPEC
                        :
 #ifdef CONFIG_X86_64
                        [sp]"=&r"(tmp)
 #endif
                        :
-                        [entry]"r"(entry),
+                        THUNK_TARGET(entry),
                        [ss]"i"(__KERNEL_DS),
                        [cs]"i"(__KERNEL_CS)
                        );
@@ -8866,10 +8889,8 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
                        goto free_vmcs;
        }
-        if (nested) {
+        if (nested)
                nested_vmx_setup_ctls_msrs(vmx);
-                vmx->nested.vpid02 = allocate_vpid();
-        }
        vmx->nested.posted_intr_nv = -1;
        vmx->nested.current_vmptr = -1ull;
@@ -8878,7 +8899,6 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
        return &vmx->vcpu;
 free_vmcs:
-        free_vpid(vmx->nested.vpid02);
        free_loaded_vmcs(vmx->loaded_vmcs);
 free_msrs:
        kfree(vmx->guest_msrs);
@@ -9239,11 +9259,6 @@ static inline bool nested_vmx_merge_msr_bitmap(struct kvm_vcpu *vcpu,
                return false;
        }
        msr_bitmap = (unsigned long *)kmap(page);
-        if (!msr_bitmap) {
-                nested_release_page_clean(page);
-                WARN_ON(1);
-                return false;
-        }
        if (nested_cpu_has_virt_x2apic_mode(vmcs12)) {
                if (nested_cpu_has_apic_reg_virt(vmcs12))
@@ -10165,7 +10180,8 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu, bool external_intr)
                return 0;
        }
-        return vmx_complete_nested_posted_interrupt(vcpu);
+        vmx_complete_nested_posted_interrupt(vcpu);
+        return 0;
 }
 static u32 vmx_get_preemption_timer_value(struct kvm_vcpu *vcpu)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index f973cfa8ff4f..53d43d22a84b 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2755,6 +2755,12 @@ void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
        kvm_x86_ops->vcpu_put(vcpu);
        kvm_put_guest_fpu(vcpu);
        vcpu->arch.last_host_tsc = rdtsc();
+        /*
+         * If userspace has set any breakpoints or watchpoints, dr6 is restored
+         * on every vmexit, but if not, we might have a stale dr6 from the
+         * guest. do_debug expects dr6 to be cleared after it runs, do the same.
+         */
+        set_debugreg(0, 6);
 }
 static int kvm_vcpu_ioctl_get_lapic(struct kvm_vcpu *vcpu,
@@ -3967,13 +3973,14 @@ long kvm_arch_vm_ioctl(struct file *filp,
                mutex_unlock(&kvm->lock);
                break;
        case KVM_XEN_HVM_CONFIG: {
+                struct kvm_xen_hvm_config xhc;
                r = -EFAULT;
-                if (copy_from_user(&kvm->arch.xen_hvm_config, argp,
+                if (copy_from_user(&xhc, argp, sizeof(xhc)))
-                                   sizeof(struct kvm_xen_hvm_config)))
                        goto out;
                r = -EINVAL;
-                if (kvm->arch.xen_hvm_config.flags)
+                if (xhc.flags)
                        goto out;
+                memcpy(&kvm->arch.xen_hvm_config, &xhc, sizeof(xhc));
                r = 0;
                break;
        }
@@ -4238,11 +4245,10 @@ static int kvm_fetch_guest_virt(struct x86_emulate_ctxt *ctxt,
        return X86EMUL_CONTINUE;
 }
-int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
+int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
                               gva_t addr, void *val, unsigned int bytes,
                               struct x86_exception *exception)
 {
-        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
        return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
@@ -4250,12 +4256,17 @@ int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
 }
 EXPORT_SYMBOL_GPL(kvm_read_guest_virt);
-static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+static int emulator_read_std(struct x86_emulate_ctxt *ctxt,
-                                      gva_t addr, void *val, unsigned int bytes,
+                             gva_t addr, void *val, unsigned int bytes,
-                                      struct x86_exception *exception)
+                             struct x86_exception *exception, bool system)
 {
        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-        return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
+        u32 access = 0;
+        if (!system && kvm_x86_ops->get_cpl(vcpu) == 3)
+                access |= PFERR_USER_MASK;
+        return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, exception);
 }
 static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt,
@@ -4267,18 +4278,16 @@ static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt,
        return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE;
 }
-int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+static int kvm_write_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
-                                       gva_t addr, void *val,
+                                      struct kvm_vcpu *vcpu, u32 access,
-                                       unsigned int bytes,
+                                      struct x86_exception *exception)
-                                       struct x86_exception *exception)
 {
-        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        void *data = val;
        int r = X86EMUL_CONTINUE;
        while (bytes) {
                gpa_t gpa =  vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr,
-                                                             PFERR_WRITE_MASK,
+                                                             access,
                                                             exception);
                unsigned offset = addr & (PAGE_SIZE-1);
                unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
@@ -4299,6 +4308,27 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
 out:
        return r;
 }
+static int emulator_write_std(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val,
+                              unsigned int bytes, struct x86_exception *exception,
+                              bool system)
+{
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+        u32 access = PFERR_WRITE_MASK;
+        if (!system && kvm_x86_ops->get_cpl(vcpu) == 3)
+                access |= PFERR_USER_MASK;
+        return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
+                                           access, exception);
+}
+int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val,
+                                unsigned int bytes, struct x86_exception *exception)
+{
+        return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
+                                           PFERR_WRITE_MASK, exception);
+}
 EXPORT_SYMBOL_GPL(kvm_write_guest_virt_system);
 static int vcpu_mmio_gva_to_gpa(struct kvm_vcpu *vcpu, unsigned long gva,
@@ -5018,8 +5048,8 @@ static void emulator_set_hflags(struct x86_emulate_ctxt *ctxt, unsigned emul_fla
 static const struct x86_emulate_ops emulate_ops = {
        .read_gpr            = emulator_read_gpr,
        .write_gpr           = emulator_write_gpr,
-        .read_std            = kvm_read_guest_virt_system,
+        .read_std            = emulator_read_std,
-        .write_std           = kvm_write_guest_virt_system,
+        .write_std           = emulator_write_std,
        .read_phys           = kvm_read_guest_phys_system,
        .fetch               = kvm_fetch_guest_virt,
        .read_emulated       = emulator_read_emulated,
@@ -5153,7 +5183,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu)
                vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
                vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
                vcpu->run->internal.ndata = 0;
-                r = EMULATE_FAIL;
+                r = EMULATE_USER_EXIT;
        }
        kvm_queue_exception(vcpu, UD_VECTOR);
@@ -8204,6 +8234,13 @@ static int apf_put_user(struct kvm_vcpu *vcpu, u32 val)
                                      sizeof(val));
 }
+static int apf_get_user(struct kvm_vcpu *vcpu, u32 *val)
+{
+        return kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apf.data, val,
+                                      sizeof(u32));
+}
 void kvm_arch_async_page_not_present(struct kvm_vcpu *vcpu,
                                     struct kvm_async_pf *work)
 {
@@ -8230,6 +8267,7 @@ void kvm_arch_async_page_present(struct kvm_vcpu *vcpu,
                                 struct kvm_async_pf *work)
 {
        struct x86_exception fault;
+        u32 val;
        if (work->wakeup_all)
                work->arch.token = ~0; /* broadcast wakeup */
@@ -8237,14 +8275,24 @@ void kvm_arch_async_page_present(struct kvm_vcpu *vcpu,
                kvm_del_async_pf_gfn(vcpu, work->arch.gfn);
        trace_kvm_async_pf_ready(work->arch.token, work->gva);
-        if ((vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED) &&
+        if (vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED &&
-            !apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) {
+            !apf_get_user(vcpu, &val)) {
-                fault.vector = PF_VECTOR;
+                if (val == KVM_PV_REASON_PAGE_NOT_PRESENT &&
-                fault.error_code_valid = true;
+                    vcpu->arch.exception.pending &&
-                fault.error_code = 0;
+                    vcpu->arch.exception.nr == PF_VECTOR &&
-                fault.nested_page_fault = false;
+                    !apf_put_user(vcpu, 0)) {
-                fault.address = work->arch.token;
+                        vcpu->arch.exception.pending = false;
-                kvm_inject_page_fault(vcpu, &fault);
+                        vcpu->arch.exception.nr = 0;
+                        vcpu->arch.exception.has_error_code = false;
+                        vcpu->arch.exception.error_code = 0;
+                } else if (!apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) {
+                        fault.vector = PF_VECTOR;
+                        fault.error_code_valid = true;
+                        fault.error_code = 0;
+                        fault.nested_page_fault = false;
+                        fault.address = work->arch.token;
+                        kvm_inject_page_fault(vcpu, &fault);
+                }
        }
        vcpu->arch.apf.halted = false;
        vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index f2afa5fe48a6..53a750a10598 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -164,11 +164,11 @@ int kvm_inject_realmode_interrupt(struct kvm_vcpu *vcpu, int irq, int inc_eip);
 void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr);
-int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
+int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
        gva_t addr, void *val, unsigned int bytes,
        struct x86_exception *exception);
-int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu,
        gva_t addr, void *val, unsigned int bytes,
        struct x86_exception *exception);
diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile
index 12a34d15b648..c0c8b0a49bb8 100644
--- a/arch/x86/lib/Makefile
+++ b/arch/x86/lib/Makefile
@@ -23,7 +23,7 @@ lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o
 lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o
 lib-$(CONFIG_RETPOLINE) += retpoline.o
-obj-y += msr.o msr-reg.o msr-reg-export.o
+obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o
 ifeq ($(CONFIG_X86_32),y)
        obj-y += atomic64_32.o
diff --git a/arch/x86/lib/clear_page_64.S b/arch/x86/lib/clear_page_64.S
index a2fe51b00cce..65be7cfaf947 100644
--- a/arch/x86/lib/clear_page_64.S
+++ b/arch/x86/lib/clear_page_64.S
@@ -1,5 +1,5 @@
 #include <linux/linkage.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative-asm.h>
 /*
diff --git a/arch/x86/lib/cmdline.c b/arch/x86/lib/cmdline.c
index a744506856b1..88ce150186c6 100644
--- a/arch/x86/lib/cmdline.c
+++ b/arch/x86/lib/cmdline.c
@@ -21,12 +21,14 @@ static inline int myisspace(u8 c)
 * @option: option string to look for
 *
 * Returns the position of that @option (starts counting with 1)
- * or 0 on not found.
+ * or 0 on not found.  @option will only be found if it is found
+ * as an entire word in @cmdline.  For instance, if @option="car"
+ * then a cmdline which contains "cart" will not match.
 */
 int cmdline_find_option_bool(const char *cmdline, const char *option)
 {
        char c;
-        int len, pos = 0, wstart = 0;
+        int pos = 0, wstart = 0;
        const char *opptr = NULL;
        enum {
                st_wordstart = 0,       /* Start of word/after whitespace */
@@ -37,11 +39,14 @@ int cmdline_find_option_bool(const char *cmdline, const char *option)
        if (!cmdline)
                return -1;      /* No command line */
-        len = min_t(int, strlen(cmdline), COMMAND_LINE_SIZE);
+        if (!strlen(cmdline))
-        if (!len)
                return 0;
-        while (len--) {
+        /*
+         * This 'pos' check ensures we do not overrun
+         * a non-NULL-terminated 'cmdline'
+         */
+        while (pos < COMMAND_LINE_SIZE) {
                c = *(char *)cmdline++;
                pos++;
@@ -58,17 +63,26 @@ int cmdline_find_option_bool(const char *cmdline, const char *option)
                        /* fall through */
                case st_wordcmp:
-                        if (!*opptr)
+                        if (!*opptr) {
+                                /*
+                                 * We matched all the way to the end of the
+                                 * option we were looking for.  If the
+                                 * command-line has a space _or_ ends, then
+                                 * we matched!
+                                 */
                                if (!c || myisspace(c))
                                        return wstart;
                                else
                                        state = st_wordskip;
-                        else if (!c)
+                        } else if (!c) {
+                                /*
+                                 * Hit the NULL terminator on the end of
+                                 * cmdline.
+                                 */
                                return 0;
-                        else if (c != *opptr++)
+                        } else if (c != *opptr++) {
                                state = st_wordskip;
-                        else if (!len)          /* last word and is matching */
+                        }
-                                return wstart;
                        break;
                case st_wordskip:
diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S
index 009f98216b7e..24ef1c2104d4 100644
--- a/arch/x86/lib/copy_page_64.S
+++ b/arch/x86/lib/copy_page_64.S
@@ -1,7 +1,7 @@
 /* Written 2003 by Andi Kleen, based on a kernel by Evandro Menezes */
 #include <linux/linkage.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative-asm.h>
 /*
diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
index 423644c230e7..accf7f2f557f 100644
--- a/arch/x86/lib/copy_user_64.S
+++ b/arch/x86/lib/copy_user_64.S
@@ -10,7 +10,7 @@
 #include <asm/current.h>
 #include <asm/asm-offsets.h>
 #include <asm/thread_info.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative-asm.h>
 #include <asm/asm.h>
 #include <asm/smap.h>
diff --git a/arch/x86/lib/csum-copy_64.S b/arch/x86/lib/csum-copy_64.S
index 7e48807b2fa1..45a53dfe1859 100644
--- a/arch/x86/lib/csum-copy_64.S
+++ b/arch/x86/lib/csum-copy_64.S
@@ -55,7 +55,7 @@ ENTRY(csum_partial_copy_generic)
        movq  %r12, 3*8(%rsp)
        movq  %r14, 4*8(%rsp)
        movq  %r13, 5*8(%rsp)
-        movq  %rbp, 6*8(%rsp)
+        movq  %r15, 6*8(%rsp)
        movq  %r8, (%rsp)
        movq  %r9, 1*8(%rsp)
@@ -74,7 +74,7 @@ ENTRY(csum_partial_copy_generic)
        /* main loop. clear in 64 byte blocks */
        /* r9: zero, r8: temp2, rbx: temp1, rax: sum, rcx: saved length */
        /* r11: temp3, rdx: temp4, r12 loopcnt */
-        /* r10: temp5, rbp: temp6, r14 temp7, r13 temp8 */
+        /* r10: temp5, r15: temp6, r14 temp7, r13 temp8 */
        .p2align 4
 .Lloop:
        source
@@ -89,7 +89,7 @@ ENTRY(csum_partial_copy_generic)
        source
        movq  32(%rdi), %r10
        source
-        movq  40(%rdi), %rbp
+        movq  40(%rdi), %r15
        source
        movq  48(%rdi), %r14
        source
@@ -103,7 +103,7 @@ ENTRY(csum_partial_copy_generic)
        adcq  %r11, %rax
        adcq  %rdx, %rax
        adcq  %r10, %rax
-        adcq  %rbp, %rax
+        adcq  %r15, %rax
        adcq  %r14, %rax
        adcq  %r13, %rax
@@ -121,7 +121,7 @@ ENTRY(csum_partial_copy_generic)
        dest
        movq %r10, 32(%rsi)
        dest
-        movq %rbp, 40(%rsi)
+        movq %r15, 40(%rsi)
        dest
        movq %r14, 48(%rsi)
        dest
@@ -203,7 +203,7 @@ ENTRY(csum_partial_copy_generic)
        movq 3*8(%rsp), %r12
        movq 4*8(%rsp), %r14
        movq 5*8(%rsp), %r13
-        movq 6*8(%rsp), %rbp
+        movq 6*8(%rsp), %r15
        addq $7*8, %rsp
        ret
diff --git a/arch/x86/lib/delay.c b/arch/x86/lib/delay.c
index e912b2f6d36e..45772560aceb 100644
--- a/arch/x86/lib/delay.c
+++ b/arch/x86/lib/delay.c
@@ -93,6 +93,13 @@ static void delay_mwaitx(unsigned long __loops)
 {
        u64 start, end, delay, loops = __loops;
+        /*
+         * Timer value of 0 causes MWAITX to wait indefinitely, unless there
+         * is a store on the memory monitored by MONITORX.
+         */
+        if (loops == 0)
+                return;
        start = rdtsc_ordered();
        for (;;) {
diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
index 46668cda4ffd..490b2ee4e4bb 100644
--- a/arch/x86/lib/getuser.S
+++ b/arch/x86/lib/getuser.S
@@ -38,6 +38,8 @@ ENTRY(__get_user_1)
        GET_THREAD_INFO(%_ASM_DX)
        cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
        jae bad_get_user
+        sbb %_ASM_DX, %_ASM_DX          /* array_index_mask_nospec() */
+        and %_ASM_DX, %_ASM_AX
        ASM_STAC
 1:      movzbl (%_ASM_AX),%edx
        xor %eax,%eax
@@ -51,6 +53,8 @@ ENTRY(__get_user_2)
        GET_THREAD_INFO(%_ASM_DX)
        cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
        jae bad_get_user
+        sbb %_ASM_DX, %_ASM_DX          /* array_index_mask_nospec() */
+        and %_ASM_DX, %_ASM_AX
        ASM_STAC
 2:      movzwl -1(%_ASM_AX),%edx
        xor %eax,%eax
@@ -64,6 +68,8 @@ ENTRY(__get_user_4)
        GET_THREAD_INFO(%_ASM_DX)
        cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
        jae bad_get_user
+        sbb %_ASM_DX, %_ASM_DX          /* array_index_mask_nospec() */
+        and %_ASM_DX, %_ASM_AX
        ASM_STAC
 3:      movl -3(%_ASM_AX),%edx
        xor %eax,%eax
@@ -78,6 +84,8 @@ ENTRY(__get_user_8)
        GET_THREAD_INFO(%_ASM_DX)
        cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
        jae bad_get_user
+        sbb %_ASM_DX, %_ASM_DX          /* array_index_mask_nospec() */
+        and %_ASM_DX, %_ASM_AX
        ASM_STAC
 4:      movq -7(%_ASM_AX),%rdx
        xor %eax,%eax
@@ -89,6 +97,8 @@ ENTRY(__get_user_8)
        GET_THREAD_INFO(%_ASM_DX)
        cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
        jae bad_get_user_8
+        sbb %_ASM_DX, %_ASM_DX          /* array_index_mask_nospec() */
+        and %_ASM_DX, %_ASM_AX
        ASM_STAC
 4:      movl -7(%_ASM_AX),%edx
 5:      movl -3(%_ASM_AX),%ecx
diff --git a/arch/x86/lib/hweight.S b/arch/x86/lib/hweight.S
new file mode 100644
index 000000000000..8a602a1e404a
--- /dev/null
+++ b/arch/x86/lib/hweight.S
@@ -0,0 +1,79 @@
+#include <linux/linkage.h>
+#include <asm/asm.h>
+/*
+ * unsigned int __sw_hweight32(unsigned int w)
+ * %rdi: w
+ */
+ENTRY(__sw_hweight32)
+#ifdef CONFIG_X86_64
+        movl %edi, %eax                         # w
+#endif
+        __ASM_SIZE(push,) %__ASM_REG(dx)
+        movl %eax, %edx                         # w -> t
+        shrl %edx                               # t >>= 1
+        andl $0x55555555, %edx                  # t &= 0x55555555
+        subl %edx, %eax                         # w -= t
+        movl %eax, %edx                         # w -> t
+        shrl $2, %eax                           # w_tmp >>= 2
+        andl $0x33333333, %edx                  # t     &= 0x33333333
+        andl $0x33333333, %eax                  # w_tmp &= 0x33333333
+        addl %edx, %eax                         # w = w_tmp + t
+        movl %eax, %edx                         # w -> t
+        shrl $4, %edx                           # t >>= 4
+        addl %edx, %eax                         # w_tmp += t
+        andl  $0x0f0f0f0f, %eax                 # w_tmp &= 0x0f0f0f0f
+        imull $0x01010101, %eax, %eax           # w_tmp *= 0x01010101
+        shrl $24, %eax                          # w = w_tmp >> 24
+        __ASM_SIZE(pop,) %__ASM_REG(dx)
+        ret
+ENDPROC(__sw_hweight32)
+ENTRY(__sw_hweight64)
+#ifdef CONFIG_X86_64
+        pushq   %rdi
+        pushq   %rdx
+        movq    %rdi, %rdx                      # w -> t
+        movabsq $0x5555555555555555, %rax
+        shrq    %rdx                            # t >>= 1
+        andq    %rdx, %rax                      # t &= 0x5555555555555555
+        movabsq $0x3333333333333333, %rdx
+        subq    %rax, %rdi                      # w -= t
+        movq    %rdi, %rax                      # w -> t
+        shrq    $2, %rdi                        # w_tmp >>= 2
+        andq    %rdx, %rax                      # t     &= 0x3333333333333333
+        andq    %rdi, %rdx                      # w_tmp &= 0x3333333333333333
+        addq    %rdx, %rax                      # w = w_tmp + t
+        movq    %rax, %rdx                      # w -> t
+        shrq    $4, %rdx                        # t >>= 4
+        addq    %rdx, %rax                      # w_tmp += t
+        movabsq $0x0f0f0f0f0f0f0f0f, %rdx
+        andq    %rdx, %rax                      # w_tmp &= 0x0f0f0f0f0f0f0f0f
+        movabsq $0x0101010101010101, %rdx
+        imulq   %rdx, %rax                      # w_tmp *= 0x0101010101010101
+        shrq    $56, %rax                       # w = w_tmp >> 56
+        popq    %rdx
+        popq    %rdi
+        ret
+#else /* CONFIG_X86_32 */
+        /* We're getting an u64 arg in (%eax,%edx): unsigned long hweight64(__u64 w) */
+        pushl   %ecx
+        call    __sw_hweight32
+        movl    %eax, %ecx                      # stash away result
+        movl    %edx, %eax                      # second part of input
+        call    __sw_hweight32
+        addl    %ecx, %eax                      # result
+        popl    %ecx
+        ret
+#endif
+ENDPROC(__sw_hweight64)
diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
index 16698bba87de..a0de849435ad 100644
--- a/arch/x86/lib/memcpy_64.S
+++ b/arch/x86/lib/memcpy_64.S
@@ -1,7 +1,7 @@
 /* Copyright 2002 Andi Kleen */
 #include <linux/linkage.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative-asm.h>
 /*
diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
index ca2afdd6d98e..90ce01bee00c 100644
--- a/arch/x86/lib/memmove_64.S
+++ b/arch/x86/lib/memmove_64.S
@@ -6,7 +6,7 @@
 *      - Copyright 2011 Fenghua Yu <fenghua.yu@intel.com>
 */
 #include <linux/linkage.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative-asm.h>
 #undef memmove
diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S
index 2661fad05827..c9c81227ea37 100644
--- a/arch/x86/lib/memset_64.S
+++ b/arch/x86/lib/memset_64.S
@@ -1,7 +1,7 @@
 /* Copyright 2002 Andi Kleen, SuSE Labs */
 #include <linux/linkage.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative-asm.h>
 .weak memset
diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
index e611a124c442..7bbb853e36bd 100644
--- a/arch/x86/lib/retpoline.S
+++ b/arch/x86/lib/retpoline.S
@@ -3,7 +3,7 @@
 #include <linux/stringify.h>
 #include <linux/linkage.h>
 #include <asm/dwarf2.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/alternative-asm.h>
 #include <asm-generic/export.h>
 #include <asm/nospec-branch.h>
@@ -36,7 +36,6 @@ GENERATE_THUNK(_ASM_DX)
 GENERATE_THUNK(_ASM_SI)
 GENERATE_THUNK(_ASM_DI)
 GENERATE_THUNK(_ASM_BP)
-GENERATE_THUNK(_ASM_SP)
 #ifdef CONFIG_64BIT
 GENERATE_THUNK(r8)
 GENERATE_THUNK(r9)
diff --git a/arch/x86/math-emu/Makefile b/arch/x86/math-emu/Makefile
index 9b0c63b60302..1b2dac174321 100644
--- a/arch/x86/math-emu/Makefile
+++ b/arch/x86/math-emu/Makefile
@@ -5,8 +5,8 @@
 #DEBUG  = -DDEBUGGING
 DEBUG   =
 PARANOID = -DPARANOID
-EXTRA_CFLAGS    := $(PARANOID) $(DEBUG) -fno-builtin $(MATH_EMULATION)
+ccflags-y += $(PARANOID) $(DEBUG) -fno-builtin $(MATH_EMULATION)
-EXTRA_AFLAGS    := $(PARANOID)
+asflags-y += $(PARANOID)
 # From 'C' language sources:
 C_OBJS =fpu_entry.o errors.o \
diff --git a/arch/x86/math-emu/reg_compare.c b/arch/x86/math-emu/reg_compare.c
index b77360fdbf4a..19b33b50adfa 100644
--- a/arch/x86/math-emu/reg_compare.c
+++ b/arch/x86/math-emu/reg_compare.c
@@ -168,7 +168,7 @@ static int compare(FPU_REG const *b, int tagb)
 /* This function requires that st(0) is not empty */
 int FPU_compare_st_data(FPU_REG const *loaded_data, u_char loaded_tag)
 {
-        int f = 0, c;
+        int f, c;
        c = compare(loaded_data, loaded_tag);
@@ -189,12 +189,12 @@ int FPU_compare_st_data(FPU_REG const *loaded_data, u_char loaded_tag)
                case COMP_No_Comp:
                        f = SW_C3 | SW_C2 | SW_C0;
                        break;
-#ifdef PARANOID
                default:
+#ifdef PARANOID
                        EXCEPTION(EX_INTERNAL | 0x121);
+#endif /* PARANOID */
                        f = SW_C3 | SW_C2 | SW_C0;
                        break;
-#endif /* PARANOID */
                }
        setcc(f);
        if (c & COMP_Denormal) {
@@ -205,7 +205,7 @@ int FPU_compare_st_data(FPU_REG const *loaded_data, u_char loaded_tag)
 static int compare_st_st(int nr)
 {
-        int f = 0, c;
+        int f, c;
        FPU_REG *st_ptr;
        if (!NOT_EMPTY(0) || !NOT_EMPTY(nr)) {
@@ -235,12 +235,12 @@ static int compare_st_st(int nr)
                case COMP_No_Comp:
                        f = SW_C3 | SW_C2 | SW_C0;
                        break;
-#ifdef PARANOID
                default:
+#ifdef PARANOID
                        EXCEPTION(EX_INTERNAL | 0x122);
+#endif /* PARANOID */
                        f = SW_C3 | SW_C2 | SW_C0;
                        break;
-#endif /* PARANOID */
                }
        setcc(f);
        if (c & COMP_Denormal) {
@@ -283,12 +283,12 @@ static int compare_i_st_st(int nr)
        case COMP_No_Comp:
                f = X86_EFLAGS_ZF | X86_EFLAGS_PF | X86_EFLAGS_CF;
                break;
-#ifdef PARANOID
        default:
+#ifdef PARANOID
                EXCEPTION(EX_INTERNAL | 0x122);
+#endif /* PARANOID */
                f = 0;
                break;
-#endif /* PARANOID */
        }
        FPU_EFLAGS = (FPU_EFLAGS & ~(X86_EFLAGS_ZF | X86_EFLAGS_PF | X86_EFLAGS_CF)) | f;
        if (c & COMP_Denormal) {
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index e830c71a1323..e0a34b0d381e 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -287,7 +287,7 @@ static noinline int vmalloc_fault(unsigned long address)
        if (!pmd_k)
                return -1;
-        if (pmd_huge(*pmd_k))
+        if (pmd_large(*pmd_k))
                return 0;
        pte_k = pte_offset_kernel(pmd_k, address);
@@ -407,7 +407,7 @@ static noinline int vmalloc_fault(unsigned long address)
        if (pud_none(*pud) || pud_pfn(*pud) != pud_pfn(*pud_ref))
                BUG();
-        if (pud_huge(*pud))
+        if (pud_large(*pud))
                return 0;
        pmd = pmd_offset(pud, address);
@@ -418,7 +418,7 @@ static noinline int vmalloc_fault(unsigned long address)
        if (pmd_none(*pmd) || pmd_pfn(*pmd) != pmd_pfn(*pmd_ref))
                BUG();
-        if (pmd_huge(*pmd))
+        if (pmd_large(*pmd))
                return 0;
        pte_ref = pte_offset_kernel(pmd_ref, address);
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
index 151fd33e9043..4954a6cef50a 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -4,6 +4,8 @@
 #include <linux/swap.h>
 #include <linux/memblock.h>
 #include <linux/bootmem.h>      /* for max_low_pfn */
+#include <linux/swapfile.h>
+#include <linux/swapops.h>
 #include <asm/cacheflush.h>
 #include <asm/e820.h>
@@ -767,3 +769,26 @@ void update_cache_mode_entry(unsigned entry, enum page_cache_mode cache)
        __cachemode2pte_tbl[cache] = __cm_idx2pte(entry);
        __pte2cachemode_tbl[entry] = cache;
 }
+#ifdef CONFIG_SWAP
+unsigned long max_swapfile_size(void)
+{
+        unsigned long pages;
+        pages = generic_max_swapfile_size();
+        if (boot_cpu_has_bug(X86_BUG_L1TF)) {
+                /* Limit the swap file size to MAX_PA/2 for L1TF workaround */
+                unsigned long l1tf_limit = l1tf_pfn_limit() + 1;
+                /*
+                 * We encode swap offsets also with 3 bits below those for pfn
+                 * which makes the usable limit higher.
+                 */
+#if CONFIG_PGTABLE_LEVELS > 2
+                l1tf_limit <<= PAGE_SHIFT - SWP_OFFSET_FIRST_BIT;
+#endif
+                pages = min_t(unsigned long, l1tf_limit, pages);
+        }
+        return pages;
+}
+#endif
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index b9c78f3bcd67..53ab3f367472 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -348,11 +348,11 @@ void iounmap(volatile void __iomem *addr)
            (void __force *)addr < phys_to_virt(ISA_END_ADDRESS))
                return;
+        mmiotrace_iounmap(addr);
        addr = (volatile void __iomem *)
                (PAGE_MASK & (unsigned long __force)addr);
-        mmiotrace_iounmap(addr);
        /* Use the vm area unlocked, assuming the caller
           ensures there isn't another iounmap for the same address
           in parallel. Reuse of the virtual address is prevented by
diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c
index 8af98513d36c..7a72e32e4806 100644
--- a/arch/x86/mm/kaiser.c
+++ b/arch/x86/mm/kaiser.c
@@ -345,7 +345,7 @@ void __init kaiser_init(void)
        if (vsyscall_enabled())
                kaiser_add_user_map_early((void *)VSYSCALL_ADDR,
                                          PAGE_SIZE,
-                                           __PAGE_KERNEL_VSYSCALL);
+                                          vsyscall_pgprot);
        for_each_possible_cpu(cpu) {
                void *percpu_vaddr = __per_cpu_user_mapped_start +
@@ -363,7 +363,7 @@ void __init kaiser_init(void)
        kaiser_add_user_map_ptrs_early(__entry_text_start, __entry_text_end,
                                       __PAGE_KERNEL_RX);
-#if defined(CONFIG_FUNCTION_GRAPH_TRACER) || defined(CONFIG_KASAN)
+#ifdef CONFIG_FUNCTION_GRAPH_TRACER
        kaiser_add_user_map_ptrs_early(__irqentry_text_start,
                                       __irqentry_text_end,
                                       __PAGE_KERNEL_RX);
diff --git a/arch/x86/mm/kmmio.c b/arch/x86/mm/kmmio.c
index ddb2244b06a1..7bf14e74fc8f 100644
--- a/arch/x86/mm/kmmio.c
+++ b/arch/x86/mm/kmmio.c
@@ -125,24 +125,29 @@ static struct kmmio_fault_page *get_kmmio_fault_page(unsigned long addr)
 static void clear_pmd_presence(pmd_t *pmd, bool clear, pmdval_t *old)
 {
+        pmd_t new_pmd;
        pmdval_t v = pmd_val(*pmd);
        if (clear) {
-                *old = v & _PAGE_PRESENT;
+                *old = v;
-                v &= ~_PAGE_PRESENT;
+                new_pmd = pmd_mknotpresent(*pmd);
-        } else  /* presume this has been called with clear==true previously */
+        } else {
-                v |= *old;
+                /* Presume this has been called with clear==true previously */
-        set_pmd(pmd, __pmd(v));
+                new_pmd = __pmd(*old);
+        }
+        set_pmd(pmd, new_pmd);
 }
 static void clear_pte_presence(pte_t *pte, bool clear, pteval_t *old)
 {
        pteval_t v = pte_val(*pte);
        if (clear) {
-                *old = v & _PAGE_PRESENT;
+                *old = v;
-                v &= ~_PAGE_PRESENT;
+                /* Nothing should care about address */
-        } else  /* presume this has been called with clear==true previously */
+                pte_clear(&init_mm, 0, pte);
-                v |= *old;
+        } else {
-        set_pte_atomic(pte, __pte(v));
+                /* Presume this has been called with clear==true previously */
+                set_pte_atomic(pte, __pte(*old));
+        }
 }
 static int clear_page_presence(struct kmmio_fault_page *f, bool clear)
@@ -434,17 +439,18 @@ int register_kmmio_probe(struct kmmio_probe *p)
        unsigned long flags;
        int ret = 0;
        unsigned long size = 0;
+        unsigned long addr = p->addr & PAGE_MASK;
        const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK);
        unsigned int l;
        pte_t *pte;
        spin_lock_irqsave(&kmmio_lock, flags);
-        if (get_kmmio_probe(p->addr)) {
+        if (get_kmmio_probe(addr)) {
                ret = -EEXIST;
                goto out;
        }
-        pte = lookup_address(p->addr, &l);
+        pte = lookup_address(addr, &l);
        if (!pte) {
                ret = -EINVAL;
                goto out;
@@ -453,7 +459,7 @@ int register_kmmio_probe(struct kmmio_probe *p)
        kmmio_count++;
        list_add_rcu(&p->list, &kmmio_probes);
        while (size < size_lim) {
-                if (add_kmmio_fault_page(p->addr + size))
+                if (add_kmmio_fault_page(addr + size))
                        pr_err("Unable to set page fault.\n");
                size += page_level_size(l);
        }
@@ -527,19 +533,20 @@ void unregister_kmmio_probe(struct kmmio_probe *p)
 {
        unsigned long flags;
        unsigned long size = 0;
+        unsigned long addr = p->addr & PAGE_MASK;
        const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK);
        struct kmmio_fault_page *release_list = NULL;
        struct kmmio_delayed_release *drelease;
        unsigned int l;
        pte_t *pte;
-        pte = lookup_address(p->addr, &l);
+        pte = lookup_address(addr, &l);
        if (!pte)
                return;
        spin_lock_irqsave(&kmmio_lock, flags);
        while (size < size_lim) {
-                release_kmmio_fault_page(p->addr + size, &release_list);
+                release_kmmio_fault_page(addr + size, &release_list);
                size += page_level_size(l);
        }
        list_del_rcu(&p->list);
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 307f60ecfc6d..9a055ea279eb 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -121,3 +121,24 @@ const char *arch_vma_name(struct vm_area_struct *vma)
                return "[mpx]";
        return NULL;
 }
+/*
+ * Only allow root to set high MMIO mappings to PROT_NONE.
+ * This prevents an unpriv. user to set them to PROT_NONE and invert
+ * them, then pointing to valid memory for L1TF speculation.
+ *
+ * Note: for locked down kernels may want to disable the root override.
+ */
+bool pfn_modify_allowed(unsigned long pfn, pgprot_t prot)
+{
+        if (!boot_cpu_has_bug(X86_BUG_L1TF))
+                return true;
+        if (!__pte_needs_invert(pgprot_val(prot)))
+                return true;
+        /* If it's real memory always allow */
+        if (pfn_valid(pfn))
+                return true;
+        if (pfn > l1tf_pfn_limit() && !capable(CAP_SYS_ADMIN))
+                return false;
+        return true;
+}
diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
index ac9c7797b632..53bd895576cc 100644
--- a/arch/x86/mm/pageattr.c
+++ b/arch/x86/mm/pageattr.c
@@ -1006,8 +1006,8 @@ static int populate_pmd(struct cpa_data *cpa,
                pmd = pmd_offset(pud, start);
-                set_pmd(pmd, __pmd(cpa->pfn | _PAGE_PSE |
+                set_pmd(pmd, pmd_mkhuge(pfn_pmd(cpa->pfn,
-                                   massage_pgprot(pmd_pgprot)));
+                                        canon_pgprot(pmd_pgprot))));
                start     += PMD_SIZE;
                cpa->pfn  += PMD_SIZE;
@@ -1079,8 +1079,8 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
         * Map everything starting from the Gb boundary, possibly with 1G pages
         */
        while (end - start >= PUD_SIZE) {
-                set_pud(pud, __pud(cpa->pfn | _PAGE_PSE |
+                set_pud(pud, pud_mkhuge(pfn_pud(cpa->pfn,
-                                   massage_pgprot(pud_pgprot)));
+                                   canon_pgprot(pud_pgprot))));
                start     += PUD_SIZE;
                cpa->pfn  += PUD_SIZE;
diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
index dbc27a2b4ad5..55c7446311a7 100644
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
@@ -1,5 +1,6 @@
 #include <linux/mm.h>
 #include <linux/gfp.h>
+#include <linux/hugetlb.h>
 #include <asm/pgalloc.h>
 #include <asm/pgtable.h>
 #include <asm/tlb.h>
@@ -600,6 +601,10 @@ int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot)
            (mtrr != MTRR_TYPE_WRBACK))
                return 0;
+        /* Bail out if we are we on a populated non-leaf entry: */
+        if (pud_present(*pud) && !pud_huge(*pud))
+                return 0;
        prot = pgprot_4k_2_large(prot);
        set_pte((pte_t *)pud, pfn_pte(
@@ -628,6 +633,10 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot)
                return 0;
        }
+        /* Bail out if we are we on a populated non-leaf entry: */
+        if (pmd_present(*pmd) && !pmd_huge(*pmd))
+                return 0;
        prot = pgprot_4k_2_large(prot);
        set_pte((pte_t *)pmd, pfn_pte(
@@ -666,4 +675,97 @@ int pmd_clear_huge(pmd_t *pmd)
        return 0;
 }
+#ifdef CONFIG_X86_64
+/**
+ * pud_free_pmd_page - Clear pud entry and free pmd page.
+ * @pud: Pointer to a PUD.
+ * @addr: Virtual address associated with pud.
+ *
+ * Context: The pud range has been unmapped and TLB purged.
+ * Return: 1 if clearing the entry succeeded. 0 otherwise.
+ *
+ * NOTE: Callers must allow a single page allocation.
+ */
+int pud_free_pmd_page(pud_t *pud, unsigned long addr)
+{
+        pmd_t *pmd, *pmd_sv;
+        pte_t *pte;
+        int i;
+        if (pud_none(*pud))
+                return 1;
+        pmd = (pmd_t *)pud_page_vaddr(*pud);
+        pmd_sv = (pmd_t *)__get_free_page(GFP_KERNEL);
+        if (!pmd_sv)
+                return 0;
+        for (i = 0; i < PTRS_PER_PMD; i++) {
+                pmd_sv[i] = pmd[i];
+                if (!pmd_none(pmd[i]))
+                        pmd_clear(&pmd[i]);
+        }
+        pud_clear(pud);
+        /* INVLPG to clear all paging-structure caches */
+        flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1);
+        for (i = 0; i < PTRS_PER_PMD; i++) {
+                if (!pmd_none(pmd_sv[i])) {
+                        pte = (pte_t *)pmd_page_vaddr(pmd_sv[i]);
+                        free_page((unsigned long)pte);
+                }
+        }
+        free_page((unsigned long)pmd_sv);
+        free_page((unsigned long)pmd);
+        return 1;
+}
+/**
+ * pmd_free_pte_page - Clear pmd entry and free pte page.
+ * @pmd: Pointer to a PMD.
+ * @addr: Virtual address associated with pmd.
+ *
+ * Context: The pmd range has been unmapped and TLB purged.
+ * Return: 1 if clearing the entry succeeded. 0 otherwise.
+ */
+int pmd_free_pte_page(pmd_t *pmd, unsigned long addr)
+{
+        pte_t *pte;
+        if (pmd_none(*pmd))
+                return 1;
+        pte = (pte_t *)pmd_page_vaddr(*pmd);
+        pmd_clear(pmd);
+        /* INVLPG to clear all paging-structure caches */
+        flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1);
+        free_page((unsigned long)pte);
+        return 1;
+}
+#else /* !CONFIG_X86_64 */
+int pud_free_pmd_page(pud_t *pud, unsigned long addr)
+{
+        return pud_none(*pud);
+}
+/*
+ * Disable free page handling on x86-PAE. This assures that ioremap()
+ * does not update sync'd pmd entries. See vmalloc_sync_one().
+ */
+int pmd_free_pte_page(pmd_t *pmd, unsigned long addr)
+{
+        return pmd_none(*pmd);
+}
+#endif /* CONFIG_X86_64 */
 #endif  /* CONFIG_HAVE_ARCH_HUGE_VMAP */
diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
index 90555bf60aa4..f65a33f505b6 100644
--- a/arch/x86/mm/setup_nx.c
+++ b/arch/x86/mm/setup_nx.c
@@ -4,6 +4,7 @@
 #include <asm/pgtable.h>
 #include <asm/proto.h>
+#include <asm/cpufeature.h>
 static int disable_nx;
@@ -31,7 +32,7 @@ early_param("noexec", noexec_setup);
 void x86_configure_nx(void)
 {
-        if (cpu_has_nx && !disable_nx)
+        if (boot_cpu_has(X86_FEATURE_NX) && !disable_nx)
                __supported_pte_mask |= _PAGE_NX;
        else
                __supported_pte_mask &= ~_PAGE_NX;
@@ -39,7 +40,7 @@ void x86_configure_nx(void)
 void __init x86_report_nx(void)
 {
-        if (!cpu_has_nx) {
+        if (!boot_cpu_has(X86_FEATURE_NX)) {
                printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
                       "missing in CPU!\n");
        } else {
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
index 7cad01af6dcd..6d683bbb3502 100644
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -10,6 +10,7 @@
 #include <asm/tlbflush.h>
 #include <asm/mmu_context.h>
+#include <asm/nospec-branch.h>
 #include <asm/cache.h>
 #include <asm/apic.h>
 #include <asm/uv/uv.h>
@@ -29,6 +30,8 @@
 *      Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
 */
+atomic64_t last_mm_ctx_id = ATOMIC64_INIT(1);
 struct flush_tlb_info {
        struct mm_struct *flush_mm;
        unsigned long flush_start;
@@ -104,6 +107,36 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
        unsigned cpu = smp_processor_id();
        if (likely(prev != next)) {
+                u64 last_ctx_id = this_cpu_read(cpu_tlbstate.last_ctx_id);
+                /*
+                 * Avoid user/user BTB poisoning by flushing the branch
+                 * predictor when switching between processes. This stops
+                 * one process from doing Spectre-v2 attacks on another.
+                 *
+                 * As an optimization, flush indirect branches only when
+                 * switching into processes that disable dumping. This
+                 * protects high value processes like gpg, without having
+                 * too high performance overhead. IBPB is *expensive*!
+                 *
+                 * This will not flush branches when switching into kernel
+                 * threads. It will also not flush if we switch to idle
+                 * thread and back to the same process. It will flush if we
+                 * switch to a different non-dumpable process.
+                 */
+                if (tsk && tsk->mm &&
+                    tsk->mm->context.ctx_id != last_ctx_id &&
+                    get_dumpable(tsk->mm) != SUID_DUMP_USER)
+                        indirect_branch_prediction_barrier();
+                /*
+                 * Record last user mm's context id, so we can avoid
+                 * flushing branch buffer with IBPB if we switch back
+                 * to the same user.
+                 */
+                if (next != &init_mm)
+                        this_cpu_write(cpu_tlbstate.last_ctx_id, next->context.ctx_id);
                this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
                this_cpu_write(cpu_tlbstate.active_mm, next);
                cpumask_set_cpu(cpu, mm_cpumask(next));
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 75991979f667..dd9a861fd526 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -12,6 +12,7 @@
 #include <linux/filter.h>
 #include <linux/if_vlan.h>
 #include <asm/cacheflush.h>
+#include <asm/nospec-branch.h>
 #include <linux/bpf.h>
 int bpf_jit_enable __read_mostly;
@@ -266,10 +267,10 @@ static void emit_bpf_tail_call(u8 **pprog)
        /* if (index >= array->map.max_entries)
         *   goto out;
         */
-        EMIT4(0x48, 0x8B, 0x46,                   /* mov rax, qword ptr [rsi + 16] */
+        EMIT2(0x89, 0xD2);                        /* mov edx, edx */
+        EMIT3(0x39, 0x56,                         /* cmp dword ptr [rsi + 16], edx */
              offsetof(struct bpf_array, map.max_entries));
-        EMIT3(0x48, 0x39, 0xD0);                  /* cmp rax, rdx */
+#define OFFSET1 (41 + RETPOLINE_RAX_BPF_JIT_SIZE) /* number of bytes to jump */
-#define OFFSET1 47 /* number of bytes to jump */
        EMIT2(X86_JBE, OFFSET1);                  /* jbe out */
        label1 = cnt;
@@ -278,22 +279,21 @@ static void emit_bpf_tail_call(u8 **pprog)
         */
        EMIT2_off32(0x8B, 0x85, -STACKSIZE + 36); /* mov eax, dword ptr [rbp - 516] */
        EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT);     /* cmp eax, MAX_TAIL_CALL_CNT */
-#define OFFSET2 36
+#define OFFSET2 (30 + RETPOLINE_RAX_BPF_JIT_SIZE)
        EMIT2(X86_JA, OFFSET2);                   /* ja out */
        label2 = cnt;
        EMIT3(0x83, 0xC0, 0x01);                  /* add eax, 1 */
        EMIT2_off32(0x89, 0x85, -STACKSIZE + 36); /* mov dword ptr [rbp - 516], eax */
        /* prog = array->ptrs[index]; */
-        EMIT4_off32(0x48, 0x8D, 0x84, 0xD6,       /* lea rax, [rsi + rdx * 8 + offsetof(...)] */
+        EMIT4_off32(0x48, 0x8B, 0x84, 0xD6,       /* mov rax, [rsi + rdx * 8 + offsetof(...)] */
                    offsetof(struct bpf_array, ptrs));
-        EMIT3(0x48, 0x8B, 0x00);                  /* mov rax, qword ptr [rax] */
        /* if (prog == NULL)
         *   goto out;
         */
-        EMIT4(0x48, 0x83, 0xF8, 0x00);            /* cmp rax, 0 */
+        EMIT3(0x48, 0x85, 0xC0);                  /* test rax,rax */
-#define OFFSET3 10
+#define OFFSET3 (8 + RETPOLINE_RAX_BPF_JIT_SIZE)
        EMIT2(X86_JE, OFFSET3);                   /* je out */
        label3 = cnt;
@@ -306,7 +306,7 @@ static void emit_bpf_tail_call(u8 **pprog)
         * rdi == ctx (1st arg)
         * rax == prog->bpf_func + prologue_size
         */
-        EMIT2(0xFF, 0xE0);                        /* jmp rax */
+        RETPOLINE_RAX_BPF_JIT();
        /* out: */
        BUILD_BUG_ON(cnt - label1 != OFFSET1);
@@ -1077,7 +1077,7 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
         * may converge on the last pass. In such case do one more
         * pass to emit the final image
         */
-        for (pass = 0; pass < 10 || image; pass++) {
+        for (pass = 0; pass < 20 || image; pass++) {
                proglen = do_jit(prog, addrs, image, oldproglen, &ctx);
                if (proglen <= 0) {
                        image = NULL;
@@ -1100,6 +1100,7 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
                                goto out;
                }
                oldproglen = proglen;
+                cond_resched();
        }
        if (bpf_jit_enable > 1)
diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c
index 1d2e6392f5fa..f24bd7249536 100644
--- a/arch/x86/oprofile/nmi_int.c
+++ b/arch/x86/oprofile/nmi_int.c
@@ -471,7 +471,7 @@ static int nmi_setup(void)
                goto fail;
        for_each_possible_cpu(cpu) {
-                if (!cpu)
+                if (!IS_ENABLED(CONFIG_SMP) || !cpu)
                        continue;
                memcpy(per_cpu(cpu_msrs, cpu).counters,
diff --git a/arch/x86/oprofile/op_model_amd.c b/arch/x86/oprofile/op_model_amd.c
index 50d86c0e9ba4..660a83c8287b 100644
--- a/arch/x86/oprofile/op_model_amd.c
+++ b/arch/x86/oprofile/op_model_amd.c
@@ -24,7 +24,6 @@
 #include <asm/nmi.h>
 #include <asm/apic.h>
 #include <asm/processor.h>
-#include <asm/cpufeature.h>
 #include "op_x86_model.h"
 #include "op_counter.h"
diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
index a0ac0f9c307f..f5a8cd96bae4 100644
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -40,6 +40,7 @@
 #include <asm/fixmap.h>
 #include <asm/realmode.h>
 #include <asm/time.h>
+#include <asm/nospec-branch.h>
 /*
 * We allocate runtime services regions bottom-up, starting from -4G, i.e.
@@ -347,6 +348,7 @@ extern efi_status_t efi64_thunk(u32, ...);
                                                                        \
        efi_sync_low_kernel_mappings();                                 \
        local_irq_save(flags);                                          \
+        firmware_restrict_branch_speculation_start();                   \
                                                                        \
        efi_scratch.prev_cr3 = read_cr3();                              \
        write_cr3((unsigned long)efi_scratch.efi_pgt);                  \
@@ -357,6 +359,7 @@ extern efi_status_t efi64_thunk(u32, ...);
                                                                        \
        write_cr3(efi_scratch.prev_cr3);                                \
        __flush_tlb_all();                                              \
+        firmware_restrict_branch_speculation_end();                     \
        local_irq_restore(flags);                                       \
                                                                        \
        __s;                                                            \
diff --git a/arch/x86/platform/olpc/olpc-xo15-sci.c b/arch/x86/platform/olpc/olpc-xo15-sci.c
index 55130846ac87..c0533fbc39e3 100644
--- a/arch/x86/platform/olpc/olpc-xo15-sci.c
+++ b/arch/x86/platform/olpc/olpc-xo15-sci.c
@@ -196,6 +196,7 @@ static int xo15_sci_remove(struct acpi_device *device)
        return 0;
 }
+#ifdef CONFIG_PM_SLEEP
 static int xo15_sci_resume(struct device *dev)
 {
        /* Enable all EC events */
@@ -207,6 +208,7 @@ static int xo15_sci_resume(struct device *dev)
        return 0;
 }
+#endif
 static SIMPLE_DEV_PM_OPS(xo15_sci_pm, NULL, xo15_sci_resume);
diff --git a/arch/x86/power/hibernate_32.c b/arch/x86/power/hibernate_32.c
index 291226b952a9..77ac4e4deb16 100644
--- a/arch/x86/power/hibernate_32.c
+++ b/arch/x86/power/hibernate_32.c
@@ -142,7 +142,7 @@ static inline void resume_init_first_level_page_table(pgd_t *pg_dir)
 #endif
 }
-int swsusp_arch_resume(void)
+asmlinkage int swsusp_arch_resume(void)
 {
        int error;
diff --git a/arch/x86/power/hibernate_64.c b/arch/x86/power/hibernate_64.c
index 009947d419a6..0e0c773edffc 100644
--- a/arch/x86/power/hibernate_64.c
+++ b/arch/x86/power/hibernate_64.c
@@ -78,7 +78,7 @@ static int set_up_temporary_mappings(void)
        return 0;
 }
-int swsusp_arch_resume(void)
+asmlinkage int swsusp_arch_resume(void)
 {
        int error;
diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
index 73eb7fd4aec4..5b6c8486a0be 100644
--- a/arch/x86/tools/relocs.c
+++ b/arch/x86/tools/relocs.c
@@ -769,9 +769,12 @@ static int do_reloc64(struct section *sec, Elf_Rel *rel, ElfW(Sym) *sym,
                break;
        case R_X86_64_PC32:
+        case R_X86_64_PLT32:
                /*
                 * PC relative relocations don't need to be adjusted unless
                 * referencing a percpu symbol.
+                 *
+                 * NB: R_X86_64_PLT32 can be treated as R_X86_64_PC32.
                 */
                if (is_percpu_sym(sym, symname))
                        add_reloc(&relocs32neg, offset);
diff --git a/arch/x86/um/asm/barrier.h b/arch/x86/um/asm/barrier.h
index 755481f14d90..764ac2fc53fe 100644
--- a/arch/x86/um/asm/barrier.h
+++ b/arch/x86/um/asm/barrier.h
@@ -3,7 +3,7 @@
 #include <asm/asm.h>
 #include <asm/segment.h>
-#include <asm/cpufeature.h>
+#include <asm/cpufeatures.h>
 #include <asm/cmpxchg.h>
 #include <asm/nops.h>
diff --git a/arch/x86/um/stub_segv.c b/arch/x86/um/stub_segv.c
index 1518d2805ae8..fd6825537b97 100644
--- a/arch/x86/um/stub_segv.c
+++ b/arch/x86/um/stub_segv.c
@@ -10,7 +10,7 @@
 void __attribute__ ((__section__ (".__syscall_stub")))
 stub_segv_handler(int sig, siginfo_t *info, void *p)
 {
-        struct ucontext *uc = p;
+        ucontext_t *uc = p;
        GET_FAULTINFO_FROM_MC(*((struct faultinfo *) STUB_DATA),
                              &uc->uc_mcontext);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
index cbef64b508e1..82fd84d5e1aa 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -460,6 +460,12 @@ static void __init xen_init_cpuid_mask(void)
                cpuid_leaf1_ecx_set_mask = (1 << (X86_FEATURE_MWAIT % 32));
 }
+static void __init xen_init_capabilities(void)
+{
+        if (xen_pv_domain())
+                setup_force_cpu_cap(X86_FEATURE_XENPV);
+}
 static void xen_set_debugreg(int reg, unsigned long val)
 {
        HYPERVISOR_set_debugreg(reg, val);
@@ -1587,6 +1593,7 @@ asmlinkage __visible void __init xen_start_kernel(void)
        xen_init_irq_ops();
        xen_init_cpuid_mask();
+        xen_init_capabilities();
 #ifdef CONFIG_X86_LOCAL_APIC
        /*
@@ -1883,14 +1890,6 @@ bool xen_hvm_need_lapic(void)
 }
 EXPORT_SYMBOL_GPL(xen_hvm_need_lapic);
-static void xen_set_cpu_features(struct cpuinfo_x86 *c)
-{
-        if (xen_pv_domain()) {
-                clear_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
-                set_cpu_cap(c, X86_FEATURE_XENPV);
-        }
-}
 const struct hypervisor_x86 x86_hyper_xen = {
        .name                   = "Xen",
        .detect                 = xen_platform,
@@ -1898,7 +1897,6 @@ const struct hypervisor_x86 x86_hyper_xen = {
        .init_platform          = xen_hvm_guest_init,
 #endif
        .x2apic_available       = xen_x2apic_para_available,
-        .set_cpu_features       = xen_set_cpu_features,
 };
 EXPORT_SYMBOL(x86_hyper_xen);
diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
index 63146c378f1e..2b05f681a1fd 100644
--- a/arch/x86/xen/mmu.c
+++ b/arch/x86/xen/mmu.c
@@ -1316,8 +1316,6 @@ void xen_flush_tlb_all(void)
        struct mmuext_op *op;
        struct multicall_space mcs;
-        trace_xen_mmu_flush_tlb_all(0);
        preempt_disable();
        mcs = xen_mc_entry(sizeof(*op));
@@ -1335,8 +1333,6 @@ static void xen_flush_tlb(void)
        struct mmuext_op *op;
        struct multicall_space mcs;
-        trace_xen_mmu_flush_tlb(0);
        preempt_disable();
        mcs = xen_mc_entry(sizeof(*op));
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
index 3f4ebf0261f2..29e50d1229bc 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -28,6 +28,7 @@
 #include <xen/interface/vcpu.h>
 #include <xen/interface/xenpmu.h>
+#include <asm/spec-ctrl.h>
 #include <asm/xen/interface.h>
 #include <asm/xen/hypercall.h>
@@ -87,6 +88,8 @@ static void cpu_bringup(void)
        cpu_data(cpu).x86_max_cores = 1;
        set_cpu_sibling_map(cpu);
+        speculative_store_bypass_ht_init();
        xen_setup_cpu_clockevents();
        notify_cpu_starting(cpu);
@@ -357,6 +360,8 @@ static void __init xen_smp_prepare_cpus(unsigned int max_cpus)
        }
        set_cpu_sibling_map(0);
+        speculative_store_bypass_ht_init();
        xen_pmu_init(0);
        if (xen_smp_intr_init(0))
diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c
index 7f664c416faf..4ecd0de08557 100644
--- a/arch/x86/xen/suspend.c
+++ b/arch/x86/xen/suspend.c
@@ -1,11 +1,14 @@
 #include <linux/types.h>
 #include <linux/tick.h>
+#include <linux/percpu-defs.h>
 #include <xen/xen.h>
 #include <xen/interface/xen.h>
 #include <xen/grant_table.h>
 #include <xen/events.h>
+#include <asm/cpufeatures.h>
+#include <asm/msr-index.h>
 #include <asm/xen/hypercall.h>
 #include <asm/xen/page.h>
 #include <asm/fixmap.h>
@@ -68,6 +71,8 @@ static void xen_pv_post_suspend(int suspend_cancelled)
        xen_mm_unpin_all();
 }
+static DEFINE_PER_CPU(u64, spec_ctrl);
 void xen_arch_pre_suspend(void)
 {
        if (xen_pv_domain())
@@ -84,6 +89,9 @@ void xen_arch_post_suspend(int cancelled)
 static void xen_vcpu_notify_restore(void *data)
 {
+        if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL))
+                wrmsrl(MSR_IA32_SPEC_CTRL, this_cpu_read(spec_ctrl));
        /* Boot processor notified via generic timekeeping_resume() */
        if (smp_processor_id() == 0)
                return;
@@ -93,7 +101,15 @@ static void xen_vcpu_notify_restore(void *data)
 static void xen_vcpu_notify_suspend(void *data)
 {
+        u64 tmp;
        tick_suspend_local();
+        if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL)) {
+                rdmsrl(MSR_IA32_SPEC_CTRL, tmp);
+                this_cpu_write(spec_ctrl, tmp);
+                wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+        }
 }
 void xen_arch_resume(void)
diff --git a/arch/xtensa/include/asm/futex.h b/arch/xtensa/include/asm/futex.h
index b39531babec0..5bfbc1c401d4 100644
--- a/arch/xtensa/include/asm/futex.h
+++ b/arch/xtensa/include/asm/futex.h
@@ -44,18 +44,10 @@
        : "r" (uaddr), "I" (-EFAULT), "r" (oparg)       \
        : "memory")
-static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+                u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
 #if !XCHAL_HAVE_S32C1I
        return -ENOSYS;
@@ -89,19 +81,10 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (ret)
+        if (!ret)
-                return ret;
+                *oval = oldval;
-        switch (cmp) {
+        return ret;
-        case FUTEX_OP_CMP_EQ: return (oldval == cmparg);
-        case FUTEX_OP_CMP_NE: return (oldval != cmparg);
-        case FUTEX_OP_CMP_LT: return (oldval < cmparg);
-        case FUTEX_OP_CMP_GE: return (oldval >= cmparg);
-        case FUTEX_OP_CMP_LE: return (oldval <= cmparg);
-        case FUTEX_OP_CMP_GT: return (oldval > cmparg);
-        }
-        return -ENOSYS;
 }
 static inline int
@@ -109,7 +92,6 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
                              u32 oldval, u32 newval)
 {
        int ret = 0;
-        u32 prev;
        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
                return -EFAULT;
@@ -120,26 +102,24 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
        __asm__ __volatile__ (
        "       # futex_atomic_cmpxchg_inatomic\n"
-        "1:     l32i    %1, %3, 0\n"
+        "       wsr     %5, scompare1\n"
-        "       mov     %0, %5\n"
+        "1:     s32c1i  %1, %4, 0\n"
-        "       wsr     %1, scompare1\n"
+        "       s32i    %1, %6, 0\n"
-        "2:     s32c1i  %0, %3, 0\n"
+        "2:\n"
-        "3:\n"
        "       .section .fixup,\"ax\"\n"
        "       .align 4\n"
-        "4:     .long   3b\n"
+        "3:     .long   2b\n"
-        "5:     l32r    %1, 4b\n"
+        "4:     l32r    %1, 3b\n"
-        "       movi    %0, %6\n"
+        "       movi    %0, %7\n"
        "       jx      %1\n"
        "       .previous\n"
        "       .section __ex_table,\"a\"\n"
-        "       .long 1b,5b,2b,5b\n"
+        "       .long 1b,4b\n"
        "       .previous\n"
-        : "+r" (ret), "=&r" (prev), "+m" (*uaddr)
+        : "+r" (ret), "+r" (newval), "+m" (*uaddr), "+m" (*uval)
-        : "r" (uaddr), "r" (oldval), "r" (newval), "I" (-EFAULT)
+        : "r" (uaddr), "r" (oldval), "r" (uval), "I" (-EFAULT)
        : "memory");
-        *uval = prev;
        return ret;
 }
diff --git a/arch/xtensa/kernel/traps.c b/arch/xtensa/kernel/traps.c
index 42d441f7898b..1edce040f470 100644
--- a/arch/xtensa/kernel/traps.c
+++ b/arch/xtensa/kernel/traps.c
@@ -309,7 +309,7 @@ do_unaligned_user (struct pt_regs *regs)
        info.si_errno = 0;
        info.si_code = BUS_ADRALN;
        info.si_addr = (void *) regs->excvaddr;
-        force_sig_info(SIGSEGV, &info, current);
+        force_sig_info(SIGBUS, &info, current);
 }
 #endif
diff --git a/block/bio-integrity.c b/block/bio-integrity.c
index f6325d573c10..6e091ccadcd4 100644
--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -175,6 +175,9 @@ bool bio_integrity_enabled(struct bio *bio)
        if (!bio_is_rw(bio))
                return false;
+        if (!bio_sectors(bio))
+                return false;
        /* Already protected? */
        if (bio_integrity(bio))
                return false;
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 8161090a1970..46ba2402c8f9 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -1078,10 +1078,8 @@ int blkcg_init_queue(struct request_queue *q)
        if (preloaded)
                radix_tree_preload_end();
-        if (IS_ERR(blkg)) {
+        if (IS_ERR(blkg))
-                blkg_free(new_blkg);
                return PTR_ERR(blkg);
-        }
        q->root_blkg = blkg;
        q->root_rl.blkg = blkg;
diff --git a/block/blk-core.c b/block/blk-core.c
index f5f1a55703ae..50d77c90070d 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -651,21 +651,17 @@ EXPORT_SYMBOL(blk_alloc_queue);
 int blk_queue_enter(struct request_queue *q, gfp_t gfp)
 {
        while (true) {
-                int ret;
                if (percpu_ref_tryget_live(&q->q_usage_counter))
                        return 0;
                if (!gfpflags_allow_blocking(gfp))
                        return -EBUSY;
-                ret = wait_event_interruptible(q->mq_freeze_wq,
+                wait_event(q->mq_freeze_wq,
-                                !atomic_read(&q->mq_freeze_depth) ||
+                           !atomic_read(&q->mq_freeze_depth) ||
-                                blk_queue_dying(q));
+                           blk_queue_dying(q));
                if (blk_queue_dying(q))
                        return -ENODEV;
-                if (ret)
-                        return ret;
        }
 }
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 0d1af3e44efb..8649dbf06ce4 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1252,13 +1252,13 @@ static blk_qc_t blk_mq_make_request(struct request_queue *q, struct bio *bio)
        blk_queue_bounce(q, &bio);
+        blk_queue_split(q, &bio, q->bio_split);
        if (bio_integrity_enabled(bio) && bio_integrity_prep(bio)) {
                bio_io_error(bio);
                return BLK_QC_T_NONE;
        }
-        blk_queue_split(q, &bio, q->bio_split);
        if (!is_flush_fua && !blk_queue_nomerges(q) &&
            blk_attempt_plug_merge(q, bio, &request_count, &same_queue_rq))
                return BLK_QC_T_NONE;
@@ -1634,7 +1634,8 @@ static void blk_mq_exit_hctx(struct request_queue *q,
 {
        unsigned flush_start_tag = set->queue_depth;
-        blk_mq_tag_idle(hctx);
+        if (blk_mq_hw_queue_mapped(hctx))
+                blk_mq_tag_idle(hctx);
        if (set->ops->exit_request)
                set->ops->exit_request(set->driver_data,
diff --git a/block/blk-throttle.c b/block/blk-throttle.c
index 2149a1ddbacf..17bdd6b55beb 100644
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -505,6 +505,17 @@ static void throtl_dequeue_tg(struct throtl_grp *tg)
 static void throtl_schedule_pending_timer(struct throtl_service_queue *sq,
                                          unsigned long expires)
 {
+        unsigned long max_expire = jiffies + 8 * throtl_slice;
+        /*
+         * Since we are adjusting the throttle limit dynamically, the sleep
+         * time calculated according to previous limit might be invalid. It's
+         * possible the cgroup sleep time is very long and no other cgroups
+         * have IO running so notify the limit changes. Make sure the cgroup
+         * doesn't sleep too long to avoid the missed notification.
+         */
+        if (time_after(expires, max_expire))
+                expires = max_expire;
        mod_timer(&sq->pending_timer, expires);
        throtl_log(sq, "schedule timer. delay=%lu jiffies=%lu",
                   expires - jiffies, jiffies);
diff --git a/block/partition-generic.c b/block/partition-generic.c
index 3c062699f28b..29521753fb23 100644
--- a/block/partition-generic.c
+++ b/block/partition-generic.c
@@ -309,8 +309,10 @@ struct hd_struct *add_partition(struct gendisk *disk, int partno,
        if (info) {
                struct partition_meta_info *pinfo = alloc_part_info(disk);
-                if (!pinfo)
+                if (!pinfo) {
+                        err = -ENOMEM;
                        goto out_free_stats;
+                }
                memcpy(pinfo, info, sizeof(*info));
                p->info = pinfo;
        }
diff --git a/block/partitions/msdos.c b/block/partitions/msdos.c
index 5610cd537da7..7d8d50c11ce7 100644
--- a/block/partitions/msdos.c
+++ b/block/partitions/msdos.c
@@ -300,7 +300,9 @@ static void parse_bsd(struct parsed_partitions *state,
                        continue;
                bsd_start = le32_to_cpu(p->p_offset);
                bsd_size = le32_to_cpu(p->p_size);
-                if (memcmp(flavour, "bsd\0", 4) == 0)
+                /* FreeBSD has relative offset if C partition offset is zero */
+                if (memcmp(flavour, "bsd\0", 4) == 0 &&
+                    le32_to_cpu(l->d_partitions[2].p_offset) == 0)
                        bsd_start += offset;
                if (offset == bsd_start && size == bsd_size)
                        /* full parent partition, we have it already */
diff --git a/certs/Makefile b/certs/Makefile
index 28ac694dd11a..2773c4afa24c 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -36,29 +36,34 @@ ifndef CONFIG_MODULE_SIG_HASH
 $(error Could not determine digest type to use from kernel config)
 endif
+redirect_openssl        = 2>&1
+quiet_redirect_openssl  = 2>&1
+silent_redirect_openssl = 2>/dev/null
 # We do it this way rather than having a boolean option for enabling an
 # external private key, because 'make randconfig' might enable such a
 # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
 ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
 $(obj)/signing_key.pem: $(obj)/x509.genkey
-        @echo "###"
+        @$(kecho) "###"
-        @echo "### Now generating an X.509 key pair to be used for signing modules."
+        @$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
-        @echo "###"
+        @$(kecho) "###"
-        @echo "### If this takes a long time, you might wish to run rngd in the"
+        @$(kecho) "### If this takes a long time, you might wish to run rngd in the"
-        @echo "### background to keep the supply of entropy topped up.  It"
+        @$(kecho) "### background to keep the supply of entropy topped up.  It"
-        @echo "### needs to be run as root, and uses a hardware random"
+        @$(kecho) "### needs to be run as root, and uses a hardware random"
-        @echo "### number generator if one is available."
+        @$(kecho) "### number generator if one is available."
-        @echo "###"
+        @$(kecho) "###"
-        openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
+        $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
                -batch -x509 -config $(obj)/x509.genkey \
                -outform PEM -out $(obj)/signing_key.pem \
-                -keyout $(obj)/signing_key.pem 2>&1
+                -keyout $(obj)/signing_key.pem \
-        @echo "###"
+                $($(quiet)redirect_openssl)
-        @echo "### Key pair generated."
+        @$(kecho) "###"
-        @echo "###"
+        @$(kecho) "### Key pair generated."
+        @$(kecho) "###"
 $(obj)/x509.genkey:
-        @echo Generating X.509 key generation config
+        @$(kecho) Generating X.509 key generation config
        @echo  >$@ "[ req ]"
        @echo >>$@ "default_bits = 4096"
        @echo >>$@ "distinguished_name = req_distinguished_name"
diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
index e5b5721809e2..149e7a7f04fe 100644
--- a/crypto/ablkcipher.c
+++ b/crypto/ablkcipher.c
@@ -73,11 +73,9 @@ static inline u8 *ablkcipher_get_spot(u8 *start, unsigned int len)
        return max(start, end_page);
 }
-static inline unsigned int ablkcipher_done_slow(struct ablkcipher_walk *walk,
+static inline void ablkcipher_done_slow(struct ablkcipher_walk *walk,
-                                                unsigned int bsize)
+                                        unsigned int n)
 {
-        unsigned int n = bsize;
        for (;;) {
                unsigned int len_this_page = scatterwalk_pagelen(&walk->out);
@@ -89,17 +87,13 @@ static inline unsigned int ablkcipher_done_slow(struct ablkcipher_walk *walk,
                n -= len_this_page;
                scatterwalk_start(&walk->out, sg_next(walk->out.sg));
        }
-        return bsize;
 }
-static inline unsigned int ablkcipher_done_fast(struct ablkcipher_walk *walk,
+static inline void ablkcipher_done_fast(struct ablkcipher_walk *walk,
-                                                unsigned int n)
+                                        unsigned int n)
 {
        scatterwalk_advance(&walk->in, n);
        scatterwalk_advance(&walk->out, n);
-        return n;
 }
 static int ablkcipher_walk_next(struct ablkcipher_request *req,
@@ -109,39 +103,40 @@ int ablkcipher_walk_done(struct ablkcipher_request *req,
                         struct ablkcipher_walk *walk, int err)
 {
        struct crypto_tfm *tfm = req->base.tfm;
-        unsigned int nbytes = 0;
+        unsigned int n; /* bytes processed */
+        bool more;
-        if (likely(err >= 0)) {
+        if (unlikely(err < 0))
-                unsigned int n = walk->nbytes - err;
+                goto finish;
-                if (likely(!(walk->flags & ABLKCIPHER_WALK_SLOW)))
+        n = walk->nbytes - err;
-                        n = ablkcipher_done_fast(walk, n);
+        walk->total -= n;
-                else if (WARN_ON(err)) {
+        more = (walk->total != 0);
-                        err = -EINVAL;
-                        goto err;
-                } else
-                        n = ablkcipher_done_slow(walk, n);
-                nbytes = walk->total - n;
+        if (likely(!(walk->flags & ABLKCIPHER_WALK_SLOW))) {
-                err = 0;
+                ablkcipher_done_fast(walk, n);
+        } else {
+                if (WARN_ON(err)) {
+                        /* unexpected case; didn't process all bytes */
+                        err = -EINVAL;
+                        goto finish;
+                }
+                ablkcipher_done_slow(walk, n);
        }
-        scatterwalk_done(&walk->in, 0, nbytes);
+        scatterwalk_done(&walk->in, 0, more);
-        scatterwalk_done(&walk->out, 1, nbytes);
+        scatterwalk_done(&walk->out, 1, more);
-err:
-        walk->total = nbytes;
-        walk->nbytes = nbytes;
-        if (nbytes) {
+        if (more) {
                crypto_yield(req->base.flags);
                return ablkcipher_walk_next(req, walk);
        }
+        err = 0;
+finish:
+        walk->nbytes = 0;
        if (walk->iv != req->info)
                memcpy(req->info, walk->iv, tfm->crt_ablkcipher.ivsize);
        kfree(walk->iv_buffer);
        return err;
 }
 EXPORT_SYMBOL_GPL(ablkcipher_walk_done);
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index f5e18c2a4852..b5953f1d1a18 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -149,7 +149,7 @@ EXPORT_SYMBOL_GPL(af_alg_release_parent);
 static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 {
-        const u32 forbidden = CRYPTO_ALG_INTERNAL;
+        const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY;
        struct sock *sk = sock->sk;
        struct alg_sock *ask = alg_sk(sk);
        struct sockaddr_alg *sa = (void *)uaddr;
@@ -163,6 +163,10 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        if (addr_len != sizeof(*sa))
                return -EINVAL;
+        /* If caller uses non-allowed flag, return error. */
+        if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))
+                return -EINVAL;
        sa->salg_type[sizeof(sa->salg_type) - 1] = 0;
        sa->salg_name[sizeof(sa->salg_name) - 1] = 0;
@@ -175,9 +179,7 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        if (IS_ERR(type))
                return PTR_ERR(type);
-        private = type->bind(sa->salg_name,
+        private = type->bind(sa->salg_name, sa->salg_feat, sa->salg_mask);
-                             sa->salg_feat & ~forbidden,
-                             sa->salg_mask & ~forbidden);
        if (IS_ERR(private)) {
                module_put(type->owner);
                return PTR_ERR(private);
diff --git a/crypto/ahash.c b/crypto/ahash.c
index f9caf0f74199..6978ad86e516 100644
--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -91,13 +91,14 @@ int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err)
        if (nbytes && walk->offset & alignmask && !err) {
                walk->offset = ALIGN(walk->offset, alignmask + 1);
-                walk->data += walk->offset;
                nbytes = min(nbytes,
                             ((unsigned int)(PAGE_SIZE)) - walk->offset);
                walk->entrylen -= nbytes;
-                return nbytes;
+                if (nbytes) {
+                        walk->data += walk->offset;
+                        return nbytes;
+                }
        }
        if (walk->flags & CRYPTO_ALG_ASYNC)
@@ -637,5 +638,16 @@ struct hash_alg_common *ahash_attr_alg(struct rtattr *rta, u32 type, u32 mask)
 }
 EXPORT_SYMBOL_GPL(ahash_attr_alg);
+bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg)
+{
+        struct crypto_alg *alg = &halg->base;
+        if (alg->cra_type != &crypto_ahash_type)
+                return crypto_shash_alg_has_setkey(__crypto_shash_alg(alg));
+        return __crypto_ahash_alg(alg)->setkey != NULL;
+}
+EXPORT_SYMBOL_GPL(crypto_hash_alg_has_setkey);
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Asynchronous cryptographic hash type");
diff --git a/crypto/async_tx/async_pq.c b/crypto/async_tx/async_pq.c
index 84f8d4d8b6bc..09f706b7b06e 100644
--- a/crypto/async_tx/async_pq.c
+++ b/crypto/async_tx/async_pq.c
@@ -62,9 +62,6 @@ do_async_gen_syndrome(struct dma_chan *chan,
        dma_addr_t dma_dest[2];
        int src_off = 0;
-        if (submit->flags & ASYNC_TX_FENCE)
-                dma_flags |= DMA_PREP_FENCE;
        while (src_cnt > 0) {
                submit->flags = flags_orig;
                pq_src_cnt = min(src_cnt, dma_maxpq(dma, dma_flags));
@@ -83,6 +80,8 @@ do_async_gen_syndrome(struct dma_chan *chan,
                        if (cb_fn_orig)
                                dma_flags |= DMA_PREP_INTERRUPT;
                }
+                if (submit->flags & ASYNC_TX_FENCE)
+                        dma_flags |= DMA_PREP_FENCE;
                /* Drivers force forward progress in case they can not provide
                 * a descriptor
diff --git a/crypto/authenc.c b/crypto/authenc.c
index 55a354d57251..b7290c5b1eaa 100644
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -108,6 +108,7 @@ static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,
                                       CRYPTO_TFM_RES_MASK);
 out:
+        memzero_explicit(&keys, sizeof(keys));
        return err;
 badkey:
diff --git a/crypto/authencesn.c b/crypto/authencesn.c
index 52154ef21b5e..fa0c4567f697 100644
--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -90,6 +90,7 @@ static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 *
                                           CRYPTO_TFM_RES_MASK);
 out:
+        memzero_explicit(&keys, sizeof(keys));
        return err;
 badkey:
diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
index dca7bc87dad9..2d08e59b3212 100644
--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
@@ -71,19 +71,18 @@ static inline u8 *blkcipher_get_spot(u8 *start, unsigned int len)
        return max(start, end_page);
 }
-static inline unsigned int blkcipher_done_slow(struct blkcipher_walk *walk,
+static inline void blkcipher_done_slow(struct blkcipher_walk *walk,
-                                               unsigned int bsize)
+                                       unsigned int bsize)
 {
        u8 *addr;
        addr = (u8 *)ALIGN((unsigned long)walk->buffer, walk->alignmask + 1);
        addr = blkcipher_get_spot(addr, bsize);
        scatterwalk_copychunks(addr, &walk->out, bsize, 1);
-        return bsize;
 }
-static inline unsigned int blkcipher_done_fast(struct blkcipher_walk *walk,
+static inline void blkcipher_done_fast(struct blkcipher_walk *walk,
-                                               unsigned int n)
+                                       unsigned int n)
 {
        if (walk->flags & BLKCIPHER_WALK_COPY) {
                blkcipher_map_dst(walk);
@@ -97,49 +96,48 @@ static inline unsigned int blkcipher_done_fast(struct blkcipher_walk *walk,
        scatterwalk_advance(&walk->in, n);
        scatterwalk_advance(&walk->out, n);
-        return n;
 }
 int blkcipher_walk_done(struct blkcipher_desc *desc,
                        struct blkcipher_walk *walk, int err)
 {
-        unsigned int nbytes = 0;
+        unsigned int n; /* bytes processed */
+        bool more;
-        if (likely(err >= 0)) {
+        if (unlikely(err < 0))
-                unsigned int n = walk->nbytes - err;
+                goto finish;
-                if (likely(!(walk->flags & BLKCIPHER_WALK_SLOW)))
+        n = walk->nbytes - err;
-                        n = blkcipher_done_fast(walk, n);
+        walk->total -= n;
-                else if (WARN_ON(err)) {
+        more = (walk->total != 0);
-                        err = -EINVAL;
-                        goto err;
-                } else
-                        n = blkcipher_done_slow(walk, n);
-                nbytes = walk->total - n;
+        if (likely(!(walk->flags & BLKCIPHER_WALK_SLOW))) {
-                err = 0;
+                blkcipher_done_fast(walk, n);
+        } else {
+                if (WARN_ON(err)) {
+                        /* unexpected case; didn't process all bytes */
+                        err = -EINVAL;
+                        goto finish;
+                }
+                blkcipher_done_slow(walk, n);
        }
-        scatterwalk_done(&walk->in, 0, nbytes);
+        scatterwalk_done(&walk->in, 0, more);
-        scatterwalk_done(&walk->out, 1, nbytes);
+        scatterwalk_done(&walk->out, 1, more);
-err:
-        walk->total = nbytes;
-        walk->nbytes = nbytes;
-        if (nbytes) {
+        if (more) {
                crypto_yield(desc->flags);
                return blkcipher_walk_next(desc, walk);
        }
+        err = 0;
+finish:
+        walk->nbytes = 0;
        if (walk->iv != desc->info)
                memcpy(desc->info, walk->iv, walk->ivsize);
        if (walk->buffer != walk->page)
                kfree(walk->buffer);
        if (walk->page)
                free_page((unsigned long)walk->page);
        return err;
 }
 EXPORT_SYMBOL_GPL(blkcipher_walk_done);
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 26a504db3f53..10a5a3eb675a 100644
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -654,7 +654,8 @@ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
        inst->alg.finup  = cryptd_hash_finup_enqueue;
        inst->alg.export = cryptd_hash_export;
        inst->alg.import = cryptd_hash_import;
-        inst->alg.setkey = cryptd_hash_setkey;
+        if (crypto_shash_alg_has_setkey(salg))
+                inst->alg.setkey = cryptd_hash_setkey;
        inst->alg.digest = cryptd_hash_digest_enqueue;
        err = ahash_register_instance(tmpl, inst);
diff --git a/crypto/poly1305_generic.c b/crypto/poly1305_generic.c
index 2df9835dfbc0..bca99238948f 100644
--- a/crypto/poly1305_generic.c
+++ b/crypto/poly1305_generic.c
@@ -51,17 +51,6 @@ int crypto_poly1305_init(struct shash_desc *desc)
 }
 EXPORT_SYMBOL_GPL(crypto_poly1305_init);
-int crypto_poly1305_setkey(struct crypto_shash *tfm,
-                           const u8 *key, unsigned int keylen)
-{
-        /* Poly1305 requires a unique key for each tag, which implies that
-         * we can't set it on the tfm that gets accessed by multiple users
-         * simultaneously. Instead we expect the key as the first 32 bytes in
-         * the update() call. */
-        return -ENOTSUPP;
-}
-EXPORT_SYMBOL_GPL(crypto_poly1305_setkey);
 static void poly1305_setrkey(struct poly1305_desc_ctx *dctx, const u8 *key)
 {
        /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
@@ -80,6 +69,11 @@ static void poly1305_setskey(struct poly1305_desc_ctx *dctx, const u8 *key)
        dctx->s[3] = le32_to_cpuvp(key + 12);
 }
+/*
+ * Poly1305 requires a unique key for each tag, which implies that we can't set
+ * it on the tfm that gets accessed by multiple users simultaneously. Instead we
+ * expect the key as the first 32 bytes in the update() call.
+ */
 unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx,
                                        const u8 *src, unsigned int srclen)
 {
@@ -285,7 +279,6 @@ static struct shash_alg poly1305_alg = {
        .init           = crypto_poly1305_init,
        .update         = crypto_poly1305_update,
        .final          = crypto_poly1305_final,
-        .setkey         = crypto_poly1305_setkey,
        .descsize       = sizeof(struct poly1305_desc_ctx),
        .base           = {
                .cra_name               = "poly1305",
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index f522828d45c9..1d92b5d2d6bd 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -291,11 +291,13 @@ static void sg_init_aead(struct scatterlist *sg, char *xbuf[XBUFSIZE],
        }
        sg_init_table(sg, np + 1);
-        np--;
+        if (rem)
+                np--;
        for (k = 0; k < np; k++)
                sg_set_buf(&sg[k + 1], xbuf[k], PAGE_SIZE);
-        sg_set_buf(&sg[k + 1], xbuf[k], rem);
+        if (rem)
+                sg_set_buf(&sg[k + 1], xbuf[k], rem);
 }
 static void test_aead_speed(const char *algo, int enc, unsigned int secs,
diff --git a/crypto/vmac.c b/crypto/vmac.c
index df76a816cfb2..bb2fc787d615 100644
--- a/crypto/vmac.c
+++ b/crypto/vmac.c
@@ -1,6 +1,10 @@
 /*
- * Modified to interface to the Linux kernel
+ * VMAC: Message Authentication Code using Universal Hashing
+ *
+ * Reference: https://tools.ietf.org/html/draft-krovetz-vmac-01
+ *
 * Copyright (c) 2009, Intel Corporation.
+ * Copyright (c) 2018, Google Inc.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
@@ -16,14 +20,15 @@
 * Place - Suite 330, Boston, MA 02111-1307 USA.
 */
-/* --------------------------------------------------------------------------
+/*
- * VMAC and VHASH Implementation by Ted Krovetz (tdk@acm.org) and Wei Dai.
+ * Derived from:
- * This implementation is herby placed in the public domain.
+ *      VMAC and VHASH Implementation by Ted Krovetz (tdk@acm.org) and Wei Dai.
- * The authors offers no warranty. Use at your own risk.
+ *      This implementation is herby placed in the public domain.
- * Please send bug reports to the authors.
+ *      The authors offers no warranty. Use at your own risk.
- * Last modified: 17 APR 08, 1700 PDT
+ *      Last modified: 17 APR 08, 1700 PDT
- * ----------------------------------------------------------------------- */
+ */
+#include <asm/unaligned.h>
 #include <linux/init.h>
 #include <linux/types.h>
 #include <linux/crypto.h>
@@ -31,10 +36,36 @@
 #include <linux/scatterlist.h>
 #include <asm/byteorder.h>
 #include <crypto/scatterwalk.h>
-#include <crypto/vmac.h>
 #include <crypto/internal/hash.h>
 /*
+ * User definable settings.
+ */
+#define VMAC_TAG_LEN    64
+#define VMAC_KEY_SIZE   128/* Must be 128, 192 or 256                   */
+#define VMAC_KEY_LEN    (VMAC_KEY_SIZE/8)
+#define VMAC_NHBYTES    128/* Must 2^i for any 3 < i < 13 Standard = 128*/
+/* per-transform (per-key) context */
+struct vmac_tfm_ctx {
+        struct crypto_cipher *cipher;
+        u64 nhkey[(VMAC_NHBYTES/8)+2*(VMAC_TAG_LEN/64-1)];
+        u64 polykey[2*VMAC_TAG_LEN/64];
+        u64 l3key[2*VMAC_TAG_LEN/64];
+};
+/* per-request context */
+struct vmac_desc_ctx {
+        union {
+                u8 partial[VMAC_NHBYTES];       /* partial block */
+                __le64 partial_words[VMAC_NHBYTES / 8];
+        };
+        unsigned int partial_size;      /* size of the partial block */
+        bool first_block_processed;
+        u64 polytmp[2*VMAC_TAG_LEN/64]; /* running total of L2-hash */
+};
+/*
 * Constants and masks
 */
 #define UINT64_C(x) x##ULL
@@ -318,13 +349,6 @@ static void poly_step_func(u64 *ahi, u64 *alo,
        } while (0)
 #endif
-static void vhash_abort(struct vmac_ctx *ctx)
-{
-        ctx->polytmp[0] = ctx->polykey[0] ;
-        ctx->polytmp[1] = ctx->polykey[1] ;
-        ctx->first_block_processed = 0;
-}
 static u64 l3hash(u64 p1, u64 p2, u64 k1, u64 k2, u64 len)
 {
        u64 rh, rl, t, z = 0;
@@ -364,280 +388,209 @@ static u64 l3hash(u64 p1, u64 p2, u64 k1, u64 k2, u64 len)
        return rl;
 }
-static void vhash_update(const unsigned char *m,
+/* L1 and L2-hash one or more VMAC_NHBYTES-byte blocks */
-                        unsigned int mbytes, /* Pos multiple of VMAC_NHBYTES */
+static void vhash_blocks(const struct vmac_tfm_ctx *tctx,
-                        struct vmac_ctx *ctx)
+                         struct vmac_desc_ctx *dctx,
+                         const __le64 *mptr, unsigned int blocks)
 {
-        u64 rh, rl, *mptr;
+        const u64 *kptr = tctx->nhkey;
-        const u64 *kptr = (u64 *)ctx->nhkey;
+        const u64 pkh = tctx->polykey[0];
-        int i;
+        const u64 pkl = tctx->polykey[1];
-        u64 ch, cl;
+        u64 ch = dctx->polytmp[0];
-        u64 pkh = ctx->polykey[0];
+        u64 cl = dctx->polytmp[1];
-        u64 pkl = ctx->polykey[1];
+        u64 rh, rl;
-        if (!mbytes)
+        if (!dctx->first_block_processed) {
-                return;
+                dctx->first_block_processed = true;
-        BUG_ON(mbytes % VMAC_NHBYTES);
-        mptr = (u64 *)m;
-        i = mbytes / VMAC_NHBYTES;  /* Must be non-zero */
-        ch = ctx->polytmp[0];
-        cl = ctx->polytmp[1];
-        if (!ctx->first_block_processed) {
-                ctx->first_block_processed = 1;
                nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, rh, rl);
                rh &= m62;
                ADD128(ch, cl, rh, rl);
                mptr += (VMAC_NHBYTES/sizeof(u64));
-                i--;
+                blocks--;
        }
-        while (i--) {
+        while (blocks--) {
                nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, rh, rl);
                rh &= m62;
                poly_step(ch, cl, pkh, pkl, rh, rl);
                mptr += (VMAC_NHBYTES/sizeof(u64));
        }
-        ctx->polytmp[0] = ch;
+        dctx->polytmp[0] = ch;
-        ctx->polytmp[1] = cl;
+        dctx->polytmp[1] = cl;
 }
-static u64 vhash(unsigned char m[], unsigned int mbytes,
+static int vmac_setkey(struct crypto_shash *tfm,
-                        u64 *tagl, struct vmac_ctx *ctx)
+                       const u8 *key, unsigned int keylen)
 {
-        u64 rh, rl, *mptr;
+        struct vmac_tfm_ctx *tctx = crypto_shash_ctx(tfm);
-        const u64 *kptr = (u64 *)ctx->nhkey;
+        __be64 out[2];
-        int i, remaining;
+        u8 in[16] = { 0 };
-        u64 ch, cl;
+        unsigned int i;
-        u64 pkh = ctx->polykey[0];
+        int err;
-        u64 pkl = ctx->polykey[1];
-        mptr = (u64 *)m;
-        i = mbytes / VMAC_NHBYTES;
-        remaining = mbytes % VMAC_NHBYTES;
-        if (ctx->first_block_processed) {
-                ch = ctx->polytmp[0];
-                cl = ctx->polytmp[1];
-        } else if (i) {
-                nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, ch, cl);
-                ch &= m62;
-                ADD128(ch, cl, pkh, pkl);
-                mptr += (VMAC_NHBYTES/sizeof(u64));
-                i--;
-        } else if (remaining) {
-                nh_16(mptr, kptr, 2*((remaining+15)/16), ch, cl);
-                ch &= m62;
-                ADD128(ch, cl, pkh, pkl);
-                mptr += (VMAC_NHBYTES/sizeof(u64));
-                goto do_l3;
-        } else {/* Empty String */
-                ch = pkh; cl = pkl;
-                goto do_l3;
-        }
-        while (i--) {
-                nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, rh, rl);
-                rh &= m62;
-                poly_step(ch, cl, pkh, pkl, rh, rl);
-                mptr += (VMAC_NHBYTES/sizeof(u64));
-        }
-        if (remaining) {
-                nh_16(mptr, kptr, 2*((remaining+15)/16), rh, rl);
-                rh &= m62;
-                poly_step(ch, cl, pkh, pkl, rh, rl);
-        }
-do_l3:
-        vhash_abort(ctx);
-        remaining *= 8;
-        return l3hash(ch, cl, ctx->l3key[0], ctx->l3key[1], remaining);
-}
-static u64 vmac(unsigned char m[], unsigned int mbytes,
+        if (keylen != VMAC_KEY_LEN) {
-                        const unsigned char n[16], u64 *tagl,
+                crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
-                        struct vmac_ctx_t *ctx)
+                return -EINVAL;
-{
-        u64 *in_n, *out_p;
-        u64 p, h;
-        int i;
-        in_n = ctx->__vmac_ctx.cached_nonce;
-        out_p = ctx->__vmac_ctx.cached_aes;
-        i = n[15] & 1;
-        if ((*(u64 *)(n+8) != in_n[1]) || (*(u64 *)(n) != in_n[0])) {
-                in_n[0] = *(u64 *)(n);
-                in_n[1] = *(u64 *)(n+8);
-                ((unsigned char *)in_n)[15] &= 0xFE;
-                crypto_cipher_encrypt_one(ctx->child,
-                        (unsigned char *)out_p, (unsigned char *)in_n);
-                ((unsigned char *)in_n)[15] |= (unsigned char)(1-i);
        }
-        p = be64_to_cpup(out_p + i);
-        h = vhash(m, mbytes, (u64 *)0, &ctx->__vmac_ctx);
-        return le64_to_cpu(p + h);
-}
-static int vmac_set_key(unsigned char user_key[], struct vmac_ctx_t *ctx)
+        err = crypto_cipher_setkey(tctx->cipher, key, keylen);
-{
-        u64 in[2] = {0}, out[2];
-        unsigned i;
-        int err = 0;
-        err = crypto_cipher_setkey(ctx->child, user_key, VMAC_KEY_LEN);
        if (err)
                return err;
        /* Fill nh key */
-        ((unsigned char *)in)[0] = 0x80;
+        in[0] = 0x80;
-        for (i = 0; i < sizeof(ctx->__vmac_ctx.nhkey)/8; i += 2) {
+        for (i = 0; i < ARRAY_SIZE(tctx->nhkey); i += 2) {
-                crypto_cipher_encrypt_one(ctx->child,
+                crypto_cipher_encrypt_one(tctx->cipher, (u8 *)out, in);
-                        (unsigned char *)out, (unsigned char *)in);
+                tctx->nhkey[i] = be64_to_cpu(out[0]);
-                ctx->__vmac_ctx.nhkey[i] = be64_to_cpup(out);
+                tctx->nhkey[i+1] = be64_to_cpu(out[1]);
-                ctx->__vmac_ctx.nhkey[i+1] = be64_to_cpup(out+1);
+                in[15]++;
-                ((unsigned char *)in)[15] += 1;
        }
        /* Fill poly key */
-        ((unsigned char *)in)[0] = 0xC0;
+        in[0] = 0xC0;
-        in[1] = 0;
+        in[15] = 0;
-        for (i = 0; i < sizeof(ctx->__vmac_ctx.polykey)/8; i += 2) {
+        for (i = 0; i < ARRAY_SIZE(tctx->polykey); i += 2) {
-                crypto_cipher_encrypt_one(ctx->child,
+                crypto_cipher_encrypt_one(tctx->cipher, (u8 *)out, in);
-                        (unsigned char *)out, (unsigned char *)in);
+                tctx->polykey[i] = be64_to_cpu(out[0]) & mpoly;
-                ctx->__vmac_ctx.polytmp[i] =
+                tctx->polykey[i+1] = be64_to_cpu(out[1]) & mpoly;
-                        ctx->__vmac_ctx.polykey[i] =
+                in[15]++;
-                                be64_to_cpup(out) & mpoly;
-                ctx->__vmac_ctx.polytmp[i+1] =
-                        ctx->__vmac_ctx.polykey[i+1] =
-                                be64_to_cpup(out+1) & mpoly;
-                ((unsigned char *)in)[15] += 1;
        }
        /* Fill ip key */
-        ((unsigned char *)in)[0] = 0xE0;
+        in[0] = 0xE0;
-        in[1] = 0;
+        in[15] = 0;
-        for (i = 0; i < sizeof(ctx->__vmac_ctx.l3key)/8; i += 2) {
+        for (i = 0; i < ARRAY_SIZE(tctx->l3key); i += 2) {
                do {
-                        crypto_cipher_encrypt_one(ctx->child,
+                        crypto_cipher_encrypt_one(tctx->cipher, (u8 *)out, in);
-                                (unsigned char *)out, (unsigned char *)in);
+                        tctx->l3key[i] = be64_to_cpu(out[0]);
-                        ctx->__vmac_ctx.l3key[i] = be64_to_cpup(out);
+                        tctx->l3key[i+1] = be64_to_cpu(out[1]);
-                        ctx->__vmac_ctx.l3key[i+1] = be64_to_cpup(out+1);
+                        in[15]++;
-                        ((unsigned char *)in)[15] += 1;
+                } while (tctx->l3key[i] >= p64 || tctx->l3key[i+1] >= p64);
-                } while (ctx->__vmac_ctx.l3key[i] >= p64
-                        || ctx->__vmac_ctx.l3key[i+1] >= p64);
        }
-        /* Invalidate nonce/aes cache and reset other elements */
+        return 0;
-        ctx->__vmac_ctx.cached_nonce[0] = (u64)-1; /* Ensure illegal nonce */
-        ctx->__vmac_ctx.cached_nonce[1] = (u64)0;  /* Ensure illegal nonce */
-        ctx->__vmac_ctx.first_block_processed = 0;
-        return err;
 }
-static int vmac_setkey(struct crypto_shash *parent,
+static int vmac_init(struct shash_desc *desc)
-                const u8 *key, unsigned int keylen)
 {
-        struct vmac_ctx_t *ctx = crypto_shash_ctx(parent);
+        const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
+        struct vmac_desc_ctx *dctx = shash_desc_ctx(desc);
-        if (keylen != VMAC_KEY_LEN) {
+        dctx->partial_size = 0;
-                crypto_shash_set_flags(parent, CRYPTO_TFM_RES_BAD_KEY_LEN);
+        dctx->first_block_processed = false;
-                return -EINVAL;
+        memcpy(dctx->polytmp, tctx->polykey, sizeof(dctx->polytmp));
-        }
-        return vmac_set_key((u8 *)key, ctx);
-}
-static int vmac_init(struct shash_desc *pdesc)
-{
        return 0;
 }
-static int vmac_update(struct shash_desc *pdesc, const u8 *p,
+static int vmac_update(struct shash_desc *desc, const u8 *p, unsigned int len)
-                unsigned int len)
 {
-        struct crypto_shash *parent = pdesc->tfm;
+        const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
-        struct vmac_ctx_t *ctx = crypto_shash_ctx(parent);
+        struct vmac_desc_ctx *dctx = shash_desc_ctx(desc);
-        int expand;
+        unsigned int n;
-        int min;
+        if (dctx->partial_size) {
-        expand = VMAC_NHBYTES - ctx->partial_size > 0 ?
+                n = min(len, VMAC_NHBYTES - dctx->partial_size);
-                        VMAC_NHBYTES - ctx->partial_size : 0;
+                memcpy(&dctx->partial[dctx->partial_size], p, n);
+                dctx->partial_size += n;
-        min = len < expand ? len : expand;
+                p += n;
+                len -= n;
-        memcpy(ctx->partial + ctx->partial_size, p, min);
+                if (dctx->partial_size == VMAC_NHBYTES) {
-        ctx->partial_size += min;
+                        vhash_blocks(tctx, dctx, dctx->partial_words, 1);
+                        dctx->partial_size = 0;
-        if (len < expand)
+                }
-                return 0;
+        }
-        vhash_update(ctx->partial, VMAC_NHBYTES, &ctx->__vmac_ctx);
-        ctx->partial_size = 0;
-        len -= expand;
-        p += expand;
-        if (len % VMAC_NHBYTES) {
+        if (len >= VMAC_NHBYTES) {
-                memcpy(ctx->partial, p + len - (len % VMAC_NHBYTES),
+                n = round_down(len, VMAC_NHBYTES);
-                        len % VMAC_NHBYTES);
+                /* TODO: 'p' may be misaligned here */
-                ctx->partial_size = len % VMAC_NHBYTES;
+                vhash_blocks(tctx, dctx, (const __le64 *)p, n / VMAC_NHBYTES);
+                p += n;
+                len -= n;
        }
-        vhash_update(p, len - len % VMAC_NHBYTES, &ctx->__vmac_ctx);
+        if (len) {
+                memcpy(dctx->partial, p, len);
+                dctx->partial_size = len;
+        }
        return 0;
 }
-static int vmac_final(struct shash_desc *pdesc, u8 *out)
+static u64 vhash_final(const struct vmac_tfm_ctx *tctx,
+                       struct vmac_desc_ctx *dctx)
 {
-        struct crypto_shash *parent = pdesc->tfm;
+        unsigned int partial = dctx->partial_size;
-        struct vmac_ctx_t *ctx = crypto_shash_ctx(parent);
+        u64 ch = dctx->polytmp[0];
-        vmac_t mac;
+        u64 cl = dctx->polytmp[1];
-        u8 nonce[16] = {};
+        /* L1 and L2-hash the final block if needed */
-        /* vmac() ends up accessing outside the array bounds that
+        if (partial) {
-         * we specify.  In appears to access up to the next 2-word
+                /* Zero-pad to next 128-bit boundary */
-         * boundary.  We'll just be uber cautious and zero the
+                unsigned int n = round_up(partial, 16);
-         * unwritten bytes in the buffer.
+                u64 rh, rl;
-         */
-        if (ctx->partial_size) {
+                memset(&dctx->partial[partial], 0, n - partial);
-                memset(ctx->partial + ctx->partial_size, 0,
+                nh_16(dctx->partial_words, tctx->nhkey, n / 8, rh, rl);
-                        VMAC_NHBYTES - ctx->partial_size);
+                rh &= m62;
+                if (dctx->first_block_processed)
+                        poly_step(ch, cl, tctx->polykey[0], tctx->polykey[1],
+                                  rh, rl);
+                else
+                        ADD128(ch, cl, rh, rl);
        }
-        mac = vmac(ctx->partial, ctx->partial_size, nonce, NULL, ctx);
-        memcpy(out, &mac, sizeof(vmac_t));
+        /* L3-hash the 128-bit output of L2-hash */
-        memzero_explicit(&mac, sizeof(vmac_t));
+        return l3hash(ch, cl, tctx->l3key[0], tctx->l3key[1], partial * 8);
-        memset(&ctx->__vmac_ctx, 0, sizeof(struct vmac_ctx));
+}
-        ctx->partial_size = 0;
+static int vmac_final(struct shash_desc *desc, u8 *out)
+{
+        const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
+        struct vmac_desc_ctx *dctx = shash_desc_ctx(desc);
+        static const u8 nonce[16] = {}; /* TODO: this is insecure */
+        union {
+                u8 bytes[16];
+                __be64 pads[2];
+        } block;
+        int index;
+        u64 hash, pad;
+        /* Finish calculating the VHASH of the message */
+        hash = vhash_final(tctx, dctx);
+        /* Generate pseudorandom pad by encrypting the nonce */
+        memcpy(&block, nonce, 16);
+        index = block.bytes[15] & 1;
+        block.bytes[15] &= ~1;
+        crypto_cipher_encrypt_one(tctx->cipher, block.bytes, block.bytes);
+        pad = be64_to_cpu(block.pads[index]);
+        /* The VMAC is the sum of VHASH and the pseudorandom pad */
+        put_unaligned_le64(hash + pad, out);
        return 0;
 }
 static int vmac_init_tfm(struct crypto_tfm *tfm)
 {
-        struct crypto_cipher *cipher;
+        struct crypto_instance *inst = crypto_tfm_alg_instance(tfm);
-        struct crypto_instance *inst = (void *)tfm->__crt_alg;
        struct crypto_spawn *spawn = crypto_instance_ctx(inst);
-        struct vmac_ctx_t *ctx = crypto_tfm_ctx(tfm);
+        struct vmac_tfm_ctx *tctx = crypto_tfm_ctx(tfm);
+        struct crypto_cipher *cipher;
        cipher = crypto_spawn_cipher(spawn);
        if (IS_ERR(cipher))
                return PTR_ERR(cipher);
-        ctx->child = cipher;
+        tctx->cipher = cipher;
        return 0;
 }
 static void vmac_exit_tfm(struct crypto_tfm *tfm)
 {
-        struct vmac_ctx_t *ctx = crypto_tfm_ctx(tfm);
+        struct vmac_tfm_ctx *tctx = crypto_tfm_ctx(tfm);
-        crypto_free_cipher(ctx->child);
+        crypto_free_cipher(tctx->cipher);
 }
 static int vmac_create(struct crypto_template *tmpl, struct rtattr **tb)
@@ -655,6 +608,10 @@ static int vmac_create(struct crypto_template *tmpl, struct rtattr **tb)
        if (IS_ERR(alg))
                return PTR_ERR(alg);
+        err = -EINVAL;
+        if (alg->cra_blocksize != 16)
+                goto out_put_alg;
        inst = shash_alloc_instance("vmac", alg);
        err = PTR_ERR(inst);
        if (IS_ERR(inst))
@@ -670,11 +627,12 @@ static int vmac_create(struct crypto_template *tmpl, struct rtattr **tb)
        inst->alg.base.cra_blocksize = alg->cra_blocksize;
        inst->alg.base.cra_alignmask = alg->cra_alignmask;
-        inst->alg.digestsize = sizeof(vmac_t);
+        inst->alg.base.cra_ctxsize = sizeof(struct vmac_tfm_ctx);
-        inst->alg.base.cra_ctxsize = sizeof(struct vmac_ctx_t);
        inst->alg.base.cra_init = vmac_init_tfm;
        inst->alg.base.cra_exit = vmac_exit_tfm;
+        inst->alg.descsize = sizeof(struct vmac_desc_ctx);
+        inst->alg.digestsize = VMAC_TAG_LEN / 8;
        inst->alg.init = vmac_init;
        inst->alg.update = vmac_update;
        inst->alg.final = vmac_final;
diff --git a/drivers/Makefile b/drivers/Makefile
index 1d70931d6752..2d3edaa16532 100644
--- a/drivers/Makefile
+++ b/drivers/Makefile
@@ -100,6 +100,7 @@ obj-$(CONFIG_TC)		+= tc/
 obj-$(CONFIG_UWB)               += uwb/
 obj-$(CONFIG_USB_PHY)           += usb/
 obj-$(CONFIG_USB)               += usb/
+obj-$(CONFIG_USB_SUPPORT)       += usb/
 obj-$(CONFIG_PCI)               += usb/
 obj-$(CONFIG_USB_GADGET)        += usb/
 obj-$(CONFIG_OF)                += usb/
diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c
index f9e0d09f7c66..8a0f77fb5181 100644
--- a/drivers/acpi/acpi_lpss.c
+++ b/drivers/acpi/acpi_lpss.c
@@ -154,10 +154,12 @@ static const struct lpss_device_desc lpt_sdio_dev_desc = {
 static const struct lpss_device_desc byt_pwm_dev_desc = {
        .flags = LPSS_SAVE_CTX,
+        .prv_offset = 0x800,
 };
 static const struct lpss_device_desc bsw_pwm_dev_desc = {
        .flags = LPSS_SAVE_CTX | LPSS_NO_D3_DELAY,
+        .prv_offset = 0x800,
 };
 static const struct lpss_device_desc byt_uart_dev_desc = {
diff --git a/drivers/acpi/acpi_pad.c b/drivers/acpi/acpi_pad.c
index 8ea8211b2d58..f8bb0e4d035a 100644
--- a/drivers/acpi/acpi_pad.c
+++ b/drivers/acpi/acpi_pad.c
@@ -108,6 +108,7 @@ static void round_robin_cpu(unsigned int tsk_index)
                cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus);
        if (cpumask_empty(tmp)) {
                mutex_unlock(&round_robin_lock);
+                free_cpumask_var(tmp);
                return;
        }
        for_each_cpu(cpu, tmp) {
@@ -125,6 +126,8 @@ static void round_robin_cpu(unsigned int tsk_index)
        mutex_unlock(&round_robin_lock);
        set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu));
+        free_cpumask_var(tmp);
 }
 static void exit_round_robin(unsigned int tsk_index)
diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
index 9f77943653fb..b63a173786d5 100644
--- a/drivers/acpi/acpi_processor.c
+++ b/drivers/acpi/acpi_processor.c
@@ -331,15 +331,6 @@ static int acpi_processor_get_info(struct acpi_device *device)
                pr->throttling.duty_width = acpi_gbl_FADT.duty_width;
                pr->pblk = object.processor.pblk_address;
-                /*
-                 * We don't care about error returns - we just try to mark
-                 * these reserved so that nobody else is confused into thinking
-                 * that this region might be unused..
-                 *
-                 * (In particular, allocating the IO range for Cardbus)
-                 */
-                request_region(pr->throttling.address, 6, "ACPI CPU throttle");
        }
        /*
diff --git a/drivers/acpi/acpica/evevent.c b/drivers/acpi/acpica/evevent.c
index bf6873f95e72..0b5eedb60d04 100644
--- a/drivers/acpi/acpica/evevent.c
+++ b/drivers/acpi/acpica/evevent.c
@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void)
        u32 fixed_status;
        u32 fixed_enable;
        u32 i;
+        acpi_status status;
        ACPI_FUNCTION_NAME(ev_fixed_event_detect);
@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void)
         * Read the fixed feature status and enable registers, as all the cases
         * depend on their values. Ignore errors here.
         */
-        (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
+        status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status);
-        (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
+        status |=
+            acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable);
+        if (ACPI_FAILURE(status)) {
+                return (int_status);
+        }
        ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS,
                          "Fixed Event Block: Enable %08X Status %08X\n",
diff --git a/drivers/acpi/acpica/evxfevnt.c b/drivers/acpi/acpica/evxfevnt.c
index 10ce48e16ebf..d830705f8a18 100644
--- a/drivers/acpi/acpica/evxfevnt.c
+++ b/drivers/acpi/acpica/evxfevnt.c
@@ -180,6 +180,12 @@ acpi_status acpi_enable_event(u32 event, u32 flags)
        ACPI_FUNCTION_TRACE(acpi_enable_event);
+        /* If Hardware Reduced flag is set, there are no fixed events */
+        if (acpi_gbl_reduced_hardware) {
+                return_ACPI_STATUS(AE_OK);
+        }
        /* Decode the Fixed Event */
        if (event > ACPI_EVENT_MAX) {
@@ -237,6 +243,12 @@ acpi_status acpi_disable_event(u32 event, u32 flags)
        ACPI_FUNCTION_TRACE(acpi_disable_event);
+        /* If Hardware Reduced flag is set, there are no fixed events */
+        if (acpi_gbl_reduced_hardware) {
+                return_ACPI_STATUS(AE_OK);
+        }
        /* Decode the Fixed Event */
        if (event > ACPI_EVENT_MAX) {
@@ -290,6 +302,12 @@ acpi_status acpi_clear_event(u32 event)
        ACPI_FUNCTION_TRACE(acpi_clear_event);
+        /* If Hardware Reduced flag is set, there are no fixed events */
+        if (acpi_gbl_reduced_hardware) {
+                return_ACPI_STATUS(AE_OK);
+        }
        /* Decode the Fixed Event */
        if (event > ACPI_EVENT_MAX) {
diff --git a/drivers/acpi/acpica/nseval.c b/drivers/acpi/acpica/nseval.c
index 7eba578d36f3..10262cae8a19 100644
--- a/drivers/acpi/acpica/nseval.c
+++ b/drivers/acpi/acpica/nseval.c
@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi_evaluate_info *info)
                /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */
                status = AE_OK;
+        } else if (ACPI_FAILURE(status)) {
+                /* If return_object exists, delete it */
+                if (info->return_object) {
+                        acpi_ut_remove_reference(info->return_object);
+                        info->return_object = NULL;
+                }
        }
        ACPI_DEBUG_PRINT((ACPI_DB_NAMES,
diff --git a/drivers/acpi/acpica/nsutils.c b/drivers/acpi/acpica/nsutils.c
index de325ae04ce1..3b3c5b90bd20 100644
--- a/drivers/acpi/acpica/nsutils.c
+++ b/drivers/acpi/acpica/nsutils.c
@@ -593,25 +593,20 @@ struct acpi_namespace_node *acpi_ns_validate_handle(acpi_handle handle)
 void acpi_ns_terminate(void)
 {
        acpi_status status;
+        union acpi_operand_object *prev;
+        union acpi_operand_object *next;
        ACPI_FUNCTION_TRACE(ns_terminate);
-#ifdef ACPI_EXEC_APP
+        /* Delete any module-level code blocks */
-        {
-                union acpi_operand_object *prev;
-                union acpi_operand_object *next;
-                /* Delete any module-level code blocks */
+        next = acpi_gbl_module_code_list;
+        while (next) {
-                next = acpi_gbl_module_code_list;
+                prev = next;
-                while (next) {
+                next = next->method.mutex;
-                        prev = next;
+                prev->method.mutex = NULL;      /* Clear the Mutex (cheated) field */
-                        next = next->method.mutex;
+                acpi_ut_remove_reference(prev);
-                        prev->method.mutex = NULL;      /* Clear the Mutex (cheated) field */
-                        acpi_ut_remove_reference(prev);
-                }
        }
-#endif
        /*
         * Free the entire namespace -- all nodes and all objects
diff --git a/drivers/acpi/acpica/psobject.c b/drivers/acpi/acpica/psobject.c
index e54bc2aa7a88..a05b3b79b987 100644
--- a/drivers/acpi/acpica/psobject.c
+++ b/drivers/acpi/acpica/psobject.c
@@ -121,6 +121,9 @@ static acpi_status acpi_ps_get_aml_opcode(struct acpi_walk_state *walk_state)
                             (u32)(aml_offset +
                                   sizeof(struct acpi_table_header)));
+                        ACPI_ERROR((AE_INFO,
+                                    "Aborting disassembly, AML byte code is corrupt"));
                        /* Dump the context surrounding the invalid opcode */
                        acpi_ut_dump_buffer(((u8 *)walk_state->parser_state.
@@ -129,6 +132,14 @@ static acpi_status acpi_ps_get_aml_opcode(struct acpi_walk_state *walk_state)
                                             sizeof(struct acpi_table_header) -
                                             16));
                        acpi_os_printf(" */\n");
+                        /*
+                         * Just abort the disassembly, cannot continue because the
+                         * parser is essentially lost. The disassembler can then
+                         * randomly fail because an ill-constructed parse tree
+                         * can result.
+                         */
+                        return_ACPI_STATUS(AE_AML_BAD_OPCODE);
 #endif
                }
@@ -293,6 +304,9 @@ acpi_ps_create_op(struct acpi_walk_state *walk_state,
        if (status == AE_CTRL_PARSE_CONTINUE) {
                return_ACPI_STATUS(AE_CTRL_PARSE_CONTINUE);
        }
+        if (ACPI_FAILURE(status)) {
+                return_ACPI_STATUS(status);
+        }
        /* Create Op structure and append to parent's argument list */
diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c
index b9afb47db7ed..1521d9a41d25 100644
--- a/drivers/acpi/device_sysfs.c
+++ b/drivers/acpi/device_sysfs.c
@@ -146,6 +146,10 @@ static int create_pnp_modalias(struct acpi_device *acpi_dev, char *modalias,
        int count;
        struct acpi_hardware_id *id;
+        /* Avoid unnecessarily loading modules for non present devices. */
+        if (!acpi_device_is_present(acpi_dev))
+                return 0;
        /*
         * Since we skip ACPI_DT_NAMESPACE_HID from the modalias below, 0 should
         * be returned if ACPI_DT_NAMESPACE_HID is the only ACPI/PNP ID in the
diff --git a/drivers/acpi/glue.c b/drivers/acpi/glue.c
index 73c9c7fa9001..f06317d6fc38 100644
--- a/drivers/acpi/glue.c
+++ b/drivers/acpi/glue.c
@@ -99,13 +99,13 @@ static int find_child_checks(struct acpi_device *adev, bool check_children)
                return -ENODEV;
        /*
-         * If the device has a _HID (or _CID) returning a valid ACPI/PNP
+         * If the device has a _HID returning a valid ACPI/PNP device ID, it is
-         * device ID, it is better to make it look less attractive here, so that
+         * better to make it look less attractive here, so that the other device
-         * the other device with the same _ADR value (that may not have a valid
+         * with the same _ADR value (that may not have a valid device ID) can be
-         * device ID) can be matched going forward.  [This means a second spec
+         * matched going forward.  [This means a second spec violation in a row,
-         * violation in a row, so whatever we do here is best effort anyway.]
+         * so whatever we do here is best effort anyway.]
         */
-        return sta_present && list_empty(&adev->pnp.ids) ?
+        return sta_present && !adev->pnp.type.platform_id ?
                        FIND_CHILD_MAX_SCORE : FIND_CHILD_MIN_SCORE;
 }
diff --git a/drivers/acpi/numa.c b/drivers/acpi/numa.c
index d176e0ece470..2946e2846573 100644
--- a/drivers/acpi/numa.c
+++ b/drivers/acpi/numa.c
@@ -103,25 +103,27 @@ int acpi_map_pxm_to_node(int pxm)
 */
 int acpi_map_pxm_to_online_node(int pxm)
 {
-        int node, n, dist, min_dist;
+        int node, min_node;
        node = acpi_map_pxm_to_node(pxm);
        if (node == NUMA_NO_NODE)
                node = 0;
+        min_node = node;
        if (!node_online(node)) {
-                min_dist = INT_MAX;
+                int min_dist = INT_MAX, dist, n;
                for_each_online_node(n) {
                        dist = node_distance(node, n);
                        if (dist < min_dist) {
                                min_dist = dist;
-                                node = n;
+                                min_node = n;
                        }
                }
        }
-        return node;
+        return min_node;
 }
 EXPORT_SYMBOL(acpi_map_pxm_to_online_node);
diff --git a/drivers/acpi/pci_irq.c b/drivers/acpi/pci_irq.c
index 8a10a7ae6a8a..c8e169e46673 100644
--- a/drivers/acpi/pci_irq.c
+++ b/drivers/acpi/pci_irq.c
@@ -131,9 +131,6 @@ static void do_prt_fixups(struct acpi_prt_entry *entry,
                quirk = &prt_quirks[i];
                /* All current quirks involve link devices, not GSIs */
-                if (!prt->source)
-                        continue;
                if (dmi_check_system(quirk->system) &&
                    entry->id.segment == quirk->segment &&
                    entry->id.bus == quirk->bus &&
diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c
index ae3fe4e64203..3b0b4bd67b71 100644
--- a/drivers/acpi/pci_root.c
+++ b/drivers/acpi/pci_root.c
@@ -472,9 +472,11 @@ static void negotiate_os_control(struct acpi_pci_root *root, int *no_aspm)
        }
        control = OSC_PCI_EXPRESS_CAPABILITY_CONTROL
-                | OSC_PCI_EXPRESS_NATIVE_HP_CONTROL
                | OSC_PCI_EXPRESS_PME_CONTROL;
+        if (IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
+                control |= OSC_PCI_EXPRESS_NATIVE_HP_CONTROL;
        if (pci_aer_available()) {
                if (aer_acpi_firmware_first())
                        dev_info(&device->dev,
diff --git a/drivers/acpi/pmic/intel_pmic_xpower.c b/drivers/acpi/pmic/intel_pmic_xpower.c
index 6a082d4de12c..24a793957bc0 100644
--- a/drivers/acpi/pmic/intel_pmic_xpower.c
+++ b/drivers/acpi/pmic/intel_pmic_xpower.c
@@ -28,97 +28,97 @@ static struct pmic_table power_table[] = {
                .address = 0x00,
                .reg = 0x13,
                .bit = 0x05,
-        },
+        }, /* ALD1 */
        {
                .address = 0x04,
                .reg = 0x13,
                .bit = 0x06,
-        },
+        }, /* ALD2 */
        {
                .address = 0x08,
                .reg = 0x13,
                .bit = 0x07,
-        },
+        }, /* ALD3 */
        {
                .address = 0x0c,
                .reg = 0x12,
                .bit = 0x03,
-        },
+        }, /* DLD1 */
        {
                .address = 0x10,
                .reg = 0x12,
                .bit = 0x04,
-        },
+        }, /* DLD2 */
        {
                .address = 0x14,
                .reg = 0x12,
                .bit = 0x05,
-        },
+        }, /* DLD3 */
        {
                .address = 0x18,
                .reg = 0x12,
                .bit = 0x06,
-        },
+        }, /* DLD4 */
        {
                .address = 0x1c,
                .reg = 0x12,
                .bit = 0x00,
-        },
+        }, /* ELD1 */
        {
                .address = 0x20,
                .reg = 0x12,
                .bit = 0x01,
-        },
+        }, /* ELD2 */
        {
                .address = 0x24,
                .reg = 0x12,
                .bit = 0x02,
-        },
+        }, /* ELD3 */
        {
                .address = 0x28,
                .reg = 0x13,
                .bit = 0x02,
-        },
+        }, /* FLD1 */
        {
                .address = 0x2c,
                .reg = 0x13,
                .bit = 0x03,
-        },
+        }, /* FLD2 */
        {
                .address = 0x30,
                .reg = 0x13,
                .bit = 0x04,
-        },
+        }, /* FLD3 */
        {
-                .address = 0x38,
+                .address = 0x34,
                .reg = 0x10,
                .bit = 0x03,
-        },
+        }, /* BUC1 */
        {
-                .address = 0x3c,
+                .address = 0x38,
                .reg = 0x10,
                .bit = 0x06,
-        },
+        }, /* BUC2 */
        {
-                .address = 0x40,
+                .address = 0x3c,
                .reg = 0x10,
                .bit = 0x05,
-        },
+        }, /* BUC3 */
        {
-                .address = 0x44,
+                .address = 0x40,
                .reg = 0x10,
                .bit = 0x04,
-        },
+        }, /* BUC4 */
        {
-                .address = 0x48,
+                .address = 0x44,
                .reg = 0x10,
                .bit = 0x01,
-        },
+        }, /* BUC5 */
        {
-                .address = 0x4c,
+                .address = 0x48,
                .reg = 0x10,
                .bit = 0x00
-        },
+        }, /* BUC6 */
 };
 /* TMP0 - TMP5 are the same, all from GPADC */
diff --git a/drivers/acpi/processor_driver.c b/drivers/acpi/processor_driver.c
index 11154a330f07..c9bf74982688 100644
--- a/drivers/acpi/processor_driver.c
+++ b/drivers/acpi/processor_driver.c
@@ -259,6 +259,9 @@ static int __acpi_processor_start(struct acpi_device *device)
        if (ACPI_SUCCESS(status))
                return 0;
+        result = -ENODEV;
+        acpi_pss_perf_exit(pr, device);
 err_power_exit:
        acpi_processor_power_exit(pr);
        return result;
@@ -267,11 +270,16 @@ err_power_exit:
 static int acpi_processor_start(struct device *dev)
 {
        struct acpi_device *device = ACPI_COMPANION(dev);
+        int ret;
        if (!device)
                return -ENODEV;
-        return __acpi_processor_start(device);
+        /* Protect against concurrent CPU hotplug operations */
+        get_online_cpus();
+        ret = __acpi_processor_start(device);
+        put_online_cpus();
+        return ret;
 }
 static int acpi_processor_stop(struct device *dev)
diff --git a/drivers/acpi/processor_perflib.c b/drivers/acpi/processor_perflib.c
index bb01dea39fdc..9825780a1cd2 100644
--- a/drivers/acpi/processor_perflib.c
+++ b/drivers/acpi/processor_perflib.c
@@ -161,7 +161,7 @@ int acpi_processor_ppc_has_changed(struct acpi_processor *pr, int event_flag)
 {
        int ret;
-        if (ignore_ppc) {
+        if (ignore_ppc || !pr->performance) {
                /*
                 * Only when it is notification event, the _OST object
                 * will be evaluated. Otherwise it is skipped.
diff --git a/drivers/acpi/processor_throttling.c b/drivers/acpi/processor_throttling.c
index f170d746336d..93d72413d844 100644
--- a/drivers/acpi/processor_throttling.c
+++ b/drivers/acpi/processor_throttling.c
@@ -62,8 +62,8 @@ struct acpi_processor_throttling_arg {
 #define THROTTLING_POSTCHANGE      (2)
 static int acpi_processor_get_throttling(struct acpi_processor *pr);
-int acpi_processor_set_throttling(struct acpi_processor *pr,
+static int __acpi_processor_set_throttling(struct acpi_processor *pr,
-                                                int state, bool force);
+                                           int state, bool force, bool direct);
 static int acpi_processor_update_tsd_coord(void)
 {
@@ -676,6 +676,15 @@ static int acpi_processor_get_throttling_fadt(struct acpi_processor *pr)
        if (!pr->flags.throttling)
                return -ENODEV;
+        /*
+         * We don't care about error returns - we just try to mark
+         * these reserved so that nobody else is confused into thinking
+         * that this region might be unused..
+         *
+         * (In particular, allocating the IO range for Cardbus)
+         */
+        request_region(pr->throttling.address, 6, "ACPI CPU throttle");
        pr->throttling.state = 0;
        duty_mask = pr->throttling.state_count - 1;
@@ -882,7 +891,8 @@ static int acpi_processor_get_throttling_ptc(struct acpi_processor *pr)
                        ACPI_DEBUG_PRINT((ACPI_DB_INFO,
                                "Invalid throttling state, reset\n"));
                        state = 0;
-                        ret = acpi_processor_set_throttling(pr, state, true);
+                        ret = __acpi_processor_set_throttling(pr, state, true,
+                                                              true);
                        if (ret)
                                return ret;
                }
@@ -892,36 +902,31 @@ static int acpi_processor_get_throttling_ptc(struct acpi_processor *pr)
        return 0;
 }
-static int acpi_processor_get_throttling(struct acpi_processor *pr)
+static long __acpi_processor_get_throttling(void *data)
 {
-        cpumask_var_t saved_mask;
+        struct acpi_processor *pr = data;
-        int ret;
+        return pr->throttling.acpi_processor_get_throttling(pr);
+}
+static int acpi_processor_get_throttling(struct acpi_processor *pr)
+{
        if (!pr)
                return -EINVAL;
        if (!pr->flags.throttling)
                return -ENODEV;
-        if (!alloc_cpumask_var(&saved_mask, GFP_KERNEL))
-                return -ENOMEM;
        /*
-         * Migrate task to the cpu pointed by pr.
+         * This is either called from the CPU hotplug callback of
+         * processor_driver or via the ACPI probe function. In the latter
+         * case the CPU is not guaranteed to be online. Both call sites are
+         * protected against CPU hotplug.
         */
-        cpumask_copy(saved_mask, &current->cpus_allowed);
+        if (!cpu_online(pr->id))
-        /* FIXME: use work_on_cpu() */
-        if (set_cpus_allowed_ptr(current, cpumask_of(pr->id))) {
-                /* Can't migrate to the target pr->id CPU. Exit */
-                free_cpumask_var(saved_mask);
                return -ENODEV;
-        }
-        ret = pr->throttling.acpi_processor_get_throttling(pr);
-        /* restore the previous state */
-        set_cpus_allowed_ptr(current, saved_mask);
-        free_cpumask_var(saved_mask);
-        return ret;
+        return work_on_cpu(pr->id, __acpi_processor_get_throttling, pr);
 }
 static int acpi_processor_get_fadt_info(struct acpi_processor *pr)
@@ -1071,8 +1076,15 @@ static long acpi_processor_throttling_fn(void *data)
                        arg->target_state, arg->force);
 }
-int acpi_processor_set_throttling(struct acpi_processor *pr,
+static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct)
-                                                int state, bool force)
+{
+        if (direct)
+                return fn(arg);
+        return work_on_cpu(cpu, fn, arg);
+}
+static int __acpi_processor_set_throttling(struct acpi_processor *pr,
+                                           int state, bool force, bool direct)
 {
        int ret = 0;
        unsigned int i;
@@ -1121,7 +1133,8 @@ int acpi_processor_set_throttling(struct acpi_processor *pr,
                arg.pr = pr;
                arg.target_state = state;
                arg.force = force;
-                ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, &arg);
+                ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, &arg,
+                                  direct);
        } else {
                /*
                 * When the T-state coordination is SW_ALL or HW_ALL,
@@ -1154,8 +1167,8 @@ int acpi_processor_set_throttling(struct acpi_processor *pr,
                        arg.pr = match_pr;
                        arg.target_state = state;
                        arg.force = force;
-                        ret = work_on_cpu(pr->id, acpi_processor_throttling_fn,
+                        ret = call_on_cpu(pr->id, acpi_processor_throttling_fn,
-                                &arg);
+                                          &arg, direct);
                }
        }
        /*
@@ -1173,6 +1186,12 @@ int acpi_processor_set_throttling(struct acpi_processor *pr,
        return ret;
 }
+int acpi_processor_set_throttling(struct acpi_processor *pr, int state,
+                                  bool force)
+{
+        return __acpi_processor_set_throttling(pr, state, force, false);
+}
 int acpi_processor_get_throttling_info(struct acpi_processor *pr)
 {
        int result = 0;
diff --git a/drivers/acpi/sbshc.c b/drivers/acpi/sbshc.c
index 2fa8304171e0..7a3431018e0a 100644
--- a/drivers/acpi/sbshc.c
+++ b/drivers/acpi/sbshc.c
@@ -275,8 +275,8 @@ static int acpi_smbus_hc_add(struct acpi_device *device)
        device->driver_data = hc;
        acpi_ec_add_query_handler(hc->ec, hc->query_bit, NULL, smbus_alarm, hc);
-        printk(KERN_INFO PREFIX "SBS HC: EC = 0x%p, offset = 0x%0x, query_bit = 0x%0x\n",
+        dev_info(&device->dev, "SBS HC: offset = 0x%0x, query_bit = 0x%0x\n",
-                hc->ec, hc->offset, hc->query_bit);
+                 hc->offset, hc->query_bit);
        return 0;
 }
diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
index b48ecbfc4498..8c5503c0bad7 100644
--- a/drivers/acpi/video_detect.c
+++ b/drivers/acpi/video_detect.c
@@ -206,6 +206,15 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
                },
        },
        {
+         /* https://bugzilla.redhat.com/show_bug.cgi?id=1557060 */
+         .callback = video_detect_force_video,
+         .ident = "SAMSUNG 670Z5E",
+         .matches = {
+                DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."),
+                DMI_MATCH(DMI_PRODUCT_NAME, "670Z5E"),
+                },
+        },
+        {
         /* https://bugzilla.redhat.com/show_bug.cgi?id=1094948 */
         .callback = video_detect_force_video,
         .ident = "SAMSUNG 730U3E/740U3E",
diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
index f0099360039e..1accc01fb0ca 100644
--- a/drivers/amba/bus.c
+++ b/drivers/amba/bus.c
@@ -68,11 +68,12 @@ static ssize_t driver_override_show(struct device *_dev,
                                    struct device_attribute *attr, char *buf)
 {
        struct amba_device *dev = to_amba_device(_dev);
+        ssize_t len;
-        if (!dev->driver_override)
+        device_lock(_dev);
-                return 0;
+        len = sprintf(buf, "%s\n", dev->driver_override);
+        device_unlock(_dev);
-        return sprintf(buf, "%s\n", dev->driver_override);
+        return len;
 }
 static ssize_t driver_override_store(struct device *_dev,
@@ -80,9 +81,10 @@ static ssize_t driver_override_store(struct device *_dev,
                                     const char *buf, size_t count)
 {
        struct amba_device *dev = to_amba_device(_dev);
-        char *driver_override, *old = dev->driver_override, *cp;
+        char *driver_override, *old, *cp;
-        if (count > PATH_MAX)
+        /* We need to keep extra room for a newline */
+        if (count >= (PAGE_SIZE - 1))
                return -EINVAL;
        driver_override = kstrndup(buf, count, GFP_KERNEL);
@@ -93,12 +95,15 @@ static ssize_t driver_override_store(struct device *_dev,
        if (cp)
                *cp = '\0';
+        device_lock(_dev);
+        old = dev->driver_override;
        if (strlen(driver_override)) {
                dev->driver_override = driver_override;
        } else {
               kfree(driver_override);
               dev->driver_override = NULL;
        }
+        device_unlock(_dev);
        kfree(old);
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 5531f020e561..260ce0e60187 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2622,6 +2622,10 @@ static unsigned int binder_poll(struct file *filp,
        binder_lock(__func__);
        thread = binder_get_thread(proc);
+        if (!thread) {
+                binder_unlock(__func__);
+                return POLLERR;
+        }
        wait_for_proc_work = thread->transaction_stack == NULL &&
                list_empty(&thread->todo) && thread->return_error == BR_OK;
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index 60a15831c009..34fdaa6e99ba 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -260,9 +260,9 @@ static const struct pci_device_id ahci_pci_tbl[] = {
        { PCI_VDEVICE(INTEL, 0x3b23), board_ahci }, /* PCH AHCI */
        { PCI_VDEVICE(INTEL, 0x3b24), board_ahci }, /* PCH RAID */
        { PCI_VDEVICE(INTEL, 0x3b25), board_ahci }, /* PCH RAID */
-        { PCI_VDEVICE(INTEL, 0x3b29), board_ahci }, /* PCH AHCI */
+        { PCI_VDEVICE(INTEL, 0x3b29), board_ahci }, /* PCH M AHCI */
        { PCI_VDEVICE(INTEL, 0x3b2b), board_ahci }, /* PCH RAID */
-        { PCI_VDEVICE(INTEL, 0x3b2c), board_ahci }, /* PCH RAID */
+        { PCI_VDEVICE(INTEL, 0x3b2c), board_ahci }, /* PCH M RAID */
        { PCI_VDEVICE(INTEL, 0x3b2f), board_ahci }, /* PCH AHCI */
        { PCI_VDEVICE(INTEL, 0x19b0), board_ahci }, /* DNV AHCI */
        { PCI_VDEVICE(INTEL, 0x19b1), board_ahci }, /* DNV AHCI */
@@ -285,9 +285,9 @@ static const struct pci_device_id ahci_pci_tbl[] = {
        { PCI_VDEVICE(INTEL, 0x19cE), board_ahci }, /* DNV AHCI */
        { PCI_VDEVICE(INTEL, 0x19cF), board_ahci }, /* DNV AHCI */
        { PCI_VDEVICE(INTEL, 0x1c02), board_ahci }, /* CPT AHCI */
-        { PCI_VDEVICE(INTEL, 0x1c03), board_ahci }, /* CPT AHCI */
+        { PCI_VDEVICE(INTEL, 0x1c03), board_ahci }, /* CPT M AHCI */
        { PCI_VDEVICE(INTEL, 0x1c04), board_ahci }, /* CPT RAID */
-        { PCI_VDEVICE(INTEL, 0x1c05), board_ahci }, /* CPT RAID */
+        { PCI_VDEVICE(INTEL, 0x1c05), board_ahci }, /* CPT M RAID */
        { PCI_VDEVICE(INTEL, 0x1c06), board_ahci }, /* CPT RAID */
        { PCI_VDEVICE(INTEL, 0x1c07), board_ahci }, /* CPT RAID */
        { PCI_VDEVICE(INTEL, 0x1d02), board_ahci }, /* PBG AHCI */
@@ -296,20 +296,20 @@ static const struct pci_device_id ahci_pci_tbl[] = {
        { PCI_VDEVICE(INTEL, 0x2826), board_ahci }, /* PBG RAID */
        { PCI_VDEVICE(INTEL, 0x2323), board_ahci }, /* DH89xxCC AHCI */
        { PCI_VDEVICE(INTEL, 0x1e02), board_ahci }, /* Panther Point AHCI */
-        { PCI_VDEVICE(INTEL, 0x1e03), board_ahci }, /* Panther Point AHCI */
+        { PCI_VDEVICE(INTEL, 0x1e03), board_ahci }, /* Panther Point M AHCI */
        { PCI_VDEVICE(INTEL, 0x1e04), board_ahci }, /* Panther Point RAID */
        { PCI_VDEVICE(INTEL, 0x1e05), board_ahci }, /* Panther Point RAID */
        { PCI_VDEVICE(INTEL, 0x1e06), board_ahci }, /* Panther Point RAID */
-        { PCI_VDEVICE(INTEL, 0x1e07), board_ahci }, /* Panther Point RAID */
+        { PCI_VDEVICE(INTEL, 0x1e07), board_ahci }, /* Panther Point M RAID */
        { PCI_VDEVICE(INTEL, 0x1e0e), board_ahci }, /* Panther Point RAID */
        { PCI_VDEVICE(INTEL, 0x8c02), board_ahci }, /* Lynx Point AHCI */
-        { PCI_VDEVICE(INTEL, 0x8c03), board_ahci }, /* Lynx Point AHCI */
+        { PCI_VDEVICE(INTEL, 0x8c03), board_ahci }, /* Lynx Point M AHCI */
        { PCI_VDEVICE(INTEL, 0x8c04), board_ahci }, /* Lynx Point RAID */
-        { PCI_VDEVICE(INTEL, 0x8c05), board_ahci }, /* Lynx Point RAID */
+        { PCI_VDEVICE(INTEL, 0x8c05), board_ahci }, /* Lynx Point M RAID */
        { PCI_VDEVICE(INTEL, 0x8c06), board_ahci }, /* Lynx Point RAID */
-        { PCI_VDEVICE(INTEL, 0x8c07), board_ahci }, /* Lynx Point RAID */
+        { PCI_VDEVICE(INTEL, 0x8c07), board_ahci }, /* Lynx Point M RAID */
        { PCI_VDEVICE(INTEL, 0x8c0e), board_ahci }, /* Lynx Point RAID */
-        { PCI_VDEVICE(INTEL, 0x8c0f), board_ahci }, /* Lynx Point RAID */
+        { PCI_VDEVICE(INTEL, 0x8c0f), board_ahci }, /* Lynx Point M RAID */
        { PCI_VDEVICE(INTEL, 0x9c02), board_ahci }, /* Lynx Point-LP AHCI */
        { PCI_VDEVICE(INTEL, 0x9c03), board_ahci }, /* Lynx Point-LP AHCI */
        { PCI_VDEVICE(INTEL, 0x9c04), board_ahci }, /* Lynx Point-LP RAID */
@@ -350,21 +350,21 @@ static const struct pci_device_id ahci_pci_tbl[] = {
        { PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */
        { PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */
        { PCI_VDEVICE(INTEL, 0x8c82), board_ahci }, /* 9 Series AHCI */
-        { PCI_VDEVICE(INTEL, 0x8c83), board_ahci }, /* 9 Series AHCI */
+        { PCI_VDEVICE(INTEL, 0x8c83), board_ahci }, /* 9 Series M AHCI */
        { PCI_VDEVICE(INTEL, 0x8c84), board_ahci }, /* 9 Series RAID */
-        { PCI_VDEVICE(INTEL, 0x8c85), board_ahci }, /* 9 Series RAID */
+        { PCI_VDEVICE(INTEL, 0x8c85), board_ahci }, /* 9 Series M RAID */
        { PCI_VDEVICE(INTEL, 0x8c86), board_ahci }, /* 9 Series RAID */
-        { PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series RAID */
+        { PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series M RAID */
        { PCI_VDEVICE(INTEL, 0x8c8e), board_ahci }, /* 9 Series RAID */
-        { PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series RAID */
+        { PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series M RAID */
        { PCI_VDEVICE(INTEL, 0x9d03), board_ahci }, /* Sunrise Point-LP AHCI */
        { PCI_VDEVICE(INTEL, 0x9d05), board_ahci }, /* Sunrise Point-LP RAID */
        { PCI_VDEVICE(INTEL, 0x9d07), board_ahci }, /* Sunrise Point-LP RAID */
        { PCI_VDEVICE(INTEL, 0xa102), board_ahci }, /* Sunrise Point-H AHCI */
-        { PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H AHCI */
+        { PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H M AHCI */
        { PCI_VDEVICE(INTEL, 0xa105), board_ahci }, /* Sunrise Point-H RAID */
        { PCI_VDEVICE(INTEL, 0xa106), board_ahci }, /* Sunrise Point-H RAID */
-        { PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */
+        { PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H M RAID */
        { PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
        { PCI_VDEVICE(INTEL, 0x2822), board_ahci }, /* Lewisburg RAID*/
        { PCI_VDEVICE(INTEL, 0x2823), board_ahci }, /* Lewisburg AHCI*/
@@ -382,6 +382,11 @@ static const struct pci_device_id ahci_pci_tbl[] = {
        { PCI_VDEVICE(INTEL, 0xa20e), board_ahci }, /* Lewisburg RAID*/
        { PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
        { PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
+        { PCI_VDEVICE(INTEL, 0xa356), board_ahci }, /* Cannon Lake PCH-H RAID */
+        { PCI_VDEVICE(INTEL, 0x0f22), board_ahci }, /* Bay Trail AHCI */
+        { PCI_VDEVICE(INTEL, 0x0f23), board_ahci }, /* Bay Trail AHCI */
+        { PCI_VDEVICE(INTEL, 0x22a3), board_ahci }, /* Cherry Trail AHCI */
+        { PCI_VDEVICE(INTEL, 0x5ae3), board_ahci }, /* Apollo Lake AHCI */
        /* JMicron 360/1/3/5/6, match class to avoid IDE function */
        { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
@@ -533,7 +538,9 @@ static const struct pci_device_id ahci_pci_tbl[] = {
          .driver_data = board_ahci_yes_fbs },
        { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
          .driver_data = board_ahci_yes_fbs },
-        { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642),
+        { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), /* highpoint rocketraid 642L */
+          .driver_data = board_ahci_yes_fbs },
+        { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0645), /* highpoint rocketraid 644L */
          .driver_data = board_ahci_yes_fbs },
        /* Promise */
@@ -1222,6 +1229,59 @@ static bool ahci_broken_suspend(struct pci_dev *pdev)
        return strcmp(buf, dmi->driver_data) < 0;
 }
+static bool ahci_broken_lpm(struct pci_dev *pdev)
+{
+        static const struct dmi_system_id sysids[] = {
+                /* Various Lenovo 50 series have LPM issues with older BIOSen */
+                {
+                        .matches = {
+                                DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+                                DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad X250"),
+                        },
+                        .driver_data = "20180406", /* 1.31 */
+                },
+                {
+                        .matches = {
+                                DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+                                DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L450"),
+                        },
+                        .driver_data = "20180420", /* 1.28 */
+                },
+                {
+                        .matches = {
+                                DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+                                DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T450s"),
+                        },
+                        .driver_data = "20180315", /* 1.33 */
+                },
+                {
+                        .matches = {
+                                DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+                                DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W541"),
+                        },
+                        /*
+                         * Note date based on release notes, 2.35 has been
+                         * reported to be good, but I've been unable to get
+                         * a hold of the reporter to get the DMI BIOS date.
+                         * TODO: fix this.
+                         */
+                        .driver_data = "20180310", /* 2.35 */
+                },
+                { }     /* terminate list */
+        };
+        const struct dmi_system_id *dmi = dmi_first_match(sysids);
+        int year, month, date;
+        char buf[9];
+        if (!dmi)
+                return false;
+        dmi_get_date(DMI_BIOS_DATE, &year, &month, &date);
+        snprintf(buf, sizeof(buf), "%04d%02d%02d", year, month, date);
+        return strcmp(buf, dmi->driver_data) < 0;
+}
 static bool ahci_broken_online(struct pci_dev *pdev)
 {
 #define ENCODE_BUSDEVFN(bus, slot, func)                        \
@@ -1581,6 +1641,12 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
                        "quirky BIOS, skipping spindown on poweroff\n");
        }
+        if (ahci_broken_lpm(pdev)) {
+                pi.flags |= ATA_FLAG_NO_LPM;
+                dev_warn(&pdev->dev,
+                         "BIOS update required for Link Power Management support\n");
+        }
        if (ahci_broken_suspend(pdev)) {
                hpriv->flags |= AHCI_HFLAG_NO_SUSPEND;
                dev_warn(&pdev->dev,
diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
index aaa761b9081c..cd2eab6aa92e 100644
--- a/drivers/ata/libahci_platform.c
+++ b/drivers/ata/libahci_platform.c
@@ -514,8 +514,9 @@ int ahci_platform_init_host(struct platform_device *pdev,
        irq = platform_get_irq(pdev, 0);
        if (irq <= 0) {
-                dev_err(dev, "no irq\n");
+                if (irq != -EPROBE_DEFER)
-                return -EINVAL;
+                        dev_err(dev, "no irq\n");
+                return irq;
        }
        hpriv->irq = irq;
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 69ec1c5d7152..ba514fa733de 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -2209,6 +2209,9 @@ int ata_dev_configure(struct ata_device *dev)
            (id[ATA_ID_SATA_CAPABILITY] & 0xe) == 0x2)
                dev->horkage |= ATA_HORKAGE_NOLPM;
+        if (ap->flags & ATA_FLAG_NO_LPM)
+                dev->horkage |= ATA_HORKAGE_NOLPM;
        if (dev->horkage & ATA_HORKAGE_NOLPM) {
                ata_dev_warn(dev, "LPM support broken, forcing max_power\n");
                dev->link->ap->target_lpm_policy = ATA_LPM_MAX_POWER;
@@ -4187,6 +4190,10 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
        /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */
        { "C300-CTFDDAC128MAG", "0001",         ATA_HORKAGE_NONCQ, },
+        /* Some Sandisk SSDs lock up hard with NCQ enabled.  Reported on
+           SD7SN6S256G and SD8SN8U256G */
+        { "SanDisk SD[78]SN*G", NULL,           ATA_HORKAGE_NONCQ, },
        /* devices which puke on READ_NATIVE_MAX */
        { "HDS724040KLSA80",    "KFAOA20N",     ATA_HORKAGE_BROKEN_HPA, },
        { "WDC WD3200JD-00KLB0", "WD-WCAMR1130137", ATA_HORKAGE_BROKEN_HPA },
@@ -4224,7 +4231,28 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
        { "PIONEER DVD-RW  DVR-212D",   NULL,   ATA_HORKAGE_NOSETXFER },
        { "PIONEER DVD-RW  DVR-216D",   NULL,   ATA_HORKAGE_NOSETXFER },
+        /* Crucial BX100 SSD 500GB has broken LPM support */
+        { "CT500BX100SSD1",             NULL,   ATA_HORKAGE_NOLPM },
+        /* 512GB MX100 with MU01 firmware has both queued TRIM and LPM issues */
+        { "Crucial_CT512MX100*",        "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
+                                                ATA_HORKAGE_ZERO_AFTER_TRIM |
+                                                ATA_HORKAGE_NOLPM, },
+        /* 512GB MX100 with newer firmware has only LPM issues */
+        { "Crucial_CT512MX100*",        NULL,   ATA_HORKAGE_ZERO_AFTER_TRIM |
+                                                ATA_HORKAGE_NOLPM, },
+        /* 480GB+ M500 SSDs have both queued TRIM and LPM issues */
+        { "Crucial_CT480M500*",         NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
+                                                ATA_HORKAGE_ZERO_AFTER_TRIM |
+                                                ATA_HORKAGE_NOLPM, },
+        { "Crucial_CT960M500*",         NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
+                                                ATA_HORKAGE_ZERO_AFTER_TRIM |
+                                                ATA_HORKAGE_NOLPM, },
        /* devices that don't properly handle queued TRIM commands */
+        { "Micron_M500IT_*",            "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
+                                                ATA_HORKAGE_ZERO_AFTER_TRIM, },
        { "Micron_M500_*",              NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
                                                ATA_HORKAGE_ZERO_AFTER_TRIM, },
        { "Crucial_CT*M500*",           NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
@@ -4235,7 +4263,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
                                                ATA_HORKAGE_ZERO_AFTER_TRIM, },
        { "Crucial_CT*MX100*",          "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
                                                ATA_HORKAGE_ZERO_AFTER_TRIM, },
-        { "Samsung SSD 8*",             NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
+        { "Samsung SSD 840*",           NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
+                                                ATA_HORKAGE_ZERO_AFTER_TRIM, },
+        { "Samsung SSD 850*",           NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
                                                ATA_HORKAGE_ZERO_AFTER_TRIM, },
        { "FCCT*M500*",                 NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
                                                ATA_HORKAGE_ZERO_AFTER_TRIM, },
@@ -5077,8 +5107,7 @@ void ata_qc_issue(struct ata_queued_cmd *qc)
         * We guarantee to LLDs that they will have at least one
         * non-zero sg if the command is a data command.
         */
-        if (WARN_ON_ONCE(ata_is_data(prot) &&
+        if (ata_is_data(prot) && (!qc->sg || !qc->n_elem || !qc->nbytes))
-                         (!qc->sg || !qc->n_elem || !qc->nbytes)))
                goto sys_err;
        if (ata_is_dma(prot) || (ata_is_pio(prot) &&
diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
index 75cced210b2a..7db76b5c7ada 100644
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -2198,12 +2198,16 @@ static void ata_eh_link_autopsy(struct ata_link *link)
                if (qc->err_mask & ~AC_ERR_OTHER)
                        qc->err_mask &= ~AC_ERR_OTHER;
-                /* SENSE_VALID trumps dev/unknown error and revalidation */
+                /*
+                 * SENSE_VALID trumps dev/unknown error and revalidation. Upper
+                 * layers will determine whether the command is worth retrying
+                 * based on the sense data and device class/type. Otherwise,
+                 * determine directly if the command is worth retrying using its
+                 * error mask and flags.
+                 */
                if (qc->flags & ATA_QCFLAG_SENSE_VALID)
                        qc->err_mask &= ~(AC_ERR_DEV | AC_ERR_OTHER);
+                else if (ata_eh_worth_retry(qc))
-                /* determine whether the command is worth retrying */
-                if (ata_eh_worth_retry(qc))
                        qc->flags |= ATA_QCFLAG_RETRY;
                /* accumulate error info */
diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index 5b2aee83d776..4a267347a6d9 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -3472,7 +3472,9 @@ static inline int __ata_scsi_queuecmd(struct scsi_cmnd *scmd,
                if (likely((scsi_op != ATA_16) || !atapi_passthru16)) {
                        /* relay SCSI command to ATAPI device */
                        int len = COMMAND_SIZE(scsi_op);
-                        if (unlikely(len > scmd->cmd_len || len > dev->cdb_len))
+                        if (unlikely(len > scmd->cmd_len ||
+                                     len > dev->cdb_len ||
+                                     scmd->cmd_len > ATAPI_CDB_LEN))
                                goto bad_cdb_len;
                        xlat_func = atapi_xlat;
diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
index f3a65a3140d3..0ad96c647541 100644
--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -34,7 +34,7 @@ struct zpodd {
 static int eject_tray(struct ata_device *dev)
 {
        struct ata_taskfile tf;
-        const char cdb[] = {  GPCMD_START_STOP_UNIT,
+        static const char cdb[ATAPI_CDB_LEN] = {  GPCMD_START_STOP_UNIT,
                0, 0, 0,
                0x02,     /* LoEj */
                0, 0, 0, 0, 0, 0, 0,
@@ -55,7 +55,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
        unsigned int ret;
        struct rm_feature_desc *desc = (void *)(buf + 8);
        struct ata_taskfile tf;
-        char cdb[] = {  GPCMD_GET_CONFIGURATION,
+        static const char cdb[] = {  GPCMD_GET_CONFIGURATION,
                        2,      /* only 1 feature descriptor requested */
                        0, 3,   /* 3, removable medium feature */
                        0, 0, 0,/* reserved */
diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c
index cecfb943762f..94712e1c5cf9 100644
--- a/drivers/atm/zatm.c
+++ b/drivers/atm/zatm.c
@@ -23,6 +23,7 @@
 #include <linux/bitops.h>
 #include <linux/wait.h>
 #include <linux/slab.h>
+#include <linux/nospec.h>
 #include <asm/byteorder.h>
 #include <asm/string.h>
 #include <asm/io.h>
@@ -1148,8 +1149,8 @@ static void eprom_get_byte(struct zatm_dev *zatm_dev, unsigned char *byte,
 }
-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd,
+static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset,
-                                   int offset, int swap)
+                         int swap)
 {
        unsigned char buf[ZEPROM_SIZE];
        struct zatm_dev *zatm_dev;
@@ -1456,6 +1457,8 @@ static int zatm_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg)
                                        return -EFAULT;
                                if (pool < 0 || pool > ZATM_LAST_POOL)
                                        return -EINVAL;
+                                pool = array_index_nospec(pool,
+                                                          ZATM_LAST_POOL + 1);
                                spin_lock_irqsave(&zatm_dev->lock, flags);
                                info = zatm_dev->pool_info[pool];
                                if (cmd == ZATM_GETPOOLZ) {
@@ -1478,6 +1481,8 @@ static int zatm_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg)
                                        return -EFAULT;
                                if (pool < 0 || pool > ZATM_LAST_POOL)
                                        return -EINVAL;
+                                pool = array_index_nospec(pool,
+                                                          ZATM_LAST_POOL + 1);
                                if (copy_from_user(&info,
                                    &((struct zatm_pool_req __user *) arg)->info,
                                    sizeof(info))) return -EFAULT;
diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c
index e9fd32e91668..70e13cf06ed0 100644
--- a/drivers/base/cacheinfo.c
+++ b/drivers/base/cacheinfo.c
@@ -16,6 +16,7 @@
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
+#include <linux/acpi.h>
 #include <linux/bitops.h>
 #include <linux/cacheinfo.h>
 #include <linux/compiler.h>
@@ -104,9 +105,16 @@ static int cache_shared_cpu_map_setup(unsigned int cpu)
        struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu);
        struct cacheinfo *this_leaf, *sib_leaf;
        unsigned int index;
-        int ret;
+        int ret = 0;
+        if (this_cpu_ci->cpu_map_populated)
+                return 0;
-        ret = cache_setup_of_node(cpu);
+        if (of_have_populated_dt())
+                ret = cache_setup_of_node(cpu);
+        else if (!acpi_disabled)
+                /* No cache property/hierarchy support yet in ACPI */
+                ret = -ENOTSUPP;
        if (ret)
                return ret;
@@ -203,8 +211,7 @@ static int detect_cache_attributes(unsigned int cpu)
         */
        ret = cache_shared_cpu_map_setup(cpu);
        if (ret) {
-                pr_warn("Unable to detect cache hierarchy from DT for CPU %d\n",
+                pr_warn("Unable to detect cache hierarchy for CPU %d\n", cpu);
-                        cpu);
                goto free_ci;
        }
        return 0;
diff --git a/drivers/base/core.c b/drivers/base/core.c
index afe045792796..049ccc070ce5 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -759,7 +759,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj)
        dir = kzalloc(sizeof(*dir), GFP_KERNEL);
        if (!dir)
-                return NULL;
+                return ERR_PTR(-ENOMEM);
        dir->class = class;
        kobject_init(&dir->kobj, &class_dir_ktype);
@@ -769,7 +769,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj)
        retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name);
        if (retval < 0) {
                kobject_put(&dir->kobj);
-                return NULL;
+                return ERR_PTR(retval);
        }
        return &dir->kobj;
 }
@@ -1076,6 +1076,10 @@ int device_add(struct device *dev)
        parent = get_device(dev->parent);
        kobj = get_device_parent(dev, parent);
+        if (IS_ERR(kobj)) {
+                error = PTR_ERR(kobj);
+                goto parent_error;
+        }
        if (kobj)
                dev->kobj.parent = kobj;
@@ -1174,6 +1178,7 @@ done:
        kobject_del(&dev->kobj);
 Error:
        cleanup_glue_dir(dev, glue_dir);
+parent_error:
        put_device(parent);
 name_error:
        kfree(dev->p);
@@ -1990,6 +1995,11 @@ int device_move(struct device *dev, struct device *new_parent,
        device_pm_lock();
        new_parent = get_device(new_parent);
        new_parent_kobj = get_device_parent(dev, new_parent);
+        if (IS_ERR(new_parent_kobj)) {
+                error = PTR_ERR(new_parent_kobj);
+                put_device(new_parent);
+                goto out;
+        }
        pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev),
                 __func__, new_parent ? dev_name(new_parent) : "<NULL>");
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
index 3db71afbba93..41090ef5facb 100644
--- a/drivers/base/cpu.c
+++ b/drivers/base/cpu.c
@@ -518,14 +518,30 @@ ssize_t __weak cpu_show_spectre_v2(struct device *dev,
        return sprintf(buf, "Not affected\n");
 }
+ssize_t __weak cpu_show_spec_store_bypass(struct device *dev,
+                                          struct device_attribute *attr, char *buf)
+{
+        return sprintf(buf, "Not affected\n");
+}
+ssize_t __weak cpu_show_l1tf(struct device *dev,
+                             struct device_attribute *attr, char *buf)
+{
+        return sprintf(buf, "Not affected\n");
+}
 static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
 static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
 static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL);
+static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL);
 static struct attribute *cpu_root_vulnerabilities_attrs[] = {
        &dev_attr_meltdown.attr,
        &dev_attr_spectre_v1.attr,
        &dev_attr_spectre_v2.attr,
+        &dev_attr_spec_store_bypass.attr,
+        &dev_attr_l1tf.attr,
        NULL
 };
diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index a641cf3ccad6..1dffb018a7fe 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -304,14 +304,6 @@ static int really_probe(struct device *dev, struct device_driver *drv)
                        goto probe_failed;
        }
-        /*
-         * Ensure devices are listed in devices_kset in correct order
-         * It's important to move Dev to the end of devices_kset before
-         * calling .probe, because it could be recursive and parent Dev
-         * should always go first
-         */
-        devices_kset_move_last(dev);
        if (dev->bus->probe) {
                ret = dev->bus->probe(dev);
                if (ret)
diff --git a/drivers/base/power/trace.c b/drivers/base/power/trace.c
index a311cfa4c5bd..a6975795e7f3 100644
--- a/drivers/base/power/trace.c
+++ b/drivers/base/power/trace.c
@@ -166,14 +166,14 @@ void generate_pm_trace(const void *tracedata, unsigned int user)
 }
 EXPORT_SYMBOL(generate_pm_trace);
-extern char __tracedata_start, __tracedata_end;
+extern char __tracedata_start[], __tracedata_end[];
 static int show_file_hash(unsigned int value)
 {
        int match;
        char *tracedata;
        match = 0;
-        for (tracedata = &__tracedata_start ; tracedata < &__tracedata_end ;
+        for (tracedata = __tracedata_start ; tracedata < __tracedata_end ;
                        tracedata += 2 + sizeof(unsigned long)) {
                unsigned short lineno = *(unsigned short *)tracedata;
                const char *file = *(const char **)(tracedata + 2);
diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 4ac63c0e50c7..fd377b956199 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -1582,7 +1582,7 @@ int regmap_raw_write(struct regmap *map, unsigned int reg,
                return -EINVAL;
        if (val_len % map->format.val_bytes)
                return -EINVAL;
-        if (map->max_raw_write && map->max_raw_write > val_len)
+        if (map->max_raw_write && map->max_raw_write < val_len)
                return -E2BIG;
        map->lock(map->lock_arg);
diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c
index 5578c1477ba6..8bfd4fd7e9ec 100644
--- a/drivers/block/drbd/drbd_worker.c
+++ b/drivers/block/drbd/drbd_worker.c
@@ -256,8 +256,8 @@ void drbd_request_endio(struct bio *bio)
        } else
                what = COMPLETED_OK;
-        bio_put(req->private_bio);
        req->private_bio = ERR_PTR(bio->bi_error);
+        bio_put(bio);
        /* not req_mod(), we need irqsave here! */
        spin_lock_irqsave(&device->resource->req_lock, flags);
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index cec36d5c24f5..da3902ac16c8 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -263,7 +263,7 @@ static int lo_write_bvec(struct file *file, struct bio_vec *bvec, loff_t *ppos)
        struct iov_iter i;
        ssize_t bw;
-        iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len);
+        iov_iter_bvec(&i, ITER_BVEC | WRITE, bvec, 1, bvec->bv_len);
        file_start_write(file);
        bw = vfs_iter_write(file, &i, ppos);
@@ -623,6 +623,9 @@ static int loop_switch(struct loop_device *lo, struct file *file)
 */
 static int loop_flush(struct loop_device *lo)
 {
+        /* loop not yet configured, no running thread, nothing to flush */
+        if (lo->lo_state != Lo_bound)
+                return 0;
        return loop_switch(lo, NULL);
 }
@@ -648,6 +651,36 @@ static void loop_reread_partitions(struct loop_device *lo,
                        __func__, lo->lo_number, lo->lo_file_name, rc);
 }
+static inline int is_loop_device(struct file *file)
+{
+        struct inode *i = file->f_mapping->host;
+        return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR;
+}
+static int loop_validate_file(struct file *file, struct block_device *bdev)
+{
+        struct inode    *inode = file->f_mapping->host;
+        struct file     *f = file;
+        /* Avoid recursion */
+        while (is_loop_device(f)) {
+                struct loop_device *l;
+                if (f->f_mapping->host->i_bdev == bdev)
+                        return -EBADF;
+                l = f->f_mapping->host->i_bdev->bd_disk->private_data;
+                if (l->lo_state == Lo_unbound) {
+                        return -EINVAL;
+                }
+                f = l->lo_backing_file;
+        }
+        if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
+                return -EINVAL;
+        return 0;
+}
 /*
 * loop_change_fd switched the backing store of a loopback device to
 * a new file. This is useful for operating system installers to free up
@@ -677,14 +710,15 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
        if (!file)
                goto out;
+        error = loop_validate_file(file, bdev);
+        if (error)
+                goto out_putf;
        inode = file->f_mapping->host;
        old_file = lo->lo_backing_file;
        error = -EINVAL;
-        if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
-                goto out_putf;
        /* size of the new backing store needs to be the same */
        if (get_loop_size(lo, file) != get_loop_size(lo, old_file))
                goto out_putf;
@@ -705,13 +739,6 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
        return error;
 }
-static inline int is_loop_device(struct file *file)
-{
-        struct inode *i = file->f_mapping->host;
-        return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR;
-}
 /* loop sysfs attributes */
 static ssize_t loop_attr_show(struct device *dev, char *page,
@@ -808,16 +835,17 @@ static struct attribute_group loop_attribute_group = {
        .attrs= loop_attrs,
 };
-static int loop_sysfs_init(struct loop_device *lo)
+static void loop_sysfs_init(struct loop_device *lo)
 {
-        return sysfs_create_group(&disk_to_dev(lo->lo_disk)->kobj,
+        lo->sysfs_inited = !sysfs_create_group(&disk_to_dev(lo->lo_disk)->kobj,
-                                  &loop_attribute_group);
+                                                &loop_attribute_group);
 }
 static void loop_sysfs_exit(struct loop_device *lo)
 {
-        sysfs_remove_group(&disk_to_dev(lo->lo_disk)->kobj,
+        if (lo->sysfs_inited)
-                           &loop_attribute_group);
+                sysfs_remove_group(&disk_to_dev(lo->lo_disk)->kobj,
+                                   &loop_attribute_group);
 }
 static void loop_config_discard(struct loop_device *lo)
@@ -869,7 +897,7 @@ static int loop_prepare_queue(struct loop_device *lo)
 static int loop_set_fd(struct loop_device *lo, fmode_t mode,
                       struct block_device *bdev, unsigned int arg)
 {
-        struct file     *file, *f;
+        struct file     *file;
        struct inode    *inode;
        struct address_space *mapping;
        unsigned lo_blocksize;
@@ -889,29 +917,13 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
        if (lo->lo_state != Lo_unbound)
                goto out_putf;
-        /* Avoid recursion */
+        error = loop_validate_file(file, bdev);
-        f = file;
+        if (error)
-        while (is_loop_device(f)) {
+                goto out_putf;
-                struct loop_device *l;
-                if (f->f_mapping->host->i_bdev == bdev)
-                        goto out_putf;
-                l = f->f_mapping->host->i_bdev->bd_disk->private_data;
-                if (l->lo_state == Lo_unbound) {
-                        error = -EINVAL;
-                        goto out_putf;
-                }
-                f = l->lo_backing_file;
-        }
        mapping = file->f_mapping;
        inode = mapping->host;
-        error = -EINVAL;
-        if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
-                goto out_putf;
        if (!(file->f_mode & FMODE_WRITE) || !(mode & FMODE_WRITE) ||
            !file->f_op->write_iter)
                lo_flags |= LO_FLAGS_READ_ONLY;
@@ -1118,11 +1130,15 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
        if (info->lo_encrypt_type) {
                unsigned int type = info->lo_encrypt_type;
-                if (type >= MAX_LO_CRYPT)
+                if (type >= MAX_LO_CRYPT) {
-                        return -EINVAL;
+                        err = -EINVAL;
+                        goto exit;
+                }
                xfer = xfer_funcs[type];
-                if (xfer == NULL)
+                if (xfer == NULL) {
-                        return -EINVAL;
+                        err = -EINVAL;
+                        goto exit;
+                }
        } else
                xfer = NULL;
@@ -1569,9 +1585,8 @@ out:
        return err;
 }
-static void lo_release(struct gendisk *disk, fmode_t mode)
+static void __lo_release(struct loop_device *lo)
 {
-        struct loop_device *lo = disk->private_data;
        int err;
        if (atomic_dec_return(&lo->lo_refcnt))
@@ -1597,6 +1612,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
        mutex_unlock(&lo->lo_ctl_mutex);
 }
+static void lo_release(struct gendisk *disk, fmode_t mode)
+{
+        mutex_lock(&loop_index_mutex);
+        __lo_release(disk->private_data);
+        mutex_unlock(&loop_index_mutex);
+}
 static const struct block_device_operations lo_fops = {
        .owner =        THIS_MODULE,
        .open =         lo_open,
diff --git a/drivers/block/loop.h b/drivers/block/loop.h
index fb2237c73e61..60f0fd2c0c65 100644
--- a/drivers/block/loop.h
+++ b/drivers/block/loop.h
@@ -59,6 +59,7 @@ struct loop_device {
        struct kthread_worker   worker;
        struct task_struct      *worker_task;
        bool                    use_dio;
+        bool                    sysfs_inited;
        struct request_queue    *lo_queue;
        struct blk_mq_tag_set   tag_set;
diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
index 93362362aa55..8474a1b0740f 100644
--- a/drivers/block/paride/pcd.c
+++ b/drivers/block/paride/pcd.c
@@ -230,6 +230,8 @@ static int pcd_block_open(struct block_device *bdev, fmode_t mode)
        struct pcd_unit *cd = bdev->bd_disk->private_data;
        int ret;
+        check_disk_change(bdev);
        mutex_lock(&pcd_mutex);
        ret = cdrom_open(&cd->info, bdev, mode);
        mutex_unlock(&pcd_mutex);
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index d06c62eccdf0..156968a6655d 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2779,7 +2779,7 @@ static int pkt_setup_dev(dev_t dev, dev_t* pkt_dev)
        pd->pkt_dev = MKDEV(pktdev_major, idx);
        ret = pkt_new_dev(pd, dev);
        if (ret)
-                goto out_new_dev;
+                goto out_mem2;
        /* inherit events of the host device */
        disk->events = pd->bdev->bd_disk->events;
@@ -2797,8 +2797,6 @@ static int pkt_setup_dev(dev_t dev, dev_t* pkt_dev)
        mutex_unlock(&ctl_mutex);
        return 0;
-out_new_dev:
-        blk_cleanup_queue(disk->queue);
 out_mem2:
        put_disk(disk);
 out_mem:
diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
index 7b624423a7e8..89ccb604045c 100644
--- a/drivers/bluetooth/btsdio.c
+++ b/drivers/bluetooth/btsdio.c
@@ -31,6 +31,7 @@
 #include <linux/errno.h>
 #include <linux/skbuff.h>
+#include <linux/mmc/host.h>
 #include <linux/mmc/sdio_ids.h>
 #include <linux/mmc/sdio_func.h>
@@ -291,6 +292,14 @@ static int btsdio_probe(struct sdio_func *func,
                tuple = tuple->next;
        }
+        /* BCM43341 devices soldered onto the PCB (non-removable) use an
+         * uart connection for bluetooth, ignore the BT SDIO interface.
+         */
+        if (func->vendor == SDIO_VENDOR_ID_BROADCOM &&
+            func->device == SDIO_DEVICE_ID_BROADCOM_43341 &&
+            !mmc_card_is_removable(func->card->host))
+                return -ENODEV;
        data = devm_kzalloc(&func->dev, sizeof(*data), GFP_KERNEL);
        if (!data)
                return -ENOMEM;
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 1ccad79ce77c..4a899b41145e 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -23,6 +23,7 @@
 #include <linux/module.h>
 #include <linux/usb.h>
+#include <linux/usb/quirks.h>
 #include <linux/firmware.h>
 #include <asm/unaligned.h>
@@ -335,6 +336,12 @@ static const struct usb_device_id blacklist_table[] = {
        { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
        { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK },
+        /* Additional Realtek 8723BU Bluetooth devices */
+        { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
+        /* Additional Realtek 8723DE Bluetooth devices */
+        { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK },
        /* Additional Realtek 8821AE Bluetooth devices */
        { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
        { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
@@ -342,6 +349,9 @@ static const struct usb_device_id blacklist_table[] = {
        { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
        { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
+        /* Additional Realtek 8822BE Bluetooth devices */
+        { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
        /* Silicon Wave based devices */
        { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
@@ -360,8 +370,8 @@ static const struct usb_device_id blacklist_table[] = {
 #define BTUSB_FIRMWARE_LOADED   7
 #define BTUSB_FIRMWARE_FAILED   8
 #define BTUSB_BOOTING           9
-#define BTUSB_RESET_RESUME      10
+#define BTUSB_DIAG_RUNNING      10
-#define BTUSB_DIAG_RUNNING      11
+#define BTUSB_OOB_WAKE_ENABLED  11
 struct btusb_data {
        struct hci_dev       *hdev;
@@ -2972,9 +2982,9 @@ static int btusb_probe(struct usb_interface *intf,
                /* QCA Rome devices lose their updated firmware over suspend,
                 * but the USB hub doesn't notice any status change.
-                 * Explicitly request a device reset on resume.
+                 * explicitly request a device reset on resume.
                 */
-                set_bit(BTUSB_RESET_RESUME, &data->flags);
+                interface_to_usbdev(intf)->quirks |= USB_QUIRK_RESET_RESUME;
        }
 #ifdef CONFIG_BT_HCIBTUSB_RTL
@@ -2985,7 +2995,7 @@ static int btusb_probe(struct usb_interface *intf,
                 * but the USB hub doesn't notice any status change.
                 * Explicitly request a device reset on resume.
                 */
-                set_bit(BTUSB_RESET_RESUME, &data->flags);
+                interface_to_usbdev(intf)->quirks |= USB_QUIRK_RESET_RESUME;
        }
 #endif
@@ -3142,14 +3152,6 @@ static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
        btusb_stop_traffic(data);
        usb_kill_anchored_urbs(&data->tx_anchor);
-        /* Optionally request a device reset on resume, but only when
-         * wakeups are disabled. If wakeups are enabled we assume the
-         * device will stay powered up throughout suspend.
-         */
-        if (test_bit(BTUSB_RESET_RESUME, &data->flags) &&
-            !device_may_wakeup(&data->udev->dev))
-                data->udev->reset_resume = 1;
        return 0;
 }
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 71325e443e46..ecfb9ed2cff6 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -884,7 +884,7 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate)
         */
        set_current_state(TASK_UNINTERRUPTIBLE);
        schedule_timeout(msecs_to_jiffies(BAUDRATE_SETTLE_TIMEOUT_MS));
-        set_current_state(TASK_INTERRUPTIBLE);
+        set_current_state(TASK_RUNNING);
        return 0;
 }
@@ -936,6 +936,15 @@ static int qca_setup(struct hci_uart *hu)
        if (!ret) {
                set_bit(STATE_IN_BAND_SLEEP_ENABLED, &qca->flags);
                qca_debugfs_init(hdev);
+        } else if (ret == -ENOENT) {
+                /* No patch/nvm-config found, run with original fw/config */
+                ret = 0;
+        } else if (ret == -EAGAIN) {
+                /*
+                 * Userspace firmware loader will return -EAGAIN in case no
+                 * patch/nvm-config is found, so run with original fw/config.
+                 */
+                ret = 0;
        }
        /* Setup bdaddr */
diff --git a/drivers/bus/brcmstb_gisb.c b/drivers/bus/brcmstb_gisb.c
index f364fa4d24eb..f59183018280 100644
--- a/drivers/bus/brcmstb_gisb.c
+++ b/drivers/bus/brcmstb_gisb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Broadcom Corporation
+ * Copyright (C) 2014-2017 Broadcom
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -33,8 +33,6 @@
 #define  ARB_ERR_CAP_CLEAR              (1 << 0)
 #define  ARB_ERR_CAP_STATUS_TIMEOUT     (1 << 12)
 #define  ARB_ERR_CAP_STATUS_TEA         (1 << 11)
-#define  ARB_ERR_CAP_STATUS_BS_SHIFT    (1 << 2)
-#define  ARB_ERR_CAP_STATUS_BS_MASK     0x3c
 #define  ARB_ERR_CAP_STATUS_WRITE       (1 << 1)
 #define  ARB_ERR_CAP_STATUS_VALID       (1 << 0)
@@ -43,7 +41,6 @@ enum {
        ARB_ERR_CAP_CLR,
        ARB_ERR_CAP_HI_ADDR,
        ARB_ERR_CAP_ADDR,
-        ARB_ERR_CAP_DATA,
        ARB_ERR_CAP_STATUS,
        ARB_ERR_CAP_MASTER,
 };
@@ -53,7 +50,6 @@ static const int gisb_offsets_bcm7038[] = {
        [ARB_ERR_CAP_CLR]       = 0x0c4,
        [ARB_ERR_CAP_HI_ADDR]   = -1,
        [ARB_ERR_CAP_ADDR]      = 0x0c8,
-        [ARB_ERR_CAP_DATA]      = 0x0cc,
        [ARB_ERR_CAP_STATUS]    = 0x0d0,
        [ARB_ERR_CAP_MASTER]    = -1,
 };
@@ -63,7 +59,6 @@ static const int gisb_offsets_bcm7400[] = {
        [ARB_ERR_CAP_CLR]       = 0x0c8,
        [ARB_ERR_CAP_HI_ADDR]   = -1,
        [ARB_ERR_CAP_ADDR]      = 0x0cc,
-        [ARB_ERR_CAP_DATA]      = 0x0d0,
        [ARB_ERR_CAP_STATUS]    = 0x0d4,
        [ARB_ERR_CAP_MASTER]    = 0x0d8,
 };
@@ -73,7 +68,6 @@ static const int gisb_offsets_bcm7435[] = {
        [ARB_ERR_CAP_CLR]       = 0x168,
        [ARB_ERR_CAP_HI_ADDR]   = -1,
        [ARB_ERR_CAP_ADDR]      = 0x16c,
-        [ARB_ERR_CAP_DATA]      = 0x170,
        [ARB_ERR_CAP_STATUS]    = 0x174,
        [ARB_ERR_CAP_MASTER]    = 0x178,
 };
@@ -83,7 +77,6 @@ static const int gisb_offsets_bcm7445[] = {
        [ARB_ERR_CAP_CLR]       = 0x7e4,
        [ARB_ERR_CAP_HI_ADDR]   = 0x7e8,
        [ARB_ERR_CAP_ADDR]      = 0x7ec,
-        [ARB_ERR_CAP_DATA]      = 0x7f0,
        [ARB_ERR_CAP_STATUS]    = 0x7f4,
        [ARB_ERR_CAP_MASTER]    = 0x7f8,
 };
@@ -105,9 +98,13 @@ static u32 gisb_read(struct brcmstb_gisb_arb_device *gdev, int reg)
 {
        int offset = gdev->gisb_offsets[reg];
-        /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */
+        if (offset < 0) {
-        if (offset == -1)
+                /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */
-                return 1;
+                if (reg == ARB_ERR_CAP_MASTER)
+                        return 1;
+                else
+                        return 0;
+        }
        if (gdev->big_endian)
                return ioread32be(gdev->base + offset);
@@ -115,6 +112,16 @@ static u32 gisb_read(struct brcmstb_gisb_arb_device *gdev, int reg)
                return ioread32(gdev->base + offset);
 }
+static u64 gisb_read_address(struct brcmstb_gisb_arb_device *gdev)
+{
+        u64 value;
+        value = gisb_read(gdev, ARB_ERR_CAP_ADDR);
+        value |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32;
+        return value;
+}
 static void gisb_write(struct brcmstb_gisb_arb_device *gdev, u32 val, int reg)
 {
        int offset = gdev->gisb_offsets[reg];
@@ -123,9 +130,9 @@ static void gisb_write(struct brcmstb_gisb_arb_device *gdev, u32 val, int reg)
                return;
        if (gdev->big_endian)
-                iowrite32be(val, gdev->base + reg);
+                iowrite32be(val, gdev->base + offset);
        else
-                iowrite32(val, gdev->base + reg);
+                iowrite32(val, gdev->base + offset);
 }
 static ssize_t gisb_arb_get_timeout(struct device *dev,
@@ -181,7 +188,7 @@ static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev,
                                        const char *reason)
 {
        u32 cap_status;
-        unsigned long arb_addr;
+        u64 arb_addr;
        u32 master;
        const char *m_name;
        char m_fmt[11];
@@ -193,10 +200,7 @@ static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev,
                return 1;
        /* Read the address and master */
-        arb_addr = gisb_read(gdev, ARB_ERR_CAP_ADDR) & 0xffffffff;
+        arb_addr = gisb_read_address(gdev);
-#if (IS_ENABLED(CONFIG_PHYS_ADDR_T_64BIT))
-        arb_addr |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32;
-#endif
        master = gisb_read(gdev, ARB_ERR_CAP_MASTER);
        m_name = brcmstb_gisb_master_to_str(gdev, master);
@@ -205,7 +209,7 @@ static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev,
                m_name = m_fmt;
        }
-        pr_crit("%s: %s at 0x%lx [%c %s], core: %s\n",
+        pr_crit("%s: %s at 0x%llx [%c %s], core: %s\n",
                __func__, reason, arb_addr,
                cap_status & ARB_ERR_CAP_STATUS_WRITE ? 'W' : 'R',
                cap_status & ARB_ERR_CAP_STATUS_TIMEOUT ? "timeout" : "",
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index c206ccda899b..0151039bff05 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -1154,9 +1154,6 @@ int cdrom_open(struct cdrom_device_info *cdi, struct block_device *bdev,
        cd_dbg(CD_OPEN, "entering cdrom_open\n");
-        /* open is event synchronization point, check events first */
-        check_disk_change(bdev);
        /* if this was a O_NONBLOCK open and we should honor the flags,
         * do a quick open without drive/disc integrity checks. */
        cdi->use_count++;
@@ -2358,7 +2355,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
        if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
                return media_changed(cdi, 1);
-        if ((unsigned int)arg >= cdi->capacity)
+        if (arg >= cdi->capacity)
                return -EINVAL;
        info = kmalloc(sizeof(*info), GFP_KERNEL);
diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
index 584bc3126403..e2808fefbb78 100644
--- a/drivers/cdrom/gdrom.c
+++ b/drivers/cdrom/gdrom.c
@@ -497,6 +497,9 @@ static struct cdrom_device_ops gdrom_ops = {
 static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
 {
        int ret;
+        check_disk_change(bdev);
        mutex_lock(&gdrom_mutex);
        ret = cdrom_open(gd.cd_info, bdev, mode);
        mutex_unlock(&gdrom_mutex);
diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c
index 1341a94cc779..76afc841232c 100644
--- a/drivers/char/agp/intel-gtt.c
+++ b/drivers/char/agp/intel-gtt.c
@@ -859,6 +859,8 @@ void intel_gtt_insert_sg_entries(struct sg_table *st,
                }
        }
        wmb();
+        if (intel_private.driver->chipset_flush)
+                intel_private.driver->chipset_flush();
 }
 EXPORT_SYMBOL(intel_gtt_insert_sg_entries);
diff --git a/drivers/char/hw_random/exynos-rng.c b/drivers/char/hw_random/exynos-rng.c
index 7845a38b6604..7ba0ae060d61 100644
--- a/drivers/char/hw_random/exynos-rng.c
+++ b/drivers/char/hw_random/exynos-rng.c
@@ -155,8 +155,7 @@ static int exynos_rng_probe(struct platform_device *pdev)
        return ret;
 }
-#ifdef CONFIG_PM
+static int __maybe_unused exynos_rng_runtime_suspend(struct device *dev)
-static int exynos_rng_runtime_suspend(struct device *dev)
 {
        struct platform_device *pdev = to_platform_device(dev);
        struct exynos_rng *exynos_rng = platform_get_drvdata(pdev);
@@ -166,7 +165,7 @@ static int exynos_rng_runtime_suspend(struct device *dev)
        return 0;
 }
-static int exynos_rng_runtime_resume(struct device *dev)
+static int __maybe_unused exynos_rng_runtime_resume(struct device *dev)
 {
        struct platform_device *pdev = to_platform_device(dev);
        struct exynos_rng *exynos_rng = platform_get_drvdata(pdev);
@@ -174,12 +173,12 @@ static int exynos_rng_runtime_resume(struct device *dev)
        return clk_prepare_enable(exynos_rng->clk);
 }
-static int exynos_rng_suspend(struct device *dev)
+static int __maybe_unused exynos_rng_suspend(struct device *dev)
 {
        return pm_runtime_force_suspend(dev);
 }
-static int exynos_rng_resume(struct device *dev)
+static int __maybe_unused exynos_rng_resume(struct device *dev)
 {
        struct platform_device *pdev = to_platform_device(dev);
        struct exynos_rng *exynos_rng = platform_get_drvdata(pdev);
@@ -191,7 +190,6 @@ static int exynos_rng_resume(struct device *dev)
        return exynos_rng_configure(exynos_rng);
 }
-#endif
 static const struct dev_pm_ops exynos_rng_pm_ops = {
        SET_SYSTEM_SLEEP_PM_OPS(exynos_rng_suspend, exynos_rng_resume)
diff --git a/drivers/char/hw_random/stm32-rng.c b/drivers/char/hw_random/stm32-rng.c
index 92a810648bd0..530aacca3eb8 100644
--- a/drivers/char/hw_random/stm32-rng.c
+++ b/drivers/char/hw_random/stm32-rng.c
@@ -21,6 +21,7 @@
 #include <linux/of_address.h>
 #include <linux/of_platform.h>
 #include <linux/pm_runtime.h>
+#include <linux/reset.h>
 #include <linux/slab.h>
 #define RNG_CR 0x00
@@ -46,6 +47,7 @@ struct stm32_rng_private {
        struct hwrng rng;
        void __iomem *base;
        struct clk *clk;
+        struct reset_control *rst;
 };
 static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait)
@@ -140,6 +142,13 @@ static int stm32_rng_probe(struct platform_device *ofdev)
        if (IS_ERR(priv->clk))
                return PTR_ERR(priv->clk);
+        priv->rst = devm_reset_control_get(&ofdev->dev, NULL);
+        if (!IS_ERR(priv->rst)) {
+                reset_control_assert(priv->rst);
+                udelay(2);
+                reset_control_deassert(priv->rst);
+        }
        dev_set_drvdata(dev, priv);
        priv->rng.name = dev_driver_string(dev),
diff --git a/drivers/char/hw_random/via-rng.c b/drivers/char/hw_random/via-rng.c
index 0c98a9d51a24..44ce80606944 100644
--- a/drivers/char/hw_random/via-rng.c
+++ b/drivers/char/hw_random/via-rng.c
@@ -140,7 +140,7 @@ static int via_rng_init(struct hwrng *rng)
         * RNG configuration like it used to be the case in this
         * register */
        if ((c->x86 == 6) && (c->x86_model >= 0x0f)) {
-                if (!cpu_has_xstore_enabled) {
+                if (!boot_cpu_has(X86_FEATURE_XSTORE_EN)) {
                        pr_err(PFX "can't enable hardware RNG "
                                "if XSTORE is not enabled\n");
                        return -ENODEV;
@@ -200,8 +200,9 @@ static int __init mod_init(void)
 {
        int err;
-        if (!cpu_has_xstore)
+        if (!boot_cpu_has(X86_FEATURE_XSTORE))
                return -ENODEV;
        pr_info("VIA RNG detected\n");
        err = hwrng_register(&via_rng);
        if (err) {
diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c
index feafdab734ae..4835b588b783 100644
--- a/drivers/char/ipmi/ipmi_bt_sm.c
+++ b/drivers/char/ipmi/ipmi_bt_sm.c
@@ -522,11 +522,12 @@ static enum si_sm_result bt_event(struct si_sm_data *bt, long time)
                if (status & BT_H_BUSY)         /* clear a leftover H_BUSY */
                        BT_CONTROL(BT_H_BUSY);
+                bt->timeout = bt->BT_CAP_req2rsp;
                /* Read BT capabilities if it hasn't been done yet */
                if (!bt->BT_CAP_outreqs)
                        BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN,
                                        SI_SM_CALL_WITHOUT_DELAY);
-                bt->timeout = bt->BT_CAP_req2rsp;
                BT_SI_SM_RETURN(SI_SM_IDLE);
        case BT_STATE_XACTION_START:
diff --git a/drivers/char/ipmi/ipmi_powernv.c b/drivers/char/ipmi/ipmi_powernv.c
index 6e658aa114f1..a70518a4fcec 100644
--- a/drivers/char/ipmi/ipmi_powernv.c
+++ b/drivers/char/ipmi/ipmi_powernv.c
@@ -251,8 +251,9 @@ static int ipmi_powernv_probe(struct platform_device *pdev)
                ipmi->irq = opal_event_request(prop);
        }
-        if (request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH,
+        rc = request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH,
-                                "opal-ipmi", ipmi)) {
+                         "opal-ipmi", ipmi);
+        if (rc) {
                dev_warn(dev, "Unable to request irq\n");
                goto err_dispose;
        }
diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
index f53e8ba2c718..d6d166fe49a3 100644
--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -409,6 +409,7 @@ static void start_event_fetch(struct ssif_info *ssif_info, unsigned long *flags)
        msg = ipmi_alloc_smi_msg();
        if (!msg) {
                ssif_info->ssif_state = SSIF_NORMAL;
+                ipmi_ssif_unlock_cond(ssif_info, flags);
                return;
        }
@@ -431,6 +432,7 @@ static void start_recv_msg_fetch(struct ssif_info *ssif_info,
        msg = ipmi_alloc_smi_msg();
        if (!msg) {
                ssif_info->ssif_state = SSIF_NORMAL;
+                ipmi_ssif_unlock_cond(ssif_info, flags);
                return;
        }
@@ -755,7 +757,7 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
                        ssif_info->ssif_state = SSIF_NORMAL;
                        ipmi_ssif_unlock_cond(ssif_info, flags);
                        pr_warn(PFX "Error getting flags: %d %d, %x\n",
-                               result, len, data[2]);
+                               result, len, (len >= 3) ? data[2] : 0);
                } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
                           || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
                        /*
@@ -777,7 +779,7 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
                if ((result < 0) || (len < 3) || (data[2] != 0)) {
                        /* Error clearing flags */
                        pr_warn(PFX "Error clearing flags: %d %d, %x\n",
-                               result, len, data[2]);
+                               result, len, (len >= 3) ? data[2] : 0);
                } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
                           || data[1] != IPMI_CLEAR_MSG_FLAGS_CMD) {
                        pr_warn(PFX "Invalid response clearing flags: %x %x\n",
diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
index 40d400fe5bb7..4ada103945f0 100644
--- a/drivers/char/ipmi/ipmi_watchdog.c
+++ b/drivers/char/ipmi/ipmi_watchdog.c
@@ -515,7 +515,7 @@ static void panic_halt_ipmi_heartbeat(void)
        msg.cmd = IPMI_WDOG_RESET_TIMER;
        msg.data = NULL;
        msg.data_len = 0;
-        atomic_add(2, &panic_done_count);
+        atomic_add(1, &panic_done_count);
        rv = ipmi_request_supply_msgs(watchdog_user,
                                      (struct ipmi_addr *) &addr,
                                      0,
@@ -525,7 +525,7 @@ static void panic_halt_ipmi_heartbeat(void)
                                      &panic_halt_heartbeat_recv_msg,
                                      1);
        if (rv)
-                atomic_sub(2, &panic_done_count);
+                atomic_sub(1, &panic_done_count);
 }
 static struct ipmi_smi_msg panic_halt_smi_msg = {
@@ -549,12 +549,12 @@ static void panic_halt_ipmi_set_timeout(void)
        /* Wait for the messages to be free. */
        while (atomic_read(&panic_done_count) != 0)
                ipmi_poll_interface(watchdog_user);
-        atomic_add(2, &panic_done_count);
+        atomic_add(1, &panic_done_count);
        rv = i_ipmi_set_timeout(&panic_halt_smi_msg,
                                &panic_halt_recv_msg,
                                &send_heartbeat_now);
        if (rv) {
-                atomic_sub(2, &panic_done_count);
+                atomic_sub(1, &panic_done_count);
                printk(KERN_WARNING PFX
                       "Unable to extend the watchdog timeout.");
        } else {
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 1822472dffab..2916d08ee30e 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -724,7 +724,7 @@ retry:
 static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
 {
-        const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
+        const int nbits_max = r->poolinfo->poolwords * 32;
        if (nbits < 0)
                return -EINVAL;
@@ -886,12 +886,16 @@ static void add_interrupt_bench(cycles_t start)
 static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
 {
        __u32 *ptr = (__u32 *) regs;
+        unsigned int idx;
        if (regs == NULL)
                return 0;
-        if (f->reg_idx >= sizeof(struct pt_regs) / sizeof(__u32))
+        idx = READ_ONCE(f->reg_idx);
-                f->reg_idx = 0;
+        if (idx >= sizeof(struct pt_regs) / sizeof(__u32))
-        return *(ptr + f->reg_idx++);
+                idx = 0;
+        ptr += idx++;
+        WRITE_ONCE(f->reg_idx, idx);
+        return *ptr;
 }
 void add_interrupt_randomness(int irq, int irq_flags)
@@ -1499,14 +1503,22 @@ static int
 write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
 {
        size_t bytes;
-        __u32 buf[16];
+        __u32 t, buf[16];
        const char __user *p = buffer;
        while (count > 0) {
+                int b, i = 0;
                bytes = min(count, sizeof(buf));
                if (copy_from_user(&buf, p, bytes))
                        return -EFAULT;
+                for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) {
+                        if (!arch_get_random_int(&t))
+                                break;
+                        buf[i] ^= t;
+                }
                count -= bytes;
                p += bytes;
diff --git a/drivers/char/tpm/st33zp24/st33zp24.c b/drivers/char/tpm/st33zp24/st33zp24.c
index 8d626784cd8d..49e4040eeb55 100644
--- a/drivers/char/tpm/st33zp24/st33zp24.c
+++ b/drivers/char/tpm/st33zp24/st33zp24.c
@@ -485,7 +485,7 @@ static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf,
                            size_t count)
 {
        int size = 0;
-        int expected;
+        u32 expected;
        if (!chip)
                return -EBUSY;
@@ -502,7 +502,7 @@ static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf,
        }
        expected = be32_to_cpu(*(__be32 *)(buf + 2));
-        if (expected > count) {
+        if (expected > count || expected < TPM_HEADER_SIZE) {
                size = -EIO;
                goto out;
        }
diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index a0d9ac6b6cc9..e759100e41a7 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -26,6 +26,7 @@
 #include <linux/spinlock.h>
 #include <linux/freezer.h>
 #include <linux/major.h>
+#include <linux/of.h>
 #include "tpm.h"
 #include "tpm_eventlog.h"
@@ -324,8 +325,20 @@ static void tpm1_chip_unregister(struct tpm_chip *chip)
 */
 int tpm_chip_register(struct tpm_chip *chip)
 {
+#ifdef CONFIG_OF
+        struct device_node *np;
+#endif
        int rc;
+#ifdef CONFIG_OF
+        np = of_find_node_by_name(NULL, "vtpm");
+        if (np) {
+                if (of_property_read_bool(np, "powered-while-suspended"))
+                        chip->flags |= TPM_CHIP_FLAG_ALWAYS_POWERED;
+        }
+        of_node_put(np);
+#endif
        rc = tpm1_chip_register(chip);
        if (rc)
                return rc;
diff --git a/drivers/char/tpm/tpm-dev.c b/drivers/char/tpm/tpm-dev.c
index 912ad30be585..4719aa781bf2 100644
--- a/drivers/char/tpm/tpm-dev.c
+++ b/drivers/char/tpm/tpm-dev.c
@@ -25,7 +25,7 @@ struct file_priv {
        struct tpm_chip *chip;
        /* Data passed to and from the tpm via the read/write calls */
-        atomic_t data_pending;
+        size_t data_pending;
        struct mutex buffer_mutex;
        struct timer_list user_read_timer;      /* user needs to claim result */
@@ -46,7 +46,7 @@ static void timeout_work(struct work_struct *work)
        struct file_priv *priv = container_of(work, struct file_priv, work);
        mutex_lock(&priv->buffer_mutex);
-        atomic_set(&priv->data_pending, 0);
+        priv->data_pending = 0;
        memset(priv->data_buffer, 0, sizeof(priv->data_buffer));
        mutex_unlock(&priv->buffer_mutex);
 }
@@ -72,7 +72,6 @@ static int tpm_open(struct inode *inode, struct file *file)
        }
        priv->chip = chip;
-        atomic_set(&priv->data_pending, 0);
        mutex_init(&priv->buffer_mutex);
        setup_timer(&priv->user_read_timer, user_reader_timeout,
                        (unsigned long)priv);
@@ -86,28 +85,24 @@ static ssize_t tpm_read(struct file *file, char __user *buf,
                        size_t size, loff_t *off)
 {
        struct file_priv *priv = file->private_data;
-        ssize_t ret_size;
+        ssize_t ret_size = 0;
        int rc;
        del_singleshot_timer_sync(&priv->user_read_timer);
        flush_work(&priv->work);
-        ret_size = atomic_read(&priv->data_pending);
+        mutex_lock(&priv->buffer_mutex);
-        if (ret_size > 0) {     /* relay data */
-                ssize_t orig_ret_size = ret_size;
-                if (size < ret_size)
-                        ret_size = size;
-                mutex_lock(&priv->buffer_mutex);
+        if (priv->data_pending) {
+                ret_size = min_t(ssize_t, size, priv->data_pending);
                rc = copy_to_user(buf, priv->data_buffer, ret_size);
-                memset(priv->data_buffer, 0, orig_ret_size);
+                memset(priv->data_buffer, 0, priv->data_pending);
                if (rc)
                        ret_size = -EFAULT;
-                mutex_unlock(&priv->buffer_mutex);
+                priv->data_pending = 0;
        }
-        atomic_set(&priv->data_pending, 0);
+        mutex_unlock(&priv->buffer_mutex);
        return ret_size;
 }
@@ -118,18 +113,20 @@ static ssize_t tpm_write(struct file *file, const char __user *buf,
        size_t in_size = size;
        ssize_t out_size;
-        /* cannot perform a write until the read has cleared
-           either via tpm_read or a user_read_timer timeout.
-           This also prevents splitted buffered writes from blocking here.
-        */
-        if (atomic_read(&priv->data_pending) != 0)
-                return -EBUSY;
        if (in_size > TPM_BUFSIZE)
                return -E2BIG;
        mutex_lock(&priv->buffer_mutex);
+        /* Cannot perform a write until the read has cleared either via
+         * tpm_read or a user_read_timer timeout. This also prevents split
+         * buffered writes from blocking here.
+         */
+        if (priv->data_pending != 0) {
+                mutex_unlock(&priv->buffer_mutex);
+                return -EBUSY;
+        }
        if (copy_from_user
            (priv->data_buffer, (void __user *) buf, in_size)) {
                mutex_unlock(&priv->buffer_mutex);
@@ -153,7 +150,7 @@ static ssize_t tpm_write(struct file *file, const char __user *buf,
                return out_size;
        }
-        atomic_set(&priv->data_pending, out_size);
+        priv->data_pending = out_size;
        mutex_unlock(&priv->buffer_mutex);
        /* Set a timeout by which the reader must come claim the result */
@@ -172,7 +169,7 @@ static int tpm_release(struct inode *inode, struct file *file)
        del_singleshot_timer_sync(&priv->user_read_timer);
        flush_work(&priv->work);
        file->private_data = NULL;
-        atomic_set(&priv->data_pending, 0);
+        priv->data_pending = 0;
        clear_bit(0, &priv->chip->is_open);
        kfree(priv);
        return 0;
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index aaa5fa95dede..95a40ec854ad 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -787,6 +787,10 @@ int tpm_do_selftest(struct tpm_chip *chip)
        loops = jiffies_to_msecs(duration) / delay_msec;
        rc = tpm_continue_selftest(chip);
+        if (rc == TPM_ERR_INVALID_POSTINIT) {
+                chip->flags |= TPM_CHIP_FLAG_ALWAYS_POWERED;
+                dev_info(&chip->dev, "TPM not ready (%d)\n", rc);
+        }
        /* This may fail if there was no TPM driver during a suspend/resume
         * cycle; some may return 10 (BAD_ORDINAL), others 28 (FAILEDSELFTEST)
         */
@@ -931,6 +935,9 @@ int tpm_pm_suspend(struct device *dev)
        if (chip == NULL)
                return -ENODEV;
+        if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED)
+                return 0;
        if (chip->flags & TPM_CHIP_FLAG_TPM2) {
                tpm2_shutdown(chip, TPM2_SU_STATE);
                return 0;
@@ -1040,6 +1047,11 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
                        break;
                recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
+                if (recd > num_bytes) {
+                        total = -EFAULT;
+                        break;
+                }
                memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
                dest += recd;
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 772d99b3a8e4..36e1abda00f9 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -168,6 +168,7 @@ struct tpm_vendor_specific {
 enum tpm_chip_flags {
        TPM_CHIP_FLAG_REGISTERED        = BIT(0),
        TPM_CHIP_FLAG_TPM2              = BIT(1),
+        TPM_CHIP_FLAG_ALWAYS_POWERED    = BIT(5),
 };
 struct tpm_chip {
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 286bd090a488..389a009b83f2 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -622,6 +622,11 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
        if (!rc) {
                data_len = be16_to_cpup(
                        (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
+                if (data_len < MIN_KEY_SIZE ||  data_len > MAX_KEY_SIZE + 1) {
+                        rc = -EFAULT;
+                        goto out;
+                }
                data = &buf.data[TPM_HEADER_SIZE + 6];
                memcpy(payload->key, data, data_len - 1);
@@ -629,6 +634,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
                payload->migratable = data[data_len - 1];
        }
+out:
        tpm_buf_destroy(&buf);
        return rc;
 }
diff --git a/drivers/char/tpm/tpm_i2c_infineon.c b/drivers/char/tpm/tpm_i2c_infineon.c
index f2aa99e34b4b..9f12ad74a09b 100644
--- a/drivers/char/tpm/tpm_i2c_infineon.c
+++ b/drivers/char/tpm/tpm_i2c_infineon.c
@@ -436,7 +436,8 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
 static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
 {
        int size = 0;
-        int expected, status;
+        int status;
+        u32 expected;
        if (count < TPM_HEADER_SIZE) {
                size = -EIO;
@@ -451,7 +452,7 @@ static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
        }
        expected = be32_to_cpu(*(__be32 *)(buf + 2));
-        if ((size_t) expected > count) {
+        if (((size_t) expected > count) || (expected < TPM_HEADER_SIZE)) {
                size = -EIO;
                goto out;
        }
diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
index a1e1474dda30..aedf726cbab6 100644
--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
+++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
@@ -267,7 +267,11 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
        struct device *dev = chip->dev.parent;
        struct i2c_client *client = to_i2c_client(dev);
        s32 rc;
-        int expected, status, burst_count, retries, size = 0;
+        int status;
+        int burst_count;
+        int retries;
+        int size = 0;
+        u32 expected;
        if (count < TPM_HEADER_SIZE) {
                i2c_nuvoton_ready(chip);    /* return to idle */
@@ -309,7 +313,7 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
                 * to machine native
                 */
                expected = be32_to_cpu(*(__be32 *) (buf + 2));
-                if (expected > count) {
+                if (expected > count || expected < size) {
                        dev_err(dev, "%s() expected > count\n", __func__);
                        size = -EIO;
                        continue;
diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
index 7f13221aeb30..9dd93a209ef2 100644
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -283,7 +283,8 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
 static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
 {
        int size = 0;
-        int expected, status;
+        int status;
+        u32 expected;
        if (count < TPM_HEADER_SIZE) {
                size = -EIO;
@@ -298,7 +299,7 @@ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
        }
        expected = be32_to_cpu(*(__be32 *) (buf + 2));
-        if (expected > count) {
+        if (expected > count || expected < TPM_HEADER_SIZE) {
                size = -EIO;
                goto out;
        }
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index be0b09a0fb44..2aca689061e1 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1399,7 +1399,6 @@ static int add_port(struct ports_device *portdev, u32 id)
 {
        char debugfs_name[16];
        struct port *port;
-        struct port_buffer *buf;
        dev_t devt;
        unsigned int nr_added_bufs;
        int err;
@@ -1510,8 +1509,6 @@ static int add_port(struct ports_device *portdev, u32 id)
        return 0;
 free_inbufs:
-        while ((buf = virtqueue_detach_unused_buf(port->in_vq)))
-                free_buf(buf, true);
 free_device:
        device_destroy(pdrvdata.class, port->dev->devt);
 free_cdev:
@@ -1536,34 +1533,14 @@ static void remove_port(struct kref *kref)
 static void remove_port_data(struct port *port)
 {
-        struct port_buffer *buf;
        spin_lock_irq(&port->inbuf_lock);
        /* Remove unused data this port might have received. */
        discard_port_data(port);
        spin_unlock_irq(&port->inbuf_lock);
-        /* Remove buffers we queued up for the Host to send us data in. */
-        do {
-                spin_lock_irq(&port->inbuf_lock);
-                buf = virtqueue_detach_unused_buf(port->in_vq);
-                spin_unlock_irq(&port->inbuf_lock);
-                if (buf)
-                        free_buf(buf, true);
-        } while (buf);
        spin_lock_irq(&port->outvq_lock);
        reclaim_consumed_buffers(port);
        spin_unlock_irq(&port->outvq_lock);
-        /* Free pending buffers from the out-queue. */
-        do {
-                spin_lock_irq(&port->outvq_lock);
-                buf = virtqueue_detach_unused_buf(port->out_vq);
-                spin_unlock_irq(&port->outvq_lock);
-                if (buf)
-                        free_buf(buf, true);
-        } while (buf);
 }
 /*
@@ -1788,13 +1765,24 @@ static void control_work_handler(struct work_struct *work)
        spin_unlock(&portdev->c_ivq_lock);
 }
+static void flush_bufs(struct virtqueue *vq, bool can_sleep)
+{
+        struct port_buffer *buf;
+        unsigned int len;
+        while ((buf = virtqueue_get_buf(vq, &len)))
+                free_buf(buf, can_sleep);
+}
 static void out_intr(struct virtqueue *vq)
 {
        struct port *port;
        port = find_port_by_vq(vq->vdev->priv, vq);
-        if (!port)
+        if (!port) {
+                flush_bufs(vq, false);
                return;
+        }
        wake_up_interruptible(&port->waitqueue);
 }
@@ -1805,8 +1793,10 @@ static void in_intr(struct virtqueue *vq)
        unsigned long flags;
        port = find_port_by_vq(vq->vdev->priv, vq);
-        if (!port)
+        if (!port) {
+                flush_bufs(vq, false);
                return;
+        }
        spin_lock_irqsave(&port->inbuf_lock, flags);
        port->inbuf = get_inbuf(port);
@@ -1981,6 +1971,15 @@ static const struct file_operations portdev_fops = {
 static void remove_vqs(struct ports_device *portdev)
 {
+        struct virtqueue *vq;
+        virtio_device_for_each_vq(portdev->vdev, vq) {
+                struct port_buffer *buf;
+                flush_bufs(vq, true);
+                while ((buf = virtqueue_detach_unused_buf(vq)))
+                        free_buf(buf, true);
+        }
        portdev->vdev->config->del_vqs(portdev->vdev);
        kfree(portdev->in_vqs);
        kfree(portdev->out_vqs);
diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
index 35ab89fe9d7b..d56ba46e6b78 100644
--- a/drivers/clk/bcm/clk-bcm2835.c
+++ b/drivers/clk/bcm/clk-bcm2835.c
@@ -891,9 +891,7 @@ static void bcm2835_pll_off(struct clk_hw *hw)
        const struct bcm2835_pll_data *data = pll->data;
        spin_lock(&cprman->regs_lock);
-        cprman_write(cprman, data->cm_ctrl_reg,
+        cprman_write(cprman, data->cm_ctrl_reg, CM_PLL_ANARST);
-                     cprman_read(cprman, data->cm_ctrl_reg) |
-                     CM_PLL_ANARST);
        cprman_write(cprman, data->a2w_ctrl_reg,
                     cprman_read(cprman, data->a2w_ctrl_reg) |
                     A2W_PLL_CTRL_PWRDN);
@@ -912,8 +910,10 @@ static int bcm2835_pll_on(struct clk_hw *hw)
                     ~A2W_PLL_CTRL_PWRDN);
        /* Take the PLL out of reset. */
+        spin_lock(&cprman->regs_lock);
        cprman_write(cprman, data->cm_ctrl_reg,
                     cprman_read(cprman, data->cm_ctrl_reg) & ~CM_PLL_ANARST);
+        spin_unlock(&cprman->regs_lock);
        /* Wait for the PLL to lock. */
        timeout = ktime_add_ns(ktime_get(), LOCK_TIMEOUT_NS);
@@ -927,6 +927,10 @@ static int bcm2835_pll_on(struct clk_hw *hw)
                cpu_relax();
        }
+        cprman_write(cprman, data->a2w_ctrl_reg,
+                     cprman_read(cprman, data->a2w_ctrl_reg) |
+                     A2W_PLL_CTRL_PRST_DISABLE);
        return 0;
 }
@@ -997,9 +1001,11 @@ static int bcm2835_pll_set_rate(struct clk_hw *hw,
        }
        /* Unmask the reference clock from the oscillator. */
+        spin_lock(&cprman->regs_lock);
        cprman_write(cprman, A2W_XOSC_CTRL,
                     cprman_read(cprman, A2W_XOSC_CTRL) |
                     data->reference_enable_mask);
+        spin_unlock(&cprman->regs_lock);
        if (do_ana_setup_first)
                bcm2835_pll_write_ana(cprman, data->ana_reg_base, ana);
diff --git a/drivers/clk/bcm/clk-ns2.c b/drivers/clk/bcm/clk-ns2.c
index a564e9248814..adc14145861a 100644
--- a/drivers/clk/bcm/clk-ns2.c
+++ b/drivers/clk/bcm/clk-ns2.c
@@ -103,7 +103,7 @@ CLK_OF_DECLARE(ns2_genpll_src_clk, "brcm,ns2-genpll-scr",
 static const struct iproc_pll_ctrl genpll_sw = {
        .flags = IPROC_CLK_AON | IPROC_CLK_PLL_SPLIT_STAT_CTRL,
-        .aon = AON_VAL(0x0, 2, 9, 8),
+        .aon = AON_VAL(0x0, 1, 11, 10),
        .reset = RESET_VAL(0x4, 2, 1),
        .dig_filter = DF_VAL(0x0, 9, 3, 5, 4, 2, 3),
        .ndiv_int = REG_VAL(0x8, 4, 10),
diff --git a/drivers/clk/clk-conf.c b/drivers/clk/clk-conf.c
index 43a218f35b19..4ad32ce428cf 100644
--- a/drivers/clk/clk-conf.c
+++ b/drivers/clk/clk-conf.c
@@ -106,7 +106,7 @@ static int __set_clk_rates(struct device_node *node, bool clk_supplier)
                        rc = clk_set_rate(clk, rate);
                        if (rc < 0)
-                                pr_err("clk: couldn't set %s clk rate to %d (%d), current rate: %ld\n",
+                                pr_err("clk: couldn't set %s clk rate to %u (%d), current rate: %lu\n",
                                       __clk_get_name(clk), rate, rc,
                                       clk_get_rate(clk));
                        clk_put(clk);
diff --git a/drivers/clk/clk-scpi.c b/drivers/clk/clk-scpi.c
index cd0f2726f5e0..c40445488d3a 100644
--- a/drivers/clk/clk-scpi.c
+++ b/drivers/clk/clk-scpi.c
@@ -71,15 +71,15 @@ static const struct clk_ops scpi_clk_ops = {
 };
 /* find closest match to given frequency in OPP table */
-static int __scpi_dvfs_round_rate(struct scpi_clk *clk, unsigned long rate)
+static long __scpi_dvfs_round_rate(struct scpi_clk *clk, unsigned long rate)
 {
        int idx;
-        u32 fmin = 0, fmax = ~0, ftmp;
+        unsigned long fmin = 0, fmax = ~0, ftmp;
        const struct scpi_opp *opp = clk->info->opps;
        for (idx = 0; idx < clk->info->count; idx++, opp++) {
                ftmp = opp->freq;
-                if (ftmp >= (u32)rate) {
+                if (ftmp >= rate) {
                        if (ftmp <= fmax)
                                fmax = ftmp;
                        break;
diff --git a/drivers/clk/clk-si5351.c b/drivers/clk/clk-si5351.c
index e346b223199d..a01ee9a3ed6d 100644
--- a/drivers/clk/clk-si5351.c
+++ b/drivers/clk/clk-si5351.c
@@ -72,7 +72,7 @@ static const char * const si5351_input_names[] = {
        "xtal", "clkin"
 };
 static const char * const si5351_pll_names[] = {
-        "plla", "pllb", "vxco"
+        "si5351_plla", "si5351_pllb", "si5351_vxco"
 };
 static const char * const si5351_msynth_names[] = {
        "ms0", "ms1", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7"
diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
index 28ae80d71328..3f28b8682258 100644
--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -1975,6 +1975,9 @@ static int clk_core_get_phase(struct clk_core *core)
        int ret;
        clk_prepare_lock();
+        /* Always try to update cached phase if possible */
+        if (core->ops->get_phase)
+                core->phase = core->ops->get_phase(core->hw);
        ret = core->phase;
        clk_prepare_unlock();
diff --git a/drivers/clk/mvebu/armada-38x.c b/drivers/clk/mvebu/armada-38x.c
index 8bccf4ecdab6..9ff4ea63932d 100644
--- a/drivers/clk/mvebu/armada-38x.c
+++ b/drivers/clk/mvebu/armada-38x.c
@@ -46,10 +46,11 @@ static u32 __init armada_38x_get_tclk_freq(void __iomem *sar)
 }
 static const u32 armada_38x_cpu_frequencies[] __initconst = {
-        0, 0, 0, 0,
+        666 * 1000 * 1000,  0, 800 * 1000 * 1000, 0,
-        1066 * 1000 * 1000, 0, 0, 0,
+        1066 * 1000 * 1000, 0, 1200 * 1000 * 1000, 0,
        1332 * 1000 * 1000, 0, 0, 0,
-        1600 * 1000 * 1000,
+        1600 * 1000 * 1000, 0, 0, 0,
+        1866 * 1000 * 1000, 0, 0, 2000 * 1000 * 1000,
 };
 static u32 __init armada_38x_get_cpu_freq(void __iomem *sar)
@@ -75,11 +76,11 @@ static const struct coreclk_ratio armada_38x_coreclk_ratios[] __initconst = {
 };
 static const int armada_38x_cpu_l2_ratios[32][2] __initconst = {
-        {0, 1}, {0, 1}, {0, 1}, {0, 1},
+        {1, 2}, {0, 1}, {1, 2}, {0, 1},
-        {1, 2}, {0, 1}, {0, 1}, {0, 1},
+        {1, 2}, {0, 1}, {1, 2}, {0, 1},
        {1, 2}, {0, 1}, {0, 1}, {0, 1},
        {1, 2}, {0, 1}, {0, 1}, {0, 1},
-        {0, 1}, {0, 1}, {0, 1}, {0, 1},
+        {1, 2}, {0, 1}, {0, 1}, {1, 2},
        {0, 1}, {0, 1}, {0, 1}, {0, 1},
        {0, 1}, {0, 1}, {0, 1}, {0, 1},
        {0, 1}, {0, 1}, {0, 1}, {0, 1},
@@ -90,7 +91,7 @@ static const int armada_38x_cpu_ddr_ratios[32][2] __initconst = {
        {1, 2}, {0, 1}, {0, 1}, {0, 1},
        {1, 2}, {0, 1}, {0, 1}, {0, 1},
        {1, 2}, {0, 1}, {0, 1}, {0, 1},
-        {0, 1}, {0, 1}, {0, 1}, {0, 1},
+        {1, 2}, {0, 1}, {0, 1}, {7, 15},
        {0, 1}, {0, 1}, {0, 1}, {0, 1},
        {0, 1}, {0, 1}, {0, 1}, {0, 1},
        {0, 1}, {0, 1}, {0, 1}, {0, 1},
diff --git a/drivers/clk/qcom/gcc-msm8916.c b/drivers/clk/qcom/gcc-msm8916.c
index 2e7f03d50f4e..95a4dd290f35 100644
--- a/drivers/clk/qcom/gcc-msm8916.c
+++ b/drivers/clk/qcom/gcc-msm8916.c
@@ -1437,6 +1437,7 @@ static const struct freq_tbl ftbl_codec_clk[] = {
 static struct clk_rcg2 codec_digcodec_clk_src = {
        .cmd_rcgr = 0x1c09c,
+        .mnd_width = 8,
        .hid_width = 5,
        .parent_map = gcc_xo_gpll1_emclk_sleep_map,
        .freq_tbl = ftbl_codec_clk,
diff --git a/drivers/clk/rockchip/clk-mmc-phase.c b/drivers/clk/rockchip/clk-mmc-phase.c
index 33c20c6b45af..b840e4ace623 100644
--- a/drivers/clk/rockchip/clk-mmc-phase.c
+++ b/drivers/clk/rockchip/clk-mmc-phase.c
@@ -60,6 +60,12 @@ static int rockchip_mmc_get_phase(struct clk_hw *hw)
        u16 degrees;
        u32 delay_num = 0;
+        /* See the comment for rockchip_mmc_set_phase below */
+        if (!rate) {
+                pr_err("%s: invalid clk rate\n", __func__);
+                return -EINVAL;
+        }
        raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
        degrees = (raw_value & ROCKCHIP_MMC_DEGREE_MASK) * 90;
@@ -86,6 +92,23 @@ static int rockchip_mmc_set_phase(struct clk_hw *hw, int degrees)
        u32 raw_value;
        u32 delay;
+        /*
+         * The below calculation is based on the output clock from
+         * MMC host to the card, which expects the phase clock inherits
+         * the clock rate from its parent, namely the output clock
+         * provider of MMC host. However, things may go wrong if
+         * (1) It is orphan.
+         * (2) It is assigned to the wrong parent.
+         *
+         * This check help debug the case (1), which seems to be the
+         * most likely problem we often face and which makes it difficult
+         * for people to debug unstable mmc tuning results.
+         */
+        if (!rate) {
+                pr_err("%s: invalid clk rate\n", __func__);
+                return -EINVAL;
+        }
        nineties = degrees / 90;
        remainder = (degrees % 90);
diff --git a/drivers/clk/samsung/clk-exynos3250.c b/drivers/clk/samsung/clk-exynos3250.c
index fdd41b17a24f..294efaef5b82 100644
--- a/drivers/clk/samsung/clk-exynos3250.c
+++ b/drivers/clk/samsung/clk-exynos3250.c
@@ -683,7 +683,7 @@ static struct samsung_pll_rate_table exynos3250_epll_rates[] = {
        PLL_36XX_RATE(144000000,  96, 2, 3,     0),
        PLL_36XX_RATE( 96000000, 128, 2, 4,     0),
        PLL_36XX_RATE( 84000000, 112, 2, 4,     0),
-        PLL_36XX_RATE( 80000004, 106, 2, 4, 43691),
+        PLL_36XX_RATE( 80000003, 106, 2, 4, 43691),
        PLL_36XX_RATE( 73728000,  98, 2, 4, 19923),
        PLL_36XX_RATE( 67737598, 270, 3, 5, 62285),
        PLL_36XX_RATE( 65535999, 174, 2, 5, 49982),
@@ -719,7 +719,7 @@ static struct samsung_pll_rate_table exynos3250_vpll_rates[] = {
        PLL_36XX_RATE(148352005,  98, 2, 3, 59070),
        PLL_36XX_RATE(108000000, 144, 2, 4,     0),
        PLL_36XX_RATE( 74250000,  99, 2, 4,     0),
-        PLL_36XX_RATE( 74176002,  98, 3, 4, 59070),
+        PLL_36XX_RATE( 74176002,  98, 2, 4, 59070),
        PLL_36XX_RATE( 54054000, 216, 3, 5, 14156),
        PLL_36XX_RATE( 54000000, 144, 2, 5,     0),
        { /* sentinel */ }
diff --git a/drivers/clk/samsung/clk-exynos5250.c b/drivers/clk/samsung/clk-exynos5250.c
index 5bebf8cb0d70..f0b564c7c9c1 100644
--- a/drivers/clk/samsung/clk-exynos5250.c
+++ b/drivers/clk/samsung/clk-exynos5250.c
@@ -711,13 +711,13 @@ static struct samsung_pll_rate_table epll_24mhz_tbl[] __initdata = {
        /* sorted in descending order */
        /* PLL_36XX_RATE(rate, m, p, s, k) */
        PLL_36XX_RATE(192000000, 64, 2, 2, 0),
-        PLL_36XX_RATE(180633600, 90, 3, 2, 20762),
+        PLL_36XX_RATE(180633605, 90, 3, 2, 20762),
        PLL_36XX_RATE(180000000, 90, 3, 2, 0),
        PLL_36XX_RATE(73728000, 98, 2, 4, 19923),
-        PLL_36XX_RATE(67737600, 90, 2, 4, 20762),
+        PLL_36XX_RATE(67737602, 90, 2, 4, 20762),
        PLL_36XX_RATE(49152000, 98, 3, 4, 19923),
-        PLL_36XX_RATE(45158400, 90, 3, 4, 20762),
+        PLL_36XX_RATE(45158401, 90, 3, 4, 20762),
-        PLL_36XX_RATE(32768000, 131, 3, 5, 4719),
+        PLL_36XX_RATE(32768001, 131, 3, 5, 4719),
        { },
 };
diff --git a/drivers/clk/samsung/clk-exynos5260.c b/drivers/clk/samsung/clk-exynos5260.c
index d1a29f6c1084..7027e77bf859 100644
--- a/drivers/clk/samsung/clk-exynos5260.c
+++ b/drivers/clk/samsung/clk-exynos5260.c
@@ -65,7 +65,7 @@ static struct samsung_pll_rate_table pll2650_24mhz_tbl[] __initdata = {
        PLL_36XX_RATE(480000000, 160, 2, 2, 0),
        PLL_36XX_RATE(432000000, 144, 2, 2, 0),
        PLL_36XX_RATE(400000000, 200, 3, 2, 0),
-        PLL_36XX_RATE(394073130, 459, 7, 2, 49282),
+        PLL_36XX_RATE(394073128, 459, 7, 2, 49282),
        PLL_36XX_RATE(333000000, 111, 2, 2, 0),
        PLL_36XX_RATE(300000000, 100, 2, 2, 0),
        PLL_36XX_RATE(266000000, 266, 3, 3, 0),
diff --git a/drivers/clk/samsung/clk-exynos5433.c b/drivers/clk/samsung/clk-exynos5433.c
index cee062c588de..91c89ac193b9 100644
--- a/drivers/clk/samsung/clk-exynos5433.c
+++ b/drivers/clk/samsung/clk-exynos5433.c
@@ -747,7 +747,7 @@ static struct samsung_pll_rate_table exynos5443_pll_rates[] = {
        PLL_35XX_RATE(800000000U,  400, 6,  1),
        PLL_35XX_RATE(733000000U,  733, 12, 1),
        PLL_35XX_RATE(700000000U,  175, 3,  1),
-        PLL_35XX_RATE(667000000U,  222, 4,  1),
+        PLL_35XX_RATE(666000000U,  222, 4,  1),
        PLL_35XX_RATE(633000000U,  211, 4,  1),
        PLL_35XX_RATE(600000000U,  500, 5,  2),
        PLL_35XX_RATE(552000000U,  460, 5,  2),
@@ -773,12 +773,12 @@ static struct samsung_pll_rate_table exynos5443_pll_rates[] = {
 /* AUD_PLL */
 static struct samsung_pll_rate_table exynos5443_aud_pll_rates[] = {
        PLL_36XX_RATE(400000000U, 200, 3, 2,      0),
-        PLL_36XX_RATE(393216000U, 197, 3, 2, -25690),
+        PLL_36XX_RATE(393216003U, 197, 3, 2, -25690),
        PLL_36XX_RATE(384000000U, 128, 2, 2,      0),
-        PLL_36XX_RATE(368640000U, 246, 4, 2, -15729),
+        PLL_36XX_RATE(368639991U, 246, 4, 2, -15729),
-        PLL_36XX_RATE(361507200U, 181, 3, 2, -16148),
+        PLL_36XX_RATE(361507202U, 181, 3, 2, -16148),
-        PLL_36XX_RATE(338688000U, 113, 2, 2,  -6816),
+        PLL_36XX_RATE(338687988U, 113, 2, 2,  -6816),
-        PLL_36XX_RATE(294912000U,  98, 1, 3,  19923),
+        PLL_36XX_RATE(294912002U,  98, 1, 3,  19923),
        PLL_36XX_RATE(288000000U,  96, 1, 3,      0),
        PLL_36XX_RATE(252000000U,  84, 1, 3,      0),
        { /* sentinel */ }
diff --git a/drivers/clk/samsung/clk-s3c2410.c b/drivers/clk/samsung/clk-s3c2410.c
index 0945a8852299..69e3e848716a 100644
--- a/drivers/clk/samsung/clk-s3c2410.c
+++ b/drivers/clk/samsung/clk-s3c2410.c
@@ -168,7 +168,7 @@ static struct samsung_pll_rate_table pll_s3c2410_12mhz_tbl[] __initdata = {
        PLL_35XX_RATE(226000000, 105, 1, 1),
        PLL_35XX_RATE(210000000, 132, 2, 1),
        /* 2410 common */
-        PLL_35XX_RATE(203000000, 161, 3, 1),
+        PLL_35XX_RATE(202800000, 161, 3, 1),
        PLL_35XX_RATE(192000000, 88, 1, 1),
        PLL_35XX_RATE(186000000, 85, 1, 1),
        PLL_35XX_RATE(180000000, 82, 1, 1),
@@ -178,18 +178,18 @@ static struct samsung_pll_rate_table pll_s3c2410_12mhz_tbl[] __initdata = {
        PLL_35XX_RATE(147000000, 90, 2, 1),
        PLL_35XX_RATE(135000000, 82, 2, 1),
        PLL_35XX_RATE(124000000, 116, 1, 2),
-        PLL_35XX_RATE(118000000, 150, 2, 2),
+        PLL_35XX_RATE(118500000, 150, 2, 2),
        PLL_35XX_RATE(113000000, 105, 1, 2),
-        PLL_35XX_RATE(101000000, 127, 2, 2),
+        PLL_35XX_RATE(101250000, 127, 2, 2),
        PLL_35XX_RATE(90000000, 112, 2, 2),
-        PLL_35XX_RATE(85000000, 105, 2, 2),
+        PLL_35XX_RATE(84750000, 105, 2, 2),
        PLL_35XX_RATE(79000000, 71, 1, 2),
-        PLL_35XX_RATE(68000000, 82, 2, 2),
+        PLL_35XX_RATE(67500000, 82, 2, 2),
-        PLL_35XX_RATE(56000000, 142, 2, 3),
+        PLL_35XX_RATE(56250000, 142, 2, 3),
        PLL_35XX_RATE(48000000, 120, 2, 3),
-        PLL_35XX_RATE(51000000, 161, 3, 3),
+        PLL_35XX_RATE(50700000, 161, 3, 3),
        PLL_35XX_RATE(45000000, 82, 1, 3),
-        PLL_35XX_RATE(34000000, 82, 2, 3),
+        PLL_35XX_RATE(33750000, 82, 2, 3),
        { /* sentinel */ },
 };
diff --git a/drivers/clk/tegra/clk-tegra30.c b/drivers/clk/tegra/clk-tegra30.c
index 8c41c6fcb9ee..acf83569f86f 100644
--- a/drivers/clk/tegra/clk-tegra30.c
+++ b/drivers/clk/tegra/clk-tegra30.c
@@ -333,11 +333,11 @@ static struct pdiv_map pllu_p[] = {
 };
 static struct tegra_clk_pll_freq_table pll_u_freq_table[] = {
-        { 12000000, 480000000, 960, 12, 0, 12},
+        { 12000000, 480000000, 960, 12, 2, 12 },
-        { 13000000, 480000000, 960, 13, 0, 12},
+        { 13000000, 480000000, 960, 13, 2, 12 },
-        { 16800000, 480000000, 400, 7,  0, 5},
+        { 16800000, 480000000, 400,  7, 2,  5 },
-        { 19200000, 480000000, 200, 4,  0, 3},
+        { 19200000, 480000000, 200,  4, 2,  3 },
-        { 26000000, 480000000, 960, 26, 0, 12},
+        { 26000000, 480000000, 960, 26, 2, 12 },
        { 0, 0, 0, 0, 0, 0 },
 };
@@ -1372,6 +1372,7 @@ static struct tegra_clk_init_table init_table[] __initdata = {
        {TEGRA30_CLK_GR2D, TEGRA30_CLK_PLL_C, 300000000, 0},
        {TEGRA30_CLK_GR3D, TEGRA30_CLK_PLL_C, 300000000, 0},
        {TEGRA30_CLK_GR3D2, TEGRA30_CLK_PLL_C, 300000000, 0},
+        { TEGRA30_CLK_PLL_U, TEGRA30_CLK_CLK_MAX, 480000000, 0 },
        {TEGRA30_CLK_CLK_MAX, TEGRA30_CLK_CLK_MAX, 0, 0}, /* This MUST be the last entry. */
 };
diff --git a/drivers/clocksource/fsl_ftm_timer.c b/drivers/clocksource/fsl_ftm_timer.c
index 517e1c7624d4..a00209702f39 100644
--- a/drivers/clocksource/fsl_ftm_timer.c
+++ b/drivers/clocksource/fsl_ftm_timer.c
@@ -281,7 +281,7 @@ static int __init __ftm_clk_init(struct device_node *np, char *cnt_name,
 static unsigned long __init ftm_clk_init(struct device_node *np)
 {
-        unsigned long freq;
+        long freq;
        freq = __ftm_clk_init(np, "ftm-evt-counter-en", "ftm-evt");
        if (freq <= 0)
diff --git a/drivers/cpufreq/Kconfig b/drivers/cpufreq/Kconfig
index 659879a56dba..949610360b14 100644
--- a/drivers/cpufreq/Kconfig
+++ b/drivers/cpufreq/Kconfig
@@ -236,6 +236,7 @@ endif
 if MIPS
 config LOONGSON2_CPUFREQ
        tristate "Loongson2 CPUFreq Driver"
+        depends on LEMOTE_MACH2F
        help
          This option adds a CPUFreq driver for loongson processors which
          support software configurable cpu frequency.
@@ -248,6 +249,7 @@ config LOONGSON2_CPUFREQ
 config LOONGSON1_CPUFREQ
        tristate "Loongson1 CPUFreq Driver"
+        depends on LOONGSON1_LS1B
        help
          This option adds a CPUFreq driver for loongson1 processors which
          support software configurable cpu frequency.
diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
index 7c0bdfb1a2ca..0dcbf951ad1b 100644
--- a/drivers/cpufreq/cppc_cpufreq.c
+++ b/drivers/cpufreq/cppc_cpufreq.c
@@ -100,9 +100,19 @@ static int cppc_cpufreq_cpu_init(struct cpufreq_policy *policy)
        policy->cpuinfo.max_freq = policy->max;
        policy->shared_type = cpu->shared_type;
-        if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY)
+        if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) {
+                int i;
                cpumask_copy(policy->cpus, cpu->shared_cpu_map);
-        else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) {
+                for_each_cpu(i, policy->cpus) {
+                        if (unlikely(i == policy->cpu))
+                                continue;
+                        memcpy(&all_cpu_data[i]->perf_caps, &cpu->perf_caps,
+                               sizeof(cpu->perf_caps));
+                }
+        } else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) {
                /* Support only SW_ANY for now. */
                pr_debug("Unsupported CPU co-ord type\n");
                return -EFAULT;
@@ -166,8 +176,13 @@ static int __init cppc_cpufreq_init(void)
        return ret;
 out:
-        for_each_possible_cpu(i)
+        for_each_possible_cpu(i) {
-                kfree(all_cpu_data[i]);
+                cpu = all_cpu_data[i];
+                if (!cpu)
+                        break;
+                free_cpumask_var(cpu->shared_cpu_map);
+                kfree(cpu);
+        }
        kfree(all_cpu_data);
        return -ENODEV;
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index ebed319657e7..68b604ad8413 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -603,6 +603,8 @@ static ssize_t store_##file_name					\
        struct cpufreq_policy new_policy;                               \
                                                                        \
        memcpy(&new_policy, policy, sizeof(*policy));                   \
+        new_policy.min = policy->user_policy.min;                       \
+        new_policy.max = policy->user_policy.max;                       \
                                                                        \
        ret = sscanf(buf, "%u", &new_policy.object);                    \
        if (ret != 1)                                                   \
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index 7ff8b15a3422..88728d997088 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -1361,6 +1361,11 @@ static inline bool intel_pstate_platform_pwr_mgmt_exists(void) { return false; }
 static inline bool intel_pstate_has_acpi_ppc(void) { return false; }
 #endif /* CONFIG_ACPI */
+static const struct x86_cpu_id hwp_support_ids[] __initconst = {
+        { X86_VENDOR_INTEL, 6, X86_MODEL_ANY, X86_FEATURE_HWP },
+        {}
+};
 static int __init intel_pstate_init(void)
 {
        int cpu, rc = 0;
@@ -1370,17 +1375,16 @@ static int __init intel_pstate_init(void)
        if (no_load)
                return -ENODEV;
+        if (x86_match_cpu(hwp_support_ids) && !no_hwp) {
+                copy_cpu_funcs(&core_params.funcs);
+                hwp_active++;
+                goto hwp_cpu_matched;
+        }
        id = x86_match_cpu(intel_pstate_cpu_ids);
        if (!id)
                return -ENODEV;
-        /*
-         * The Intel pstate driver will be ignored if the platform
-         * firmware has its own power management modes.
-         */
-        if (intel_pstate_platform_pwr_mgmt_exists())
-                return -ENODEV;
        cpu_def = (struct cpu_defaults *)id->driver_data;
        copy_pid_params(&cpu_def->pid_policy);
@@ -1389,17 +1393,20 @@ static int __init intel_pstate_init(void)
        if (intel_pstate_msrs_not_valid())
                return -ENODEV;
+hwp_cpu_matched:
+        /*
+         * The Intel pstate driver will be ignored if the platform
+         * firmware has its own power management modes.
+         */
+        if (intel_pstate_platform_pwr_mgmt_exists())
+                return -ENODEV;
        pr_info("Intel P-state driver initializing.\n");
        all_cpu_data = vzalloc(sizeof(void *) * num_possible_cpus());
        if (!all_cpu_data)
                return -ENOMEM;
-        if (static_cpu_has_safe(X86_FEATURE_HWP) && !no_hwp) {
-                pr_info("intel_pstate: HWP enabled\n");
-                hwp_active++;
-        }
        if (!hwp_active && hwp_only)
                goto out;
@@ -1410,6 +1417,9 @@ static int __init intel_pstate_init(void)
        intel_pstate_debug_expose_params();
        intel_pstate_sysfs_expose_params();
+        if (hwp_active)
+                pr_info("intel_pstate: HWP enabled\n");
        return rc;
 out:
        get_online_cpus();
diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c
index c4b0ef65988c..57e6c45724e7 100644
--- a/drivers/cpufreq/powernv-cpufreq.c
+++ b/drivers/cpufreq/powernv-cpufreq.c
@@ -592,7 +592,7 @@ static int __init powernv_cpufreq_init(void)
        int rc = 0;
        /* Don't probe on pseries (guest) platforms */
-        if (!firmware_has_feature(FW_FEATURE_OPALv3))
+        if (!firmware_has_feature(FW_FEATURE_OPAL))
                return -ENODEV;
        /* Discover pstates from device tree and init */
diff --git a/drivers/cpufreq/s3c24xx-cpufreq.c b/drivers/cpufreq/s3c24xx-cpufreq.c
index 68ef8fd9482f..f5c4e009113c 100644
--- a/drivers/cpufreq/s3c24xx-cpufreq.c
+++ b/drivers/cpufreq/s3c24xx-cpufreq.c
@@ -364,7 +364,13 @@ struct clk *s3c_cpufreq_clk_get(struct device *dev, const char *name)
 static int s3c_cpufreq_init(struct cpufreq_policy *policy)
 {
        policy->clk = clk_arm;
-        return cpufreq_generic_init(policy, ftab, cpu_cur.info->latency);
+        policy->cpuinfo.transition_latency = cpu_cur.info->latency;
+        if (ftab)
+                return cpufreq_table_validate_and_show(policy, ftab);
+        return 0;
 }
 static int __init s3c_cpufreq_initclks(void)
diff --git a/drivers/cpufreq/sh-cpufreq.c b/drivers/cpufreq/sh-cpufreq.c
index 86628e22b2a3..719c3d9f07fb 100644
--- a/drivers/cpufreq/sh-cpufreq.c
+++ b/drivers/cpufreq/sh-cpufreq.c
@@ -30,54 +30,63 @@
 static DEFINE_PER_CPU(struct clk, sh_cpuclk);
+struct cpufreq_target {
+        struct cpufreq_policy   *policy;
+        unsigned int            freq;
+};
 static unsigned int sh_cpufreq_get(unsigned int cpu)
 {
        return (clk_get_rate(&per_cpu(sh_cpuclk, cpu)) + 500) / 1000;
 }
-/*
+static long __sh_cpufreq_target(void *arg)
- * Here we notify other drivers of the proposed change and the final change.
- */
-static int sh_cpufreq_target(struct cpufreq_policy *policy,
-                             unsigned int target_freq,
-                             unsigned int relation)
 {
-        unsigned int cpu = policy->cpu;
+        struct cpufreq_target *target = arg;
+        struct cpufreq_policy *policy = target->policy;
+        int cpu = policy->cpu;
        struct clk *cpuclk = &per_cpu(sh_cpuclk, cpu);
-        cpumask_t cpus_allowed;
        struct cpufreq_freqs freqs;
        struct device *dev;
        long freq;
-        cpus_allowed = current->cpus_allowed;
+        if (smp_processor_id() != cpu)
-        set_cpus_allowed_ptr(current, cpumask_of(cpu));
+                return -ENODEV;
-        BUG_ON(smp_processor_id() != cpu);
        dev = get_cpu_device(cpu);
        /* Convert target_freq from kHz to Hz */
-        freq = clk_round_rate(cpuclk, target_freq * 1000);
+        freq = clk_round_rate(cpuclk, target->freq * 1000);
        if (freq < (policy->min * 1000) || freq > (policy->max * 1000))
                return -EINVAL;
-        dev_dbg(dev, "requested frequency %u Hz\n", target_freq * 1000);
+        dev_dbg(dev, "requested frequency %u Hz\n", target->freq * 1000);
        freqs.old       = sh_cpufreq_get(cpu);
        freqs.new       = (freq + 500) / 1000;
        freqs.flags     = 0;
-        cpufreq_freq_transition_begin(policy, &freqs);
+        cpufreq_freq_transition_begin(target->policy, &freqs);
-        set_cpus_allowed_ptr(current, &cpus_allowed);
        clk_set_rate(cpuclk, freq);
-        cpufreq_freq_transition_end(policy, &freqs, 0);
+        cpufreq_freq_transition_end(target->policy, &freqs, 0);
        dev_dbg(dev, "set frequency %lu Hz\n", freq);
        return 0;
 }
+/*
+ * Here we notify other drivers of the proposed change and the final change.
+ */
+static int sh_cpufreq_target(struct cpufreq_policy *policy,
+                             unsigned int target_freq,
+                             unsigned int relation)
+{
+        struct cpufreq_target data = { .policy = policy, .freq = target_freq };
+        return work_on_cpu(policy->cpu, __sh_cpufreq_target, &data);
+}
 static int sh_cpufreq_verify(struct cpufreq_policy *policy)
 {
        struct clk *cpuclk = &per_cpu(sh_cpuclk, policy->cpu);
diff --git a/drivers/cpuidle/coupled.c b/drivers/cpuidle/coupled.c
index 344058f8501a..d5657d50ac40 100644
--- a/drivers/cpuidle/coupled.c
+++ b/drivers/cpuidle/coupled.c
@@ -119,7 +119,6 @@ struct cpuidle_coupled {
 #define CPUIDLE_COUPLED_NOT_IDLE        (-1)
-static DEFINE_MUTEX(cpuidle_coupled_lock);
 static DEFINE_PER_CPU(struct call_single_data, cpuidle_coupled_poke_cb);
 /*
diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c
index d5c5a476360f..44ebda8bbc84 100644
--- a/drivers/cpuidle/cpuidle-powernv.c
+++ b/drivers/cpuidle/cpuidle-powernv.c
@@ -29,9 +29,31 @@ struct cpuidle_driver powernv_idle_driver = {
 static int max_idle_state;
 static struct cpuidle_state *cpuidle_state_table;
-static u64 snooze_timeout;
+static u64 default_snooze_timeout;
 static bool snooze_timeout_en;
+static u64 get_snooze_timeout(struct cpuidle_device *dev,
+                              struct cpuidle_driver *drv,
+                              int index)
+{
+        int i;
+        if (unlikely(!snooze_timeout_en))
+                return default_snooze_timeout;
+        for (i = index + 1; i < drv->state_count; i++) {
+                struct cpuidle_state *s = &drv->states[i];
+                struct cpuidle_state_usage *su = &dev->states_usage[i];
+                if (s->disabled || su->disable)
+                        continue;
+                return s->target_residency * tb_ticks_per_usec;
+        }
+        return default_snooze_timeout;
+}
 static int snooze_loop(struct cpuidle_device *dev,
                        struct cpuidle_driver *drv,
                        int index)
@@ -41,7 +63,7 @@ static int snooze_loop(struct cpuidle_device *dev,
        local_irq_enable();
        set_thread_flag(TIF_POLLING_NRFLAG);
-        snooze_exit_time = get_tb() + snooze_timeout;
+        snooze_exit_time = get_tb() + get_snooze_timeout(dev, drv, index);
        ppc64_runlatch_off();
        while (!need_resched()) {
                HMT_low();
@@ -282,15 +304,13 @@ static int powernv_idle_probe(void)
        if (cpuidle_disable != IDLE_NO_OVERRIDE)
                return -ENODEV;
-        if (firmware_has_feature(FW_FEATURE_OPALv3)) {
+        if (firmware_has_feature(FW_FEATURE_OPAL)) {
                cpuidle_state_table = powernv_states;
                /* Device tree can indicate more idle states */
                max_idle_state = powernv_add_idle_states();
-                if (max_idle_state > 1) {
+                default_snooze_timeout = TICK_USEC * tb_ticks_per_usec;
+                if (max_idle_state > 1)
                        snooze_timeout_en = true;
-                        snooze_timeout = powernv_states[1].target_residency *
-                                         tb_ticks_per_usec;
-                }
        } else
                return -ENODEV;
diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c
index a5c111b67f37..ea11a33e7fff 100644
--- a/drivers/cpuidle/dt_idle_states.c
+++ b/drivers/cpuidle/dt_idle_states.c
@@ -174,8 +174,10 @@ int dt_init_idle_driver(struct cpuidle_driver *drv,
                if (!state_node)
                        break;
-                if (!of_device_is_available(state_node))
+                if (!of_device_is_available(state_node)) {
+                        of_node_put(state_node);
                        continue;
+                }
                if (!idle_state_valid(state_node, i, cpumask)) {
                        pr_warn("%s idle state not valid, bailing out\n",
diff --git a/drivers/crypto/amcc/crypto4xx_core.c b/drivers/crypto/amcc/crypto4xx_core.c
index 58a630e55d5d..78d0722feacb 100644
--- a/drivers/crypto/amcc/crypto4xx_core.c
+++ b/drivers/crypto/amcc/crypto4xx_core.c
@@ -207,7 +207,7 @@ static u32 crypto4xx_build_pdr(struct crypto4xx_device *dev)
                                  dev->pdr_pa);
                return -ENOMEM;
        }
-        memset(dev->pdr, 0,  sizeof(struct ce_pd) * PPC4XX_NUM_PD);
+        memset(dev->pdr, 0, sizeof(struct ce_pd) * PPC4XX_NUM_PD);
        dev->shadow_sa_pool = dma_alloc_coherent(dev->core_dev->device,
                                   256 * PPC4XX_NUM_PD,
                                   &dev->shadow_sa_pool_pa,
@@ -240,13 +240,15 @@ static u32 crypto4xx_build_pdr(struct crypto4xx_device *dev)
 static void crypto4xx_destroy_pdr(struct crypto4xx_device *dev)
 {
-        if (dev->pdr != NULL)
+        if (dev->pdr)
                dma_free_coherent(dev->core_dev->device,
                                  sizeof(struct ce_pd) * PPC4XX_NUM_PD,
                                  dev->pdr, dev->pdr_pa);
        if (dev->shadow_sa_pool)
                dma_free_coherent(dev->core_dev->device, 256 * PPC4XX_NUM_PD,
                                  dev->shadow_sa_pool, dev->shadow_sa_pool_pa);
        if (dev->shadow_sr_pool)
                dma_free_coherent(dev->core_dev->device,
                        sizeof(struct sa_state_record) * PPC4XX_NUM_PD,
@@ -416,12 +418,12 @@ static u32 crypto4xx_build_sdr(struct crypto4xx_device *dev)
 static void crypto4xx_destroy_sdr(struct crypto4xx_device *dev)
 {
-        if (dev->sdr != NULL)
+        if (dev->sdr)
                dma_free_coherent(dev->core_dev->device,
                                  sizeof(struct ce_sd) * PPC4XX_NUM_SD,
                                  dev->sdr, dev->sdr_pa);
-        if (dev->scatter_buffer_va != NULL)
+        if (dev->scatter_buffer_va)
                dma_free_coherent(dev->core_dev->device,
                                  dev->scatter_buffer_size * PPC4XX_NUM_SD,
                                  dev->scatter_buffer_va,
@@ -1029,12 +1031,10 @@ int crypto4xx_register_alg(struct crypto4xx_device *sec_dev,
                        break;
                }
-                if (rc) {
+                if (rc)
-                        list_del(&alg->entry);
                        kfree(alg);
-                } else {
+                else
                        list_add_tail(&alg->entry, &sec_dev->alg_list);
-                }
        }
        return 0;
@@ -1188,7 +1188,7 @@ static int crypto4xx_probe(struct platform_device *ofdev)
        rc = crypto4xx_build_gdr(core_dev->dev);
        if (rc)
-                goto err_build_gdr;
+                goto err_build_pdr;
        rc = crypto4xx_build_sdr(core_dev->dev);
        if (rc)
@@ -1230,12 +1230,11 @@ err_iomap:
 err_request_irq:
        irq_dispose_mapping(core_dev->irq);
        tasklet_kill(&core_dev->tasklet);
-        crypto4xx_destroy_sdr(core_dev->dev);
 err_build_sdr:
+        crypto4xx_destroy_sdr(core_dev->dev);
        crypto4xx_destroy_gdr(core_dev->dev);
-err_build_gdr:
-        crypto4xx_destroy_pdr(core_dev->dev);
 err_build_pdr:
+        crypto4xx_destroy_pdr(core_dev->dev);
        kfree(core_dev->dev);
 err_alloc_dev:
        kfree(core_dev);
diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c
index 53e61459c69f..ee87eb77095c 100644
--- a/drivers/crypto/caam/ctrl.c
+++ b/drivers/crypto/caam/ctrl.c
@@ -224,12 +224,16 @@ static int instantiate_rng(struct device *ctrldev, int state_handle_mask,
                 * without any error (HW optimizations for later
                 * CAAM eras), then try again.
                 */
+                if (ret)
+                        break;
                rdsta_val = rd_reg32(&ctrl->r4tst[0].rdsta) & RDSTA_IFMASK;
                if ((status && status != JRSTA_SSRC_JUMP_HALT_CC) ||
-                    !(rdsta_val & (1 << sh_idx)))
+                    !(rdsta_val & (1 << sh_idx))) {
                        ret = -EAGAIN;
-                if (ret)
                        break;
+                }
                dev_info(ctrldev, "Instantiated RNG4 SH%d\n", sh_idx);
                /* Clear the contents before recreating the descriptor */
                memset(desc, 0x00, CAAM_CMD_SZ * 7);
diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c
index da2d6777bd09..047ef69b7e65 100644
--- a/drivers/crypto/padlock-aes.c
+++ b/drivers/crypto/padlock-aes.c
@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key,
                return;
        }
+        count -= initial;
        if (initial)
                asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"       /* rep xcryptecb */
                              : "+S"(input), "+D"(output)
@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key,
        asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"       /* rep xcryptecb */
                      : "+S"(input), "+D"(output)
-                      : "d"(control_word), "b"(key), "c"(count - initial));
+                      : "d"(control_word), "b"(key), "c"(count));
 }
 static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
        if (count < cbc_fetch_blocks)
                return cbc_crypt(input, output, key, iv, control_word, count);
+        count -= initial;
        if (initial)
                asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"       /* rep xcryptcbc */
                              : "+S" (input), "+D" (output), "+a" (iv)
@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
        asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"       /* rep xcryptcbc */
                      : "+S" (input), "+D" (output), "+a" (iv)
-                      : "d" (control_word), "b" (key), "c" (count-initial));
+                      : "d" (control_word), "b" (key), "c" (count));
        return iv;
 }
@@ -515,7 +519,7 @@ static int __init padlock_init(void)
        if (!x86_match_cpu(padlock_cpu_id))
                return -ENODEV;
-        if (!cpu_has_xcrypt_enabled) {
+        if (!boot_cpu_has(X86_FEATURE_XCRYPT_EN)) {
                printk(KERN_NOTICE PFX "VIA PadLock detected, but not enabled. Hmm, strange...\n");
                return -ENODEV;
        }
diff --git a/drivers/crypto/padlock-sha.c b/drivers/crypto/padlock-sha.c
index 4e154c9b9206..8c5f90647b7a 100644
--- a/drivers/crypto/padlock-sha.c
+++ b/drivers/crypto/padlock-sha.c
@@ -540,7 +540,7 @@ static int __init padlock_init(void)
        struct shash_alg *sha1;
        struct shash_alg *sha256;
-        if (!x86_match_cpu(padlock_sha_ids) || !cpu_has_phe_enabled)
+        if (!x86_match_cpu(padlock_sha_ids) || !boot_cpu_has(X86_FEATURE_PHE_EN))
                return -ENODEV;
        /* Register the newly added algorithm module if on *
diff --git a/drivers/crypto/s5p-sss.c b/drivers/crypto/s5p-sss.c
index fd39893079d5..45ea8957a73a 100644
--- a/drivers/crypto/s5p-sss.c
+++ b/drivers/crypto/s5p-sss.c
@@ -401,16 +401,21 @@ static void s5p_aes_crypt_start(struct s5p_aes_dev *dev, unsigned long mode)
        uint32_t                    aes_control;
        int                         err;
        unsigned long               flags;
+        u8 *iv;
        aes_control = SSS_AES_KEY_CHANGE_MODE;
        if (mode & FLAGS_AES_DECRYPT)
                aes_control |= SSS_AES_MODE_DECRYPT;
-        if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CBC)
+        if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CBC) {
                aes_control |= SSS_AES_CHAIN_MODE_CBC;
-        else if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CTR)
+                iv = req->info;
+        } else if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CTR) {
                aes_control |= SSS_AES_CHAIN_MODE_CTR;
+                iv = req->info;
+        } else {
+                iv = NULL; /* AES_ECB */
+        }
        if (dev->ctx->keylen == AES_KEYSIZE_192)
                aes_control |= SSS_AES_KEY_SIZE_192;
        else if (dev->ctx->keylen == AES_KEYSIZE_256)
@@ -440,7 +445,7 @@ static void s5p_aes_crypt_start(struct s5p_aes_dev *dev, unsigned long mode)
                goto outdata_error;
        SSS_AES_WRITE(dev, AES_CONTROL, aes_control);
-        s5p_set_aes(dev, dev->ctx->aes_key, req->info, dev->ctx->keylen);
+        s5p_set_aes(dev, dev->ctx->aes_key, iv, dev->ctx->keylen);
        s5p_set_dma_indata(dev,  req->src);
        s5p_set_dma_outdata(dev, req->dst);
diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-core.c b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
index 107cd2a41cae..24651d3217cd 100644
--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c
+++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
@@ -422,6 +422,7 @@ static struct platform_driver sun4i_ss_driver = {
 module_platform_driver(sun4i_ss_driver);
+MODULE_ALIAS("platform:sun4i-ss");
 MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator");
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Corentin LABBE <clabbe.montjoie@gmail.com>");
diff --git a/drivers/crypto/vmx/aes.c b/drivers/crypto/vmx/aes.c
index 263af709e536..b907e4b1bbe2 100644
--- a/drivers/crypto/vmx/aes.c
+++ b/drivers/crypto/vmx/aes.c
@@ -53,8 +53,6 @@ static int p8_aes_init(struct crypto_tfm *tfm)
                       alg, PTR_ERR(fallback));
                return PTR_ERR(fallback);
        }
-        printk(KERN_INFO "Using '%s' as fallback implementation.\n",
-               crypto_tfm_alg_driver_name((struct crypto_tfm *) fallback));
        crypto_cipher_set_flags(fallback,
                                crypto_cipher_get_flags((struct
diff --git a/drivers/crypto/vmx/aes_cbc.c b/drivers/crypto/vmx/aes_cbc.c
index 3f8bb9a40df1..9506e8693c81 100644
--- a/drivers/crypto/vmx/aes_cbc.c
+++ b/drivers/crypto/vmx/aes_cbc.c
@@ -55,8 +55,6 @@ static int p8_aes_cbc_init(struct crypto_tfm *tfm)
                       alg, PTR_ERR(fallback));
                return PTR_ERR(fallback);
        }
-        printk(KERN_INFO "Using '%s' as fallback implementation.\n",
-               crypto_tfm_alg_driver_name((struct crypto_tfm *) fallback));
        crypto_blkcipher_set_flags(
                fallback,
diff --git a/drivers/crypto/vmx/aes_ctr.c b/drivers/crypto/vmx/aes_ctr.c
index d83ab4bac8b1..7d070201b3d3 100644
--- a/drivers/crypto/vmx/aes_ctr.c
+++ b/drivers/crypto/vmx/aes_ctr.c
@@ -53,8 +53,6 @@ static int p8_aes_ctr_init(struct crypto_tfm *tfm)
                       alg, PTR_ERR(fallback));
                return PTR_ERR(fallback);
        }
-        printk(KERN_INFO "Using '%s' as fallback implementation.\n",
-               crypto_tfm_alg_driver_name((struct crypto_tfm *) fallback));
        crypto_blkcipher_set_flags(
                fallback,
diff --git a/drivers/crypto/vmx/ghash.c b/drivers/crypto/vmx/ghash.c
index 9cb3a0b715e2..84b9389bf1ed 100644
--- a/drivers/crypto/vmx/ghash.c
+++ b/drivers/crypto/vmx/ghash.c
@@ -64,8 +64,6 @@ static int p8_ghash_init_tfm(struct crypto_tfm *tfm)
                       alg, PTR_ERR(fallback));
                return PTR_ERR(fallback);
        }
-        printk(KERN_INFO "Using '%s' as fallback implementation.\n",
-               crypto_tfm_alg_driver_name(crypto_shash_tfm(fallback)));
        crypto_shash_set_flags(fallback,
                               crypto_shash_get_flags((struct crypto_shash
diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index ca848cc6a8fd..4f6fc1cfd7da 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -583,7 +583,7 @@ struct devfreq *devm_devfreq_add_device(struct device *dev,
        devfreq = devfreq_add_device(dev, profile, governor_name, data);
        if (IS_ERR(devfreq)) {
                devres_free(ptr);
-                return ERR_PTR(-ENOMEM);
+                return devfreq;
        }
        *ptr = devfreq;
diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
index 53d22eb73b56..be26f625bb3e 100644
--- a/drivers/dma/at_hdmac.c
+++ b/drivers/dma/at_hdmac.c
@@ -716,7 +716,7 @@ atc_prep_dma_interleaved(struct dma_chan *chan,
                         unsigned long flags)
 {
        struct at_dma_chan      *atchan = to_at_dma_chan(chan);
-        struct data_chunk       *first = xt->sgl;
+        struct data_chunk       *first;
        struct at_desc          *desc = NULL;
        size_t                  xfer_count;
        unsigned int            dwidth;
@@ -728,6 +728,8 @@ atc_prep_dma_interleaved(struct dma_chan *chan,
        if (unlikely(!xt || xt->numf != 1 || !xt->frame_size))
                return NULL;
+        first = xt->sgl;
        dev_info(chan2dev(chan),
                 "%s: src=%pad, dest=%pad, numf=%d, frame_size=%d, flags=0x%lx\n",
                __func__, &xt->src_start, &xt->dst_start, xt->numf,
diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
index 66c073fc8afc..82a7c89caae2 100644
--- a/drivers/dma/at_xdmac.c
+++ b/drivers/dma/at_xdmac.c
@@ -1473,10 +1473,10 @@ at_xdmac_tx_status(struct dma_chan *chan, dma_cookie_t cookie,
        for (retry = 0; retry < AT_XDMAC_RESIDUE_MAX_RETRIES; retry++) {
                check_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
                rmb();
-                initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
-                rmb();
                cur_ubc = at_xdmac_chan_read(atchan, AT_XDMAC_CUBC);
                rmb();
+                initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
+                rmb();
                cur_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
                rmb();
diff --git a/drivers/dma/dma-jz4740.c b/drivers/dma/dma-jz4740.c
index 7638b24ce8d0..35fc58f4bf4b 100644
--- a/drivers/dma/dma-jz4740.c
+++ b/drivers/dma/dma-jz4740.c
@@ -557,7 +557,7 @@ static int jz4740_dma_probe(struct platform_device *pdev)
        ret = dma_async_device_register(dd);
        if (ret)
-                return ret;
+                goto err_clk;
        irq = platform_get_irq(pdev, 0);
        ret = request_irq(irq, jz4740_dma_irq, 0, dev_name(&pdev->dev), dmadev);
@@ -570,6 +570,8 @@ static int jz4740_dma_probe(struct platform_device *pdev)
 err_unregister:
        dma_async_device_unregister(dd);
+err_clk:
+        clk_disable_unprepare(dmadev->clk);
        return ret;
 }
diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
index 7254c20007f8..6796eb1a8a4c 100644
--- a/drivers/dma/dmatest.c
+++ b/drivers/dma/dmatest.c
@@ -329,7 +329,7 @@ static void dmatest_callback(void *arg)
 {
        struct dmatest_done *done = arg;
        struct dmatest_thread *thread =
-                container_of(arg, struct dmatest_thread, done_wait);
+                container_of(done, struct dmatest_thread, test_done);
        if (!thread->done) {
                done->done = true;
                wake_up_all(done->wait);
diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
index 0f6fd42f55ca..48d4dddf4941 100644
--- a/drivers/dma/imx-sdma.c
+++ b/drivers/dma/imx-sdma.c
@@ -911,6 +911,21 @@ static int sdma_disable_channel(struct dma_chan *chan)
        return 0;
 }
+static int sdma_disable_channel_with_delay(struct dma_chan *chan)
+{
+        sdma_disable_channel(chan);
+        /*
+         * According to NXP R&D team a delay of one BD SDMA cost time
+         * (maximum is 1ms) should be added after disable of the channel
+         * bit, to ensure SDMA core has really been stopped after SDMA
+         * clients call .device_terminate_all.
+         */
+        mdelay(1);
+        return 0;
+}
 static void sdma_set_watermarklevel_for_p2p(struct sdma_channel *sdmac)
 {
        struct sdma_engine *sdma = sdmac->sdma;
@@ -1707,17 +1722,24 @@ static int sdma_probe(struct platform_device *pdev)
        if (IS_ERR(sdma->clk_ahb))
                return PTR_ERR(sdma->clk_ahb);
-        clk_prepare(sdma->clk_ipg);
+        ret = clk_prepare(sdma->clk_ipg);
-        clk_prepare(sdma->clk_ahb);
+        if (ret)
+                return ret;
+        ret = clk_prepare(sdma->clk_ahb);
+        if (ret)
+                goto err_clk;
        ret = devm_request_irq(&pdev->dev, irq, sdma_int_handler, 0, "sdma",
                               sdma);
        if (ret)
-                return ret;
+                goto err_irq;
        sdma->script_addrs = kzalloc(sizeof(*sdma->script_addrs), GFP_KERNEL);
-        if (!sdma->script_addrs)
+        if (!sdma->script_addrs) {
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto err_irq;
+        }
        /* initially no scripts available */
        saddr_arr = (s32 *)sdma->script_addrs;
@@ -1793,7 +1815,7 @@ static int sdma_probe(struct platform_device *pdev)
        sdma->dma_device.device_prep_slave_sg = sdma_prep_slave_sg;
        sdma->dma_device.device_prep_dma_cyclic = sdma_prep_dma_cyclic;
        sdma->dma_device.device_config = sdma_config;
-        sdma->dma_device.device_terminate_all = sdma_disable_channel;
+        sdma->dma_device.device_terminate_all = sdma_disable_channel_with_delay;
        sdma->dma_device.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
        sdma->dma_device.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
        sdma->dma_device.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
@@ -1832,6 +1854,10 @@ err_register:
        dma_async_device_unregister(&sdma->dma_device);
 err_init:
        kfree(sdma->script_addrs);
+err_irq:
+        clk_unprepare(sdma->clk_ahb);
+err_clk:
+        clk_unprepare(sdma->clk_ipg);
        return ret;
 }
@@ -1842,6 +1868,8 @@ static int sdma_remove(struct platform_device *pdev)
        dma_async_device_unregister(&sdma->dma_device);
        kfree(sdma->script_addrs);
+        clk_unprepare(sdma->clk_ahb);
+        clk_unprepare(sdma->clk_ipg);
        /* Kill the tasklet */
        for (i = 0; i < MAX_DMA_CHANNELS; i++) {
                struct sdma_channel *sdmac = &sdma->channel[i];
diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
index abb75ebd65ea..ac8c28968422 100644
--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -395,7 +395,7 @@ static int ioat_dma_self_test(struct ioatdma_device *ioat_dma)
        if (memcmp(src, dest, IOAT_TEST_SIZE)) {
                dev_err(dev, "Self-test copy failed compare, disabling\n");
                err = -ENODEV;
-                goto free_resources;
+                goto unmap_dma;
        }
 unmap_dma:
diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
index 66d84bcf9bbf..8db791ef2027 100644
--- a/drivers/dma/pl330.c
+++ b/drivers/dma/pl330.c
@@ -1533,7 +1533,7 @@ static void pl330_dotask(unsigned long data)
 /* Returns 1 if state was updated, 0 otherwise */
 static int pl330_update(struct pl330_dmac *pl330)
 {
-        struct dma_pl330_desc *descdone, *tmp;
+        struct dma_pl330_desc *descdone;
        unsigned long flags;
        void __iomem *regs;
        u32 val;
@@ -1611,7 +1611,9 @@ static int pl330_update(struct pl330_dmac *pl330)
        }
        /* Now that we are in no hurry, do the callbacks */
-        list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) {
+        while (!list_empty(&pl330->req_done)) {
+                descdone = list_first_entry(&pl330->req_done,
+                                            struct dma_pl330_desc, rqd);
                list_del(&descdone->rqd);
                spin_unlock_irqrestore(&pl330->lock, flags);
                dma_pl330_rqcb(descdone, PL330_ERR_NONE);
diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c
index 55f5d33f6dc7..4251e9ac0373 100644
--- a/drivers/dma/pxa_dma.c
+++ b/drivers/dma/pxa_dma.c
@@ -1321,7 +1321,7 @@ static int pxad_init_phys(struct platform_device *op,
        return 0;
 }
-static const struct of_device_id const pxad_dt_ids[] = {
+static const struct of_device_id pxad_dt_ids[] = {
        { .compatible = "marvell,pdma-1.0", },
        {}
 };
diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
index 7820d07e7bee..2b36d1c63aa5 100644
--- a/drivers/dma/sh/rcar-dmac.c
+++ b/drivers/dma/sh/rcar-dmac.c
@@ -851,7 +851,7 @@ rcar_dmac_chan_prep_sg(struct rcar_dmac_chan *chan, struct scatterlist *sgl,
        rcar_dmac_chan_configure_desc(chan, desc);
-        max_chunk_size = (RCAR_DMATCR_MASK + 1) << desc->xfer_shift;
+        max_chunk_size = RCAR_DMATCR_MASK << desc->xfer_shift;
        /*
         * Allocate and fill the transfer chunk descriptors. We own the only
diff --git a/drivers/dma/sh/usb-dmac.c b/drivers/dma/sh/usb-dmac.c
index 56410ea75ac5..6682b3eec2b6 100644
--- a/drivers/dma/sh/usb-dmac.c
+++ b/drivers/dma/sh/usb-dmac.c
@@ -448,7 +448,7 @@ usb_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
 static int usb_dmac_chan_terminate_all(struct dma_chan *chan)
 {
        struct usb_dmac_chan *uchan = to_usb_dmac_chan(chan);
-        struct usb_dmac_desc *desc;
+        struct usb_dmac_desc *desc, *_desc;
        unsigned long flags;
        LIST_HEAD(head);
        LIST_HEAD(list);
@@ -459,7 +459,7 @@ static int usb_dmac_chan_terminate_all(struct dma_chan *chan)
        if (uchan->desc)
                uchan->desc = NULL;
        list_splice_init(&uchan->desc_got, &list);
-        list_for_each_entry(desc, &list, node)
+        list_for_each_entry_safe(desc, _desc, &list, node)
                list_move_tail(&desc->node, &uchan->desc_freed);
        spin_unlock_irqrestore(&uchan->vc.lock, flags);
        vchan_dma_desc_free_list(&uchan->vc, &head);
diff --git a/drivers/dma/ti-dma-crossbar.c b/drivers/dma/ti-dma-crossbar.c
index c0d1e5e423db..9a6b07f68951 100644
--- a/drivers/dma/ti-dma-crossbar.c
+++ b/drivers/dma/ti-dma-crossbar.c
@@ -50,7 +50,15 @@ struct ti_am335x_xbar_map {
 static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u8 val)
 {
-        writeb_relaxed(val, iomem + event);
+        /*
+         * TPCC_EVT_MUX_60_63 register layout is different than the
+         * rest, in the sense, that event 63 is mapped to lowest byte
+         * and event 60 is mapped to highest, handle it separately.
+         */
+        if (event >= 60 && event <= 63)
+                writeb_relaxed(val, iomem + (63 - event % 4));
+        else
+                writeb_relaxed(val, iomem + event);
 }
 static void ti_am335x_xbar_free(struct device *dev, void *route_data)
diff --git a/drivers/dma/zx296702_dma.c b/drivers/dma/zx296702_dma.c
index 6059d81e701a..8e55403847b2 100644
--- a/drivers/dma/zx296702_dma.c
+++ b/drivers/dma/zx296702_dma.c
@@ -26,7 +26,7 @@
 #define DRIVER_NAME             "zx-dma"
 #define DMA_ALIGN               4
-#define DMA_MAX_SIZE            (0x10000 - PAGE_SIZE)
+#define DMA_MAX_SIZE            (0x10000 - 512)
 #define LLI_BLOCK_SIZE          (4 * PAGE_SIZE)
 #define REG_ZX_SRC_ADDR                 0x00
diff --git a/drivers/edac/mv64x60_edac.c b/drivers/edac/mv64x60_edac.c
index 0574e1bbe45c..3ce5609b4611 100644
--- a/drivers/edac/mv64x60_edac.c
+++ b/drivers/edac/mv64x60_edac.c
@@ -763,7 +763,7 @@ static int mv64x60_mc_err_probe(struct platform_device *pdev)
                /* Non-ECC RAM? */
                printk(KERN_WARNING "%s: No ECC DIMMs discovered\n", __func__);
                res = -ENODEV;
-                goto err2;
+                goto err;
        }
        edac_dbg(3, "init mci\n");
diff --git a/drivers/edac/octeon_edac-lmc.c b/drivers/edac/octeon_edac-lmc.c
index cda6dab5067a..6b65a102b49d 100644
--- a/drivers/edac/octeon_edac-lmc.c
+++ b/drivers/edac/octeon_edac-lmc.c
@@ -79,6 +79,7 @@ static void octeon_lmc_edac_poll_o2(struct mem_ctl_info *mci)
        if (!pvt->inject)
                int_reg.u64 = cvmx_read_csr(CVMX_LMCX_INT(mci->mc_idx));
        else {
+                int_reg.u64 = 0;
                if (pvt->error_type == 1)
                        int_reg.s.sec_err = 1;
                if (pvt->error_type == 2)
diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
index c2f5117fd8cb..5545a7f3a98f 100644
--- a/drivers/firewire/ohci.c
+++ b/drivers/firewire/ohci.c
@@ -1130,7 +1130,13 @@ static int context_add_buffer(struct context *ctx)
                return -ENOMEM;
        offset = (void *)&desc->buffer - (void *)desc;
-        desc->buffer_size = PAGE_SIZE - offset;
+        /*
+         * Some controllers, like JMicron ones, always issue 0x20-byte DMA reads
+         * for descriptors, even 0x10-byte ones. This can cause page faults when
+         * an IOMMU is in use and the oversized read crosses a page boundary.
+         * Work around this by always leaving at least 0x10 bytes of padding.
+         */
+        desc->buffer_size = PAGE_SIZE - offset - 0x10;
        desc->buffer_bus = bus_addr + offset;
        desc->used = 0;
diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
index 0e08e665f715..053a23a7be94 100644
--- a/drivers/firmware/dmi_scan.c
+++ b/drivers/firmware/dmi_scan.c
@@ -18,7 +18,7 @@ EXPORT_SYMBOL_GPL(dmi_kobj);
 * of and an antecedent to, SMBIOS, which stands for System
 * Management BIOS.  See further: http://www.dmtf.org/standards
 */
-static const char dmi_empty_string[] = "        ";
+static const char dmi_empty_string[] = "";
 static u32 dmi_ver __initdata;
 static u32 dmi_len;
@@ -44,25 +44,21 @@ static int dmi_memdev_nr;
 static const char * __init dmi_string_nosave(const struct dmi_header *dm, u8 s)
 {
        const u8 *bp = ((u8 *) dm) + dm->length;
+        const u8 *nsp;
        if (s) {
-                s--;
+                while (--s > 0 && *bp)
-                while (s > 0 && *bp) {
                        bp += strlen(bp) + 1;
-                        s--;
-                }
-                if (*bp != 0) {
-                        size_t len = strlen(bp)+1;
-                        size_t cmp_len = len > 8 ? 8 : len;
-                        if (!memcmp(bp, dmi_empty_string, cmp_len))
+                /* Strings containing only spaces are considered empty */
-                                return dmi_empty_string;
+                nsp = bp;
+                while (*nsp == ' ')
+                        nsp++;
+                if (*nsp != '\0')
                        return bp;
-                }
        }
-        return "";
+        return dmi_empty_string;
 }
 static const char * __init dmi_string(const struct dmi_header *dm, u8 s)
diff --git a/drivers/gpio/gpio-ath79.c b/drivers/gpio/gpio-ath79.c
index 5eaea8b812cf..089a78983b39 100644
--- a/drivers/gpio/gpio-ath79.c
+++ b/drivers/gpio/gpio-ath79.c
@@ -203,3 +203,6 @@ static struct platform_driver ath79_gpio_driver = {
 };
 module_platform_driver(ath79_gpio_driver);
+MODULE_DESCRIPTION("Atheros AR71XX/AR724X/AR913X GPIO API support");
+MODULE_LICENSE("GPL v2");
diff --git a/drivers/gpio/gpio-intel-mid.c b/drivers/gpio/gpio-intel-mid.c
index c50e930d97d3..297121acc57d 100644
--- a/drivers/gpio/gpio-intel-mid.c
+++ b/drivers/gpio/gpio-intel-mid.c
@@ -326,7 +326,7 @@ static void intel_mid_irq_init_hw(struct intel_mid_gpio *priv)
        }
 }
-static int intel_gpio_runtime_idle(struct device *dev)
+static int __maybe_unused intel_gpio_runtime_idle(struct device *dev)
 {
        int err = pm_schedule_suspend(dev, 500);
        return err ?: -EBUSY;
diff --git a/drivers/gpio/gpio-iop.c b/drivers/gpio/gpio-iop.c
index 2ed0237a8baf..304e68633d29 100644
--- a/drivers/gpio/gpio-iop.c
+++ b/drivers/gpio/gpio-iop.c
@@ -129,3 +129,7 @@ static int __init iop3xx_gpio_init(void)
        return platform_driver_register(&iop3xx_gpio_driver);
 }
 arch_initcall(iop3xx_gpio_init);
+MODULE_DESCRIPTION("GPIO handling for Intel IOP3xx processors");
+MODULE_AUTHOR("Lennert Buytenhek <buytenh@wantstofly.org>");
+MODULE_LICENSE("GPL");
diff --git a/drivers/gpio/gpio-rcar.c b/drivers/gpio/gpio-rcar.c
index 2a8122444614..9ba4aaa9f755 100644
--- a/drivers/gpio/gpio-rcar.c
+++ b/drivers/gpio/gpio-rcar.c
@@ -200,6 +200,48 @@ static int gpio_rcar_irq_set_wake(struct irq_data *d, unsigned int on)
        return 0;
 }
+static void gpio_rcar_irq_bus_lock(struct irq_data *d)
+{
+        struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+        struct gpio_rcar_priv *p = container_of(gc, struct gpio_rcar_priv,
+                                                gpio_chip);
+        pm_runtime_get_sync(&p->pdev->dev);
+}
+static void gpio_rcar_irq_bus_sync_unlock(struct irq_data *d)
+{
+        struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+        struct gpio_rcar_priv *p = container_of(gc, struct gpio_rcar_priv,
+                                                gpio_chip);
+        pm_runtime_put(&p->pdev->dev);
+}
+static int gpio_rcar_irq_request_resources(struct irq_data *d)
+{
+        struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+        struct gpio_rcar_priv *p = container_of(gc, struct gpio_rcar_priv,
+                                                gpio_chip);
+        int error;
+        error = pm_runtime_get_sync(&p->pdev->dev);
+        if (error < 0)
+                return error;
+        return 0;
+}
+static void gpio_rcar_irq_release_resources(struct irq_data *d)
+{
+        struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+        struct gpio_rcar_priv *p = container_of(gc, struct gpio_rcar_priv,
+                                                gpio_chip);
+        pm_runtime_put(&p->pdev->dev);
+}
 static irqreturn_t gpio_rcar_irq_handler(int irq, void *dev_id)
 {
        struct gpio_rcar_priv *p = dev_id;
@@ -460,6 +502,10 @@ static int gpio_rcar_probe(struct platform_device *pdev)
        irq_chip->irq_unmask = gpio_rcar_irq_enable;
        irq_chip->irq_set_type = gpio_rcar_irq_set_type;
        irq_chip->irq_set_wake = gpio_rcar_irq_set_wake;
+        irq_chip->irq_bus_lock = gpio_rcar_irq_bus_lock;
+        irq_chip->irq_bus_sync_unlock = gpio_rcar_irq_bus_sync_unlock;
+        irq_chip->irq_request_resources = gpio_rcar_irq_request_resources;
+        irq_chip->irq_release_resources = gpio_rcar_irq_release_resources;
        irq_chip->flags = IRQCHIP_SET_TYPE_MASKED | IRQCHIP_MASK_ON_SUSPEND;
        ret = gpiochip_add(gpio_chip);
diff --git a/drivers/gpio/gpio-xgene.c b/drivers/gpio/gpio-xgene.c
index 18a8182d4fec..7f1f32324504 100644
--- a/drivers/gpio/gpio-xgene.c
+++ b/drivers/gpio/gpio-xgene.c
@@ -42,9 +42,7 @@ struct xgene_gpio {
        struct gpio_chip        chip;
        void __iomem            *base;
        spinlock_t              lock;
-#ifdef CONFIG_PM
        u32                     set_dr_val[XGENE_MAX_GPIO_BANKS];
-#endif
 };
 static inline struct xgene_gpio *to_xgene_gpio(struct gpio_chip *chip)
@@ -132,8 +130,7 @@ static int xgene_gpio_dir_out(struct gpio_chip *gc,
        return 0;
 }
-#ifdef CONFIG_PM
+static __maybe_unused int xgene_gpio_suspend(struct device *dev)
-static int xgene_gpio_suspend(struct device *dev)
 {
        struct xgene_gpio *gpio = dev_get_drvdata(dev);
        unsigned long bank_offset;
@@ -146,7 +143,7 @@ static int xgene_gpio_suspend(struct device *dev)
        return 0;
 }
-static int xgene_gpio_resume(struct device *dev)
+static __maybe_unused int xgene_gpio_resume(struct device *dev)
 {
        struct xgene_gpio *gpio = dev_get_drvdata(dev);
        unsigned long bank_offset;
@@ -160,10 +157,6 @@ static int xgene_gpio_resume(struct device *dev)
 }
 static SIMPLE_DEV_PM_OPS(xgene_gpio_pm, xgene_gpio_suspend, xgene_gpio_resume);
-#define XGENE_GPIO_PM_OPS       (&xgene_gpio_pm)
-#else
-#define XGENE_GPIO_PM_OPS       NULL
-#endif
 static int xgene_gpio_probe(struct platform_device *pdev)
 {
@@ -230,7 +223,7 @@ static struct platform_driver xgene_gpio_driver = {
        .driver = {
                .name = "xgene-gpio",
                .of_match_table = xgene_gpio_of_match,
-                .pm     = XGENE_GPIO_PM_OPS,
+                .pm     = &xgene_gpio_pm,
        },
        .probe = xgene_gpio_probe,
        .remove = xgene_gpio_remove,
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 06d345b087f8..fe89fd56eabf 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -2117,6 +2117,8 @@ struct gpio_desc *__must_check gpiod_get_index(struct device *dev,
        struct gpio_desc *desc = NULL;
        int status;
        enum gpio_lookup_flags lookupflags = 0;
+        /* Maybe we have a device name, maybe not */
+        const char *devname = dev ? dev_name(dev) : "?";
        dev_dbg(dev, "GPIO lookup for consumer %s\n", con_id);
@@ -2145,7 +2147,11 @@ struct gpio_desc *__must_check gpiod_get_index(struct device *dev,
                return desc;
        }
-        status = gpiod_request(desc, con_id);
+        /*
+         * If a connection label was passed use that, else attempt to use
+         * the device name as label
+         */
+        status = gpiod_request(desc, con_id ? con_id : devname);
        if (status < 0)
                return ERR_PTR(status);
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
index a142d5ae148d..5c40d6d710af 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
@@ -585,6 +585,9 @@ int amdgpu_acpi_pcie_performance_request(struct amdgpu_device *adev,
        size_t size;
        u32 retry = 3;
+        if (amdgpu_acpi_pcie_notify_device_ready(adev))
+                return -EINVAL;
        /* Get the device handle */
        handle = ACPI_HANDLE(&adev->pdev->dev);
        if (!handle)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
index 0e1376317683..b233cf8436b0 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v7.c
@@ -367,29 +367,50 @@ static int kgd_hqd_sdma_load(struct kgd_dev *kgd, void *mqd)
 {
        struct amdgpu_device *adev = get_amdgpu_device(kgd);
        struct cik_sdma_rlc_registers *m;
+        unsigned long end_jiffies;
        uint32_t sdma_base_addr;
+        uint32_t data;
        m = get_sdma_mqd(mqd);
        sdma_base_addr = get_sdma_base_addr(m);
-        WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR,
+        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
-                        m->sdma_rlc_virtual_addr);
+                m->sdma_rlc_rb_cntl & (~SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK));
-        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE,
+        end_jiffies = msecs_to_jiffies(2000) + jiffies;
-                        m->sdma_rlc_rb_base);
+        while (true) {
+                data = RREG32(sdma_base_addr + mmSDMA0_RLC0_CONTEXT_STATUS);
+                if (data & SDMA0_RLC0_CONTEXT_STATUS__IDLE_MASK)
+                        break;
+                if (time_after(jiffies, end_jiffies))
+                        return -ETIME;
+                usleep_range(500, 1000);
+        }
+        if (m->sdma_engine_id) {
+                data = RREG32(mmSDMA1_GFX_CONTEXT_CNTL);
+                data = REG_SET_FIELD(data, SDMA1_GFX_CONTEXT_CNTL,
+                                RESUME_CTX, 0);
+                WREG32(mmSDMA1_GFX_CONTEXT_CNTL, data);
+        } else {
+                data = RREG32(mmSDMA0_GFX_CONTEXT_CNTL);
+                data = REG_SET_FIELD(data, SDMA0_GFX_CONTEXT_CNTL,
+                                RESUME_CTX, 0);
+                WREG32(mmSDMA0_GFX_CONTEXT_CNTL, data);
+        }
+        WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL,
+                                m->sdma_rlc_doorbell);
+        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0);
+        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0);
+        WREG32(sdma_base_addr + mmSDMA0_RLC0_VIRTUAL_ADDR,
+                                m->sdma_rlc_virtual_addr);
+        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, m->sdma_rlc_rb_base);
        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE_HI,
                        m->sdma_rlc_rb_base_hi);
        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_LO,
                        m->sdma_rlc_rb_rptr_addr_lo);
        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR_ADDR_HI,
                        m->sdma_rlc_rb_rptr_addr_hi);
-        WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL,
-                        m->sdma_rlc_doorbell);
        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
                        m->sdma_rlc_rb_cntl);
@@ -492,9 +513,9 @@ static int kgd_hqd_sdma_destroy(struct kgd_dev *kgd, void *mqd,
        }
        WREG32(sdma_base_addr + mmSDMA0_RLC0_DOORBELL, 0);
-        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_RPTR, 0);
+        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL,
-        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_WPTR, 0);
+                RREG32(sdma_base_addr + mmSDMA0_RLC0_RB_CNTL) |
-        WREG32(sdma_base_addr + mmSDMA0_RLC0_RB_BASE, 0);
+                SDMA0_RLC0_RB_CNTL__RB_ENABLE_MASK);
        return 0;
 }
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
index 930083336968..1f0e6ede120c 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
@@ -69,25 +69,18 @@ void amdgpu_connector_hotplug(struct drm_connector *connector)
                /* don't do anything if sink is not display port, i.e.,
                 * passive dp->(dvi|hdmi) adaptor
                 */
-                if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT) {
+                if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT &&
-                        int saved_dpms = connector->dpms;
+                    amdgpu_display_hpd_sense(adev, amdgpu_connector->hpd.hpd) &&
-                        /* Only turn off the display if it's physically disconnected */
+                    amdgpu_atombios_dp_needs_link_train(amdgpu_connector)) {
-                        if (!amdgpu_display_hpd_sense(adev, amdgpu_connector->hpd.hpd)) {
+                        /* Don't start link training before we have the DPCD */
-                                drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
+                        if (amdgpu_atombios_dp_get_dpcd(amdgpu_connector))
-                        } else if (amdgpu_atombios_dp_needs_link_train(amdgpu_connector)) {
+                                return;
-                                /* Don't try to start link training before we
-                                 * have the dpcd */
+                        /* Turn the connector off and back on immediately, which
-                                if (amdgpu_atombios_dp_get_dpcd(amdgpu_connector))
+                         * will trigger link training
-                                        return;
+                         */
+                        drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
-                                /* set it to OFF so that drm_helper_connector_dpms()
+                        drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
-                                 * won't return immediately since the current state
-                                 * is ON at this point.
-                                 */
-                                connector->dpms = DRM_MODE_DPMS_OFF;
-                                drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
-                        }
-                        connector->dpms = saved_dpms;
                }
        }
 }
@@ -739,9 +732,11 @@ amdgpu_connector_lvds_detect(struct drm_connector *connector, bool force)
        enum drm_connector_status ret = connector_status_disconnected;
        int r;
-        r = pm_runtime_get_sync(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        if (r < 0)
+                r = pm_runtime_get_sync(connector->dev->dev);
-                return connector_status_disconnected;
+                if (r < 0)
+                        return connector_status_disconnected;
+        }
        if (encoder) {
                struct amdgpu_encoder *amdgpu_encoder = to_amdgpu_encoder(encoder);
@@ -760,8 +755,12 @@ amdgpu_connector_lvds_detect(struct drm_connector *connector, bool force)
        /* check acpi lid status ??? */
        amdgpu_connector_update_scratch_regs(connector, ret);
-        pm_runtime_mark_last_busy(connector->dev->dev);
-        pm_runtime_put_autosuspend(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return ret;
 }
@@ -862,9 +861,11 @@ amdgpu_connector_vga_detect(struct drm_connector *connector, bool force)
        enum drm_connector_status ret = connector_status_disconnected;
        int r;
-        r = pm_runtime_get_sync(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        if (r < 0)
+                r = pm_runtime_get_sync(connector->dev->dev);
-                return connector_status_disconnected;
+                if (r < 0)
+                        return connector_status_disconnected;
+        }
        encoder = amdgpu_connector_best_single_encoder(connector);
        if (!encoder)
@@ -918,8 +919,10 @@ amdgpu_connector_vga_detect(struct drm_connector *connector, bool force)
        amdgpu_connector_update_scratch_regs(connector, ret);
 out:
-        pm_runtime_mark_last_busy(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        pm_runtime_put_autosuspend(connector->dev->dev);
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return ret;
 }
@@ -981,9 +984,11 @@ amdgpu_connector_dvi_detect(struct drm_connector *connector, bool force)
        enum drm_connector_status ret = connector_status_disconnected;
        bool dret = false, broken_edid = false;
-        r = pm_runtime_get_sync(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        if (r < 0)
+                r = pm_runtime_get_sync(connector->dev->dev);
-                return connector_status_disconnected;
+                if (r < 0)
+                        return connector_status_disconnected;
+        }
        if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) {
                ret = connector->status;
@@ -1108,8 +1113,10 @@ out:
        amdgpu_connector_update_scratch_regs(connector, ret);
 exit:
-        pm_runtime_mark_last_busy(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        pm_runtime_put_autosuspend(connector->dev->dev);
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return ret;
 }
@@ -1351,9 +1358,11 @@ amdgpu_connector_dp_detect(struct drm_connector *connector, bool force)
        struct drm_encoder *encoder = amdgpu_connector_best_single_encoder(connector);
        int r;
-        r = pm_runtime_get_sync(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        if (r < 0)
+                r = pm_runtime_get_sync(connector->dev->dev);
-                return connector_status_disconnected;
+                if (r < 0)
+                        return connector_status_disconnected;
+        }
        if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) {
                ret = connector->status;
@@ -1421,8 +1430,10 @@ amdgpu_connector_dp_detect(struct drm_connector *connector, bool force)
        amdgpu_connector_update_scratch_regs(connector, ret);
 out:
-        pm_runtime_mark_last_busy(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        pm_runtime_put_autosuspend(connector->dev->dev);
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return ret;
 }
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index fc9f14747f70..a36230d1331c 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -1467,8 +1467,6 @@ int amdgpu_device_init(struct amdgpu_device *adev,
         * ignore it */
        vga_client_register(adev->pdev, adev, NULL, amdgpu_vga_set_decode);
-        if (amdgpu_runtime_pm == 1)
-                runtime = true;
        if (amdgpu_device_is_px(ddev))
                runtime = true;
        vga_switcheroo_register_client(adev->pdev, &amdgpu_switcheroo_ops, runtime);
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
index 82903ca78529..c555781685ea 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
@@ -560,6 +560,12 @@ amdgpu_user_framebuffer_create(struct drm_device *dev,
                return ERR_PTR(-ENOENT);
        }
+        /* Handle is imported dma-buf, so cannot be migrated to VRAM for scanout */
+        if (obj->import_attach) {
+                DRM_DEBUG_KMS("Cannot create framebuffer from imported dma_buf\n");
+                return ERR_PTR(-EINVAL);
+        }
        amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL);
        if (amdgpu_fb == NULL) {
                drm_gem_object_unreference_unlocked(obj);
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c
index b57fffc2d4af..0a91261b6f5b 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c
@@ -2104,34 +2104,8 @@ static void gfx_v7_0_gpu_init(struct amdgpu_device *adev)
        case CHIP_KAVERI:
                adev->gfx.config.max_shader_engines = 1;
                adev->gfx.config.max_tile_pipes = 4;
-                if ((adev->pdev->device == 0x1304) ||
+                adev->gfx.config.max_cu_per_sh = 8;
-                    (adev->pdev->device == 0x1305) ||
+                adev->gfx.config.max_backends_per_se = 2;
-                    (adev->pdev->device == 0x130C) ||
-                    (adev->pdev->device == 0x130F) ||
-                    (adev->pdev->device == 0x1310) ||
-                    (adev->pdev->device == 0x1311) ||
-                    (adev->pdev->device == 0x131C)) {
-                        adev->gfx.config.max_cu_per_sh = 8;
-                        adev->gfx.config.max_backends_per_se = 2;
-                } else if ((adev->pdev->device == 0x1309) ||
-                           (adev->pdev->device == 0x130A) ||
-                           (adev->pdev->device == 0x130D) ||
-                           (adev->pdev->device == 0x1313) ||
-                           (adev->pdev->device == 0x131D)) {
-                        adev->gfx.config.max_cu_per_sh = 6;
-                        adev->gfx.config.max_backends_per_se = 2;
-                } else if ((adev->pdev->device == 0x1306) ||
-                           (adev->pdev->device == 0x1307) ||
-                           (adev->pdev->device == 0x130B) ||
-                           (adev->pdev->device == 0x130E) ||
-                           (adev->pdev->device == 0x1315) ||
-                           (adev->pdev->device == 0x131B)) {
-                        adev->gfx.config.max_cu_per_sh = 4;
-                        adev->gfx.config.max_backends_per_se = 1;
-                } else {
-                        adev->gfx.config.max_cu_per_sh = 3;
-                        adev->gfx.config.max_backends_per_se = 1;
-                }
                adev->gfx.config.max_sh_per_se = 1;
                adev->gfx.config.max_texture_channel_caches = 4;
                adev->gfx.config.max_gprs = 256;
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
index d83de985e88c..8577a563600f 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
@@ -215,8 +215,8 @@ static int update_mqd_sdma(struct mqd_manager *mm, void *mqd,
        BUG_ON(!mm || !mqd || !q);
        m = get_sdma_mqd(mqd);
-        m->sdma_rlc_rb_cntl = ffs(q->queue_size / sizeof(unsigned int)) <<
+        m->sdma_rlc_rb_cntl = (ffs(q->queue_size / sizeof(unsigned int)) - 1)
-                        SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT |
+                        << SDMA0_RLC0_RB_CNTL__RB_SIZE__SHIFT |
                        q->vmid << SDMA0_RLC0_RB_CNTL__RB_VMID__SHIFT |
                        1 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_ENABLE__SHIFT |
                        6 << SDMA0_RLC0_RB_CNTL__RPTR_WRITEBACK_TIMER__SHIFT;
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
index 7b69070f7ecc..aa41b840048f 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
@@ -205,6 +205,24 @@ int pqm_create_queue(struct process_queue_manager *pqm,
        switch (type) {
        case KFD_QUEUE_TYPE_SDMA:
+                if (dev->dqm->queue_count >=
+                        CIK_SDMA_QUEUES_PER_ENGINE * CIK_SDMA_ENGINE_NUM) {
+                        pr_err("Over-subscription is not allowed for SDMA.\n");
+                        retval = -EPERM;
+                        goto err_create_queue;
+                }
+                retval = create_cp_queue(pqm, dev, &q, properties, f, *qid);
+                if (retval != 0)
+                        goto err_create_queue;
+                pqn->q = q;
+                pqn->kq = NULL;
+                retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd,
+                                                &q->properties.vmid);
+                pr_debug("DQM returned %d for create_queue\n", retval);
+                print_queue(q);
+                break;
        case KFD_QUEUE_TYPE_COMPUTE:
                /* check if there is over subscription */
                if ((sched_policy == KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION) &&
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
index 74909e72a009..2acbd43f9a53 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
@@ -519,11 +519,17 @@ static ssize_t sysprops_show(struct kobject *kobj, struct attribute *attr,
        return ret;
 }
+static void kfd_topology_kobj_release(struct kobject *kobj)
+{
+        kfree(kobj);
+}
 static const struct sysfs_ops sysprops_ops = {
        .show = sysprops_show,
 };
 static struct kobj_type sysprops_type = {
+        .release = kfd_topology_kobj_release,
        .sysfs_ops = &sysprops_ops,
 };
@@ -559,6 +565,7 @@ static const struct sysfs_ops iolink_ops = {
 };
 static struct kobj_type iolink_type = {
+        .release = kfd_topology_kobj_release,
        .sysfs_ops = &iolink_ops,
 };
@@ -586,6 +593,7 @@ static const struct sysfs_ops mem_ops = {
 };
 static struct kobj_type mem_type = {
+        .release = kfd_topology_kobj_release,
        .sysfs_ops = &mem_ops,
 };
@@ -625,6 +633,7 @@ static const struct sysfs_ops cache_ops = {
 };
 static struct kobj_type cache_type = {
+        .release = kfd_topology_kobj_release,
        .sysfs_ops = &cache_ops,
 };
@@ -747,6 +756,7 @@ static const struct sysfs_ops node_ops = {
 };
 static struct kobj_type node_type = {
+        .release = kfd_topology_kobj_release,
        .sysfs_ops = &node_ops,
 };
diff --git a/drivers/gpu/drm/armada/armada_crtc.c b/drivers/gpu/drm/armada/armada_crtc.c
index cebcab560626..5d68189176cc 100644
--- a/drivers/gpu/drm/armada/armada_crtc.c
+++ b/drivers/gpu/drm/armada/armada_crtc.c
@@ -1182,17 +1182,13 @@ static int armada_drm_crtc_create(struct drm_device *drm, struct device *dev,
        ret = devm_request_irq(dev, irq, armada_drm_irq, 0, "armada_drm_crtc",
                               dcrtc);
-        if (ret < 0) {
+        if (ret < 0)
-                kfree(dcrtc);
+                goto err_crtc;
-                return ret;
-        }
        if (dcrtc->variant->init) {
                ret = dcrtc->variant->init(dcrtc, dev);
-                if (ret) {
+                if (ret)
-                        kfree(dcrtc);
+                        goto err_crtc;
-                        return ret;
-                }
        }
        /* Ensure AXI pipeline is enabled */
@@ -1203,13 +1199,15 @@ static int armada_drm_crtc_create(struct drm_device *drm, struct device *dev,
        dcrtc->crtc.port = port;
        primary = kzalloc(sizeof(*primary), GFP_KERNEL);
-        if (!primary)
+        if (!primary) {
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto err_crtc;
+        }
        ret = armada_drm_plane_init(primary);
        if (ret) {
                kfree(primary);
-                return ret;
+                goto err_crtc;
        }
        ret = drm_universal_plane_init(drm, &primary->base, 0,
@@ -1219,7 +1217,7 @@ static int armada_drm_crtc_create(struct drm_device *drm, struct device *dev,
                                       DRM_PLANE_TYPE_PRIMARY);
        if (ret) {
                kfree(primary);
-                return ret;
+                goto err_crtc;
        }
        ret = drm_crtc_init_with_planes(drm, &dcrtc->crtc, &primary->base, NULL,
@@ -1238,6 +1236,9 @@ static int armada_drm_crtc_create(struct drm_device *drm, struct device *dev,
 err_crtc_init:
        primary->base.funcs->destroy(&primary->base);
+err_crtc:
+        kfree(dcrtc);
        return ret;
 }
diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
index 4ce52c69dfb3..76eace9ff6ab 100644
--- a/drivers/gpu/drm/drm_atomic.c
+++ b/drivers/gpu/drm/drm_atomic.c
@@ -1044,7 +1044,9 @@ drm_atomic_set_crtc_for_plane(struct drm_plane_state *plane_state,
 {
        struct drm_plane *plane = plane_state->plane;
        struct drm_crtc_state *crtc_state;
+        /* Nothing to do for same crtc*/
+        if (plane_state->crtc == crtc)
+                return 0;
        if (plane_state->crtc) {
                crtc_state = drm_atomic_get_crtc_state(plane_state->state,
                                                       plane_state->crtc);
diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
index c0106fd9fae9..724f7cf52253 100644
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -106,6 +106,9 @@ static struct edid_quirk {
        /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
        { "AEO", 0, EDID_QUIRK_FORCE_6BPC },
+        /* CPT panel of Asus UX303LA reports 8 bpc, but is a 6 bpc panel */
+        { "CPT", 0x17df, EDID_QUIRK_FORCE_6BPC },
        /* Belinea 10 15 55 */
        { "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
        { "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
@@ -3216,8 +3219,7 @@ monitor_name(struct detailed_timing *t, void *data)
 * @edid: EDID to parse
 *
 * Fill the ELD (EDID-Like Data) buffer for passing to the audio driver. The
- * Conn_Type, HDCP and Port_ID ELD fields are left for the graphics driver to
+ * HDCP and Port_ID ELD fields are left for the graphics driver to fill in.
- * fill in.
 */
 void drm_edid_to_eld(struct drm_connector *connector, struct edid *edid)
 {
@@ -3290,6 +3292,12 @@ void drm_edid_to_eld(struct drm_connector *connector, struct edid *edid)
        }
        eld[5] |= sad_count << 4;
+        if (connector->connector_type == DRM_MODE_CONNECTOR_DisplayPort ||
+            connector->connector_type == DRM_MODE_CONNECTOR_eDP)
+                eld[DRM_ELD_SAD_COUNT_CONN_TYPE] |= DRM_ELD_CONN_TYPE_DP;
+        else
+                eld[DRM_ELD_SAD_COUNT_CONN_TYPE] |= DRM_ELD_CONN_TYPE_HDMI;
        eld[DRM_ELD_BASELINE_ELD_LEN] =
                DIV_ROUND_UP(drm_eld_calc_baseline_block_size(eld), 4);
diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
index 6b5625e66119..88ceac091454 100644
--- a/drivers/gpu/drm/drm_fops.c
+++ b/drivers/gpu/drm/drm_fops.c
@@ -209,6 +209,7 @@ static int drm_open_helper(struct file *filp, struct drm_minor *minor)
                return -ENOMEM;
        filp->private_data = priv;
+        filp->f_mode |= FMODE_UNSIGNED_OFFSET;
        priv->filp = filp;
        priv->uid = current_euid();
        priv->pid = get_pid(task_pid(current));
diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index 8090989185b2..4ddbc49125cd 100644
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -1271,9 +1271,9 @@ void drm_vblank_put(struct drm_device *dev, unsigned int pipe)
        if (atomic_dec_and_test(&vblank->refcount)) {
                if (drm_vblank_offdelay == 0)
                        return;
-                else if (dev->vblank_disable_immediate || drm_vblank_offdelay < 0)
+                else if (drm_vblank_offdelay < 0)
                        vblank_disable_fn((unsigned long)vblank);
-                else
+                else if (!dev->vblank_disable_immediate)
                        mod_timer(&vblank->disable_timer,
                                  jiffies + ((drm_vblank_offdelay * HZ)/1000));
        }
@@ -1902,6 +1902,16 @@ bool drm_handle_vblank(struct drm_device *dev, unsigned int pipe)
        wake_up(&vblank->queue);
        drm_handle_vblank_events(dev, pipe);
+        /* With instant-off, we defer disabling the interrupt until after
+         * we finish processing the following vblank. The disable has to
+         * be last (after drm_handle_vblank_events) so that the timestamp
+         * is always accurate.
+         */
+        if (dev->vblank_disable_immediate &&
+            drm_vblank_offdelay > 0 &&
+            !atomic_read(&vblank->refcount))
+                vblank_disable_fn((unsigned long)vblank);
        spin_unlock_irqrestore(&dev->event_lock, irqflags);
        return true;
diff --git a/drivers/gpu/drm/drm_modeset_lock.c b/drivers/gpu/drm/drm_modeset_lock.c
index c2f5971146ba..220eee1c1ef7 100644
--- a/drivers/gpu/drm/drm_modeset_lock.c
+++ b/drivers/gpu/drm/drm_modeset_lock.c
@@ -76,7 +76,7 @@ void drm_modeset_lock_all(struct drm_device *dev)
        struct drm_modeset_acquire_ctx *ctx;
        int ret;
-        ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+        ctx = kzalloc(sizeof(*ctx), GFP_KERNEL | __GFP_NOFAIL);
        if (WARN_ON(!ctx))
                return;
diff --git a/drivers/gpu/drm/drm_probe_helper.c b/drivers/gpu/drm/drm_probe_helper.c
index 5c1633419cf7..57af40b44423 100644
--- a/drivers/gpu/drm/drm_probe_helper.c
+++ b/drivers/gpu/drm/drm_probe_helper.c
@@ -418,6 +418,26 @@ out:
 }
 /**
+ * drm_kms_helper_is_poll_worker - is %current task an output poll worker?
+ *
+ * Determine if %current task is an output poll worker.  This can be used
+ * to select distinct code paths for output polling versus other contexts.
+ *
+ * One use case is to avoid a deadlock between the output poll worker and
+ * the autosuspend worker wherein the latter waits for polling to finish
+ * upon calling drm_kms_helper_poll_disable(), while the former waits for
+ * runtime suspend to finish upon calling pm_runtime_get_sync() in a
+ * connector ->detect hook.
+ */
+bool drm_kms_helper_is_poll_worker(void)
+{
+        struct work_struct *work = current_work();
+        return work && work->func == output_poll_execute;
+}
+EXPORT_SYMBOL(drm_kms_helper_is_poll_worker);
+/**
 * drm_kms_helper_poll_disable - disable output polling
 * @dev: drm_device
 *
diff --git a/drivers/gpu/drm/exynos/regs-fimc.h b/drivers/gpu/drm/exynos/regs-fimc.h
index 30496134a3d0..d7cbe53c4c01 100644
--- a/drivers/gpu/drm/exynos/regs-fimc.h
+++ b/drivers/gpu/drm/exynos/regs-fimc.h
@@ -569,7 +569,7 @@
 #define EXYNOS_CIIMGEFF_FIN_EMBOSSING           (4 << 26)
 #define EXYNOS_CIIMGEFF_FIN_SILHOUETTE          (5 << 26)
 #define EXYNOS_CIIMGEFF_FIN_MASK                        (7 << 26)
-#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK           ((0xff < 13) | (0xff < 0))
+#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK           ((0xff << 13) | (0xff << 0))
 /* Real input DMA size register */
 #define EXYNOS_CIREAL_ISIZE_AUTOLOAD_ENABLE     (1 << 31)
diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
index d4813e03f5ee..00275c3856ce 100644
--- a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
+++ b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
@@ -821,14 +821,18 @@ void mdfld_dsi_dpi_mode_set(struct drm_encoder *encoder,
        struct drm_device *dev = dsi_config->dev;
        struct drm_psb_private *dev_priv = dev->dev_private;
        int pipe = mdfld_dsi_encoder_get_pipe(dsi_encoder);
        u32 pipeconf_reg = PIPEACONF;
        u32 dspcntr_reg = DSPACNTR;
+        u32 pipeconf, dspcntr;
-        u32 pipeconf = dev_priv->pipeconf[pipe];
-        u32 dspcntr = dev_priv->dspcntr[pipe];
        u32 mipi = MIPI_PORT_EN | PASS_FROM_SPHY_TO_AFE | SEL_FLOPPED_HSTX;
+        if (WARN_ON(pipe < 0))
+                return;
+        pipeconf = dev_priv->pipeconf[pipe];
+        dspcntr = dev_priv->dspcntr[pipe];
        if (pipe) {
                pipeconf_reg = PIPECCONF;
                dspcntr_reg = DSPCCNTR;
diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_output.c b/drivers/gpu/drm/gma500/mdfld_dsi_output.c
index 89f705c3a5eb..910a2f253990 100644
--- a/drivers/gpu/drm/gma500/mdfld_dsi_output.c
+++ b/drivers/gpu/drm/gma500/mdfld_dsi_output.c
@@ -382,16 +382,6 @@ static int mdfld_dsi_connector_mode_valid(struct drm_connector *connector,
        return MODE_OK;
 }
-static void mdfld_dsi_connector_dpms(struct drm_connector *connector, int mode)
-{
-        if (mode == connector->dpms)
-                return;
-        /*first, execute dpms*/
-        drm_helper_connector_dpms(connector, mode);
-}
 static struct drm_encoder *mdfld_dsi_connector_best_encoder(
                                struct drm_connector *connector)
 {
@@ -404,7 +394,7 @@ static struct drm_encoder *mdfld_dsi_connector_best_encoder(
 /*DSI connector funcs*/
 static const struct drm_connector_funcs mdfld_dsi_connector_funcs = {
-        .dpms = /*drm_helper_connector_dpms*/mdfld_dsi_connector_dpms,
+        .dpms = drm_helper_connector_dpms,
        .save = mdfld_dsi_connector_save,
        .restore = mdfld_dsi_connector_restore,
        .detect = mdfld_dsi_connector_detect,
diff --git a/drivers/gpu/drm/gma500/psb_intel_drv.h b/drivers/gpu/drm/gma500/psb_intel_drv.h
index 860dd2177ca1..283570080d47 100644
--- a/drivers/gpu/drm/gma500/psb_intel_drv.h
+++ b/drivers/gpu/drm/gma500/psb_intel_drv.h
@@ -252,7 +252,7 @@ extern int intelfb_remove(struct drm_device *dev,
 extern bool psb_intel_lvds_mode_fixup(struct drm_encoder *encoder,
                                      const struct drm_display_mode *mode,
                                      struct drm_display_mode *adjusted_mode);
-extern int psb_intel_lvds_mode_valid(struct drm_connector *connector,
+extern enum drm_mode_status psb_intel_lvds_mode_valid(struct drm_connector *connector,
                                     struct drm_display_mode *mode);
 extern int psb_intel_lvds_set_property(struct drm_connector *connector,
                                        struct drm_property *property,
diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c
index 61e3a097a478..ccd1b8bf0fd5 100644
--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c
+++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c
@@ -343,7 +343,7 @@ static void psb_intel_lvds_restore(struct drm_connector *connector)
        }
 }
-int psb_intel_lvds_mode_valid(struct drm_connector *connector,
+enum drm_mode_status psb_intel_lvds_mode_valid(struct drm_connector *connector,
                                 struct drm_display_mode *mode)
 {
        struct drm_psb_private *dev_priv = connector->dev->dev_private;
diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c
index 7f39b8ad88ae..de6710fe3ff4 100644
--- a/drivers/gpu/drm/i915/intel_lvds.c
+++ b/drivers/gpu/drm/i915/intel_lvds.c
@@ -768,6 +768,14 @@ static const struct dmi_system_id intel_no_lvds[] = {
                        DMI_EXACT_MATCH(DMI_BOARD_NAME, "D525MW"),
                },
        },
+        {
+                .callback = intel_no_lvds_dmi_callback,
+                .ident = "Radiant P845",
+                .matches = {
+                        DMI_MATCH(DMI_SYS_VENDOR, "Radiant Systems Inc"),
+                        DMI_MATCH(DMI_PRODUCT_NAME, "P845"),
+                },
+        },
        { }     /* terminating entry */
 };
diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index c76cc853b08a..644faf3ae93a 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -89,14 +89,17 @@ static struct page **get_pages(struct drm_gem_object *obj)
                        return p;
                }
+                msm_obj->pages = p;
                msm_obj->sgt = drm_prime_pages_to_sg(p, npages);
                if (IS_ERR(msm_obj->sgt)) {
+                        void *ptr = ERR_CAST(msm_obj->sgt);
                        dev_err(dev->dev, "failed to allocate sgt\n");
-                        return ERR_CAST(msm_obj->sgt);
+                        msm_obj->sgt = NULL;
+                        return ptr;
                }
-                msm_obj->pages = p;
                /* For non-cached buffers, ensure the new pages are clean
                 * because display controller, GPU, etc. are not coherent:
                 */
@@ -119,7 +122,10 @@ static void put_pages(struct drm_gem_object *obj)
                if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
                        dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
                                        msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
-                sg_free_table(msm_obj->sgt);
+                if (msm_obj->sgt)
+                        sg_free_table(msm_obj->sgt);
                kfree(msm_obj->sgt);
                if (use_pages(obj))
diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
index 2a5ed7460354..ababdaabe870 100644
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -253,9 +253,15 @@ nouveau_connector_detect(struct drm_connector *connector, bool force)
                nv_connector->edid = NULL;
        }
-        ret = pm_runtime_get_sync(connector->dev->dev);
+        /* Outputs are only polled while runtime active, so acquiring a
-        if (ret < 0 && ret != -EACCES)
+         * runtime PM ref here is unnecessary (and would deadlock upon
-                return conn_status;
+         * runtime suspend because it waits for polling to finish).
+         */
+        if (!drm_kms_helper_is_poll_worker()) {
+                ret = pm_runtime_get_sync(connector->dev->dev);
+                if (ret < 0 && ret != -EACCES)
+                        return conn_status;
+        }
        nv_encoder = nouveau_connector_ddc_detect(connector);
        if (nv_encoder && (i2c = nv_encoder->i2c) != NULL) {
@@ -323,8 +329,10 @@ detect_analog:
 out:
-        pm_runtime_mark_last_busy(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        pm_runtime_put_autosuspend(connector->dev->dev);
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return conn_status;
 }
diff --git a/drivers/gpu/drm/nouveau/nouveau_display.c b/drivers/gpu/drm/nouveau/nouveau_display.c
index 00de1bf81519..9dfc2471ea09 100644
--- a/drivers/gpu/drm/nouveau/nouveau_display.c
+++ b/drivers/gpu/drm/nouveau/nouveau_display.c
@@ -104,7 +104,7 @@ nouveau_display_scanoutpos_head(struct drm_crtc *crtc, int *vpos, int *hpos,
        };
        struct nouveau_display *disp = nouveau_display(crtc->dev);
        struct drm_vblank_crtc *vblank = &crtc->dev->vblank[drm_crtc_index(crtc)];
-        int ret, retry = 1;
+        int ret, retry = 20;
        do {
                ret = nvif_mthd(&disp->disp, 0, &args, sizeof(args));
diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index a0865c49ec83..495c279da200 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -370,7 +370,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
        struct nouveau_cli *cli = nouveau_cli(file_priv);
        struct drm_device *dev = chan->drm->dev;
        int trycnt = 0;
-        int ret, i;
+        int ret = -EINVAL, i;
        struct nouveau_bo *res_bo = NULL;
        LIST_HEAD(gart_list);
        LIST_HEAD(vram_list);
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c
index 4896474da320..3021fcd0a3df 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c
@@ -127,6 +127,13 @@ nvkm_pci_init(struct nvkm_subdev *subdev)
                return ret;
        pci->irq = pdev->irq;
+        /* Ensure MSI interrupts are armed, for the case where there are
+         * already interrupts pending (for whatever reason) at load time.
+         */
+        if (pci->msi)
+                pci->func->msi_rearm(pci);
        return ret;
 }
diff --git a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
index 652c5651d327..26d6ff06cd99 100644
--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
@@ -794,7 +794,8 @@ static int omap_dmm_probe(struct platform_device *dev)
                match = of_match_node(dmm_of_match, dev->dev.of_node);
                if (!match) {
                        dev_err(&dev->dev, "failed to find matching device node\n");
-                        return -ENODEV;
+                        ret = -ENODEV;
+                        goto fail;
                }
                omap_dmm->plat_data = match->data;
diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c
index c4a552637c93..3ff7689835dc 100644
--- a/drivers/gpu/drm/qxl/qxl_fb.c
+++ b/drivers/gpu/drm/qxl/qxl_fb.c
@@ -494,9 +494,11 @@ static const struct drm_fb_helper_funcs qxl_fb_helper_funcs = {
 int qxl_fbdev_init(struct qxl_device *qdev)
 {
+        int ret = 0;
+#ifdef CONFIG_DRM_FBDEV_EMULATION
        struct qxl_fbdev *qfbdev;
        int bpp_sel = 32; /* TODO: parameter from somewhere? */
-        int ret;
        qfbdev = kzalloc(sizeof(struct qxl_fbdev), GFP_KERNEL);
        if (!qfbdev)
@@ -531,6 +533,8 @@ fini:
        drm_fb_helper_fini(&qfbdev->helper);
 free:
        kfree(qfbdev);
+#endif
        return ret;
 }
@@ -546,6 +550,9 @@ void qxl_fbdev_fini(struct qxl_device *qdev)
 void qxl_fbdev_set_suspend(struct qxl_device *qdev, int state)
 {
+        if (!qdev->mode_info.qfbdev)
+                return;
        drm_fb_helper_set_suspend(&qdev->mode_info.qfbdev->helper, state);
 }
diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c
index 134874cab4c7..80b6d6e4721a 100644
--- a/drivers/gpu/drm/radeon/cik.c
+++ b/drivers/gpu/drm/radeon/cik.c
@@ -3599,35 +3599,8 @@ static void cik_gpu_init(struct radeon_device *rdev)
        case CHIP_KAVERI:
                rdev->config.cik.max_shader_engines = 1;
                rdev->config.cik.max_tile_pipes = 4;
-                if ((rdev->pdev->device == 0x1304) ||
+                rdev->config.cik.max_cu_per_sh = 8;
-                    (rdev->pdev->device == 0x1305) ||
+                rdev->config.cik.max_backends_per_se = 2;
-                    (rdev->pdev->device == 0x130C) ||
-                    (rdev->pdev->device == 0x130F) ||
-                    (rdev->pdev->device == 0x1310) ||
-                    (rdev->pdev->device == 0x1311) ||
-                    (rdev->pdev->device == 0x131C)) {
-                        rdev->config.cik.max_cu_per_sh = 8;
-                        rdev->config.cik.max_backends_per_se = 2;
-                } else if ((rdev->pdev->device == 0x1309) ||
-                           (rdev->pdev->device == 0x130A) ||
-                           (rdev->pdev->device == 0x130D) ||
-                           (rdev->pdev->device == 0x1313) ||
-                           (rdev->pdev->device == 0x131D)) {
-                        rdev->config.cik.max_cu_per_sh = 6;
-                        rdev->config.cik.max_backends_per_se = 2;
-                } else if ((rdev->pdev->device == 0x1306) ||
-                           (rdev->pdev->device == 0x1307) ||
-                           (rdev->pdev->device == 0x130B) ||
-                           (rdev->pdev->device == 0x130E) ||
-                           (rdev->pdev->device == 0x1315) ||
-                           (rdev->pdev->device == 0x1318) ||
-                           (rdev->pdev->device == 0x131B)) {
-                        rdev->config.cik.max_cu_per_sh = 4;
-                        rdev->config.cik.max_backends_per_se = 1;
-                } else {
-                        rdev->config.cik.max_cu_per_sh = 3;
-                        rdev->config.cik.max_backends_per_se = 1;
-                }
                rdev->config.cik.max_sh_per_se = 1;
                rdev->config.cik.max_texture_channel_caches = 4;
                rdev->config.cik.max_gprs = 256;
diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
index 30f00748ed37..c6bf378534f8 100644
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -89,25 +89,18 @@ void radeon_connector_hotplug(struct drm_connector *connector)
                /* don't do anything if sink is not display port, i.e.,
                 * passive dp->(dvi|hdmi) adaptor
                 */
-                if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT) {
+                if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT &&
-                        int saved_dpms = connector->dpms;
+                    radeon_hpd_sense(rdev, radeon_connector->hpd.hpd) &&
-                        /* Only turn off the display if it's physically disconnected */
+                    radeon_dp_needs_link_train(radeon_connector)) {
-                        if (!radeon_hpd_sense(rdev, radeon_connector->hpd.hpd)) {
+                        /* Don't start link training before we have the DPCD */
-                                drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
+                        if (!radeon_dp_getdpcd(radeon_connector))
-                        } else if (radeon_dp_needs_link_train(radeon_connector)) {
+                                return;
-                                /* Don't try to start link training before we
-                                 * have the dpcd */
+                        /* Turn the connector off and back on immediately, which
-                                if (!radeon_dp_getdpcd(radeon_connector))
+                         * will trigger link training
-                                        return;
+                         */
+                        drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
-                                /* set it to OFF so that drm_helper_connector_dpms()
+                        drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
-                                 * won't return immediately since the current state
-                                 * is ON at this point.
-                                 */
-                                connector->dpms = DRM_MODE_DPMS_OFF;
-                                drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
-                        }
-                        connector->dpms = saved_dpms;
                }
        }
 }
@@ -851,7 +844,7 @@ static int radeon_lvds_get_modes(struct drm_connector *connector)
        return ret;
 }
-static int radeon_lvds_mode_valid(struct drm_connector *connector,
+static enum drm_mode_status radeon_lvds_mode_valid(struct drm_connector *connector,
                                  struct drm_display_mode *mode)
 {
        struct drm_encoder *encoder = radeon_best_single_encoder(connector);
@@ -891,9 +884,11 @@ radeon_lvds_detect(struct drm_connector *connector, bool force)
        enum drm_connector_status ret = connector_status_disconnected;
        int r;
-        r = pm_runtime_get_sync(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        if (r < 0)
+                r = pm_runtime_get_sync(connector->dev->dev);
-                return connector_status_disconnected;
+                if (r < 0)
+                        return connector_status_disconnected;
+        }
        if (encoder) {
                struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
@@ -916,8 +911,12 @@ radeon_lvds_detect(struct drm_connector *connector, bool force)
        /* check acpi lid status ??? */
        radeon_connector_update_scratch_regs(connector, ret);
-        pm_runtime_mark_last_busy(connector->dev->dev);
-        pm_runtime_put_autosuspend(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return ret;
 }
@@ -994,7 +993,7 @@ static int radeon_vga_get_modes(struct drm_connector *connector)
        return ret;
 }
-static int radeon_vga_mode_valid(struct drm_connector *connector,
+static enum drm_mode_status radeon_vga_mode_valid(struct drm_connector *connector,
                                  struct drm_display_mode *mode)
 {
        struct drm_device *dev = connector->dev;
@@ -1020,9 +1019,11 @@ radeon_vga_detect(struct drm_connector *connector, bool force)
        enum drm_connector_status ret = connector_status_disconnected;
        int r;
-        r = pm_runtime_get_sync(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        if (r < 0)
+                r = pm_runtime_get_sync(connector->dev->dev);
-                return connector_status_disconnected;
+                if (r < 0)
+                        return connector_status_disconnected;
+        }
        encoder = radeon_best_single_encoder(connector);
        if (!encoder)
@@ -1089,8 +1090,10 @@ radeon_vga_detect(struct drm_connector *connector, bool force)
        radeon_connector_update_scratch_regs(connector, ret);
 out:
-        pm_runtime_mark_last_busy(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        pm_runtime_put_autosuspend(connector->dev->dev);
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return ret;
 }
@@ -1133,7 +1136,7 @@ static int radeon_tv_get_modes(struct drm_connector *connector)
        return 1;
 }
-static int radeon_tv_mode_valid(struct drm_connector *connector,
+static enum drm_mode_status radeon_tv_mode_valid(struct drm_connector *connector,
                                struct drm_display_mode *mode)
 {
        if ((mode->hdisplay > 1024) || (mode->vdisplay > 768))
@@ -1153,9 +1156,11 @@ radeon_tv_detect(struct drm_connector *connector, bool force)
        if (!radeon_connector->dac_load_detect)
                return ret;
-        r = pm_runtime_get_sync(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        if (r < 0)
+                r = pm_runtime_get_sync(connector->dev->dev);
-                return connector_status_disconnected;
+                if (r < 0)
+                        return connector_status_disconnected;
+        }
        encoder = radeon_best_single_encoder(connector);
        if (!encoder)
@@ -1167,8 +1172,12 @@ radeon_tv_detect(struct drm_connector *connector, bool force)
        if (ret == connector_status_connected)
                ret = radeon_connector_analog_encoder_conflict_solve(connector, encoder, ret, false);
        radeon_connector_update_scratch_regs(connector, ret);
-        pm_runtime_mark_last_busy(connector->dev->dev);
-        pm_runtime_put_autosuspend(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return ret;
 }
@@ -1230,9 +1239,11 @@ radeon_dvi_detect(struct drm_connector *connector, bool force)
        enum drm_connector_status ret = connector_status_disconnected;
        bool dret = false, broken_edid = false;
-        r = pm_runtime_get_sync(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        if (r < 0)
+                r = pm_runtime_get_sync(connector->dev->dev);
-                return connector_status_disconnected;
+                if (r < 0)
+                        return connector_status_disconnected;
+        }
        if (radeon_connector->detected_hpd_without_ddc) {
                force = true;
@@ -1415,8 +1426,10 @@ out:
        }
 exit:
-        pm_runtime_mark_last_busy(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        pm_runtime_put_autosuspend(connector->dev->dev);
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return ret;
 }
@@ -1464,7 +1477,7 @@ static void radeon_dvi_force(struct drm_connector *connector)
                radeon_connector->use_digital = true;
 }
-static int radeon_dvi_mode_valid(struct drm_connector *connector,
+static enum drm_mode_status radeon_dvi_mode_valid(struct drm_connector *connector,
                                  struct drm_display_mode *mode)
 {
        struct drm_device *dev = connector->dev;
@@ -1666,9 +1679,11 @@ radeon_dp_detect(struct drm_connector *connector, bool force)
        if (radeon_dig_connector->is_mst)
                return connector_status_disconnected;
-        r = pm_runtime_get_sync(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        if (r < 0)
+                r = pm_runtime_get_sync(connector->dev->dev);
-                return connector_status_disconnected;
+                if (r < 0)
+                        return connector_status_disconnected;
+        }
        if (!force && radeon_check_hpd_status_unchanged(connector)) {
                ret = connector->status;
@@ -1755,13 +1770,15 @@ radeon_dp_detect(struct drm_connector *connector, bool force)
        }
 out:
-        pm_runtime_mark_last_busy(connector->dev->dev);
+        if (!drm_kms_helper_is_poll_worker()) {
-        pm_runtime_put_autosuspend(connector->dev->dev);
+                pm_runtime_mark_last_busy(connector->dev->dev);
+                pm_runtime_put_autosuspend(connector->dev->dev);
+        }
        return ret;
 }
-static int radeon_dp_mode_valid(struct drm_connector *connector,
+static enum drm_mode_status radeon_dp_mode_valid(struct drm_connector *connector,
                                  struct drm_display_mode *mode)
 {
        struct drm_device *dev = connector->dev;
diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
index 3645b223aa37..446d99062306 100644
--- a/drivers/gpu/drm/radeon/radeon_display.c
+++ b/drivers/gpu/drm/radeon/radeon_display.c
@@ -1374,6 +1374,12 @@ radeon_user_framebuffer_create(struct drm_device *dev,
                return ERR_PTR(-ENOENT);
        }
+        /* Handle is imported dma-buf, so cannot be migrated to VRAM for scanout */
+        if (obj->import_attach) {
+                DRM_DEBUG_KMS("Cannot create framebuffer from imported dma_buf\n");
+                return ERR_PTR(-EINVAL);
+        }
        radeon_fb = kzalloc(sizeof(*radeon_fb), GFP_KERNEL);
        if (radeon_fb == NULL) {
                drm_gem_object_unreference_unlocked(obj);
diff --git a/drivers/gpu/drm/radeon/radeon_object.c b/drivers/gpu/drm/radeon/radeon_object.c
index fb6ad143873f..83aee9e814ba 100644
--- a/drivers/gpu/drm/radeon/radeon_object.c
+++ b/drivers/gpu/drm/radeon/radeon_object.c
@@ -238,9 +238,10 @@ int radeon_bo_create(struct radeon_device *rdev,
         * may be slow
         * See https://bugs.freedesktop.org/show_bug.cgi?id=88758
         */
+#ifndef CONFIG_COMPILE_TEST
 #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance \
         thanks to write-combining
+#endif
        if (bo->flags & RADEON_GEM_GTT_WC)
                DRM_INFO_ONCE("Please enable CONFIG_MTRR and CONFIG_X86_PAT for "
diff --git a/drivers/gpu/drm/radeon/radeon_uvd.c b/drivers/gpu/drm/radeon/radeon_uvd.c
index 6edcb5485092..b35ebabd6a9f 100644
--- a/drivers/gpu/drm/radeon/radeon_uvd.c
+++ b/drivers/gpu/drm/radeon/radeon_uvd.c
@@ -946,7 +946,7 @@ int radeon_uvd_calc_upll_dividers(struct radeon_device *rdev,
                /* calc dclk divider with current vco freq */
                dclk_div = radeon_uvd_calc_upll_post_div(vco_freq, dclk,
                                                         pd_min, pd_even);
-                if (vclk_div > pd_max)
+                if (dclk_div > pd_max)
                        break; /* vco is too big, it has to stop */
                /* calc score with current vco freq */
diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c
index d9007cc37be1..892d0a71d766 100644
--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -5964,9 +5964,9 @@ static void si_set_pcie_lane_width_in_smc(struct radeon_device *rdev,
 {
        u32 lane_width;
        u32 new_lane_width =
-                (radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT;
+                ((radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1;
        u32 current_lane_width =
-                (radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT;
+                ((radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1;
        if (new_lane_width != current_lane_width) {
                radeon_set_pcie_lanes(rdev, new_lane_width);
diff --git a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
index 9befd624a5f0..6fab07935d16 100644
--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
+++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
@@ -371,6 +371,31 @@ static void rcar_du_crtc_start(struct rcar_du_crtc *rcrtc)
        rcrtc->started = true;
 }
+static void rcar_du_crtc_disable_planes(struct rcar_du_crtc *rcrtc)
+{
+        struct rcar_du_device *rcdu = rcrtc->group->dev;
+        struct drm_crtc *crtc = &rcrtc->crtc;
+        u32 status;
+        /* Make sure vblank interrupts are enabled. */
+        drm_crtc_vblank_get(crtc);
+        /*
+         * Disable planes and calculate how many vertical blanking interrupts we
+         * have to wait for. If a vertical blanking interrupt has been triggered
+         * but not processed yet, we don't know whether it occurred before or
+         * after the planes got disabled. We thus have to wait for two vblank
+         * interrupts in that case.
+         */
+        spin_lock_irq(&rcrtc->vblank_lock);
+        rcar_du_group_write(rcrtc->group, rcrtc->index % 2 ? DS2PR : DS1PR, 0);
+        status = rcar_du_crtc_read(rcrtc, DSSR);
+        rcrtc->vblank_count = status & DSSR_VBK ? 2 : 1;
+        spin_unlock_irq(&rcrtc->vblank_lock);
+        if (!wait_event_timeout(rcrtc->vblank_wait, rcrtc->vblank_count == 0,
+                                msecs_to_jiffies(100)))
+                dev_warn(rcdu->dev, "vertical blanking timeout\n");
+        drm_crtc_vblank_put(crtc);
+}
 static void rcar_du_crtc_stop(struct rcar_du_crtc *rcrtc)
 {
        struct drm_crtc *crtc = &rcrtc->crtc;
@@ -379,17 +404,16 @@ static void rcar_du_crtc_stop(struct rcar_du_crtc *rcrtc)
                return;
        /* Disable all planes and wait for the change to take effect. This is
-         * required as the DSnPR registers are updated on vblank, and no vblank
+         * required as the plane enable registers are updated on vblank, and no
-         * will occur once the CRTC is stopped. Disabling planes when starting
+         * vblank will occur once the CRTC is stopped. Disabling planes when
-         * the CRTC thus wouldn't be enough as it would start scanning out
+         * starting the CRTC thus wouldn't be enough as it would start scanning
-         * immediately from old frame buffers until the next vblank.
+         * out immediately from old frame buffers until the next vblank.
         *
         * This increases the CRTC stop delay, especially when multiple CRTCs
         * are stopped in one operation as we now wait for one vblank per CRTC.
         * Whether this can be improved needs to be researched.
         */
-        rcar_du_group_write(rcrtc->group, rcrtc->index % 2 ? DS2PR : DS1PR, 0);
+        rcar_du_crtc_disable_planes(rcrtc);
-        drm_crtc_wait_one_vblank(crtc);
        /* Disable vertical blanking interrupt reporting. We first need to wait
         * for page flip completion before stopping the CRTC as userspace
@@ -528,10 +552,26 @@ static irqreturn_t rcar_du_crtc_irq(int irq, void *arg)
        irqreturn_t ret = IRQ_NONE;
        u32 status;
+        spin_lock(&rcrtc->vblank_lock);
        status = rcar_du_crtc_read(rcrtc, DSSR);
        rcar_du_crtc_write(rcrtc, DSRCR, status & DSRCR_MASK);
-        if (status & DSSR_FRM) {
+        if (status & DSSR_VBK) {
+                /*
+                 * Wake up the vblank wait if the counter reaches 0. This must
+                 * be protected by the vblank_lock to avoid races in
+                 * rcar_du_crtc_disable_planes().
+                 */
+                if (rcrtc->vblank_count) {
+                        if (--rcrtc->vblank_count == 0)
+                                wake_up(&rcrtc->vblank_wait);
+                }
+        }
+        spin_unlock(&rcrtc->vblank_lock);
+        if (status & DSSR_VBK) {
                drm_handle_vblank(rcrtc->crtc.dev, rcrtc->index);
                rcar_du_crtc_finish_page_flip(rcrtc);
                ret = IRQ_HANDLED;
@@ -585,6 +625,8 @@ int rcar_du_crtc_create(struct rcar_du_group *rgrp, unsigned int index)
        }
        init_waitqueue_head(&rcrtc->flip_wait);
+        init_waitqueue_head(&rcrtc->vblank_wait);
+        spin_lock_init(&rcrtc->vblank_lock);
        rcrtc->group = rgrp;
        rcrtc->mmio_offset = mmio_offsets[index];
diff --git a/drivers/gpu/drm/rcar-du/rcar_du_crtc.h b/drivers/gpu/drm/rcar-du/rcar_du_crtc.h
index 2bbe3f5aab65..be22ce33b70a 100644
--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.h
+++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.h
@@ -15,6 +15,7 @@
 #define __RCAR_DU_CRTC_H__
 #include <linux/mutex.h>
+#include <linux/spinlock.h>
 #include <linux/wait.h>
 #include <drm/drmP.h>
@@ -32,6 +33,9 @@ struct rcar_du_group;
 * @started: whether the CRTC has been started and is running
 * @event: event to post when the pending page flip completes
 * @flip_wait: wait queue used to signal page flip completion
+ * @vblank_lock: protects vblank_wait and vblank_count
+ * @vblank_wait: wait queue used to signal vertical blanking
+ * @vblank_count: number of vertical blanking interrupts to wait for
 * @outputs: bitmask of the outputs (enum rcar_du_output) driven by this CRTC
 * @enabled: whether the CRTC is enabled, used to control system resume
 * @group: CRTC group this CRTC belongs to
@@ -48,6 +52,10 @@ struct rcar_du_crtc {
        struct drm_pending_vblank_event *event;
        wait_queue_head_t flip_wait;
+        spinlock_t vblank_lock;
+        wait_queue_head_t vblank_wait;
+        unsigned int vblank_count;
        unsigned int outputs;
        bool enabled;
diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
index d908321b94ce..e6d07680eb05 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
@@ -67,7 +67,6 @@ static int rockchip_drm_gem_object_mmap(struct drm_gem_object *obj,
         * VM_PFNMAP flag that was set by drm_gem_mmap_obj()/drm_gem_mmap().
         */
        vma->vm_flags &= ~VM_PFNMAP;
-        vma->vm_pgoff = 0;
        ret = dma_mmap_attrs(drm->dev, vma, rk_obj->kvaddr, rk_obj->dma_addr,
                             obj->size, &rk_obj->dma_attrs);
@@ -99,6 +98,12 @@ int rockchip_gem_mmap(struct file *filp, struct vm_area_struct *vma)
        if (ret)
                return ret;
+        /*
+         * Set vm_pgoff (used as a fake buffer offset by DRM) to 0 and map the
+         * whole buffer from the start.
+         */
+        vma->vm_pgoff = 0;
        obj = vma->vm_private_data;
        return rockchip_drm_gem_object_mmap(obj, vma);
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index 5d8dfe027b30..75d51ec98e06 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -818,6 +818,8 @@ int ttm_page_alloc_init(struct ttm_mem_global *glob, unsigned max_pages)
        pr_info("Initializing pool allocator\n");
        _manager = kzalloc(sizeof(*_manager), GFP_KERNEL);
+        if (!_manager)
+                return -ENOMEM;
        ttm_page_pool_init_locked(&_manager->wc_pool, GFP_HIGHUSER, "wc");
diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
index 391e7eeefbf5..f2a51922ac10 100644
--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -256,10 +256,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
 {
        unsigned long start = vma->vm_start;
        unsigned long size = vma->vm_end - vma->vm_start;
-        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+        unsigned long offset;
        unsigned long page, pos;
-        if (offset + size > info->fix.smem_len)
+        if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+                return -EINVAL;
+        offset = vma->vm_pgoff << PAGE_SHIFT;
+        if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
                return -EINVAL;
        pos = (unsigned long)info->fix.smem_start + offset;
diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
index b4de18e65db8..6296e9f270ca 100644
--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
@@ -208,6 +208,9 @@ static int virtio_gpu_getparam_ioctl(struct drm_device *dev, void *data,
        case VIRTGPU_PARAM_3D_FEATURES:
                value = vgdev->has_virgl_3d == true ? 1 : 0;
                break;
+        case VIRTGPU_PARAM_CAPSET_QUERY_FIX:
+                value = 1;
+                break;
        default:
                return -EINVAL;
        }
@@ -483,7 +486,7 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev,
 {
        struct virtio_gpu_device *vgdev = dev->dev_private;
        struct drm_virtgpu_get_caps *args = data;
-        int size;
+        unsigned size, host_caps_size;
        int i;
        int found_valid = -1;
        int ret;
@@ -492,6 +495,10 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev,
        if (vgdev->num_capsets == 0)
                return -ENOSYS;
+        /* don't allow userspace to pass 0 */
+        if (args->size == 0)
+                return -EINVAL;
        spin_lock(&vgdev->display_info_lock);
        for (i = 0; i < vgdev->num_capsets; i++) {
                if (vgdev->capsets[i].id == args->cap_set_id) {
@@ -507,11 +514,9 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev,
                return -EINVAL;
        }
-        size = vgdev->capsets[found_valid].max_size;
+        host_caps_size = vgdev->capsets[found_valid].max_size;
-        if (args->size > size) {
+        /* only copy to user the minimum of the host caps size or the guest caps size */
-                spin_unlock(&vgdev->display_info_lock);
+        size = min(args->size, host_caps_size);
-                return -EINVAL;
-        }
        list_for_each_entry(cache_ent, &vgdev->cap_cache, head) {
                if (cache_ent->id == args->cap_set_id &&
diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
index 5a0f8a745b9d..52436b3c01bb 100644
--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
+++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
@@ -324,7 +324,7 @@ retry:
        ret = virtqueue_add_sgs(vq, sgs, outcnt, incnt, vbuf, GFP_ATOMIC);
        if (ret == -ENOSPC) {
                spin_unlock(&vgdev->ctrlq.qlock);
-                wait_event(vgdev->ctrlq.ack_queue, vq->num_free);
+                wait_event(vgdev->ctrlq.ack_queue, vq->num_free >= outcnt + incnt);
                spin_lock(&vgdev->ctrlq.qlock);
                goto retry;
        } else {
@@ -399,7 +399,7 @@ retry:
        ret = virtqueue_add_sgs(vq, sgs, outcnt, 0, vbuf, GFP_ATOMIC);
        if (ret == -ENOSPC) {
                spin_unlock(&vgdev->cursorq.qlock);
-                wait_event(vgdev->cursorq.ack_queue, vq->num_free);
+                wait_event(vgdev->cursorq.ack_queue, vq->num_free >= outcnt);
                spin_lock(&vgdev->cursorq.qlock);
                goto retry;
        } else {
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf.c
index 67cebb23c940..aa04fb0159a7 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf.c
@@ -293,13 +293,10 @@ static int vmw_cmdbuf_header_submit(struct vmw_cmdbuf_header *header)
        struct vmw_cmdbuf_man *man = header->man;
        u32 val;
-        if (sizeof(header->handle) > 4)
+        val = upper_32_bits(header->handle);
-                val = (header->handle >> 32);
-        else
-                val = 0;
        vmw_write(man->dev_priv, SVGA_REG_COMMAND_HIGH, val);
-        val = (header->handle & 0xFFFFFFFFULL);
+        val = lower_32_bits(header->handle);
        val |= header->cb_context & SVGA_CB_CONTEXT_MASK;
        vmw_write(man->dev_priv, SVGA_REG_COMMAND_LOW, val);
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
index d2d93959b119..aec6e9eef489 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
@@ -433,7 +433,7 @@ static int vmw_fb_kms_detach(struct vmw_fb_par *par,
                set.y = 0;
                set.mode = NULL;
                set.fb = NULL;
-                set.num_connectors = 1;
+                set.num_connectors = 0;
                set.connectors = &par->con;
                ret = drm_mode_set_config_internal(&set);
                if (ret) {
@@ -821,7 +821,9 @@ int vmw_fb_off(struct vmw_private *vmw_priv)
        flush_delayed_work(&par->local_work);
        mutex_lock(&par->bo_mutex);
+        drm_modeset_lock_all(vmw_priv->dev);
        (void) vmw_fb_kms_detach(par, true, false);
+        drm_modeset_unlock_all(vmw_priv->dev);
        mutex_unlock(&par->bo_mutex);
        return 0;
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 060e5c6f4446..9b97f70fbb3d 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -27,7 +27,6 @@
 #include "vmwgfx_kms.h"
 /* Might need a hrtimer here? */
 #define VMWGFX_PRESENT_RATE ((HZ / 60 > 0) ? HZ / 60 : 1)
@@ -1910,9 +1909,12 @@ void vmw_kms_helper_buffer_finish(struct vmw_private *dev_priv,
 * Helper to be used if an error forces the caller to undo the actions of
 * vmw_kms_helper_resource_prepare.
 */
-void vmw_kms_helper_resource_revert(struct vmw_resource *res)
+void vmw_kms_helper_resource_revert(struct vmw_validation_ctx *ctx)
 {
-        vmw_kms_helper_buffer_revert(res->backup);
+        struct vmw_resource *res = ctx->res;
+        vmw_kms_helper_buffer_revert(ctx->buf);
+        vmw_dmabuf_unreference(&ctx->buf);
        vmw_resource_unreserve(res, false, NULL, 0);
        mutex_unlock(&res->dev_priv->cmdbuf_mutex);
 }
@@ -1929,10 +1931,14 @@ void vmw_kms_helper_resource_revert(struct vmw_resource *res)
 * interrupted by a signal.
 */
 int vmw_kms_helper_resource_prepare(struct vmw_resource *res,
-                                    bool interruptible)
+                                    bool interruptible,
+                                    struct vmw_validation_ctx *ctx)
 {
        int ret = 0;
+        ctx->buf = NULL;
+        ctx->res = res;
        if (interruptible)
                ret = mutex_lock_interruptible(&res->dev_priv->cmdbuf_mutex);
        else
@@ -1951,6 +1957,8 @@ int vmw_kms_helper_resource_prepare(struct vmw_resource *res,
                                                    res->dev_priv->has_mob);
                if (ret)
                        goto out_unreserve;
+                ctx->buf = vmw_dmabuf_reference(res->backup);
        }
        ret = vmw_resource_validate(res);
        if (ret)
@@ -1958,7 +1966,7 @@ int vmw_kms_helper_resource_prepare(struct vmw_resource *res,
        return 0;
 out_revert:
-        vmw_kms_helper_buffer_revert(res->backup);
+        vmw_kms_helper_buffer_revert(ctx->buf);
 out_unreserve:
        vmw_resource_unreserve(res, false, NULL, 0);
 out_unlock:
@@ -1974,13 +1982,16 @@ out_unlock:
 * @out_fence: Optional pointer to a fence pointer. If non-NULL, a
 * ref-counted fence pointer is returned here.
 */
-void vmw_kms_helper_resource_finish(struct vmw_resource *res,
+void vmw_kms_helper_resource_finish(struct vmw_validation_ctx *ctx,
-                             struct vmw_fence_obj **out_fence)
+                                    struct vmw_fence_obj **out_fence)
 {
-        if (res->backup || out_fence)
+        struct vmw_resource *res = ctx->res;
-                vmw_kms_helper_buffer_finish(res->dev_priv, NULL, res->backup,
+        if (ctx->buf || out_fence)
+                vmw_kms_helper_buffer_finish(res->dev_priv, NULL, ctx->buf,
                                             out_fence, NULL);
+        vmw_dmabuf_unreference(&ctx->buf);
        vmw_resource_unreserve(res, false, NULL, 0);
        mutex_unlock(&res->dev_priv->cmdbuf_mutex);
 }
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
index edd81503516d..63b05d5ee50a 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
@@ -180,6 +180,11 @@ struct vmw_display_unit {
        bool is_implicit;
 };
+struct vmw_validation_ctx {
+        struct vmw_resource *res;
+        struct vmw_dma_buffer *buf;
+};
 #define vmw_crtc_to_du(x) \
        container_of(x, struct vmw_display_unit, crtc)
 #define vmw_connector_to_du(x) \
@@ -230,9 +235,10 @@ void vmw_kms_helper_buffer_finish(struct vmw_private *dev_priv,
                                  struct drm_vmw_fence_rep __user *
                                  user_fence_rep);
 int vmw_kms_helper_resource_prepare(struct vmw_resource *res,
-                                    bool interruptible);
+                                    bool interruptible,
-void vmw_kms_helper_resource_revert(struct vmw_resource *res);
+                                    struct vmw_validation_ctx *ctx);
-void vmw_kms_helper_resource_finish(struct vmw_resource *res,
+void vmw_kms_helper_resource_revert(struct vmw_validation_ctx *ctx);
+void vmw_kms_helper_resource_finish(struct vmw_validation_ctx *ctx,
                                    struct vmw_fence_obj **out_fence);
 int vmw_kms_readback(struct vmw_private *dev_priv,
                     struct drm_file *file_priv,
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
index 13926ff192e3..f50fcd213413 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
@@ -841,12 +841,13 @@ int vmw_kms_sou_do_surface_dirty(struct vmw_private *dev_priv,
        struct vmw_framebuffer_surface *vfbs =
                container_of(framebuffer, typeof(*vfbs), base);
        struct vmw_kms_sou_surface_dirty sdirty;
+        struct vmw_validation_ctx ctx;
        int ret;
        if (!srf)
                srf = &vfbs->surface->res;
-        ret = vmw_kms_helper_resource_prepare(srf, true);
+        ret = vmw_kms_helper_resource_prepare(srf, true, &ctx);
        if (ret)
                return ret;
@@ -865,7 +866,7 @@ int vmw_kms_sou_do_surface_dirty(struct vmw_private *dev_priv,
        ret = vmw_kms_helper_dirty(dev_priv, framebuffer, clips, vclips,
                                   dest_x, dest_y, num_clips, inc,
                                   &sdirty.base);
-        vmw_kms_helper_resource_finish(srf, out_fence);
+        vmw_kms_helper_resource_finish(&ctx, out_fence);
        return ret;
 }
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
index f823fc3efed7..3184a9ae22c1 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
@@ -1003,12 +1003,13 @@ int vmw_kms_stdu_surface_dirty(struct vmw_private *dev_priv,
        struct vmw_framebuffer_surface *vfbs =
                container_of(framebuffer, typeof(*vfbs), base);
        struct vmw_stdu_dirty sdirty;
+        struct vmw_validation_ctx ctx;
        int ret;
        if (!srf)
                srf = &vfbs->surface->res;
-        ret = vmw_kms_helper_resource_prepare(srf, true);
+        ret = vmw_kms_helper_resource_prepare(srf, true, &ctx);
        if (ret)
                return ret;
@@ -1031,7 +1032,7 @@ int vmw_kms_stdu_surface_dirty(struct vmw_private *dev_priv,
                                   dest_x, dest_y, num_clips, inc,
                                   &sdirty.base);
 out_finish:
-        vmw_kms_helper_resource_finish(srf, out_fence);
+        vmw_kms_helper_resource_finish(&ctx, out_fence);
        return ret;
 }
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 3ba486d0ec6f..e4541c6bf3d3 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1331,7 +1331,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
         * of implement() working on 8 byte chunks
         */
-        int len = hid_report_len(report) + 7;
+        u32 len = hid_report_len(report) + 7;
        return kmalloc(len, flags);
 }
@@ -1396,7 +1396,7 @@ void __hid_request(struct hid_device *hid, struct hid_report *report,
 {
        char *buf;
        int ret;
-        int len;
+        u32 len;
        buf = hid_alloc_report_buf(report, GFP_KERNEL);
        if (!buf)
@@ -1422,14 +1422,14 @@ out:
 }
 EXPORT_SYMBOL_GPL(__hid_request);
-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
                int interrupt)
 {
        struct hid_report_enum *report_enum = hid->report_enum + type;
        struct hid_report *report;
        struct hid_driver *hdrv;
        unsigned int a;
-        int rsize, csize = size;
+        u32 rsize, csize = size;
        u8 *cdata = data;
        int ret = 0;
@@ -1487,7 +1487,7 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event);
 *
 * This is data entry for lower layers.
 */
-int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int interrupt)
+int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt)
 {
        struct hid_report_enum *report_enum;
        struct hid_driver *hdrv;
@@ -2308,7 +2308,6 @@ static const struct hid_device_id hid_ignore_list[] = {
        { HID_USB_DEVICE(USB_VENDOR_ID_DREAM_CHEEKY, 0x0004) },
        { HID_USB_DEVICE(USB_VENDOR_ID_DREAM_CHEEKY, 0x000a) },
        { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, 0x0400) },
-        { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, 0x0401) },
        { HID_USB_DEVICE(USB_VENDOR_ID_ESSENTIAL_REALITY, USB_DEVICE_ID_ESSENTIAL_REALITY_P5) },
        { HID_USB_DEVICE(USB_VENDOR_ID_ETT, USB_DEVICE_ID_TC5UH) },
        { HID_USB_DEVICE(USB_VENDOR_ID_ETT, USB_DEVICE_ID_TC4UM) },
@@ -2387,6 +2386,9 @@ static const struct hid_device_id hid_ignore_list[] = {
        { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
        { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
        { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
+        { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
+        { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
+        { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
        { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
        { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
        { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },
@@ -2578,6 +2580,17 @@ bool hid_ignore(struct hid_device *hdev)
                        strncmp(hdev->name, "www.masterkit.ru MA901", 22) == 0)
                        return true;
                break;
+        case USB_VENDOR_ID_ELAN:
+                /*
+                 * Many Elan devices have a product id of 0x0401 and are handled
+                 * by the elan_i2c input driver. But the ACPI HID ELAN0800 dev
+                 * is not (and cannot be) handled by that driver ->
+                 * Ignore all 0x0401 devs except for the ELAN0800 dev.
+                 */
+                if (hdev->product == 0x0401 &&
+                    strncmp(hdev->name, "ELAN0800", 8) != 0)
+                        return true;
+                break;
        }
        if (hdev->type == HID_TYPE_USBMOUSE &&
diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
index 2886b645ced7..6c60f4b63d21 100644
--- a/drivers/hid/hid-debug.c
+++ b/drivers/hid/hid-debug.c
@@ -1152,6 +1152,8 @@ copy_rest:
                        goto out;
                if (list->tail > list->head) {
                        len = list->tail - list->head;
+                        if (len > count)
+                                len = count;
                        if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
                                ret = -EFAULT;
@@ -1161,6 +1163,8 @@ copy_rest:
                        list->head += len;
                } else {
                        len = HID_DEBUG_BUFSIZE - list->head;
+                        if (len > count)
+                                len = count;
                        if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
                                ret = -EFAULT;
@@ -1168,7 +1172,9 @@ copy_rest:
                        }
                        list->head = 0;
                        ret += len;
-                        goto copy_rest;
+                        count -= len;
+                        if (count > 0)
+                                goto copy_rest;
                }
        }
diff --git a/drivers/hid/hid-elo.c b/drivers/hid/hid-elo.c
index 0cd4f7216239..5eea6fe0d7bd 100644
--- a/drivers/hid/hid-elo.c
+++ b/drivers/hid/hid-elo.c
@@ -42,6 +42,12 @@ static int elo_input_configured(struct hid_device *hdev,
 {
        struct input_dev *input = hidinput->input;
+        /*
+         * ELO devices have one Button usage in GenDesk field, which makes
+         * hid-input map it to BTN_LEFT; that confuses userspace, which then
+         * considers the device to be a mouse/touchpad instead of touchscreen.
+         */
+        clear_bit(BTN_LEFT, input->keybit);
        set_bit(BTN_TOUCH, input->keybit);
        set_bit(ABS_PRESSURE, input->absbit);
        input_set_abs_params(input, ABS_PRESSURE, 0, 256, 0, 0);
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index b554d17c9156..60e2c9faa95f 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -512,6 +512,9 @@
 #define USB_VENDOR_ID_IRTOUCHSYSTEMS    0x6615
 #define USB_DEVICE_ID_IRTOUCH_INFRARED_USB      0x0070
+#define USB_VENDOR_ID_INNOMEDIA                 0x1292
+#define USB_DEVICE_ID_INNEX_GENESIS_ATARI       0x4745
 #define USB_VENDOR_ID_ITE               0x048d
 #define USB_DEVICE_ID_ITE_LENOVO_YOGA   0x8386
 #define USB_DEVICE_ID_ITE_LENOVO_YOGA2  0x8350
@@ -570,6 +573,9 @@
 #define USB_DEVICE_ID_LD_MICROCASSYTIME         0x1033
 #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE  0x1035
 #define USB_DEVICE_ID_LD_MICROCASSYPH           0x1038
+#define USB_DEVICE_ID_LD_POWERANALYSERCASSY     0x1040
+#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY       0x1042
+#define USB_DEVICE_ID_LD_MACHINETESTCASSY       0x1043
 #define USB_DEVICE_ID_LD_JWM            0x1080
 #define USB_DEVICE_ID_LD_DMMP           0x1081
 #define USB_DEVICE_ID_LD_UMIP           0x1090
diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 2ba6bf69b7d0..8d74e691ac90 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1128,18 +1128,26 @@ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct
        /*
         * Ignore out-of-range values as per HID specification,
-         * section 5.10 and 6.2.25.
+         * section 5.10 and 6.2.25, when NULL state bit is present.
+         * When it's not, clamp the value to match Microsoft's input
+         * driver as mentioned in "Required HID usages for digitizers":
+         * https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp
         *
         * The logical_minimum < logical_maximum check is done so that we
         * don't unintentionally discard values sent by devices which
         * don't specify logical min and max.
         */
        if ((field->flags & HID_MAIN_ITEM_VARIABLE) &&
-            (field->logical_minimum < field->logical_maximum) &&
+            (field->logical_minimum < field->logical_maximum)) {
-            (value < field->logical_minimum ||
+                if (field->flags & HID_MAIN_ITEM_NULL_STATE &&
-             value > field->logical_maximum)) {
+                    (value < field->logical_minimum ||
-                dbg_hid("Ignoring out-of-range value %x\n", value);
+                     value > field->logical_maximum)) {
-                return;
+                        dbg_hid("Ignoring out-of-range value %x\n", value);
+                        return;
+                }
+                value = clamp(value,
+                              field->logical_minimum,
+                              field->logical_maximum);
        }
        /*
@@ -1250,7 +1258,8 @@ static void hidinput_led_worker(struct work_struct *work)
                                              led_work);
        struct hid_field *field;
        struct hid_report *report;
-        int len, ret;
+        int ret;
+        u32 len;
        __u8 *buf;
        field = hidinput_get_led_field(hid);
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index f62a9d6601cc..9de379c1b3fd 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -314,7 +314,8 @@ static struct attribute_group mt_attribute_group = {
 static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
 {
        struct mt_device *td = hid_get_drvdata(hdev);
-        int ret, size = hid_report_len(report);
+        int ret;
+        u32 size = hid_report_len(report);
        u8 *buf;
        /*
@@ -919,7 +920,7 @@ static void mt_set_input_mode(struct hid_device *hdev)
        struct hid_report_enum *re;
        struct mt_class *cls = &td->mtclass;
        char *buf;
-        int report_len;
+        u32 report_len;
        if (td->inputmode < 0)
                return;
diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c
index febb21ee190e..584b10d3fc3d 100644
--- a/drivers/hid/hid-plantronics.c
+++ b/drivers/hid/hid-plantronics.c
@@ -2,7 +2,7 @@
 *  Plantronics USB HID Driver
 *
 *  Copyright (c) 2014 JD Cole <jd.cole@plantronics.com>
- *  Copyright (c) 2015 Terry Junge <terry.junge@plantronics.com>
+ *  Copyright (c) 2015-2018 Terry Junge <terry.junge@plantronics.com>
 */
 /*
@@ -48,6 +48,10 @@ static int plantronics_input_mapping(struct hid_device *hdev,
        unsigned short mapped_key;
        unsigned long plt_type = (unsigned long)hid_get_drvdata(hdev);
+        /* special case for PTT products */
+        if (field->application == HID_GD_JOYSTICK)
+                goto defaulted;
        /* handle volume up/down mapping */
        /* non-standard types or multi-HID interfaces - plt_type is PID */
        if (!(plt_type & HID_USAGE_PAGE)) {
diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
index 67cd059a8f46..41a4a2af9db1 100644
--- a/drivers/hid/hid-rmi.c
+++ b/drivers/hid/hid-rmi.c
@@ -110,8 +110,8 @@ struct rmi_data {
        u8 *writeReport;
        u8 *readReport;
-        int input_report_size;
+        u32 input_report_size;
-        int output_report_size;
+        u32 output_report_size;
        unsigned long flags;
diff --git a/drivers/hid/hid-roccat-kovaplus.c b/drivers/hid/hid-roccat-kovaplus.c
index 966047711fbf..1073c0d1fae5 100644
--- a/drivers/hid/hid-roccat-kovaplus.c
+++ b/drivers/hid/hid-roccat-kovaplus.c
@@ -37,6 +37,8 @@ static uint kovaplus_convert_event_cpi(uint value)
 static void kovaplus_profile_activated(struct kovaplus_device *kovaplus,
                uint new_profile_index)
 {
+        if (new_profile_index >= ARRAY_SIZE(kovaplus->profile_settings))
+                return;
        kovaplus->actual_profile = new_profile_index;
        kovaplus->actual_cpi = kovaplus->profile_settings[new_profile_index].cpi_startup_level;
        kovaplus->actual_x_sensitivity = kovaplus->profile_settings[new_profile_index].sensitivity_x;
diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
index 9c2d7c23f296..c0c4df198725 100644
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -197,6 +197,11 @@ static ssize_t hidraw_get_report(struct file *file, char __user *buffer, size_t
        int ret = 0, len;
        unsigned char report_number;
+        if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
+                ret = -ENODEV;
+                goto out;
+        }
        dev = hidraw_table[minor]->hid;
        if (!dev->ll_driver->raw_request) {
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 312aa1e33fb2..4248d253c32a 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -137,10 +137,10 @@ struct i2c_hid {
                                                   * register of the HID
                                                   * descriptor. */
        unsigned int            bufsize;        /* i2c buffer size */
-        char                    *inbuf;         /* Input buffer */
+        u8                      *inbuf;         /* Input buffer */
-        char                    *rawbuf;        /* Raw Input buffer */
+        u8                      *rawbuf;        /* Raw Input buffer */
-        char                    *cmdbuf;        /* Command buffer */
+        u8                      *cmdbuf;        /* Command buffer */
-        char                    *argsbuf;       /* Command arguments buffer */
+        u8                      *argsbuf;       /* Command arguments buffer */
        unsigned long           flags;          /* device flags */
@@ -387,7 +387,8 @@ static int i2c_hid_hwreset(struct i2c_client *client)
 static void i2c_hid_get_input(struct i2c_hid *ihid)
 {
-        int ret, ret_size;
+        int ret;
+        u32 ret_size;
        int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
        if (size > ihid->bufsize)
@@ -412,7 +413,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid)
                return;
        }
-        if (ret_size > size) {
+        if ((ret_size > size) || (ret_size < 2)) {
                dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
                        __func__, size, ret_size);
                return;
@@ -1016,6 +1017,14 @@ static int i2c_hid_probe(struct i2c_client *client,
        pm_runtime_set_active(&client->dev);
        pm_runtime_enable(&client->dev);
+        /* Make sure there is something at this address */
+        ret = i2c_smbus_read_byte(client);
+        if (ret < 0) {
+                dev_dbg(&client->dev, "nothing at this address: %d\n", ret);
+                ret = -ENXIO;
+                goto err_pm;
+        }
        ret = i2c_hid_fetch_hid_descriptor(ihid);
        if (ret < 0)
                goto err_pm;
diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
index ce1543d69acb..c9a11315493b 100644
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -152,6 +152,7 @@ static const struct hid_blacklist {
        { USB_VENDOR_ID_MULTIPLE_1781, USB_DEVICE_ID_RAPHNET_4NES4SNES_OLD, HID_QUIRK_MULTI_INPUT },
        { USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_2NES2SNES, HID_QUIRK_MULTI_INPUT },
        { USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_4NES4SNES, HID_QUIRK_MULTI_INPUT },
+        { USB_VENDOR_ID_INNOMEDIA, USB_DEVICE_ID_INNEX_GENESIS_ATARI, HID_QUIRK_MULTI_INPUT },
        { 0, 0 }
 };
diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index 700145b15088..b59b15d4caa9 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -35,6 +35,7 @@
 #include <linux/hiddev.h>
 #include <linux/compat.h>
 #include <linux/vmalloc.h>
+#include <linux/nospec.h>
 #include "usbhid.h"
 #ifdef CONFIG_USB_DYNAMIC_MINORS
@@ -478,10 +479,14 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
                if (uref->field_index >= report->maxfield)
                        goto inval;
+                uref->field_index = array_index_nospec(uref->field_index,
+                                                       report->maxfield);
                field = report->field[uref->field_index];
                if (uref->usage_index >= field->maxusage)
                        goto inval;
+                uref->usage_index = array_index_nospec(uref->usage_index,
+                                                       field->maxusage);
                uref->usage_code = field->usage[uref->usage_index].hid;
@@ -508,6 +513,8 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
                        if (uref->field_index >= report->maxfield)
                                goto inval;
+                        uref->field_index = array_index_nospec(uref->field_index,
+                                                               report->maxfield);
                        field = report->field[uref->field_index];
@@ -761,6 +768,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                if (finfo.field_index >= report->maxfield)
                        break;
+                finfo.field_index = array_index_nospec(finfo.field_index,
+                                                       report->maxfield);
                field = report->field[finfo.field_index];
                memset(&finfo, 0, sizeof(finfo));
@@ -801,6 +810,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                if (cinfo.index >= hid->maxcollection)
                        break;
+                cinfo.index = array_index_nospec(cinfo.index,
+                                                 hid->maxcollection);
                cinfo.type = hid->collection[cinfo.index].type;
                cinfo.usage = hid->collection[cinfo.index].usage;
diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c
index a38af68cf326..0a0628d11c0b 100644
--- a/drivers/hsi/clients/ssi_protocol.c
+++ b/drivers/hsi/clients/ssi_protocol.c
@@ -976,7 +976,7 @@ static int ssip_pn_xmit(struct sk_buff *skb, struct net_device *dev)
                goto drop;
        /* Pad to 32-bits - FIXME: Revisit*/
        if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3)))
-                goto drop;
+                goto inc_dropped;
        /*
         * Modem sends Phonet messages over SSI with its own endianess...
@@ -1028,8 +1028,9 @@ static int ssip_pn_xmit(struct sk_buff *skb, struct net_device *dev)
 drop2:
        hsi_free_msg(msg);
 drop:
-        dev->stats.tx_dropped++;
        dev_kfree_skb(skb);
+inc_dropped:
+        dev->stats.tx_dropped++;
        return 0;
 }
diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
index d415a804fd26..9a8976a79b29 100644
--- a/drivers/hv/hv.c
+++ b/drivers/hv/hv.c
@@ -195,9 +195,7 @@ int hv_init(void)
 {
        int max_leaf;
        union hv_x64_msr_hypercall_contents hypercall_msr;
-        union hv_x64_msr_hypercall_contents tsc_msr;
        void *virtaddr = NULL;
-        void *va_tsc = NULL;
        memset(hv_context.synic_event_page, 0, sizeof(void *) * NR_CPUS);
        memset(hv_context.synic_message_page, 0,
@@ -243,6 +241,9 @@ int hv_init(void)
 #ifdef CONFIG_X86_64
        if (ms_hyperv.features & HV_X64_MSR_REFERENCE_TSC_AVAILABLE) {
+                union hv_x64_msr_hypercall_contents tsc_msr;
+                void *va_tsc;
                va_tsc = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL);
                if (!va_tsc)
                        goto cleanup;
diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c
index b24f1d3045f0..ac63e562071f 100644
--- a/drivers/hwmon/ina2xx.c
+++ b/drivers/hwmon/ina2xx.c
@@ -94,18 +94,20 @@ enum ina2xx_ids { ina219, ina226 };
 struct ina2xx_config {
        u16 config_default;
-        int calibration_factor;
+        int calibration_value;
        int registers;
        int shunt_div;
        int bus_voltage_shift;
        int bus_voltage_lsb;    /* uV */
-        int power_lsb;          /* uW */
+        int power_lsb_factor;
 };
 struct ina2xx_data {
        const struct ina2xx_config *config;
        long rshunt;
+        long current_lsb_uA;
+        long power_lsb_uW;
        struct mutex config_lock;
        struct regmap *regmap;
@@ -115,21 +117,21 @@ struct ina2xx_data {
 static const struct ina2xx_config ina2xx_config[] = {
        [ina219] = {
                .config_default = INA219_CONFIG_DEFAULT,
-                .calibration_factor = 40960000,
+                .calibration_value = 4096,
                .registers = INA219_REGISTERS,
                .shunt_div = 100,
                .bus_voltage_shift = 3,
                .bus_voltage_lsb = 4000,
-                .power_lsb = 20000,
+                .power_lsb_factor = 20,
        },
        [ina226] = {
                .config_default = INA226_CONFIG_DEFAULT,
-                .calibration_factor = 5120000,
+                .calibration_value = 2048,
                .registers = INA226_REGISTERS,
                .shunt_div = 400,
                .bus_voltage_shift = 0,
                .bus_voltage_lsb = 1250,
-                .power_lsb = 25000,
+                .power_lsb_factor = 25,
        },
 };
@@ -168,12 +170,16 @@ static u16 ina226_interval_to_reg(int interval)
        return INA226_SHIFT_AVG(avg_bits);
 }
+/*
+ * Calibration register is set to the best value, which eliminates
+ * truncation errors on calculating current register in hardware.
+ * According to datasheet (eq. 3) the best values are 2048 for
+ * ina226 and 4096 for ina219. They are hardcoded as calibration_value.
+ */
 static int ina2xx_calibrate(struct ina2xx_data *data)
 {
-        u16 val = DIV_ROUND_CLOSEST(data->config->calibration_factor,
+        return regmap_write(data->regmap, INA2XX_CALIBRATION,
-                                    data->rshunt);
+                            data->config->calibration_value);
-        return regmap_write(data->regmap, INA2XX_CALIBRATION, val);
 }
 /*
@@ -186,10 +192,6 @@ static int ina2xx_init(struct ina2xx_data *data)
        if (ret < 0)
                return ret;
-        /*
-         * Set current LSB to 1mA, shunt is in uOhms
-         * (equation 13 in datasheet).
-         */
        return ina2xx_calibrate(data);
 }
@@ -267,15 +269,15 @@ static int ina2xx_get_value(struct ina2xx_data *data, u8 reg,
                val = DIV_ROUND_CLOSEST(val, 1000);
                break;
        case INA2XX_POWER:
-                val = regval * data->config->power_lsb;
+                val = regval * data->power_lsb_uW;
                break;
        case INA2XX_CURRENT:
-                /* signed register, LSB=1mA (selected), in mA */
+                /* signed register, result in mA */
-                val = (s16)regval;
+                val = regval * data->current_lsb_uA;
+                val = DIV_ROUND_CLOSEST(val, 1000);
                break;
        case INA2XX_CALIBRATION:
-                val = DIV_ROUND_CLOSEST(data->config->calibration_factor,
+                val = regval;
-                                        regval);
                break;
        default:
                /* programmer goofed */
@@ -303,9 +305,32 @@ static ssize_t ina2xx_show_value(struct device *dev,
                        ina2xx_get_value(data, attr->index, regval));
 }
-static ssize_t ina2xx_set_shunt(struct device *dev,
+/*
-                                struct device_attribute *da,
+ * In order to keep calibration register value fixed, the product
-                                const char *buf, size_t count)
+ * of current_lsb and shunt_resistor should also be fixed and equal
+ * to shunt_voltage_lsb = 1 / shunt_div multiplied by 10^9 in order
+ * to keep the scale.
+ */
+static int ina2xx_set_shunt(struct ina2xx_data *data, long val)
+{
+        unsigned int dividend = DIV_ROUND_CLOSEST(1000000000,
+                                                  data->config->shunt_div);
+        if (val <= 0 || val > dividend)
+                return -EINVAL;
+        mutex_lock(&data->config_lock);
+        data->rshunt = val;
+        data->current_lsb_uA = DIV_ROUND_CLOSEST(dividend, val);
+        data->power_lsb_uW = data->config->power_lsb_factor *
+                             data->current_lsb_uA;
+        mutex_unlock(&data->config_lock);
+        return 0;
+}
+static ssize_t ina2xx_store_shunt(struct device *dev,
+                                  struct device_attribute *da,
+                                  const char *buf, size_t count)
 {
        unsigned long val;
        int status;
@@ -315,18 +340,9 @@ static ssize_t ina2xx_set_shunt(struct device *dev,
        if (status < 0)
                return status;
-        if (val == 0 ||
+        status = ina2xx_set_shunt(data, val);
-            /* Values greater than the calibration factor make no sense. */
-            val > data->config->calibration_factor)
-                return -EINVAL;
-        mutex_lock(&data->config_lock);
-        data->rshunt = val;
-        status = ina2xx_calibrate(data);
-        mutex_unlock(&data->config_lock);
        if (status < 0)
                return status;
        return count;
 }
@@ -386,7 +402,7 @@ static SENSOR_DEVICE_ATTR(power1_input, S_IRUGO, ina2xx_show_value, NULL,
 /* shunt resistance */
 static SENSOR_DEVICE_ATTR(shunt_resistor, S_IRUGO | S_IWUSR,
-                          ina2xx_show_value, ina2xx_set_shunt,
+                          ina2xx_show_value, ina2xx_store_shunt,
                          INA2XX_CALIBRATION);
 /* update interval (ina226 only) */
@@ -431,6 +447,7 @@ static int ina2xx_probe(struct i2c_client *client,
        /* set the device type */
        data->config = &ina2xx_config[id->driver_data];
+        mutex_init(&data->config_lock);
        if (of_property_read_u32(dev->of_node, "shunt-resistor", &val) < 0) {
                struct ina2xx_platform_data *pdata = dev_get_platdata(dev);
@@ -441,10 +458,7 @@ static int ina2xx_probe(struct i2c_client *client,
                        val = INA2XX_RSHUNT_DEFAULT;
        }
-        if (val <= 0 || val > data->config->calibration_factor)
+        ina2xx_set_shunt(data, val);
-                return -ENODEV;
-        data->rshunt = val;
        ina2xx_regmap_config.max_register = data->config->registers;
@@ -460,8 +474,6 @@ static int ina2xx_probe(struct i2c_client *client,
                return -ENODEV;
        }
-        mutex_init(&data->config_lock);
        data->groups[group++] = &ina2xx_group;
        if (id->driver_data == ina226)
                data->groups[group++] = &ina226_group;
diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
index d7ebdf8651f5..d3c6115f16b9 100644
--- a/drivers/hwmon/nct6775.c
+++ b/drivers/hwmon/nct6775.c
@@ -1390,7 +1390,7 @@ static void nct6775_update_pwm(struct device *dev)
                duty_is_dc = data->REG_PWM_MODE[i] &&
                  (nct6775_read_value(data, data->REG_PWM_MODE[i])
                   & data->PWM_MODE_MASK[i]);
-                data->pwm_mode[i] = duty_is_dc;
+                data->pwm_mode[i] = !duty_is_dc;
                fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]);
                for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) {
@@ -2267,7 +2267,7 @@ show_pwm_mode(struct device *dev, struct device_attribute *attr, char *buf)
        struct nct6775_data *data = nct6775_update_device(dev);
        struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr);
-        return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]);
+        return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]);
 }
 static ssize_t
@@ -2288,9 +2288,9 @@ store_pwm_mode(struct device *dev, struct device_attribute *attr,
        if (val > 1)
                return -EINVAL;
-        /* Setting DC mode is not supported for all chips/channels */
+        /* Setting DC mode (0) is not supported for all chips/channels */
        if (data->REG_PWM_MODE[nr] == 0) {
-                if (val)
+                if (!val)
                        return -EINVAL;
                return count;
        }
@@ -2299,7 +2299,7 @@ store_pwm_mode(struct device *dev, struct device_attribute *attr,
        data->pwm_mode[nr] = val;
        reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]);
        reg &= ~data->PWM_MODE_MASK[nr];
-        if (val)
+        if (!val)
                reg |= data->PWM_MODE_MASK[nr];
        nct6775_write_value(data, data->REG_PWM_MODE[nr], reg);
        mutex_unlock(&data->update_lock);
diff --git a/drivers/hwmon/pmbus/adm1275.c b/drivers/hwmon/pmbus/adm1275.c
index 188af4c89f40..c3f4c9ef6705 100644
--- a/drivers/hwmon/pmbus/adm1275.c
+++ b/drivers/hwmon/pmbus/adm1275.c
@@ -95,8 +95,8 @@ static const struct coefficients adm1075_coefficients[] = {
        [0] = { 27169, 0, -1 },         /* voltage */
        [1] = { 806, 20475, -1 },       /* current, irange25 */
        [2] = { 404, 20475, -1 },       /* current, irange50 */
-        [3] = { 0, -1, 8549 },          /* power, irange25 */
+        [3] = { 8549, 0, -1 },          /* power, irange25 */
-        [4] = { 0, -1, 4279 },          /* power, irange50 */
+        [4] = { 4279, 0, -1 },          /* power, irange50 */
 };
 static const struct coefficients adm1275_coefficients[] = {
@@ -141,7 +141,7 @@ static int adm1275_read_word_data(struct i2c_client *client, int page, int reg)
        const struct adm1275_data *data = to_adm1275_data(info);
        int ret = 0;
-        if (page)
+        if (page > 0)
                return -ENXIO;
        switch (reg) {
@@ -218,7 +218,7 @@ static int adm1275_write_word_data(struct i2c_client *client, int page, int reg,
        const struct adm1275_data *data = to_adm1275_data(info);
        int ret;
-        if (page)
+        if (page > 0)
                return -ENXIO;
        switch (reg) {
diff --git a/drivers/hwmon/pmbus/max8688.c b/drivers/hwmon/pmbus/max8688.c
index dd4883a19045..e951f9b87abb 100644
--- a/drivers/hwmon/pmbus/max8688.c
+++ b/drivers/hwmon/pmbus/max8688.c
@@ -45,7 +45,7 @@ static int max8688_read_word_data(struct i2c_client *client, int page, int reg)
 {
        int ret;
-        if (page)
+        if (page > 0)
                return -ENXIO;
        switch (reg) {
diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
index ba59eaef2e07..d013acf3f83a 100644
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -20,6 +20,7 @@
 */
 #include <linux/kernel.h>
+#include <linux/math64.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/err.h>
@@ -476,8 +477,8 @@ static long pmbus_reg2data_linear(struct pmbus_data *data,
 static long pmbus_reg2data_direct(struct pmbus_data *data,
                                  struct pmbus_sensor *sensor)
 {
-        long val = (s16) sensor->data;
+        s64 b, val = (s16)sensor->data;
-        long m, b, R;
+        s32 m, R;
        m = data->info->m[sensor->class];
        b = data->info->b[sensor->class];
@@ -505,11 +506,12 @@ static long pmbus_reg2data_direct(struct pmbus_data *data,
                R--;
        }
        while (R < 0) {
-                val = DIV_ROUND_CLOSEST(val, 10);
+                val = div_s64(val + 5LL, 10L);  /* round closest */
                R++;
        }
-        return (val - b) / m;
+        val = div_s64(val - b, m);
+        return clamp_val(val, LONG_MIN, LONG_MAX);
 }
 /*
@@ -629,7 +631,8 @@ static u16 pmbus_data2reg_linear(struct pmbus_data *data,
 static u16 pmbus_data2reg_direct(struct pmbus_data *data,
                                 struct pmbus_sensor *sensor, long val)
 {
-        long m, b, R;
+        s64 b, val64 = val;
+        s32 m, R;
        m = data->info->m[sensor->class];
        b = data->info->b[sensor->class];
@@ -646,18 +649,18 @@ static u16 pmbus_data2reg_direct(struct pmbus_data *data,
                R -= 3;         /* Adjust R and b for data in milli-units */
                b *= 1000;
        }
-        val = val * m + b;
+        val64 = val64 * m + b;
        while (R > 0) {
-                val *= 10;
+                val64 *= 10;
                R--;
        }
        while (R < 0) {
-                val = DIV_ROUND_CLOSEST(val, 10);
+                val64 = div_s64(val64 + 5LL, 10L);  /* round closest */
                R++;
        }
-        return val;
+        return (u16)clamp_val(val64, S16_MIN, S16_MAX);
 }
 static u16 pmbus_data2reg_vid(struct pmbus_data *data,
diff --git a/drivers/hwtracing/coresight/coresight-tpiu.c b/drivers/hwtracing/coresight/coresight-tpiu.c
index 4e471e2e9d89..b71793ba2483 100644
--- a/drivers/hwtracing/coresight/coresight-tpiu.c
+++ b/drivers/hwtracing/coresight/coresight-tpiu.c
@@ -46,8 +46,11 @@
 #define TPIU_ITATBCTR0          0xef8
 /** register definition **/
+/* FFSR - 0x300 */
+#define FFSR_FT_STOPPED         BIT(1)
 /* FFCR - 0x304 */
 #define FFCR_FON_MAN            BIT(6)
+#define FFCR_STOP_FI            BIT(12)
 /**
 * @base:       memory mapped base address for this component.
@@ -85,10 +88,14 @@ static void tpiu_disable_hw(struct tpiu_drvdata *drvdata)
 {
        CS_UNLOCK(drvdata->base);
-        /* Clear formatter controle reg. */
+        /* Clear formatter and stop on flush */
-        writel_relaxed(0x0, drvdata->base + TPIU_FFCR);
+        writel_relaxed(FFCR_STOP_FI, drvdata->base + TPIU_FFCR);
        /* Generate manual flush */
-        writel_relaxed(FFCR_FON_MAN, drvdata->base + TPIU_FFCR);
+        writel_relaxed(FFCR_STOP_FI | FFCR_FON_MAN, drvdata->base + TPIU_FFCR);
+        /* Wait for flush to complete */
+        coresight_timeout(drvdata->base, TPIU_FFCR, FFCR_FON_MAN, 0);
+        /* Wait for formatter to stop */
+        coresight_timeout(drvdata->base, TPIU_FFSR, FFSR_FT_STOPPED, 1);
        CS_LOCK(drvdata->base);
 }
diff --git a/drivers/hwtracing/coresight/of_coresight.c b/drivers/hwtracing/coresight/of_coresight.c
index b68da1888fd5..d2c0158d4b78 100644
--- a/drivers/hwtracing/coresight/of_coresight.c
+++ b/drivers/hwtracing/coresight/of_coresight.c
@@ -149,7 +149,7 @@ struct coresight_platform_data *of_get_coresight_platform_data(
                                continue;
                        /* The local out port number */
-                        pdata->outports[i] = endpoint.id;
+                        pdata->outports[i] = endpoint.port;
                        /*
                         * Get a handle on the remote port and parent
diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
index cb07713aceda..129fcf1c06d9 100644
--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -26,6 +26,7 @@
 #include <linux/stm.h>
 #include <linux/fs.h>
 #include <linux/mm.h>
+#include <linux/vmalloc.h>
 #include "stm.h"
 #include <uapi/linux/stm.h>
@@ -650,7 +651,7 @@ static void stm_device_release(struct device *dev)
 {
        struct stm_device *stm = to_stm_device(dev);
-        kfree(stm);
+        vfree(stm);
 }
 int stm_register_device(struct device *parent, struct stm_data *stm_data,
@@ -667,7 +668,7 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data,
                return -EINVAL;
        nmasters = stm_data->sw_end - stm_data->sw_start;
-        stm = kzalloc(sizeof(*stm) + nmasters * sizeof(void *), GFP_KERNEL);
+        stm = vzalloc(sizeof(*stm) + nmasters * sizeof(void *));
        if (!stm)
                return -ENOMEM;
@@ -709,7 +710,7 @@ err_device:
        /* matches device_initialize() above */
        put_device(&stm->dev);
 err_free:
-        kfree(stm);
+        vfree(stm);
        return err;
 }
diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
index d4d853680ae4..a4abf7dc9576 100644
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -382,6 +382,7 @@ static int i2c_imx_dma_xfer(struct imx_i2c_struct *i2c_imx,
                goto err_desc;
        }
+        reinit_completion(&dma->cmd_complete);
        txdesc->callback = i2c_imx_dma_callback;
        txdesc->callback_param = i2c_imx;
        if (dma_submit_error(dmaengine_submit(txdesc))) {
@@ -631,7 +632,6 @@ static int i2c_imx_dma_write(struct imx_i2c_struct *i2c_imx,
         * The first byte must be transmitted by the CPU.
         */
        imx_i2c_write_reg(msgs->addr << 1, i2c_imx, IMX_I2C_I2DR);
-        reinit_completion(&i2c_imx->dma->cmd_complete);
        time_left = wait_for_completion_timeout(
                                &i2c_imx->dma->cmd_complete,
                                msecs_to_jiffies(DMA_TIMEOUT));
@@ -690,7 +690,6 @@ static int i2c_imx_dma_read(struct imx_i2c_struct *i2c_imx,
        if (result)
                return result;
-        reinit_completion(&i2c_imx->dma->cmd_complete);
        time_left = wait_for_completion_timeout(
                                &i2c_imx->dma->cmd_complete,
                                msecs_to_jiffies(DMA_TIMEOUT));
diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index 1111cb966a44..fa2b58142cde 100644
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -587,7 +587,7 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
        /* unmap the data buffer */
        if (dma_size != 0)
-                dma_unmap_single(&adap->dev, dma_addr, dma_size, dma_direction);
+                dma_unmap_single(dev, dma_addr, dma_size, dma_direction);
        if (unlikely(!time_left)) {
                dev_err(dev, "completion wait timed out\n");
diff --git a/drivers/i2c/busses/i2c-mv64xxx.c b/drivers/i2c/busses/i2c-mv64xxx.c
index 43207f52e5a3..332d32c53c41 100644
--- a/drivers/i2c/busses/i2c-mv64xxx.c
+++ b/drivers/i2c/busses/i2c-mv64xxx.c
@@ -856,12 +856,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_data *drv_data,
         */
        if (of_device_is_compatible(np, "marvell,mv78230-i2c")) {
                drv_data->offload_enabled = true;
-                drv_data->errata_delay = true;
+                /* The delay is only needed in standard mode (100kHz) */
+                if (bus_freq <= 100000)
+                        drv_data->errata_delay = true;
        }
        if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) {
                drv_data->offload_enabled = false;
-                drv_data->errata_delay = true;
+                /* The delay is only needed in standard mode (100kHz) */
+                if (bus_freq <= 100000)
+                        drv_data->errata_delay = true;
        }
        if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c"))
diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
index 599c0d7bd906..dfe1a53ce4ad 100644
--- a/drivers/i2c/busses/i2c-rcar.c
+++ b/drivers/i2c/busses/i2c-rcar.c
@@ -33,7 +33,6 @@
 #include <linux/platform_device.h>
 #include <linux/pm_runtime.h>
 #include <linux/slab.h>
-#include <linux/spinlock.h>
 /* register offsets */
 #define ICSCR   0x00    /* slave ctrl */
@@ -84,6 +83,7 @@
 #define RCAR_BUS_PHASE_START    (MDBS | MIE | ESG)
 #define RCAR_BUS_PHASE_DATA     (MDBS | MIE)
+#define RCAR_BUS_MASK_DATA      (~(ESG | FSB) & 0xFF)
 #define RCAR_BUS_PHASE_STOP     (MDBS | MIE | FSB)
 #define RCAR_IRQ_SEND   (MNR | MAL | MST | MAT | MDE)
@@ -94,7 +94,6 @@
 #define RCAR_IRQ_ACK_RECV       (~(MAT | MDR) & 0xFF)
 #define ID_LAST_MSG     (1 << 0)
-#define ID_IOERROR      (1 << 1)
 #define ID_DONE         (1 << 2)
 #define ID_ARBLOST      (1 << 3)
 #define ID_NACK         (1 << 4)
@@ -108,10 +107,10 @@ enum rcar_i2c_type {
 struct rcar_i2c_priv {
        void __iomem *io;
        struct i2c_adapter adap;
-        struct i2c_msg  *msg;
+        struct i2c_msg *msg;
+        int msgs_left;
        struct clk *clk;
-        spinlock_t lock;
        wait_queue_head_t wait;
        int pos;
@@ -144,9 +143,10 @@ static void rcar_i2c_init(struct rcar_i2c_priv *priv)
 {
        /* reset master mode */
        rcar_i2c_write(priv, ICMIER, 0);
-        rcar_i2c_write(priv, ICMCR, 0);
+        rcar_i2c_write(priv, ICMCR, MDBS);
        rcar_i2c_write(priv, ICMSR, 0);
-        rcar_i2c_write(priv, ICMAR, 0);
+        /* start clock */
+        rcar_i2c_write(priv, ICCCR, priv->icccr);
 }
 static int rcar_i2c_bus_barrier(struct rcar_i2c_priv *priv)
@@ -257,16 +257,28 @@ static void rcar_i2c_prepare_msg(struct rcar_i2c_priv *priv)
 {
        int read = !!rcar_i2c_is_recv(priv);
+        priv->pos = 0;
+        priv->flags = 0;
+        if (priv->msgs_left == 1)
+                rcar_i2c_flags_set(priv, ID_LAST_MSG);
        rcar_i2c_write(priv, ICMAR, (priv->msg->addr << 1) | read);
        rcar_i2c_write(priv, ICMSR, 0);
        rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_START);
        rcar_i2c_write(priv, ICMIER, read ? RCAR_IRQ_RECV : RCAR_IRQ_SEND);
 }
+static void rcar_i2c_next_msg(struct rcar_i2c_priv *priv)
+{
+        priv->msg++;
+        priv->msgs_left--;
+        rcar_i2c_prepare_msg(priv);
+}
 /*
 *              interrupt functions
 */
-static int rcar_i2c_irq_send(struct rcar_i2c_priv *priv, u32 msr)
+static void rcar_i2c_irq_send(struct rcar_i2c_priv *priv, u32 msr)
 {
        struct i2c_msg *msg = priv->msg;
@@ -276,14 +288,7 @@ static int rcar_i2c_irq_send(struct rcar_i2c_priv *priv, u32 msr)
         * Do nothing
         */
        if (!(msr & MDE))
-                return 0;
+                return;
-        /*
-         * If address transfer phase finished,
-         * goto data phase.
-         */
-        if (msr & MAT)
-                rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_DATA);
        if (priv->pos < msg->len) {
                /*
@@ -305,29 +310,23 @@ static int rcar_i2c_irq_send(struct rcar_i2c_priv *priv, u32 msr)
                 * [ICRXTX] -> [SHIFT] -> [I2C bus]
                 */
-                if (priv->flags & ID_LAST_MSG)
+                if (priv->flags & ID_LAST_MSG) {
                        /*
                         * If current msg is the _LAST_ msg,
                         * prepare stop condition here.
                         * ID_DONE will be set on STOP irq.
                         */
                        rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_STOP);
-                else
+                } else {
-                        /*
+                        rcar_i2c_next_msg(priv);
-                         * If current msg is _NOT_ last msg,
+                        return;
-                         * it doesn't call stop phase.
+                }
-                         * thus, there is no STOP irq.
-                         * return ID_DONE here.
-                         */
-                        return ID_DONE;
        }
        rcar_i2c_write(priv, ICMSR, RCAR_IRQ_ACK_SEND);
-        return 0;
 }
-static int rcar_i2c_irq_recv(struct rcar_i2c_priv *priv, u32 msr)
+static void rcar_i2c_irq_recv(struct rcar_i2c_priv *priv, u32 msr)
 {
        struct i2c_msg *msg = priv->msg;
@@ -337,14 +336,10 @@ static int rcar_i2c_irq_recv(struct rcar_i2c_priv *priv, u32 msr)
         * Do nothing
         */
        if (!(msr & MDR))
-                return 0;
+                return;
        if (msr & MAT) {
-                /*
+                /* Address transfer phase finished, but no data at this point. */
-                 * Address transfer phase finished,
-                 * but, there is no data at this point.
-                 * Do nothing.
-                 */
        } else if (priv->pos < msg->len) {
                /*
                 * get received data
@@ -360,12 +355,11 @@ static int rcar_i2c_irq_recv(struct rcar_i2c_priv *priv, u32 msr)
         */
        if (priv->pos + 1 >= msg->len)
                rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_STOP);
-        else
-                rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_DATA);
-        rcar_i2c_write(priv, ICMSR, RCAR_IRQ_ACK_RECV);
-        return 0;
+        if (priv->pos == msg->len && !(priv->flags & ID_LAST_MSG))
+                rcar_i2c_next_msg(priv);
+        else
+                rcar_i2c_write(priv, ICMSR, RCAR_IRQ_ACK_RECV);
 }
 static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv)
@@ -426,22 +420,21 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv)
 static irqreturn_t rcar_i2c_irq(int irq, void *ptr)
 {
        struct rcar_i2c_priv *priv = ptr;
-        irqreturn_t result = IRQ_HANDLED;
+        u32 msr, val;
-        u32 msr;
-        /*-------------- spin lock -----------------*/
+        /* Clear START or STOP as soon as we can */
-        spin_lock(&priv->lock);
+        val = rcar_i2c_read(priv, ICMCR);
+        rcar_i2c_write(priv, ICMCR, val & RCAR_BUS_MASK_DATA);
-        if (rcar_i2c_slave_irq(priv))
-                goto exit;
        msr = rcar_i2c_read(priv, ICMSR);
        /* Only handle interrupts that are currently enabled */
        msr &= rcar_i2c_read(priv, ICMIER);
        if (!msr) {
-                result = IRQ_NONE;
+                if (rcar_i2c_slave_irq(priv))
-                goto exit;
+                        return IRQ_HANDLED;
+                return IRQ_NONE;
        }
        /* Arbitration lost */
@@ -452,8 +445,7 @@ static irqreturn_t rcar_i2c_irq(int irq, void *ptr)
        /* Nack */
        if (msr & MNR) {
-                /* go to stop phase */
+                /* HW automatically sends STOP after received NACK */
-                rcar_i2c_write(priv, ICMCR, RCAR_BUS_PHASE_STOP);
                rcar_i2c_write(priv, ICMIER, RCAR_IRQ_STOP);
                rcar_i2c_flags_set(priv, ID_NACK);
                goto out;
@@ -461,14 +453,15 @@ static irqreturn_t rcar_i2c_irq(int irq, void *ptr)
        /* Stop */
        if (msr & MST) {
+                priv->msgs_left--; /* The last message also made it */
                rcar_i2c_flags_set(priv, ID_DONE);
                goto out;
        }
        if (rcar_i2c_is_recv(priv))
-                rcar_i2c_flags_set(priv, rcar_i2c_irq_recv(priv, msr));
+                rcar_i2c_irq_recv(priv, msr);
        else
-                rcar_i2c_flags_set(priv, rcar_i2c_irq_send(priv, msr));
+                rcar_i2c_irq_send(priv, msr);
 out:
        if (rcar_i2c_flags_has(priv, ID_DONE)) {
@@ -477,11 +470,7 @@ out:
                wake_up(&priv->wait);
        }
-exit:
+        return IRQ_HANDLED;
-        spin_unlock(&priv->lock);
-        /*-------------- spin unlock -----------------*/
-        return result;
 }
 static int rcar_i2c_master_xfer(struct i2c_adapter *adap,
@@ -490,21 +479,12 @@ static int rcar_i2c_master_xfer(struct i2c_adapter *adap,
 {
        struct rcar_i2c_priv *priv = i2c_get_adapdata(adap);
        struct device *dev = rcar_i2c_priv_to_dev(priv);
-        unsigned long flags;
        int i, ret;
-        long timeout;
+        long time_left;
        pm_runtime_get_sync(dev);
-        /*-------------- spin lock -----------------*/
-        spin_lock_irqsave(&priv->lock, flags);
        rcar_i2c_init(priv);
-        /* start clock */
-        rcar_i2c_write(priv, ICCCR, priv->icccr);
-        spin_unlock_irqrestore(&priv->lock, flags);
-        /*-------------- spin unlock -----------------*/
        ret = rcar_i2c_bus_barrier(priv);
        if (ret < 0)
@@ -514,48 +494,28 @@ static int rcar_i2c_master_xfer(struct i2c_adapter *adap,
                /* This HW can't send STOP after address phase */
                if (msgs[i].len == 0) {
                        ret = -EOPNOTSUPP;
-                        break;
+                        goto out;
-                }
-                /*-------------- spin lock -----------------*/
-                spin_lock_irqsave(&priv->lock, flags);
-                /* init each data */
-                priv->msg       = &msgs[i];
-                priv->pos       = 0;
-                priv->flags     = 0;
-                if (i == num - 1)
-                        rcar_i2c_flags_set(priv, ID_LAST_MSG);
-                rcar_i2c_prepare_msg(priv);
-                spin_unlock_irqrestore(&priv->lock, flags);
-                /*-------------- spin unlock -----------------*/
-                timeout = wait_event_timeout(priv->wait,
-                                             rcar_i2c_flags_has(priv, ID_DONE),
-                                             adap->timeout);
-                if (!timeout) {
-                        ret = -ETIMEDOUT;
-                        break;
-                }
-                if (rcar_i2c_flags_has(priv, ID_NACK)) {
-                        ret = -ENXIO;
-                        break;
-                }
-                if (rcar_i2c_flags_has(priv, ID_ARBLOST)) {
-                        ret = -EAGAIN;
-                        break;
-                }
-                if (rcar_i2c_flags_has(priv, ID_IOERROR)) {
-                        ret = -EIO;
-                        break;
                }
+        }
-                ret = i + 1; /* The number of transfer */
+        /* init data */
+        priv->msg = msgs;
+        priv->msgs_left = num;
+        rcar_i2c_prepare_msg(priv);
+        time_left = wait_event_timeout(priv->wait,
+                                     rcar_i2c_flags_has(priv, ID_DONE),
+                                     num * adap->timeout);
+        if (!time_left) {
+                rcar_i2c_init(priv);
+                ret = -ETIMEDOUT;
+        } else if (rcar_i2c_flags_has(priv, ID_NACK)) {
+                ret = -ENXIO;
+        } else if (rcar_i2c_flags_has(priv, ID_ARBLOST)) {
+                ret = -EAGAIN;
+        } else {
+                ret = num - priv->msgs_left; /* The number of transfer */
        }
 out:
        pm_runtime_put(dev);
@@ -650,23 +610,26 @@ static int rcar_i2c_probe(struct platform_device *pdev)
                return PTR_ERR(priv->clk);
        }
+        res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+        priv->io = devm_ioremap_resource(dev, res);
+        if (IS_ERR(priv->io))
+                return PTR_ERR(priv->io);
        bus_speed = 100000; /* default 100 kHz */
        of_property_read_u32(dev->of_node, "clock-frequency", &bus_speed);
        priv->devtype = (enum rcar_i2c_type)of_match_device(rcar_i2c_dt_ids, dev)->data;
+        pm_runtime_enable(dev);
+        pm_runtime_get_sync(dev);
        ret = rcar_i2c_clock_calculate(priv, bus_speed, dev);
        if (ret < 0)
-                return ret;
+                goto out_pm_put;
-        res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+        pm_runtime_put(dev);
-        priv->io = devm_ioremap_resource(dev, res);
-        if (IS_ERR(priv->io))
-                return PTR_ERR(priv->io);
        irq = platform_get_irq(pdev, 0);
        init_waitqueue_head(&priv->wait);
-        spin_lock_init(&priv->lock);
        adap = &priv->adap;
        adap->nr = pdev->id;
@@ -682,22 +645,26 @@ static int rcar_i2c_probe(struct platform_device *pdev)
                               dev_name(dev), priv);
        if (ret < 0) {
                dev_err(dev, "cannot get irq %d\n", irq);
-                return ret;
+                goto out_pm_disable;
        }
-        pm_runtime_enable(dev);
        platform_set_drvdata(pdev, priv);
        ret = i2c_add_numbered_adapter(adap);
        if (ret < 0) {
                dev_err(dev, "reg adap failed: %d\n", ret);
-                pm_runtime_disable(dev);
+                goto out_pm_disable;
-                return ret;
        }
        dev_info(dev, "probed\n");
        return 0;
+ out_pm_put:
+        pm_runtime_put(dev);
+ out_pm_disable:
+        pm_runtime_disable(dev);
+        return ret;
 }
 static int rcar_i2c_remove(struct platform_device *pdev)
diff --git a/drivers/i2c/busses/i2c-scmi.c b/drivers/i2c/busses/i2c-scmi.c
index dfc98df7b1b6..7aa7b9cb6203 100644
--- a/drivers/i2c/busses/i2c-scmi.c
+++ b/drivers/i2c/busses/i2c-scmi.c
@@ -18,6 +18,9 @@
 #define ACPI_SMBUS_HC_CLASS             "smbus"
 #define ACPI_SMBUS_HC_DEVICE_NAME       "cmi"
+/* SMBUS HID definition as supported by Microsoft Windows */
+#define ACPI_SMBUS_MS_HID               "SMB0001"
 ACPI_MODULE_NAME("smbus_cmi");
 struct smbus_methods_t {
@@ -51,6 +54,7 @@ static const struct smbus_methods_t ibm_smbus_methods = {
 static const struct acpi_device_id acpi_smbus_cmi_ids[] = {
        {"SMBUS01", (kernel_ulong_t)&smbus_methods},
        {ACPI_SMBUS_IBM_HID, (kernel_ulong_t)&ibm_smbus_methods},
+        {ACPI_SMBUS_MS_HID, (kernel_ulong_t)&smbus_methods},
        {"", 0}
 };
 MODULE_DEVICE_TABLE(acpi, acpi_smbus_cmi_ids);
diff --git a/drivers/i2c/i2c-boardinfo.c b/drivers/i2c/i2c-boardinfo.c
index 90e322959303..42c25aed671d 100644
--- a/drivers/i2c/i2c-boardinfo.c
+++ b/drivers/i2c/i2c-boardinfo.c
@@ -56,9 +56,7 @@ EXPORT_SYMBOL_GPL(__i2c_first_dynamic_bus_num);
 * The board info passed can safely be __initdata, but be careful of embedded
 * pointers (for platform_data, functions, etc) since that won't be copied.
 */
-int __init
+int i2c_register_board_info(int busnum, struct i2c_board_info const *info, unsigned len)
-i2c_register_board_info(int busnum,
-        struct i2c_board_info const *info, unsigned len)
 {
        int status;
diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
index ef907fd5ba98..08a21d635d0d 100644
--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -1593,6 +1593,8 @@ static int idecd_open(struct block_device *bdev, fmode_t mode)
        struct cdrom_info *info;
        int rc = -ENXIO;
+        check_disk_change(bdev);
        mutex_lock(&ide_cd_mutex);
        info = ide_cd_get(bdev->bd_disk);
        if (!info)
diff --git a/drivers/idle/Kconfig b/drivers/idle/Kconfig
index 4732dfc15447..331adc509f3a 100644
--- a/drivers/idle/Kconfig
+++ b/drivers/idle/Kconfig
@@ -17,6 +17,7 @@ config I7300_IDLE_IOAT_CHANNEL
 config I7300_IDLE
        tristate "Intel chipset idle memory power saving driver"
+        depends on PCI
        select I7300_IDLE_IOAT_CHANNEL
        help
          Enable memory power savings when idle with certain Intel server
diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c
index 197a08b4e2f3..b4136d3bf6b7 100644
--- a/drivers/iio/accel/st_accel_core.c
+++ b/drivers/iio/accel/st_accel_core.c
@@ -628,6 +628,8 @@ static const struct iio_trigger_ops st_accel_trigger_ops = {
 int st_accel_common_probe(struct iio_dev *indio_dev)
 {
        struct st_sensor_data *adata = iio_priv(indio_dev);
+        struct st_sensors_platform_data *pdata =
+                (struct st_sensors_platform_data *)adata->dev->platform_data;
        int irq = adata->get_irq_data_ready(indio_dev);
        int err;
@@ -652,11 +654,10 @@ int st_accel_common_probe(struct iio_dev *indio_dev)
                                        &adata->sensor_settings->fs.fs_avl[0];
        adata->odr = adata->sensor_settings->odr.odr_avl[0].hz;
-        if (!adata->dev->platform_data)
+        if (!pdata)
-                adata->dev->platform_data =
+                pdata = (struct st_sensors_platform_data *)&default_accel_pdata;
-                        (struct st_sensors_platform_data *)&default_accel_pdata;
-        err = st_sensors_init_sensor(indio_dev, adata->dev->platform_data);
+        err = st_sensors_init_sensor(indio_dev, pdata);
        if (err < 0)
                return err;
diff --git a/drivers/iio/adc/axp288_adc.c b/drivers/iio/adc/axp288_adc.c
index f684fe31f832..64799ad7ebad 100644
--- a/drivers/iio/adc/axp288_adc.c
+++ b/drivers/iio/adc/axp288_adc.c
@@ -44,7 +44,7 @@ struct axp288_adc_info {
        struct regmap *regmap;
 };
-static const struct iio_chan_spec const axp288_adc_channels[] = {
+static const struct iio_chan_spec axp288_adc_channels[] = {
        {
                .indexed = 1,
                .type = IIO_TEMP,
diff --git a/drivers/iio/adc/hi8435.c b/drivers/iio/adc/hi8435.c
index c73c6c62a6ac..7401f102dff4 100644
--- a/drivers/iio/adc/hi8435.c
+++ b/drivers/iio/adc/hi8435.c
@@ -121,10 +121,21 @@ static int hi8435_write_event_config(struct iio_dev *idev,
                                     enum iio_event_direction dir, int state)
 {
        struct hi8435_priv *priv = iio_priv(idev);
+        int ret;
+        u32 tmp;
+        if (state) {
+                ret = hi8435_readl(priv, HI8435_SO31_0_REG, &tmp);
+                if (ret < 0)
+                        return ret;
+                if (tmp & BIT(chan->channel))
+                        priv->event_prev_val |= BIT(chan->channel);
+                else
+                        priv->event_prev_val &= ~BIT(chan->channel);
-        priv->event_scan_mask &= ~BIT(chan->channel);
-        if (state)
                priv->event_scan_mask |= BIT(chan->channel);
+        } else
+                priv->event_scan_mask &= ~BIT(chan->channel);
        return 0;
 }
@@ -442,13 +453,15 @@ static int hi8435_probe(struct spi_device *spi)
        priv->spi = spi;
        reset_gpio = devm_gpiod_get(&spi->dev, NULL, GPIOD_OUT_LOW);
-        if (IS_ERR(reset_gpio)) {
+        if (!IS_ERR(reset_gpio)) {
-                /* chip s/w reset if h/w reset failed */
+                /* need >=100ns low pulse to reset chip */
+                gpiod_set_raw_value_cansleep(reset_gpio, 0);
+                udelay(1);
+                gpiod_set_raw_value_cansleep(reset_gpio, 1);
+        } else {
+                /* s/w reset chip if h/w reset is not available */
                hi8435_writeb(priv, HI8435_CTRL_REG, HI8435_CTRL_SRST);
                hi8435_writeb(priv, HI8435_CTRL_REG, 0);
-        } else {
-                udelay(5);
-                gpiod_set_value(reset_gpio, 1);
        }
        spi_set_drvdata(spi, idev);
diff --git a/drivers/iio/buffer/kfifo_buf.c b/drivers/iio/buffer/kfifo_buf.c
index c5b999f0c519..e44181f9eb36 100644
--- a/drivers/iio/buffer/kfifo_buf.c
+++ b/drivers/iio/buffer/kfifo_buf.c
@@ -19,11 +19,18 @@ struct iio_kfifo {
 #define iio_to_kfifo(r) container_of(r, struct iio_kfifo, buffer)
 static inline int __iio_allocate_kfifo(struct iio_kfifo *buf,
-                                int bytes_per_datum, int length)
+                        size_t bytes_per_datum, unsigned int length)
 {
        if ((length == 0) || (bytes_per_datum == 0))
                return -EINVAL;
+        /*
+         * Make sure we don't overflow an unsigned int after kfifo rounds up to
+         * the next power of 2.
+         */
+        if (roundup_pow_of_two(length) > UINT_MAX / bytes_per_datum)
+                return -EINVAL;
        return __kfifo_alloc((struct __kfifo *)&buf->kf, length,
                             bytes_per_datum, GFP_KERNEL);
 }
@@ -64,7 +71,7 @@ static int iio_set_bytes_per_datum_kfifo(struct iio_buffer *r, size_t bpd)
        return 0;
 }
-static int iio_set_length_kfifo(struct iio_buffer *r, int length)
+static int iio_set_length_kfifo(struct iio_buffer *r, unsigned int length)
 {
        /* Avoid an invalid state */
        if (length < 2)
diff --git a/drivers/iio/imu/adis_trigger.c b/drivers/iio/imu/adis_trigger.c
index f53e9a803a0e..93b99bd93738 100644
--- a/drivers/iio/imu/adis_trigger.c
+++ b/drivers/iio/imu/adis_trigger.c
@@ -47,6 +47,10 @@ int adis_probe_trigger(struct adis *adis, struct iio_dev *indio_dev)
        if (adis->trig == NULL)
                return -ENOMEM;
+        adis->trig->dev.parent = &adis->spi->dev;
+        adis->trig->ops = &adis_trigger_ops;
+        iio_trigger_set_drvdata(adis->trig, adis);
        ret = request_irq(adis->spi->irq,
                          &iio_trigger_generic_data_rdy_poll,
                          IRQF_TRIGGER_RISING,
@@ -55,9 +59,6 @@ int adis_probe_trigger(struct adis *adis, struct iio_dev *indio_dev)
        if (ret)
                goto error_free_trig;
-        adis->trig->dev.parent = &adis->spi->dev;
-        adis->trig->ops = &adis_trigger_ops;
-        iio_trigger_set_drvdata(adis->trig, adis);
        ret = iio_trigger_register(adis->trig);
        indio_dev->trig = iio_trigger_get(adis->trig);
diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
index 32bb036069eb..961afb5588be 100644
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -174,7 +174,7 @@ unsigned int iio_buffer_poll(struct file *filp,
        struct iio_dev *indio_dev = filp->private_data;
        struct iio_buffer *rb = indio_dev->buffer;
-        if (!indio_dev->info)
+        if (!indio_dev->info || rb == NULL)
                return 0;
        poll_wait(filp, &rb->pollq, wait);
diff --git a/drivers/iio/magnetometer/st_magn_spi.c b/drivers/iio/magnetometer/st_magn_spi.c
index 6325e7dc8e03..f3cb4dc05391 100644
--- a/drivers/iio/magnetometer/st_magn_spi.c
+++ b/drivers/iio/magnetometer/st_magn_spi.c
@@ -48,8 +48,6 @@ static int st_magn_spi_remove(struct spi_device *spi)
 }
 static const struct spi_device_id st_magn_id_table[] = {
-        { LSM303DLHC_MAGN_DEV_NAME },
-        { LSM303DLM_MAGN_DEV_NAME },
        { LIS3MDL_MAGN_DEV_NAME },
        { LSM303AGR_MAGN_DEV_NAME },
        {},
diff --git a/drivers/iio/pressure/st_pressure_core.c b/drivers/iio/pressure/st_pressure_core.c
index 5056bd68573f..ba282ff3892d 100644
--- a/drivers/iio/pressure/st_pressure_core.c
+++ b/drivers/iio/pressure/st_pressure_core.c
@@ -436,6 +436,8 @@ static const struct iio_trigger_ops st_press_trigger_ops = {
 int st_press_common_probe(struct iio_dev *indio_dev)
 {
        struct st_sensor_data *press_data = iio_priv(indio_dev);
+        struct st_sensors_platform_data *pdata =
+                (struct st_sensors_platform_data *)press_data->dev->platform_data;
        int irq = press_data->get_irq_data_ready(indio_dev);
        int err;
@@ -464,12 +466,10 @@ int st_press_common_probe(struct iio_dev *indio_dev)
        press_data->odr = press_data->sensor_settings->odr.odr_avl[0].hz;
        /* Some devices don't support a data ready pin. */
-        if (!press_data->dev->platform_data &&
+        if (!pdata && press_data->sensor_settings->drdy_irq.addr)
-                                press_data->sensor_settings->drdy_irq.addr)
+                pdata = (struct st_sensors_platform_data *)&default_press_pdata;
-                press_data->dev->platform_data =
-                        (struct st_sensors_platform_data *)&default_press_pdata;
-        err = st_sensors_init_sensor(indio_dev, press_data->dev->platform_data);
+        err = st_sensors_init_sensor(indio_dev, pdata);
        if (err < 0)
                return err;
diff --git a/drivers/infiniband/Kconfig b/drivers/infiniband/Kconfig
index aa26f3c3416b..c151bb625179 100644
--- a/drivers/infiniband/Kconfig
+++ b/drivers/infiniband/Kconfig
@@ -33,6 +33,18 @@ config INFINIBAND_USER_ACCESS
          libibverbs, libibcm and a hardware driver library from
          <http://www.openfabrics.org/git/>.
+config INFINIBAND_USER_ACCESS_UCM
+        bool "Userspace CM (UCM, DEPRECATED)"
+        depends on BROKEN
+        depends on INFINIBAND_USER_ACCESS
+        help
+          The UCM module has known security flaws, which no one is
+          interested to fix. The user-space part of this code was
+          dropped from the upstream a long time ago.
+          This option is DEPRECATED and planned to be removed.
 config INFINIBAND_USER_MEM
        bool
        depends on INFINIBAND_USER_ACCESS != n
diff --git a/drivers/infiniband/core/Makefile b/drivers/infiniband/core/Makefile
index d43a8994ac5c..737612a442be 100644
--- a/drivers/infiniband/core/Makefile
+++ b/drivers/infiniband/core/Makefile
@@ -5,8 +5,8 @@ obj-$(CONFIG_INFINIBAND) +=		ib_core.o ib_mad.o ib_sa.o \
                                        ib_cm.o iw_cm.o ib_addr.o \
                                        $(infiniband-y)
 obj-$(CONFIG_INFINIBAND_USER_MAD) +=    ib_umad.o
-obj-$(CONFIG_INFINIBAND_USER_ACCESS) += ib_uverbs.o ib_ucm.o \
+obj-$(CONFIG_INFINIBAND_USER_ACCESS) += ib_uverbs.o $(user_access-y)
-                                        $(user_access-y)
+obj-$(CONFIG_INFINIBAND_USER_ACCESS_UCM) += ib_ucm.o $(user_access-y)
 ib_core-y :=                    packer.o ud_header.o verbs.o sysfs.o \
                                device.o fmr_pool.o cache.o netlink.o \
diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
index 6a8024d9d742..864a7c8d82d3 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -86,6 +86,22 @@ int rdma_addr_size(struct sockaddr *addr)
 }
 EXPORT_SYMBOL(rdma_addr_size);
+int rdma_addr_size_in6(struct sockaddr_in6 *addr)
+{
+        int ret = rdma_addr_size((struct sockaddr *) addr);
+        return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_in6);
+int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr)
+{
+        int ret = rdma_addr_size((struct sockaddr *) addr);
+        return ret <= sizeof(*addr) ? ret : 0;
+}
+EXPORT_SYMBOL(rdma_addr_size_kss);
 static struct rdma_addr_client self;
 void rdma_addr_register_client(struct rdma_addr_client *client)
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index e354358db77b..d57a78ec7425 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -626,6 +626,7 @@ struct rdma_cm_id *rdma_create_id(struct net *net,
        INIT_LIST_HEAD(&id_priv->mc_list);
        get_random_bytes(&id_priv->seq_num, sizeof id_priv->seq_num);
        id_priv->id.route.addr.dev_addr.net = get_net(net);
+        id_priv->seq_num &= 0x00ffffff;
        return &id_priv->id;
 }
@@ -3742,6 +3743,9 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr,
        struct cma_multicast *mc;
        int ret;
+        if (!id->device)
+                return -EINVAL;
        id_priv = container_of(id, struct rdma_id_private, id);
        if (!cma_comp(id_priv, RDMA_CM_ADDR_BOUND) &&
            !cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED))
@@ -4006,7 +4010,7 @@ static int cma_get_id_stats(struct sk_buff *skb, struct netlink_callback *cb)
                                          RDMA_NL_RDMA_CM_ATTR_SRC_ADDR))
                                goto out;
                        if (ibnl_put_attr(skb, nlh,
-                                          rdma_addr_size(cma_src_addr(id_priv)),
+                                          rdma_addr_size(cma_dst_addr(id_priv)),
                                          cma_dst_addr(id_priv),
                                          RDMA_NL_RDMA_CM_ATTR_DST_ADDR))
                                goto out;
diff --git a/drivers/infiniband/core/iwpm_util.c b/drivers/infiniband/core/iwpm_util.c
index fb43a242847b..8d7d110d0721 100644
--- a/drivers/infiniband/core/iwpm_util.c
+++ b/drivers/infiniband/core/iwpm_util.c
@@ -663,6 +663,7 @@ int iwpm_send_mapinfo(u8 nl_client, int iwpm_pid)
        }
        skb_num++;
        spin_lock_irqsave(&iwpm_mapinfo_lock, flags);
+        ret = -EINVAL;
        for (i = 0; i < IWPM_MAPINFO_HASH_SIZE; i++) {
                hlist_for_each_entry(map_info, &iwpm_hash_bucket[i],
                                     hlist_node) {
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 8d84c563ba75..616173b7a5e8 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -1548,7 +1548,8 @@ static int add_oui_reg_req(struct ib_mad_reg_req *mad_reg_req,
                            mad_reg_req->oui, 3)) {
                        method = &(*vendor_table)->vendor_class[
                                                vclass]->method_table[i];
-                        BUG_ON(!*method);
+                        if (!*method)
+                                goto error3;
                        goto check_in_use;
                }
        }
@@ -1558,10 +1559,12 @@ static int add_oui_reg_req(struct ib_mad_reg_req *mad_reg_req,
                                vclass]->oui[i])) {
                        method = &(*vendor_table)->vendor_class[
                                vclass]->method_table[i];
-                        BUG_ON(*method);
                        /* Allocate method table for this OUI */
-                        if ((ret = allocate_method_table(method)))
+                        if (!*method) {
-                                goto error3;
+                                ret = allocate_method_table(method);
+                                if (ret)
+                                        goto error3;
+                        }
                        memcpy((*vendor_table)->vendor_class[vclass]->oui[i],
                               mad_reg_req->oui, 3);
                        goto check_in_use;
diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 886f61ea6cc7..55aa8d3d752f 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -131,7 +131,7 @@ static inline struct ucma_context *_ucma_find_context(int id,
        ctx = idr_find(&ctx_idr, id);
        if (!ctx)
                ctx = ERR_PTR(-ENOENT);
-        else if (ctx->file != file)
+        else if (ctx->file != file || !ctx->cm_id)
                ctx = ERR_PTR(-EINVAL);
        return ctx;
 }
@@ -217,7 +217,7 @@ static struct ucma_multicast* ucma_alloc_multicast(struct ucma_context *ctx)
                return NULL;
        mutex_lock(&mut);
-        mc->id = idr_alloc(&multicast_idr, mc, 0, 0, GFP_KERNEL);
+        mc->id = idr_alloc(&multicast_idr, NULL, 0, 0, GFP_KERNEL);
        mutex_unlock(&mut);
        if (mc->id < 0)
                goto error;
@@ -453,6 +453,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
        struct rdma_ucm_create_id cmd;
        struct rdma_ucm_create_id_resp resp;
        struct ucma_context *ctx;
+        struct rdma_cm_id *cm_id;
        enum ib_qp_type qp_type;
        int ret;
@@ -473,10 +474,10 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
                return -ENOMEM;
        ctx->uid = cmd.uid;
-        ctx->cm_id = rdma_create_id(current->nsproxy->net_ns,
+        cm_id = rdma_create_id(current->nsproxy->net_ns,
-                                    ucma_event_handler, ctx, cmd.ps, qp_type);
+                               ucma_event_handler, ctx, cmd.ps, qp_type);
-        if (IS_ERR(ctx->cm_id)) {
+        if (IS_ERR(cm_id)) {
-                ret = PTR_ERR(ctx->cm_id);
+                ret = PTR_ERR(cm_id);
                goto err1;
        }
@@ -486,14 +487,19 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
                ret = -EFAULT;
                goto err2;
        }
+        ctx->cm_id = cm_id;
        return 0;
 err2:
-        rdma_destroy_id(ctx->cm_id);
+        rdma_destroy_id(cm_id);
 err1:
        mutex_lock(&mut);
        idr_remove(&ctx_idr, ctx->id);
        mutex_unlock(&mut);
+        mutex_lock(&file->mut);
+        list_del(&ctx->list);
+        mutex_unlock(&file->mut);
        kfree(ctx);
        return ret;
 }
@@ -623,6 +629,9 @@ static ssize_t ucma_bind_ip(struct ucma_file *file, const char __user *inbuf,
        if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
                return -EFAULT;
+        if (!rdma_addr_size_in6(&cmd.addr))
+                return -EINVAL;
        ctx = ucma_get_ctx(file, cmd.id);
        if (IS_ERR(ctx))
                return PTR_ERR(ctx);
@@ -636,22 +645,21 @@ static ssize_t ucma_bind(struct ucma_file *file, const char __user *inbuf,
                         int in_len, int out_len)
 {
        struct rdma_ucm_bind cmd;
-        struct sockaddr *addr;
        struct ucma_context *ctx;
        int ret;
        if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
                return -EFAULT;
-        addr = (struct sockaddr *) &cmd.addr;
+        if (cmd.reserved || !cmd.addr_size ||
-        if (cmd.reserved || !cmd.addr_size || (cmd.addr_size != rdma_addr_size(addr)))
+            cmd.addr_size != rdma_addr_size_kss(&cmd.addr))
                return -EINVAL;
        ctx = ucma_get_ctx(file, cmd.id);
        if (IS_ERR(ctx))
                return PTR_ERR(ctx);
-        ret = rdma_bind_addr(ctx->cm_id, addr);
+        ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) &cmd.addr);
        ucma_put_ctx(ctx);
        return ret;
 }
@@ -667,13 +675,16 @@ static ssize_t ucma_resolve_ip(struct ucma_file *file,
        if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
                return -EFAULT;
+        if ((cmd.src_addr.sin6_family && !rdma_addr_size_in6(&cmd.src_addr)) ||
+            !rdma_addr_size_in6(&cmd.dst_addr))
+                return -EINVAL;
        ctx = ucma_get_ctx(file, cmd.id);
        if (IS_ERR(ctx))
                return PTR_ERR(ctx);
        ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
-                                (struct sockaddr *) &cmd.dst_addr,
+                                (struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
-                                cmd.timeout_ms);
        ucma_put_ctx(ctx);
        return ret;
 }
@@ -683,24 +694,23 @@ static ssize_t ucma_resolve_addr(struct ucma_file *file,
                                 int in_len, int out_len)
 {
        struct rdma_ucm_resolve_addr cmd;
-        struct sockaddr *src, *dst;
        struct ucma_context *ctx;
        int ret;
        if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
                return -EFAULT;
-        src = (struct sockaddr *) &cmd.src_addr;
+        if (cmd.reserved ||
-        dst = (struct sockaddr *) &cmd.dst_addr;
+            (cmd.src_size && (cmd.src_size != rdma_addr_size_kss(&cmd.src_addr))) ||
-        if (cmd.reserved || (cmd.src_size && (cmd.src_size != rdma_addr_size(src))) ||
+            !cmd.dst_size || (cmd.dst_size != rdma_addr_size_kss(&cmd.dst_addr)))
-            !cmd.dst_size || (cmd.dst_size != rdma_addr_size(dst)))
                return -EINVAL;
        ctx = ucma_get_ctx(file, cmd.id);
        if (IS_ERR(ctx))
                return PTR_ERR(ctx);
-        ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
+        ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
+                                (struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
        ucma_put_ctx(ctx);
        return ret;
 }
@@ -1138,10 +1148,18 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file,
        if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
                return -EFAULT;
+        if (cmd.qp_state > IB_QPS_ERR)
+                return -EINVAL;
        ctx = ucma_get_ctx(file, cmd.id);
        if (IS_ERR(ctx))
                return PTR_ERR(ctx);
+        if (!ctx->cm_id->device) {
+                ret = -EINVAL;
+                goto out;
+        }
        resp.qp_attr_mask = 0;
        memset(&qp_attr, 0, sizeof qp_attr);
        qp_attr.qp_state = cmd.qp_state;
@@ -1212,6 +1230,9 @@ static int ucma_set_ib_path(struct ucma_context *ctx,
        if (!optlen)
                return -EINVAL;
+        if (!ctx->cm_id->device)
+                return -EINVAL;
        memset(&sa_path, 0, sizeof(sa_path));
        ib_sa_unpack_path(path_data->path_rec, &sa_path);
@@ -1274,6 +1295,9 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
        if (IS_ERR(ctx))
                return PTR_ERR(ctx);
+        if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
+                return -EINVAL;
        optval = memdup_user((void __user *) (unsigned long) cmd.optval,
                             cmd.optlen);
        if (IS_ERR(optval)) {
@@ -1295,7 +1319,7 @@ static ssize_t ucma_notify(struct ucma_file *file, const char __user *inbuf,
 {
        struct rdma_ucm_notify cmd;
        struct ucma_context *ctx;
-        int ret;
+        int ret = -EINVAL;
        if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
                return -EFAULT;
@@ -1304,7 +1328,9 @@ static ssize_t ucma_notify(struct ucma_file *file, const char __user *inbuf,
        if (IS_ERR(ctx))
                return PTR_ERR(ctx);
-        ret = rdma_notify(ctx->cm_id, (enum ib_event_type) cmd.event);
+        if (ctx->cm_id->device)
+                ret = rdma_notify(ctx->cm_id, (enum ib_event_type)cmd.event);
        ucma_put_ctx(ctx);
        return ret;
 }
@@ -1322,7 +1348,7 @@ static ssize_t ucma_process_join(struct ucma_file *file,
                return -ENOSPC;
        addr = (struct sockaddr *) &cmd->addr;
-        if (cmd->reserved || !cmd->addr_size || (cmd->addr_size != rdma_addr_size(addr)))
+        if (cmd->reserved || (cmd->addr_size != rdma_addr_size(addr)))
                return -EINVAL;
        ctx = ucma_get_ctx(file, cmd->id);
@@ -1349,6 +1375,10 @@ static ssize_t ucma_process_join(struct ucma_file *file,
                goto err3;
        }
+        mutex_lock(&mut);
+        idr_replace(&multicast_idr, mc, mc->id);
+        mutex_unlock(&mut);
        mutex_unlock(&file->mut);
        ucma_put_ctx(ctx);
        return 0;
@@ -1381,7 +1411,10 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file *file,
        join_cmd.response = cmd.response;
        join_cmd.uid = cmd.uid;
        join_cmd.id = cmd.id;
-        join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
+        join_cmd.addr_size = rdma_addr_size_in6(&cmd.addr);
+        if (!join_cmd.addr_size)
+                return -EINVAL;
        join_cmd.reserved = 0;
        memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size);
@@ -1397,6 +1430,9 @@ static ssize_t ucma_join_multicast(struct ucma_file *file,
        if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
                return -EFAULT;
+        if (!rdma_addr_size_kss(&cmd.addr))
+                return -EINVAL;
        return ucma_process_join(file, &cmd, out_len);
 }
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index 0ae337bec4f2..98fd9a594841 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -122,16 +122,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
        umem->address   = addr;
        umem->page_size = PAGE_SIZE;
        umem->pid       = get_task_pid(current, PIDTYPE_PID);
-        /*
+        umem->writable   = ib_access_writable(access);
-         * We ask for writable memory if any of the following
-         * access flags are set.  "Local write" and "remote write"
-         * obviously require write access.  "Remote atomic" can do
-         * things like fetch and add, which will modify memory, and
-         * "MW bind" can change permissions by binding a window.
-         */
-        umem->writable  = !!(access &
-                (IB_ACCESS_LOCAL_WRITE   | IB_ACCESS_REMOTE_WRITE |
-                 IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND));
        if (access & IB_ACCESS_ON_DEMAND) {
                put_pid(umem->pid);
@@ -354,7 +345,7 @@ int ib_umem_copy_from(void *dst, struct ib_umem *umem, size_t offset,
                return -EINVAL;
        }
-        ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->nmap, dst, length,
+        ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->npages, dst, length,
                                 offset + ib_umem_offset(umem));
        if (ret < 0)
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index b7a73f1a8beb..3eb967521917 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2436,9 +2436,13 @@ ssize_t ib_uverbs_destroy_qp(struct ib_uverbs_file *file,
 static void *alloc_wr(size_t wr_size, __u32 num_sge)
 {
+        if (num_sge >= (U32_MAX - ALIGN(wr_size, sizeof (struct ib_sge))) /
+                       sizeof (struct ib_sge))
+                return NULL;
        return kmalloc(ALIGN(wr_size, sizeof (struct ib_sge)) +
                         num_sge * sizeof (struct ib_sge), GFP_KERNEL);
-};
+}
 ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
                            struct ib_device *ib_dev,
@@ -2665,6 +2669,13 @@ static struct ib_recv_wr *ib_uverbs_unmarshall_recv(const char __user *buf,
                        goto err;
                }
+                if (user_wr->num_sge >=
+                    (U32_MAX - ALIGN(sizeof *next, sizeof (struct ib_sge))) /
+                    sizeof (struct ib_sge)) {
+                        ret = -EINVAL;
+                        goto err;
+                }
                next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) +
                               user_wr->num_sge * sizeof (struct ib_sge),
                               GFP_KERNEL);
diff --git a/drivers/infiniband/hw/cxgb4/device.c b/drivers/infiniband/hw/cxgb4/device.c
index 58fce1742b8d..337b1a5eb41c 100644
--- a/drivers/infiniband/hw/cxgb4/device.c
+++ b/drivers/infiniband/hw/cxgb4/device.c
@@ -809,10 +809,9 @@ static int c4iw_rdev_open(struct c4iw_rdev *rdev)
             rdev->lldi.vr->qp.size,
             rdev->lldi.vr->cq.start,
             rdev->lldi.vr->cq.size);
-        PDBG("udb len 0x%x udb base %p db_reg %p gts_reg %p "
+        PDBG("udb %pR db_reg %p gts_reg %p "
             "qpmask 0x%x cqmask 0x%x\n",
-             (unsigned)pci_resource_len(rdev->lldi.pdev, 2),
+                &rdev->lldi.pdev->resource[2],
-             (void *)pci_resource_start(rdev->lldi.pdev, 2),
             rdev->lldi.db_reg, rdev->lldi.gts_reg,
             rdev->qpmask, rdev->cqmask);
diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c
index e1629ab58db7..8218d714fa01 100644
--- a/drivers/infiniband/hw/cxgb4/mem.c
+++ b/drivers/infiniband/hw/cxgb4/mem.c
@@ -926,7 +926,7 @@ static int c4iw_set_page(struct ib_mr *ibmr, u64 addr)
 {
        struct c4iw_mr *mhp = to_c4iw_mr(ibmr);
-        if (unlikely(mhp->mpl_len == mhp->max_mpl_len))
+        if (unlikely(mhp->mpl_len == mhp->attr.pbl_size))
                return -ENOMEM;
        mhp->mpl[mhp->mpl_len++] = addr;
diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
index d862b9b7910e..199a9cdd0d12 100644
--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -1780,7 +1780,6 @@ static void mlx4_ib_sqp_comp_worker(struct work_struct *work)
                                               "buf:%lld\n", wc.wr_id);
                                break;
                        default:
-                                BUG_ON(1);
                                break;
                        }
                } else  {
diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
index 8763fb832b01..67c4c73343d4 100644
--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -1041,7 +1041,7 @@ static void mlx4_ib_disassociate_ucontext(struct ib_ucontext *ibcontext)
        /* need to protect from a race on closing the vma as part of
         * mlx4_ib_vma_close().
         */
-        down_read(&owning_mm->mmap_sem);
+        down_write(&owning_mm->mmap_sem);
        for (i = 0; i < HW_BAR_COUNT; i++) {
                vma = context->hw_bar_info[i].vma;
                if (!vma)
@@ -1055,11 +1055,13 @@ static void mlx4_ib_disassociate_ucontext(struct ib_ucontext *ibcontext)
                        BUG_ON(1);
                }
+                context->hw_bar_info[i].vma->vm_flags &=
+                        ~(VM_SHARED | VM_MAYSHARE);
                /* context going to be destroyed, should not access ops any more */
                context->hw_bar_info[i].vma->vm_ops = NULL;
        }
-        up_read(&owning_mm->mmap_sem);
+        up_write(&owning_mm->mmap_sem);
        mmput(owning_mm);
        put_task_struct(owning_process);
 }
@@ -2483,9 +2485,8 @@ err_steer_free_bitmap:
        kfree(ibdev->ib_uc_qpns_bitmap);
 err_steer_qp_release:
-        if (ibdev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED)
+        mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
-                mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
+                              ibdev->steer_qpn_count);
-                                      ibdev->steer_qpn_count);
 err_counter:
        for (i = 0; i < ibdev->num_ports; ++i)
                mlx4_ib_delete_counters_table(ibdev, &ibdev->counters_table[i]);
@@ -2586,11 +2587,9 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr)
                ibdev->iboe.nb.notifier_call = NULL;
        }
-        if (ibdev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED) {
+        mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
-                mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
+                              ibdev->steer_qpn_count);
-                                      ibdev->steer_qpn_count);
+        kfree(ibdev->ib_uc_qpns_bitmap);
-                kfree(ibdev->ib_uc_qpns_bitmap);
-        }
        iounmap(ibdev->uar_map);
        for (p = 0; p < ibdev->num_ports; ++p)
diff --git a/drivers/infiniband/hw/mlx4/mr.c b/drivers/infiniband/hw/mlx4/mr.c
index 4d1e1c632603..bf52e35dd506 100644
--- a/drivers/infiniband/hw/mlx4/mr.c
+++ b/drivers/infiniband/hw/mlx4/mr.c
@@ -130,6 +130,40 @@ out:
        return err;
 }
+static struct ib_umem *mlx4_get_umem_mr(struct ib_ucontext *context, u64 start,
+                                        u64 length, u64 virt_addr,
+                                        int access_flags)
+{
+        /*
+         * Force registering the memory as writable if the underlying pages
+         * are writable.  This is so rereg can change the access permissions
+         * from readable to writable without having to run through ib_umem_get
+         * again
+         */
+        if (!ib_access_writable(access_flags)) {
+                struct vm_area_struct *vma;
+                down_read(&current->mm->mmap_sem);
+                /*
+                 * FIXME: Ideally this would iterate over all the vmas that
+                 * cover the memory, but for now it requires a single vma to
+                 * entirely cover the MR to support RO mappings.
+                 */
+                vma = find_vma(current->mm, start);
+                if (vma && vma->vm_end >= start + length &&
+                    vma->vm_start <= start) {
+                        if (vma->vm_flags & VM_WRITE)
+                                access_flags |= IB_ACCESS_LOCAL_WRITE;
+                } else {
+                        access_flags |= IB_ACCESS_LOCAL_WRITE;
+                }
+                up_read(&current->mm->mmap_sem);
+        }
+        return ib_umem_get(context, start, length, access_flags, 0);
+}
 struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
                                  u64 virt_addr, int access_flags,
                                  struct ib_udata *udata)
@@ -144,10 +178,8 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
        if (!mr)
                return ERR_PTR(-ENOMEM);
-        /* Force registering the memory as writable. */
+        mr->umem = mlx4_get_umem_mr(pd->uobject->context, start, length,
-        /* Used for memory re-registeration. HCA protects the access */
+                                    virt_addr, access_flags);
-        mr->umem = ib_umem_get(pd->uobject->context, start, length,
-                               access_flags | IB_ACCESS_LOCAL_WRITE, 0);
        if (IS_ERR(mr->umem)) {
                err = PTR_ERR(mr->umem);
                goto err_free;
@@ -214,6 +246,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *mr, int flags,
        }
        if (flags & IB_MR_REREG_ACCESS) {
+                if (ib_access_writable(mr_access_flags) && !mmr->umem->writable)
+                        return -EPERM;
                err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry,
                                               convert_access(mr_access_flags));
@@ -227,10 +262,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *mr, int flags,
                mlx4_mr_rereg_mem_cleanup(dev->dev, &mmr->mmr);
                ib_umem_release(mmr->umem);
-                mmr->umem = ib_umem_get(mr->uobject->context, start, length,
+                mmr->umem =
-                                        mr_access_flags |
+                        mlx4_get_umem_mr(mr->uobject->context, start, length,
-                                        IB_ACCESS_LOCAL_WRITE,
+                                         virt_addr, mr_access_flags);
-                                        0);
                if (IS_ERR(mmr->umem)) {
                        err = PTR_ERR(mmr->umem);
                        /* Prevent mlx4_ib_dereg_mr from free'ing invalid pointer */
@@ -424,7 +458,6 @@ struct ib_mr *mlx4_ib_alloc_mr(struct ib_pd *pd,
                goto err_free_mr;
        mr->max_pages = max_num_sg;
        err = mlx4_mr_enable(dev->dev, &mr->mmr);
        if (err)
                goto err_free_pl;
@@ -435,6 +468,7 @@ struct ib_mr *mlx4_ib_alloc_mr(struct ib_pd *pd,
        return &mr->ibmr;
 err_free_pl:
+        mr->ibmr.device = pd->device;
        mlx4_free_priv_pages(mr);
 err_free_mr:
        (void) mlx4_mr_free(dev->dev, &mr->mmr);
diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
index 02c8deab1fff..4a4ab433062f 100644
--- a/drivers/infiniband/hw/mlx5/cq.c
+++ b/drivers/infiniband/hw/mlx5/cq.c
@@ -972,7 +972,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq,
        if (ucmd.reserved0 || ucmd.reserved1)
                return -EINVAL;
-        umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,
+        /* check multiplication overflow */
+        if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)
+                return -EINVAL;
+        umem = ib_umem_get(context, ucmd.buf_addr,
+                           (size_t)ucmd.cqe_size * entries,
                           IB_ACCESS_LOCAL_WRITE, 1);
        if (IS_ERR(umem)) {
                err = PTR_ERR(umem);
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index cfcfbb6b84d7..43d277a931c2 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -231,7 +231,11 @@ static int set_rq_size(struct mlx5_ib_dev *dev, struct ib_qp_cap *cap,
        } else {
                if (ucmd) {
                        qp->rq.wqe_cnt = ucmd->rq_wqe_count;
+                        if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
+                                return -EINVAL;
                        qp->rq.wqe_shift = ucmd->rq_wqe_shift;
+                        if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
+                                return -EINVAL;
                        qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
                        qp->rq.max_post = qp->rq.wqe_cnt;
                } else {
@@ -1348,18 +1352,18 @@ enum {
 static int ib_rate_to_mlx5(struct mlx5_ib_dev *dev, u8 rate)
 {
-        if (rate == IB_RATE_PORT_CURRENT) {
+        if (rate == IB_RATE_PORT_CURRENT)
                return 0;
-        } else if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) {
+        if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS)
                return -EINVAL;
-        } else {
-                while (rate != IB_RATE_2_5_GBPS &&
-                       !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
-                         MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
-                        --rate;
-        }
-        return rate + MLX5_STAT_RATE_OFFSET;
+        while (rate != IB_RATE_PORT_CURRENT &&
+               !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
+                 MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
+                --rate;
+        return rate ? rate + MLX5_STAT_RATE_OFFSET : rate;
 }
 static int mlx5_set_path(struct mlx5_ib_dev *dev, const struct ib_ah_attr *ah,
@@ -3157,12 +3161,9 @@ int mlx5_ib_dealloc_xrcd(struct ib_xrcd *xrcd)
        int err;
        err = mlx5_core_xrcd_dealloc(dev->mdev, xrcdn);
-        if (err) {
+        if (err)
                mlx5_ib_warn(dev, "failed to dealloc xrcdn 0x%x\n", xrcdn);
-                return err;
-        }
        kfree(xrcd);
        return 0;
 }
diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
index 86c303a620c1..40242ead096f 100644
--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
@@ -643,7 +643,7 @@ static ssize_t ocrdma_dbgfs_ops_write(struct file *filp,
        struct ocrdma_stats *pstats = filp->private_data;
        struct ocrdma_dev *dev = pstats->dev;
-        if (count > 32)
+        if (*ppos != 0 || count == 0 || count > sizeof(tmp_str))
                goto err;
        if (copy_from_user(tmp_str, buffer, count))
@@ -834,7 +834,7 @@ void ocrdma_add_port_stats(struct ocrdma_dev *dev)
        dev->reset_stats.type = OCRDMA_RESET_STATS;
        dev->reset_stats.dev = dev;
-        if (!debugfs_create_file("reset_stats", S_IRUSR, dev->dir,
+        if (!debugfs_create_file("reset_stats", 0200, dev->dir,
                                &dev->reset_stats, &ocrdma_dbg_ops))
                goto err;
diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h
index 7df16f74bb45..c6c75b99cf2c 100644
--- a/drivers/infiniband/hw/qib/qib.h
+++ b/drivers/infiniband/hw/qib/qib.h
@@ -1451,8 +1451,7 @@ u64 qib_sps_ints(void);
 /*
 * dma_addr wrappers - all 0's invalid for hw
 */
-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long,
+int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr);
-                          size_t, int);
 const char *qib_get_unit_name(int unit);
 /*
diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
index 24f4a782e0f4..5908fd3af00d 100644
--- a/drivers/infiniband/hw/qib/qib_file_ops.c
+++ b/drivers/infiniband/hw/qib/qib_file_ops.c
@@ -364,6 +364,8 @@ static int qib_tid_update(struct qib_ctxtdata *rcd, struct file *fp,
                goto done;
        }
        for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) {
+                dma_addr_t daddr;
                for (; ntids--; tid++) {
                        if (tid == tidcnt)
                                tid = 0;
@@ -380,12 +382,14 @@ static int qib_tid_update(struct qib_ctxtdata *rcd, struct file *fp,
                        ret = -ENOMEM;
                        break;
                }
+                ret = qib_map_page(dd->pcidev, pagep[i], &daddr);
+                if (ret)
+                        break;
                tidlist[i] = tid + tidoff;
                /* we "know" system pages and TID pages are same size */
                dd->pageshadow[ctxttid + tid] = pagep[i];
-                dd->physshadow[ctxttid + tid] =
+                dd->physshadow[ctxttid + tid] = daddr;
-                        qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE,
-                                     PCI_DMA_FROMDEVICE);
                /*
                 * don't need atomic or it's overhead
                 */
diff --git a/drivers/infiniband/hw/qib/qib_user_pages.c b/drivers/infiniband/hw/qib/qib_user_pages.c
index 74f90b2619f6..ab1588ae1c85 100644
--- a/drivers/infiniband/hw/qib/qib_user_pages.c
+++ b/drivers/infiniband/hw/qib/qib_user_pages.c
@@ -98,23 +98,27 @@ bail:
 *
 * I'm sure we won't be so lucky with other iommu's, so FIXME.
 */
-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page,
+int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr)
-                        unsigned long offset, size_t size, int direction)
 {
        dma_addr_t phys;
-        phys = pci_map_page(hwdev, page, offset, size, direction);
+        phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE);
+        if (pci_dma_mapping_error(hwdev, phys))
+                return -ENOMEM;
-        if (phys == 0) {
+        if (!phys) {
-                pci_unmap_page(hwdev, phys, size, direction);
+                pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE);
-                phys = pci_map_page(hwdev, page, offset, size, direction);
+                phys = pci_map_page(hwdev, page, 0, PAGE_SIZE,
+                                    PCI_DMA_FROMDEVICE);
+                if (pci_dma_mapping_error(hwdev, phys))
+                        return -ENOMEM;
                /*
                 * FIXME: If we get 0 again, we should keep this page,
                 * map another, then free the 0 page.
                 */
        }
+        *daddr = phys;
-        return phys;
+        return 0;
 }
 /**
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
index d3f0a384faad..f6b06729f4ea 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -945,6 +945,19 @@ static inline int update_parent_pkey(struct ipoib_dev_priv *priv)
                 */
                priv->dev->broadcast[8] = priv->pkey >> 8;
                priv->dev->broadcast[9] = priv->pkey & 0xff;
+                /*
+                 * Update the broadcast address in the priv->broadcast object,
+                 * in case it already exists, otherwise no one will do that.
+                 */
+                if (priv->broadcast) {
+                        spin_lock_irq(&priv->lock);
+                        memcpy(priv->broadcast->mcmember.mgid.raw,
+                               priv->dev->broadcast + 4,
+                        sizeof(union ib_gid));
+                        spin_unlock_irq(&priv->lock);
+                }
                return 0;
        }
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index bad76eed06b3..fcb18b11db75 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -724,6 +724,22 @@ static void path_rec_completion(int status,
        spin_lock_irqsave(&priv->lock, flags);
        if (!IS_ERR_OR_NULL(ah)) {
+                /*
+                 * pathrec.dgid is used as the database key from the LLADDR,
+                 * it must remain unchanged even if the SA returns a different
+                 * GID to use in the AH.
+                 */
+                if (memcmp(pathrec->dgid.raw, path->pathrec.dgid.raw,
+                           sizeof(union ib_gid))) {
+                        ipoib_dbg(
+                                priv,
+                                "%s got PathRec for gid %pI6 while asked for %pI6\n",
+                                dev->name, pathrec->dgid.raw,
+                                path->pathrec.dgid.raw);
+                        memcpy(pathrec->dgid.raw, path->pathrec.dgid.raw,
+                               sizeof(union ib_gid));
+                }
                path->pathrec = *pathrec;
                old_ah   = path->ah;
@@ -844,8 +860,8 @@ static int path_rec_start(struct net_device *dev,
        return 0;
 }
-static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
+static struct ipoib_neigh *neigh_add_path(struct sk_buff *skb, u8 *daddr,
-                           struct net_device *dev)
+                                          struct net_device *dev)
 {
        struct ipoib_dev_priv *priv = netdev_priv(dev);
        struct ipoib_path *path;
@@ -858,7 +874,15 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
                spin_unlock_irqrestore(&priv->lock, flags);
                ++dev->stats.tx_dropped;
                dev_kfree_skb_any(skb);
-                return;
+                return NULL;
+        }
+        /* To avoid race condition, make sure that the
+         * neigh will be added only once.
+         */
+        if (unlikely(!list_empty(&neigh->list))) {
+                spin_unlock_irqrestore(&priv->lock, flags);
+                return neigh;
        }
        path = __path_find(dev, daddr + 4);
@@ -896,7 +920,7 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
                        spin_unlock_irqrestore(&priv->lock, flags);
                        ipoib_send(dev, skb, path->ah, IPOIB_QPN(daddr));
                        ipoib_neigh_put(neigh);
-                        return;
+                        return NULL;
                }
        } else {
                neigh->ah  = NULL;
@@ -913,7 +937,7 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
        spin_unlock_irqrestore(&priv->lock, flags);
        ipoib_neigh_put(neigh);
-        return;
+        return NULL;
 err_path:
        ipoib_neigh_free(neigh);
@@ -923,6 +947,8 @@ err_drop:
        spin_unlock_irqrestore(&priv->lock, flags);
        ipoib_neigh_put(neigh);
+        return NULL;
 }
 static void unicast_arp_send(struct sk_buff *skb, struct net_device *dev,
@@ -1028,8 +1054,9 @@ static int ipoib_start_xmit(struct sk_buff *skb, struct net_device *dev)
        case htons(ETH_P_TIPC):
                neigh = ipoib_neigh_get(dev, phdr->hwaddr);
                if (unlikely(!neigh)) {
-                        neigh_add_path(skb, phdr->hwaddr, dev);
+                        neigh = neigh_add_path(skb, phdr->hwaddr, dev);
-                        return NETDEV_TX_OK;
+                        if (likely(!neigh))
+                                return NETDEV_TX_OK;
                }
                break;
        case htons(ETH_P_ARP):
@@ -1926,6 +1953,9 @@ static struct net_device *ipoib_add_port(const char *format,
                goto event_failed;
        }
+        /* call event handler to ensure pkey in sync */
+        queue_work(ipoib_workqueue, &priv->flush_heavy);
        result = register_netdev(priv->dev);
        if (result) {
                printk(KERN_WARNING "%s: couldn't register ipoib port %d; error %d\n",
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
index 5580ab0b5781..21e688d55da6 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -473,6 +473,9 @@ static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast)
            !test_bit(IPOIB_FLAG_OPER_UP, &priv->flags))
                return -EINVAL;
+        init_completion(&mcast->done);
+        set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
        ipoib_dbg_mcast(priv, "joining MGID %pI6\n", mcast->mcmember.mgid.raw);
        rec.mgid     = mcast->mcmember.mgid;
@@ -631,8 +634,6 @@ void ipoib_mcast_join_task(struct work_struct *work)
                        if (mcast->backoff == 1 ||
                            time_after_eq(jiffies, mcast->delay_until)) {
                                /* Found the next unjoined group */
-                                init_completion(&mcast->done);
-                                set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
                                if (ipoib_mcast_join(dev, mcast)) {
                                        spin_unlock_irq(&priv->lock);
                                        return;
@@ -652,11 +653,9 @@ out:
                queue_delayed_work(priv->wq, &priv->mcast_task,
                                   delay_until - jiffies);
        }
-        if (mcast) {
+        if (mcast)
-                init_completion(&mcast->done);
-                set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags);
                ipoib_mcast_join(dev, mcast);
-        }
        spin_unlock_irq(&priv->lock);
 }
@@ -775,7 +774,10 @@ void ipoib_mcast_send(struct net_device *dev, u8 *daddr, struct sk_buff *skb)
                spin_lock_irqsave(&priv->lock, flags);
                if (!neigh) {
                        neigh = ipoib_neigh_alloc(daddr, dev);
-                        if (neigh) {
+                        /* Make sure that the neigh will be added only
+                         * once to mcast list.
+                         */
+                        if (neigh && list_empty(&neigh->list)) {
                                kref_get(&mcast->ah->ref);
                                neigh->ah       = mcast->ah;
                                list_add_tail(&neigh->list, &mcast->neigh_list);
diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
index 9a99cee2665a..4fd2892613dd 100644
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -2581,9 +2581,11 @@ static int srp_abort(struct scsi_cmnd *scmnd)
                ret = FAST_IO_FAIL;
        else
                ret = FAILED;
-        srp_free_req(ch, req, scmnd, 0);
+        if (ret == SUCCESS) {
-        scmnd->result = DID_ABORT << 16;
+                srp_free_req(ch, req, scmnd, 0);
-        scmnd->scsi_done(scmnd);
+                scmnd->result = DID_ABORT << 16;
+                scmnd->scsi_done(scmnd);
+        }
        return ret;
 }
@@ -3309,12 +3311,10 @@ static ssize_t srp_create_target(struct device *dev,
                                      num_online_nodes());
                const int ch_end = ((node_idx + 1) * target->ch_count /
                                    num_online_nodes());
-                const int cv_start = (node_idx * ibdev->num_comp_vectors /
+                const int cv_start = node_idx * ibdev->num_comp_vectors /
-                                      num_online_nodes() + target->comp_vector)
+                                     num_online_nodes();
-                                     % ibdev->num_comp_vectors;
+                const int cv_end = (node_idx + 1) * ibdev->num_comp_vectors /
-                const int cv_end = ((node_idx + 1) * ibdev->num_comp_vectors /
+                                   num_online_nodes();
-                                    num_online_nodes() + target->comp_vector)
-                                   % ibdev->num_comp_vectors;
                int cpu_idx = 0;
                for_each_online_cpu(cpu) {
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
index a73874508c3a..cb3a8623ff54 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -2974,12 +2974,8 @@ static void srpt_queue_response(struct se_cmd *cmd)
        }
        spin_unlock_irqrestore(&ioctx->spinlock, flags);
-        if (unlikely(transport_check_aborted_status(&ioctx->cmd, false)
+        if (unlikely(WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT)))
-                     || WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) {
-                atomic_inc(&ch->req_lim_delta);
-                srpt_abort_cmd(ioctx);
                return;
-        }
        dir = ioctx->cmd.data_direction;
diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c
index 766bf2660116..5f04b2d94635 100644
--- a/drivers/input/input-leds.c
+++ b/drivers/input/input-leds.c
@@ -88,6 +88,7 @@ static int input_leds_connect(struct input_handler *handler,
                              const struct input_device_id *id)
 {
        struct input_leds *leds;
+        struct input_led *led;
        unsigned int num_leds;
        unsigned int led_code;
        int led_no;
@@ -119,14 +120,13 @@ static int input_leds_connect(struct input_handler *handler,
        led_no = 0;
        for_each_set_bit(led_code, dev->ledbit, LED_CNT) {
-                struct input_led *led = &leds->leds[led_no];
+                if (!input_led_info[led_code].name)
+                        continue;
+                led = &leds->leds[led_no];
                led->handle = &leds->handle;
                led->code = led_code;
-                if (!input_led_info[led_code].name)
-                        continue;
                led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s",
                                           dev_name(&dev->dev),
                                           input_led_info[led_code].name);
diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c
index fe02f9fc8ecd..d9af20dfb392 100644
--- a/drivers/input/keyboard/matrix_keypad.c
+++ b/drivers/input/keyboard/matrix_keypad.c
@@ -217,8 +217,10 @@ static void matrix_keypad_stop(struct input_dev *dev)
 {
        struct matrix_keypad *keypad = input_get_drvdata(dev);
+        spin_lock_irq(&keypad->lock);
        keypad->stopped = true;
-        mb();
+        spin_unlock_irq(&keypad->lock);
        flush_work(&keypad->work.work);
        /*
         * matrix_keypad_scan() will leave IRQs enabled;
diff --git a/drivers/input/keyboard/qt1070.c b/drivers/input/keyboard/qt1070.c
index 5a5778729e37..76bb51309a78 100644
--- a/drivers/input/keyboard/qt1070.c
+++ b/drivers/input/keyboard/qt1070.c
@@ -274,9 +274,18 @@ static const struct i2c_device_id qt1070_id[] = {
 };
 MODULE_DEVICE_TABLE(i2c, qt1070_id);
+#ifdef CONFIG_OF
+static const struct of_device_id qt1070_of_match[] = {
+        { .compatible = "qt1070", },
+        { },
+};
+MODULE_DEVICE_TABLE(of, qt1070_of_match);
+#endif
 static struct i2c_driver qt1070_driver = {
        .driver = {
                .name   = "qt1070",
+                .of_match_table = of_match_ptr(qt1070_of_match),
                .pm     = &qt1070_pm_ops,
        },
        .id_table       = qt1070_id,
diff --git a/drivers/input/keyboard/tca8418_keypad.c b/drivers/input/keyboard/tca8418_keypad.c
index 9002298698fc..a5e8998047fe 100644
--- a/drivers/input/keyboard/tca8418_keypad.c
+++ b/drivers/input/keyboard/tca8418_keypad.c
@@ -164,11 +164,18 @@ static void tca8418_read_keypad(struct tca8418_keypad *keypad_data)
        int error, col, row;
        u8 reg, state, code;
-        /* Initial read of the key event FIFO */
+        do {
-        error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, &reg);
+                error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, &reg);
+                if (error < 0) {
+                        dev_err(&keypad_data->client->dev,
+                                "unable to read REG_KEY_EVENT_A\n");
+                        break;
+                }
+                /* Assume that key code 0 signifies empty FIFO */
+                if (reg <= 0)
+                        break;
-        /* Assume that key code 0 signifies empty FIFO */
-        while (error >= 0 && reg > 0) {
                state = reg & KEY_EVENT_VALUE;
                code  = reg & KEY_EVENT_CODE;
@@ -182,13 +189,7 @@ static void tca8418_read_keypad(struct tca8418_keypad *keypad_data)
                input_event(input, EV_MSC, MSC_SCAN, code);
                input_report_key(input, keymap[code], state);
-                /* Read for next loop */
+        } while (1);
-                error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, &reg);
-        }
-        if (error < 0)
-                dev_err(&keypad_data->client->dev,
-                        "unable to read REG_KEY_EVENT_A\n");
        input_sync(input);
 }
diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c
index 930424e55439..251d64ca41ce 100644
--- a/drivers/input/misc/drv260x.c
+++ b/drivers/input/misc/drv260x.c
@@ -521,7 +521,7 @@ static int drv260x_probe(struct i2c_client *client,
        if (!haptics)
                return -ENOMEM;
-        haptics->rated_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
+        haptics->overdrive_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
        haptics->rated_voltage = DRV260X_DEF_RATED_VOLT;
        if (pdata) {
diff --git a/drivers/input/misc/twl4030-pwrbutton.c b/drivers/input/misc/twl4030-pwrbutton.c
index 603fc2fadf05..12b20840fb74 100644
--- a/drivers/input/misc/twl4030-pwrbutton.c
+++ b/drivers/input/misc/twl4030-pwrbutton.c
@@ -70,7 +70,7 @@ static int twl4030_pwrbutton_probe(struct platform_device *pdev)
        pwr->phys = "twl4030_pwrbutton/input0";
        pwr->dev.parent = &pdev->dev;
-        err = devm_request_threaded_irq(&pwr->dev, irq, NULL, powerbutton_irq,
+        err = devm_request_threaded_irq(&pdev->dev, irq, NULL, powerbutton_irq,
                        IRQF_TRIGGER_FALLING | IRQF_TRIGGER_RISING |
                        IRQF_ONESHOT,
                        "twl4030_pwrbutton", pwr);
diff --git a/drivers/input/mouse/elan_i2c.h b/drivers/input/mouse/elan_i2c.h
index c0ec26118732..83dd0ce3ad2a 100644
--- a/drivers/input/mouse/elan_i2c.h
+++ b/drivers/input/mouse/elan_i2c.h
@@ -27,6 +27,8 @@
 #define ETP_DISABLE_POWER       0x0001
 #define ETP_PRESSURE_OFFSET     25
+#define ETP_CALIBRATE_MAX_LEN   3
 /* IAP Firmware handling */
 #define ETP_PRODUCT_ID_FORMAT_STRING    "%d.0"
 #define ETP_FW_NAME             "elan_i2c_" ETP_PRODUCT_ID_FORMAT_STRING ".bin"
diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
index c9d491bc85e0..a716482774db 100644
--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -595,7 +595,7 @@ static ssize_t calibrate_store(struct device *dev,
        int tries = 20;
        int retval;
        int error;
-        u8 val[3];
+        u8 val[ETP_CALIBRATE_MAX_LEN];
        retval = mutex_lock_interruptible(&data->sysfs_mutex);
        if (retval)
@@ -1082,6 +1082,13 @@ static int elan_probe(struct i2c_client *client,
                return error;
        }
+        /* Make sure there is something at this address */
+        error = i2c_smbus_read_byte(client);
+        if (error < 0) {
+                dev_dbg(&client->dev, "nothing at this address: %d\n", error);
+                return -ENXIO;
+        }
        /* Initialize the touchpad. */
        error = elan_initialize(data);
        if (error)
@@ -1242,6 +1249,10 @@ static const struct acpi_device_id elan_acpi_id[] = {
        { "ELAN060B", 0 },
        { "ELAN060C", 0 },
        { "ELAN0611", 0 },
+        { "ELAN0612", 0 },
+        { "ELAN0618", 0 },
+        { "ELAN061D", 0 },
+        { "ELAN0622", 0 },
        { "ELAN1000", 0 },
        { }
 };
diff --git a/drivers/input/mouse/elan_i2c_i2c.c b/drivers/input/mouse/elan_i2c_i2c.c
index a679e56c44cd..765879dcaf85 100644
--- a/drivers/input/mouse/elan_i2c_i2c.c
+++ b/drivers/input/mouse/elan_i2c_i2c.c
@@ -557,7 +557,14 @@ static int elan_i2c_finish_fw_update(struct i2c_client *client,
        long ret;
        int error;
        int len;
-        u8 buffer[ETP_I2C_INF_LENGTH];
+        u8 buffer[ETP_I2C_REPORT_LEN];
+        len = i2c_master_recv(client, buffer, ETP_I2C_REPORT_LEN);
+        if (len != ETP_I2C_REPORT_LEN) {
+                error = len < 0 ? len : -EIO;
+                dev_warn(dev, "failed to read I2C data after FW WDT reset: %d (%d)\n",
+                        error, len);
+        }
        reinit_completion(completion);
        enable_irq(client->irq);
diff --git a/drivers/input/mouse/elan_i2c_smbus.c b/drivers/input/mouse/elan_i2c_smbus.c
index cb6aecbc1dc2..2ac85f5cbf31 100644
--- a/drivers/input/mouse/elan_i2c_smbus.c
+++ b/drivers/input/mouse/elan_i2c_smbus.c
@@ -56,7 +56,7 @@
 static int elan_smbus_initialize(struct i2c_client *client)
 {
        u8 check[ETP_SMBUS_HELLOPACKET_LEN] = { 0x55, 0x55, 0x55, 0x55, 0x55 };
-        u8 values[ETP_SMBUS_HELLOPACKET_LEN] = { 0, 0, 0, 0, 0 };
+        u8 values[I2C_SMBUS_BLOCK_MAX] = {0};
        int len, error;
        /* Get hello packet */
@@ -117,12 +117,16 @@ static int elan_smbus_calibrate(struct i2c_client *client)
 static int elan_smbus_calibrate_result(struct i2c_client *client, u8 *val)
 {
        int error;
+        u8 buf[I2C_SMBUS_BLOCK_MAX] = {0};
+        BUILD_BUG_ON(ETP_CALIBRATE_MAX_LEN > sizeof(buf));
        error = i2c_smbus_read_block_data(client,
-                                          ETP_SMBUS_CALIBRATE_QUERY, val);
+                                          ETP_SMBUS_CALIBRATE_QUERY, buf);
        if (error < 0)
                return error;
+        memcpy(val, buf, ETP_CALIBRATE_MAX_LEN);
        return 0;
 }
@@ -130,7 +134,7 @@ static int elan_smbus_get_baseline_data(struct i2c_client *client,
                                        bool max_baseline, u8 *value)
 {
        int error;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        error = i2c_smbus_read_block_data(client,
                                          max_baseline ?
@@ -149,7 +153,7 @@ static int elan_smbus_get_version(struct i2c_client *client,
                                  bool iap, u8 *version)
 {
        int error;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        error = i2c_smbus_read_block_data(client,
                                          iap ? ETP_SMBUS_IAP_VERSION_CMD :
@@ -169,7 +173,7 @@ static int elan_smbus_get_sm_version(struct i2c_client *client,
                                     u8 *ic_type, u8 *version)
 {
        int error;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        error = i2c_smbus_read_block_data(client,
                                          ETP_SMBUS_SM_VERSION_CMD, val);
@@ -186,7 +190,7 @@ static int elan_smbus_get_sm_version(struct i2c_client *client,
 static int elan_smbus_get_product_id(struct i2c_client *client, u16 *id)
 {
        int error;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        error = i2c_smbus_read_block_data(client,
                                          ETP_SMBUS_UNIQUEID_CMD, val);
@@ -203,7 +207,7 @@ static int elan_smbus_get_checksum(struct i2c_client *client,
                                   bool iap, u16 *csum)
 {
        int error;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        error = i2c_smbus_read_block_data(client,
                                          iap ? ETP_SMBUS_FW_CHECKSUM_CMD :
@@ -223,7 +227,7 @@ static int elan_smbus_get_max(struct i2c_client *client,
                              unsigned int *max_x, unsigned int *max_y)
 {
        int error;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        error = i2c_smbus_read_block_data(client, ETP_SMBUS_RANGE_CMD, val);
        if (error) {
@@ -241,7 +245,7 @@ static int elan_smbus_get_resolution(struct i2c_client *client,
                                     u8 *hw_res_x, u8 *hw_res_y)
 {
        int error;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        error = i2c_smbus_read_block_data(client,
                                          ETP_SMBUS_RESOLUTION_CMD, val);
@@ -261,7 +265,7 @@ static int elan_smbus_get_num_traces(struct i2c_client *client,
                                     unsigned int *y_traces)
 {
        int error;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        error = i2c_smbus_read_block_data(client,
                                          ETP_SMBUS_XY_TRACENUM_CMD, val);
@@ -288,7 +292,7 @@ static int elan_smbus_iap_get_mode(struct i2c_client *client,
 {
        int error;
        u16 constant;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        error = i2c_smbus_read_block_data(client, ETP_SMBUS_IAP_CTRL_CMD, val);
        if (error < 0) {
@@ -339,7 +343,7 @@ static int elan_smbus_prepare_fw_update(struct i2c_client *client)
        int len;
        int error;
        enum tp_mode mode;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        u8 cmd[4] = {0x0F, 0x78, 0x00, 0x06};
        u16 password;
@@ -413,7 +417,7 @@ static int elan_smbus_write_fw_block(struct i2c_client *client,
        struct device *dev = &client->dev;
        int error;
        u16 result;
-        u8 val[3];
+        u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
        /*
         * Due to the limitation of smbus protocol limiting
@@ -466,6 +470,8 @@ static int elan_smbus_get_report(struct i2c_client *client, u8 *report)
 {
        int len;
+        BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN);
        len = i2c_smbus_read_block_data(client,
                                        ETP_SMBUS_PACKET_QUERY,
                                        &report[ETP_SMBUS_REPORT_OFFSET]);
diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
index 51b96e9bf793..174bb52c578b 100644
--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -804,7 +804,7 @@ static int elantech_packet_check_v4(struct psmouse *psmouse)
        else if (ic_version == 7 && etd->samples[1] == 0x2A)
                sanity_check = ((packet[3] & 0x1c) == 0x10);
        else
-                sanity_check = ((packet[0] & 0x0c) == 0x04 &&
+                sanity_check = ((packet[0] & 0x08) == 0x00 &&
                                (packet[3] & 0x1c) == 0x10);
        if (!sanity_check)
@@ -1177,6 +1177,12 @@ static const struct dmi_system_id elantech_dmi_has_middle_button[] = {
        { }
 };
+static const char * const middle_button_pnp_ids[] = {
+        "LEN2131", /* ThinkPad P52 w/ NFC */
+        "LEN2132", /* ThinkPad P52 */
+        NULL
+};
 /*
 * Set the appropriate event bits for the input subsystem
 */
@@ -1196,7 +1202,8 @@ static int elantech_set_input_params(struct psmouse *psmouse)
        __clear_bit(EV_REL, dev->evbit);
        __set_bit(BTN_LEFT, dev->keybit);
-        if (dmi_check_system(elantech_dmi_has_middle_button))
+        if (dmi_check_system(elantech_dmi_has_middle_button) ||
+                        psmouse_matches_pnp_id(psmouse, middle_button_pnp_ids))
                __set_bit(BTN_MIDDLE, dev->keybit);
        __set_bit(BTN_RIGHT, dev->keybit);
@@ -1715,6 +1722,17 @@ int elantech_init(struct psmouse *psmouse)
                             etd->samples[0], etd->samples[1], etd->samples[2]);
        }
+        if (etd->samples[1] == 0x74 && etd->hw_version == 0x03) {
+                /*
+                 * This module has a bug which makes absolute mode
+                 * unusable, so let's abort so we'll be using standard
+                 * PS/2 protocol.
+                 */
+                psmouse_info(psmouse,
+                             "absolute mode broken, forcing standard PS/2 protocol\n");
+                goto init_fail;
+        }
        if (elantech_set_absolute_mode(psmouse)) {
                psmouse_err(psmouse,
                            "failed to put touchpad into absolute mode.\n");
diff --git a/drivers/input/mouse/trackpoint.c b/drivers/input/mouse/trackpoint.c
index 7e2dc5e56632..0b49f29bf0da 100644
--- a/drivers/input/mouse/trackpoint.c
+++ b/drivers/input/mouse/trackpoint.c
@@ -383,6 +383,9 @@ int trackpoint_detect(struct psmouse *psmouse, bool set_properties)
        if (trackpoint_read(&psmouse->ps2dev, TP_EXT_BTN, &button_info)) {
                psmouse_warn(psmouse, "failed to get extended button data, assuming 3 buttons\n");
                button_info = 0x33;
+        } else if (!button_info) {
+                psmouse_warn(psmouse, "got 0 in extended button data, assuming 3 buttons\n");
+                button_info = 0x33;
        }
        psmouse->private = kzalloc(sizeof(struct trackpoint_data), GFP_KERNEL);
diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c
index b604564dec5c..30328e57fdda 100644
--- a/drivers/input/mousedev.c
+++ b/drivers/input/mousedev.c
@@ -15,6 +15,7 @@
 #define MOUSEDEV_MINORS         31
 #define MOUSEDEV_MIX            63
+#include <linux/bitops.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/poll.h>
@@ -103,7 +104,7 @@ struct mousedev_client {
        spinlock_t packet_lock;
        int pos_x, pos_y;
-        signed char ps2[6];
+        u8 ps2[6];
        unsigned char ready, buffer, bufsiz;
        unsigned char imexseq, impsseq;
        enum mousedev_emul mode;
@@ -291,11 +292,10 @@ static void mousedev_notify_readers(struct mousedev *mousedev,
                }
                client->pos_x += packet->dx;
-                client->pos_x = client->pos_x < 0 ?
+                client->pos_x = clamp_val(client->pos_x, 0, xres);
-                        0 : (client->pos_x >= xres ? xres : client->pos_x);
                client->pos_y += packet->dy;
-                client->pos_y = client->pos_y < 0 ?
+                client->pos_y = clamp_val(client->pos_y, 0, yres);
-                        0 : (client->pos_y >= yres ? yres : client->pos_y);
                p->dx += packet->dx;
                p->dy += packet->dy;
@@ -571,44 +571,50 @@ static int mousedev_open(struct inode *inode, struct file *file)
        return error;
 }
-static inline int mousedev_limit_delta(int delta, int limit)
+static void mousedev_packet(struct mousedev_client *client, u8 *ps2_data)
-{
-        return delta > limit ? limit : (delta < -limit ? -limit : delta);
-}
-static void mousedev_packet(struct mousedev_client *client,
-                            signed char *ps2_data)
 {
        struct mousedev_motion *p = &client->packets[client->tail];
+        s8 dx, dy, dz;
+        dx = clamp_val(p->dx, -127, 127);
+        p->dx -= dx;
+        dy = clamp_val(p->dy, -127, 127);
+        p->dy -= dy;
-        ps2_data[0] = 0x08 |
+        ps2_data[0] = BIT(3);
-                ((p->dx < 0) << 4) | ((p->dy < 0) << 5) | (p->buttons & 0x07);
+        ps2_data[0] |= ((dx & BIT(7)) >> 3) | ((dy & BIT(7)) >> 2);
-        ps2_data[1] = mousedev_limit_delta(p->dx, 127);
+        ps2_data[0] |= p->buttons & 0x07;
-        ps2_data[2] = mousedev_limit_delta(p->dy, 127);
+        ps2_data[1] = dx;
-        p->dx -= ps2_data[1];
+        ps2_data[2] = dy;
-        p->dy -= ps2_data[2];
        switch (client->mode) {
        case MOUSEDEV_EMUL_EXPS:
-                ps2_data[3] = mousedev_limit_delta(p->dz, 7);
+                dz = clamp_val(p->dz, -7, 7);
-                p->dz -= ps2_data[3];
+                p->dz -= dz;
-                ps2_data[3] = (ps2_data[3] & 0x0f) | ((p->buttons & 0x18) << 1);
+                ps2_data[3] = (dz & 0x0f) | ((p->buttons & 0x18) << 1);
                client->bufsiz = 4;
                break;
        case MOUSEDEV_EMUL_IMPS:
-                ps2_data[0] |=
+                dz = clamp_val(p->dz, -127, 127);
-                        ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1);
+                p->dz -= dz;
-                ps2_data[3] = mousedev_limit_delta(p->dz, 127);
-                p->dz -= ps2_data[3];
+                ps2_data[0] |= ((p->buttons & 0x10) >> 3) |
+                               ((p->buttons & 0x08) >> 1);
+                ps2_data[3] = dz;
                client->bufsiz = 4;
                break;
        case MOUSEDEV_EMUL_PS2:
        default:
-                ps2_data[0] |=
-                        ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1);
                p->dz = 0;
+                ps2_data[0] |= ((p->buttons & 0x10) >> 3) |
+                               ((p->buttons & 0x08) >> 1);
                client->bufsiz = 3;
                break;
        }
@@ -714,7 +720,7 @@ static ssize_t mousedev_read(struct file *file, char __user *buffer,
 {
        struct mousedev_client *client = file->private_data;
        struct mousedev *mousedev = client->mousedev;
-        signed char data[sizeof(client->ps2)];
+        u8 data[sizeof(client->ps2)];
        int retval = 0;
        if (!client->ready && !client->buffer && mousedev->exist &&
diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
index d1051e3ce819..34be09651ee8 100644
--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -527,6 +527,27 @@ static const struct dmi_system_id __initconst i8042_dmi_nomux_table[] = {
                        DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"),
                },
        },
+        {
+                /* Lenovo LaVie Z */
+                .matches = {
+                        DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+                        DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"),
+                },
+        },
+        { }
+};
+static const struct dmi_system_id i8042_dmi_forcemux_table[] __initconst = {
+        {
+                /*
+                 * Sony Vaio VGN-CS series require MUX or the touch sensor
+                 * buttons will disturb touchpad operation
+                 */
+                .matches = {
+                        DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"),
+                        DMI_MATCH(DMI_PRODUCT_NAME, "VGN-CS"),
+                },
+        },
        { }
 };
@@ -693,6 +714,13 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
                },
        },
        {
+                /* Lenovo ThinkPad L460 */
+                .matches = {
+                        DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+                        DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L460"),
+                },
+        },
+        {
                /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */
                .matches = {
                        DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
@@ -1223,6 +1251,9 @@ static int __init i8042_platform_init(void)
        if (dmi_check_system(i8042_dmi_nomux_table))
                i8042_nomux = true;
+        if (dmi_check_system(i8042_dmi_forcemux_table))
+                i8042_nomux = false;
        if (dmi_check_system(i8042_dmi_notimeout_table))
                i8042_notimeout = true;
diff --git a/drivers/input/touchscreen/ar1021_i2c.c b/drivers/input/touchscreen/ar1021_i2c.c
index 71b5a634cf6d..e7bb155911d0 100644
--- a/drivers/input/touchscreen/ar1021_i2c.c
+++ b/drivers/input/touchscreen/ar1021_i2c.c
@@ -152,7 +152,7 @@ static int __maybe_unused ar1021_i2c_resume(struct device *dev)
 static SIMPLE_DEV_PM_OPS(ar1021_i2c_pm, ar1021_i2c_suspend, ar1021_i2c_resume);
 static const struct i2c_device_id ar1021_i2c_id[] = {
-        { "MICROCHIP_AR1021_I2C", 0 },
+        { "ar1021", 0 },
        { },
 };
 MODULE_DEVICE_TABLE(i2c, ar1021_i2c_id);
diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
index 2d5794ec338b..88dfe3008cf4 100644
--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -2523,6 +2523,15 @@ static const struct dmi_system_id mxt_dmi_table[] = {
                .driver_data = samus_platform_data,
        },
        {
+                /* Samsung Chromebook Pro */
+                .ident = "Samsung Chromebook Pro",
+                .matches = {
+                        DMI_MATCH(DMI_SYS_VENDOR, "Google"),
+                        DMI_MATCH(DMI_PRODUCT_NAME, "Caroline"),
+                },
+                .driver_data = samus_platform_data,
+        },
+        {
                /* Other Google Chromebooks */
                .ident = "Chromebook",
                .matches = {
diff --git a/drivers/input/touchscreen/goodix.c b/drivers/input/touchscreen/goodix.c
index a27f0d7107af..eef7caa9e625 100644
--- a/drivers/input/touchscreen/goodix.c
+++ b/drivers/input/touchscreen/goodix.c
@@ -846,6 +846,7 @@ MODULE_DEVICE_TABLE(i2c, goodix_ts_id);
 #ifdef CONFIG_ACPI
 static const struct acpi_device_id goodix_acpi_match[] = {
        { "GDIX1001", 0 },
+        { "GDIX1002", 0 },
        { }
 };
 MODULE_DEVICE_TABLE(acpi, goodix_acpi_match);
diff --git a/drivers/input/touchscreen/tsc2007.c b/drivers/input/touchscreen/tsc2007.c
index 5d0cd51c6f41..a4b7b4c3d27b 100644
--- a/drivers/input/touchscreen/tsc2007.c
+++ b/drivers/input/touchscreen/tsc2007.c
@@ -455,6 +455,14 @@ static int tsc2007_probe(struct i2c_client *client,
        tsc2007_stop(ts);
+        /* power down the chip (TSC2007_SETUP does not ACK on I2C) */
+        err = tsc2007_xfer(ts, PWRDOWN);
+        if (err < 0) {
+                dev_err(&client->dev,
+                        "Failed to setup chip: %d\n", err);
+                return err;     /* usually, chip does not respond */
+        }
        err = input_register_device(input_dev);
        if (err) {
                dev_err(&client->dev,
diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
index f929879ecae6..10068a481e22 100644
--- a/drivers/iommu/intel-svm.c
+++ b/drivers/iommu/intel-svm.c
@@ -127,6 +127,7 @@ int intel_svm_enable_prq(struct intel_iommu *iommu)
                pr_err("IOMMU: %s: Failed to request IRQ for page request queue\n",
                       iommu->name);
                dmar_free_hwirq(irq);
+                iommu->pr_irq = 0;
                goto err;
        }
        dmar_writeq(iommu->reg + DMAR_PQH_REG, 0ULL);
@@ -142,9 +143,11 @@ int intel_svm_finish_prq(struct intel_iommu *iommu)
        dmar_writeq(iommu->reg + DMAR_PQT_REG, 0ULL);
        dmar_writeq(iommu->reg + DMAR_PQA_REG, 0ULL);
-        free_irq(iommu->pr_irq, iommu);
+        if (iommu->pr_irq) {
-        dmar_free_hwirq(iommu->pr_irq);
+                free_irq(iommu->pr_irq, iommu);
-        iommu->pr_irq = 0;
+                dmar_free_hwirq(iommu->pr_irq);
+                iommu->pr_irq = 0;
+        }
        free_pages((unsigned long)iommu->prq, PRQ_ORDER);
        iommu->prq = NULL;
@@ -386,6 +389,7 @@ int intel_svm_bind_mm(struct device *dev, int *pasid, int flags, struct svm_dev_
                                pasid_max - 1, GFP_KERNEL);
                if (ret < 0) {
                        kfree(svm);
+                        kfree(sdev);
                        goto out;
                }
                svm->pasid = ret;
diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
index e9b241b1c9dd..ac596928f6b4 100644
--- a/drivers/iommu/intel_irq_remapping.c
+++ b/drivers/iommu/intel_irq_remapping.c
@@ -753,7 +753,7 @@ static inline void set_irq_posting_cap(void)
                 * should have X86_FEATURE_CX16 support, this has been confirmed
                 * with Intel hardware guys.
                 */
-                if ( cpu_has_cx16 )
+                if (boot_cpu_has(X86_FEATURE_CX16))
                        intel_irq_remap_ops.capability |= 1 << IRQ_POSTING_CAP;
                for_each_iommu(iommu, drhd)
diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
index fa0adef32bd6..62739766b60b 100644
--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -126,7 +126,7 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad,
                                break;  /* found a free slot */
                }
 adjust_limit_pfn:
-                limit_pfn = curr_iova->pfn_lo - 1;
+                limit_pfn = curr_iova->pfn_lo ? (curr_iova->pfn_lo - 1) : 0;
 move_left:
                prev = curr;
                curr = rb_prev(curr);
diff --git a/drivers/iommu/omap-iommu.c b/drivers/iommu/omap-iommu.c
index 4cb603e5ba70..0120366efcf1 100644
--- a/drivers/iommu/omap-iommu.c
+++ b/drivers/iommu/omap-iommu.c
@@ -1689,6 +1689,7 @@ static int __init omap_iommu_init(void)
        const unsigned long flags = SLAB_HWCACHE_ALIGN;
        size_t align = 1 << 10; /* L2 pagetable alignement */
        struct device_node *np;
+        int ret;
        np = of_find_matching_node(NULL, omap_iommu_of_match);
        if (!np)
@@ -1702,11 +1703,25 @@ static int __init omap_iommu_init(void)
                return -ENOMEM;
        iopte_cachep = p;
-        bus_set_iommu(&platform_bus_type, &omap_iommu_ops);
        omap_iommu_debugfs_init();
-        return platform_driver_register(&omap_iommu_driver);
+        ret = platform_driver_register(&omap_iommu_driver);
+        if (ret) {
+                pr_err("%s: failed to register driver\n", __func__);
+                goto fail_driver;
+        }
+        ret = bus_set_iommu(&platform_bus_type, &omap_iommu_ops);
+        if (ret)
+                goto fail_bus;
+        return 0;
+fail_bus:
+        platform_driver_unregister(&omap_iommu_driver);
+fail_driver:
+        kmem_cache_destroy(iopte_cachep);
+        return ret;
 }
 subsys_initcall(omap_iommu_init);
 /* must be ready before omap3isp is probed */
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index c5f1757ac61d..82e00e3ad0e0 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -663,7 +663,7 @@ static struct irq_chip its_irq_chip = {
 * This gives us (((1UL << id_bits) - 8192) >> 5) possible allocations.
 */
 #define IRQS_PER_CHUNK_SHIFT    5
-#define IRQS_PER_CHUNK          (1 << IRQS_PER_CHUNK_SHIFT)
+#define IRQS_PER_CHUNK          (1UL << IRQS_PER_CHUNK_SHIFT)
 static unsigned long *lpi_bitmap;
 static u32 lpi_chunks;
@@ -1168,11 +1168,10 @@ static struct its_device *its_create_device(struct its_node *its, u32 dev_id,
        dev = kzalloc(sizeof(*dev), GFP_KERNEL);
        /*
-         * At least one bit of EventID is being used, hence a minimum
+         * We allocate at least one chunk worth of LPIs bet device,
-         * of two entries. No, the architecture doesn't let you
+         * and thus that many ITEs. The device may require less though.
-         * express an ITT with a single entry.
         */
-        nr_ites = max(2UL, roundup_pow_of_two(nvecs));
+        nr_ites = max(IRQS_PER_CHUNK, roundup_pow_of_two(nvecs));
        sz = nr_ites * its->ite_size;
        sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
        itt = kzalloc(sz, GFP_KERNEL);
diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
index 5a1490b046ac..9ab424b9b281 100644
--- a/drivers/irqchip/irq-gic-v3.c
+++ b/drivers/irqchip/irq-gic-v3.c
@@ -589,7 +589,7 @@ static void gic_send_sgi(u64 cluster_id, u16 tlist, unsigned int irq)
               MPIDR_TO_SGI_AFFINITY(cluster_id, 1)     |
               tlist << ICC_SGI1R_TARGET_LIST_SHIFT);
-        pr_debug("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val);
+        pr_devel("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val);
        gic_write_sgi1r(val);
 }
@@ -604,7 +604,7 @@ static void gic_raise_softirq(const struct cpumask *mask, unsigned int irq)
         * Ensure that stores to Normal memory are visible to the
         * other CPUs before issuing the IPI.
         */
-        smp_wmb();
+        wmb();
        for_each_cpu(cpu, mask) {
                unsigned long cluster_id = cpu_logical_map(cpu) & ~0xffUL;
diff --git a/drivers/isdn/hardware/eicon/diva.c b/drivers/isdn/hardware/eicon/diva.c
index d91dd580e978..37aaea88a6ad 100644
--- a/drivers/isdn/hardware/eicon/diva.c
+++ b/drivers/isdn/hardware/eicon/diva.c
@@ -387,10 +387,10 @@ void divasa_xdi_driver_unload(void)
 **  Receive and process command from user mode utility
 */
 void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
-                            int length,
+                            int length, void *mptr,
                            divas_xdi_copy_from_user_fn_t cp_fn)
 {
-        diva_xdi_um_cfg_cmd_t msg;
+        diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
        diva_os_xdi_adapter_t *a = NULL;
        diva_os_spin_lock_magic_t old_irql;
        struct list_head *tmp;
@@ -400,21 +400,21 @@ void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
                         length, sizeof(diva_xdi_um_cfg_cmd_t)))
                        return NULL;
        }
-        if ((*cp_fn) (os_handle, &msg, src, sizeof(msg)) <= 0) {
+        if ((*cp_fn) (os_handle, msg, src, sizeof(*msg)) <= 0) {
                DBG_ERR(("A: A(?) open, write error"))
                        return NULL;
        }
        diva_os_enter_spin_lock(&adapter_lock, &old_irql, "open_adapter");
        list_for_each(tmp, &adapter_queue) {
                a = list_entry(tmp, diva_os_xdi_adapter_t, link);
-                if (a->controller == (int)msg.adapter)
+                if (a->controller == (int)msg->adapter)
                        break;
                a = NULL;
        }
        diva_os_leave_spin_lock(&adapter_lock, &old_irql, "open_adapter");
        if (!a) {
-                DBG_ERR(("A: A(%d) open, adapter not found", msg.adapter))
+                DBG_ERR(("A: A(%d) open, adapter not found", msg->adapter))
                        }
        return (a);
@@ -436,8 +436,10 @@ void diva_xdi_close_adapter(void *adapter, void *os_handle)
 int
 diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
-               int length, divas_xdi_copy_from_user_fn_t cp_fn)
+               int length, void *mptr,
+               divas_xdi_copy_from_user_fn_t cp_fn)
 {
+        diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
        diva_os_xdi_adapter_t *a = (diva_os_xdi_adapter_t *) adapter;
        void *data;
@@ -458,7 +460,13 @@ diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
                        return (-2);
        }
-        length = (*cp_fn) (os_handle, data, src, length);
+        if (msg) {
+                *(diva_xdi_um_cfg_cmd_t *)data = *msg;
+                length = (*cp_fn) (os_handle, (char *)data + sizeof(*msg),
+                                   src + sizeof(*msg), length - sizeof(*msg));
+        } else {
+                length = (*cp_fn) (os_handle, data, src, length);
+        }
        if (length > 0) {
                if ((*(a->interface.cmd_proc))
                    (a, (diva_xdi_um_cfg_cmd_t *) data, length)) {
diff --git a/drivers/isdn/hardware/eicon/diva.h b/drivers/isdn/hardware/eicon/diva.h
index e979085d1b89..a0a607c0c32e 100644
--- a/drivers/isdn/hardware/eicon/diva.h
+++ b/drivers/isdn/hardware/eicon/diva.h
@@ -19,10 +19,11 @@ int diva_xdi_read(void *adapter, void *os_handle, void __user *dst,
                  int max_length, divas_xdi_copy_to_user_fn_t cp_fn);
 int diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
-                   int length, divas_xdi_copy_from_user_fn_t cp_fn);
+                   int length, void *msg,
+                   divas_xdi_copy_from_user_fn_t cp_fn);
 void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
-                            int length,
+                            int length, void *msg,
                            divas_xdi_copy_from_user_fn_t cp_fn);
 void diva_xdi_close_adapter(void *adapter, void *os_handle);
diff --git a/drivers/isdn/hardware/eicon/divasmain.c b/drivers/isdn/hardware/eicon/divasmain.c
index a2e0ed6c9a4d..91bd2ba0bdd8 100644
--- a/drivers/isdn/hardware/eicon/divasmain.c
+++ b/drivers/isdn/hardware/eicon/divasmain.c
@@ -591,19 +591,22 @@ static int divas_release(struct inode *inode, struct file *file)
 static ssize_t divas_write(struct file *file, const char __user *buf,
                           size_t count, loff_t *ppos)
 {
+        diva_xdi_um_cfg_cmd_t msg;
        int ret = -EINVAL;
        if (!file->private_data) {
                file->private_data = diva_xdi_open_adapter(file, buf,
-                                                           count,
+                                                           count, &msg,
                                                           xdi_copy_from_user);
-        }
+                if (!file->private_data)
-        if (!file->private_data) {
+                        return (-ENODEV);
-                return (-ENODEV);
+                ret = diva_xdi_write(file->private_data, file,
+                                     buf, count, &msg, xdi_copy_from_user);
+        } else {
+                ret = diva_xdi_write(file->private_data, file,
+                                     buf, count, NULL, xdi_copy_from_user);
        }
-        ret = diva_xdi_write(file->private_data, file,
-                             buf, count, xdi_copy_from_user);
        switch (ret) {
        case -1:                /* Message should be removed from rx mailbox first */
                ret = -EBUSY;
@@ -622,11 +625,12 @@ static ssize_t divas_write(struct file *file, const char __user *buf,
 static ssize_t divas_read(struct file *file, char __user *buf,
                          size_t count, loff_t *ppos)
 {
+        diva_xdi_um_cfg_cmd_t msg;
        int ret = -EINVAL;
        if (!file->private_data) {
                file->private_data = diva_xdi_open_adapter(file, buf,
-                                                           count,
+                                                           count, &msg,
                                                           xdi_copy_from_user);
        }
        if (!file->private_data) {
diff --git a/drivers/isdn/hardware/eicon/message.c b/drivers/isdn/hardware/eicon/message.c
index 7b4ddf0a39ec..2d28530b7e82 100644
--- a/drivers/isdn/hardware/eicon/message.c
+++ b/drivers/isdn/hardware/eicon/message.c
@@ -147,7 +147,7 @@ static word plci_remove_check(PLCI *);
 static void listen_check(DIVA_CAPI_ADAPTER *);
 static byte AddInfo(byte **, byte **, byte *, byte *);
 static byte getChannel(API_PARSE *);
-static void IndParse(PLCI *, word *, byte **, byte);
+static void IndParse(PLCI *, const word *, byte **, byte);
 static byte ie_compare(byte *, byte *);
 static word find_cip(DIVA_CAPI_ADAPTER *, byte *, byte *);
 static word CPN_filter_ok(byte *cpn, DIVA_CAPI_ADAPTER *, word);
@@ -4860,7 +4860,7 @@ static void sig_ind(PLCI *plci)
        /* included before the ESC_MSGTYPE and MAXPARMSIDS has to be incremented */
        /* SMSG is situated at the end because its 0 (for compatibility reasons */
        /* (see Info_Mask Bit 4, first IE. then the message type)           */
-        word parms_id[] =
+        static const word parms_id[] =
                {MAXPARMSIDS, CPN, 0xff, DSA, OSA, BC, LLC, HLC, ESC_CAUSE, DSP, DT, CHA,
                 UUI, CONG_RR, CONG_RNR, ESC_CHI, KEY, CHI, CAU, ESC_LAW,
                 RDN, RDX, CONN_NR, RIN, NI, CAI, ESC_CR,
@@ -4868,12 +4868,12 @@ static void sig_ind(PLCI *plci)
        /* 14 FTY repl by ESC_CHI */
        /* 18 PI  repl by ESC_LAW */
        /* removed OAD changed to 0xff for future use, OAD is multiIE now */
-        word multi_fac_id[] = {1, FTY};
+        static const word multi_fac_id[] = {1, FTY};
-        word multi_pi_id[]  = {1, PI};
+        static const word multi_pi_id[]  = {1, PI};
-        word multi_CiPN_id[]  = {1, OAD};
+        static const word multi_CiPN_id[]  = {1, OAD};
-        word multi_ssext_id[]  = {1, ESC_SSEXT};
+        static const word multi_ssext_id[]  = {1, ESC_SSEXT};
-        word multi_vswitch_id[]  = {1, ESC_VSWITCH};
+        static const word multi_vswitch_id[]  = {1, ESC_VSWITCH};
        byte *cau;
        word ncci;
@@ -8926,7 +8926,7 @@ static void listen_check(DIVA_CAPI_ADAPTER *a)
 /* functions for all parameters sent in INDs                        */
 /*------------------------------------------------------------------*/
-static void IndParse(PLCI *plci, word *parms_id, byte **parms, byte multiIEsize)
+static void IndParse(PLCI *plci, const word *parms_id, byte **parms, byte multiIEsize)
 {
        word ploc;            /* points to current location within packet */
        byte w;
diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c
index 358a574d9e8b..46d957c34be1 100644
--- a/drivers/isdn/icn/icn.c
+++ b/drivers/isdn/icn/icn.c
@@ -718,7 +718,7 @@ icn_sendbuf(int channel, int ack, struct sk_buff *skb, icn_card *card)
                        return 0;
                if (card->sndcount[channel] > ICN_MAX_SQUEUE)
                        return 0;
-#warning TODO test headroom or use skb->nb to flag ACK
+                /* TODO test headroom or use skb->nb to flag ACK */
                nskb = skb_clone(skb, GFP_ATOMIC);
                if (nskb) {
                        /* Push ACK flag as one
diff --git a/drivers/isdn/mISDN/stack.c b/drivers/isdn/mISDN/stack.c
index 9cb4b621fbc3..b92a19a594a1 100644
--- a/drivers/isdn/mISDN/stack.c
+++ b/drivers/isdn/mISDN/stack.c
@@ -72,7 +72,7 @@ send_socklist(struct mISDN_sock_list *sl, struct sk_buff *skb)
                if (sk->sk_state != MISDN_BOUND)
                        continue;
                if (!cskb)
-                        cskb = skb_copy(skb, GFP_KERNEL);
+                        cskb = skb_copy(skb, GFP_ATOMIC);
                if (!cskb) {
                        printk(KERN_WARNING "%s no skb\n", __func__);
                        break;
diff --git a/drivers/isdn/sc/init.c b/drivers/isdn/sc/init.c
index 3597ef47b28a..09fc129ef2fa 100644
--- a/drivers/isdn/sc/init.c
+++ b/drivers/isdn/sc/init.c
@@ -441,6 +441,7 @@ static int identify_board(unsigned long rambase, unsigned int iobase)
        RspMessage rcvmsg;
        ReqMessage sndmsg;
        HWConfig_pl hwci;
+        void __iomem *rambase_sig = (void __iomem *)rambase + SIG_OFFSET;
        int x;
        pr_debug("Attempting to identify adapter @ 0x%lx io 0x%x\n",
@@ -481,7 +482,7 @@ static int identify_board(unsigned long rambase, unsigned int iobase)
         */
        outb(PRI_BASEPG_VAL, pgport);
        msleep_interruptible(1000);
-        sig = readl(rambase + SIG_OFFSET);
+        sig = readl(rambase_sig);
        pr_debug("Looking for a signature, got 0x%lx\n", sig);
        if (sig == SIGNATURE)
                return PRI_BOARD;
@@ -491,7 +492,7 @@ static int identify_board(unsigned long rambase, unsigned int iobase)
         */
        outb(BRI_BASEPG_VAL, pgport);
        msleep_interruptible(1000);
-        sig = readl(rambase + SIG_OFFSET);
+        sig = readl(rambase_sig);
        pr_debug("Looking for a signature, got 0x%lx\n", sig);
        if (sig == SIGNATURE)
                return BRI_BOARD;
@@ -501,7 +502,7 @@ static int identify_board(unsigned long rambase, unsigned int iobase)
        /*
         * Try to spot a card
         */
-        sig = readl(rambase + SIG_OFFSET);
+        sig = readl(rambase_sig);
        pr_debug("Looking for a signature, got 0x%lx\n", sig);
        if (sig != SIGNATURE)
                return -1;
diff --git a/drivers/leds/led-triggers.c b/drivers/leds/led-triggers.c
index e8b1120f486d..eef3e64ca0a8 100644
--- a/drivers/leds/led-triggers.c
+++ b/drivers/leds/led-triggers.c
@@ -88,21 +88,23 @@ ssize_t led_trigger_show(struct device *dev, struct device_attribute *attr,
        down_read(&led_cdev->trigger_lock);
        if (!led_cdev->trigger)
-                len += sprintf(buf+len, "[none] ");
+                len += scnprintf(buf+len, PAGE_SIZE - len, "[none] ");
        else
-                len += sprintf(buf+len, "none ");
+                len += scnprintf(buf+len, PAGE_SIZE - len, "none ");
        list_for_each_entry(trig, &trigger_list, next_trig) {
                if (led_cdev->trigger && !strcmp(led_cdev->trigger->name,
                                                        trig->name))
-                        len += sprintf(buf+len, "[%s] ", trig->name);
+                        len += scnprintf(buf+len, PAGE_SIZE - len, "[%s] ",
+                                         trig->name);
                else
-                        len += sprintf(buf+len, "%s ", trig->name);
+                        len += scnprintf(buf+len, PAGE_SIZE - len, "%s ",
+                                         trig->name);
        }
        up_read(&led_cdev->trigger_lock);
        up_read(&triggers_list_lock);
-        len += sprintf(len+buf, "\n");
+        len += scnprintf(len+buf, PAGE_SIZE - len, "\n");
        return len;
 }
 EXPORT_SYMBOL_GPL(led_trigger_show);
diff --git a/drivers/leds/leds-pca955x.c b/drivers/leds/leds-pca955x.c
index b775e1efecd3..b9f71a87b7e1 100644
--- a/drivers/leds/leds-pca955x.c
+++ b/drivers/leds/leds-pca955x.c
@@ -281,7 +281,7 @@ static int pca955x_probe(struct i2c_client *client,
                        "slave address 0x%02x\n",
                        id->name, chip->bits, client->addr);
-        if (!i2c_check_functionality(adapter, I2C_FUNC_I2C))
+        if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA))
                return -EIO;
        if (pdata) {
diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
index 4d46f2ce606f..16c3390e5d9f 100644
--- a/drivers/md/bcache/alloc.c
+++ b/drivers/md/bcache/alloc.c
@@ -285,8 +285,10 @@ do {									\
                        break;                                          \
                                                                        \
                mutex_unlock(&(ca)->set->bucket_lock);                  \
-                if (kthread_should_stop())                              \
+                if (kthread_should_stop()) {                            \
+                        set_current_state(TASK_RUNNING);                \
                        return 0;                                       \
+                }                                                       \
                                                                        \
                try_to_freeze();                                        \
                schedule();                                             \
@@ -514,15 +516,21 @@ struct open_bucket {
 /*
 * We keep multiple buckets open for writes, and try to segregate different
- * write streams for better cache utilization: first we look for a bucket where
+ * write streams for better cache utilization: first we try to segregate flash
- * the last write to it was sequential with the current write, and failing that
+ * only volume write streams from cached devices, secondly we look for a bucket
- * we look for a bucket that was last used by the same task.
+ * where the last write to it was sequential with the current write, and
+ * failing that we look for a bucket that was last used by the same task.
 *
 * The ideas is if you've got multiple tasks pulling data into the cache at the
 * same time, you'll get better cache utilization if you try to segregate their
 * data and preserve locality.
 *
- * For example, say you've starting Firefox at the same time you're copying a
+ * For example, dirty sectors of flash only volume is not reclaimable, if their
+ * dirty sectors mixed with dirty sectors of cached device, such buckets will
+ * be marked as dirty and won't be reclaimed, though the dirty data of cached
+ * device have been written back to backend device.
+ *
+ * And say you've starting Firefox at the same time you're copying a
 * bunch of files. Firefox will likely end up being fairly hot and stay in the
 * cache awhile, but the data you copied might not be; if you wrote all that
 * data to the same buckets it'd get invalidated at the same time.
@@ -539,7 +547,10 @@ static struct open_bucket *pick_data_bucket(struct cache_set *c,
        struct open_bucket *ret, *ret_task = NULL;
        list_for_each_entry_reverse(ret, &c->data_buckets, list)
-                if (!bkey_cmp(&ret->key, search))
+                if (UUID_FLASH_ONLY(&c->uuids[KEY_INODE(&ret->key)]) !=
+                    UUID_FLASH_ONLY(&c->uuids[KEY_INODE(search)]))
+                        continue;
+                else if (!bkey_cmp(&ret->key, search))
                        goto found;
                else if (ret->last_write_point == write_point)
                        ret_task = ret;
diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h
index 02619cabda8b..7fe7df56fa33 100644
--- a/drivers/md/bcache/bcache.h
+++ b/drivers/md/bcache/bcache.h
@@ -904,7 +904,7 @@ void bcache_write_super(struct cache_set *);
 int bch_flash_dev_create(struct cache_set *c, uint64_t size);
-int bch_cached_dev_attach(struct cached_dev *, struct cache_set *);
+int bch_cached_dev_attach(struct cached_dev *, struct cache_set *, uint8_t *);
 void bch_cached_dev_detach(struct cached_dev *);
 void bch_cached_dev_run(struct cached_dev *);
 void bcache_device_stop(struct bcache_device *);
diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
index 5b815e64c1c9..4ed621ad27e4 100644
--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -808,7 +808,10 @@ int bch_btree_cache_alloc(struct cache_set *c)
        c->shrink.scan_objects = bch_mca_scan;
        c->shrink.seeks = 4;
        c->shrink.batch = c->btree_pages * 2;
-        register_shrinker(&c->shrink);
+        if (register_shrinker(&c->shrink))
+                pr_warn("bcache: %s: could not register shrinker",
+                                __func__);
        return 0;
 }
@@ -1866,14 +1869,17 @@ void bch_initial_gc_finish(struct cache_set *c)
         */
        for_each_cache(ca, c, i) {
                for_each_bucket(b, ca) {
-                        if (fifo_full(&ca->free[RESERVE_PRIO]))
+                        if (fifo_full(&ca->free[RESERVE_PRIO]) &&
+                            fifo_full(&ca->free[RESERVE_BTREE]))
                                break;
                        if (bch_can_invalidate_bucket(ca, b) &&
                            !GC_MARK(b)) {
                                __bch_invalidate_one_bucket(ca, b);
-                                fifo_push(&ca->free[RESERVE_PRIO],
+                                if (!fifo_push(&ca->free[RESERVE_PRIO],
-                                          b - ca->buckets);
+                                   b - ca->buckets))
+                                        fifo_push(&ca->free[RESERVE_BTREE],
+                                                  b - ca->buckets);
                        }
                }
        }
diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c
index e73aeb0e892c..e497bde96db3 100644
--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -633,11 +633,11 @@ static void do_bio_hook(struct search *s, struct bio *orig_bio)
 static void search_free(struct closure *cl)
 {
        struct search *s = container_of(cl, struct search, cl);
-        bio_complete(s);
        if (s->iop.bio)
                bio_put(s->iop.bio);
+        bio_complete(s);
        closure_debug_destroy(cl);
        mempool_free(s, s->d->c->search);
 }
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 8eaadd9869bc..ef28ddfff7c6 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -890,6 +890,12 @@ static void cached_dev_detach_finish(struct work_struct *w)
        mutex_lock(&bch_register_lock);
+        cancel_delayed_work_sync(&dc->writeback_rate_update);
+        if (!IS_ERR_OR_NULL(dc->writeback_thread)) {
+                kthread_stop(dc->writeback_thread);
+                dc->writeback_thread = NULL;
+        }
        memset(&dc->sb.set_uuid, 0, 16);
        SET_BDEV_STATE(&dc->sb, BDEV_STATE_NONE);
@@ -930,15 +936,18 @@ void bch_cached_dev_detach(struct cached_dev *dc)
        cached_dev_put(dc);
 }
-int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c)
+int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c,
+                          uint8_t *set_uuid)
 {
        uint32_t rtime = cpu_to_le32(get_seconds());
        struct uuid_entry *u;
        char buf[BDEVNAME_SIZE];
+        struct cached_dev *exist_dc, *t;
        bdevname(dc->bdev, buf);
-        if (memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16))
+        if ((set_uuid && memcmp(set_uuid, c->sb.set_uuid, 16)) ||
+            (!set_uuid && memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16)))
                return -ENOENT;
        if (dc->disk.c) {
@@ -958,6 +967,16 @@ int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c)
                return -EINVAL;
        }
+        /* Check whether already attached */
+        list_for_each_entry_safe(exist_dc, t, &c->cached_devs, list) {
+                if (!memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)) {
+                        pr_err("Tried to attach %s but duplicate UUID already attached",
+                                buf);
+                        return -EINVAL;
+                }
+        }
        u = uuid_find(c, dc->sb.uuid);
        if (u &&
@@ -1172,7 +1191,7 @@ static void register_bdev(struct cache_sb *sb, struct page *sb_page,
        list_add(&dc->list, &uncached_devices);
        list_for_each_entry(c, &bch_cache_sets, list)
-                bch_cached_dev_attach(dc, c);
+                bch_cached_dev_attach(dc, c, NULL);
        if (BDEV_STATE(&dc->sb) == BDEV_STATE_NONE ||
            BDEV_STATE(&dc->sb) == BDEV_STATE_STALE)
@@ -1694,7 +1713,7 @@ static void run_cache_set(struct cache_set *c)
        bcache_write_super(c);
        list_for_each_entry_safe(dc, t, &uncached_devices, list)
-                bch_cached_dev_attach(dc, c);
+                bch_cached_dev_attach(dc, c, NULL);
        flash_devs_run(c);
@@ -1811,6 +1830,7 @@ void bch_cache_release(struct kobject *kobj)
 static int cache_alloc(struct cache_sb *sb, struct cache *ca)
 {
        size_t free;
+        size_t btree_buckets;
        struct bucket *b;
        __module_get(THIS_MODULE);
@@ -1820,9 +1840,19 @@ static int cache_alloc(struct cache_sb *sb, struct cache *ca)
        ca->journal.bio.bi_max_vecs = 8;
        ca->journal.bio.bi_io_vec = ca->journal.bio.bi_inline_vecs;
+        /*
+         * when ca->sb.njournal_buckets is not zero, journal exists,
+         * and in bch_journal_replay(), tree node may split,
+         * so bucket of RESERVE_BTREE type is needed,
+         * the worst situation is all journal buckets are valid journal,
+         * and all the keys need to replay,
+         * so the number of  RESERVE_BTREE type buckets should be as much
+         * as journal buckets
+         */
+        btree_buckets = ca->sb.njournal_buckets ?: 8;
        free = roundup_pow_of_two(ca->sb.nbuckets) >> 10;
-        if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) ||
+        if (!init_fifo(&ca->free[RESERVE_BTREE], btree_buckets, GFP_KERNEL) ||
            !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
            !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) ||
            !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) ||
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index 4fbb5532f24c..5a5c1f1bd8a5 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -191,7 +191,7 @@ STORE(__cached_dev)
 {
        struct cached_dev *dc = container_of(kobj, struct cached_dev,
                                             disk.kobj);
-        ssize_t v = size;
+        ssize_t v;
        struct cache_set *c;
        struct kobj_uevent_env *env;
@@ -263,17 +263,20 @@ STORE(__cached_dev)
        }
        if (attr == &sysfs_attach) {
-                if (bch_parse_uuid(buf, dc->sb.set_uuid) < 16)
+                uint8_t         set_uuid[16];
+                if (bch_parse_uuid(buf, set_uuid) < 16)
                        return -EINVAL;
+                v = -ENOENT;
                list_for_each_entry(c, &bch_cache_sets, list) {
-                        v = bch_cached_dev_attach(dc, c);
+                        v = bch_cached_dev_attach(dc, c, set_uuid);
                        if (!v)
                                return size;
                }
                pr_err("Can't attach %s: cache set not found", buf);
-                size = v;
+                return v;
        }
        if (attr == &sysfs_detach && dc->disk.c)
diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c
index bbb1dc9e1639..f2c0000de613 100644
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -425,19 +425,28 @@ static int bch_writeback_thread(void *arg)
        while (!kthread_should_stop()) {
                down_write(&dc->writeback_lock);
-                if (!atomic_read(&dc->has_dirty) ||
+                set_current_state(TASK_INTERRUPTIBLE);
-                    (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
+                /*
-                     !dc->writeback_running)) {
+                 * If the bache device is detaching, skip here and continue
+                 * to perform writeback. Otherwise, if no dirty data on cache,
+                 * or there is dirty data on cache but writeback is disabled,
+                 * the writeback thread should sleep here and wait for others
+                 * to wake up it.
+                 */
+                if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) &&
+                    (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) {
                        up_write(&dc->writeback_lock);
-                        set_current_state(TASK_INTERRUPTIBLE);
-                        if (kthread_should_stop())
+                        if (kthread_should_stop()) {
+                                set_current_state(TASK_RUNNING);
                                return 0;
+                        }
                        try_to_freeze();
                        schedule();
                        continue;
                }
+                set_current_state(TASK_RUNNING);
                searched_full_index = refill_dirty(dc);
@@ -447,6 +456,14 @@ static int bch_writeback_thread(void *arg)
                        cached_dev_put(dc);
                        SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN);
                        bch_write_bdev_super(dc, NULL);
+                        /*
+                         * If bcache device is detaching via sysfs interface,
+                         * writeback thread should stop after there is no dirty
+                         * data on cache. BCACHE_DEV_DETACHING flag is set in
+                         * bch_cached_dev_detach().
+                         */
+                        if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags))
+                                break;
                }
                up_write(&dc->writeback_lock);
diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
index 969c815c90b6..b1d5fa0bc8f7 100644
--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -813,12 +813,14 @@ enum new_flag {
 static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client *c, enum new_flag nf)
 {
        struct dm_buffer *b;
+        bool tried_noio_alloc = false;
        /*
         * dm-bufio is resistant to allocation failures (it just keeps
         * one buffer reserved in cases all the allocations fail).
         * So set flags to not try too hard:
-         *      GFP_NOIO: don't recurse into the I/O layer
+         *      GFP_NOWAIT: don't wait; if we need to sleep we'll release our
+         *                  mutex and wait ourselves.
         *      __GFP_NORETRY: don't retry and rather return failure
         *      __GFP_NOMEMALLOC: don't use emergency reserves
         *      __GFP_NOWARN: don't print a warning in case of failure
@@ -828,7 +830,7 @@ static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client
         */
        while (1) {
                if (dm_bufio_cache_size_latch != 1) {
-                        b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
+                        b = alloc_buffer(c, GFP_NOWAIT | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
                        if (b)
                                return b;
                }
@@ -836,6 +838,15 @@ static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client
                if (nf == NF_PREFETCH)
                        return NULL;
+                if (dm_bufio_cache_size_latch != 1 && !tried_noio_alloc) {
+                        dm_bufio_unlock(c);
+                        b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
+                        dm_bufio_lock(c);
+                        if (b)
+                                return b;
+                        tried_noio_alloc = true;
+                }
                if (!list_empty(&c->reserved_buffers)) {
                        b = list_entry(c->reserved_buffers.next,
                                       struct dm_buffer, lru_list);
@@ -1563,19 +1574,11 @@ dm_bufio_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
 static unsigned long
 dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
 {
-        struct dm_bufio_client *c;
+        struct dm_bufio_client *c = container_of(shrink, struct dm_bufio_client, shrinker);
-        unsigned long count;
+        unsigned long count = READ_ONCE(c->n_buffers[LIST_CLEAN]) +
-        unsigned long retain_target;
+                              READ_ONCE(c->n_buffers[LIST_DIRTY]);
+        unsigned long retain_target = get_retain_buffers(c);
-        c = container_of(shrink, struct dm_bufio_client, shrinker);
-        if (sc->gfp_mask & __GFP_FS)
-                dm_bufio_lock(c);
-        else if (!dm_bufio_trylock(c))
-                return 0;
-        count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY];
-        retain_target = get_retain_buffers(c);
-        dm_bufio_unlock(c);
        return (count < retain_target) ? 0 : (count - retain_target);
 }
diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
index 81c5e1a1f363..1b84d2890fbf 100644
--- a/drivers/md/dm-io.c
+++ b/drivers/md/dm-io.c
@@ -300,6 +300,7 @@ static void do_region(int rw, unsigned region, struct dm_io_region *where,
        else if (rw & REQ_WRITE_SAME)
                special_cmd_max_sectors = q->limits.max_write_same_sectors;
        if ((rw & (REQ_DISCARD | REQ_WRITE_SAME)) && special_cmd_max_sectors == 0) {
+                atomic_inc(&io->count);
                dec_count(io, region, -EOPNOTSUPP);
                return;
        }
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index e503279c34fc..6865b186f749 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1773,12 +1773,12 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
            cmd == DM_LIST_VERSIONS_CMD)
                return 0;
-        if ((cmd == DM_DEV_CREATE_CMD)) {
+        if (cmd == DM_DEV_CREATE_CMD) {
                if (!*param->name) {
                        DMWARN("name not supplied when creating device");
                        return -EINVAL;
                }
-        } else if ((*param->uuid && *param->name)) {
+        } else if (*param->uuid && *param->name) {
                DMWARN("only supply one of name or uuid, cmd(%u)", cmd);
                return -EINVAL;
        }
diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
index a1cc797fe88f..315767e8ae4d 100644
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -1299,6 +1299,8 @@ static void schedule_external_copy(struct thin_c *tc, dm_block_t virt_block,
 static void set_pool_mode(struct pool *pool, enum pool_mode new_mode);
+static void requeue_bios(struct pool *pool);
 static void check_for_space(struct pool *pool)
 {
        int r;
@@ -1311,8 +1313,10 @@ static void check_for_space(struct pool *pool)
        if (r)
                return;
-        if (nr_free)
+        if (nr_free) {
                set_pool_mode(pool, PM_WRITE);
+                requeue_bios(pool);
+        }
 }
 /*
@@ -1389,7 +1393,10 @@ static int alloc_data_block(struct thin_c *tc, dm_block_t *result)
        r = dm_pool_alloc_data_block(pool->pmd, result);
        if (r) {
-                metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
+                if (r == -ENOSPC)
+                        set_pool_mode(pool, PM_OUT_OF_DATA_SPACE);
+                else
+                        metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
                return r;
        }
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 9ec6948e3b8b..3d9a80759d95 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -974,7 +974,8 @@ static void dec_pending(struct dm_io *io, int error)
                } else {
                        /* done with normal IO or empty flush */
                        trace_block_bio_complete(md->queue, bio, io_error);
-                        bio->bi_error = io_error;
+                        if (io_error)
+                                bio->bi_error = io_error;
                        bio_endio(bio);
                }
        }
diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c
index 494d01d0e92a..a7a561af05c9 100644
--- a/drivers/md/md-cluster.c
+++ b/drivers/md/md-cluster.c
@@ -945,8 +945,10 @@ static int add_new_disk(struct mddev *mddev, struct md_rdev *rdev)
        cmsg.raid_slot = cpu_to_le32(rdev->desc_nr);
        lock_comm(cinfo);
        ret = __sendmsg(cinfo, &cmsg);
-        if (ret)
+        if (ret) {
+                unlock_comm(cinfo);
                return ret;
+        }
        cinfo->no_new_dev_lockres->flags |= DLM_LKF_NOQUEUE;
        ret = dlm_lock_sync(cinfo->no_new_dev_lockres, DLM_LOCK_EX);
        cinfo->no_new_dev_lockres->flags &= ~DLM_LKF_NOQUEUE;
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 0a856cb181e9..07f307402351 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -1028,8 +1028,9 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor
         * (not needed for Linear and RAID0 as metadata doesn't
         * record this size)
         */
-        if (rdev->sectors >= (2ULL << 32) && sb->level >= 1)
+        if (IS_ENABLED(CONFIG_LBDAF) && (u64)rdev->sectors >= (2ULL << 32) &&
-                rdev->sectors = (2ULL << 32) - 2;
+            sb->level >= 1)
+                rdev->sectors = (sector_t)(2ULL << 32) - 2;
        if (rdev->sectors < ((sector_t)sb->size) * 2 && sb->level >= 1)
                /* "this cannot possibly happen" ... */
@@ -1322,8 +1323,9 @@ super_90_rdev_size_change(struct md_rdev *rdev, sector_t num_sectors)
        /* Limit to 4TB as metadata cannot record more than that.
         * 4TB == 2^32 KB, or 2*2^32 sectors.
         */
-        if (num_sectors >= (2ULL << 32) && rdev->mddev->level >= 1)
+        if (IS_ENABLED(CONFIG_LBDAF) && (u64)num_sectors >= (2ULL << 32) &&
-                num_sectors = (2ULL << 32) - 2;
+            rdev->mddev->level >= 1)
+                num_sectors = (sector_t)(2ULL << 32) - 2;
        md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size,
                       rdev->sb_page);
        md_super_wait(rdev->mddev);
@@ -2688,7 +2690,8 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len)
                        err = 0;
                }
        } else if (cmd_match(buf, "re-add")) {
-                if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1)) {
+                if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) &&
+                        rdev->saved_raid_disk >= 0) {
                        /* clear_bit is performed _after_ all the devices
                         * have their local Faulty bit cleared. If any writes
                         * happen in the meantime in the local node, they
@@ -6142,6 +6145,9 @@ static int hot_remove_disk(struct mddev *mddev, dev_t dev)
        struct md_rdev *rdev;
        int ret = -1;
+        if (!mddev->pers)
+                return -ENODEV;
        rdev = find_rdev(mddev, dev);
        if (!rdev)
                return -ENXIO;
@@ -8151,6 +8157,7 @@ static int remove_and_add_spares(struct mddev *mddev,
                        if (mddev->pers->hot_remove_disk(
                                    mddev, rdev) == 0) {
                                sysfs_unlink_rdev(mddev, rdev);
+                                rdev->saved_raid_disk = rdev->raid_disk;
                                rdev->raid_disk = -1;
                                removed++;
                        }
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index f24a9e14021d..89dcbf2fa846 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1686,6 +1686,17 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
                        struct md_rdev *repl =
                                conf->mirrors[conf->raid_disks + number].rdev;
                        freeze_array(conf, 0);
+                        if (atomic_read(&repl->nr_pending)) {
+                                /* It means that some queued IO of retry_list
+                                 * hold repl. Thus, we cannot set replacement
+                                 * as NULL, avoiding rdev NULL pointer
+                                 * dereference in sync_request_write and
+                                 * handle_write_finished.
+                                 */
+                                err = -EBUSY;
+                                unfreeze_array(conf);
+                                goto abort;
+                        }
                        clear_bit(Replacement, &repl->flags);
                        p->rdev = repl;
                        conf->mirrors[conf->raid_disks + number].rdev = NULL;
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index a8a86d450d76..7b6acedc89c1 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2630,7 +2630,8 @@ static void handle_write_completed(struct r10conf *conf, struct r10bio *r10_bio)
                for (m = 0; m < conf->copies; m++) {
                        int dev = r10_bio->devs[m].devnum;
                        rdev = conf->mirrors[dev].rdev;
-                        if (r10_bio->devs[m].bio == NULL)
+                        if (r10_bio->devs[m].bio == NULL ||
+                                r10_bio->devs[m].bio->bi_end_io == NULL)
                                continue;
                        if (!r10_bio->devs[m].bio->bi_error) {
                                rdev_clear_badblocks(
@@ -2645,7 +2646,8 @@ static void handle_write_completed(struct r10conf *conf, struct r10bio *r10_bio)
                                        md_error(conf->mddev, rdev);
                        }
                        rdev = conf->mirrors[dev].replacement;
-                        if (r10_bio->devs[m].repl_bio == NULL)
+                        if (r10_bio->devs[m].repl_bio == NULL ||
+                                r10_bio->devs[m].repl_bio->bi_end_io == NULL)
                                continue;
                        if (!r10_bio->devs[m].repl_bio->bi_error) {
@@ -2698,6 +2700,11 @@ static void handle_write_completed(struct r10conf *conf, struct r10bio *r10_bio)
                        list_add(&r10_bio->retry_list, &conf->bio_end_io_list);
                        conf->nr_queued++;
                        spin_unlock_irq(&conf->device_lock);
+                        /*
+                         * In case freeze_array() is waiting for condition
+                         * nr_pending == nr_queued + extra to be true.
+                         */
+                        wake_up(&conf->wait_barrier);
                        md_wakeup_thread(conf->mddev->thread);
                } else {
                        if (test_bit(R10BIO_WriteError,
@@ -3633,6 +3640,7 @@ static int run(struct mddev *mddev)
                if (blk_queue_discard(bdev_get_queue(rdev->bdev)))
                        discard_supported = true;
+                first = 0;
        }
        if (mddev->queue) {
@@ -4039,6 +4047,7 @@ static int raid10_start_reshape(struct mddev *mddev)
                                diff = 0;
                        if (first || diff < min_offset_diff)
                                min_offset_diff = diff;
+                        first = 0;
                }
        }
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index 86ab6d14d782..d59b861764a1 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -110,8 +110,7 @@ static inline void unlock_device_hash_lock(struct r5conf *conf, int hash)
 static inline void lock_all_device_hash_locks_irq(struct r5conf *conf)
 {
        int i;
-        local_irq_disable();
+        spin_lock_irq(conf->hash_locks);
-        spin_lock(conf->hash_locks);
        for (i = 1; i < NR_STRIPE_HASH_LOCKS; i++)
                spin_lock_nest_lock(conf->hash_locks + i, conf->hash_locks);
        spin_lock(&conf->device_lock);
@@ -121,9 +120,9 @@ static inline void unlock_all_device_hash_locks_irq(struct r5conf *conf)
 {
        int i;
        spin_unlock(&conf->device_lock);
-        for (i = NR_STRIPE_HASH_LOCKS; i; i--)
+        for (i = NR_STRIPE_HASH_LOCKS - 1; i; i--)
-                spin_unlock(conf->hash_locks + i - 1);
+                spin_unlock(conf->hash_locks + i);
-        local_irq_enable();
+        spin_unlock_irq(conf->hash_locks);
 }
 /* bio's attached to a stripe+device for I/O are linked together in bi_sector
@@ -726,12 +725,11 @@ static bool is_full_stripe_write(struct stripe_head *sh)
 static void lock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2)
 {
-        local_irq_disable();
        if (sh1 > sh2) {
-                spin_lock(&sh2->stripe_lock);
+                spin_lock_irq(&sh2->stripe_lock);
                spin_lock_nested(&sh1->stripe_lock, 1);
        } else {
-                spin_lock(&sh1->stripe_lock);
+                spin_lock_irq(&sh1->stripe_lock);
                spin_lock_nested(&sh2->stripe_lock, 1);
        }
 }
@@ -739,8 +737,7 @@ static void lock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2)
 static void unlock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2)
 {
        spin_unlock(&sh1->stripe_lock);
-        spin_unlock(&sh2->stripe_lock);
+        spin_unlock_irq(&sh2->stripe_lock);
-        local_irq_enable();
 }
 /* Only freshly new full stripe normal write stripe can be added to a batch list */
@@ -2031,15 +2028,16 @@ static int grow_one_stripe(struct r5conf *conf, gfp_t gfp)
 static int grow_stripes(struct r5conf *conf, int num)
 {
        struct kmem_cache *sc;
+        size_t namelen = sizeof(conf->cache_name[0]);
        int devs = max(conf->raid_disks, conf->previous_raid_disks);
        if (conf->mddev->gendisk)
-                sprintf(conf->cache_name[0],
+                snprintf(conf->cache_name[0], namelen,
                        "raid%d-%s", conf->level, mdname(conf->mddev));
        else
-                sprintf(conf->cache_name[0],
+                snprintf(conf->cache_name[0], namelen,
                        "raid%d-%p", conf->level, conf->mddev);
-        sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]);
+        snprintf(conf->cache_name[1], namelen, "%.27s-alt", conf->cache_name[0]);
        conf->active_name = 0;
        sc = kmem_cache_create(conf->cache_name[conf->active_name],
@@ -3372,9 +3370,20 @@ static int fetch_block(struct stripe_head *sh, struct stripe_head_state *s,
                BUG_ON(test_bit(R5_Wantcompute, &dev->flags));
                BUG_ON(test_bit(R5_Wantread, &dev->flags));
                BUG_ON(sh->batch_head);
+                /*
+                 * In the raid6 case if the only non-uptodate disk is P
+                 * then we already trusted P to compute the other failed
+                 * drives. It is safe to compute rather than re-read P.
+                 * In other cases we only compute blocks from failed
+                 * devices, otherwise check/repair might fail to detect
+                 * a real inconsistency.
+                 */
                if ((s->uptodate == disks - 1) &&
+                    ((sh->qd_idx >= 0 && sh->pd_idx == disk_idx) ||
                    (s->failed && (disk_idx == s->failed_num[0] ||
-                                   disk_idx == s->failed_num[1]))) {
+                                   disk_idx == s->failed_num[1])))) {
                        /* have disk failed, and we're requested to fetch it;
                         * do compute it
                         */
diff --git a/drivers/media/common/b2c2/flexcop-fe-tuner.c b/drivers/media/common/b2c2/flexcop-fe-tuner.c
index 9c59f4306883..f5956402fc69 100644
--- a/drivers/media/common/b2c2/flexcop-fe-tuner.c
+++ b/drivers/media/common/b2c2/flexcop-fe-tuner.c
@@ -38,7 +38,7 @@ static int flexcop_fe_request_firmware(struct dvb_frontend *fe,
 #endif
 /* lnb control */
-#if FE_SUPPORTED(MT312) || FE_SUPPORTED(STV0299)
+#if (FE_SUPPORTED(MT312) || FE_SUPPORTED(STV0299)) && FE_SUPPORTED(PLL)
 static int flexcop_set_voltage(struct dvb_frontend *fe,
                               enum fe_sec_voltage voltage)
 {
@@ -68,7 +68,7 @@ static int flexcop_set_voltage(struct dvb_frontend *fe,
 #endif
 #if FE_SUPPORTED(S5H1420) || FE_SUPPORTED(STV0299) || FE_SUPPORTED(MT312)
-static int flexcop_sleep(struct dvb_frontend* fe)
+static int __maybe_unused flexcop_sleep(struct dvb_frontend* fe)
 {
        struct flexcop_device *fc = fe->dvb->priv;
        if (fc->fe_sleep)
diff --git a/drivers/media/common/siano/smsendian.c b/drivers/media/common/siano/smsendian.c
index bfe831c10b1c..b95a631f23f9 100644
--- a/drivers/media/common/siano/smsendian.c
+++ b/drivers/media/common/siano/smsendian.c
@@ -35,7 +35,7 @@ void smsendian_handle_tx_message(void *buffer)
        switch (msg->x_msg_header.msg_type) {
        case MSG_SMS_DATA_DOWNLOAD_REQ:
        {
-                msg->msg_data[0] = le32_to_cpu(msg->msg_data[0]);
+                msg->msg_data[0] = le32_to_cpu((__force __le32)(msg->msg_data[0]));
                break;
        }
@@ -44,7 +44,7 @@ void smsendian_handle_tx_message(void *buffer)
                                sizeof(struct sms_msg_hdr))/4;
                for (i = 0; i < msg_words; i++)
-                        msg->msg_data[i] = le32_to_cpu(msg->msg_data[i]);
+                        msg->msg_data[i] = le32_to_cpu((__force __le32)msg->msg_data[i]);
                break;
        }
@@ -64,7 +64,7 @@ void smsendian_handle_rx_message(void *buffer)
        {
                struct sms_version_res *ver =
                        (struct sms_version_res *) msg;
-                ver->chip_model = le16_to_cpu(ver->chip_model);
+                ver->chip_model = le16_to_cpu((__force __le16)ver->chip_model);
                break;
        }
@@ -81,7 +81,7 @@ void smsendian_handle_rx_message(void *buffer)
                                sizeof(struct sms_msg_hdr))/4;
                for (i = 0; i < msg_words; i++)
-                        msg->msg_data[i] = le32_to_cpu(msg->msg_data[i]);
+                        msg->msg_data[i] = le32_to_cpu((__force __le32)msg->msg_data[i]);
                break;
        }
@@ -95,9 +95,9 @@ void smsendian_handle_message_header(void *msg)
 #ifdef __BIG_ENDIAN
        struct sms_msg_hdr *phdr = (struct sms_msg_hdr *)msg;
-        phdr->msg_type = le16_to_cpu(phdr->msg_type);
+        phdr->msg_type = le16_to_cpu((__force __le16)phdr->msg_type);
-        phdr->msg_length = le16_to_cpu(phdr->msg_length);
+        phdr->msg_length = le16_to_cpu((__force __le16)phdr->msg_length);
-        phdr->msg_flags = le16_to_cpu(phdr->msg_flags);
+        phdr->msg_flags = le16_to_cpu((__force __le16)phdr->msg_flags);
 #endif /* __BIG_ENDIAN */
 }
 EXPORT_SYMBOL_GPL(smsendian_handle_message_header);
diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index ea9abde902e9..209db65ab610 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -1071,7 +1071,7 @@ static int dvb_demux_do_ioctl(struct file *file,
                break;
        default:
-                ret = -EINVAL;
+                ret = -ENOTTY;
                break;
        }
        mutex_unlock(&dmxdev->mutex);
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index fb66184dc9b6..77cf211e842e 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -750,6 +750,29 @@ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, u8 * b
                goto exit;
        }
+        /*
+         * It may need some time for the CAM to settle down, or there might
+         * be a race condition between the CAM, writing HC and our last
+         * check for DA. This happens, if the CAM asserts DA, just after
+         * checking DA before we are setting HC. In this case it might be
+         * a bug in the CAM to keep the FR bit, the lower layer/HW
+         * communication requires a longer timeout or the CAM needs more
+         * time internally. But this happens in reality!
+         * We need to read the status from the HW again and do the same
+         * we did for the previous check for DA
+         */
+        status = ca->pub->read_cam_control(ca->pub, slot, CTRLIF_STATUS);
+        if (status < 0)
+                goto exit;
+        if (status & (STATUSREG_DA | STATUSREG_RE)) {
+                if (status & STATUSREG_DA)
+                        dvb_ca_en50221_thread_wakeup(ca);
+                status = -EAGAIN;
+                goto exit;
+        }
        /* send the amount of data */
        if ((status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_SIZE_HIGH, bytes_write >> 8)) != 0)
                goto exit;
diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
index e2a3833170e3..2c835e69c4df 100644
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -230,8 +230,20 @@ static void dvb_frontend_add_event(struct dvb_frontend *fe,
        wake_up_interruptible (&events->wait_queue);
 }
+static int dvb_frontend_test_event(struct dvb_frontend_private *fepriv,
+                                   struct dvb_fe_events *events)
+{
+        int ret;
+        up(&fepriv->sem);
+        ret = events->eventw != events->eventr;
+        down(&fepriv->sem);
+        return ret;
+}
 static int dvb_frontend_get_event(struct dvb_frontend *fe,
-                            struct dvb_frontend_event *event, int flags)
+                                  struct dvb_frontend_event *event, int flags)
 {
        struct dvb_frontend_private *fepriv = fe->frontend_priv;
        struct dvb_fe_events *events = &fepriv->events;
@@ -249,13 +261,8 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe,
                if (flags & O_NONBLOCK)
                        return -EWOULDBLOCK;
-                up(&fepriv->sem);
+                ret = wait_event_interruptible(events->wait_queue,
+                                               dvb_frontend_test_event(fepriv, events));
-                ret = wait_event_interruptible (events->wait_queue,
-                                                events->eventw != events->eventr);
-                if (down_interruptible (&fepriv->sem))
-                        return -ERESTARTSYS;
                if (ret < 0)
                        return ret;
diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c
index feeeb70d841e..d14d075ab1d6 100644
--- a/drivers/media/dvb-frontends/m88ds3103.c
+++ b/drivers/media/dvb-frontends/m88ds3103.c
@@ -1281,11 +1281,12 @@ static int m88ds3103_select(struct i2c_adapter *adap, void *mux_priv, u32 chan)
 * New users must use I2C client binding directly!
 */
 struct dvb_frontend *m88ds3103_attach(const struct m88ds3103_config *cfg,
-                struct i2c_adapter *i2c, struct i2c_adapter **tuner_i2c_adapter)
+                                      struct i2c_adapter *i2c,
+                                      struct i2c_adapter **tuner_i2c_adapter)
 {
        struct i2c_client *client;
        struct i2c_board_info board_info;
-        struct m88ds3103_platform_data pdata;
+        struct m88ds3103_platform_data pdata = {};
        pdata.clk = cfg->clock;
        pdata.i2c_wr_max = cfg->i2c_wr_max;
@@ -1428,6 +1429,8 @@ static int m88ds3103_probe(struct i2c_client *client,
        case M88DS3103_CHIP_ID:
                break;
        default:
+                ret = -ENODEV;
+                dev_err(&client->dev, "Unknown device. Chip_id=%02x\n", dev->chip_id);
                goto err_kfree;
        }
diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c
index 821a8f481507..9d6270591858 100644
--- a/drivers/media/dvb-frontends/si2168.c
+++ b/drivers/media/dvb-frontends/si2168.c
@@ -14,6 +14,8 @@
 *    GNU General Public License for more details.
 */
+#include <linux/delay.h>
 #include "si2168_priv.h"
 static const struct dvb_frontend_ops si2168_ops;
@@ -420,6 +422,7 @@ static int si2168_init(struct dvb_frontend *fe)
                if (ret)
                        goto err;
+                udelay(100);
                memcpy(cmd.args, "\x85", 1);
                cmd.wlen = 1;
                cmd.rlen = 1;
diff --git a/drivers/media/dvb-frontends/ts2020.c b/drivers/media/dvb-frontends/ts2020.c
index 7979e5d6498b..7ca359391535 100644
--- a/drivers/media/dvb-frontends/ts2020.c
+++ b/drivers/media/dvb-frontends/ts2020.c
@@ -369,7 +369,7 @@ static int ts2020_read_tuner_gain(struct dvb_frontend *fe, unsigned v_agc,
                gain2 = clamp_t(long, gain2, 0, 13);
                v_agc = clamp_t(long, v_agc, 400, 1100);
-                *_gain = -(gain1 * 2330 +
+                *_gain = -((__s64)gain1 * 2330 +
                           gain2 * 3500 +
                           v_agc * 24 / 10 * 10 +
                           10000);
@@ -387,7 +387,7 @@ static int ts2020_read_tuner_gain(struct dvb_frontend *fe, unsigned v_agc,
                gain3 = clamp_t(long, gain3, 0, 6);
                v_agc = clamp_t(long, v_agc, 600, 1600);
-                *_gain = -(gain1 * 2650 +
+                *_gain = -((__s64)gain1 * 2650 +
                           gain2 * 3380 +
                           gain3 * 2850 +
                           v_agc * 176 / 100 * 10 -
diff --git a/drivers/media/i2c/cx25840/cx25840-core.c b/drivers/media/i2c/cx25840/cx25840-core.c
index fe6eb78b6914..17d217c3585a 100644
--- a/drivers/media/i2c/cx25840/cx25840-core.c
+++ b/drivers/media/i2c/cx25840/cx25840-core.c
@@ -420,11 +420,13 @@ static void cx25840_initialize(struct i2c_client *client)
        INIT_WORK(&state->fw_work, cx25840_work_handler);
        init_waitqueue_head(&state->fw_wait);
        q = create_singlethread_workqueue("cx25840_fw");
-        prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
+        if (q) {
-        queue_work(q, &state->fw_work);
+                prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
-        schedule();
+                queue_work(q, &state->fw_work);
-        finish_wait(&state->fw_wait, &wait);
+                schedule();
-        destroy_workqueue(q);
+                finish_wait(&state->fw_wait, &wait);
+                destroy_workqueue(q);
+        }
        /* 6. */
        cx25840_write(client, 0x115, 0x8c);
@@ -465,8 +467,13 @@ static void cx23885_initialize(struct i2c_client *client)
 {
        DEFINE_WAIT(wait);
        struct cx25840_state *state = to_state(i2c_get_clientdata(client));
+        u32 clk_freq = 0;
        struct workqueue_struct *q;
+        /* cx23885 sets hostdata to clk_freq pointer */
+        if (v4l2_get_subdev_hostdata(&state->sd))
+                clk_freq = *((u32 *)v4l2_get_subdev_hostdata(&state->sd));
        /*
         * Come out of digital power down
         * The CX23888, at least, needs this, otherwise registers aside from
@@ -502,8 +509,13 @@ static void cx23885_initialize(struct i2c_client *client)
                 * 50.0 MHz * (0xb + 0xe8ba26/0x2000000)/4 = 5 * 28.636363 MHz
                 * 572.73 MHz before post divide
                 */
-                /* HVR1850 or 50MHz xtal */
+                if (clk_freq == 25000000) {
-                cx25840_write(client, 0x2, 0x71);
+                        /* 888/ImpactVCBe or 25Mhz xtal */
+                        ; /* nothing to do */
+                } else {
+                        /* HVR1850 or 50MHz xtal */
+                        cx25840_write(client, 0x2, 0x71);
+                }
                cx25840_write4(client, 0x11c, 0x01d1744c);
                cx25840_write4(client, 0x118, 0x00000416);
                cx25840_write4(client, 0x404, 0x0010253e);
@@ -546,9 +558,15 @@ static void cx23885_initialize(struct i2c_client *client)
        /* HVR1850 */
        switch (state->id) {
        case CX23888_AV:
-                /* 888/HVR1250 specific */
+                if (clk_freq == 25000000) {
-                cx25840_write4(client, 0x10c, 0x13333333);
+                        /* 888/ImpactVCBe or 25MHz xtal */
-                cx25840_write4(client, 0x108, 0x00000515);
+                        cx25840_write4(client, 0x10c, 0x01b6db7b);
+                        cx25840_write4(client, 0x108, 0x00000512);
+                } else {
+                        /* 888/HVR1250 or 50MHz xtal */
+                        cx25840_write4(client, 0x10c, 0x13333333);
+                        cx25840_write4(client, 0x108, 0x00000515);
+                }
                break;
        default:
                cx25840_write4(client, 0x10c, 0x002be2c9);
@@ -575,7 +593,7 @@ static void cx23885_initialize(struct i2c_client *client)
                 * 368.64 MHz before post divide
                 * 122.88 MHz / 0xa = 12.288 MHz
                 */
-                /* HVR1850  or 50MHz xtal */
+                /* HVR1850 or 50MHz xtal or 25MHz xtal */
                cx25840_write4(client, 0x114, 0x017dbf48);
                cx25840_write4(client, 0x110, 0x000a030e);
                break;
@@ -631,11 +649,13 @@ static void cx23885_initialize(struct i2c_client *client)
        INIT_WORK(&state->fw_work, cx25840_work_handler);
        init_waitqueue_head(&state->fw_wait);
        q = create_singlethread_workqueue("cx25840_fw");
-        prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
+        if (q) {
-        queue_work(q, &state->fw_work);
+                prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
-        schedule();
+                queue_work(q, &state->fw_work);
-        finish_wait(&state->fw_wait, &wait);
+                schedule();
-        destroy_workqueue(q);
+                finish_wait(&state->fw_wait, &wait);
+                destroy_workqueue(q);
+        }
        /* Call the cx23888 specific std setup func, we no longer rely on
         * the generic cx24840 func.
@@ -746,11 +766,13 @@ static void cx231xx_initialize(struct i2c_client *client)
        INIT_WORK(&state->fw_work, cx25840_work_handler);
        init_waitqueue_head(&state->fw_wait);
        q = create_singlethread_workqueue("cx25840_fw");
-        prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
+        if (q) {
-        queue_work(q, &state->fw_work);
+                prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
-        schedule();
+                queue_work(q, &state->fw_work);
-        finish_wait(&state->fw_wait, &wait);
+                schedule();
-        destroy_workqueue(q);
+                finish_wait(&state->fw_wait, &wait);
+                destroy_workqueue(q);
+        }
        cx25840_std_setup(client);
diff --git a/drivers/media/i2c/s5k6aa.c b/drivers/media/i2c/s5k6aa.c
index d0ad6a25bdab..5ac2babe123b 100644
--- a/drivers/media/i2c/s5k6aa.c
+++ b/drivers/media/i2c/s5k6aa.c
@@ -421,6 +421,7 @@ static int s5k6aa_set_ahb_address(struct i2c_client *client)
 /**
 * s5k6aa_configure_pixel_clock - apply ISP main clock/PLL configuration
+ * @s5k6aa: pointer to &struct s5k6aa describing the device
 *
 * Configure the internal ISP PLL for the required output frequency.
 * Locking: called with s5k6aa.lock mutex held.
@@ -669,6 +670,7 @@ static int s5k6aa_set_input_params(struct s5k6aa *s5k6aa)
 /**
 * s5k6aa_configure_video_bus - configure the video output interface
+ * @s5k6aa: pointer to &struct s5k6aa describing the device
 * @bus_type: video bus type: parallel or MIPI-CSI
 * @nlanes: number of MIPI lanes to be used (MIPI-CSI only)
 *
@@ -724,6 +726,8 @@ static int s5k6aa_new_config_sync(struct i2c_client *client, int timeout,
 /**
 * s5k6aa_set_prev_config - write user preview register set
+ * @s5k6aa: pointer to &struct s5k6aa describing the device
+ * @preset: s5kaa preset to be applied
 *
 * Configure output resolution and color fromat, pixel clock
 * frequency range, device frame rate type and frame period range.
@@ -777,6 +781,7 @@ static int s5k6aa_set_prev_config(struct s5k6aa *s5k6aa,
 /**
 * s5k6aa_initialize_isp - basic ISP MCU initialization
+ * @sd: pointer to V4L2 sub-device descriptor
 *
 * Configure AHB addresses for registers read/write; configure PLLs for
 * required output pixel clock. The ISP power supply needs to be already
diff --git a/drivers/media/i2c/smiapp/smiapp-core.c b/drivers/media/i2c/smiapp/smiapp-core.c
index fb39dfd55e75..46a052c5be2e 100644
--- a/drivers/media/i2c/smiapp/smiapp-core.c
+++ b/drivers/media/i2c/smiapp/smiapp-core.c
@@ -981,7 +981,7 @@ static int smiapp_read_nvm(struct smiapp_sensor *sensor,
                if (rval)
                        goto out;
-                for (i = 0; i < 1000; i++) {
+                for (i = 1000; i > 0; i--) {
                        rval = smiapp_read(
                                sensor,
                                SMIAPP_REG_U8_DATA_TRANSFER_IF_1_STATUS, &s);
@@ -992,11 +992,10 @@ static int smiapp_read_nvm(struct smiapp_sensor *sensor,
                        if (s & SMIAPP_DATA_TRANSFER_IF_1_STATUS_RD_READY)
                                break;
-                        if (--i == 0) {
+                }
-                                rval = -ETIMEDOUT;
+                if (!i) {
-                                goto out;
+                        rval = -ETIMEDOUT;
-                        }
+                        goto out;
                }
                for (i = 0; i < SMIAPP_NVM_PAGE_SIZE; i++) {
diff --git a/drivers/media/i2c/soc_camera/ov6650.c b/drivers/media/i2c/soc_camera/ov6650.c
index 1f8af1ee8352..1e4783b51a35 100644
--- a/drivers/media/i2c/soc_camera/ov6650.c
+++ b/drivers/media/i2c/soc_camera/ov6650.c
@@ -1033,7 +1033,7 @@ static int ov6650_probe(struct i2c_client *client,
        priv->code        = MEDIA_BUS_FMT_YUYV8_2X8;
        priv->colorspace  = V4L2_COLORSPACE_JPEG;
-        priv->clk = v4l2_clk_get(&client->dev, "mclk");
+        priv->clk = v4l2_clk_get(&client->dev, NULL);
        if (IS_ERR(priv->clk)) {
                ret = PTR_ERR(priv->clk);
                goto eclkget;
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index 9ef5baaf8646..bc630a719776 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -197,57 +197,61 @@ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
        }
 }
-static u8 i2c_rd8(struct v4l2_subdev *sd, u16 reg)
+static noinline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n)
 {
-        u8 val;
+        __le32 val = 0;
-        i2c_rd(sd, reg, &val, 1);
+        i2c_rd(sd, reg, (u8 __force *)&val, n);
-        return val;
+        return le32_to_cpu(val);
+}
+static noinline void i2c_wrreg(struct v4l2_subdev *sd, u16 reg, u32 val, u32 n)
+{
+        __le32 raw = cpu_to_le32(val);
+        i2c_wr(sd, reg, (u8 __force *)&raw, n);
+}
+static u8 i2c_rd8(struct v4l2_subdev *sd, u16 reg)
+{
+        return i2c_rdreg(sd, reg, 1);
 }
 static void i2c_wr8(struct v4l2_subdev *sd, u16 reg, u8 val)
 {
-        i2c_wr(sd, reg, &val, 1);
+        i2c_wrreg(sd, reg, val, 1);
 }
 static void i2c_wr8_and_or(struct v4l2_subdev *sd, u16 reg,
                u8 mask, u8 val)
 {
-        i2c_wr8(sd, reg, (i2c_rd8(sd, reg) & mask) | val);
+        i2c_wrreg(sd, reg, (i2c_rdreg(sd, reg, 1) & mask) | val, 1);
 }
 static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg)
 {
-        u16 val;
+        return i2c_rdreg(sd, reg, 2);
-        i2c_rd(sd, reg, (u8 *)&val, 2);
-        return val;
 }
 static void i2c_wr16(struct v4l2_subdev *sd, u16 reg, u16 val)
 {
-        i2c_wr(sd, reg, (u8 *)&val, 2);
+        i2c_wrreg(sd, reg, val, 2);
 }
 static void i2c_wr16_and_or(struct v4l2_subdev *sd, u16 reg, u16 mask, u16 val)
 {
-        i2c_wr16(sd, reg, (i2c_rd16(sd, reg) & mask) | val);
+        i2c_wrreg(sd, reg, (i2c_rdreg(sd, reg, 2) & mask) | val, 2);
 }
 static u32 i2c_rd32(struct v4l2_subdev *sd, u16 reg)
 {
-        u32 val;
+        return i2c_rdreg(sd, reg, 4);
-        i2c_rd(sd, reg, (u8 *)&val, 4);
-        return val;
 }
 static void i2c_wr32(struct v4l2_subdev *sd, u16 reg, u32 val)
 {
-        i2c_wr(sd, reg, (u8 *)&val, 4);
+        i2c_wrreg(sd, reg, val, 4);
 }
 /* --------------- STATUS --------------- */
@@ -1240,7 +1244,7 @@ static int tc358743_g_register(struct v4l2_subdev *sd,
        reg->size = tc358743_get_reg_size(reg->reg);
-        i2c_rd(sd, reg->reg, (u8 *)&reg->val, reg->size);
+        reg->val = i2c_rdreg(sd, reg->reg, reg->size);
        return 0;
 }
@@ -1266,7 +1270,7 @@ static int tc358743_s_register(struct v4l2_subdev *sd,
            reg->reg == BCAPS)
                return 0;
-        i2c_wr(sd, (u16)reg->reg, (u8 *)&reg->val,
+        i2c_wrreg(sd, (u16)reg->reg, reg->val,
                        tc358743_get_reg_size(reg->reg));
        return 0;
diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c
index 8aa726651630..90fcccc05b56 100644
--- a/drivers/media/pci/bt8xx/bt878.c
+++ b/drivers/media/pci/bt8xx/bt878.c
@@ -422,8 +422,7 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
               bt878_num);
        if (bt878_num >= BT878_MAX) {
                printk(KERN_ERR "bt878: Too many devices inserted\n");
-                result = -ENOMEM;
+                return -ENOMEM;
-                goto fail0;
        }
        if (pci_enable_device(dev))
                return -EIO;
diff --git a/drivers/media/pci/cx23885/cx23885-cards.c b/drivers/media/pci/cx23885/cx23885-cards.c
index f384f295676e..679d122af63c 100644
--- a/drivers/media/pci/cx23885/cx23885-cards.c
+++ b/drivers/media/pci/cx23885/cx23885-cards.c
@@ -2124,6 +2124,10 @@ void cx23885_card_setup(struct cx23885_dev *dev)
                                &dev->i2c_bus[2].i2c_adap,
                                "cx25840", 0x88 >> 1, NULL);
                if (dev->sd_cx25840) {
+                        /* set host data for clk_freq configuration */
+                        v4l2_set_subdev_hostdata(dev->sd_cx25840,
+                                                &dev->clk_freq);
                        dev->sd_cx25840->grp_id = CX23885_HW_AV_CORE;
                        v4l2_subdev_call(dev->sd_cx25840, core, load_fw);
                }
diff --git a/drivers/media/pci/cx23885/cx23885-core.c b/drivers/media/pci/cx23885/cx23885-core.c
index e8f847226a19..6eb3be13b430 100644
--- a/drivers/media/pci/cx23885/cx23885-core.c
+++ b/drivers/media/pci/cx23885/cx23885-core.c
@@ -872,6 +872,16 @@ static int cx23885_dev_setup(struct cx23885_dev *dev)
        if (cx23885_boards[dev->board].clk_freq > 0)
                dev->clk_freq = cx23885_boards[dev->board].clk_freq;
+        if (dev->board == CX23885_BOARD_HAUPPAUGE_IMPACTVCBE &&
+                dev->pci->subsystem_device == 0x7137) {
+                /* Hauppauge ImpactVCBe device ID 0x7137 is populated
+                 * with an 888, and a 25Mhz crystal, instead of the
+                 * usual third overtone 50Mhz. The default clock rate must
+                 * be overridden so the cx25840 is properly configured
+                 */
+                dev->clk_freq = 25000000;
+        }
        dev->pci_bus  = dev->pci->bus->number;
        dev->pci_slot = PCI_SLOT(dev->pci->devfn);
        cx23885_irq_add(dev, 0x001f00);
diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c
index 0042803a9de7..54398d8a4696 100644
--- a/drivers/media/pci/cx25821/cx25821-core.c
+++ b/drivers/media/pci/cx25821/cx25821-core.c
@@ -871,6 +871,10 @@ static int cx25821_dev_setup(struct cx25821_dev *dev)
        dev->nr = ++cx25821_devcount;
        sprintf(dev->name, "cx25821[%d]", dev->nr);
+        if (dev->nr >= ARRAY_SIZE(card)) {
+                CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card));
+                return -ENODEV;
+        }
        if (dev->pci->device != 0x8210) {
                pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n",
                        __func__, dev->pci->device);
@@ -886,9 +890,6 @@ static int cx25821_dev_setup(struct cx25821_dev *dev)
                dev->channels[i].sram_channels = &cx25821_sram_channels[i];
        }
-        if (dev->nr > 1)
-                CX25821_INFO("dev->nr > 1!");
        /* board config */
        dev->board = 1;         /* card[dev->nr]; */
        dev->_max_num_decoders = MAX_DECODERS;
diff --git a/drivers/media/pci/saa7164/saa7164-fw.c b/drivers/media/pci/saa7164/saa7164-fw.c
index 269e0782c7b6..93d53195e8ca 100644
--- a/drivers/media/pci/saa7164/saa7164-fw.c
+++ b/drivers/media/pci/saa7164/saa7164-fw.c
@@ -430,7 +430,8 @@ int saa7164_downloadfirmware(struct saa7164_dev *dev)
                        __func__, fw->size);
                if (fw->size != fwlength) {
-                        printk(KERN_ERR "xc5000: firmware incorrect size\n");
+                        printk(KERN_ERR "saa7164: firmware incorrect size %zu != %u\n",
+                                fw->size, fwlength);
                        ret = -ENOMEM;
                        goto out;
                }
diff --git a/drivers/media/pci/solo6x10/solo6x10-v4l2.c b/drivers/media/pci/solo6x10/solo6x10-v4l2.c
index f7ce493b1fee..a0b61e88c838 100644
--- a/drivers/media/pci/solo6x10/solo6x10-v4l2.c
+++ b/drivers/media/pci/solo6x10/solo6x10-v4l2.c
@@ -342,6 +342,17 @@ static void solo_stop_streaming(struct vb2_queue *q)
        struct solo_dev *solo_dev = vb2_get_drv_priv(q);
        solo_stop_thread(solo_dev);
+        spin_lock(&solo_dev->slock);
+        while (!list_empty(&solo_dev->vidq_active)) {
+                struct solo_vb2_buf *buf = list_entry(
+                                solo_dev->vidq_active.next,
+                                struct solo_vb2_buf, list);
+                list_del(&buf->list);
+                vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR);
+        }
+        spin_unlock(&solo_dev->slock);
        INIT_LIST_HEAD(&solo_dev->vidq_active);
 }
diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
index 56e683b19a73..91e02c1ff392 100644
--- a/drivers/media/platform/omap3isp/isp.c
+++ b/drivers/media/platform/omap3isp/isp.c
@@ -2077,6 +2077,7 @@ error_csiphy:
 static void isp_detach_iommu(struct isp_device *isp)
 {
+        arm_iommu_detach_device(isp->dev);
        arm_iommu_release_mapping(isp->mapping);
        isp->mapping = NULL;
        iommu_group_remove_device(isp->dev);
@@ -2110,8 +2111,7 @@ static int isp_attach_iommu(struct isp_device *isp)
        mapping = arm_iommu_create_mapping(&platform_bus_type, SZ_1G, SZ_2G);
        if (IS_ERR(mapping)) {
                dev_err(isp->dev, "failed to create ARM IOMMU mapping\n");
-                ret = PTR_ERR(mapping);
+                return PTR_ERR(mapping);
-                goto error;
        }
        isp->mapping = mapping;
@@ -2126,7 +2126,8 @@ static int isp_attach_iommu(struct isp_device *isp)
        return 0;
 error:
-        isp_detach_iommu(isp);
+        arm_iommu_release_mapping(isp->mapping);
+        isp->mapping = NULL;
        return ret;
 }
diff --git a/drivers/media/platform/rcar_jpu.c b/drivers/media/platform/rcar_jpu.c
index f8e3e83c52a2..20de5e9fc217 100644
--- a/drivers/media/platform/rcar_jpu.c
+++ b/drivers/media/platform/rcar_jpu.c
@@ -1278,7 +1278,7 @@ static int jpu_open(struct file *file)
                /* ...issue software reset */
                ret = jpu_reset(jpu);
                if (ret)
-                        goto device_prepare_rollback;
+                        goto jpu_reset_rollback;
        }
        jpu->ref_count++;
@@ -1286,6 +1286,8 @@ static int jpu_open(struct file *file)
        mutex_unlock(&jpu->mutex);
        return 0;
+jpu_reset_rollback:
+        clk_disable_unprepare(jpu->clk);
 device_prepare_rollback:
        mutex_unlock(&jpu->mutex);
 v4l_prepare_rollback:
diff --git a/drivers/media/platform/s3c-camif/camif-capture.c b/drivers/media/platform/s3c-camif/camif-capture.c
index 537b858cb94a..fa6af4a7dae1 100644
--- a/drivers/media/platform/s3c-camif/camif-capture.c
+++ b/drivers/media/platform/s3c-camif/camif-capture.c
@@ -1268,16 +1268,17 @@ static void __camif_subdev_try_format(struct camif_dev *camif,
 {
        const struct s3c_camif_variant *variant = camif->variant;
        const struct vp_pix_limits *pix_lim;
-        int i = ARRAY_SIZE(camif_mbus_formats);
+        unsigned int i;
        /* FIXME: constraints against codec or preview path ? */
        pix_lim = &variant->vp_pix_limits[VP_CODEC];
-        while (i-- >= 0)
+        for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
                if (camif_mbus_formats[i] == mf->code)
                        break;
-        mf->code = camif_mbus_formats[i];
+        if (i == ARRAY_SIZE(camif_mbus_formats))
+                mf->code = camif_mbus_formats[0];
        if (pad == CAMIF_SD_PAD_SINK) {
                v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,
diff --git a/drivers/media/platform/soc_camera/soc_scale_crop.c b/drivers/media/platform/soc_camera/soc_scale_crop.c
index bda29bc1b933..2f74a5ac0147 100644
--- a/drivers/media/platform/soc_camera/soc_scale_crop.c
+++ b/drivers/media/platform/soc_camera/soc_scale_crop.c
@@ -405,3 +405,7 @@ void soc_camera_calc_client_output(struct soc_camera_device *icd,
        mf->height = soc_camera_shift_scale(rect->height, shift, scale_v);
 }
 EXPORT_SYMBOL(soc_camera_calc_client_output);
+MODULE_DESCRIPTION("soc-camera scaling-cropping functions");
+MODULE_AUTHOR("Guennadi Liakhovetski <kernel@pengutronix.de>");
+MODULE_LICENSE("GPL");
diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
index 8490a65ae1c6..a43404cad3e3 100644
--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
+++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
@@ -83,7 +83,7 @@ static void c8sectpfe_timer_interrupt(unsigned long ac8sectpfei)
 static void channel_swdemux_tsklet(unsigned long data)
 {
        struct channel_info *channel = (struct channel_info *)data;
-        struct c8sectpfei *fei = channel->fei;
+        struct c8sectpfei *fei;
        unsigned long wp, rp;
        int pos, num_packets, n, size;
        u8 *buf;
@@ -91,6 +91,8 @@ static void channel_swdemux_tsklet(unsigned long data)
        if (unlikely(!channel || !channel->irec))
                return;
+        fei = channel->fei;
        wp = readl(channel->irec + DMA_PRDS_BUSWP_TP(0));
        rp = readl(channel->irec + DMA_PRDS_BUSRP_TP(0));
diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c
index 471d6a8ae8a4..9326439bc49c 100644
--- a/drivers/media/radio/si470x/radio-si470x-i2c.c
+++ b/drivers/media/radio/si470x/radio-si470x-i2c.c
@@ -96,7 +96,7 @@ MODULE_PARM_DESC(max_rds_errors, "RDS maximum block errors: *1*");
 */
 int si470x_get_register(struct si470x_device *radio, int regnr)
 {
-        u16 buf[READ_REG_NUM];
+        __be16 buf[READ_REG_NUM];
        struct i2c_msg msgs[1] = {
                {
                        .addr = radio->client->addr,
@@ -121,7 +121,7 @@ int si470x_get_register(struct si470x_device *radio, int regnr)
 int si470x_set_register(struct si470x_device *radio, int regnr)
 {
        int i;
-        u16 buf[WRITE_REG_NUM];
+        __be16 buf[WRITE_REG_NUM];
        struct i2c_msg msgs[1] = {
                {
                        .addr = radio->client->addr,
@@ -151,7 +151,7 @@ int si470x_set_register(struct si470x_device *radio, int regnr)
 static int si470x_get_all_registers(struct si470x_device *radio)
 {
        int i;
-        u16 buf[READ_REG_NUM];
+        __be16 buf[READ_REG_NUM];
        struct i2c_msg msgs[1] = {
                {
                        .addr = radio->client->addr,
diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index f838d9c7ed12..0fba4a2c1602 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1370,8 +1370,13 @@ static int mceusb_dev_probe(struct usb_interface *intf,
                goto rc_dev_fail;
        /* wire up inbound data handler */
-        usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
+        if (usb_endpoint_xfer_int(ep_in))
-                                mceusb_dev_recv, ir, ep_in->bInterval);
+                usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
+                                 mceusb_dev_recv, ir, ep_in->bInterval);
+        else
+                usb_fill_bulk_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
+                                  mceusb_dev_recv, ir);
        ir->urb_in->transfer_dma = ir->dma_in;
        ir->urb_in->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
index a7a8452e99d2..c1ce8d3ce877 100644
--- a/drivers/media/tuners/r820t.c
+++ b/drivers/media/tuners/r820t.c
@@ -410,9 +410,11 @@ static int r820t_write(struct r820t_priv *priv, u8 reg, const u8 *val,
        return 0;
 }
-static int r820t_write_reg(struct r820t_priv *priv, u8 reg, u8 val)
+static inline int r820t_write_reg(struct r820t_priv *priv, u8 reg, u8 val)
 {
-        return r820t_write(priv, reg, &val, 1);
+        u8 tmp = val; /* work around GCC PR81715 with asan-stack=1 */
+        return r820t_write(priv, reg, &tmp, 1);
 }
 static int r820t_read_cache_reg(struct r820t_priv *priv, int reg)
@@ -425,17 +427,18 @@ static int r820t_read_cache_reg(struct r820t_priv *priv, int reg)
                return -EINVAL;
 }
-static int r820t_write_reg_mask(struct r820t_priv *priv, u8 reg, u8 val,
+static inline int r820t_write_reg_mask(struct r820t_priv *priv, u8 reg, u8 val,
                                u8 bit_mask)
 {
+        u8 tmp = val;
        int rc = r820t_read_cache_reg(priv, reg);
        if (rc < 0)
                return rc;
-        val = (rc & ~bit_mask) | (val & bit_mask);
+        tmp = (rc & ~bit_mask) | (tmp & bit_mask);
-        return r820t_write(priv, reg, &val, 1);
+        return r820t_write(priv, reg, &tmp, 1);
 }
 static int r820t_read(struct r820t_priv *priv, u8 reg, u8 *val, int len)
diff --git a/drivers/media/usb/cpia2/cpia2_v4l.c b/drivers/media/usb/cpia2/cpia2_v4l.c
index 9caea8344547..d793c630f1dd 100644
--- a/drivers/media/usb/cpia2/cpia2_v4l.c
+++ b/drivers/media/usb/cpia2/cpia2_v4l.c
@@ -812,7 +812,7 @@ static int cpia2_querybuf(struct file *file, void *fh, struct v4l2_buffer *buf)
        struct camera_data *cam = video_drvdata(file);
        if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE ||
-           buf->index > cam->num_frames)
+           buf->index >= cam->num_frames)
                return -EINVAL;
        buf->m.offset = cam->buffers[buf->index].data - cam->frame_buffer;
@@ -863,7 +863,7 @@ static int cpia2_qbuf(struct file *file, void *fh, struct v4l2_buffer *buf)
        if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE ||
           buf->memory != V4L2_MEMORY_MMAP ||
-           buf->index > cam->num_frames)
+           buf->index >= cam->num_frames)
                return -EINVAL;
        DBG("QBUF #%d\n", buf->index);
diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c
index 04ae21278440..77f54e4198d3 100644
--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
@@ -864,6 +864,9 @@ struct usb_device_id cx231xx_id_table[] = {
         .driver_info = CX231XX_BOARD_CNXT_RDE_250},
        {USB_DEVICE(0x0572, 0x58A0),
         .driver_info = CX231XX_BOARD_CNXT_RDU_250},
+        /* AverMedia DVD EZMaker 7 */
+        {USB_DEVICE(0x07ca, 0xc039),
+         .driver_info = CX231XX_BOARD_CNXT_VIDEO_GRABBER},
        {USB_DEVICE(0x2040, 0xb110),
         .driver_info = CX231XX_BOARD_HAUPPAUGE_USB2_FM_PAL},
        {USB_DEVICE(0x2040, 0xb111),
diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
index 3721ee63b8fb..09c97847bf95 100644
--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
@@ -503,18 +503,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid,
 static int lme2510_return_status(struct dvb_usb_device *d)
 {
-        int ret = 0;
+        int ret;
        u8 *data;
-        data = kzalloc(10, GFP_KERNEL);
+        data = kzalloc(6, GFP_KERNEL);
        if (!data)
                return -ENOMEM;
-        ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+        ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
-                        0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
+                              0x06, 0x80, 0x0302, 0x00,
-        info("Firmware Status: %x (%x)", ret , data[2]);
+                              data, 0x6, 200);
+        if (ret != 6)
+                ret = -EINVAL;
+        else
+                ret = data[2];
+        info("Firmware Status: %6ph", data);
-        ret = (ret < 0) ? -ENODEV : data[2];
        kfree(data);
        return ret;
 }
@@ -1078,8 +1083,6 @@ static int dm04_lme2510_frontend_attach(struct dvb_usb_adapter *adap)
                if (adap->fe[0]) {
                        info("FE Found M88RS2000");
-                        dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
-                                        &d->i2c_adap);
                        st->i2c_tuner_gate_w = 5;
                        st->i2c_tuner_gate_r = 5;
                        st->i2c_tuner_addr = 0x60;
@@ -1145,17 +1148,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter *adap)
                        ret = st->tuner_config;
                break;
        case TUNER_RS2000:
-                ret = st->tuner_config;
+                if (dvb_attach(ts2020_attach, adap->fe[0],
+                               &ts2020_config, &d->i2c_adap))
+                        ret = st->tuner_config;
                break;
        default:
                break;
        }
-        if (ret)
+        if (ret) {
                info("TUN Found %s tuner", tun_msg[ret]);
-        else {
+        } else {
-                info("TUN No tuner found --- resetting device");
+                info("TUN No tuner found");
-                lme_coldreset(d);
                return -ENODEV;
        }
@@ -1199,6 +1203,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d)
 static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
 {
        struct lme2510_state *st = d->priv;
+        int status;
        usb_reset_configuration(d->udev);
@@ -1207,12 +1212,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
        st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
-        if (lme2510_return_status(d) == 0x44) {
+        status = lme2510_return_status(d);
+        if (status == 0x44) {
                *name = lme_firmware_switch(d, 0);
                return COLD;
        }
-        return 0;
+        if (status != 0x47)
+                return -EINVAL;
+        return WARM;
 }
 static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
index ab7151181728..d00b27ed73a6 100644
--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
@@ -818,6 +818,8 @@ static int dvico_bluebird_xc2028_callback(void *ptr, int component,
        case XC2028_RESET_CLK:
                deb_info("%s: XC2028_RESET_CLK %d\n", __func__, arg);
                break;
+        case XC2028_I2C_FLUSH:
+                break;
        default:
                deb_info("%s: unknown command %d, arg %d\n", __func__,
                         command, arg);
diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c
index 7df0707a0455..38c03283a441 100644
--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
@@ -431,6 +431,7 @@ static int stk7700ph_xc3028_callback(void *ptr, int component,
                state->dib7000p_ops.set_gpio(adap->fe_adap[0].fe, 8, 0, 1);
                break;
        case XC2028_RESET_CLK:
+        case XC2028_I2C_FLUSH:
                break;
        default:
                err("%s: unknown command %d, arg %d\n", __func__,
diff --git a/drivers/media/usb/em28xx/Kconfig b/drivers/media/usb/em28xx/Kconfig
index e382210c4ada..75323f5efd0f 100644
--- a/drivers/media/usb/em28xx/Kconfig
+++ b/drivers/media/usb/em28xx/Kconfig
@@ -11,7 +11,7 @@ config VIDEO_EM28XX_V4L2
        select VIDEO_SAA711X if MEDIA_SUBDRV_AUTOSELECT
        select VIDEO_TVP5150 if MEDIA_SUBDRV_AUTOSELECT
        select VIDEO_MSP3400 if MEDIA_SUBDRV_AUTOSELECT
-        select VIDEO_MT9V011 if MEDIA_SUBDRV_AUTOSELECT
+        select VIDEO_MT9V011 if MEDIA_SUBDRV_AUTOSELECT && MEDIA_CAMERA_SUPPORT
        ---help---
          This is a video4linux driver for Empia 28xx based TV cards.
diff --git a/drivers/media/usb/em28xx/em28xx.h b/drivers/media/usb/em28xx/em28xx.h
index 76bf8ba372b3..5b53e31ce262 100644
--- a/drivers/media/usb/em28xx/em28xx.h
+++ b/drivers/media/usb/em28xx/em28xx.h
@@ -187,7 +187,7 @@
   USB 2.0 spec says bulk packet size is always 512 bytes
 */
 #define EM28XX_BULK_PACKET_MULTIPLIER 384
-#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384
+#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94
 #define EM28XX_INTERLACED_DEFAULT 1
diff --git a/drivers/media/usb/go7007/Kconfig b/drivers/media/usb/go7007/Kconfig
index 95a3af644a92..af1d02430931 100644
--- a/drivers/media/usb/go7007/Kconfig
+++ b/drivers/media/usb/go7007/Kconfig
@@ -11,7 +11,7 @@ config VIDEO_GO7007
        select VIDEO_TW2804 if MEDIA_SUBDRV_AUTOSELECT
        select VIDEO_TW9903 if MEDIA_SUBDRV_AUTOSELECT
        select VIDEO_TW9906 if MEDIA_SUBDRV_AUTOSELECT
-        select VIDEO_OV7640 if MEDIA_SUBDRV_AUTOSELECT
+        select VIDEO_OV7640 if MEDIA_SUBDRV_AUTOSELECT && MEDIA_CAMERA_SUPPORT
        select VIDEO_UDA1342 if MEDIA_SUBDRV_AUTOSELECT
        ---help---
          This is a video4linux driver for the WIS GO7007 MPEG
diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c
index 3fc64197b4e6..08f0ca7aa012 100644
--- a/drivers/media/usb/hdpvr/hdpvr-core.c
+++ b/drivers/media/usb/hdpvr/hdpvr-core.c
@@ -273,7 +273,9 @@ static int hdpvr_probe(struct usb_interface *interface,
        struct hdpvr_device *dev;
        struct usb_host_interface *iface_desc;
        struct usb_endpoint_descriptor *endpoint;
+#if IS_ENABLED(CONFIG_I2C)
        struct i2c_client *client;
+#endif
        size_t buffer_size;
        int i;
        int retval = -ENOMEM;
diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c
index 58f23bcfe94e..299750e56916 100644
--- a/drivers/media/usb/pwc/pwc-if.c
+++ b/drivers/media/usb/pwc/pwc-if.c
@@ -1119,8 +1119,10 @@ static int usb_pwc_probe(struct usb_interface *intf, const struct usb_device_id
        return 0;
+#ifdef CONFIG_USB_PWC_INPUT_EVDEV
 err_video_unreg:
        video_unregister_device(&pdev->vdev);
+#endif
 err_unregister_v4l2_dev:
        v4l2_device_unregister(&pdev->v4l2_dev);
 err_free_controls:
diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
index 29428bef272c..483457d4904f 100644
--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -95,6 +95,8 @@ static int usbtv_probe(struct usb_interface *intf,
        return 0;
 usbtv_audio_fail:
+        /* we must not free at this point */
+        usb_get_dev(usbtv->udev);
        usbtv_video_free(usbtv);
 usbtv_video_fail:
@@ -127,6 +129,7 @@ static void usbtv_disconnect(struct usb_interface *intf)
 static struct usb_device_id usbtv_id_table[] = {
        { USB_DEVICE(0x1b71, 0x3002) },
+        { USB_DEVICE(0x1f71, 0x3301) },
        {}
 };
 MODULE_DEVICE_TABLE(usb, usbtv_id_table);
diff --git a/drivers/media/v4l2-core/Kconfig b/drivers/media/v4l2-core/Kconfig
index 9beece00869b..29b3436d0910 100644
--- a/drivers/media/v4l2-core/Kconfig
+++ b/drivers/media/v4l2-core/Kconfig
@@ -37,7 +37,6 @@ config VIDEO_PCI_SKELETON
 # Used by drivers that need tuner.ko
 config VIDEO_TUNER
        tristate
-        depends on MEDIA_TUNER
 # Used by drivers that need v4l2-mem2mem.ko
 config V4L2_MEM2MEM_DEV
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index 4379b949bb93..9292e35aef06 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -18,8 +18,18 @@
 #include <linux/videodev2.h>
 #include <linux/v4l2-subdev.h>
 #include <media/v4l2-dev.h>
+#include <media/v4l2-fh.h>
+#include <media/v4l2-ctrls.h>
 #include <media/v4l2-ioctl.h>
+/* Use the same argument order as copy_in_user */
+#define assign_in_user(to, from)                                        \
+({                                                                      \
+        typeof(*from) __assign_tmp;                                     \
+                                                                        \
+        get_user(__assign_tmp, from) || put_user(__assign_tmp, to);     \
+})
 static long native_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
        long ret = -ENOIOCTLCMD;
@@ -33,131 +43,90 @@ static long native_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 struct v4l2_clip32 {
        struct v4l2_rect        c;
-        compat_caddr_t          next;
+        compat_caddr_t          next;
 };
 struct v4l2_window32 {
        struct v4l2_rect        w;
-        __u32                   field;  /* enum v4l2_field */
+        __u32                   field;  /* enum v4l2_field */
        __u32                   chromakey;
        compat_caddr_t          clips; /* actually struct v4l2_clip32 * */
        __u32                   clipcount;
        compat_caddr_t          bitmap;
+        __u8                    global_alpha;
 };
-static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
+static int get_v4l2_window32(struct v4l2_window __user *kp,
-{
+                             struct v4l2_window32 __user *up,
-        if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_window32)) ||
+                             void __user *aux_buf, u32 aux_space)
-                copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
-                get_user(kp->field, &up->field) ||
-                get_user(kp->chromakey, &up->chromakey) ||
-                get_user(kp->clipcount, &up->clipcount))
-                        return -EFAULT;
-        if (kp->clipcount > 2048)
-                return -EINVAL;
-        if (kp->clipcount) {
-                struct v4l2_clip32 __user *uclips;
-                struct v4l2_clip __user *kclips;
-                int n = kp->clipcount;
-                compat_caddr_t p;
-                if (get_user(p, &up->clips))
-                        return -EFAULT;
-                uclips = compat_ptr(p);
-                kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip));
-                kp->clips = kclips;
-                while (--n >= 0) {
-                        if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
-                                return -EFAULT;
-                        if (put_user(n ? kclips + 1 : NULL, &kclips->next))
-                                return -EFAULT;
-                        uclips += 1;
-                        kclips += 1;
-                }
-        } else
-                kp->clips = NULL;
-        return 0;
-}
-static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
 {
-        if (copy_to_user(&up->w, &kp->w, sizeof(kp->w)) ||
+        struct v4l2_clip32 __user *uclips;
-                put_user(kp->field, &up->field) ||
+        struct v4l2_clip __user *kclips;
-                put_user(kp->chromakey, &up->chromakey) ||
+        compat_caddr_t p;
-                put_user(kp->clipcount, &up->clipcount))
+        u32 clipcount;
-                        return -EFAULT;
-        return 0;
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-}
+            copy_in_user(&kp->w, &up->w, sizeof(up->w)) ||
+            assign_in_user(&kp->field, &up->field) ||
-static inline int get_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up)
+            assign_in_user(&kp->chromakey, &up->chromakey) ||
-{
+            assign_in_user(&kp->global_alpha, &up->global_alpha) ||
-        if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format)))
+            get_user(clipcount, &up->clipcount) ||
-                return -EFAULT;
+            put_user(clipcount, &kp->clipcount))
-        return 0;
-}
-static inline int get_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp,
-                                struct v4l2_pix_format_mplane __user *up)
-{
-        if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format_mplane)))
-                return -EFAULT;
-        return 0;
-}
-static inline int put_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up)
-{
-        if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format)))
                return -EFAULT;
-        return 0;
+        if (clipcount > 2048)
-}
+                return -EINVAL;
+        if (!clipcount)
+                return put_user(NULL, &kp->clips);
-static inline int put_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp,
+        if (get_user(p, &up->clips))
-                                struct v4l2_pix_format_mplane __user *up)
-{
-        if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format_mplane)))
                return -EFAULT;
-        return 0;
+        uclips = compat_ptr(p);
-}
+        if (aux_space < clipcount * sizeof(*kclips))
-static inline int get_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up)
-{
-        if (copy_from_user(kp, up, sizeof(struct v4l2_vbi_format)))
                return -EFAULT;
-        return 0;
+        kclips = aux_buf;
-}
+        if (put_user(kclips, &kp->clips))
-static inline int put_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up)
-{
-        if (copy_to_user(up, kp, sizeof(struct v4l2_vbi_format)))
                return -EFAULT;
-        return 0;
-}
-static inline int get_v4l2_sliced_vbi_format(struct v4l2_sliced_vbi_format *kp, struct v4l2_sliced_vbi_format __user *up)
+        while (clipcount--) {
-{
+                if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
-        if (copy_from_user(kp, up, sizeof(struct v4l2_sliced_vbi_format)))
+                        return -EFAULT;
-                return -EFAULT;
+                if (put_user(clipcount ? kclips + 1 : NULL, &kclips->next))
+                        return -EFAULT;
+                uclips++;
+                kclips++;
+        }
        return 0;
 }
-static inline int put_v4l2_sliced_vbi_format(struct v4l2_sliced_vbi_format *kp, struct v4l2_sliced_vbi_format __user *up)
+static int put_v4l2_window32(struct v4l2_window __user *kp,
+                             struct v4l2_window32 __user *up)
 {
-        if (copy_to_user(up, kp, sizeof(struct v4l2_sliced_vbi_format)))
+        struct v4l2_clip __user *kclips;
+        struct v4l2_clip32 __user *uclips;
+        compat_caddr_t p;
+        u32 clipcount;
+        if (copy_in_user(&up->w, &kp->w, sizeof(kp->w)) ||
+            assign_in_user(&up->field, &kp->field) ||
+            assign_in_user(&up->chromakey, &kp->chromakey) ||
+            assign_in_user(&up->global_alpha, &kp->global_alpha) ||
+            get_user(clipcount, &kp->clipcount) ||
+            put_user(clipcount, &up->clipcount))
                return -EFAULT;
-        return 0;
+        if (!clipcount)
-}
+                return 0;
-static inline int get_v4l2_sdr_format(struct v4l2_sdr_format *kp, struct v4l2_sdr_format __user *up)
+        if (get_user(kclips, &kp->clips))
-{
-        if (copy_from_user(kp, up, sizeof(struct v4l2_sdr_format)))
                return -EFAULT;
-        return 0;
+        if (get_user(p, &up->clips))
-}
-static inline int put_v4l2_sdr_format(struct v4l2_sdr_format *kp, struct v4l2_sdr_format __user *up)
-{
-        if (copy_to_user(up, kp, sizeof(struct v4l2_sdr_format)))
                return -EFAULT;
+        uclips = compat_ptr(p);
+        while (clipcount--) {
+                if (copy_in_user(&uclips->c, &kclips->c, sizeof(uclips->c)))
+                        return -EFAULT;
+                uclips++;
+                kclips++;
+        }
        return 0;
 }
@@ -191,97 +160,158 @@ struct v4l2_create_buffers32 {
        __u32                   reserved[8];
 };
-static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+static int __bufsize_v4l2_format(struct v4l2_format32 __user *up, u32 *size)
+{
+        u32 type;
+        if (get_user(type, &up->type))
+                return -EFAULT;
+        switch (type) {
+        case V4L2_BUF_TYPE_VIDEO_OVERLAY:
+        case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY: {
+                u32 clipcount;
+                if (get_user(clipcount, &up->fmt.win.clipcount))
+                        return -EFAULT;
+                if (clipcount > 2048)
+                        return -EINVAL;
+                *size = clipcount * sizeof(struct v4l2_clip);
+                return 0;
+        }
+        default:
+                *size = 0;
+                return 0;
+        }
+}
+static int bufsize_v4l2_format(struct v4l2_format32 __user *up, u32 *size)
 {
-        if (get_user(kp->type, &up->type))
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)))
                return -EFAULT;
+        return __bufsize_v4l2_format(up, size);
+}
-        switch (kp->type) {
+static int __get_v4l2_format32(struct v4l2_format __user *kp,
+                               struct v4l2_format32 __user *up,
+                               void __user *aux_buf, u32 aux_space)
+{
+        u32 type;
+        if (get_user(type, &up->type) || put_user(type, &kp->type))
+                return -EFAULT;
+        switch (type) {
        case V4L2_BUF_TYPE_VIDEO_CAPTURE:
        case V4L2_BUF_TYPE_VIDEO_OUTPUT:
-                return get_v4l2_pix_format(&kp->fmt.pix, &up->fmt.pix);
+                return copy_in_user(&kp->fmt.pix, &up->fmt.pix,
+                                    sizeof(kp->fmt.pix)) ? -EFAULT : 0;
        case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
        case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
-                return get_v4l2_pix_format_mplane(&kp->fmt.pix_mp,
+                return copy_in_user(&kp->fmt.pix_mp, &up->fmt.pix_mp,
-                                                  &up->fmt.pix_mp);
+                                    sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
        case V4L2_BUF_TYPE_VIDEO_OVERLAY:
        case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
-                return get_v4l2_window32(&kp->fmt.win, &up->fmt.win);
+                return get_v4l2_window32(&kp->fmt.win, &up->fmt.win,
+                                         aux_buf, aux_space);
        case V4L2_BUF_TYPE_VBI_CAPTURE:
        case V4L2_BUF_TYPE_VBI_OUTPUT:
-                return get_v4l2_vbi_format(&kp->fmt.vbi, &up->fmt.vbi);
+                return copy_in_user(&kp->fmt.vbi, &up->fmt.vbi,
+                                    sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
        case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
        case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
-                return get_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced);
+                return copy_in_user(&kp->fmt.sliced, &up->fmt.sliced,
+                                    sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
        case V4L2_BUF_TYPE_SDR_CAPTURE:
        case V4L2_BUF_TYPE_SDR_OUTPUT:
-                return get_v4l2_sdr_format(&kp->fmt.sdr, &up->fmt.sdr);
+                return copy_in_user(&kp->fmt.sdr, &up->fmt.sdr,
+                                    sizeof(kp->fmt.sdr)) ? -EFAULT : 0;
        default:
-                pr_info("compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
-                                                                kp->type);
                return -EINVAL;
        }
 }
-static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+static int get_v4l2_format32(struct v4l2_format __user *kp,
+                             struct v4l2_format32 __user *up,
+                             void __user *aux_buf, u32 aux_space)
 {
-        if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)))
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)))
                return -EFAULT;
-        return __get_v4l2_format32(kp, up);
+        return __get_v4l2_format32(kp, up, aux_buf, aux_space);
 }
-static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
+static int bufsize_v4l2_create(struct v4l2_create_buffers32 __user *up,
+                               u32 *size)
 {
-        if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) ||
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)))
-            copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format)))
                return -EFAULT;
-        return __get_v4l2_format32(&kp->format, &up->format);
+        return __bufsize_v4l2_format(&up->format, size);
 }
-static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+static int get_v4l2_create32(struct v4l2_create_buffers __user *kp,
+                             struct v4l2_create_buffers32 __user *up,
+                             void __user *aux_buf, u32 aux_space)
 {
-        if (put_user(kp->type, &up->type))
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
+            copy_in_user(kp, up,
+                         offsetof(struct v4l2_create_buffers32, format)))
                return -EFAULT;
+        return __get_v4l2_format32(&kp->format, &up->format,
+                                   aux_buf, aux_space);
+}
+static int __put_v4l2_format32(struct v4l2_format __user *kp,
+                               struct v4l2_format32 __user *up)
+{
+        u32 type;
-        switch (kp->type) {
+        if (get_user(type, &kp->type))
+                return -EFAULT;
+        switch (type) {
        case V4L2_BUF_TYPE_VIDEO_CAPTURE:
        case V4L2_BUF_TYPE_VIDEO_OUTPUT:
-                return put_v4l2_pix_format(&kp->fmt.pix, &up->fmt.pix);
+                return copy_in_user(&up->fmt.pix, &kp->fmt.pix,
+                                    sizeof(kp->fmt.pix)) ? -EFAULT : 0;
        case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
        case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
-                return put_v4l2_pix_format_mplane(&kp->fmt.pix_mp,
+                return copy_in_user(&up->fmt.pix_mp, &kp->fmt.pix_mp,
-                                                  &up->fmt.pix_mp);
+                                    sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
        case V4L2_BUF_TYPE_VIDEO_OVERLAY:
        case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
                return put_v4l2_window32(&kp->fmt.win, &up->fmt.win);
        case V4L2_BUF_TYPE_VBI_CAPTURE:
        case V4L2_BUF_TYPE_VBI_OUTPUT:
-                return put_v4l2_vbi_format(&kp->fmt.vbi, &up->fmt.vbi);
+                return copy_in_user(&up->fmt.vbi, &kp->fmt.vbi,
+                                    sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
        case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
        case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
-                return put_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced);
+                return copy_in_user(&up->fmt.sliced, &kp->fmt.sliced,
+                                    sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
        case V4L2_BUF_TYPE_SDR_CAPTURE:
        case V4L2_BUF_TYPE_SDR_OUTPUT:
-                return put_v4l2_sdr_format(&kp->fmt.sdr, &up->fmt.sdr);
+                return copy_in_user(&up->fmt.sdr, &kp->fmt.sdr,
+                                    sizeof(kp->fmt.sdr)) ? -EFAULT : 0;
        default:
-                pr_info("compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
-                                                                kp->type);
                return -EINVAL;
        }
 }
-static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+static int put_v4l2_format32(struct v4l2_format __user *kp,
+                             struct v4l2_format32 __user *up)
 {
-        if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)))
+        if (!access_ok(VERIFY_WRITE, up, sizeof(*up)))
                return -EFAULT;
        return __put_v4l2_format32(kp, up);
 }
-static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
+static int put_v4l2_create32(struct v4l2_create_buffers __user *kp,
+                             struct v4l2_create_buffers32 __user *up)
 {
-        if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) ||
+        if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-            copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) ||
+            copy_in_user(up, kp,
-            copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
+                         offsetof(struct v4l2_create_buffers32, format)) ||
+            copy_in_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
                return -EFAULT;
        return __put_v4l2_format32(&kp->format, &up->format);
 }
@@ -295,25 +325,28 @@ struct v4l2_standard32 {
        __u32                reserved[4];
 };
-static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
+static int get_v4l2_standard32(struct v4l2_standard __user *kp,
+                               struct v4l2_standard32 __user *up)
 {
        /* other fields are not set by the user, nor used by the driver */
-        if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard32)) ||
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-                get_user(kp->index, &up->index))
+            assign_in_user(&kp->index, &up->index))
                return -EFAULT;
        return 0;
 }
-static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
+static int put_v4l2_standard32(struct v4l2_standard __user *kp,
+                               struct v4l2_standard32 __user *up)
 {
-        if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) ||
+        if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-                put_user(kp->index, &up->index) ||
+            assign_in_user(&up->index, &kp->index) ||
-                put_user(kp->id, &up->id) ||
+            assign_in_user(&up->id, &kp->id) ||
-                copy_to_user(up->name, kp->name, 24) ||
+            copy_in_user(up->name, kp->name, sizeof(up->name)) ||
-                copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
+            copy_in_user(&up->frameperiod, &kp->frameperiod,
-                put_user(kp->framelines, &up->framelines) ||
+                         sizeof(up->frameperiod)) ||
-                copy_to_user(up->reserved, kp->reserved, 4 * sizeof(__u32)))
+            assign_in_user(&up->framelines, &kp->framelines) ||
-                        return -EFAULT;
+            copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
+                return -EFAULT;
        return 0;
 }
@@ -352,134 +385,186 @@ struct v4l2_buffer32 {
        __u32                   reserved;
 };
-static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
+static int get_v4l2_plane32(struct v4l2_plane __user *up,
-                                enum v4l2_memory memory)
+                            struct v4l2_plane32 __user *up32,
+                            enum v4l2_memory memory)
 {
-        void __user *up_pln;
+        compat_ulong_t p;
-        compat_long_t p;
        if (copy_in_user(up, up32, 2 * sizeof(__u32)) ||
-                copy_in_user(&up->data_offset, &up32->data_offset,
+            copy_in_user(&up->data_offset, &up32->data_offset,
-                                sizeof(__u32)))
+                         sizeof(up->data_offset)))
                return -EFAULT;
-        if (memory == V4L2_MEMORY_USERPTR) {
+        switch (memory) {
-                if (get_user(p, &up32->m.userptr))
+        case V4L2_MEMORY_MMAP:
-                        return -EFAULT;
+        case V4L2_MEMORY_OVERLAY:
-                up_pln = compat_ptr(p);
+                if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
-                if (put_user((unsigned long)up_pln, &up->m.userptr))
+                                 sizeof(up32->m.mem_offset)))
                        return -EFAULT;
-        } else if (memory == V4L2_MEMORY_DMABUF) {
+                break;
-                if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(int)))
+        case V4L2_MEMORY_USERPTR:
+                if (get_user(p, &up32->m.userptr) ||
+                    put_user((unsigned long)compat_ptr(p), &up->m.userptr))
                        return -EFAULT;
-        } else {
+                break;
-                if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
+        case V4L2_MEMORY_DMABUF:
-                                        sizeof(__u32)))
+                if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(up32->m.fd)))
                        return -EFAULT;
+                break;
        }
        return 0;
 }
-static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
+static int put_v4l2_plane32(struct v4l2_plane __user *up,
-                                enum v4l2_memory memory)
+                            struct v4l2_plane32 __user *up32,
+                            enum v4l2_memory memory)
 {
+        unsigned long p;
        if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
-                copy_in_user(&up32->data_offset, &up->data_offset,
+            copy_in_user(&up32->data_offset, &up->data_offset,
-                                sizeof(__u32)))
+                         sizeof(up->data_offset)))
                return -EFAULT;
-        /* For MMAP, driver might've set up the offset, so copy it back.
+        switch (memory) {
-         * USERPTR stays the same (was userspace-provided), so no copying. */
+        case V4L2_MEMORY_MMAP:
-        if (memory == V4L2_MEMORY_MMAP)
+        case V4L2_MEMORY_OVERLAY:
                if (copy_in_user(&up32->m.mem_offset, &up->m.mem_offset,
-                                        sizeof(__u32)))
+                                 sizeof(up->m.mem_offset)))
                        return -EFAULT;
-        /* For DMABUF, driver might've set up the fd, so copy it back. */
+                break;
-        if (memory == V4L2_MEMORY_DMABUF)
+        case V4L2_MEMORY_USERPTR:
-                if (copy_in_user(&up32->m.fd, &up->m.fd,
+                if (get_user(p, &up->m.userptr) ||
-                                        sizeof(int)))
+                    put_user((compat_ulong_t)ptr_to_compat((__force void *)p),
+                             &up32->m.userptr))
+                        return -EFAULT;
+                break;
+        case V4L2_MEMORY_DMABUF:
+                if (copy_in_user(&up32->m.fd, &up->m.fd, sizeof(up->m.fd)))
                        return -EFAULT;
+                break;
+        }
+        return 0;
+}
+static int bufsize_v4l2_buffer(struct v4l2_buffer32 __user *up, u32 *size)
+{
+        u32 type;
+        u32 length;
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
+            get_user(type, &up->type) ||
+            get_user(length, &up->length))
+                return -EFAULT;
+        if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
+                if (length > VIDEO_MAX_PLANES)
+                        return -EINVAL;
+                /*
+                 * We don't really care if userspace decides to kill itself
+                 * by passing a very big length value
+                 */
+                *size = length * sizeof(struct v4l2_plane);
+        } else {
+                *size = 0;
+        }
        return 0;
 }
-static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up)
+static int get_v4l2_buffer32(struct v4l2_buffer __user *kp,
+                             struct v4l2_buffer32 __user *up,
+                             void __user *aux_buf, u32 aux_space)
 {
+        u32 type;
+        u32 length;
+        enum v4l2_memory memory;
        struct v4l2_plane32 __user *uplane32;
        struct v4l2_plane __user *uplane;
        compat_caddr_t p;
-        int num_planes;
        int ret;
-        if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_buffer32)) ||
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-                get_user(kp->index, &up->index) ||
+            assign_in_user(&kp->index, &up->index) ||
-                get_user(kp->type, &up->type) ||
+            get_user(type, &up->type) ||
-                get_user(kp->flags, &up->flags) ||
+            put_user(type, &kp->type) ||
-                get_user(kp->memory, &up->memory) ||
+            assign_in_user(&kp->flags, &up->flags) ||
-                get_user(kp->length, &up->length))
+            get_user(memory, &up->memory) ||
-                        return -EFAULT;
+            put_user(memory, &kp->memory) ||
+            get_user(length, &up->length) ||
+            put_user(length, &kp->length))
+                return -EFAULT;
-        if (V4L2_TYPE_IS_OUTPUT(kp->type))
+        if (V4L2_TYPE_IS_OUTPUT(type))
-                if (get_user(kp->bytesused, &up->bytesused) ||
+                if (assign_in_user(&kp->bytesused, &up->bytesused) ||
-                        get_user(kp->field, &up->field) ||
+                    assign_in_user(&kp->field, &up->field) ||
-                        get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
+                    assign_in_user(&kp->timestamp.tv_sec,
-                        get_user(kp->timestamp.tv_usec,
+                                   &up->timestamp.tv_sec) ||
-                                        &up->timestamp.tv_usec))
+                    assign_in_user(&kp->timestamp.tv_usec,
+                                   &up->timestamp.tv_usec))
                        return -EFAULT;
-        if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
+        if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
-                num_planes = kp->length;
+                u32 num_planes = length;
                if (num_planes == 0) {
-                        kp->m.planes = NULL;
+                        /*
-                        /* num_planes == 0 is legal, e.g. when userspace doesn't
+                         * num_planes == 0 is legal, e.g. when userspace doesn't
-                         * need planes array on DQBUF*/
+                         * need planes array on DQBUF
-                        return 0;
+                         */
+                        return put_user(NULL, &kp->m.planes);
                }
+                if (num_planes > VIDEO_MAX_PLANES)
+                        return -EINVAL;
                if (get_user(p, &up->m.planes))
                        return -EFAULT;
                uplane32 = compat_ptr(p);
                if (!access_ok(VERIFY_READ, uplane32,
-                                num_planes * sizeof(struct v4l2_plane32)))
+                               num_planes * sizeof(*uplane32)))
                        return -EFAULT;
-                /* We don't really care if userspace decides to kill itself
+                /*
-                 * by passing a very big num_planes value */
+                 * We don't really care if userspace decides to kill itself
-                uplane = compat_alloc_user_space(num_planes *
+                 * by passing a very big num_planes value
-                                                sizeof(struct v4l2_plane));
+                 */
-                kp->m.planes = (__force struct v4l2_plane *)uplane;
+                if (aux_space < num_planes * sizeof(*uplane))
+                        return -EFAULT;
+                uplane = aux_buf;
+                if (put_user((__force struct v4l2_plane *)uplane,
+                             &kp->m.planes))
+                        return -EFAULT;
-                while (--num_planes >= 0) {
+                while (num_planes--) {
-                        ret = get_v4l2_plane32(uplane, uplane32, kp->memory);
+                        ret = get_v4l2_plane32(uplane, uplane32, memory);
                        if (ret)
                                return ret;
-                        ++uplane;
+                        uplane++;
-                        ++uplane32;
+                        uplane32++;
                }
        } else {
-                switch (kp->memory) {
+                switch (memory) {
                case V4L2_MEMORY_MMAP:
-                        if (get_user(kp->m.offset, &up->m.offset))
+                case V4L2_MEMORY_OVERLAY:
+                        if (assign_in_user(&kp->m.offset, &up->m.offset))
                                return -EFAULT;
                        break;
-                case V4L2_MEMORY_USERPTR:
+                case V4L2_MEMORY_USERPTR: {
-                        {
+                        compat_ulong_t userptr;
-                        compat_long_t tmp;
-                        if (get_user(tmp, &up->m.userptr))
+                        if (get_user(userptr, &up->m.userptr) ||
-                                return -EFAULT;
+                            put_user((unsigned long)compat_ptr(userptr),
+                                     &kp->m.userptr))
-                        kp->m.userptr = (unsigned long)compat_ptr(tmp);
-                        }
-                        break;
-                case V4L2_MEMORY_OVERLAY:
-                        if (get_user(kp->m.offset, &up->m.offset))
                                return -EFAULT;
                        break;
+                }
                case V4L2_MEMORY_DMABUF:
-                        if (get_user(kp->m.fd, &up->m.fd))
+                        if (assign_in_user(&kp->m.fd, &up->m.fd))
                                return -EFAULT;
                        break;
                }
@@ -488,65 +573,70 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
        return 0;
 }
-static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up)
+static int put_v4l2_buffer32(struct v4l2_buffer __user *kp,
+                             struct v4l2_buffer32 __user *up)
 {
+        u32 type;
+        u32 length;
+        enum v4l2_memory memory;
        struct v4l2_plane32 __user *uplane32;
        struct v4l2_plane __user *uplane;
        compat_caddr_t p;
-        int num_planes;
        int ret;
-        if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_buffer32)) ||
+        if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-                put_user(kp->index, &up->index) ||
+            assign_in_user(&up->index, &kp->index) ||
-                put_user(kp->type, &up->type) ||
+            get_user(type, &kp->type) ||
-                put_user(kp->flags, &up->flags) ||
+            put_user(type, &up->type) ||
-                put_user(kp->memory, &up->memory))
+            assign_in_user(&up->flags, &kp->flags) ||
-                        return -EFAULT;
+            get_user(memory, &kp->memory) ||
+            put_user(memory, &up->memory))
+                return -EFAULT;
-        if (put_user(kp->bytesused, &up->bytesused) ||
+        if (assign_in_user(&up->bytesused, &kp->bytesused) ||
-                put_user(kp->field, &up->field) ||
+            assign_in_user(&up->field, &kp->field) ||
-                put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
+            assign_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) ||
-                put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) ||
+            assign_in_user(&up->timestamp.tv_usec, &kp->timestamp.tv_usec) ||
-                copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) ||
+            copy_in_user(&up->timecode, &kp->timecode, sizeof(kp->timecode)) ||
-                put_user(kp->sequence, &up->sequence) ||
+            assign_in_user(&up->sequence, &kp->sequence) ||
-                put_user(kp->reserved2, &up->reserved2) ||
+            assign_in_user(&up->reserved2, &kp->reserved2) ||
-                put_user(kp->reserved, &up->reserved) ||
+            assign_in_user(&up->reserved, &kp->reserved) ||
-                put_user(kp->length, &up->length))
+            get_user(length, &kp->length) ||
-                        return -EFAULT;
+            put_user(length, &up->length))
+                return -EFAULT;
+        if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
+                u32 num_planes = length;
-        if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
-                num_planes = kp->length;
                if (num_planes == 0)
                        return 0;
-                uplane = (__force struct v4l2_plane __user *)kp->m.planes;
+                if (get_user(uplane, ((__force struct v4l2_plane __user **)&kp->m.planes)))
+                        return -EFAULT;
                if (get_user(p, &up->m.planes))
                        return -EFAULT;
                uplane32 = compat_ptr(p);
-                while (--num_planes >= 0) {
+                while (num_planes--) {
-                        ret = put_v4l2_plane32(uplane, uplane32, kp->memory);
+                        ret = put_v4l2_plane32(uplane, uplane32, memory);
                        if (ret)
                                return ret;
                        ++uplane;
                        ++uplane32;
                }
        } else {
-                switch (kp->memory) {
+                switch (memory) {
                case V4L2_MEMORY_MMAP:
-                        if (put_user(kp->m.offset, &up->m.offset))
+                case V4L2_MEMORY_OVERLAY:
+                        if (assign_in_user(&up->m.offset, &kp->m.offset))
                                return -EFAULT;
                        break;
                case V4L2_MEMORY_USERPTR:
-                        if (put_user(kp->m.userptr, &up->m.userptr))
+                        if (assign_in_user(&up->m.userptr, &kp->m.userptr))
-                                return -EFAULT;
-                        break;
-                case V4L2_MEMORY_OVERLAY:
-                        if (put_user(kp->m.offset, &up->m.offset))
                                return -EFAULT;
                        break;
                case V4L2_MEMORY_DMABUF:
-                        if (put_user(kp->m.fd, &up->m.fd))
+                        if (assign_in_user(&up->m.fd, &kp->m.fd))
                                return -EFAULT;
                        break;
                }
@@ -558,7 +648,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
 struct v4l2_framebuffer32 {
        __u32                   capability;
        __u32                   flags;
-        compat_caddr_t          base;
+        compat_caddr_t          base;
        struct {
                __u32           width;
                __u32           height;
@@ -571,30 +661,33 @@ struct v4l2_framebuffer32 {
        } fmt;
 };
-static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up)
+static int get_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp,
+                                  struct v4l2_framebuffer32 __user *up)
 {
-        u32 tmp;
+        compat_caddr_t tmp;
-        if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_framebuffer32)) ||
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-                get_user(tmp, &up->base) ||
+            get_user(tmp, &up->base) ||
-                get_user(kp->capability, &up->capability) ||
+            put_user((__force void *)compat_ptr(tmp), &kp->base) ||
-                get_user(kp->flags, &up->flags) ||
+            assign_in_user(&kp->capability, &up->capability) ||
-                copy_from_user(&kp->fmt, &up->fmt, sizeof(up->fmt)))
+            assign_in_user(&kp->flags, &up->flags) ||
-                        return -EFAULT;
+            copy_in_user(&kp->fmt, &up->fmt, sizeof(kp->fmt)))
-        kp->base = (__force void *)compat_ptr(tmp);
+                return -EFAULT;
        return 0;
 }
-static int put_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up)
+static int put_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp,
+                                  struct v4l2_framebuffer32 __user *up)
 {
-        u32 tmp = (u32)((unsigned long)kp->base);
+        void *base;
-        if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_framebuffer32)) ||
+        if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-                put_user(tmp, &up->base) ||
+            get_user(base, &kp->base) ||
-                put_user(kp->capability, &up->capability) ||
+            put_user(ptr_to_compat(base), &up->base) ||
-                put_user(kp->flags, &up->flags) ||
+            assign_in_user(&up->capability, &kp->capability) ||
-                copy_to_user(&up->fmt, &kp->fmt, sizeof(up->fmt)))
+            assign_in_user(&up->flags, &kp->flags) ||
-                        return -EFAULT;
+            copy_in_user(&up->fmt, &kp->fmt, sizeof(kp->fmt)))
+                return -EFAULT;
        return 0;
 }
@@ -606,21 +699,26 @@ struct v4l2_input32 {
        __u32        tuner;             /*  Associated tuner */
        compat_u64   std;
        __u32        status;
-        __u32        reserved[4];
+        __u32        capabilities;
+        __u32        reserved[3];
 };
-/* The 64-bit v4l2_input struct has extra padding at the end of the struct.
+/*
-   Otherwise it is identical to the 32-bit version. */
+ * The 64-bit v4l2_input struct has extra padding at the end of the struct.
-static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
+ * Otherwise it is identical to the 32-bit version.
+ */
+static inline int get_v4l2_input32(struct v4l2_input __user *kp,
+                                   struct v4l2_input32 __user *up)
 {
-        if (copy_from_user(kp, up, sizeof(struct v4l2_input32)))
+        if (copy_in_user(kp, up, sizeof(*up)))
                return -EFAULT;
        return 0;
 }
-static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
+static inline int put_v4l2_input32(struct v4l2_input __user *kp,
+                                   struct v4l2_input32 __user *up)
 {
-        if (copy_to_user(up, kp, sizeof(struct v4l2_input32)))
+        if (copy_in_user(up, kp, sizeof(*up)))
                return -EFAULT;
        return 0;
 }
@@ -644,58 +742,95 @@ struct v4l2_ext_control32 {
        };
 } __attribute__ ((packed));
-/* The following function really belong in v4l2-common, but that causes
+/* Return true if this control is a pointer type. */
-   a circular dependency between modules. We need to think about this, but
+static inline bool ctrl_is_pointer(struct file *file, u32 id)
-   for now this will do. */
-/* Return non-zero if this control is a pointer type. Currently only
-   type STRING is a pointer type. */
-static inline int ctrl_is_pointer(u32 id)
 {
-        switch (id) {
+        struct video_device *vdev = video_devdata(file);
-        case V4L2_CID_RDS_TX_PS_NAME:
+        struct v4l2_fh *fh = NULL;
-        case V4L2_CID_RDS_TX_RADIO_TEXT:
+        struct v4l2_ctrl_handler *hdl = NULL;
-                return 1;
+        struct v4l2_query_ext_ctrl qec = { id };
-        default:
+        const struct v4l2_ioctl_ops *ops = vdev->ioctl_ops;
-                return 0;
+        if (test_bit(V4L2_FL_USES_V4L2_FH, &vdev->flags))
+                fh = file->private_data;
+        if (fh && fh->ctrl_handler)
+                hdl = fh->ctrl_handler;
+        else if (vdev->ctrl_handler)
+                hdl = vdev->ctrl_handler;
+        if (hdl) {
+                struct v4l2_ctrl *ctrl = v4l2_ctrl_find(hdl, id);
+                return ctrl && ctrl->is_ptr;
        }
+        if (!ops || !ops->vidioc_query_ext_ctrl)
+                return false;
+        return !ops->vidioc_query_ext_ctrl(file, fh, &qec) &&
+                (qec.flags & V4L2_CTRL_FLAG_HAS_PAYLOAD);
+}
+static int bufsize_v4l2_ext_controls(struct v4l2_ext_controls32 __user *up,
+                                     u32 *size)
+{
+        u32 count;
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
+            get_user(count, &up->count))
+                return -EFAULT;
+        if (count > V4L2_CID_MAX_CTRLS)
+                return -EINVAL;
+        *size = count * sizeof(struct v4l2_ext_control);
+        return 0;
 }
-static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up)
+static int get_v4l2_ext_controls32(struct file *file,
+                                   struct v4l2_ext_controls __user *kp,
+                                   struct v4l2_ext_controls32 __user *up,
+                                   void __user *aux_buf, u32 aux_space)
 {
        struct v4l2_ext_control32 __user *ucontrols;
        struct v4l2_ext_control __user *kcontrols;
-        int n;
+        u32 count;
+        u32 n;
        compat_caddr_t p;
-        if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_ext_controls32)) ||
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-                get_user(kp->ctrl_class, &up->ctrl_class) ||
+            assign_in_user(&kp->ctrl_class, &up->ctrl_class) ||
-                get_user(kp->count, &up->count) ||
+            get_user(count, &up->count) ||
-                get_user(kp->error_idx, &up->error_idx) ||
+            put_user(count, &kp->count) ||
-                copy_from_user(kp->reserved, up->reserved,
+            assign_in_user(&kp->error_idx, &up->error_idx) ||
-                               sizeof(kp->reserved)))
+            copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
-                        return -EFAULT;
+                return -EFAULT;
-        n = kp->count;
-        if (n == 0) {
+        if (count == 0)
-                kp->controls = NULL;
+                return put_user(NULL, &kp->controls);
-                return 0;
+        if (count > V4L2_CID_MAX_CTRLS)
-        }
+                return -EINVAL;
        if (get_user(p, &up->controls))
                return -EFAULT;
        ucontrols = compat_ptr(p);
-        if (!access_ok(VERIFY_READ, ucontrols,
+        if (!access_ok(VERIFY_READ, ucontrols, count * sizeof(*ucontrols)))
-                        n * sizeof(struct v4l2_ext_control32)))
+                return -EFAULT;
+        if (aux_space < count * sizeof(*kcontrols))
                return -EFAULT;
-        kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control));
+        kcontrols = aux_buf;
-        kp->controls = (__force struct v4l2_ext_control *)kcontrols;
+        if (put_user((__force struct v4l2_ext_control *)kcontrols,
-        while (--n >= 0) {
+                     &kp->controls))
+                return -EFAULT;
+        for (n = 0; n < count; n++) {
                u32 id;
                if (copy_in_user(kcontrols, ucontrols, sizeof(*ucontrols)))
                        return -EFAULT;
                if (get_user(id, &kcontrols->id))
                        return -EFAULT;
-                if (ctrl_is_pointer(id)) {
+                if (ctrl_is_pointer(file, id)) {
                        void __user *s;
                        if (get_user(p, &ucontrols->string))
@@ -710,43 +845,55 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext
        return 0;
 }
-static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up)
+static int put_v4l2_ext_controls32(struct file *file,
+                                   struct v4l2_ext_controls __user *kp,
+                                   struct v4l2_ext_controls32 __user *up)
 {
        struct v4l2_ext_control32 __user *ucontrols;
-        struct v4l2_ext_control __user *kcontrols =
+        struct v4l2_ext_control __user *kcontrols;
-                (__force struct v4l2_ext_control __user *)kp->controls;
+        u32 count;
-        int n = kp->count;
+        u32 n;
        compat_caddr_t p;
-        if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_ext_controls32)) ||
+        if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-                put_user(kp->ctrl_class, &up->ctrl_class) ||
+            assign_in_user(&up->ctrl_class, &kp->ctrl_class) ||
-                put_user(kp->count, &up->count) ||
+            get_user(count, &kp->count) ||
-                put_user(kp->error_idx, &up->error_idx) ||
+            put_user(count, &up->count) ||
-                copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
+            assign_in_user(&up->error_idx, &kp->error_idx) ||
-                        return -EFAULT;
+            copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)) ||
-        if (!kp->count)
+            get_user(kcontrols, &kp->controls))
-                return 0;
+                return -EFAULT;
+        if (!count || count > (U32_MAX/sizeof(*ucontrols)))
+                return 0;
        if (get_user(p, &up->controls))
                return -EFAULT;
        ucontrols = compat_ptr(p);
-        if (!access_ok(VERIFY_WRITE, ucontrols,
+        if (!access_ok(VERIFY_WRITE, ucontrols, count * sizeof(*ucontrols)))
-                        n * sizeof(struct v4l2_ext_control32)))
                return -EFAULT;
-        while (--n >= 0) {
+        for (n = 0; n < count; n++) {
-                unsigned size = sizeof(*ucontrols);
+                unsigned int size = sizeof(*ucontrols);
                u32 id;
-                if (get_user(id, &kcontrols->id))
+                if (get_user(id, &kcontrols->id) ||
+                    put_user(id, &ucontrols->id) ||
+                    assign_in_user(&ucontrols->size, &kcontrols->size) ||
+                    copy_in_user(&ucontrols->reserved2, &kcontrols->reserved2,
+                                 sizeof(ucontrols->reserved2)))
                        return -EFAULT;
-                /* Do not modify the pointer when copying a pointer control.
-                   The contents of the pointer was changed, not the pointer
+                /*
-                   itself. */
+                 * Do not modify the pointer when copying a pointer control.
-                if (ctrl_is_pointer(id))
+                 * The contents of the pointer was changed, not the pointer
+                 * itself.
+                 */
+                if (ctrl_is_pointer(file, id))
                        size -= sizeof(ucontrols->value64);
                if (copy_in_user(ucontrols, kcontrols, size))
                        return -EFAULT;
                ucontrols++;
                kcontrols++;
        }
@@ -766,18 +913,19 @@ struct v4l2_event32 {
        __u32                           reserved[8];
 };
-static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *up)
+static int put_v4l2_event32(struct v4l2_event __user *kp,
+                            struct v4l2_event32 __user *up)
 {
-        if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_event32)) ||
+        if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-                put_user(kp->type, &up->type) ||
+            assign_in_user(&up->type, &kp->type) ||
-                copy_to_user(&up->u, &kp->u, sizeof(kp->u)) ||
+            copy_in_user(&up->u, &kp->u, sizeof(kp->u)) ||
-                put_user(kp->pending, &up->pending) ||
+            assign_in_user(&up->pending, &kp->pending) ||
-                put_user(kp->sequence, &up->sequence) ||
+            assign_in_user(&up->sequence, &kp->sequence) ||
-                put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
+            assign_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) ||
-                put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) ||
+            assign_in_user(&up->timestamp.tv_nsec, &kp->timestamp.tv_nsec) ||
-                put_user(kp->id, &up->id) ||
+            assign_in_user(&up->id, &kp->id) ||
-                copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32)))
+            copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
-                        return -EFAULT;
+                return -EFAULT;
        return 0;
 }
@@ -789,32 +937,35 @@ struct v4l2_edid32 {
        compat_caddr_t edid;
 };
-static int get_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
+static int get_v4l2_edid32(struct v4l2_edid __user *kp,
+                           struct v4l2_edid32 __user *up)
 {
-        u32 tmp;
+        compat_uptr_t tmp;
-        if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_edid32)) ||
+        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-                get_user(kp->pad, &up->pad) ||
+            assign_in_user(&kp->pad, &up->pad) ||
-                get_user(kp->start_block, &up->start_block) ||
+            assign_in_user(&kp->start_block, &up->start_block) ||
-                get_user(kp->blocks, &up->blocks) ||
+            assign_in_user(&kp->blocks, &up->blocks) ||
-                get_user(tmp, &up->edid) ||
+            get_user(tmp, &up->edid) ||
-                copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
+            put_user(compat_ptr(tmp), &kp->edid) ||
-                        return -EFAULT;
+            copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
-        kp->edid = (__force u8 *)compat_ptr(tmp);
+                return -EFAULT;
        return 0;
 }
-static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
+static int put_v4l2_edid32(struct v4l2_edid __user *kp,
+                           struct v4l2_edid32 __user *up)
 {
-        u32 tmp = (u32)((unsigned long)kp->edid);
+        void *edid;
-        if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_edid32)) ||
+        if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-                put_user(kp->pad, &up->pad) ||
+            assign_in_user(&up->pad, &kp->pad) ||
-                put_user(kp->start_block, &up->start_block) ||
+            assign_in_user(&up->start_block, &kp->start_block) ||
-                put_user(kp->blocks, &up->blocks) ||
+            assign_in_user(&up->blocks, &kp->blocks) ||
-                put_user(tmp, &up->edid) ||
+            get_user(edid, &kp->edid) ||
-                copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
+            put_user(ptr_to_compat(edid), &up->edid) ||
-                        return -EFAULT;
+            copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
+                return -EFAULT;
        return 0;
 }
@@ -830,7 +981,7 @@ static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
 #define VIDIOC_ENUMINPUT32      _IOWR('V', 26, struct v4l2_input32)
 #define VIDIOC_G_EDID32         _IOWR('V', 40, struct v4l2_edid32)
 #define VIDIOC_S_EDID32         _IOWR('V', 41, struct v4l2_edid32)
-#define VIDIOC_TRY_FMT32        _IOWR('V', 64, struct v4l2_format32)
+#define VIDIOC_TRY_FMT32        _IOWR('V', 64, struct v4l2_format32)
 #define VIDIOC_G_EXT_CTRLS32    _IOWR('V', 71, struct v4l2_ext_controls32)
 #define VIDIOC_S_EXT_CTRLS32    _IOWR('V', 72, struct v4l2_ext_controls32)
 #define VIDIOC_TRY_EXT_CTRLS32  _IOWR('V', 73, struct v4l2_ext_controls32)
@@ -846,22 +997,23 @@ static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
 #define VIDIOC_G_OUTPUT32       _IOR ('V', 46, s32)
 #define VIDIOC_S_OUTPUT32       _IOWR('V', 47, s32)
+static int alloc_userspace(unsigned int size, u32 aux_space,
+                           void __user **up_native)
+{
+        *up_native = compat_alloc_user_space(size + aux_space);
+        if (!*up_native)
+                return -ENOMEM;
+        if (clear_user(*up_native, size))
+                return -EFAULT;
+        return 0;
+}
 static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
-        union {
-                struct v4l2_format v2f;
-                struct v4l2_buffer v2b;
-                struct v4l2_framebuffer v2fb;
-                struct v4l2_input v2i;
-                struct v4l2_standard v2s;
-                struct v4l2_ext_controls v2ecs;
-                struct v4l2_event v2ev;
-                struct v4l2_create_buffers v2crt;
-                struct v4l2_edid v2edid;
-                unsigned long vx;
-                int vi;
-        } karg;
        void __user *up = compat_ptr(arg);
+        void __user *up_native = NULL;
+        void __user *aux_buf;
+        u32 aux_space;
        int compatible_arg = 1;
        long err = 0;
@@ -900,30 +1052,52 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
        case VIDIOC_STREAMOFF:
        case VIDIOC_S_INPUT:
        case VIDIOC_S_OUTPUT:
-                err = get_user(karg.vi, (s32 __user *)up);
+                err = alloc_userspace(sizeof(unsigned int), 0, &up_native);
+                if (!err && assign_in_user((unsigned int __user *)up_native,
+                                           (compat_uint_t __user *)up))
+                        err = -EFAULT;
                compatible_arg = 0;
                break;
        case VIDIOC_G_INPUT:
        case VIDIOC_G_OUTPUT:
+                err = alloc_userspace(sizeof(unsigned int), 0, &up_native);
                compatible_arg = 0;
                break;
        case VIDIOC_G_EDID:
        case VIDIOC_S_EDID:
-                err = get_v4l2_edid32(&karg.v2edid, up);
+                err = alloc_userspace(sizeof(struct v4l2_edid), 0, &up_native);
+                if (!err)
+                        err = get_v4l2_edid32(up_native, up);
                compatible_arg = 0;
                break;
        case VIDIOC_G_FMT:
        case VIDIOC_S_FMT:
        case VIDIOC_TRY_FMT:
-                err = get_v4l2_format32(&karg.v2f, up);
+                err = bufsize_v4l2_format(up, &aux_space);
+                if (!err)
+                        err = alloc_userspace(sizeof(struct v4l2_format),
+                                              aux_space, &up_native);
+                if (!err) {
+                        aux_buf = up_native + sizeof(struct v4l2_format);
+                        err = get_v4l2_format32(up_native, up,
+                                                aux_buf, aux_space);
+                }
                compatible_arg = 0;
                break;
        case VIDIOC_CREATE_BUFS:
-                err = get_v4l2_create32(&karg.v2crt, up);
+                err = bufsize_v4l2_create(up, &aux_space);
+                if (!err)
+                        err = alloc_userspace(sizeof(struct v4l2_create_buffers),
+                                              aux_space, &up_native);
+                if (!err) {
+                        aux_buf = up_native + sizeof(struct v4l2_create_buffers);
+                        err = get_v4l2_create32(up_native, up,
+                                                aux_buf, aux_space);
+                }
                compatible_arg = 0;
                break;
@@ -931,36 +1105,63 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
        case VIDIOC_QUERYBUF:
        case VIDIOC_QBUF:
        case VIDIOC_DQBUF:
-                err = get_v4l2_buffer32(&karg.v2b, up);
+                err = bufsize_v4l2_buffer(up, &aux_space);
+                if (!err)
+                        err = alloc_userspace(sizeof(struct v4l2_buffer),
+                                              aux_space, &up_native);
+                if (!err) {
+                        aux_buf = up_native + sizeof(struct v4l2_buffer);
+                        err = get_v4l2_buffer32(up_native, up,
+                                                aux_buf, aux_space);
+                }
                compatible_arg = 0;
                break;
        case VIDIOC_S_FBUF:
-                err = get_v4l2_framebuffer32(&karg.v2fb, up);
+                err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
+                                      &up_native);
+                if (!err)
+                        err = get_v4l2_framebuffer32(up_native, up);
                compatible_arg = 0;
                break;
        case VIDIOC_G_FBUF:
+                err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
+                                      &up_native);
                compatible_arg = 0;
                break;
        case VIDIOC_ENUMSTD:
-                err = get_v4l2_standard32(&karg.v2s, up);
+                err = alloc_userspace(sizeof(struct v4l2_standard), 0,
+                                      &up_native);
+                if (!err)
+                        err = get_v4l2_standard32(up_native, up);
                compatible_arg = 0;
                break;
        case VIDIOC_ENUMINPUT:
-                err = get_v4l2_input32(&karg.v2i, up);
+                err = alloc_userspace(sizeof(struct v4l2_input), 0, &up_native);
+                if (!err)
+                        err = get_v4l2_input32(up_native, up);
                compatible_arg = 0;
                break;
        case VIDIOC_G_EXT_CTRLS:
        case VIDIOC_S_EXT_CTRLS:
        case VIDIOC_TRY_EXT_CTRLS:
-                err = get_v4l2_ext_controls32(&karg.v2ecs, up);
+                err = bufsize_v4l2_ext_controls(up, &aux_space);
+                if (!err)
+                        err = alloc_userspace(sizeof(struct v4l2_ext_controls),
+                                              aux_space, &up_native);
+                if (!err) {
+                        aux_buf = up_native + sizeof(struct v4l2_ext_controls);
+                        err = get_v4l2_ext_controls32(file, up_native, up,
+                                                      aux_buf, aux_space);
+                }
                compatible_arg = 0;
                break;
        case VIDIOC_DQEVENT:
+                err = alloc_userspace(sizeof(struct v4l2_event), 0, &up_native);
                compatible_arg = 0;
                break;
        }
@@ -969,22 +1170,26 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
        if (compatible_arg)
                err = native_ioctl(file, cmd, (unsigned long)up);
-        else {
+        else
-                mm_segment_t old_fs = get_fs();
+                err = native_ioctl(file, cmd, (unsigned long)up_native);
-                set_fs(KERNEL_DS);
+        if (err == -ENOTTY)
-                err = native_ioctl(file, cmd, (unsigned long)&karg);
+                return err;
-                set_fs(old_fs);
-        }
-        /* Special case: even after an error we need to put the
+        /*
-           results back for these ioctls since the error_idx will
+         * Special case: even after an error we need to put the
-           contain information on which control failed. */
+         * results back for these ioctls since the error_idx will
+         * contain information on which control failed.
+         */
        switch (cmd) {
        case VIDIOC_G_EXT_CTRLS:
        case VIDIOC_S_EXT_CTRLS:
        case VIDIOC_TRY_EXT_CTRLS:
-                if (put_v4l2_ext_controls32(&karg.v2ecs, up))
+                if (put_v4l2_ext_controls32(file, up_native, up))
+                        err = -EFAULT;
+                break;
+        case VIDIOC_S_EDID:
+                if (put_v4l2_edid32(up_native, up))
                        err = -EFAULT;
                break;
        }
@@ -996,44 +1201,46 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
        case VIDIOC_S_OUTPUT:
        case VIDIOC_G_INPUT:
        case VIDIOC_G_OUTPUT:
-                err = put_user(((s32)karg.vi), (s32 __user *)up);
+                if (assign_in_user((compat_uint_t __user *)up,
+                                   ((unsigned int __user *)up_native)))
+                        err = -EFAULT;
                break;
        case VIDIOC_G_FBUF:
-                err = put_v4l2_framebuffer32(&karg.v2fb, up);
+                err = put_v4l2_framebuffer32(up_native, up);
                break;
        case VIDIOC_DQEVENT:
-                err = put_v4l2_event32(&karg.v2ev, up);
+                err = put_v4l2_event32(up_native, up);
                break;
        case VIDIOC_G_EDID:
-        case VIDIOC_S_EDID:
+                err = put_v4l2_edid32(up_native, up);
-                err = put_v4l2_edid32(&karg.v2edid, up);
                break;
        case VIDIOC_G_FMT:
        case VIDIOC_S_FMT:
        case VIDIOC_TRY_FMT:
-                err = put_v4l2_format32(&karg.v2f, up);
+                err = put_v4l2_format32(up_native, up);
                break;
        case VIDIOC_CREATE_BUFS:
-                err = put_v4l2_create32(&karg.v2crt, up);
+                err = put_v4l2_create32(up_native, up);
                break;
+        case VIDIOC_PREPARE_BUF:
        case VIDIOC_QUERYBUF:
        case VIDIOC_QBUF:
        case VIDIOC_DQBUF:
-                err = put_v4l2_buffer32(&karg.v2b, up);
+                err = put_v4l2_buffer32(up_native, up);
                break;
        case VIDIOC_ENUMSTD:
-                err = put_v4l2_standard32(&karg.v2s, up);
+                err = put_v4l2_standard32(up_native, up);
                break;
        case VIDIOC_ENUMINPUT:
-                err = put_v4l2_input32(&karg.v2i, up);
+                err = put_v4l2_input32(up_native, up);
                break;
        }
        return err;
diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
index 7486af2c8ae4..5e2a7e59f578 100644
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -2783,8 +2783,11 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
        /* Handles IOCTL */
        err = func(file, cmd, parg);
-        if (err == -ENOIOCTLCMD)
+        if (err == -ENOTTY || err == -ENOIOCTLCMD) {
                err = -ENOTTY;
+                goto out;
+        }
        if (err == 0) {
                if (cmd == VIDIOC_DQBUF)
                        trace_v4l2_dqbuf(video_devdata(file)->minor, parg);
diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index 3dc9ed2e0774..0c1a42bf27fd 100644
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -205,6 +205,10 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory,
        struct vb2_buffer *vb;
        int ret;
+        /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */
+        num_buffers = min_t(unsigned int, num_buffers,
+                            VB2_MAX_FRAME - q->num_buffers);
        for (buffer = 0; buffer < num_buffers; ++buffer) {
                /* Allocate videobuf buffer structures */
                vb = kzalloc(q->buf_struct_size, GFP_KERNEL);
@@ -866,9 +870,12 @@ void vb2_buffer_done(struct vb2_buffer *vb, enum vb2_buffer_state state)
        dprintk(4, "done processing on buffer %d, state: %d\n",
                        vb->index, state);
-        /* sync buffers */
+        if (state != VB2_BUF_STATE_QUEUED &&
-        for (plane = 0; plane < vb->num_planes; ++plane)
+            state != VB2_BUF_STATE_REQUEUEING) {
-                call_void_memop(vb, finish, vb->planes[plane].mem_priv);
+                /* sync buffers */
+                for (plane = 0; plane < vb->num_planes; ++plane)
+                        call_void_memop(vb, finish, vb->planes[plane].mem_priv);
+        }
        spin_lock_irqsave(&q->done_lock, flags);
        if (state == VB2_BUF_STATE_QUEUED ||
diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c
index 23886e8fbfd8..df966509ebb2 100644
--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
+++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
@@ -594,6 +594,12 @@ static int vb2_internal_dqbuf(struct vb2_queue *q, struct v4l2_buffer *b,
                        b->flags & V4L2_BUF_FLAG_LAST)
                q->last_buffer_dequeued = true;
+        /*
+         *  After calling the VIDIOC_DQBUF V4L2_BUF_FLAG_DONE must be
+         *  cleared.
+         */
+        b->flags &= ~V4L2_BUF_FLAG_DONE;
        return ret;
 }
diff --git a/drivers/memory/tegra/mc.c b/drivers/memory/tegra/mc.c
index a1ae0cc2b86d..6ab481ee8ece 100644
--- a/drivers/memory/tegra/mc.c
+++ b/drivers/memory/tegra/mc.c
@@ -20,14 +20,6 @@
 #include "mc.h"
 #define MC_INTSTATUS 0x000
-#define  MC_INT_DECERR_MTS (1 << 16)
-#define  MC_INT_SECERR_SEC (1 << 13)
-#define  MC_INT_DECERR_VPR (1 << 12)
-#define  MC_INT_INVALID_APB_ASID_UPDATE (1 << 11)
-#define  MC_INT_INVALID_SMMU_PAGE (1 << 10)
-#define  MC_INT_ARBITRATION_EMEM (1 << 9)
-#define  MC_INT_SECURITY_VIOLATION (1 << 8)
-#define  MC_INT_DECERR_EMEM (1 << 6)
 #define MC_INTMASK 0x004
@@ -248,12 +240,13 @@ static const char *const error_names[8] = {
 static irqreturn_t tegra_mc_irq(int irq, void *data)
 {
        struct tegra_mc *mc = data;
-        unsigned long status, mask;
+        unsigned long status;
        unsigned int bit;
        /* mask all interrupts to avoid flooding */
-        status = mc_readl(mc, MC_INTSTATUS);
+        status = mc_readl(mc, MC_INTSTATUS) & mc->soc->intmask;
-        mask = mc_readl(mc, MC_INTMASK);
+        if (!status)
+                return IRQ_NONE;
        for_each_set_bit(bit, &status, 32) {
                const char *error = status_names[bit] ?: "unknown";
@@ -346,7 +339,6 @@ static int tegra_mc_probe(struct platform_device *pdev)
        const struct of_device_id *match;
        struct resource *res;
        struct tegra_mc *mc;
-        u32 value;
        int err;
        match = of_match_node(tegra_mc_of_match, pdev->dev.of_node);
@@ -414,11 +406,7 @@ static int tegra_mc_probe(struct platform_device *pdev)
        WARN(!mc->soc->client_id_mask, "Missing client ID mask for this SoC\n");
-        value = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR |
+        mc_writel(mc, mc->soc->intmask, MC_INTMASK);
-                MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE |
-                MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM;
-        mc_writel(mc, value, MC_INTMASK);
        return 0;
 }
diff --git a/drivers/memory/tegra/mc.h b/drivers/memory/tegra/mc.h
index ddb16676c3af..24e020b4609b 100644
--- a/drivers/memory/tegra/mc.h
+++ b/drivers/memory/tegra/mc.h
@@ -14,6 +14,15 @@
 #include <soc/tegra/mc.h>
+#define MC_INT_DECERR_MTS (1 << 16)
+#define MC_INT_SECERR_SEC (1 << 13)
+#define MC_INT_DECERR_VPR (1 << 12)
+#define MC_INT_INVALID_APB_ASID_UPDATE (1 << 11)
+#define MC_INT_INVALID_SMMU_PAGE (1 << 10)
+#define MC_INT_ARBITRATION_EMEM (1 << 9)
+#define MC_INT_SECURITY_VIOLATION (1 << 8)
+#define MC_INT_DECERR_EMEM (1 << 6)
 static inline u32 mc_readl(struct tegra_mc *mc, unsigned long offset)
 {
        return readl(mc->regs + offset);
diff --git a/drivers/memory/tegra/tegra114.c b/drivers/memory/tegra/tegra114.c
index ba8fff3d66a6..6d2a5a849d92 100644
--- a/drivers/memory/tegra/tegra114.c
+++ b/drivers/memory/tegra/tegra114.c
@@ -930,4 +930,6 @@ const struct tegra_mc_soc tegra114_mc_soc = {
        .atom_size = 32,
        .client_id_mask = 0x7f,
        .smmu = &tegra114_smmu_soc,
+        .intmask = MC_INT_INVALID_SMMU_PAGE | MC_INT_SECURITY_VIOLATION |
+                   MC_INT_DECERR_EMEM,
 };
diff --git a/drivers/memory/tegra/tegra124.c b/drivers/memory/tegra/tegra124.c
index 21e7255e3d96..234e74f97a4b 100644
--- a/drivers/memory/tegra/tegra124.c
+++ b/drivers/memory/tegra/tegra124.c
@@ -1019,6 +1019,9 @@ const struct tegra_mc_soc tegra124_mc_soc = {
        .smmu = &tegra124_smmu_soc,
        .emem_regs = tegra124_mc_emem_regs,
        .num_emem_regs = ARRAY_SIZE(tegra124_mc_emem_regs),
+        .intmask = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR |
+                   MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE |
+                   MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM,
 };
 #endif /* CONFIG_ARCH_TEGRA_124_SOC */
@@ -1041,5 +1044,8 @@ const struct tegra_mc_soc tegra132_mc_soc = {
        .atom_size = 32,
        .client_id_mask = 0x7f,
        .smmu = &tegra132_smmu_soc,
+        .intmask = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR |
+                   MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE |
+                   MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM,
 };
 #endif /* CONFIG_ARCH_TEGRA_132_SOC */
diff --git a/drivers/memory/tegra/tegra210.c b/drivers/memory/tegra/tegra210.c
index 5e144abe4c18..47c78a6d8f00 100644
--- a/drivers/memory/tegra/tegra210.c
+++ b/drivers/memory/tegra/tegra210.c
@@ -1077,4 +1077,7 @@ const struct tegra_mc_soc tegra210_mc_soc = {
        .atom_size = 64,
        .client_id_mask = 0xff,
        .smmu = &tegra210_smmu_soc,
+        .intmask = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR |
+                   MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE |
+                   MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM,
 };
diff --git a/drivers/memory/tegra/tegra30.c b/drivers/memory/tegra/tegra30.c
index b44737840e70..d0689428ea1a 100644
--- a/drivers/memory/tegra/tegra30.c
+++ b/drivers/memory/tegra/tegra30.c
@@ -952,4 +952,6 @@ const struct tegra_mc_soc tegra30_mc_soc = {
        .atom_size = 16,
        .client_id_mask = 0x7f,
        .smmu = &tegra30_smmu_soc,
+        .intmask = MC_INT_INVALID_SMMU_PAGE | MC_INT_SECURITY_VIOLATION |
+                   MC_INT_DECERR_EMEM,
 };
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
index 5dcc0313c38a..207370d68c17 100644
--- a/drivers/message/fusion/mptbase.c
+++ b/drivers/message/fusion/mptbase.c
@@ -6848,6 +6848,7 @@ mpt_print_ioc_summary(MPT_ADAPTER *ioc, char *buffer, int *size, int len, int sh
        *size = y;
 }
+#ifdef CONFIG_PROC_FS
 static void seq_mpt_print_ioc_summary(MPT_ADAPTER *ioc, struct seq_file *m, int showlan)
 {
        char expVer[32];
@@ -6879,6 +6880,7 @@ static void seq_mpt_print_ioc_summary(MPT_ADAPTER *ioc, struct seq_file *m, int
        seq_putc(m, '\n');
 }
+#endif
 /**
 *      mpt_set_taskmgmt_in_progress_flag - set flags associated with task management
diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c
index 02b5f69e1a42..14cf6dfc3b14 100644
--- a/drivers/message/fusion/mptctl.c
+++ b/drivers/message/fusion/mptctl.c
@@ -2698,6 +2698,8 @@ mptctl_hp_targetinfo(unsigned long arg)
                                __FILE__, __LINE__, iocnum);
                return -ENODEV;
        }
+        if (karg.hdr.id >= MPT_MAX_FC_DEVICES)
+                return -EINVAL;
        dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n",
            ioc->name));
diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
index 7ebccfa8072a..cb790b68920f 100644
--- a/drivers/message/fusion/mptsas.c
+++ b/drivers/message/fusion/mptsas.c
@@ -1994,6 +1994,7 @@ static struct scsi_host_template mptsas_driver_template = {
        .cmd_per_lun                    = 7,
        .use_clustering                 = ENABLE_CLUSTERING,
        .shost_attrs                    = mptscsih_host_attrs,
+        .no_write_same                  = 1,
 };
 static int mptsas_get_linkerrors(struct sas_phy *phy)
diff --git a/drivers/mfd/cros_ec.c b/drivers/mfd/cros_ec.c
index 0eee63542038..115a6f67ab51 100644
--- a/drivers/mfd/cros_ec.c
+++ b/drivers/mfd/cros_ec.c
@@ -68,7 +68,11 @@ int cros_ec_register(struct cros_ec_device *ec_dev)
        mutex_init(&ec_dev->lock);
-        cros_ec_query_all(ec_dev);
+        err = cros_ec_query_all(ec_dev);
+        if (err) {
+                dev_err(dev, "Cannot identify the EC: error %d\n", err);
+                return err;
+        }
        err = mfd_add_devices(ec_dev->dev, PLATFORM_DEVID_AUTO, &ec_cell, 1,
                              NULL, ec_dev->irq, NULL);
diff --git a/drivers/mfd/intel-lpss.c b/drivers/mfd/intel-lpss.c
index fe89e5e337d5..ac867489b5a9 100644
--- a/drivers/mfd/intel-lpss.c
+++ b/drivers/mfd/intel-lpss.c
@@ -269,11 +269,11 @@ static void intel_lpss_init_dev(const struct intel_lpss *lpss)
        intel_lpss_deassert_reset(lpss);
+        intel_lpss_set_remap_addr(lpss);
        if (!intel_lpss_has_idma(lpss))
                return;
-        intel_lpss_set_remap_addr(lpss);
        /* Make sure that SPI multiblock DMA transfers are re-enabled */
        if (lpss->type == LPSS_DEV_SPI)
                writel(value, lpss->priv + LPSS_PRIV_SSP_REG);
diff --git a/drivers/mfd/palmas.c b/drivers/mfd/palmas.c
index 321e734b3d9b..9b6a9630de19 100644
--- a/drivers/mfd/palmas.c
+++ b/drivers/mfd/palmas.c
@@ -437,6 +437,19 @@ static void palmas_power_off(void)
                return;
        node = palmas_dev->dev->of_node;
+        if (of_property_read_bool(node, "ti,palmas-override-powerhold")) {
+                addr = PALMAS_BASE_TO_REG(PALMAS_PU_PD_OD_BASE,
+                                          PALMAS_PRIMARY_SECONDARY_PAD2);
+                slave = PALMAS_BASE_TO_SLAVE(PALMAS_PU_PD_OD_BASE);
+                ret = regmap_update_bits(palmas_dev->regmap[slave], addr,
+                                PALMAS_PRIMARY_SECONDARY_PAD2_GPIO_7_MASK, 0);
+                if (ret)
+                        dev_err(palmas_dev->dev,
+                                "Unable to write PRIMARY_SECONDARY_PAD2 %d\n",
+                                ret);
+        }
        override_powerhold =
                of_property_read_bool(node, "ti,palmas-override-powerhold");
diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c
index cc91f7b3d90c..eb29113e0bac 100644
--- a/drivers/misc/enclosure.c
+++ b/drivers/misc/enclosure.c
@@ -148,7 +148,7 @@ enclosure_register(struct device *dev, const char *name, int components,
        for (i = 0; i < components; i++) {
                edev->component[i].number = -1;
                edev->component[i].slot = -1;
-                edev->component[i].power_status = 1;
+                edev->component[i].power_status = -1;
        }
        mutex_lock(&container_list_lock);
@@ -600,6 +600,11 @@ static ssize_t get_component_power_status(struct device *cdev,
        if (edev->cb->get_power_status)
                edev->cb->get_power_status(edev, ecomp);
+        /* If still uninitialized, the callback failed or does not exist. */
+        if (ecomp->power_status == -1)
+                return (edev->cb->get_power_status) ? -EIO : -ENOTTY;
        return snprintf(buf, 40, "%s\n", ecomp->power_status ? "on" : "off");
 }
diff --git a/drivers/misc/ibmasm/ibmasmfs.c b/drivers/misc/ibmasm/ibmasmfs.c
index e8b933111e0d..92109cadc3fc 100644
--- a/drivers/misc/ibmasm/ibmasmfs.c
+++ b/drivers/misc/ibmasm/ibmasmfs.c
@@ -507,35 +507,14 @@ static int remote_settings_file_close(struct inode *inode, struct file *file)
 static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
 {
        void __iomem *address = (void __iomem *)file->private_data;
-        unsigned char *page;
-        int retval;
        int len = 0;
        unsigned int value;
+        char lbuf[20];
-        if (*offset < 0)
-                return -EINVAL;
-        if (count == 0 || count > 1024)
-                return 0;
-        if (*offset != 0)
-                return 0;
-        page = (unsigned char *)__get_free_page(GFP_KERNEL);
-        if (!page)
-                return -ENOMEM;
        value = readl(address);
-        len = sprintf(page, "%d\n", value);
+        len = snprintf(lbuf, sizeof(lbuf), "%d\n", value);
-        if (copy_to_user(buf, page, len)) {
-                retval = -EFAULT;
-                goto exit;
-        }
-        *offset += len;
-        retval = len;
-exit:
+        return simple_read_from_buffer(buf, count, offset, lbuf, len);
-        free_page((unsigned long)page);
-        return retval;
 }
 static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c
index 4ef189a7a2fb..8c04e342e30a 100644
--- a/drivers/misc/mei/main.c
+++ b/drivers/misc/mei/main.c
@@ -571,7 +571,6 @@ static long mei_ioctl(struct file *file, unsigned int cmd, unsigned long data)
                break;
        default:
-                dev_err(dev->dev, ": unsupported ioctl %d.\n", cmd);
                rets = -ENOIOCTLCMD;
        }
diff --git a/drivers/misc/vmw_balloon.c b/drivers/misc/vmw_balloon.c
index 1e688bfec567..5e047bfc0cc4 100644
--- a/drivers/misc/vmw_balloon.c
+++ b/drivers/misc/vmw_balloon.c
@@ -467,7 +467,7 @@ static int vmballoon_send_batched_lock(struct vmballoon *b,
                unsigned int num_pages, bool is_2m_pages, unsigned int *target)
 {
        unsigned long status;
-        unsigned long pfn = page_to_pfn(b->page);
+        unsigned long pfn = PHYS_PFN(virt_to_phys(b->batch_page));
        STATS_INC(b->stats.lock[is_2m_pages]);
@@ -515,7 +515,7 @@ static bool vmballoon_send_batched_unlock(struct vmballoon *b,
                unsigned int num_pages, bool is_2m_pages, unsigned int *target)
 {
        unsigned long status;
-        unsigned long pfn = page_to_pfn(b->page);
+        unsigned long pfn = PHYS_PFN(virt_to_phys(b->batch_page));
        STATS_INC(b->stats.unlock[is_2m_pages]);
@@ -576,15 +576,9 @@ static void vmballoon_pop(struct vmballoon *b)
                }
        }
-        if (b->batch_page) {
+        /* Clearing the batch_page unconditionally has no adverse effect */
-                vunmap(b->batch_page);
+        free_page((unsigned long)b->batch_page);
-                b->batch_page = NULL;
+        b->batch_page = NULL;
-        }
-        if (b->page) {
-                __free_page(b->page);
-                b->page = NULL;
-        }
 }
 /*
@@ -991,16 +985,13 @@ static const struct vmballoon_ops vmballoon_batched_ops = {
 static bool vmballoon_init_batching(struct vmballoon *b)
 {
-        b->page = alloc_page(VMW_PAGE_ALLOC_NOSLEEP);
+        struct page *page;
-        if (!b->page)
-                return false;
-        b->batch_page = vmap(&b->page, 1, VM_MAP, PAGE_KERNEL);
+        page = alloc_page(GFP_KERNEL | __GFP_ZERO);
-        if (!b->batch_page) {
+        if (!page)
-                __free_page(b->page);
                return false;
-        }
+        b->batch_page = page_address(page);
        return true;
 }
diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
index f42d9c4e4561..cc277f7849b0 100644
--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
+++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
@@ -298,8 +298,11 @@ static void *qp_alloc_queue(u64 size, u32 flags)
        size_t pas_size;
        size_t vas_size;
        size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if);
-        const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
+        u64 num_pages;
+        if (size > SIZE_MAX - PAGE_SIZE)
+                return NULL;
+        num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
        if (num_pages >
                 (SIZE_MAX - queue_size) /
                 (sizeof(*queue->kernel_if->u.g.pas) +
@@ -624,9 +627,12 @@ static struct vmci_queue *qp_host_alloc_queue(u64 size)
 {
        struct vmci_queue *queue;
        size_t queue_page_size;
-        const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
+        u64 num_pages;
        const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if));
+        if (size > SIZE_MAX - PAGE_SIZE)
+                return NULL;
+        num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
        if (num_pages > (SIZE_MAX - queue_size) /
                 sizeof(*queue->kernel_if->u.h.page))
                return NULL;
diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c
index 5f7d10ba498a..299a83f1ad38 100644
--- a/drivers/mmc/core/core.c
+++ b/drivers/mmc/core/core.c
@@ -2791,6 +2791,14 @@ int mmc_pm_notify(struct notifier_block *notify_block,
                if (!err)
                        break;
+                if (!mmc_card_is_removable(host)) {
+                        dev_warn(mmc_dev(host),
+                                 "pre_suspend failed for non-removable host: "
+                                 "%d\n", err);
+                        /* Avoid removing non-removable hosts */
+                        break;
+                }
                /* Calling bus_ops->remove() with a claimed host can deadlock */
                host->bus_ops->remove(host);
                mmc_claim_host(host);
diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
index fb204ee6ff89..581f5d0271f4 100644
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -619,6 +619,7 @@ static int dw_mci_idmac_init(struct dw_mci *host)
                                        (sizeof(struct idmac_desc_64addr) *
                                                        (i + 1))) >> 32;
                        /* Initialize reserved and buffer size fields to "0" */
+                        p->des0 = 0;
                        p->des1 = 0;
                        p->des2 = 0;
                        p->des3 = 0;
@@ -640,6 +641,7 @@ static int dw_mci_idmac_init(struct dw_mci *host)
                     i++, p++) {
                        p->des3 = cpu_to_le32(host->sg_dma +
                                        (sizeof(struct idmac_desc) * (i + 1)));
+                        p->des0 = 0;
                        p->des1 = 0;
                }
@@ -2807,8 +2809,8 @@ static bool dw_mci_reset(struct dw_mci *host)
        }
        if (host->use_dma == TRANS_MODE_IDMAC)
-                /* It is also recommended that we reset and reprogram idmac */
+                /* It is also required that we reinit idmac */
-                dw_mci_idmac_reset(host);
+                dw_mci_idmac_init(host);
        ret = true;
diff --git a/drivers/mmc/host/jz4740_mmc.c b/drivers/mmc/host/jz4740_mmc.c
index 76e8bce6f46e..ad572a0f2124 100644
--- a/drivers/mmc/host/jz4740_mmc.c
+++ b/drivers/mmc/host/jz4740_mmc.c
@@ -368,9 +368,9 @@ static void jz4740_mmc_set_irq_enabled(struct jz4740_mmc_host *host,
                host->irq_mask &= ~irq;
        else
                host->irq_mask |= irq;
-        spin_unlock_irqrestore(&host->lock, flags);
        writew(host->irq_mask, host->base + JZ_REG_MMC_IMASK);
+        spin_unlock_irqrestore(&host->lock, flags);
 }
 static void jz4740_mmc_clock_enable(struct jz4740_mmc_host *host,
diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
index 7bc146efb389..fac21ee6fd6d 100644
--- a/drivers/mmc/host/omap_hsmmc.c
+++ b/drivers/mmc/host/omap_hsmmc.c
@@ -2102,8 +2102,8 @@ static int omap_hsmmc_configure_wake_irq(struct omap_hsmmc_host *host)
         */
        if (host->pdata->controller_flags & OMAP_HSMMC_SWAKEUP_MISSING) {
                struct pinctrl *p = devm_pinctrl_get(host->dev);
-                if (!p) {
+                if (IS_ERR(p)) {
-                        ret = -ENODEV;
+                        ret = PTR_ERR(p);
                        goto err_free_irq;
                }
                if (IS_ERR(pinctrl_lookup_state(p, PINCTRL_STATE_DEFAULT))) {
diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c
index f280744578e4..ffd448149796 100644
--- a/drivers/mmc/host/sdhci-iproc.c
+++ b/drivers/mmc/host/sdhci-iproc.c
@@ -32,6 +32,8 @@ struct sdhci_iproc_host {
        const struct sdhci_iproc_data *data;
        u32 shadow_cmd;
        u32 shadow_blk;
+        bool is_cmd_shadowed;
+        bool is_blk_shadowed;
 };
 #define REG_OFFSET_IN_BITS(reg) ((reg) << 3 & 0x18)
@@ -47,8 +49,22 @@ static inline u32 sdhci_iproc_readl(struct sdhci_host *host, int reg)
 static u16 sdhci_iproc_readw(struct sdhci_host *host, int reg)
 {
-        u32 val = sdhci_iproc_readl(host, (reg & ~3));
+        struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
-        u16 word = val >> REG_OFFSET_IN_BITS(reg) & 0xffff;
+        struct sdhci_iproc_host *iproc_host = sdhci_pltfm_priv(pltfm_host);
+        u32 val;
+        u16 word;
+        if ((reg == SDHCI_TRANSFER_MODE) && iproc_host->is_cmd_shadowed) {
+                /* Get the saved transfer mode */
+                val = iproc_host->shadow_cmd;
+        } else if ((reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) &&
+                   iproc_host->is_blk_shadowed) {
+                /* Get the saved block info */
+                val = iproc_host->shadow_blk;
+        } else {
+                val = sdhci_iproc_readl(host, (reg & ~3));
+        }
+        word = val >> REG_OFFSET_IN_BITS(reg) & 0xffff;
        return word;
 }
@@ -104,13 +120,15 @@ static void sdhci_iproc_writew(struct sdhci_host *host, u16 val, int reg)
        if (reg == SDHCI_COMMAND) {
                /* Write the block now as we are issuing a command */
-                if (iproc_host->shadow_blk != 0) {
+                if (iproc_host->is_blk_shadowed) {
                        sdhci_iproc_writel(host, iproc_host->shadow_blk,
                                SDHCI_BLOCK_SIZE);
-                        iproc_host->shadow_blk = 0;
+                        iproc_host->is_blk_shadowed = false;
                }
                oldval = iproc_host->shadow_cmd;
-        } else if (reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) {
+                iproc_host->is_cmd_shadowed = false;
+        } else if ((reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) &&
+                   iproc_host->is_blk_shadowed) {
                /* Block size and count are stored in shadow reg */
                oldval = iproc_host->shadow_blk;
        } else {
@@ -122,9 +140,11 @@ static void sdhci_iproc_writew(struct sdhci_host *host, u16 val, int reg)
        if (reg == SDHCI_TRANSFER_MODE) {
                /* Save the transfer mode until the command is issued */
                iproc_host->shadow_cmd = newval;
+                iproc_host->is_cmd_shadowed = true;
        } else if (reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) {
                /* Save the block info until the command is issued */
                iproc_host->shadow_blk = newval;
+                iproc_host->is_blk_shadowed = true;
        } else {
                /* Command or other regular 32-bit write */
                sdhci_iproc_writel(host, newval, reg & ~3);
diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
index 90e94a028a49..ac66c61d9433 100644
--- a/drivers/mmc/host/sdhci-of-esdhc.c
+++ b/drivers/mmc/host/sdhci-of-esdhc.c
@@ -418,6 +418,20 @@ static void esdhc_of_set_clock(struct sdhci_host *host, unsigned int clock)
        if (esdhc->vendor_ver < VENDOR_V_23)
                pre_div = 2;
+        /*
+         * Limit SD clock to 167MHz for ls1046a according to its datasheet
+         */
+        if (clock > 167000000 &&
+            of_find_compatible_node(NULL, NULL, "fsl,ls1046a-esdhc"))
+                clock = 167000000;
+        /*
+         * Limit SD clock to 125MHz for ls1012a according to its datasheet
+         */
+        if (clock > 125000000 &&
+            of_find_compatible_node(NULL, NULL, "fsl,ls1012a-esdhc"))
+                clock = 125000000;
        /* Workaround to reduce the clock frequency for p1010 esdhc */
        if (of_find_compatible_node(NULL, NULL, "fsl,p1010-esdhc")) {
                if (clock > 20000000)
@@ -584,6 +598,8 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
 {
        struct sdhci_host *host;
        struct device_node *np;
+        struct sdhci_pltfm_host *pltfm_host;
+        struct sdhci_esdhc *esdhc;
        int ret;
        np = pdev->dev.of_node;
@@ -600,6 +616,14 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
        sdhci_get_of_property(pdev);
+        pltfm_host = sdhci_priv(host);
+        esdhc = pltfm_host->priv;
+        if (esdhc->vendor_ver == VENDOR_V_22)
+                host->quirks2 |= SDHCI_QUIRK2_HOST_NO_CMD23;
+        if (esdhc->vendor_ver > VENDOR_V_22)
+                host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
        if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
            of_device_is_compatible(np, "fsl,p5020-esdhc") ||
            of_device_is_compatible(np, "fsl,p4080-esdhc") ||
diff --git a/drivers/mtd/chips/Kconfig b/drivers/mtd/chips/Kconfig
index 8a25adced79f..bbfa1f129266 100644
--- a/drivers/mtd/chips/Kconfig
+++ b/drivers/mtd/chips/Kconfig
@@ -67,6 +67,10 @@ endchoice
 config MTD_CFI_GEOMETRY
        bool "Specific CFI Flash geometry selection"
        depends on MTD_CFI_ADV_OPTIONS
+        select MTD_MAP_BANK_WIDTH_1 if  !(MTD_MAP_BANK_WIDTH_2 || \
+                 MTD_MAP_BANK_WIDTH_4  || MTD_MAP_BANK_WIDTH_8 || \
+                 MTD_MAP_BANK_WIDTH_16 || MTD_MAP_BANK_WIDTH_32)
+        select MTD_CFI_I1 if !(MTD_CFI_I2 || MTD_CFI_I4 || MTD_CFI_I8)
        help
          This option does not affect the code directly, but will enable
          some other configuration options which would allow you to reduce
diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c
index 286b97a304cf..4509ee0b294a 100644
--- a/drivers/mtd/chips/cfi_cmdset_0001.c
+++ b/drivers/mtd/chips/cfi_cmdset_0001.c
@@ -45,6 +45,7 @@
 #define I82802AB        0x00ad
 #define I82802AC        0x00ac
 #define PF38F4476       0x881c
+#define M28F00AP30      0x8963
 /* STMicroelectronics chips */
 #define M50LPW080       0x002F
 #define M50FLW080A      0x0080
@@ -375,6 +376,17 @@ static void cfi_fixup_major_minor(struct cfi_private *cfi,
                extp->MinorVersion = '1';
 }
+static int cfi_is_micron_28F00AP30(struct cfi_private *cfi, struct flchip *chip)
+{
+        /*
+         * Micron(was Numonyx) 1Gbit bottom boot are buggy w.r.t
+         * Erase Supend for their small Erase Blocks(0x8000)
+         */
+        if (cfi->mfr == CFI_MFR_INTEL && cfi->id == M28F00AP30)
+                return 1;
+        return 0;
+}
 static inline struct cfi_pri_intelext *
 read_pri_intelext(struct map_info *map, __u16 adr)
 {
@@ -825,21 +837,30 @@ static int chip_ready (struct map_info *map, struct flchip *chip, unsigned long
                     (mode == FL_WRITING && (cfip->SuspendCmdSupport & 1))))
                        goto sleep;
+                /* Do not allow suspend iff read/write to EB address */
+                if ((adr & chip->in_progress_block_mask) ==
+                    chip->in_progress_block_addr)
+                        goto sleep;
+                /* do not suspend small EBs, buggy Micron Chips */
+                if (cfi_is_micron_28F00AP30(cfi, chip) &&
+                    (chip->in_progress_block_mask == ~(0x8000-1)))
+                        goto sleep;
                /* Erase suspend */
-                map_write(map, CMD(0xB0), adr);
+                map_write(map, CMD(0xB0), chip->in_progress_block_addr);
                /* If the flash has finished erasing, then 'erase suspend'
                 * appears to make some (28F320) flash devices switch to
                 * 'read' mode.  Make sure that we switch to 'read status'
                 * mode so we get the right data. --rmk
                 */
-                map_write(map, CMD(0x70), adr);
+                map_write(map, CMD(0x70), chip->in_progress_block_addr);
                chip->oldstate = FL_ERASING;
                chip->state = FL_ERASE_SUSPENDING;
                chip->erase_suspended = 1;
                for (;;) {
-                        status = map_read(map, adr);
+                        status = map_read(map, chip->in_progress_block_addr);
                        if (map_word_andequal(map, status, status_OK, status_OK))
                                break;
@@ -1035,8 +1056,8 @@ static void put_chip(struct map_info *map, struct flchip *chip, unsigned long ad
                   sending the 0x70 (Read Status) command to an erasing
                   chip and expecting it to be ignored, that's what we
                   do. */
-                map_write(map, CMD(0xd0), adr);
+                map_write(map, CMD(0xd0), chip->in_progress_block_addr);
-                map_write(map, CMD(0x70), adr);
+                map_write(map, CMD(0x70), chip->in_progress_block_addr);
                chip->oldstate = FL_READY;
                chip->state = FL_ERASING;
                break;
@@ -1927,6 +1948,8 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
        map_write(map, CMD(0xD0), adr);
        chip->state = FL_ERASING;
        chip->erase_suspended = 0;
+        chip->in_progress_block_addr = adr;
+        chip->in_progress_block_mask = ~(len - 1);
        ret = INVAL_CACHE_AND_WAIT(map, chip, adr,
                                   adr, len,
diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
index c3624eb571d1..fb5a3052f144 100644
--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -42,7 +42,7 @@
 #define AMD_BOOTLOC_BUG
 #define FORCE_WORD_WRITE 0
-#define MAX_WORD_RETRIES 3
+#define MAX_RETRIES 3
 #define SST49LF004B             0x0060
 #define SST49LF040B             0x0050
@@ -814,9 +814,10 @@ static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr
                    (mode == FL_WRITING && (cfip->EraseSuspend & 0x2))))
                        goto sleep;
-                /* We could check to see if we're trying to access the sector
+                /* Do not allow suspend iff read/write to EB address */
-                 * that is currently being erased. However, no user will try
+                if ((adr & chip->in_progress_block_mask) ==
-                 * anything like that so we just wait for the timeout. */
+                    chip->in_progress_block_addr)
+                        goto sleep;
                /* Erase suspend */
                /* It's harmless to issue the Erase-Suspend and Erase-Resume
@@ -1644,7 +1645,7 @@ static int __xipram do_write_oneword(struct map_info *map, struct flchip *chip,
                map_write( map, CMD(0xF0), chip->start );
                /* FIXME - should have reset delay before continuing */
-                if (++retry_cnt <= MAX_WORD_RETRIES)
+                if (++retry_cnt <= MAX_RETRIES)
                        goto retry;
                ret = -EIO;
@@ -1877,7 +1878,7 @@ static int __xipram do_write_buffer(struct map_info *map, struct flchip *chip,
                if (time_after(jiffies, timeo) && !chip_ready(map, adr))
                        break;
-                if (chip_ready(map, adr)) {
+                if (chip_good(map, adr, datum)) {
                        xip_enable(map, chip, adr);
                        goto op_done;
                }
@@ -2103,7 +2104,7 @@ retry:
                map_write(map, CMD(0xF0), chip->start);
                /* FIXME - should have reset delay before continuing */
-                if (++retry_cnt <= MAX_WORD_RETRIES)
+                if (++retry_cnt <= MAX_RETRIES)
                        goto retry;
                ret = -EIO;
@@ -2238,6 +2239,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
        unsigned long int adr;
        DECLARE_WAITQUEUE(wait, current);
        int ret = 0;
+        int retry_cnt = 0;
        adr = cfi->addr_unlock1;
@@ -2255,6 +2257,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
        ENABLE_VPP(map);
        xip_disable(map, chip, adr);
+ retry:
        cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
        cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
        cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
@@ -2265,6 +2268,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
        chip->state = FL_ERASING;
        chip->erase_suspended = 0;
        chip->in_progress_block_addr = adr;
+        chip->in_progress_block_mask = ~(map->size - 1);
        INVALIDATE_CACHE_UDELAY(map, chip,
                                adr, map->size,
@@ -2290,12 +2294,13 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
                        chip->erase_suspended = 0;
                }
-                if (chip_ready(map, adr))
+                if (chip_good(map, adr, map_word_ff(map)))
                        break;
                if (time_after(jiffies, timeo)) {
                        printk(KERN_WARNING "MTD %s(): software timeout\n",
                                __func__ );
+                        ret = -EIO;
                        break;
                }
@@ -2303,12 +2308,15 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
                UDELAY(map, chip, adr, 1000000/HZ);
        }
        /* Did we succeed? */
-        if (!chip_good(map, adr, map_word_ff(map))) {
+        if (ret) {
                /* reset on all failures. */
                map_write( map, CMD(0xF0), chip->start );
                /* FIXME - should have reset delay before continuing */
-                ret = -EIO;
+                if (++retry_cnt <= MAX_RETRIES) {
+                        ret = 0;
+                        goto retry;
+                }
        }
        chip->state = FL_READY;
@@ -2327,6 +2335,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
        unsigned long timeo = jiffies + HZ;
        DECLARE_WAITQUEUE(wait, current);
        int ret = 0;
+        int retry_cnt = 0;
        adr += chip->start;
@@ -2344,6 +2353,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
        ENABLE_VPP(map);
        xip_disable(map, chip, adr);
+ retry:
        cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
        cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
        cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
@@ -2354,6 +2364,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
        chip->state = FL_ERASING;
        chip->erase_suspended = 0;
        chip->in_progress_block_addr = adr;
+        chip->in_progress_block_mask = ~(len - 1);
        INVALIDATE_CACHE_UDELAY(map, chip,
                                adr, len,
@@ -2379,7 +2390,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
                        chip->erase_suspended = 0;
                }
-                if (chip_ready(map, adr)) {
+                if (chip_good(map, adr, map_word_ff(map))) {
                        xip_enable(map, chip, adr);
                        break;
                }
@@ -2388,6 +2399,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
                        xip_enable(map, chip, adr);
                        printk(KERN_WARNING "MTD %s(): software timeout\n",
                                __func__ );
+                        ret = -EIO;
                        break;
                }
@@ -2395,12 +2407,15 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
                UDELAY(map, chip, adr, 1000000/HZ);
        }
        /* Did we succeed? */
-        if (!chip_good(map, adr, map_word_ff(map))) {
+        if (ret) {
                /* reset on all failures. */
                map_write( map, CMD(0xF0), chip->start );
                /* FIXME - should have reset delay before continuing */
-                ret = -EIO;
+                if (++retry_cnt <= MAX_RETRIES) {
+                        ret = 0;
+                        goto retry;
+                }
        }
        chip->state = FL_READY;
@@ -2530,7 +2545,7 @@ static int cfi_atmel_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
 struct ppb_lock {
        struct flchip *chip;
-        loff_t offset;
+        unsigned long adr;
        int locked;
 };
@@ -2548,8 +2563,9 @@ static int __maybe_unused do_ppb_xxlock(struct map_info *map,
        unsigned long timeo;
        int ret;
+        adr += chip->start;
        mutex_lock(&chip->mutex);
-        ret = get_chip(map, chip, adr + chip->start, FL_LOCKING);
+        ret = get_chip(map, chip, adr, FL_LOCKING);
        if (ret) {
                mutex_unlock(&chip->mutex);
                return ret;
@@ -2567,8 +2583,8 @@ static int __maybe_unused do_ppb_xxlock(struct map_info *map,
        if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) {
                chip->state = FL_LOCKING;
-                map_write(map, CMD(0xA0), chip->start + adr);
+                map_write(map, CMD(0xA0), adr);
-                map_write(map, CMD(0x00), chip->start + adr);
+                map_write(map, CMD(0x00), adr);
        } else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) {
                /*
                 * Unlocking of one specific sector is not supported, so we
@@ -2606,7 +2622,7 @@ static int __maybe_unused do_ppb_xxlock(struct map_info *map,
        map_write(map, CMD(0x00), chip->start);
        chip->state = FL_READY;
-        put_chip(map, chip, adr + chip->start);
+        put_chip(map, chip, adr);
        mutex_unlock(&chip->mutex);
        return ret;
@@ -2663,9 +2679,9 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs,
                 * sectors shall be unlocked, so lets keep their locking
                 * status at "unlocked" (locked=0) for the final re-locking.
                 */
-                if ((adr < ofs) || (adr >= (ofs + len))) {
+                if ((offset < ofs) || (offset >= (ofs + len))) {
                        sect[sectors].chip = &cfi->chips[chipnum];
-                        sect[sectors].offset = offset;
+                        sect[sectors].adr = adr;
                        sect[sectors].locked = do_ppb_xxlock(
                                map, &cfi->chips[chipnum], adr, 0,
                                DO_XXLOCK_ONEBLOCK_GETLOCK);
@@ -2679,6 +2695,8 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs,
                        i++;
                if (adr >> cfi->chipshift) {
+                        if (offset >= (ofs + len))
+                                break;
                        adr = 0;
                        chipnum++;
@@ -2709,7 +2727,7 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs,
         */
        for (i = 0; i < sectors; i++) {
                if (sect[i].locked)
-                        do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0,
+                        do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0,
                                      DO_XXLOCK_ONEBLOCK_LOCK);
        }
diff --git a/drivers/mtd/chips/jedec_probe.c b/drivers/mtd/chips/jedec_probe.c
index 7c0b27d132b1..b479bd81120b 100644
--- a/drivers/mtd/chips/jedec_probe.c
+++ b/drivers/mtd/chips/jedec_probe.c
@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct map_info *map, uint32_t base,
        do {
                uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
                mask = (1 << (cfi->device_type * 8)) - 1;
+                if (ofs >= map->size)
+                        return 0;
                result = map_read(map, base + ofs);
                bank++;
        } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
diff --git a/drivers/mtd/maps/ck804xrom.c b/drivers/mtd/maps/ck804xrom.c
index 0455166f05fa..4f206a99164c 100644
--- a/drivers/mtd/maps/ck804xrom.c
+++ b/drivers/mtd/maps/ck804xrom.c
@@ -112,8 +112,8 @@ static void ck804xrom_cleanup(struct ck804xrom_window *window)
 }
-static int ck804xrom_init_one(struct pci_dev *pdev,
+static int __init ck804xrom_init_one(struct pci_dev *pdev,
-                              const struct pci_device_id *ent)
+                                     const struct pci_device_id *ent)
 {
        static char *rom_probe_types[] = { "cfi_probe", "jedec_probe", NULL };
        u8 byte;
diff --git a/drivers/mtd/maps/esb2rom.c b/drivers/mtd/maps/esb2rom.c
index 76ed651b515b..9646b0766ce0 100644
--- a/drivers/mtd/maps/esb2rom.c
+++ b/drivers/mtd/maps/esb2rom.c
@@ -144,8 +144,8 @@ static void esb2rom_cleanup(struct esb2rom_window *window)
        pci_dev_put(window->pdev);
 }
-static int esb2rom_init_one(struct pci_dev *pdev,
+static int __init esb2rom_init_one(struct pci_dev *pdev,
-                            const struct pci_device_id *ent)
+                                   const struct pci_device_id *ent)
 {
        static char *rom_probe_types[] = { "cfi_probe", "jedec_probe", NULL };
        struct esb2rom_window *window = &esb2rom_window;
diff --git a/drivers/mtd/maps/ichxrom.c b/drivers/mtd/maps/ichxrom.c
index 8636bba42200..976d42f63aef 100644
--- a/drivers/mtd/maps/ichxrom.c
+++ b/drivers/mtd/maps/ichxrom.c
@@ -57,10 +57,12 @@ static void ichxrom_cleanup(struct ichxrom_window *window)
 {
        struct ichxrom_map_info *map, *scratch;
        u16 word;
+        int ret;
        /* Disable writes through the rom window */
-        pci_read_config_word(window->pdev, BIOS_CNTL, &word);
+        ret = pci_read_config_word(window->pdev, BIOS_CNTL, &word);
-        pci_write_config_word(window->pdev, BIOS_CNTL, word & ~1);
+        if (!ret)
+                pci_write_config_word(window->pdev, BIOS_CNTL, word & ~1);
        pci_dev_put(window->pdev);
        /* Free all of the mtd devices */
@@ -84,8 +86,8 @@ static void ichxrom_cleanup(struct ichxrom_window *window)
 }
-static int ichxrom_init_one(struct pci_dev *pdev,
+static int __init ichxrom_init_one(struct pci_dev *pdev,
-                            const struct pci_device_id *ent)
+                                   const struct pci_device_id *ent)
 {
        static char *rom_probe_types[] = { "cfi_probe", "jedec_probe", NULL };
        struct ichxrom_window *window = &ichxrom_window;
diff --git a/drivers/mtd/nand/brcmnand/brcmnand.c b/drivers/mtd/nand/brcmnand/brcmnand.c
index 4a07ba1195b5..d125d19a35e4 100644
--- a/drivers/mtd/nand/brcmnand/brcmnand.c
+++ b/drivers/mtd/nand/brcmnand/brcmnand.c
@@ -1922,16 +1922,9 @@ static int brcmnand_setup_dev(struct brcmnand_host *host)
        tmp &= ~ACC_CONTROL_PARTIAL_PAGE;
        tmp &= ~ACC_CONTROL_RD_ERASED;
        tmp &= ~ACC_CONTROL_FAST_PGM_RDIN;
-        if (ctrl->features & BRCMNAND_HAS_PREFETCH) {
+        if (ctrl->features & BRCMNAND_HAS_PREFETCH)
-                /*
+                tmp &= ~ACC_CONTROL_PREFETCH;
-                 * FIXME: Flash DMA + prefetch may see spurious erased-page ECC
-                 * errors
-                 */
-                if (has_flash_dma(ctrl))
-                        tmp &= ~ACC_CONTROL_PREFETCH;
-                else
-                        tmp |= ACC_CONTROL_PREFETCH;
-        }
        nand_writereg(ctrl, offs, tmp);
        return 0;
diff --git a/drivers/mtd/nand/denali_pci.c b/drivers/mtd/nand/denali_pci.c
index de31514df282..d38527e0a2f2 100644
--- a/drivers/mtd/nand/denali_pci.c
+++ b/drivers/mtd/nand/denali_pci.c
@@ -119,3 +119,7 @@ static struct pci_driver denali_pci_driver = {
 };
 module_pci_driver(denali_pci_driver);
+MODULE_DESCRIPTION("PCI driver for Denali NAND controller");
+MODULE_AUTHOR("Intel Corporation and its suppliers");
+MODULE_LICENSE("GPL v2");
diff --git a/drivers/mtd/nand/fsl_ifc_nand.c b/drivers/mtd/nand/fsl_ifc_nand.c
index 7f4ac8c19001..2c0bbaed3609 100644
--- a/drivers/mtd/nand/fsl_ifc_nand.c
+++ b/drivers/mtd/nand/fsl_ifc_nand.c
@@ -449,9 +449,16 @@ static void fsl_ifc_cmdfunc(struct mtd_info *mtd, unsigned int command,
        case NAND_CMD_READID:
        case NAND_CMD_PARAM: {
+                /*
+                 * For READID, read 8 bytes that are currently used.
+                 * For PARAM, read all 3 copies of 256-bytes pages.
+                 */
+                int len = 8;
                int timing = IFC_FIR_OP_RB;
-                if (command == NAND_CMD_PARAM)
+                if (command == NAND_CMD_PARAM) {
                        timing = IFC_FIR_OP_RBCD;
+                        len = 256 * 3;
+                }
                ifc_out32((IFC_FIR_OP_CW0 << IFC_NAND_FIR0_OP0_SHIFT) |
                          (IFC_FIR_OP_UA  << IFC_NAND_FIR0_OP1_SHIFT) |
@@ -461,12 +468,8 @@ static void fsl_ifc_cmdfunc(struct mtd_info *mtd, unsigned int command,
                          &ifc->ifc_nand.nand_fcr0);
                ifc_out32(column, &ifc->ifc_nand.row3);
-                /*
+                ifc_out32(len, &ifc->ifc_nand.nand_fbcr);
-                 * although currently it's 8 bytes for READID, we always read
+                ifc_nand_ctrl->read_bytes = len;
-                 * the maximum 256 bytes(for PARAM)
-                 */
-                ifc_out32(256, &ifc->ifc_nand.nand_fbcr);
-                ifc_nand_ctrl->read_bytes = 256;
                set_addr(mtd, 0, 0, 0);
                fsl_ifc_run_command(mtd);
@@ -726,6 +729,7 @@ static int fsl_ifc_wait(struct mtd_info *mtd, struct nand_chip *chip)
        struct fsl_ifc_ctrl *ctrl = priv->ctrl;
        struct fsl_ifc_regs __iomem *ifc = ctrl->regs;
        u32 nand_fsr;
+        int status;
        /* Use READ_STATUS command, but wait for the device to be ready */
        ifc_out32((IFC_FIR_OP_CW0 << IFC_NAND_FIR0_OP0_SHIFT) |
@@ -740,12 +744,12 @@ static int fsl_ifc_wait(struct mtd_info *mtd, struct nand_chip *chip)
        fsl_ifc_run_command(mtd);
        nand_fsr = ifc_in32(&ifc->ifc_nand.nand_fsr);
+        status = nand_fsr >> 24;
        /*
         * The chip always seems to report that it is
         * write-protected, even when it is not.
         */
-        return nand_fsr | NAND_STATUS_WP;
+        return status | NAND_STATUS_WP;
 }
 static int fsl_ifc_read_page(struct mtd_info *mtd, struct nand_chip *chip,
diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
index 2064adac1d17..40a335c6b792 100644
--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
@@ -1029,24 +1029,97 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, struct nand_chip *chip,
                return ret;
        }
-        /* handle the block mark swapping */
-        block_mark_swapping(this, payload_virt, auxiliary_virt);
        /* Loop over status bytes, accumulating ECC status. */
        status = auxiliary_virt + nfc_geo->auxiliary_status_offset;
+        read_page_swap_end(this, buf, nfc_geo->payload_size,
+                           this->payload_virt, this->payload_phys,
+                           nfc_geo->payload_size,
+                           payload_virt, payload_phys);
        for (i = 0; i < nfc_geo->ecc_chunk_count; i++, status++) {
                if ((*status == STATUS_GOOD) || (*status == STATUS_ERASED))
                        continue;
                if (*status == STATUS_UNCORRECTABLE) {
+                        int eccbits = nfc_geo->ecc_strength * nfc_geo->gf_len;
+                        u8 *eccbuf = this->raw_buffer;
+                        int offset, bitoffset;
+                        int eccbytes;
+                        int flips;
+                        /* Read ECC bytes into our internal raw_buffer */
+                        offset = nfc_geo->metadata_size * 8;
+                        offset += ((8 * nfc_geo->ecc_chunk_size) + eccbits) * (i + 1);
+                        offset -= eccbits;
+                        bitoffset = offset % 8;
+                        eccbytes = DIV_ROUND_UP(offset + eccbits, 8);
+                        offset /= 8;
+                        eccbytes -= offset;
+                        chip->cmdfunc(mtd, NAND_CMD_RNDOUT, offset, -1);
+                        chip->read_buf(mtd, eccbuf, eccbytes);
+                        /*
+                         * ECC data are not byte aligned and we may have
+                         * in-band data in the first and last byte of
+                         * eccbuf. Set non-eccbits to one so that
+                         * nand_check_erased_ecc_chunk() does not count them
+                         * as bitflips.
+                         */
+                        if (bitoffset)
+                                eccbuf[0] |= GENMASK(bitoffset - 1, 0);
+                        bitoffset = (bitoffset + eccbits) % 8;
+                        if (bitoffset)
+                                eccbuf[eccbytes - 1] |= GENMASK(7, bitoffset);
+                        /*
+                         * The ECC hardware has an uncorrectable ECC status
+                         * code in case we have bitflips in an erased page. As
+                         * nothing was written into this subpage the ECC is
+                         * obviously wrong and we can not trust it. We assume
+                         * at this point that we are reading an erased page and
+                         * try to correct the bitflips in buffer up to
+                         * ecc_strength bitflips. If this is a page with random
+                         * data, we exceed this number of bitflips and have a
+                         * ECC failure. Otherwise we use the corrected buffer.
+                         */
+                        if (i == 0) {
+                                /* The first block includes metadata */
+                                flips = nand_check_erased_ecc_chunk(
+                                                buf + i * nfc_geo->ecc_chunk_size,
+                                                nfc_geo->ecc_chunk_size,
+                                                eccbuf, eccbytes,
+                                                auxiliary_virt,
+                                                nfc_geo->metadata_size,
+                                                nfc_geo->ecc_strength);
+                        } else {
+                                flips = nand_check_erased_ecc_chunk(
+                                                buf + i * nfc_geo->ecc_chunk_size,
+                                                nfc_geo->ecc_chunk_size,
+                                                eccbuf, eccbytes,
+                                                NULL, 0,
+                                                nfc_geo->ecc_strength);
+                        }
+                        if (flips > 0) {
+                                max_bitflips = max_t(unsigned int, max_bitflips,
+                                                     flips);
+                                mtd->ecc_stats.corrected += flips;
+                                continue;
+                        }
                        mtd->ecc_stats.failed++;
                        continue;
                }
                mtd->ecc_stats.corrected += *status;
                max_bitflips = max_t(unsigned int, max_bitflips, *status);
        }
+        /* handle the block mark swapping */
+        block_mark_swapping(this, buf, auxiliary_virt);
        if (oob_required) {
                /*
                 * It's time to deliver the OOB bytes. See gpmi_ecc_read_oob()
@@ -1062,11 +1135,6 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, struct nand_chip *chip,
                chip->oob_poi[0] = ((uint8_t *) auxiliary_virt)[0];
        }
-        read_page_swap_end(this, buf, nfc_geo->payload_size,
-                        this->payload_virt, this->payload_phys,
-                        nfc_geo->payload_size,
-                        payload_virt, payload_phys);
        return max_bitflips;
 }
diff --git a/drivers/mtd/nand/mxc_nand.c b/drivers/mtd/nand/mxc_nand.c
index e584d910f945..c37611127ca3 100644
--- a/drivers/mtd/nand/mxc_nand.c
+++ b/drivers/mtd/nand/mxc_nand.c
@@ -49,7 +49,7 @@
 #define NFC_V1_V2_CONFIG                (host->regs + 0x0a)
 #define NFC_V1_V2_ECC_STATUS_RESULT     (host->regs + 0x0c)
 #define NFC_V1_V2_RSLTMAIN_AREA         (host->regs + 0x0e)
-#define NFC_V1_V2_RSLTSPARE_AREA        (host->regs + 0x10)
+#define NFC_V21_RSLTSPARE_AREA          (host->regs + 0x10)
 #define NFC_V1_V2_WRPROT                (host->regs + 0x12)
 #define NFC_V1_UNLOCKSTART_BLKADDR      (host->regs + 0x14)
 #define NFC_V1_UNLOCKEND_BLKADDR        (host->regs + 0x16)
@@ -1034,6 +1034,9 @@ static void preset_v2(struct mtd_info *mtd)
        writew(config1, NFC_V1_V2_CONFIG1);
        /* preset operation */
+        /* spare area size in 16-bit half-words */
+        writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA);
        /* Unlock the internal RAM Buffer */
        writew(0x2, NFC_V1_V2_CONFIG);
diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
index e561fbcb93b3..d2639ea121f4 100644
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -626,7 +626,8 @@ static void nand_command(struct mtd_info *mtd, unsigned int command,
                chip->cmd_ctrl(mtd, readcmd, ctrl);
                ctrl &= ~NAND_CTRL_CHANGE;
        }
-        chip->cmd_ctrl(mtd, command, ctrl);
+        if (command != NAND_CMD_NONE)
+                chip->cmd_ctrl(mtd, command, ctrl);
        /* Address cycle, when necessary */
        ctrl = NAND_CTRL_ALE | NAND_CTRL_CHANGE;
@@ -655,6 +656,7 @@ static void nand_command(struct mtd_info *mtd, unsigned int command,
         */
        switch (command) {
+        case NAND_CMD_NONE:
        case NAND_CMD_PAGEPROG:
        case NAND_CMD_ERASE1:
        case NAND_CMD_ERASE2:
@@ -717,7 +719,9 @@ static void nand_command_lp(struct mtd_info *mtd, unsigned int command,
        }
        /* Command latch cycle */
-        chip->cmd_ctrl(mtd, command, NAND_NCE | NAND_CLE | NAND_CTRL_CHANGE);
+        if (command != NAND_CMD_NONE)
+                chip->cmd_ctrl(mtd, command,
+                               NAND_NCE | NAND_CLE | NAND_CTRL_CHANGE);
        if (column != -1 || page_addr != -1) {
                int ctrl = NAND_CTRL_CHANGE | NAND_NCE | NAND_ALE;
@@ -750,6 +754,7 @@ static void nand_command_lp(struct mtd_info *mtd, unsigned int command,
         */
        switch (command) {
+        case NAND_CMD_NONE:
        case NAND_CMD_CACHEDPROG:
        case NAND_CMD_PAGEPROG:
        case NAND_CMD_ERASE1:
@@ -2062,6 +2067,7 @@ static int nand_write_oob_syndrome(struct mtd_info *mtd,
 static int nand_do_read_oob(struct mtd_info *mtd, loff_t from,
                            struct mtd_oob_ops *ops)
 {
+        unsigned int max_bitflips = 0;
        int page, realpage, chipnr;
        struct nand_chip *chip = mtd->priv;
        struct mtd_ecc_stats stats;
@@ -2122,6 +2128,8 @@ static int nand_do_read_oob(struct mtd_info *mtd, loff_t from,
                                nand_wait_ready(mtd);
                }
+                max_bitflips = max_t(unsigned int, max_bitflips, ret);
                readlen -= len;
                if (!readlen)
                        break;
@@ -2147,7 +2155,7 @@ static int nand_do_read_oob(struct mtd_info *mtd, loff_t from,
        if (mtd->ecc_stats.failed - stats.failed)
                return -EBADMSG;
-        return  mtd->ecc_stats.corrected - stats.corrected ? -EUCLEAN : 0;
+        return max_bitflips;
 }
 /**
diff --git a/drivers/mtd/nand/sh_flctl.c b/drivers/mtd/nand/sh_flctl.c
index bcba1a924c75..1f2785ee909f 100644
--- a/drivers/mtd/nand/sh_flctl.c
+++ b/drivers/mtd/nand/sh_flctl.c
@@ -160,7 +160,7 @@ static void flctl_setup_dma(struct sh_flctl *flctl)
        memset(&cfg, 0, sizeof(cfg));
        cfg.direction = DMA_MEM_TO_DEV;
-        cfg.dst_addr = (dma_addr_t)FLDTFIFO(flctl);
+        cfg.dst_addr = flctl->fifo;
        cfg.src_addr = 0;
        ret = dmaengine_slave_config(flctl->chan_fifo0_tx, &cfg);
        if (ret < 0)
@@ -176,7 +176,7 @@ static void flctl_setup_dma(struct sh_flctl *flctl)
        cfg.direction = DMA_DEV_TO_MEM;
        cfg.dst_addr = 0;
-        cfg.src_addr = (dma_addr_t)FLDTFIFO(flctl);
+        cfg.src_addr = flctl->fifo;
        ret = dmaengine_slave_config(flctl->chan_fifo0_rx, &cfg);
        if (ret < 0)
                goto err;
@@ -1096,6 +1096,7 @@ static int flctl_probe(struct platform_device *pdev)
        flctl->reg = devm_ioremap_resource(&pdev->dev, res);
        if (IS_ERR(flctl->reg))
                return PTR_ERR(flctl->reg);
+        flctl->fifo = res->start + 0x24; /* FLDTFIFO */
        irq = platform_get_irq(pdev, 0);
        if (irq < 0) {
diff --git a/drivers/mtd/nand/sunxi_nand.c b/drivers/mtd/nand/sunxi_nand.c
index 824711845c44..3bb9b34d9e77 100644
--- a/drivers/mtd/nand/sunxi_nand.c
+++ b/drivers/mtd/nand/sunxi_nand.c
@@ -1046,8 +1046,14 @@ static int sunxi_nand_hw_common_ecc_ctrl_init(struct mtd_info *mtd,
        /* Add ECC info retrieval from DT */
        for (i = 0; i < ARRAY_SIZE(strengths); i++) {
-                if (ecc->strength <= strengths[i])
+                if (ecc->strength <= strengths[i]) {
+                        /*
+                         * Update ecc->strength value with the actual strength
+                         * that will be used by the ECC engine.
+                         */
+                        ecc->strength = strengths[i];
                        break;
+                }
        }
        if (i >= ARRAY_SIZE(strengths)) {
diff --git a/drivers/mtd/ubi/attach.c b/drivers/mtd/ubi/attach.c
index c1aaf0336cf2..5cde3ad1665e 100644
--- a/drivers/mtd/ubi/attach.c
+++ b/drivers/mtd/ubi/attach.c
@@ -175,6 +175,40 @@ static int add_corrupted(struct ubi_attach_info *ai, int pnum, int ec)
 }
 /**
+ * add_fastmap - add a Fastmap related physical eraseblock.
+ * @ai: attaching information
+ * @pnum: physical eraseblock number the VID header came from
+ * @vid_hdr: the volume identifier header
+ * @ec: erase counter of the physical eraseblock
+ *
+ * This function allocates a 'struct ubi_ainf_peb' object for a Fastamp
+ * physical eraseblock @pnum and adds it to the 'fastmap' list.
+ * Such blocks can be Fastmap super and data blocks from both the most
+ * recent Fastmap we're attaching from or from old Fastmaps which will
+ * be erased.
+ */
+static int add_fastmap(struct ubi_attach_info *ai, int pnum,
+                       struct ubi_vid_hdr *vid_hdr, int ec)
+{
+        struct ubi_ainf_peb *aeb;
+        aeb = kmem_cache_alloc(ai->aeb_slab_cache, GFP_KERNEL);
+        if (!aeb)
+                return -ENOMEM;
+        aeb->pnum = pnum;
+        aeb->vol_id = be32_to_cpu(vidh->vol_id);
+        aeb->sqnum = be64_to_cpu(vidh->sqnum);
+        aeb->ec = ec;
+        list_add(&aeb->u.list, &ai->fastmap);
+        dbg_bld("add to fastmap list: PEB %d, vol_id %d, sqnum: %llu", pnum,
+                aeb->vol_id, aeb->sqnum);
+        return 0;
+}
+/**
 * validate_vid_hdr - check volume identifier header.
 * @ubi: UBI device description object
 * @vid_hdr: the volume identifier header to check
@@ -803,13 +837,26 @@ out_unlock:
        return err;
 }
+static bool vol_ignored(int vol_id)
+{
+        switch (vol_id) {
+                case UBI_LAYOUT_VOLUME_ID:
+                return true;
+        }
+#ifdef CONFIG_MTD_UBI_FASTMAP
+        return ubi_is_fm_vol(vol_id);
+#else
+        return false;
+#endif
+}
 /**
 * scan_peb - scan and process UBI headers of a PEB.
 * @ubi: UBI device description object
 * @ai: attaching information
 * @pnum: the physical eraseblock number
- * @vid: The volume ID of the found volume will be stored in this pointer
+ * @fast: true if we're scanning for a Fastmap
- * @sqnum: The sqnum of the found volume will be stored in this pointer
 *
 * This function reads UBI headers of PEB @pnum, checks them, and adds
 * information about this PEB to the corresponding list or RB-tree in the
@@ -817,9 +864,9 @@ out_unlock:
 * successfully handled and a negative error code in case of failure.
 */
 static int scan_peb(struct ubi_device *ubi, struct ubi_attach_info *ai,
-                    int pnum, int *vid, unsigned long long *sqnum)
+                    int pnum, bool fast)
 {
-        long long uninitialized_var(ec);
+        long long ec;
        int err, bitflips = 0, vol_id = -1, ec_err = 0;
        dbg_bld("scan PEB %d", pnum);
@@ -935,6 +982,20 @@ static int scan_peb(struct ubi_device *ubi, struct ubi_attach_info *ai,
                         */
                        ai->maybe_bad_peb_count += 1;
        case UBI_IO_BAD_HDR:
+                        /*
+                         * If we're facing a bad VID header we have to drop *all*
+                         * Fastmap data structures we find. The most recent Fastmap
+                         * could be bad and therefore there is a chance that we attach
+                         * from an old one. On a fine MTD stack a PEB must not render
+                         * bad all of a sudden, but the reality is different.
+                         * So, let's be paranoid and help finding the root cause by
+                         * falling back to scanning mode instead of attaching with a
+                         * bad EBA table and cause data corruption which is hard to
+                         * analyze.
+                         */
+                        if (fast)
+                                ai->force_full_scan = 1;
                if (ec_err)
                        /*
                         * Both headers are corrupted. There is a possibility
@@ -991,21 +1052,15 @@ static int scan_peb(struct ubi_device *ubi, struct ubi_attach_info *ai,
        }
        vol_id = be32_to_cpu(vidh->vol_id);
-        if (vid)
+        if (vol_id > UBI_MAX_VOLUMES && !vol_ignored(vol_id)) {
-                *vid = vol_id;
-        if (sqnum)
-                *sqnum = be64_to_cpu(vidh->sqnum);
-        if (vol_id > UBI_MAX_VOLUMES && vol_id != UBI_LAYOUT_VOLUME_ID) {
                int lnum = be32_to_cpu(vidh->lnum);
                /* Unsupported internal volume */
                switch (vidh->compat) {
                case UBI_COMPAT_DELETE:
-                        if (vol_id != UBI_FM_SB_VOLUME_ID
+                        ubi_msg(ubi, "\"delete\" compatible internal volume %d:%d found, will remove it",
-                            && vol_id != UBI_FM_DATA_VOLUME_ID) {
+                                vol_id, lnum);
-                                ubi_msg(ubi, "\"delete\" compatible internal volume %d:%d found, will remove it",
-                                        vol_id, lnum);
-                        }
                        err = add_to_list(ai, pnum, vol_id, lnum,
                                          ec, 1, &ai->erase);
                        if (err)
@@ -1037,7 +1092,12 @@ static int scan_peb(struct ubi_device *ubi, struct ubi_attach_info *ai,
        if (ec_err)
                ubi_warn(ubi, "valid VID header but corrupted EC header at PEB %d",
                         pnum);
-        err = ubi_add_to_av(ubi, ai, pnum, ec, vidh, bitflips);
+        if (ubi_is_fm_vol(vol_id))
+                err = add_fastmap(ai, pnum, vidh, ec);
+        else
+                err = ubi_add_to_av(ubi, ai, pnum, ec, vidh, bitflips);
        if (err)
                return err;
@@ -1186,6 +1246,10 @@ static void destroy_ai(struct ubi_attach_info *ai)
                list_del(&aeb->u.list);
                kmem_cache_free(ai->aeb_slab_cache, aeb);
        }
+        list_for_each_entry_safe(aeb, aeb_tmp, &ai->fastmap, u.list) {
+                list_del(&aeb->u.list);
+                kmem_cache_free(ai->aeb_slab_cache, aeb);
+        }
        /* Destroy the volume RB-tree */
        rb = ai->volumes.rb_node;
@@ -1245,7 +1309,7 @@ static int scan_all(struct ubi_device *ubi, struct ubi_attach_info *ai,
                cond_resched();
                dbg_gen("process PEB %d", pnum);
-                err = scan_peb(ubi, ai, pnum, NULL, NULL);
+                err = scan_peb(ubi, ai, pnum, false);
                if (err < 0)
                        goto out_vidh;
        }
@@ -1311,6 +1375,7 @@ static struct ubi_attach_info *alloc_ai(void)
        INIT_LIST_HEAD(&ai->free);
        INIT_LIST_HEAD(&ai->erase);
        INIT_LIST_HEAD(&ai->alien);
+        INIT_LIST_HEAD(&ai->fastmap);
        ai->volumes = RB_ROOT;
        ai->aeb_slab_cache = kmem_cache_create("ubi_aeb_slab_cache",
                                               sizeof(struct ubi_ainf_peb),
@@ -1337,52 +1402,58 @@ static struct ubi_attach_info *alloc_ai(void)
 */
 static int scan_fast(struct ubi_device *ubi, struct ubi_attach_info **ai)
 {
-        int err, pnum, fm_anchor = -1;
+        int err, pnum;
-        unsigned long long max_sqnum = 0;
+        struct ubi_attach_info *scan_ai;
        err = -ENOMEM;
+        scan_ai = alloc_ai();
+        if (!scan_ai)
+                goto out;
        ech = kzalloc(ubi->ec_hdr_alsize, GFP_KERNEL);
        if (!ech)
-                goto out;
+                goto out_ai;
        vidh = ubi_zalloc_vid_hdr(ubi, GFP_KERNEL);
        if (!vidh)
                goto out_ech;
        for (pnum = 0; pnum < UBI_FM_MAX_START; pnum++) {
-                int vol_id = -1;
-                unsigned long long sqnum = -1;
                cond_resched();
                dbg_gen("process PEB %d", pnum);
-                err = scan_peb(ubi, *ai, pnum, &vol_id, &sqnum);
+                err = scan_peb(ubi, scan_ai, pnum, true);
                if (err < 0)
                        goto out_vidh;
-                if (vol_id == UBI_FM_SB_VOLUME_ID && sqnum > max_sqnum) {
-                        max_sqnum = sqnum;
-                        fm_anchor = pnum;
-                }
        }
        ubi_free_vid_hdr(ubi, vidh);
        kfree(ech);
-        if (fm_anchor < 0)
+        if (scan_ai->force_full_scan)
-                return UBI_NO_FASTMAP;
+                err = UBI_NO_FASTMAP;
+        else
+                err = ubi_scan_fastmap(ubi, *ai, scan_ai);
-        destroy_ai(*ai);
+        if (err) {
-        *ai = alloc_ai();
+                /*
-        if (!*ai)
+                 * Didn't attach via fastmap, do a full scan but reuse what
-                return -ENOMEM;
+                 * we've aready scanned.
+                 */
+                destroy_ai(*ai);
+                *ai = scan_ai;
+        } else
+                destroy_ai(scan_ai);
-        return ubi_scan_fastmap(ubi, *ai, fm_anchor);
+        return err;
 out_vidh:
        ubi_free_vid_hdr(ubi, vidh);
 out_ech:
        kfree(ech);
+out_ai:
+        destroy_ai(scan_ai);
 out:
        return err;
 }
diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
index ebf46ad2d513..07ad86759d92 100644
--- a/drivers/mtd/ubi/block.c
+++ b/drivers/mtd/ubi/block.c
@@ -99,6 +99,8 @@ struct ubiblock {
 /* Linked list of all ubiblock instances */
 static LIST_HEAD(ubiblock_devices);
+static DEFINE_IDR(ubiblock_minor_idr);
+/* Protects ubiblock_devices and ubiblock_minor_idr */
 static DEFINE_MUTEX(devices_mutex);
 static int ubiblock_major;
@@ -242,7 +244,7 @@ static int ubiblock_open(struct block_device *bdev, fmode_t mode)
         * in any case.
         */
        if (mode & FMODE_WRITE) {
-                ret = -EPERM;
+                ret = -EROFS;
                goto out_unlock;
        }
@@ -354,8 +356,6 @@ static struct blk_mq_ops ubiblock_mq_ops = {
        .map_queue      = blk_mq_map_queue,
 };
-static DEFINE_IDR(ubiblock_minor_idr);
 int ubiblock_create(struct ubi_volume_info *vi)
 {
        struct ubiblock *dev;
@@ -368,14 +368,15 @@ int ubiblock_create(struct ubi_volume_info *vi)
        /* Check that the volume isn't already handled */
        mutex_lock(&devices_mutex);
        if (find_dev_nolock(vi->ubi_num, vi->vol_id)) {
-                mutex_unlock(&devices_mutex);
+                ret = -EEXIST;
-                return -EEXIST;
+                goto out_unlock;
        }
-        mutex_unlock(&devices_mutex);
        dev = kzalloc(sizeof(struct ubiblock), GFP_KERNEL);
-        if (!dev)
+        if (!dev) {
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto out_unlock;
+        }
        mutex_init(&dev->dev_mutex);
@@ -440,14 +441,13 @@ int ubiblock_create(struct ubi_volume_info *vi)
                goto out_free_queue;
        }
-        mutex_lock(&devices_mutex);
        list_add_tail(&dev->list, &ubiblock_devices);
-        mutex_unlock(&devices_mutex);
        /* Must be the last step: anyone can call file ops from now on */
        add_disk(dev->gd);
        dev_info(disk_to_dev(dev->gd), "created from ubi%d:%d(%s)",
                 dev->ubi_num, dev->vol_id, vi->name);
+        mutex_unlock(&devices_mutex);
        return 0;
 out_free_queue:
@@ -460,6 +460,8 @@ out_put_disk:
        put_disk(dev->gd);
 out_free_dev:
        kfree(dev);
+out_unlock:
+        mutex_unlock(&devices_mutex);
        return ret;
 }
@@ -481,30 +483,36 @@ static void ubiblock_cleanup(struct ubiblock *dev)
 int ubiblock_remove(struct ubi_volume_info *vi)
 {
        struct ubiblock *dev;
+        int ret;
        mutex_lock(&devices_mutex);
        dev = find_dev_nolock(vi->ubi_num, vi->vol_id);
        if (!dev) {
-                mutex_unlock(&devices_mutex);
+                ret = -ENODEV;
-                return -ENODEV;
+                goto out_unlock;
        }
        /* Found a device, let's lock it so we can check if it's busy */
        mutex_lock(&dev->dev_mutex);
        if (dev->refcnt > 0) {
-                mutex_unlock(&dev->dev_mutex);
+                ret = -EBUSY;
-                mutex_unlock(&devices_mutex);
+                goto out_unlock_dev;
-                return -EBUSY;
        }
        /* Remove from device list */
        list_del(&dev->list);
-        mutex_unlock(&devices_mutex);
        ubiblock_cleanup(dev);
        mutex_unlock(&dev->dev_mutex);
+        mutex_unlock(&devices_mutex);
        kfree(dev);
        return 0;
+out_unlock_dev:
+        mutex_unlock(&dev->dev_mutex);
+out_unlock:
+        mutex_unlock(&devices_mutex);
+        return ret;
 }
 static int ubiblock_resize(struct ubi_volume_info *vi)
@@ -633,6 +641,7 @@ static void ubiblock_remove_all(void)
        struct ubiblock *next;
        struct ubiblock *dev;
+        mutex_lock(&devices_mutex);
        list_for_each_entry_safe(dev, next, &ubiblock_devices, list) {
                /* The module is being forcefully removed */
                WARN_ON(dev->desc);
@@ -641,6 +650,7 @@ static void ubiblock_remove_all(void)
                ubiblock_cleanup(dev);
                kfree(dev);
        }
+        mutex_unlock(&devices_mutex);
 }
 int __init ubiblock_init(void)
diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 27de0463226e..c9f5ae424af7 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -889,6 +889,17 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
                return -EINVAL;
        }
+        /*
+         * Both UBI and UBIFS have been designed for SLC NAND and NOR flashes.
+         * MLC NAND is different and needs special care, otherwise UBI or UBIFS
+         * will die soon and you will lose all your data.
+         */
+        if (mtd->type == MTD_MLCNANDFLASH) {
+                pr_err("ubi: refuse attaching mtd%d - MLC NAND is not supported\n",
+                        mtd->index);
+                return -EINVAL;
+        }
        if (ubi_num == UBI_DEV_NUM_AUTO) {
                /* Search for an empty slot in the @ubi_devices array */
                for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)
@@ -1121,6 +1132,9 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
         */
        get_device(&ubi->dev);
+#ifdef CONFIG_MTD_UBI_FASTMAP
+        cancel_work_sync(&ubi->fm_work);
+#endif
        ubi_debugfs_exit_dev(ubi);
        uif_close(ubi);
diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
index 4dd0391d2942..03cf0553ec1b 100644
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -350,6 +350,82 @@ out_unlock:
        return err;
 }
+#ifdef CONFIG_MTD_UBI_FASTMAP
+/**
+ * check_mapping - check and fixup a mapping
+ * @ubi: UBI device description object
+ * @vol: volume description object
+ * @lnum: logical eraseblock number
+ * @pnum: physical eraseblock number
+ *
+ * Checks whether a given mapping is valid. Fastmap cannot track LEB unmap
+ * operations, if such an operation is interrupted the mapping still looks
+ * good, but upon first read an ECC is reported to the upper layer.
+ * Normaly during the full-scan at attach time this is fixed, for Fastmap
+ * we have to deal with it while reading.
+ * If the PEB behind a LEB shows this symthom we change the mapping to
+ * %UBI_LEB_UNMAPPED and schedule the PEB for erasure.
+ *
+ * Returns 0 on success, negative error code in case of failure.
+ */
+static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
+                         int *pnum)
+{
+        int err;
+        struct ubi_vid_hdr *vid_hdr;
+        if (!ubi->fast_attach)
+                return 0;
+        vid_hdr = ubi_zalloc_vid_hdr(ubi, GFP_NOFS);
+        if (!vid_hdr)
+                return -ENOMEM;
+        err = ubi_io_read_vid_hdr(ubi, *pnum, vid_hdr, 0);
+        if (err > 0 && err != UBI_IO_BITFLIPS) {
+                int torture = 0;
+                switch (err) {
+                        case UBI_IO_FF:
+                        case UBI_IO_FF_BITFLIPS:
+                        case UBI_IO_BAD_HDR:
+                        case UBI_IO_BAD_HDR_EBADMSG:
+                                break;
+                        default:
+                                ubi_assert(0);
+                }
+                if (err == UBI_IO_BAD_HDR_EBADMSG || err == UBI_IO_FF_BITFLIPS)
+                        torture = 1;
+                down_read(&ubi->fm_eba_sem);
+                vol->eba_tbl[lnum] = UBI_LEB_UNMAPPED;
+                up_read(&ubi->fm_eba_sem);
+                ubi_wl_put_peb(ubi, vol->vol_id, lnum, *pnum, torture);
+                *pnum = UBI_LEB_UNMAPPED;
+        } else if (err < 0) {
+                ubi_err(ubi, "unable to read VID header back from PEB %i: %i",
+                        *pnum, err);
+                goto out_free;
+        }
+        err = 0;
+out_free:
+        ubi_free_vid_hdr(ubi, vid_hdr);
+        return err;
+}
+#else
+static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
+                  int *pnum)
+{
+        return 0;
+}
+#endif
 /**
 * ubi_eba_read_leb - read data.
 * @ubi: UBI device description object
@@ -381,7 +457,13 @@ int ubi_eba_read_leb(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
                return err;
        pnum = vol->eba_tbl[lnum];
-        if (pnum < 0) {
+        if (pnum >= 0) {
+                err = check_mapping(ubi, vol, lnum, &pnum);
+                if (err < 0)
+                        goto out_unlock;
+        }
+        if (pnum == UBI_LEB_UNMAPPED) {
                /*
                 * The logical eraseblock is not mapped, fill the whole buffer
                 * with 0xFF bytes. The exception is static volumes for which
@@ -697,6 +779,14 @@ int ubi_eba_write_leb(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
        pnum = vol->eba_tbl[lnum];
        if (pnum >= 0) {
+                err = check_mapping(ubi, vol, lnum, &pnum);
+                if (err < 0) {
+                        leb_write_unlock(ubi, vol_id, lnum);
+                        return err;
+                }
+        }
+        if (pnum >= 0) {
                dbg_eba("write %d bytes at offset %d of LEB %d:%d, PEB %d",
                        len, offset, vol_id, lnum, pnum);
@@ -1088,6 +1178,8 @@ int ubi_eba_copy_leb(struct ubi_device *ubi, int from, int to,
        struct ubi_volume *vol;
        uint32_t crc;
+        ubi_assert(rwsem_is_locked(&ubi->fm_eba_sem));
        vol_id = be32_to_cpu(vid_hdr->vol_id);
        lnum = be32_to_cpu(vid_hdr->lnum);
@@ -1256,9 +1348,7 @@ int ubi_eba_copy_leb(struct ubi_device *ubi, int from, int to,
        }
        ubi_assert(vol->eba_tbl[lnum] == from);
-        down_read(&ubi->fm_eba_sem);
        vol->eba_tbl[lnum] = to;
-        up_read(&ubi->fm_eba_sem);
 out_unlock_buf:
        mutex_unlock(&ubi->buf_mutex);
diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c
index 30d3999dddba..69dd21679a30 100644
--- a/drivers/mtd/ubi/fastmap-wl.c
+++ b/drivers/mtd/ubi/fastmap-wl.c
@@ -262,6 +262,8 @@ static struct ubi_wl_entry *get_peb_for_wl(struct ubi_device *ubi)
        struct ubi_fm_pool *pool = &ubi->fm_wl_pool;
        int pnum;
+        ubi_assert(rwsem_is_locked(&ubi->fm_eba_sem));
        if (pool->used == pool->size) {
                /* We cannot update the fastmap here because this
                 * function is called in atomic context.
@@ -303,7 +305,7 @@ int ubi_ensure_anchor_pebs(struct ubi_device *ubi)
        wrk->anchor = 1;
        wrk->func = &wear_leveling_worker;
-        schedule_ubi_work(ubi, wrk);
+        __schedule_ubi_work(ubi, wrk);
        return 0;
 }
@@ -344,7 +346,7 @@ int ubi_wl_put_fm_peb(struct ubi_device *ubi, struct ubi_wl_entry *fm_e,
        spin_unlock(&ubi->wl_lock);
        vol_id = lnum ? UBI_FM_DATA_VOLUME_ID : UBI_FM_SB_VOLUME_ID;
-        return schedule_erase(ubi, e, vol_id, lnum, torture);
+        return schedule_erase(ubi, e, vol_id, lnum, torture, true);
 }
 /**
@@ -360,7 +362,6 @@ static void ubi_fastmap_close(struct ubi_device *ubi)
 {
        int i;
-        flush_work(&ubi->fm_work);
        return_unused_pool_pebs(ubi, &ubi->fm_pool);
        return_unused_pool_pebs(ubi, &ubi->fm_wl_pool);
diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c
index bba7dd1b5ebf..72e89b352034 100644
--- a/drivers/mtd/ubi/fastmap.c
+++ b/drivers/mtd/ubi/fastmap.c
@@ -326,6 +326,7 @@ static int update_vol(struct ubi_device *ubi, struct ubi_attach_info *ai,
                        aeb->pnum = new_aeb->pnum;
                        aeb->copy_flag = new_vh->copy_flag;
                        aeb->scrub = new_aeb->scrub;
+                        aeb->sqnum = new_aeb->sqnum;
                        kmem_cache_free(ai->aeb_slab_cache, new_aeb);
                /* new_aeb is older */
@@ -851,27 +852,57 @@ fail:
 }
 /**
+ * find_fm_anchor - find the most recent Fastmap superblock (anchor)
+ * @ai: UBI attach info to be filled
+ */
+static int find_fm_anchor(struct ubi_attach_info *ai)
+{
+        int ret = -1;
+        struct ubi_ainf_peb *aeb;
+        unsigned long long max_sqnum = 0;
+        list_for_each_entry(aeb, &ai->fastmap, u.list) {
+                if (aeb->vol_id == UBI_FM_SB_VOLUME_ID && aeb->sqnum > max_sqnum) {
+                        max_sqnum = aeb->sqnum;
+                        ret = aeb->pnum;
+                }
+        }
+        return ret;
+}
+/**
 * ubi_scan_fastmap - scan the fastmap.
 * @ubi: UBI device object
 * @ai: UBI attach info to be filled
- * @fm_anchor: The fastmap starts at this PEB
+ * @scan_ai: UBI attach info from the first 64 PEBs,
+ *           used to find the most recent Fastmap data structure
 *
 * Returns 0 on success, UBI_NO_FASTMAP if no fastmap was found,
 * UBI_BAD_FASTMAP if one was found but is not usable.
 * < 0 indicates an internal error.
 */
 int ubi_scan_fastmap(struct ubi_device *ubi, struct ubi_attach_info *ai,
-                     int fm_anchor)
+                     struct ubi_attach_info *scan_ai)
 {
        struct ubi_fm_sb *fmsb, *fmsb2;
        struct ubi_vid_hdr *vh;
        struct ubi_ec_hdr *ech;
        struct ubi_fastmap_layout *fm;
-        int i, used_blocks, pnum, ret = 0;
+        struct ubi_ainf_peb *tmp_aeb, *aeb;
+        int i, used_blocks, pnum, fm_anchor, ret = 0;
        size_t fm_size;
        __be32 crc, tmp_crc;
        unsigned long long sqnum = 0;
+        fm_anchor = find_fm_anchor(scan_ai);
+        if (fm_anchor < 0)
+                return UBI_NO_FASTMAP;
+        /* Move all (possible) fastmap blocks into our new attach structure. */
+        list_for_each_entry_safe(aeb, tmp_aeb, &scan_ai->fastmap, u.list)
+                list_move_tail(&aeb->u.list, &ai->fastmap);
        down_write(&ubi->fm_protect);
        memset(ubi->fm_buf, 0, ubi->fm_size);
@@ -1484,22 +1515,30 @@ int ubi_update_fastmap(struct ubi_device *ubi)
        struct ubi_wl_entry *tmp_e;
        down_write(&ubi->fm_protect);
+        down_write(&ubi->work_sem);
+        down_write(&ubi->fm_eba_sem);
        ubi_refill_pools(ubi);
        if (ubi->ro_mode || ubi->fm_disabled) {
+                up_write(&ubi->fm_eba_sem);
+                up_write(&ubi->work_sem);
                up_write(&ubi->fm_protect);
                return 0;
        }
        ret = ubi_ensure_anchor_pebs(ubi);
        if (ret) {
+                up_write(&ubi->fm_eba_sem);
+                up_write(&ubi->work_sem);
                up_write(&ubi->fm_protect);
                return ret;
        }
        new_fm = kzalloc(sizeof(*new_fm), GFP_KERNEL);
        if (!new_fm) {
+                up_write(&ubi->fm_eba_sem);
+                up_write(&ubi->work_sem);
                up_write(&ubi->fm_protect);
                return -ENOMEM;
        }
@@ -1608,16 +1647,14 @@ int ubi_update_fastmap(struct ubi_device *ubi)
                new_fm->e[0] = tmp_e;
        }
-        down_write(&ubi->work_sem);
-        down_write(&ubi->fm_eba_sem);
        ret = ubi_write_fastmap(ubi, new_fm);
-        up_write(&ubi->fm_eba_sem);
-        up_write(&ubi->work_sem);
        if (ret)
                goto err;
 out_unlock:
+        up_write(&ubi->fm_eba_sem);
+        up_write(&ubi->work_sem);
        up_write(&ubi->fm_protect);
        kfree(old_fm);
        return ret;
diff --git a/drivers/mtd/ubi/ubi.h b/drivers/mtd/ubi/ubi.h
index de1ea2e4c37d..05d9ec66437c 100644
--- a/drivers/mtd/ubi/ubi.h
+++ b/drivers/mtd/ubi/ubi.h
@@ -699,6 +699,8 @@ struct ubi_ainf_volume {
 * @erase: list of physical eraseblocks which have to be erased
 * @alien: list of physical eraseblocks which should not be used by UBI (e.g.,
 *         those belonging to "preserve"-compatible internal volumes)
+ * @fastmap: list of physical eraseblocks which relate to fastmap (e.g.,
+ *           eraseblocks of the current and not yet erased old fastmap blocks)
 * @corr_peb_count: count of PEBs in the @corr list
 * @empty_peb_count: count of PEBs which are presumably empty (contain only
 *                   0xFF bytes)
@@ -709,6 +711,8 @@ struct ubi_ainf_volume {
 * @vols_found: number of volumes found
 * @highest_vol_id: highest volume ID
 * @is_empty: flag indicating whether the MTD device is empty or not
+ * @force_full_scan: flag indicating whether we need to do a full scan and drop
+                     all existing Fastmap data structures
 * @min_ec: lowest erase counter value
 * @max_ec: highest erase counter value
 * @max_sqnum: highest sequence number value
@@ -727,6 +731,7 @@ struct ubi_attach_info {
        struct list_head free;
        struct list_head erase;
        struct list_head alien;
+        struct list_head fastmap;
        int corr_peb_count;
        int empty_peb_count;
        int alien_peb_count;
@@ -735,6 +740,7 @@ struct ubi_attach_info {
        int vols_found;
        int highest_vol_id;
        int is_empty;
+        int force_full_scan;
        int min_ec;
        int max_ec;
        unsigned long long max_sqnum;
@@ -907,7 +913,7 @@ int ubi_compare_lebs(struct ubi_device *ubi, const struct ubi_ainf_peb *aeb,
 size_t ubi_calc_fm_size(struct ubi_device *ubi);
 int ubi_update_fastmap(struct ubi_device *ubi);
 int ubi_scan_fastmap(struct ubi_device *ubi, struct ubi_attach_info *ai,
-                     int fm_anchor);
+                     struct ubi_attach_info *scan_ai);
 #else
 static inline int ubi_update_fastmap(struct ubi_device *ubi) { return 0; }
 #endif
@@ -1101,4 +1107,42 @@ static inline int idx2vol_id(const struct ubi_device *ubi, int idx)
                return idx;
 }
+/**
+ * ubi_is_fm_vol - check whether a volume ID is a Fastmap volume.
+ * @vol_id: volume ID
+ */
+static inline bool ubi_is_fm_vol(int vol_id)
+{
+        switch (vol_id) {
+                case UBI_FM_SB_VOLUME_ID:
+                case UBI_FM_DATA_VOLUME_ID:
+                return true;
+        }
+        return false;
+}
+/**
+ * ubi_find_fm_block - check whether a PEB is part of the current Fastmap.
+ * @ubi: UBI device description object
+ * @pnum: physical eraseblock to look for
+ *
+ * This function returns a wear leveling object if @pnum relates to the current
+ * fastmap, @NULL otherwise.
+ */
+static inline struct ubi_wl_entry *ubi_find_fm_block(const struct ubi_device *ubi,
+                                                     int pnum)
+{
+        int i;
+        if (ubi->fm) {
+                for (i = 0; i < ubi->fm->used_blocks; i++) {
+                        if (ubi->fm->e[i]->pnum == pnum)
+                                return ubi->fm->e[i];
+                }
+        }
+        return NULL;
+}
 #endif /* !__UBI_UBI_H__ */
diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
index 3ea4c022cbb9..ccdb3dd74421 100644
--- a/drivers/mtd/ubi/vmt.c
+++ b/drivers/mtd/ubi/vmt.c
@@ -265,6 +265,12 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
                        vol->last_eb_bytes = vol->usable_leb_size;
        }
+        /* Make volume "available" before it becomes accessible via sysfs */
+        spin_lock(&ubi->volumes_lock);
+        ubi->volumes[vol_id] = vol;
+        ubi->vol_count += 1;
+        spin_unlock(&ubi->volumes_lock);
        /* Register character device for the volume */
        cdev_init(&vol->cdev, &ubi_vol_cdev_operations);
        vol->cdev.owner = THIS_MODULE;
@@ -304,11 +310,6 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
        if (err)
                goto out_sysfs;
-        spin_lock(&ubi->volumes_lock);
-        ubi->volumes[vol_id] = vol;
-        ubi->vol_count += 1;
-        spin_unlock(&ubi->volumes_lock);
        ubi_volume_notify(ubi, vol, UBI_VOLUME_ADDED);
        self_check_volumes(ubi);
        return err;
@@ -328,6 +329,10 @@ out_sysfs:
 out_cdev:
        cdev_del(&vol->cdev);
 out_mapping:
+        spin_lock(&ubi->volumes_lock);
+        ubi->volumes[vol_id] = NULL;
+        ubi->vol_count -= 1;
+        spin_unlock(&ubi->volumes_lock);
        if (do_free)
                kfree(vol->eba_tbl);
 out_acc:
diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
index 75286588b823..b3c1b8106a68 100644
--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -580,7 +580,7 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
 * failure.
 */
 static int schedule_erase(struct ubi_device *ubi, struct ubi_wl_entry *e,
-                          int vol_id, int lnum, int torture)
+                          int vol_id, int lnum, int torture, bool nested)
 {
        struct ubi_work *wl_wrk;
@@ -599,7 +599,10 @@ static int schedule_erase(struct ubi_device *ubi, struct ubi_wl_entry *e,
        wl_wrk->lnum = lnum;
        wl_wrk->torture = torture;
-        schedule_ubi_work(ubi, wl_wrk);
+        if (nested)
+                __schedule_ubi_work(ubi, wl_wrk);
+        else
+                schedule_ubi_work(ubi, wl_wrk);
        return 0;
 }
@@ -658,6 +661,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
        if (!vid_hdr)
                return -ENOMEM;
+        down_read(&ubi->fm_eba_sem);
        mutex_lock(&ubi->move_mutex);
        spin_lock(&ubi->wl_lock);
        ubi_assert(!ubi->move_from && !ubi->move_to);
@@ -884,6 +888,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
        dbg_wl("done");
        mutex_unlock(&ubi->move_mutex);
+        up_read(&ubi->fm_eba_sem);
        return 0;
        /*
@@ -925,6 +930,7 @@ out_not_moved:
        }
        mutex_unlock(&ubi->move_mutex);
+        up_read(&ubi->fm_eba_sem);
        return 0;
 out_error:
@@ -946,6 +952,7 @@ out_error:
 out_ro:
        ubi_ro_mode(ubi);
        mutex_unlock(&ubi->move_mutex);
+        up_read(&ubi->fm_eba_sem);
        ubi_assert(err != 0);
        return err < 0 ? err : -EIO;
@@ -953,6 +960,7 @@ out_cancel:
        ubi->wl_scheduled = 0;
        spin_unlock(&ubi->wl_lock);
        mutex_unlock(&ubi->move_mutex);
+        up_read(&ubi->fm_eba_sem);
        ubi_free_vid_hdr(ubi, vid_hdr);
        return 0;
 }
@@ -1075,7 +1083,7 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk)
                int err1;
                /* Re-schedule the LEB for erasure */
-                err1 = schedule_erase(ubi, e, vol_id, lnum, 0);
+                err1 = schedule_erase(ubi, e, vol_id, lnum, 0, false);
                if (err1) {
                        wl_entry_destroy(ubi, e);
                        err = err1;
@@ -1256,7 +1264,7 @@ retry:
        }
        spin_unlock(&ubi->wl_lock);
-        err = schedule_erase(ubi, e, vol_id, lnum, torture);
+        err = schedule_erase(ubi, e, vol_id, lnum, torture, false);
        if (err) {
                spin_lock(&ubi->wl_lock);
                wl_tree_add(e, &ubi->used);
@@ -1479,6 +1487,7 @@ int ubi_thread(void *u)
        }
        dbg_wl("background thread \"%s\" is killed", ubi->bgt_name);
+        ubi->thread_enabled = 0;
        return 0;
 }
@@ -1488,9 +1497,6 @@ int ubi_thread(void *u)
 */
 static void shutdown_work(struct ubi_device *ubi)
 {
-#ifdef CONFIG_MTD_UBI_FASTMAP
-        flush_work(&ubi->fm_work);
-#endif
        while (!list_empty(&ubi->works)) {
                struct ubi_work *wrk;
@@ -1503,6 +1509,46 @@ static void shutdown_work(struct ubi_device *ubi)
 }
 /**
+ * erase_aeb - erase a PEB given in UBI attach info PEB
+ * @ubi: UBI device description object
+ * @aeb: UBI attach info PEB
+ * @sync: If true, erase synchronously. Otherwise schedule for erasure
+ */
+static int erase_aeb(struct ubi_device *ubi, struct ubi_ainf_peb *aeb, bool sync)
+{
+        struct ubi_wl_entry *e;
+        int err;
+        e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
+        if (!e)
+                return -ENOMEM;
+        e->pnum = aeb->pnum;
+        e->ec = aeb->ec;
+        ubi->lookuptbl[e->pnum] = e;
+        if (sync) {
+                err = sync_erase(ubi, e, false);
+                if (err)
+                        goto out_free;
+                wl_tree_add(e, &ubi->free);
+                ubi->free_count++;
+        } else {
+                err = schedule_erase(ubi, e, aeb->vol_id, aeb->lnum, 0, false);
+                if (err)
+                        goto out_free;
+        }
+        return 0;
+out_free:
+        wl_entry_destroy(ubi, e);
+        return err;
+}
+/**
 * ubi_wl_init - initialize the WL sub-system using attaching information.
 * @ubi: UBI device description object
 * @ai: attaching information
@@ -1539,17 +1585,9 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
        list_for_each_entry_safe(aeb, tmp, &ai->erase, u.list) {
                cond_resched();
-                e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
+                err = erase_aeb(ubi, aeb, false);
-                if (!e)
+                if (err)
-                        goto out_free;
-                e->pnum = aeb->pnum;
-                e->ec = aeb->ec;
-                ubi->lookuptbl[e->pnum] = e;
-                if (schedule_erase(ubi, e, aeb->vol_id, aeb->lnum, 0)) {
-                        wl_entry_destroy(ubi, e);
                        goto out_free;
-                }
                found_pebs++;
        }
@@ -1600,19 +1638,49 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
                }
        }
-        dbg_wl("found %i PEBs", found_pebs);
+        list_for_each_entry(aeb, &ai->fastmap, u.list) {
+                cond_resched();
-        if (ubi->fm) {
+                e = ubi_find_fm_block(ubi, aeb->pnum);
-                ubi_assert(ubi->good_peb_count ==
-                           found_pebs + ubi->fm->used_blocks);
-                for (i = 0; i < ubi->fm->used_blocks; i++) {
+                if (e) {
-                        e = ubi->fm->e[i];
+                        ubi_assert(!ubi->lookuptbl[e->pnum]);
                        ubi->lookuptbl[e->pnum] = e;
+                } else {
+                        bool sync = false;
+                        /*
+                         * Usually old Fastmap PEBs are scheduled for erasure
+                         * and we don't have to care about them but if we face
+                         * an power cut before scheduling them we need to
+                         * take care of them here.
+                         */
+                        if (ubi->lookuptbl[aeb->pnum])
+                                continue;
+                        /*
+                         * The fastmap update code might not find a free PEB for
+                         * writing the fastmap anchor to and then reuses the
+                         * current fastmap anchor PEB. When this PEB gets erased
+                         * and a power cut happens before it is written again we
+                         * must make sure that the fastmap attach code doesn't
+                         * find any outdated fastmap anchors, hence we erase the
+                         * outdated fastmap anchor PEBs synchronously here.
+                         */
+                        if (aeb->vol_id == UBI_FM_SB_VOLUME_ID)
+                                sync = true;
+                        err = erase_aeb(ubi, aeb, sync);
+                        if (err)
+                                goto out_free;
                }
+                found_pebs++;
        }
-        else
-                ubi_assert(ubi->good_peb_count == found_pebs);
+        dbg_wl("found %i PEBs", found_pebs);
+        ubi_assert(ubi->good_peb_count == found_pebs);
        reserved_pebs = WL_RESERVED_PEBS;
        ubi_fastmap_init(ubi, &reserved_pebs);
diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
index f184fb5bd110..5116aec3c174 100644
--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -411,6 +411,9 @@ config XEN_NETDEV_BACKEND
 config VMXNET3
        tristate "VMware VMXNET3 ethernet driver"
        depends on PCI && INET
+        depends on !(PAGE_SIZE_64KB || ARM64_64K_PAGES || \
+                     IA64_PAGE_SIZE_64KB || MICROBLAZE_64K_PAGES || \
+                     PARISC_PAGE_SIZE_64KB || PPC_64K_PAGES)
        help
          This driver supports VMware's vmxnet3 virtual ethernet NIC.
          To compile this driver as a module, choose M here: the
diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c
index bb9e9fc45e1b..82d23bd3a742 100644
--- a/drivers/net/bonding/bond_alb.c
+++ b/drivers/net/bonding/bond_alb.c
@@ -453,7 +453,7 @@ static void rlb_update_client(struct rlb_client_info *client_info)
 {
        int i;
-        if (!client_info->slave)
+        if (!client_info->slave || !is_valid_ether_addr(client_info->mac_dst))
                return;
        for (i = 0; i < RLB_ARP_BURST_SIZE; i++) {
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 2cb34b0f3856..339118f3c718 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1490,39 +1490,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
                        goto err_close;
        }
-        /* If the mode uses primary, then the following is handled by
-         * bond_change_active_slave().
-         */
-        if (!bond_uses_primary(bond)) {
-                /* set promiscuity level to new slave */
-                if (bond_dev->flags & IFF_PROMISC) {
-                        res = dev_set_promiscuity(slave_dev, 1);
-                        if (res)
-                                goto err_close;
-                }
-                /* set allmulti level to new slave */
-                if (bond_dev->flags & IFF_ALLMULTI) {
-                        res = dev_set_allmulti(slave_dev, 1);
-                        if (res)
-                                goto err_close;
-                }
-                netif_addr_lock_bh(bond_dev);
-                dev_mc_sync_multiple(slave_dev, bond_dev);
-                dev_uc_sync_multiple(slave_dev, bond_dev);
-                netif_addr_unlock_bh(bond_dev);
-        }
-        if (BOND_MODE(bond) == BOND_MODE_8023AD) {
-                /* add lacpdu mc addr to mc list */
-                u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
-                dev_mc_add(slave_dev, lacpdu_multicast);
-        }
        res = vlan_vids_add_by_dev(slave_dev, bond_dev);
        if (res) {
                netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n",
@@ -1647,8 +1614,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
        } /* switch(bond_mode) */
 #ifdef CONFIG_NET_POLL_CONTROLLER
-        slave_dev->npinfo = bond->dev->npinfo;
+        if (bond->dev->npinfo) {
-        if (slave_dev->npinfo) {
                if (slave_enable_netpoll(new_slave)) {
                        netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n");
                        res = -EBUSY;
@@ -1679,6 +1645,40 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
                goto err_upper_unlink;
        }
+        /* If the mode uses primary, then the following is handled by
+         * bond_change_active_slave().
+         */
+        if (!bond_uses_primary(bond)) {
+                /* set promiscuity level to new slave */
+                if (bond_dev->flags & IFF_PROMISC) {
+                        res = dev_set_promiscuity(slave_dev, 1);
+                        if (res)
+                                goto err_sysfs_del;
+                }
+                /* set allmulti level to new slave */
+                if (bond_dev->flags & IFF_ALLMULTI) {
+                        res = dev_set_allmulti(slave_dev, 1);
+                        if (res) {
+                                if (bond_dev->flags & IFF_PROMISC)
+                                        dev_set_promiscuity(slave_dev, -1);
+                                goto err_sysfs_del;
+                        }
+                }
+                netif_addr_lock_bh(bond_dev);
+                dev_mc_sync_multiple(slave_dev, bond_dev);
+                dev_uc_sync_multiple(slave_dev, bond_dev);
+                netif_addr_unlock_bh(bond_dev);
+                if (BOND_MODE(bond) == BOND_MODE_8023AD) {
+                        /* add lacpdu mc addr to mc list */
+                        u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
+                        dev_mc_add(slave_dev, lacpdu_multicast);
+                }
+        }
        bond->slave_cnt++;
        bond_compute_features(bond);
        bond_set_carrier(bond);
@@ -1702,6 +1702,9 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
        return 0;
 /* Undo stages on error */
+err_sysfs_del:
+        bond_sysfs_slave_del(new_slave);
 err_upper_unlink:
        bond_upper_dev_unlink(bond_dev, slave_dev);
@@ -1709,9 +1712,6 @@ err_unregister:
        netdev_rx_handler_unregister(slave_dev);
 err_detach:
-        if (!bond_uses_primary(bond))
-                bond_hw_addr_flush(bond_dev, slave_dev);
        vlan_vids_del_by_dev(slave_dev, bond_dev);
        if (rcu_access_pointer(bond->primary_slave) == new_slave)
                RCU_INIT_POINTER(bond->primary_slave, NULL);
@@ -2555,11 +2555,13 @@ static void bond_loadbalance_arp_mon(struct work_struct *work)
        bond_for_each_slave_rcu(bond, slave, iter) {
                unsigned long trans_start = dev_trans_start(slave->dev);
+                slave->new_link = BOND_LINK_NOCHANGE;
                if (slave->link != BOND_LINK_UP) {
                        if (bond_time_in_interval(bond, trans_start, 1) &&
                            bond_time_in_interval(bond, slave->last_rx, 1)) {
-                                slave->link  = BOND_LINK_UP;
+                                slave->new_link = BOND_LINK_UP;
                                slave_state_changed = 1;
                                /* primary_slave has no meaning in round-robin
@@ -2586,7 +2588,7 @@ static void bond_loadbalance_arp_mon(struct work_struct *work)
                        if (!bond_time_in_interval(bond, trans_start, 2) ||
                            !bond_time_in_interval(bond, slave->last_rx, 2)) {
-                                slave->link  = BOND_LINK_DOWN;
+                                slave->new_link = BOND_LINK_DOWN;
                                slave_state_changed = 1;
                                if (slave->link_failure_count < UINT_MAX)
@@ -2617,6 +2619,11 @@ static void bond_loadbalance_arp_mon(struct work_struct *work)
                if (!rtnl_trylock())
                        goto re_arm;
+                bond_for_each_slave(bond, slave, iter) {
+                        if (slave->new_link != BOND_LINK_NOCHANGE)
+                                slave->link = slave->new_link;
+                }
                if (slave_state_changed) {
                        bond_slave_state_change(bond);
                        if (BOND_MODE(bond) == BOND_MODE_XOR)
@@ -3276,12 +3283,17 @@ static void bond_fold_stats(struct rtnl_link_stats64 *_res,
        for (i = 0; i < sizeof(*_res) / sizeof(u64); i++) {
                u64 nv = new[i];
                u64 ov = old[i];
+                s64 delta = nv - ov;
                /* detects if this particular field is 32bit only */
                if (((nv | ov) >> 32) == 0)
-                        res[i] += (u32)nv - (u32)ov;
+                        delta = (s64)(s32)((u32)nv - (u32)ov);
-                else
-                        res[i] += nv - ov;
+                /* filter anomalies, some drivers reset their stats
+                 * at down/up events.
+                 */
+                if (delta > 0)
+                        res[i] += delta;
        }
 }
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 55e93b6b6d21..66560a8fcfa2 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1115,6 +1115,7 @@ static int bond_option_primary_set(struct bonding *bond,
                                    slave->dev->name);
                        rcu_assign_pointer(bond->primary_slave, slave);
                        strcpy(bond->params.primary, slave->dev->name);
+                        bond->force_primary = true;
                        bond_select_active_slave(bond);
                        goto out;
                }
diff --git a/drivers/net/can/cc770/cc770.c b/drivers/net/can/cc770/cc770.c
index 1e37313054f3..6da69af103e6 100644
--- a/drivers/net/can/cc770/cc770.c
+++ b/drivers/net/can/cc770/cc770.c
@@ -390,37 +390,23 @@ static int cc770_get_berr_counter(const struct net_device *dev,
        return 0;
 }
-static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
+static void cc770_tx(struct net_device *dev, int mo)
 {
        struct cc770_priv *priv = netdev_priv(dev);
-        struct net_device_stats *stats = &dev->stats;
+        struct can_frame *cf = (struct can_frame *)priv->tx_skb->data;
-        struct can_frame *cf = (struct can_frame *)skb->data;
-        unsigned int mo = obj2msgobj(CC770_OBJ_TX);
        u8 dlc, rtr;
        u32 id;
        int i;
-        if (can_dropped_invalid_skb(dev, skb))
-                return NETDEV_TX_OK;
-        if ((cc770_read_reg(priv,
-                            msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) {
-                netdev_err(dev, "TX register is still occupied!\n");
-                return NETDEV_TX_BUSY;
-        }
-        netif_stop_queue(dev);
        dlc = cf->can_dlc;
        id = cf->can_id;
-        if (cf->can_id & CAN_RTR_FLAG)
+        rtr = cf->can_id & CAN_RTR_FLAG ? 0 : MSGCFG_DIR;
-                rtr = 0;
-        else
+        cc770_write_reg(priv, msgobj[mo].ctrl0,
-                rtr = MSGCFG_DIR;
+                        MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
        cc770_write_reg(priv, msgobj[mo].ctrl1,
                        RMTPND_RES | TXRQST_RES | CPUUPD_SET | NEWDAT_RES);
-        cc770_write_reg(priv, msgobj[mo].ctrl0,
-                        MSGVAL_SET | TXIE_SET | RXIE_RES | INTPND_RES);
        if (id & CAN_EFF_FLAG) {
                id &= CAN_EFF_MASK;
                cc770_write_reg(priv, msgobj[mo].config,
@@ -439,22 +425,30 @@ static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
        for (i = 0; i < dlc; i++)
                cc770_write_reg(priv, msgobj[mo].data[i], cf->data[i]);
-        /* Store echo skb before starting the transfer */
-        can_put_echo_skb(skb, dev, 0);
        cc770_write_reg(priv, msgobj[mo].ctrl1,
-                        RMTPND_RES | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC);
+                        RMTPND_UNC | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC);
+        cc770_write_reg(priv, msgobj[mo].ctrl0,
+                        MSGVAL_SET | TXIE_SET | RXIE_SET | INTPND_UNC);
+}
-        stats->tx_bytes += dlc;
+static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
+{
+        struct cc770_priv *priv = netdev_priv(dev);
+        unsigned int mo = obj2msgobj(CC770_OBJ_TX);
+        if (can_dropped_invalid_skb(dev, skb))
+                return NETDEV_TX_OK;
-        /*
+        netif_stop_queue(dev);
-         * HM: We had some cases of repeated IRQs so make sure the
-         * INT is acknowledged I know it's already further up, but
+        if ((cc770_read_reg(priv,
-         * doing again fixed the issue
+                            msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) {
-         */
+                netdev_err(dev, "TX register is still occupied!\n");
-        cc770_write_reg(priv, msgobj[mo].ctrl0,
+                return NETDEV_TX_BUSY;
-                        MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES);
+        }
+        priv->tx_skb = skb;
+        cc770_tx(dev, mo);
        return NETDEV_TX_OK;
 }
@@ -680,19 +674,46 @@ static void cc770_tx_interrupt(struct net_device *dev, unsigned int o)
        struct cc770_priv *priv = netdev_priv(dev);
        struct net_device_stats *stats = &dev->stats;
        unsigned int mo = obj2msgobj(o);
+        struct can_frame *cf;
+        u8 ctrl1;
+        ctrl1 = cc770_read_reg(priv, msgobj[mo].ctrl1);
-        /* Nothing more to send, switch off interrupts */
        cc770_write_reg(priv, msgobj[mo].ctrl0,
                        MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
-        /*
+        cc770_write_reg(priv, msgobj[mo].ctrl1,
-         * We had some cases of repeated IRQ so make sure the
+                        RMTPND_RES | TXRQST_RES | MSGLST_RES | NEWDAT_RES);
-         * INT is acknowledged
+        if (unlikely(!priv->tx_skb)) {
+                netdev_err(dev, "missing tx skb in tx interrupt\n");
+                return;
+        }
+        if (unlikely(ctrl1 & MSGLST_SET)) {
+                stats->rx_over_errors++;
+                stats->rx_errors++;
+        }
+        /* When the CC770 is sending an RTR message and it receives a regular
+         * message that matches the id of the RTR message, it will overwrite the
+         * outgoing message in the TX register. When this happens we must
+         * process the received message and try to transmit the outgoing skb
+         * again.
         */
-        cc770_write_reg(priv, msgobj[mo].ctrl0,
+        if (unlikely(ctrl1 & NEWDAT_SET)) {
-                        MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES);
+                cc770_rx(dev, mo, ctrl1);
+                cc770_tx(dev, mo);
+                return;
+        }
+        cf = (struct can_frame *)priv->tx_skb->data;
+        stats->tx_bytes += cf->can_dlc;
        stats->tx_packets++;
+        can_put_echo_skb(priv->tx_skb, dev, 0);
        can_get_echo_skb(dev, 0);
+        priv->tx_skb = NULL;
        netif_wake_queue(dev);
 }
@@ -804,6 +825,7 @@ struct net_device *alloc_cc770dev(int sizeof_priv)
        priv->can.do_set_bittiming = cc770_set_bittiming;
        priv->can.do_set_mode = cc770_set_mode;
        priv->can.ctrlmode_supported = CAN_CTRLMODE_3_SAMPLES;
+        priv->tx_skb = NULL;
        memcpy(priv->obj_flags, cc770_obj_flags, sizeof(cc770_obj_flags));
diff --git a/drivers/net/can/cc770/cc770.h b/drivers/net/can/cc770/cc770.h
index a1739db98d91..95752e1d1283 100644
--- a/drivers/net/can/cc770/cc770.h
+++ b/drivers/net/can/cc770/cc770.h
@@ -193,6 +193,8 @@ struct cc770_priv {
        u8 cpu_interface;       /* CPU interface register */
        u8 clkout;              /* Clock out register */
        u8 bus_config;          /* Bus conffiguration register */
+        struct sk_buff *tx_skb;
 };
 struct net_device *alloc_cc770dev(int sizeof_priv);
diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index 16f7cadda5c3..47f43bdecd51 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -493,7 +493,7 @@ static int flexcan_start_xmit(struct sk_buff *skb, struct net_device *dev)
                data = be32_to_cpup((__be32 *)&cf->data[0]);
                flexcan_write(data, &regs->mb[FLEXCAN_TX_BUF_ID].data[0]);
        }
-        if (cf->can_dlc > 3) {
+        if (cf->can_dlc > 4) {
                data = be32_to_cpup((__be32 *)&cf->data[4]);
                flexcan_write(data, &regs->mb[FLEXCAN_TX_BUF_ID].data[1]);
        }
diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
index 357c9e89fdf9..047348033e27 100644
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -1078,6 +1078,7 @@ static void ems_usb_disconnect(struct usb_interface *intf)
                usb_free_urb(dev->intr_urb);
                kfree(dev->intr_in_buffer);
+                kfree(dev->tx_msg_buffer);
        }
 }
diff --git a/drivers/net/can/usb/kvaser_usb.c b/drivers/net/can/usb/kvaser_usb.c
index db1855b0e08f..59f891bebcc6 100644
--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -1175,7 +1175,7 @@ static void kvaser_usb_rx_can_msg(const struct kvaser_usb *dev,
        skb = alloc_can_skb(priv->netdev, &cf);
        if (!skb) {
-                stats->tx_dropped++;
+                stats->rx_dropped++;
                return;
        }
diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
index 51670b322409..700b98d9c250 100644
--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -2,6 +2,7 @@
 *
 * Copyright (C) 2012 - 2014 Xilinx, Inc.
 * Copyright (C) 2009 PetaLogix. All rights reserved.
+ * Copyright (C) 2017 Sandvik Mining and Construction Oy
 *
 * Description:
 * This driver is developed for Axi CAN IP and for Zynq CANPS Controller.
@@ -25,8 +26,10 @@
 #include <linux/module.h>
 #include <linux/netdevice.h>
 #include <linux/of.h>
+#include <linux/of_device.h>
 #include <linux/platform_device.h>
 #include <linux/skbuff.h>
+#include <linux/spinlock.h>
 #include <linux/string.h>
 #include <linux/types.h>
 #include <linux/can/dev.h>
@@ -100,7 +103,7 @@ enum xcan_reg {
 #define XCAN_INTR_ALL           (XCAN_IXR_TXOK_MASK | XCAN_IXR_BSOFF_MASK |\
                                 XCAN_IXR_WKUP_MASK | XCAN_IXR_SLP_MASK | \
                                 XCAN_IXR_RXNEMP_MASK | XCAN_IXR_ERROR_MASK | \
-                                 XCAN_IXR_ARBLST_MASK | XCAN_IXR_RXOK_MASK)
+                                 XCAN_IXR_RXOFLW_MASK | XCAN_IXR_ARBLST_MASK)
 /* CAN register bit shift - XCAN_<REG>_<BIT>_SHIFT */
 #define XCAN_BTR_SJW_SHIFT              7  /* Synchronous jump width */
@@ -117,6 +120,7 @@ enum xcan_reg {
 /**
 * struct xcan_priv - This definition define CAN driver instance
 * @can:                        CAN private data structure.
+ * @tx_lock:                    Lock for synchronizing TX interrupt handling
 * @tx_head:                    Tx CAN packets ready to send on the queue
 * @tx_tail:                    Tx CAN packets successfully sended on the queue
 * @tx_max:                     Maximum number packets the driver can send
@@ -131,6 +135,7 @@ enum xcan_reg {
 */
 struct xcan_priv {
        struct can_priv can;
+        spinlock_t tx_lock;
        unsigned int tx_head;
        unsigned int tx_tail;
        unsigned int tx_max;
@@ -158,6 +163,11 @@ static const struct can_bittiming_const xcan_bittiming_const = {
        .brp_inc = 1,
 };
+#define XCAN_CAP_WATERMARK      0x0001
+struct xcan_devtype_data {
+        unsigned int caps;
+};
 /**
 * xcan_write_reg_le - Write a value to the device register little endian
 * @priv:       Driver private data structure
@@ -237,6 +247,10 @@ static int set_reset_mode(struct net_device *ndev)
                usleep_range(500, 10000);
        }
+        /* reset clears FIFOs */
+        priv->tx_head = 0;
+        priv->tx_tail = 0;
        return 0;
 }
@@ -391,6 +405,7 @@ static int xcan_start_xmit(struct sk_buff *skb, struct net_device *ndev)
        struct net_device_stats *stats = &ndev->stats;
        struct can_frame *cf = (struct can_frame *)skb->data;
        u32 id, dlc, data[2] = {0, 0};
+        unsigned long flags;
        if (can_dropped_invalid_skb(ndev, skb))
                return NETDEV_TX_OK;
@@ -438,6 +453,9 @@ static int xcan_start_xmit(struct sk_buff *skb, struct net_device *ndev)
                data[1] = be32_to_cpup((__be32 *)(cf->data + 4));
        can_put_echo_skb(skb, ndev, priv->tx_head % priv->tx_max);
+        spin_lock_irqsave(&priv->tx_lock, flags);
        priv->tx_head++;
        /* Write the Frame to Xilinx CAN TX FIFO */
@@ -453,10 +471,16 @@ static int xcan_start_xmit(struct sk_buff *skb, struct net_device *ndev)
                stats->tx_bytes += cf->can_dlc;
        }
+        /* Clear TX-FIFO-empty interrupt for xcan_tx_interrupt() */
+        if (priv->tx_max > 1)
+                priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXFEMP_MASK);
        /* Check if the TX buffer is full */
        if ((priv->tx_head - priv->tx_tail) == priv->tx_max)
                netif_stop_queue(ndev);
+        spin_unlock_irqrestore(&priv->tx_lock, flags);
        return NETDEV_TX_OK;
 }
@@ -529,6 +553,123 @@ static int xcan_rx(struct net_device *ndev)
 }
 /**
+ * xcan_current_error_state - Get current error state from HW
+ * @ndev:       Pointer to net_device structure
+ *
+ * Checks the current CAN error state from the HW. Note that this
+ * only checks for ERROR_PASSIVE and ERROR_WARNING.
+ *
+ * Return:
+ * ERROR_PASSIVE or ERROR_WARNING if either is active, ERROR_ACTIVE
+ * otherwise.
+ */
+static enum can_state xcan_current_error_state(struct net_device *ndev)
+{
+        struct xcan_priv *priv = netdev_priv(ndev);
+        u32 status = priv->read_reg(priv, XCAN_SR_OFFSET);
+        if ((status & XCAN_SR_ESTAT_MASK) == XCAN_SR_ESTAT_MASK)
+                return CAN_STATE_ERROR_PASSIVE;
+        else if (status & XCAN_SR_ERRWRN_MASK)
+                return CAN_STATE_ERROR_WARNING;
+        else
+                return CAN_STATE_ERROR_ACTIVE;
+}
+/**
+ * xcan_set_error_state - Set new CAN error state
+ * @ndev:       Pointer to net_device structure
+ * @new_state:  The new CAN state to be set
+ * @cf:         Error frame to be populated or NULL
+ *
+ * Set new CAN error state for the device, updating statistics and
+ * populating the error frame if given.
+ */
+static void xcan_set_error_state(struct net_device *ndev,
+                                 enum can_state new_state,
+                                 struct can_frame *cf)
+{
+        struct xcan_priv *priv = netdev_priv(ndev);
+        u32 ecr = priv->read_reg(priv, XCAN_ECR_OFFSET);
+        u32 txerr = ecr & XCAN_ECR_TEC_MASK;
+        u32 rxerr = (ecr & XCAN_ECR_REC_MASK) >> XCAN_ESR_REC_SHIFT;
+        priv->can.state = new_state;
+        if (cf) {
+                cf->can_id |= CAN_ERR_CRTL;
+                cf->data[6] = txerr;
+                cf->data[7] = rxerr;
+        }
+        switch (new_state) {
+        case CAN_STATE_ERROR_PASSIVE:
+                priv->can.can_stats.error_passive++;
+                if (cf)
+                        cf->data[1] = (rxerr > 127) ?
+                                        CAN_ERR_CRTL_RX_PASSIVE :
+                                        CAN_ERR_CRTL_TX_PASSIVE;
+                break;
+        case CAN_STATE_ERROR_WARNING:
+                priv->can.can_stats.error_warning++;
+                if (cf)
+                        cf->data[1] |= (txerr > rxerr) ?
+                                        CAN_ERR_CRTL_TX_WARNING :
+                                        CAN_ERR_CRTL_RX_WARNING;
+                break;
+        case CAN_STATE_ERROR_ACTIVE:
+                if (cf)
+                        cf->data[1] |= CAN_ERR_CRTL_ACTIVE;
+                break;
+        default:
+                /* non-ERROR states are handled elsewhere */
+                WARN_ON(1);
+                break;
+        }
+}
+/**
+ * xcan_update_error_state_after_rxtx - Update CAN error state after RX/TX
+ * @ndev:       Pointer to net_device structure
+ *
+ * If the device is in a ERROR-WARNING or ERROR-PASSIVE state, check if
+ * the performed RX/TX has caused it to drop to a lesser state and set
+ * the interface state accordingly.
+ */
+static void xcan_update_error_state_after_rxtx(struct net_device *ndev)
+{
+        struct xcan_priv *priv = netdev_priv(ndev);
+        enum can_state old_state = priv->can.state;
+        enum can_state new_state;
+        /* changing error state due to successful frame RX/TX can only
+         * occur from these states
+         */
+        if (old_state != CAN_STATE_ERROR_WARNING &&
+            old_state != CAN_STATE_ERROR_PASSIVE)
+                return;
+        new_state = xcan_current_error_state(ndev);
+        if (new_state != old_state) {
+                struct sk_buff *skb;
+                struct can_frame *cf;
+                skb = alloc_can_err_skb(ndev, &cf);
+                xcan_set_error_state(ndev, new_state, skb ? cf : NULL);
+                if (skb) {
+                        struct net_device_stats *stats = &ndev->stats;
+                        stats->rx_packets++;
+                        stats->rx_bytes += cf->can_dlc;
+                        netif_rx(skb);
+                }
+        }
+}
+/**
 * xcan_err_interrupt - error frame Isr
 * @ndev:       net_device pointer
 * @isr:        interrupt status register value
@@ -543,16 +684,12 @@ static void xcan_err_interrupt(struct net_device *ndev, u32 isr)
        struct net_device_stats *stats = &ndev->stats;
        struct can_frame *cf;
        struct sk_buff *skb;
-        u32 err_status, status, txerr = 0, rxerr = 0;
+        u32 err_status;
        skb = alloc_can_err_skb(ndev, &cf);
        err_status = priv->read_reg(priv, XCAN_ESR_OFFSET);
        priv->write_reg(priv, XCAN_ESR_OFFSET, err_status);
-        txerr = priv->read_reg(priv, XCAN_ECR_OFFSET) & XCAN_ECR_TEC_MASK;
-        rxerr = ((priv->read_reg(priv, XCAN_ECR_OFFSET) &
-                        XCAN_ECR_REC_MASK) >> XCAN_ESR_REC_SHIFT);
-        status = priv->read_reg(priv, XCAN_SR_OFFSET);
        if (isr & XCAN_IXR_BSOFF_MASK) {
                priv->can.state = CAN_STATE_BUS_OFF;
@@ -562,28 +699,10 @@ static void xcan_err_interrupt(struct net_device *ndev, u32 isr)
                can_bus_off(ndev);
                if (skb)
                        cf->can_id |= CAN_ERR_BUSOFF;
-        } else if ((status & XCAN_SR_ESTAT_MASK) == XCAN_SR_ESTAT_MASK) {
+        } else {
-                priv->can.state = CAN_STATE_ERROR_PASSIVE;
+                enum can_state new_state = xcan_current_error_state(ndev);
-                priv->can.can_stats.error_passive++;
-                if (skb) {
+                xcan_set_error_state(ndev, new_state, skb ? cf : NULL);
-                        cf->can_id |= CAN_ERR_CRTL;
-                        cf->data[1] = (rxerr > 127) ?
-                                        CAN_ERR_CRTL_RX_PASSIVE :
-                                        CAN_ERR_CRTL_TX_PASSIVE;
-                        cf->data[6] = txerr;
-                        cf->data[7] = rxerr;
-                }
-        } else if (status & XCAN_SR_ERRWRN_MASK) {
-                priv->can.state = CAN_STATE_ERROR_WARNING;
-                priv->can.can_stats.error_warning++;
-                if (skb) {
-                        cf->can_id |= CAN_ERR_CRTL;
-                        cf->data[1] |= (txerr > rxerr) ?
-                                        CAN_ERR_CRTL_TX_WARNING :
-                                        CAN_ERR_CRTL_RX_WARNING;
-                        cf->data[6] = txerr;
-                        cf->data[7] = rxerr;
-                }
        }
        /* Check for Arbitration lost interrupt */
@@ -599,7 +718,6 @@ static void xcan_err_interrupt(struct net_device *ndev, u32 isr)
        if (isr & XCAN_IXR_RXOFLW_MASK) {
                stats->rx_over_errors++;
                stats->rx_errors++;
-                priv->write_reg(priv, XCAN_SRR_OFFSET, XCAN_SRR_RESET_MASK);
                if (skb) {
                        cf->can_id |= CAN_ERR_CRTL;
                        cf->data[1] |= CAN_ERR_CRTL_RX_OVERFLOW;
@@ -708,26 +826,20 @@ static int xcan_rx_poll(struct napi_struct *napi, int quota)
        isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
        while ((isr & XCAN_IXR_RXNEMP_MASK) && (work_done < quota)) {
-                if (isr & XCAN_IXR_RXOK_MASK) {
+                work_done += xcan_rx(ndev);
-                        priv->write_reg(priv, XCAN_ICR_OFFSET,
-                                XCAN_IXR_RXOK_MASK);
-                        work_done += xcan_rx(ndev);
-                } else {
-                        priv->write_reg(priv, XCAN_ICR_OFFSET,
-                                XCAN_IXR_RXNEMP_MASK);
-                        break;
-                }
                priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_RXNEMP_MASK);
                isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
        }
-        if (work_done)
+        if (work_done) {
                can_led_event(ndev, CAN_LED_EVENT_RX);
+                xcan_update_error_state_after_rxtx(ndev);
+        }
        if (work_done < quota) {
                napi_complete(napi);
                ier = priv->read_reg(priv, XCAN_IER_OFFSET);
-                ier |= (XCAN_IXR_RXOK_MASK | XCAN_IXR_RXNEMP_MASK);
+                ier |= XCAN_IXR_RXNEMP_MASK;
                priv->write_reg(priv, XCAN_IER_OFFSET, ier);
        }
        return work_done;
@@ -742,18 +854,71 @@ static void xcan_tx_interrupt(struct net_device *ndev, u32 isr)
 {
        struct xcan_priv *priv = netdev_priv(ndev);
        struct net_device_stats *stats = &ndev->stats;
+        unsigned int frames_in_fifo;
+        int frames_sent = 1; /* TXOK => at least 1 frame was sent */
+        unsigned long flags;
+        int retries = 0;
+        /* Synchronize with xmit as we need to know the exact number
+         * of frames in the FIFO to stay in sync due to the TXFEMP
+         * handling.
+         * This also prevents a race between netif_wake_queue() and
+         * netif_stop_queue().
+         */
+        spin_lock_irqsave(&priv->tx_lock, flags);
-        while ((priv->tx_head - priv->tx_tail > 0) &&
+        frames_in_fifo = priv->tx_head - priv->tx_tail;
-                        (isr & XCAN_IXR_TXOK_MASK)) {
+        if (WARN_ON_ONCE(frames_in_fifo == 0)) {
+                /* clear TXOK anyway to avoid getting back here */
                priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK);
+                spin_unlock_irqrestore(&priv->tx_lock, flags);
+                return;
+        }
+        /* Check if 2 frames were sent (TXOK only means that at least 1
+         * frame was sent).
+         */
+        if (frames_in_fifo > 1) {
+                WARN_ON(frames_in_fifo > priv->tx_max);
+                /* Synchronize TXOK and isr so that after the loop:
+                 * (1) isr variable is up-to-date at least up to TXOK clear
+                 *     time. This avoids us clearing a TXOK of a second frame
+                 *     but not noticing that the FIFO is now empty and thus
+                 *     marking only a single frame as sent.
+                 * (2) No TXOK is left. Having one could mean leaving a
+                 *     stray TXOK as we might process the associated frame
+                 *     via TXFEMP handling as we read TXFEMP *after* TXOK
+                 *     clear to satisfy (1).
+                 */
+                while ((isr & XCAN_IXR_TXOK_MASK) && !WARN_ON(++retries == 100)) {
+                        priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK);
+                        isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
+                }
+                if (isr & XCAN_IXR_TXFEMP_MASK) {
+                        /* nothing in FIFO anymore */
+                        frames_sent = frames_in_fifo;
+                }
+        } else {
+                /* single frame in fifo, just clear TXOK */
+                priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK);
+        }
+        while (frames_sent--) {
                can_get_echo_skb(ndev, priv->tx_tail %
                                        priv->tx_max);
                priv->tx_tail++;
                stats->tx_packets++;
-                isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
        }
-        can_led_event(ndev, CAN_LED_EVENT_TX);
        netif_wake_queue(ndev);
+        spin_unlock_irqrestore(&priv->tx_lock, flags);
+        can_led_event(ndev, CAN_LED_EVENT_TX);
+        xcan_update_error_state_after_rxtx(ndev);
 }
 /**
@@ -772,6 +937,7 @@ static irqreturn_t xcan_interrupt(int irq, void *dev_id)
        struct net_device *ndev = (struct net_device *)dev_id;
        struct xcan_priv *priv = netdev_priv(ndev);
        u32 isr, ier;
+        u32 isr_errors;
        /* Get the interrupt status from Xilinx CAN */
        isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
@@ -790,18 +956,17 @@ static irqreturn_t xcan_interrupt(int irq, void *dev_id)
                xcan_tx_interrupt(ndev, isr);
        /* Check for the type of error interrupt and Processing it */
-        if (isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK |
+        isr_errors = isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK |
-                        XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK)) {
+                            XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK);
-                priv->write_reg(priv, XCAN_ICR_OFFSET, (XCAN_IXR_ERROR_MASK |
+        if (isr_errors) {
-                                XCAN_IXR_RXOFLW_MASK | XCAN_IXR_BSOFF_MASK |
+                priv->write_reg(priv, XCAN_ICR_OFFSET, isr_errors);
-                                XCAN_IXR_ARBLST_MASK));
                xcan_err_interrupt(ndev, isr);
        }
        /* Check for the type of receive interrupt and Processing it */
-        if (isr & (XCAN_IXR_RXNEMP_MASK | XCAN_IXR_RXOK_MASK)) {
+        if (isr & XCAN_IXR_RXNEMP_MASK) {
                ier = priv->read_reg(priv, XCAN_IER_OFFSET);
-                ier &= ~(XCAN_IXR_RXNEMP_MASK | XCAN_IXR_RXOK_MASK);
+                ier &= ~XCAN_IXR_RXNEMP_MASK;
                priv->write_reg(priv, XCAN_IER_OFFSET, ier);
                napi_schedule(&priv->napi);
        }
@@ -1030,6 +1195,18 @@ static int __maybe_unused xcan_resume(struct device *dev)
 static SIMPLE_DEV_PM_OPS(xcan_dev_pm_ops, xcan_suspend, xcan_resume);
+static const struct xcan_devtype_data xcan_zynq_data = {
+        .caps = XCAN_CAP_WATERMARK,
+};
+/* Match table for OF platform binding */
+static const struct of_device_id xcan_of_match[] = {
+        { .compatible = "xlnx,zynq-can-1.0", .data = &xcan_zynq_data },
+        { .compatible = "xlnx,axi-can-1.00.a", },
+        { /* end of list */ },
+};
+MODULE_DEVICE_TABLE(of, xcan_of_match);
 /**
 * xcan_probe - Platform registration call
 * @pdev:       Handle to the platform device structure
@@ -1044,8 +1221,10 @@ static int xcan_probe(struct platform_device *pdev)
        struct resource *res; /* IO mem resources */
        struct net_device *ndev;
        struct xcan_priv *priv;
+        const struct of_device_id *of_id;
+        int caps = 0;
        void __iomem *addr;
-        int ret, rx_max, tx_max;
+        int ret, rx_max, tx_max, tx_fifo_depth;
        /* Get the virtual base address for the device */
        res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
@@ -1055,7 +1234,8 @@ static int xcan_probe(struct platform_device *pdev)
                goto err;
        }
-        ret = of_property_read_u32(pdev->dev.of_node, "tx-fifo-depth", &tx_max);
+        ret = of_property_read_u32(pdev->dev.of_node, "tx-fifo-depth",
+                                   &tx_fifo_depth);
        if (ret < 0)
                goto err;
@@ -1063,6 +1243,30 @@ static int xcan_probe(struct platform_device *pdev)
        if (ret < 0)
                goto err;
+        of_id = of_match_device(xcan_of_match, &pdev->dev);
+        if (of_id) {
+                const struct xcan_devtype_data *devtype_data = of_id->data;
+                if (devtype_data)
+                        caps = devtype_data->caps;
+        }
+        /* There is no way to directly figure out how many frames have been
+         * sent when the TXOK interrupt is processed. If watermark programming
+         * is supported, we can have 2 frames in the FIFO and use TXFEMP
+         * to determine if 1 or 2 frames have been sent.
+         * Theoretically we should be able to use TXFWMEMP to determine up
+         * to 3 frames, but it seems that after putting a second frame in the
+         * FIFO, with watermark at 2 frames, it can happen that TXFWMEMP (less
+         * than 2 frames in FIFO) is set anyway with no TXOK (a frame was
+         * sent), which is not a sensible state - possibly TXFWMEMP is not
+         * completely synchronized with the rest of the bits?
+         */
+        if (caps & XCAN_CAP_WATERMARK)
+                tx_max = min(tx_fifo_depth, 2);
+        else
+                tx_max = 1;
        /* Create a CAN device instance */
        ndev = alloc_candev(sizeof(struct xcan_priv), tx_max);
        if (!ndev)
@@ -1077,6 +1281,7 @@ static int xcan_probe(struct platform_device *pdev)
                                        CAN_CTRLMODE_BERR_REPORTING;
        priv->reg_base = addr;
        priv->tx_max = tx_max;
+        spin_lock_init(&priv->tx_lock);
        /* Get IRQ for the device */
        ndev->irq = platform_get_irq(pdev, 0);
@@ -1144,9 +1349,9 @@ static int xcan_probe(struct platform_device *pdev)
        devm_can_led_init(ndev);
        clk_disable_unprepare(priv->bus_clk);
        clk_disable_unprepare(priv->can_clk);
-        netdev_dbg(ndev, "reg_base=0x%p irq=%d clock=%d, tx fifo depth:%d\n",
+        netdev_dbg(ndev, "reg_base=0x%p irq=%d clock=%d, tx fifo depth: actual %d, using %d\n",
                        priv->reg_base, ndev->irq, priv->can.clock.freq,
-                        priv->tx_max);
+                        tx_fifo_depth, priv->tx_max);
        return 0;
@@ -1182,14 +1387,6 @@ static int xcan_remove(struct platform_device *pdev)
        return 0;
 }
-/* Match table for OF platform binding */
-static const struct of_device_id xcan_of_match[] = {
-        { .compatible = "xlnx,zynq-can-1.0", },
-        { .compatible = "xlnx,axi-can-1.00.a", },
-        { /* end of list */ },
-};
-MODULE_DEVICE_TABLE(of, xcan_of_match);
 static struct platform_driver xcan_driver = {
        .probe = xcan_probe,
        .remove = xcan_remove,
diff --git a/drivers/net/ethernet/3com/3c509.c b/drivers/net/ethernet/3com/3c509.c
index 4547a1b8b958..7677c745fb30 100644
--- a/drivers/net/ethernet/3com/3c509.c
+++ b/drivers/net/ethernet/3com/3c509.c
@@ -562,7 +562,7 @@ static void el3_common_remove (struct net_device *dev)
 }
 #ifdef CONFIG_EISA
-static int __init el3_eisa_probe (struct device *device)
+static int el3_eisa_probe(struct device *device)
 {
        short i;
        int ioaddr, irq, if_port;
diff --git a/drivers/net/ethernet/3com/3c59x.c b/drivers/net/ethernet/3com/3c59x.c
index 2839af00f20c..1c5f3b273e6a 100644
--- a/drivers/net/ethernet/3com/3c59x.c
+++ b/drivers/net/ethernet/3com/3c59x.c
@@ -907,7 +907,7 @@ static struct eisa_device_id vortex_eisa_ids[] = {
 };
 MODULE_DEVICE_TABLE(eisa, vortex_eisa_ids);
-static int __init vortex_eisa_probe(struct device *device)
+static int vortex_eisa_probe(struct device *device)
 {
        void __iomem *ioaddr;
        struct eisa_device *edev;
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
index 618d952c2984..2ef4b4e884ae 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
@@ -829,7 +829,7 @@ static int xgbe_remove(struct platform_device *pdev)
        return 0;
 }
-#ifdef CONFIG_PM
+#ifdef CONFIG_PM_SLEEP
 static int xgbe_suspend(struct device *dev)
 {
        struct net_device *netdev = dev_get_drvdata(dev);
@@ -868,7 +868,7 @@ static int xgbe_resume(struct device *dev)
        return ret;
 }
-#endif /* CONFIG_PM */
+#endif /* CONFIG_PM_SLEEP */
 #ifdef CONFIG_ACPI
 static const struct acpi_device_id xgbe_acpi_match[] = {
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
index 446058081866..7a0ab4c44ee4 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
@@ -872,14 +872,14 @@ static void xgbe_phy_adjust_link(struct xgbe_prv_data *pdata)
                if (pdata->tx_pause != pdata->phy.tx_pause) {
                        new_state = 1;
-                        pdata->hw_if.config_tx_flow_control(pdata);
                        pdata->tx_pause = pdata->phy.tx_pause;
+                        pdata->hw_if.config_tx_flow_control(pdata);
                }
                if (pdata->rx_pause != pdata->phy.rx_pause) {
                        new_state = 1;
-                        pdata->hw_if.config_rx_flow_control(pdata);
                        pdata->rx_pause = pdata->phy.rx_pause;
+                        pdata->hw_if.config_rx_flow_control(pdata);
                }
                /* Speed support */
diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
index c31e691d11fc..e8d31640058d 100644
--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
+++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
@@ -604,6 +604,7 @@ static void xgene_enet_cle_bypass(struct xgene_enet_pdata *pdata,
        xgene_enet_rd_csr(pdata, CLE_BYPASS_REG0_0_ADDR, &cb);
        cb |= CFG_CLE_BYPASS_EN0;
        CFG_CLE_IP_PROTOCOL0_SET(&cb, 3);
+        CFG_CLE_IP_HDR_LEN_SET(&cb, 0);
        xgene_enet_wr_csr(pdata, CLE_BYPASS_REG0_0_ADDR, cb);
        xgene_enet_rd_csr(pdata, CLE_BYPASS_REG1_0_ADDR, &cb);
diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h
index c153a1dc5ff7..480312105964 100644
--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h
+++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h
@@ -147,6 +147,7 @@ enum xgene_enet_rm {
 #define CFG_RXCLK_MUXSEL0_SET(dst, val) xgene_set_bits(dst, val, 26, 3)
 #define CFG_CLE_IP_PROTOCOL0_SET(dst, val)      xgene_set_bits(dst, val, 16, 2)
+#define CFG_CLE_IP_HDR_LEN_SET(dst, val)        xgene_set_bits(dst, val, 8, 5)
 #define CFG_CLE_DSTQID0_SET(dst, val)           xgene_set_bits(dst, val, 0, 12)
 #define CFG_CLE_FPSEL0_SET(dst, val)            xgene_set_bits(dst, val, 16, 4)
 #define CFG_MACMODE_SET(dst, val)               xgene_set_bits(dst, val, 18, 2)
diff --git a/drivers/net/ethernet/arc/emac_main.c b/drivers/net/ethernet/arc/emac_main.c
index abe1eabc0171..9cc5daed13ed 100644
--- a/drivers/net/ethernet/arc/emac_main.c
+++ b/drivers/net/ethernet/arc/emac_main.c
@@ -250,39 +250,48 @@ static int arc_emac_rx(struct net_device *ndev, int budget)
                        continue;
                }
-                pktlen = info & LEN_MASK;
+                /* Prepare the BD for next cycle. netif_receive_skb()
-                stats->rx_packets++;
+                 * only if new skb was allocated and mapped to avoid holes
-                stats->rx_bytes += pktlen;
+                 * in the RX fifo.
-                skb = rx_buff->skb;
+                 */
-                skb_put(skb, pktlen);
+                skb = netdev_alloc_skb_ip_align(ndev, EMAC_BUFFER_SIZE);
-                skb->dev = ndev;
+                if (unlikely(!skb)) {
-                skb->protocol = eth_type_trans(skb, ndev);
+                        if (net_ratelimit())
+                                netdev_err(ndev, "cannot allocate skb\n");
-                dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr),
+                        /* Return ownership to EMAC */
-                                 dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE);
+                        rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE);
-                /* Prepare the BD for next cycle */
-                rx_buff->skb = netdev_alloc_skb_ip_align(ndev,
-                                                         EMAC_BUFFER_SIZE);
-                if (unlikely(!rx_buff->skb)) {
                        stats->rx_errors++;
-                        /* Because receive_skb is below, increment rx_dropped */
                        stats->rx_dropped++;
                        continue;
                }
-                /* receive_skb only if new skb was allocated to avoid holes */
+                addr = dma_map_single(&ndev->dev, (void *)skb->data,
-                netif_receive_skb(skb);
-                addr = dma_map_single(&ndev->dev, (void *)rx_buff->skb->data,
                                      EMAC_BUFFER_SIZE, DMA_FROM_DEVICE);
                if (dma_mapping_error(&ndev->dev, addr)) {
                        if (net_ratelimit())
-                                netdev_err(ndev, "cannot dma map\n");
+                                netdev_err(ndev, "cannot map dma buffer\n");
-                        dev_kfree_skb(rx_buff->skb);
+                        dev_kfree_skb(skb);
+                        /* Return ownership to EMAC */
+                        rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE);
                        stats->rx_errors++;
+                        stats->rx_dropped++;
                        continue;
                }
+                /* unmap previosly mapped skb */
+                dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr),
+                                 dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE);
+                pktlen = info & LEN_MASK;
+                stats->rx_packets++;
+                stats->rx_bytes += pktlen;
+                skb_put(rx_buff->skb, pktlen);
+                rx_buff->skb->dev = ndev;
+                rx_buff->skb->protocol = eth_type_trans(rx_buff->skb, ndev);
+                netif_receive_skb(rx_buff->skb);
+                rx_buff->skb = skb;
                dma_unmap_addr_set(rx_buff, addr, addr);
                dma_unmap_len_set(rx_buff, len, EMAC_BUFFER_SIZE);
diff --git a/drivers/net/ethernet/arc/emac_rockchip.c b/drivers/net/ethernet/arc/emac_rockchip.c
index c31c7407b753..425dae560322 100644
--- a/drivers/net/ethernet/arc/emac_rockchip.c
+++ b/drivers/net/ethernet/arc/emac_rockchip.c
@@ -150,8 +150,10 @@ static int emac_rockchip_probe(struct platform_device *pdev)
        /* Optional regulator for PHY */
        priv->regulator = devm_regulator_get_optional(dev, "phy");
        if (IS_ERR(priv->regulator)) {
-                if (PTR_ERR(priv->regulator) == -EPROBE_DEFER)
+                if (PTR_ERR(priv->regulator) == -EPROBE_DEFER) {
-                        return -EPROBE_DEFER;
+                        err = -EPROBE_DEFER;
+                        goto out_clk_disable;
+                }
                dev_err(dev, "no regulator found\n");
                priv->regulator = NULL;
        }
diff --git a/drivers/net/ethernet/broadcom/bcm63xx_enet.c b/drivers/net/ethernet/broadcom/bcm63xx_enet.c
index 8b1929e9f698..ec5834087e4b 100644
--- a/drivers/net/ethernet/broadcom/bcm63xx_enet.c
+++ b/drivers/net/ethernet/broadcom/bcm63xx_enet.c
@@ -1063,7 +1063,8 @@ static int bcm_enet_open(struct net_device *dev)
        val = enet_readl(priv, ENET_CTL_REG);
        val |= ENET_CTL_ENABLE_MASK;
        enet_writel(priv, val, ENET_CTL_REG);
-        enet_dma_writel(priv, ENETDMA_CFG_EN_MASK, ENETDMA_CFG_REG);
+        if (priv->dma_has_sram)
+                enet_dma_writel(priv, ENETDMA_CFG_EN_MASK, ENETDMA_CFG_REG);
        enet_dmac_writel(priv, priv->dma_chan_en_mask,
                         ENETDMAC_CHANCFG, priv->rx_chan);
@@ -1787,7 +1788,9 @@ static int bcm_enet_probe(struct platform_device *pdev)
                ret = PTR_ERR(priv->mac_clk);
                goto out;
        }
-        clk_prepare_enable(priv->mac_clk);
+        ret = clk_prepare_enable(priv->mac_clk);
+        if (ret)
+                goto out_put_clk_mac;
        /* initialize default and fetch platform data */
        priv->rx_ring_size = BCMENET_DEF_RX_DESC;
@@ -1819,9 +1822,11 @@ static int bcm_enet_probe(struct platform_device *pdev)
                if (IS_ERR(priv->phy_clk)) {
                        ret = PTR_ERR(priv->phy_clk);
                        priv->phy_clk = NULL;
-                        goto out_put_clk_mac;
+                        goto out_disable_clk_mac;
                }
-                clk_prepare_enable(priv->phy_clk);
+                ret = clk_prepare_enable(priv->phy_clk);
+                if (ret)
+                        goto out_put_clk_phy;
        }
        /* do minimal hardware init to be able to probe mii bus */
@@ -1921,13 +1926,16 @@ out_free_mdio:
 out_uninit_hw:
        /* turn off mdc clock */
        enet_writel(priv, 0, ENET_MIISC_REG);
-        if (priv->phy_clk) {
+        if (priv->phy_clk)
                clk_disable_unprepare(priv->phy_clk);
+out_put_clk_phy:
+        if (priv->phy_clk)
                clk_put(priv->phy_clk);
-        }
-out_put_clk_mac:
+out_disable_clk_mac:
        clk_disable_unprepare(priv->mac_clk);
+out_put_clk_mac:
        clk_put(priv->mac_clk);
 out:
        free_netdev(dev);
@@ -2772,7 +2780,9 @@ static int bcm_enetsw_probe(struct platform_device *pdev)
                ret = PTR_ERR(priv->mac_clk);
                goto out_unmap;
        }
-        clk_enable(priv->mac_clk);
+        ret = clk_prepare_enable(priv->mac_clk);
+        if (ret)
+                goto out_put_clk;
        priv->rx_chan = 0;
        priv->tx_chan = 1;
@@ -2793,7 +2803,7 @@ static int bcm_enetsw_probe(struct platform_device *pdev)
        ret = register_netdev(dev);
        if (ret)
-                goto out_put_clk;
+                goto out_disable_clk;
        netif_carrier_off(dev);
        platform_set_drvdata(pdev, dev);
@@ -2802,6 +2812,9 @@ static int bcm_enetsw_probe(struct platform_device *pdev)
        return 0;
+out_disable_clk:
+        clk_disable_unprepare(priv->mac_clk);
 out_put_clk:
        clk_put(priv->mac_clk);
@@ -2833,6 +2846,9 @@ static int bcm_enetsw_remove(struct platform_device *pdev)
        res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
        release_mem_region(res->start, resource_size(res));
+        clk_disable_unprepare(priv->mac_clk);
+        clk_put(priv->mac_clk);
        free_netdev(dev);
        return 0;
 }
diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
index 027705117086..af9ec57bbebf 100644
--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -729,37 +729,33 @@ static unsigned int __bcm_sysport_tx_reclaim(struct bcm_sysport_priv *priv,
                                             struct bcm_sysport_tx_ring *ring)
 {
        struct net_device *ndev = priv->netdev;
-        unsigned int c_index, last_c_index, last_tx_cn, num_tx_cbs;
        unsigned int pkts_compl = 0, bytes_compl = 0;
+        unsigned int txbds_processed = 0;
        struct bcm_sysport_cb *cb;
+        unsigned int txbds_ready;
+        unsigned int c_index;
        u32 hw_ind;
        /* Compute how many descriptors have been processed since last call */
        hw_ind = tdma_readl(priv, TDMA_DESC_RING_PROD_CONS_INDEX(ring->index));
        c_index = (hw_ind >> RING_CONS_INDEX_SHIFT) & RING_CONS_INDEX_MASK;
-        ring->p_index = (hw_ind & RING_PROD_INDEX_MASK);
+        txbds_ready = (c_index - ring->c_index) & RING_CONS_INDEX_MASK;
-        last_c_index = ring->c_index;
-        num_tx_cbs = ring->size;
-        c_index &= (num_tx_cbs - 1);
-        if (c_index >= last_c_index)
-                last_tx_cn = c_index - last_c_index;
-        else
-                last_tx_cn = num_tx_cbs - last_c_index + c_index;
        netif_dbg(priv, tx_done, ndev,
-                  "ring=%d c_index=%d last_tx_cn=%d last_c_index=%d\n",
+                  "ring=%d old_c_index=%u c_index=%u txbds_ready=%u\n",
-                  ring->index, c_index, last_tx_cn, last_c_index);
+                  ring->index, ring->c_index, c_index, txbds_ready);
-        while (last_tx_cn-- > 0) {
+        while (txbds_processed < txbds_ready) {
-                cb = ring->cbs + last_c_index;
+                cb = &ring->cbs[ring->clean_index];
                bcm_sysport_tx_reclaim_one(priv, cb, &bytes_compl, &pkts_compl);
                ring->desc_count++;
-                last_c_index++;
+                txbds_processed++;
-                last_c_index &= (num_tx_cbs - 1);
+                if (likely(ring->clean_index < ring->size - 1))
+                        ring->clean_index++;
+                else
+                        ring->clean_index = 0;
        }
        ring->c_index = c_index;
@@ -1229,6 +1225,7 @@ static int bcm_sysport_init_tx_ring(struct bcm_sysport_priv *priv,
        netif_napi_add(priv->netdev, &ring->napi, bcm_sysport_tx_poll, 64);
        ring->index = index;
        ring->size = size;
+        ring->clean_index = 0;
        ring->alloc_size = ring->size;
        ring->desc_cpu = p;
        ring->desc_count = ring->size;
diff --git a/drivers/net/ethernet/broadcom/bcmsysport.h b/drivers/net/ethernet/broadcom/bcmsysport.h
index f28bf545d7f4..8ace6ecb5f79 100644
--- a/drivers/net/ethernet/broadcom/bcmsysport.h
+++ b/drivers/net/ethernet/broadcom/bcmsysport.h
@@ -638,7 +638,7 @@ struct bcm_sysport_tx_ring {
        unsigned int    desc_count;     /* Number of descriptors */
        unsigned int    curr_desc;      /* Current descriptor */
        unsigned int    c_index;        /* Last consumer index */
-        unsigned int    p_index;        /* Current producer index */
+        unsigned int    clean_index;    /* Current clean index */
        struct bcm_sysport_cb *cbs;     /* Transmit control blocks */
        struct dma_desc *desc_cpu;      /* CPU view of the descriptor */
        struct bcm_sysport_priv *priv;  /* private context backpointer */
diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c
index a5e4b4b93d1b..ec3766264408 100644
--- a/drivers/net/ethernet/broadcom/bgmac.c
+++ b/drivers/net/ethernet/broadcom/bgmac.c
@@ -531,7 +531,8 @@ static void bgmac_dma_tx_ring_free(struct bgmac *bgmac,
        int i;
        for (i = 0; i < BGMAC_TX_RING_SLOTS; i++) {
-                int len = dma_desc[i].ctl1 & BGMAC_DESC_CTL1_LEN;
+                u32 ctl1 = le32_to_cpu(dma_desc[i].ctl1);
+                unsigned int len = ctl1 & BGMAC_DESC_CTL1_LEN;
                slot = &ring->slots[i];
                dev_kfree_skb(slot->skb);
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index e5911ccb2148..949a82458a29 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -2044,6 +2044,7 @@ static void bnx2x_set_rx_buf_size(struct bnx2x *bp)
                                  ETH_OVREHEAD +
                                  mtu +
                                  BNX2X_FW_RX_ALIGN_END;
+                fp->rx_buf_size = SKB_DATA_ALIGN(fp->rx_buf_size);
                /* Note : rx_buf_size doesn't take into account NET_SKB_PAD */
                if (fp->rx_buf_size + NET_SKB_PAD <= PAGE_SIZE)
                        fp->rx_frag_size = fp->rx_buf_size + NET_SKB_PAD;
@@ -3052,7 +3053,7 @@ int bnx2x_nic_unload(struct bnx2x *bp, int unload_mode, bool keep_link)
        del_timer_sync(&bp->timer);
-        if (IS_PF(bp)) {
+        if (IS_PF(bp) && !BP_NOMCP(bp)) {
                /* Set ALWAYS_ALIVE bit in shmem */
                bp->fw_drv_pulse_wr_seq |= DRV_PULSE_ALWAYS_ALIVE;
                bnx2x_drv_pulse(bp);
@@ -3134,7 +3135,7 @@ int bnx2x_nic_unload(struct bnx2x *bp, int unload_mode, bool keep_link)
        bp->cnic_loaded = false;
        /* Clear driver version indication in shmem */
-        if (IS_PF(bp))
+        if (IS_PF(bp) && !BP_NOMCP(bp))
                bnx2x_update_mng_version(bp);
        /* Check if there are pending parity attentions. If there are - set
@@ -3942,15 +3943,26 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
                /* when transmitting in a vf, start bd must hold the ethertype
                 * for fw to enforce it
                 */
+                u16 vlan_tci = 0;
 #ifndef BNX2X_STOP_ON_ERROR
-                if (IS_VF(bp))
+                if (IS_VF(bp)) {
 #endif
-                        tx_start_bd->vlan_or_ethertype =
+                        /* Still need to consider inband vlan for enforced */
-                                cpu_to_le16(ntohs(eth->h_proto));
+                        if (__vlan_get_tag(skb, &vlan_tci)) {
+                                tx_start_bd->vlan_or_ethertype =
+                                        cpu_to_le16(ntohs(eth->h_proto));
+                        } else {
+                                tx_start_bd->bd_flags.as_bitfield |=
+                                        (X_ETH_INBAND_VLAN <<
+                                         ETH_TX_BD_FLAGS_VLAN_MODE_SHIFT);
+                                tx_start_bd->vlan_or_ethertype =
+                                        cpu_to_le16(vlan_tci);
+                        }
 #ifndef BNX2X_STOP_ON_ERROR
-                else
+                } else {
                        /* used by FW for packet accounting */
                        tx_start_bd->vlan_or_ethertype = cpu_to_le16(pkt_prod);
+                }
 #endif
        }
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
index d946bba43726..87534c6efd66 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
@@ -594,7 +594,7 @@ static void bnx2x_ets_e3b0_nig_disabled(const struct link_params *params,
         * slots for the highest priority.
         */
        REG_WR(bp, (port) ? NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS :
-                   NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
+                   NIG_REG_P0_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
        /* Mapping between the CREDIT_WEIGHT registers and actual client
         * numbers
         */
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
index abb3ff6498dc..8ddb68a3fdb6 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -9570,6 +9570,15 @@ static int bnx2x_init_shmem(struct bnx2x *bp)
        do {
                bp->common.shmem_base = REG_RD(bp, MISC_REG_SHARED_MEM_ADDR);
+                /* If we read all 0xFFs, means we are in PCI error state and
+                 * should bail out to avoid crashes on adapter's FW reads.
+                 */
+                if (bp->common.shmem_base == 0xFFFFFFFF) {
+                        bp->flags |= NO_MCP_FLAG;
+                        return -ENODEV;
+                }
                if (bp->common.shmem_base) {
                        val = SHMEM_RD(bp, validity_map[BP_PORT(bp)]);
                        if (val & SHR_MEM_VALIDITY_MB)
@@ -14214,7 +14223,10 @@ static pci_ers_result_t bnx2x_io_slot_reset(struct pci_dev *pdev)
                BNX2X_ERR("IO slot reset --> driver unload\n");
                /* MCP should have been reset; Need to wait for validity */
-                bnx2x_init_shmem(bp);
+                if (bnx2x_init_shmem(bp)) {
+                        rtnl_unlock();
+                        return PCI_ERS_RESULT_DISCONNECT;
+                }
                if (IS_PF(bp) && SHMEM2_HAS(bp, drv_capabilities_flag)) {
                        u32 v;
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index a38a9cb3d544..9904d768a20a 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -2925,6 +2925,9 @@ static int bnxt_hwrm_vnic_set_tpa(struct bnxt *bp, u16 vnic_id, u32 tpa_flags)
        struct bnxt_vnic_info *vnic = &bp->vnic_info[vnic_id];
        struct hwrm_vnic_tpa_cfg_input req = {0};
+        if (vnic->fw_vnic_id == INVALID_HW_RING_ID)
+                return 0;
        bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_VNIC_TPA_CFG, -1, -1);
        if (tpa_flags) {
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
index ea044bbcd384..3eebb57975e3 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
@@ -29,7 +29,7 @@ static int bnxt_vf_ndo_prep(struct bnxt *bp, int vf_id)
                netdev_err(bp->dev, "vf ndo called though sriov is disabled\n");
                return -EINVAL;
        }
-        if (vf_id >= bp->pf.max_vfs) {
+        if (vf_id >= bp->pf.active_vfs) {
                netdev_err(bp->dev, "Invalid VF id %d\n", vf_id);
                return -EINVAL;
        }
diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
index ab53e0cfb4dc..ce3a56bea6e6 100644
--- a/drivers/net/ethernet/broadcom/tg3.c
+++ b/drivers/net/ethernet/broadcom/tg3.c
@@ -8722,14 +8722,15 @@ static void tg3_free_consistent(struct tg3 *tp)
        tg3_mem_rx_release(tp);
        tg3_mem_tx_release(tp);
-        /* Protect tg3_get_stats64() from reading freed tp->hw_stats. */
+        /* tp->hw_stats can be referenced safely:
-        tg3_full_lock(tp, 0);
+         *     1. under rtnl_lock
+         *     2. or under tp->lock if TG3_FLAG_INIT_COMPLETE is set.
+         */
        if (tp->hw_stats) {
                dma_free_coherent(&tp->pdev->dev, sizeof(struct tg3_hw_stats),
                                  tp->hw_stats, tp->stats_mapping);
                tp->hw_stats = NULL;
        }
-        tg3_full_unlock(tp);
 }
 /*
@@ -9277,6 +9278,15 @@ static int tg3_chip_reset(struct tg3 *tp)
        tg3_restore_clk(tp);
+        /* Increase the core clock speed to fix tx timeout issue for 5762
+         * with 100Mbps link speed.
+         */
+        if (tg3_asic_rev(tp) == ASIC_REV_5762) {
+                val = tr32(TG3_CPMU_CLCK_ORIDE_ENABLE);
+                tw32(TG3_CPMU_CLCK_ORIDE_ENABLE, val |
+                     TG3_CPMU_MAC_ORIDE_ENABLE);
+        }
        /* Reprobe ASF enable state.  */
        tg3_flag_clear(tp, ENABLE_ASF);
        tp->phy_flags &= ~(TG3_PHYFLG_1G_ON_VAUX_OK |
@@ -10051,6 +10061,16 @@ static int tg3_reset_hw(struct tg3 *tp, bool reset_phy)
        tw32(GRC_MODE, tp->grc_mode | val);
+        /* On one of the AMD platform, MRRS is restricted to 4000 because of
+         * south bridge limitation. As a workaround, Driver is setting MRRS
+         * to 2048 instead of default 4096.
+         */
+        if (tp->pdev->subsystem_vendor == PCI_VENDOR_ID_DELL &&
+            tp->pdev->subsystem_device == TG3PCI_SUBDEVICE_ID_DELL_5762) {
+                val = tr32(TG3PCI_DEV_STATUS_CTRL) & ~MAX_READ_REQ_MASK;
+                tw32(TG3PCI_DEV_STATUS_CTRL, val | MAX_READ_REQ_SIZE_2048);
+        }
        /* Setup the timer prescalar register.  Clock is always 66Mhz. */
        val = tr32(GRC_MISC_CFG);
        val &= ~0xff;
@@ -14153,7 +14173,7 @@ static struct rtnl_link_stats64 *tg3_get_stats64(struct net_device *dev,
        struct tg3 *tp = netdev_priv(dev);
        spin_lock_bh(&tp->lock);
-        if (!tp->hw_stats) {
+        if (!tp->hw_stats || !tg3_flag(tp, INIT_COMPLETE)) {
                *stats = tp->net_stats_prev;
                spin_unlock_bh(&tp->lock);
                return stats;
@@ -14230,7 +14250,8 @@ static int tg3_change_mtu(struct net_device *dev, int new_mtu)
         */
        if (tg3_asic_rev(tp) == ASIC_REV_57766 ||
            tg3_asic_rev(tp) == ASIC_REV_5717 ||
-            tg3_asic_rev(tp) == ASIC_REV_5719)
+            tg3_asic_rev(tp) == ASIC_REV_5719 ||
+            tg3_asic_rev(tp) == ASIC_REV_5720)
                reset_phy = true;
        err = tg3_restart_hw(tp, reset_phy);
diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
index 31c9f8295953..19532961e173 100644
--- a/drivers/net/ethernet/broadcom/tg3.h
+++ b/drivers/net/ethernet/broadcom/tg3.h
@@ -95,6 +95,7 @@
 #define TG3PCI_SUBDEVICE_ID_DELL_JAGUAR         0x0106
 #define TG3PCI_SUBDEVICE_ID_DELL_MERLOT         0x0109
 #define TG3PCI_SUBDEVICE_ID_DELL_SLIM_MERLOT    0x010a
+#define TG3PCI_SUBDEVICE_ID_DELL_5762           0x07f0
 #define TG3PCI_SUBVENDOR_ID_COMPAQ              PCI_VENDOR_ID_COMPAQ
 #define TG3PCI_SUBDEVICE_ID_COMPAQ_BANSHEE      0x007c
 #define TG3PCI_SUBDEVICE_ID_COMPAQ_BANSHEE_2    0x009a
@@ -280,6 +281,9 @@
 #define TG3PCI_STD_RING_PROD_IDX        0x00000098 /* 64-bit */
 #define TG3PCI_RCV_RET_RING_CON_IDX     0x000000a0 /* 64-bit */
 /* 0xa8 --> 0xb8 unused */
+#define TG3PCI_DEV_STATUS_CTRL          0x000000b4
+#define  MAX_READ_REQ_SIZE_2048          0x00004000
+#define  MAX_READ_REQ_MASK               0x00007000
 #define TG3PCI_DUAL_MAC_CTRL            0x000000b8
 #define  DUAL_MAC_CTRL_CH_MASK           0x00000003
 #define  DUAL_MAC_CTRL_ID                0x00000004
diff --git a/drivers/net/ethernet/brocade/bna/bfa_ioc.c b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
index 0f6811860ad5..a36e38676640 100644
--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c
+++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
@@ -2845,7 +2845,7 @@ bfa_ioc_get_adapter_optrom_ver(struct bfa_ioc *ioc, char *optrom_ver)
 static void
 bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer)
 {
-        memcpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
+        strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
 }
 static void
diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
index cc1725616f9d..50747573f42e 100644
--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
+++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
@@ -2823,7 +2823,7 @@ static int liquidio_xmit(struct sk_buff *skb, struct net_device *netdev)
                if (!g) {
                        netif_info(lio, tx_err, lio->netdev,
                                   "Transmit scatter gather: glist null!\n");
-                        goto lio_xmit_dma_failed;
+                        goto lio_xmit_failed;
                }
                cmdsetup.s.gather = 1;
diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
index 8f7aa53a4c4b..7ae8374bff13 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
@@ -50,6 +50,7 @@
 #include <linux/stringify.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
+#include <linux/nospec.h>
 #include <asm/uaccess.h>
 #include "common.h"
@@ -2256,6 +2257,7 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
                if (t.qset_idx >= nqsets)
                        return -EINVAL;
+                t.qset_idx = array_index_nospec(t.qset_idx, nqsets);
                q = &adapter->params.sge.qset[q1 + t.qset_idx];
                t.rspq_size = q->rspq_size;
diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
index cf61a5869c6e..de23f23b41de 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
@@ -6076,13 +6076,18 @@ int t4_fw_upgrade(struct adapter *adap, unsigned int mbox,
        if (!t4_fw_matches_chip(adap, fw_hdr))
                return -EINVAL;
+        /* Disable FW_OK flag so that mbox commands with FW_OK flag set
+         * wont be sent when we are flashing FW.
+         */
+        adap->flags &= ~FW_OK;
        ret = t4_fw_halt(adap, mbox, force);
        if (ret < 0 && !force)
-                return ret;
+                goto out;
        ret = t4_load_fw(adap, fw_data, size);
        if (ret < 0)
-                return ret;
+                goto out;
        /*
         * Older versions of the firmware don't understand the new
@@ -6093,7 +6098,17 @@ int t4_fw_upgrade(struct adapter *adap, unsigned int mbox,
         * its header flags to see if it advertises the capability.
         */
        reset = ((be32_to_cpu(fw_hdr->flags) & FW_HDR_FLAGS_RESET_HALT) == 0);
-        return t4_fw_restart(adap, mbox, reset);
+        ret = t4_fw_restart(adap, mbox, reset);
+        /* Grab potentially new Firmware Device Log parameters so we can see
+         * how healthy the new Firmware is.  It's okay to contact the new
+         * Firmware for these parameters even though, as far as it's
+         * concerned, we've never said "HELLO" to it ...
+         */
+        (void)t4_init_devlog_params(adap);
+out:
+        adap->flags |= FW_OK;
+        return ret;
 }
 /**
@@ -7696,7 +7711,16 @@ int t4_cim_read_la(struct adapter *adap, u32 *la_buf, unsigned int *wrptr)
                ret = t4_cim_read(adap, UP_UP_DBG_LA_DATA_A, 1, &la_buf[i]);
                if (ret)
                        break;
-                idx = (idx + 1) & UPDBGLARDPTR_M;
+                /* Bits 0-3 of UpDbgLaRdPtr can be between 0000 to 1001 to
+                 * identify the 32-bit portion of the full 312-bit data
+                 */
+                if (is_t6(adap->params.chip) && (idx & 0xf) >= 9)
+                        idx = (idx & 0xff0) + 0x10;
+                else
+                        idx++;
+                /* address can't exceed 0xfff */
+                idx &= UPDBGLARDPTR_M;
        }
 restart:
        if (cfg & UPDBGLAEN_F) {
diff --git a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
index fa3786a9d30e..ec8ffd7eae33 100644
--- a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
+++ b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
@@ -2604,8 +2604,8 @@ void t4vf_sge_stop(struct adapter *adapter)
 int t4vf_sge_init(struct adapter *adapter)
 {
        struct sge_params *sge_params = &adapter->params.sge;
-        u32 fl0 = sge_params->sge_fl_buffer_size[0];
+        u32 fl_small_pg = sge_params->sge_fl_buffer_size[0];
-        u32 fl1 = sge_params->sge_fl_buffer_size[1];
+        u32 fl_large_pg = sge_params->sge_fl_buffer_size[1];
        struct sge *s = &adapter->sge;
        unsigned int ingpadboundary, ingpackboundary;
@@ -2614,9 +2614,20 @@ int t4vf_sge_init(struct adapter *adapter)
         * the Physical Function Driver.  Ideally we should be able to deal
         * with _any_ configuration.  Practice is different ...
         */
-        if (fl0 != PAGE_SIZE || (fl1 != 0 && fl1 <= fl0)) {
+        /* We only bother using the Large Page logic if the Large Page Buffer
+         * is larger than our Page Size Buffer.
+         */
+        if (fl_large_pg <= fl_small_pg)
+                fl_large_pg = 0;
+        /* The Page Size Buffer must be exactly equal to our Page Size and the
+         * Large Page Size Buffer should be 0 (per above) or a power of 2.
+         */
+        if (fl_small_pg != PAGE_SIZE ||
+            (fl_large_pg & (fl_large_pg - 1)) != 0) {
                dev_err(adapter->pdev_dev, "bad SGE FL buffer sizes [%d, %d]\n",
-                        fl0, fl1);
+                        fl_small_pg, fl_large_pg);
                return -EINVAL;
        }
        if ((sge_params->sge_control & RXPKTCPLMODE_F) == 0) {
@@ -2627,8 +2638,8 @@ int t4vf_sge_init(struct adapter *adapter)
        /*
         * Now translate the adapter parameters into our internal forms.
         */
-        if (fl1)
+        if (fl_large_pg)
-                s->fl_pg_order = ilog2(fl1) - PAGE_SHIFT;
+                s->fl_pg_order = ilog2(fl_large_pg) - PAGE_SHIFT;
        s->stat_len = ((sge_params->sge_control & EGRSTATUSPAGESIZE_F)
                        ? 128 : 64);
        s->pktshift = PKTSHIFT_G(sge_params->sge_control);
diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
index b36643ef0593..029fa5bee520 100644
--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -1726,6 +1726,8 @@ static int enic_open(struct net_device *netdev)
        }
        for (i = 0; i < enic->rq_count; i++) {
+                /* enable rq before updating rq desc */
+                vnic_rq_enable(&enic->rq[i]);
                vnic_rq_fill(&enic->rq[i], enic_rq_alloc_buf);
                /* Need at least one buffer on ring to get going */
                if (vnic_rq_desc_used(&enic->rq[i]) == 0) {
@@ -1737,8 +1739,6 @@ static int enic_open(struct net_device *netdev)
        for (i = 0; i < enic->wq_count; i++)
                vnic_wq_enable(&enic->wq[i]);
-        for (i = 0; i < enic->rq_count; i++)
-                vnic_rq_enable(&enic->rq[i]);
        if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic))
                enic_dev_add_station_addr(enic);
@@ -1765,8 +1765,12 @@ static int enic_open(struct net_device *netdev)
        return 0;
 err_out_free_rq:
-        for (i = 0; i < enic->rq_count; i++)
+        for (i = 0; i < enic->rq_count; i++) {
+                err = vnic_rq_disable(&enic->rq[i]);
+                if (err)
+                        return err;
                vnic_rq_clean(&enic->rq[i], enic_free_rq_buf);
+        }
        enic_dev_notify_unset(enic);
 err_out_free_intr:
        enic_unset_affinity_hint(enic);
@@ -2539,11 +2543,11 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
        pci_set_master(pdev);
        /* Query PCI controller on system for DMA addressing
-         * limitation for the device.  Try 64-bit first, and
+         * limitation for the device.  Try 47-bit first, and
         * fail to 32-bit.
         */
-        err = pci_set_dma_mask(pdev, DMA_BIT_MASK(64));
+        err = pci_set_dma_mask(pdev, DMA_BIT_MASK(47));
        if (err) {
                err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32));
                if (err) {
@@ -2557,10 +2561,10 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
                        goto err_out_release_regions;
                }
        } else {
-                err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64));
+                err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(47));
                if (err) {
                        dev_err(dev, "Unable to obtain %u-bit DMA "
-                                "for consistent allocations, aborting\n", 64);
+                                "for consistent allocations, aborting\n", 47);
                        goto err_out_release_regions;
                }
                using_dac = 1;
diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
index 8966f3159bb2..3acde3b9b767 100644
--- a/drivers/net/ethernet/dec/tulip/de4x5.c
+++ b/drivers/net/ethernet/dec/tulip/de4x5.c
@@ -1990,7 +1990,7 @@ SetMulticastFilter(struct net_device *dev)
 static u_char de4x5_irq[] = EISA_ALLOWED_IRQ_LIST;
-static int __init de4x5_eisa_probe (struct device *gendev)
+static int de4x5_eisa_probe(struct device *gendev)
 {
        struct eisa_device *edev;
        u_long iobase;
diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c
index 6d0c5d5eea6d..58c0fccdd8cb 100644
--- a/drivers/net/ethernet/faraday/ftgmac100.c
+++ b/drivers/net/ethernet/faraday/ftgmac100.c
@@ -28,6 +28,7 @@
 #include <linux/io.h>
 #include <linux/module.h>
 #include <linux/netdevice.h>
+#include <linux/of.h>
 #include <linux/phy.h>
 #include <linux/platform_device.h>
 #include <net/ip.h>
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 458e2d97d096..ae8e4fc22e7b 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -3539,6 +3539,8 @@ fec_drv_remove(struct platform_device *pdev)
        fec_enet_mii_remove(fep);
        if (fep->reg_phy)
                regulator_disable(fep->reg_phy);
+        pm_runtime_put(&pdev->dev);
+        pm_runtime_disable(&pdev->dev);
        of_node_put(fep->phy_node);
        free_netdev(ndev);
diff --git a/drivers/net/ethernet/freescale/fsl_pq_mdio.c b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
index 40071dad1c57..9c76f1a2f57b 100644
--- a/drivers/net/ethernet/freescale/fsl_pq_mdio.c
+++ b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
@@ -382,7 +382,7 @@ static int fsl_pq_mdio_probe(struct platform_device *pdev)
 {
        const struct of_device_id *id =
                of_match_device(fsl_pq_mdio_match, &pdev->dev);
-        const struct fsl_pq_mdio_data *data = id->data;
+        const struct fsl_pq_mdio_data *data;
        struct device_node *np = pdev->dev.of_node;
        struct resource res;
        struct device_node *tbi;
@@ -390,6 +390,13 @@ static int fsl_pq_mdio_probe(struct platform_device *pdev)
        struct mii_bus *new_bus;
        int err;
+        if (!id) {
+                dev_err(&pdev->dev, "Failed to match device\n");
+                return -ENODEV;
+        }
+        data = id->data;
        dev_dbg(&pdev->dev, "found %s compatible node\n", id->compatible);
        new_bus = mdiobus_alloc_size(sizeof(*priv));
diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
index 7923bfdc9b30..2d61369f586f 100644
--- a/drivers/net/ethernet/freescale/gianfar.c
+++ b/drivers/net/ethernet/freescale/gianfar.c
@@ -1375,9 +1375,11 @@ static int gfar_probe(struct platform_device *ofdev)
        gfar_init_addr_hash_table(priv);
-        /* Insert receive time stamps into padding alignment bytes */
+        /* Insert receive time stamps into padding alignment bytes, and
+         * plus 2 bytes padding to ensure the cpu alignment.
+         */
        if (priv->device_flags & FSL_GIANFAR_DEV_HAS_TIMER)
-                priv->padding = 8;
+                priv->padding = 8 + DEFAULT_PADDING;
        if (dev->features & NETIF_F_IP_CSUM ||
            priv->device_flags & FSL_GIANFAR_DEV_HAS_TIMER)
@@ -3051,9 +3053,6 @@ static void gfar_process_frame(struct net_device *ndev, struct sk_buff *skb)
        if (ndev->features & NETIF_F_RXCSUM)
                gfar_rx_checksum(skb, fcb);
-        /* Tell the skb what kind of packet this is */
-        skb->protocol = eth_type_trans(skb, ndev);
        /* There's need to check for NETIF_F_HW_VLAN_CTAG_RX here.
         * Even if vlan rx accel is disabled, on some chips
         * RXFCB_VLN is pseudo randomly set.
@@ -3124,13 +3123,15 @@ int gfar_clean_rx_ring(struct gfar_priv_rx_q *rx_queue, int rx_work_limit)
                        continue;
                }
+                gfar_process_frame(ndev, skb);
                /* Increment the number of packets */
                total_pkts++;
                total_bytes += skb->len;
                skb_record_rx_queue(skb, rx_queue->qindex);
-                gfar_process_frame(ndev, skb);
+                skb->protocol = eth_type_trans(skb, ndev);
                /* Send the packet up the stack */
                napi_gro_receive(&rx_queue->grp->napi_rx, skb);
diff --git a/drivers/net/ethernet/freescale/gianfar_ptp.c b/drivers/net/ethernet/freescale/gianfar_ptp.c
index b40fba929d65..d540ee190038 100644
--- a/drivers/net/ethernet/freescale/gianfar_ptp.c
+++ b/drivers/net/ethernet/freescale/gianfar_ptp.c
@@ -314,11 +314,10 @@ static int ptp_gianfar_adjtime(struct ptp_clock_info *ptp, s64 delta)
        now = tmr_cnt_read(etsects);
        now += delta;
        tmr_cnt_write(etsects, now);
+        set_fipers(etsects);
        spin_unlock_irqrestore(&etsects->lock, flags);
-        set_fipers(etsects);
        return 0;
 }
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
index 802d55457f19..b1a27aef4425 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c
@@ -776,7 +776,7 @@ static void hns_xgmac_get_strings(u32 stringset, u8 *data)
 */
 static int hns_xgmac_get_sset_count(int stringset)
 {
-        if (stringset == ETH_SS_STATS)
+        if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS)
                return ARRAY_SIZE(g_xgmac_stats_string);
        return 0;
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
index a0332129970b..4b91eb70c683 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
@@ -1000,8 +1000,10 @@ int hns_get_sset_count(struct net_device *netdev, int stringset)
                        cnt--;
                return cnt;
-        } else {
+        } else if (stringset == ETH_SS_STATS) {
                return (HNS_NET_STATS_CNT + ops->get_sset_count(h, stringset));
+        } else {
+                return -EOPNOTSUPP;
        }
 }
diff --git a/drivers/net/ethernet/hp/hp100.c b/drivers/net/ethernet/hp/hp100.c
index ae6e30d39f0f..3daf2d4a7ca0 100644
--- a/drivers/net/ethernet/hp/hp100.c
+++ b/drivers/net/ethernet/hp/hp100.c
@@ -194,7 +194,6 @@ static const char *hp100_isa_tbl[] = {
 };
 #endif
-#ifdef CONFIG_EISA
 static struct eisa_device_id hp100_eisa_tbl[] = {
        { "HWPF180" }, /* HP J2577 rev A */
        { "HWP1920" }, /* HP 27248B */
@@ -205,9 +204,7 @@ static struct eisa_device_id hp100_eisa_tbl[] = {
        { "" }         /* Mandatory final entry ! */
 };
 MODULE_DEVICE_TABLE(eisa, hp100_eisa_tbl);
-#endif
-#ifdef CONFIG_PCI
 static const struct pci_device_id hp100_pci_tbl[] = {
        {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_J2585A, PCI_ANY_ID, PCI_ANY_ID,},
        {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_J2585B, PCI_ANY_ID, PCI_ANY_ID,},
@@ -219,7 +216,6 @@ static const struct pci_device_id hp100_pci_tbl[] = {
        {}                      /* Terminating entry */
 };
 MODULE_DEVICE_TABLE(pci, hp100_pci_tbl);
-#endif
 static int hp100_rx_ratio = HP100_DEFAULT_RX_RATIO;
 static int hp100_priority_tx = HP100_DEFAULT_PRIORITY_TX;
@@ -2842,8 +2838,7 @@ static void cleanup_dev(struct net_device *d)
        free_netdev(d);
 }
-#ifdef CONFIG_EISA
+static int hp100_eisa_probe(struct device *gendev)
-static int __init hp100_eisa_probe (struct device *gendev)
 {
        struct net_device *dev = alloc_etherdev(sizeof(struct hp100_private));
        struct eisa_device *edev = to_eisa_device(gendev);
@@ -2884,9 +2879,7 @@ static struct eisa_driver hp100_eisa_driver = {
                .remove  = hp100_eisa_remove,
        }
 };
-#endif
-#ifdef CONFIG_PCI
 static int hp100_pci_probe(struct pci_dev *pdev,
                           const struct pci_device_id *ent)
 {
@@ -2955,7 +2948,6 @@ static struct pci_driver hp100_pci_driver = {
        .probe          = hp100_pci_probe,
        .remove         = hp100_pci_remove,
 };
-#endif
 /*
 *  module section
@@ -3032,23 +3024,17 @@ static int __init hp100_module_init(void)
        err = hp100_isa_init();
        if (err && err != -ENODEV)
                goto out;
-#ifdef CONFIG_EISA
        err = eisa_driver_register(&hp100_eisa_driver);
        if (err && err != -ENODEV)
                goto out2;
-#endif
-#ifdef CONFIG_PCI
        err = pci_register_driver(&hp100_pci_driver);
        if (err && err != -ENODEV)
                goto out3;
-#endif
 out:
        return err;
 out3:
-#ifdef CONFIG_EISA
        eisa_driver_unregister (&hp100_eisa_driver);
 out2:
-#endif
        hp100_isa_cleanup();
        goto out;
 }
@@ -3057,12 +3043,8 @@ static int __init hp100_module_init(void)
 static void __exit hp100_module_exit(void)
 {
        hp100_isa_cleanup();
-#ifdef CONFIG_EISA
        eisa_driver_unregister (&hp100_eisa_driver);
-#endif
-#ifdef CONFIG_PCI
        pci_unregister_driver (&hp100_pci_driver);
-#endif
 }
 module_init(hp100_module_init)
diff --git a/drivers/net/ethernet/ibm/emac/core.c b/drivers/net/ethernet/ibm/emac/core.c
index 5d7db6c01c46..f301c03c527b 100644
--- a/drivers/net/ethernet/ibm/emac/core.c
+++ b/drivers/net/ethernet/ibm/emac/core.c
@@ -342,6 +342,7 @@ static int emac_reset(struct emac_instance *dev)
 {
        struct emac_regs __iomem *p = dev->emacp;
        int n = 20;
+        bool __maybe_unused try_internal_clock = false;
        DBG(dev, "reset" NL);
@@ -354,6 +355,7 @@ static int emac_reset(struct emac_instance *dev)
        }
 #ifdef CONFIG_PPC_DCR_NATIVE
+do_retry:
        /*
         * PPC460EX/GT Embedded Processor Advanced User's Manual
         * section 28.10.1 Mode Register 0 (EMACx_MR0) states:
@@ -361,10 +363,19 @@ static int emac_reset(struct emac_instance *dev)
         * of the EMAC. If none is present, select the internal clock
         * (SDR0_ETH_CFG[EMACx_PHY_CLK] = 1).
         * After a soft reset, select the external clock.
+         *
+         * The AR8035-A PHY Meraki MR24 does not provide a TX Clk if the
+         * ethernet cable is not attached. This causes the reset to timeout
+         * and the PHY detection code in emac_init_phy() is unable to
+         * communicate and detect the AR8035-A PHY. As a result, the emac
+         * driver bails out early and the user has no ethernet.
+         * In order to stay compatible with existing configurations, the
+         * driver will temporarily switch to the internal clock, after
+         * the first reset fails.
         */
        if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
-                if (dev->phy_address == 0xffffffff &&
+                if (try_internal_clock || (dev->phy_address == 0xffffffff &&
-                    dev->phy_map == 0xffffffff) {
+                                           dev->phy_map == 0xffffffff)) {
                        /* No PHY: select internal loop clock before reset */
                        dcri_clrset(SDR0, SDR0_ETH_CFG,
                                    0, SDR0_ETH_CFG_ECS << dev->cell_index);
@@ -382,8 +393,15 @@ static int emac_reset(struct emac_instance *dev)
 #ifdef CONFIG_PPC_DCR_NATIVE
        if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
-                if (dev->phy_address == 0xffffffff &&
+                if (!n && !try_internal_clock) {
-                    dev->phy_map == 0xffffffff) {
+                        /* first attempt has timed out. */
+                        n = 20;
+                        try_internal_clock = true;
+                        goto do_retry;
+                }
+                if (try_internal_clock || (dev->phy_address == 0xffffffff &&
+                                           dev->phy_map == 0xffffffff)) {
                        /* No PHY: restore external clock source after reset */
                        dcri_clrset(SDR0, SDR0_ETH_CFG,
                                    SDR0_ETH_CFG_ECS << dev->cell_index, 0);
diff --git a/drivers/net/ethernet/intel/e1000/e1000.h b/drivers/net/ethernet/intel/e1000/e1000.h
index 98fe5a2cd6e3..481e994490ce 100644
--- a/drivers/net/ethernet/intel/e1000/e1000.h
+++ b/drivers/net/ethernet/intel/e1000/e1000.h
@@ -331,7 +331,8 @@ struct e1000_adapter {
 enum e1000_state_t {
        __E1000_TESTING,
        __E1000_RESETTING,
-        __E1000_DOWN
+        __E1000_DOWN,
+        __E1000_DISABLED
 };
 #undef pr_fmt
diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
index 068023595d84..2a1d4a9d3c19 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -940,7 +940,7 @@ static int e1000_init_hw_struct(struct e1000_adapter *adapter,
 static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 {
        struct net_device *netdev;
-        struct e1000_adapter *adapter;
+        struct e1000_adapter *adapter = NULL;
        struct e1000_hw *hw;
        static int cards_found = 0;
@@ -950,6 +950,7 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
        u16 tmp = 0;
        u16 eeprom_apme_mask = E1000_EEPROM_APME;
        int bars, need_ioport;
+        bool disable_dev = false;
        /* do not allocate ioport bars when not needed */
        need_ioport = e1000_is_need_ioport(pdev);
@@ -1250,11 +1251,13 @@ err_mdio_ioremap:
        iounmap(hw->ce4100_gbe_mdio_base_virt);
        iounmap(hw->hw_addr);
 err_ioremap:
+        disable_dev = !test_and_set_bit(__E1000_DISABLED, &adapter->flags);
        free_netdev(netdev);
 err_alloc_etherdev:
        pci_release_selected_regions(pdev, bars);
 err_pci_reg:
-        pci_disable_device(pdev);
+        if (!adapter || disable_dev)
+                pci_disable_device(pdev);
        return err;
 }
@@ -1272,6 +1275,7 @@ static void e1000_remove(struct pci_dev *pdev)
        struct net_device *netdev = pci_get_drvdata(pdev);
        struct e1000_adapter *adapter = netdev_priv(netdev);
        struct e1000_hw *hw = &adapter->hw;
+        bool disable_dev;
        e1000_down_and_stop(adapter);
        e1000_release_manageability(adapter);
@@ -1290,9 +1294,11 @@ static void e1000_remove(struct pci_dev *pdev)
                iounmap(hw->flash_address);
        pci_release_selected_regions(pdev, adapter->bars);
+        disable_dev = !test_and_set_bit(__E1000_DISABLED, &adapter->flags);
        free_netdev(netdev);
-        pci_disable_device(pdev);
+        if (disable_dev)
+                pci_disable_device(pdev);
 }
 /**
@@ -5135,7 +5141,8 @@ static int __e1000_shutdown(struct pci_dev *pdev, bool *enable_wake)
        if (netif_running(netdev))
                e1000_free_irq(adapter);
-        pci_disable_device(pdev);
+        if (!test_and_set_bit(__E1000_DISABLED, &adapter->flags))
+                pci_disable_device(pdev);
        return 0;
 }
@@ -5179,6 +5186,10 @@ static int e1000_resume(struct pci_dev *pdev)
                pr_err("Cannot enable PCI device from suspend\n");
                return err;
        }
+        /* flush memory to make sure state is correct */
+        smp_mb__before_atomic();
+        clear_bit(__E1000_DISABLED, &adapter->flags);
        pci_set_master(pdev);
        pci_enable_wake(pdev, PCI_D3hot, 0);
@@ -5253,7 +5264,9 @@ static pci_ers_result_t e1000_io_error_detected(struct pci_dev *pdev,
        if (netif_running(netdev))
                e1000_down(adapter);
-        pci_disable_device(pdev);
+        if (!test_and_set_bit(__E1000_DISABLED, &adapter->flags))
+                pci_disable_device(pdev);
        /* Request a slot slot reset. */
        return PCI_ERS_RESULT_NEED_RESET;
@@ -5281,6 +5294,10 @@ static pci_ers_result_t e1000_io_slot_reset(struct pci_dev *pdev)
                pr_err("Cannot re-enable PCI device after reset.\n");
                return PCI_ERS_RESULT_DISCONNECT;
        }
+        /* flush memory to make sure state is correct */
+        smp_mb__before_atomic();
+        clear_bit(__E1000_DISABLED, &adapter->flags);
        pci_set_master(pdev);
        pci_enable_wake(pdev, PCI_D3hot, 0);
diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
index 1908a38e7f31..485b9cc53f8b 100644
--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
@@ -1574,7 +1574,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
         * we have already determined whether we have link or not.
         */
        if (!mac->autoneg)
-                return -E1000_ERR_CONFIG;
+                return 1;
        /* Auto-Neg is enabled.  Auto Speed Detection takes care
         * of MAC speed/duplex configuration.  So we only need to
diff --git a/drivers/net/ethernet/intel/e1000e/mac.c b/drivers/net/ethernet/intel/e1000e/mac.c
index 645ace74429e..fe133f33a6c6 100644
--- a/drivers/net/ethernet/intel/e1000e/mac.c
+++ b/drivers/net/ethernet/intel/e1000e/mac.c
@@ -450,7 +450,7 @@ s32 e1000e_check_for_copper_link(struct e1000_hw *hw)
         * we have already determined whether we have link or not.
         */
        if (!mac->autoneg)
-                return -E1000_ERR_CONFIG;
+                return 1;
        /* Auto-Neg is enabled.  Auto Speed Detection takes care
         * of MAC speed/duplex configuration.  So we only need to
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index 5205f1ebe381..6369d88b81c1 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -1182,6 +1182,7 @@ static void e1000e_tx_hwtstamp_work(struct work_struct *work)
        struct e1000_hw *hw = &adapter->hw;
        if (er32(TSYNCTXCTL) & E1000_TSYNCTXCTL_VALID) {
+                struct sk_buff *skb = adapter->tx_hwtstamp_skb;
                struct skb_shared_hwtstamps shhwtstamps;
                u64 txstmp;
@@ -1190,9 +1191,14 @@ static void e1000e_tx_hwtstamp_work(struct work_struct *work)
                e1000e_systim_to_hwtstamp(adapter, &shhwtstamps, txstmp);
-                skb_tstamp_tx(adapter->tx_hwtstamp_skb, &shhwtstamps);
+                /* Clear the global tx_hwtstamp_skb pointer and force writes
-                dev_kfree_skb_any(adapter->tx_hwtstamp_skb);
+                 * prior to notifying the stack of a Tx timestamp.
+                 */
                adapter->tx_hwtstamp_skb = NULL;
+                wmb(); /* force write prior to skb_tstamp_tx */
+                skb_tstamp_tx(skb, &shhwtstamps);
+                dev_kfree_skb_any(skb);
        } else if (time_after(jiffies, adapter->tx_hwtstamp_start
                              + adapter->tx_timeout_factor * HZ)) {
                dev_kfree_skb_any(adapter->tx_hwtstamp_skb);
@@ -2324,8 +2330,8 @@ static int e1000_alloc_ring_dma(struct e1000_adapter *adapter,
 {
        struct pci_dev *pdev = adapter->pdev;
-        ring->desc = dma_alloc_coherent(&pdev->dev, ring->size, &ring->dma,
+        ring->desc = dma_zalloc_coherent(&pdev->dev, ring->size, &ring->dma,
-                                        GFP_KERNEL);
+                                         GFP_KERNEL);
        if (!ring->desc)
                return -ENOMEM;
@@ -3526,6 +3532,12 @@ s32 e1000e_get_base_timinca(struct e1000_adapter *adapter, u32 *timinca)
        switch (hw->mac.type) {
        case e1000_pch2lan:
+                /* Stable 96MHz frequency */
+                incperiod = INCPERIOD_96MHz;
+                incvalue = INCVALUE_96MHz;
+                shift = INCVALUE_SHIFT_96MHz;
+                adapter->cc.shift = shift + INCPERIOD_SHIFT_96MHz;
+                break;
        case e1000_pch_lpt:
                if (er32(TSYNCRXCTL) & E1000_TSYNCRXCTL_SYSCFI) {
                        /* Stable 96MHz frequency */
@@ -6583,12 +6595,17 @@ static int e1000e_pm_thaw(struct device *dev)
 static int e1000e_pm_suspend(struct device *dev)
 {
        struct pci_dev *pdev = to_pci_dev(dev);
+        int rc;
        e1000e_flush_lpic(pdev);
        e1000e_pm_freeze(dev);
-        return __e1000_shutdown(pdev, false);
+        rc = __e1000_shutdown(pdev, false);
+        if (rc)
+                e1000e_pm_thaw(dev);
+        return rc;
 }
 static int e1000e_pm_resume(struct device *dev)
diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c b/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c
index 2ce0eba5e040..38431b49020f 100644
--- a/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c
+++ b/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c
@@ -983,7 +983,7 @@ static void fm10k_self_test(struct net_device *dev,
        memset(data, 0, sizeof(*data) * FM10K_TEST_LEN);
-        if (FM10K_REMOVED(hw)) {
+        if (FM10K_REMOVED(hw->hw_addr)) {
                netif_err(interface, drv, dev,
                          "Interface removed - test blocked\n");
                eth_test->flags |= ETH_TEST_FL_FAILED;
diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
index 488a50d59dca..3da1f206ff84 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
@@ -1073,6 +1073,11 @@ static int i40e_get_eeprom_len(struct net_device *netdev)
        struct i40e_hw *hw = &np->vsi->back->hw;
        u32 val;
+#define X722_EEPROM_SCOPE_LIMIT 0x5B9FFF
+        if (hw->mac.type == I40E_MAC_X722) {
+                val = X722_EEPROM_SCOPE_LIMIT + 1;
+                return val;
+        }
        val = (rd32(hw, I40E_GLPCI_LBARCTRL)
                & I40E_GLPCI_LBARCTRL_FL_SIZE_MASK)
                >> I40E_GLPCI_LBARCTRL_FL_SIZE_SHIFT;
diff --git a/drivers/net/ethernet/intel/i40e/i40e_nvm.c b/drivers/net/ethernet/intel/i40e/i40e_nvm.c
index 6100cdd9ad13..dd4e6ea9e0e1 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_nvm.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_nvm.c
@@ -292,14 +292,14 @@ i40e_status i40e_read_nvm_word(struct i40e_hw *hw, u16 offset,
 {
        enum i40e_status_code ret_code = 0;
-        if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) {
+        ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ);
-                ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ);
+        if (!ret_code) {
-                if (!ret_code) {
+                if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) {
                        ret_code = i40e_read_nvm_word_aq(hw, offset, data);
-                        i40e_release_nvm(hw);
+                } else {
+                        ret_code = i40e_read_nvm_word_srctl(hw, offset, data);
                }
-        } else {
+                i40e_release_nvm(hw);
-                ret_code = i40e_read_nvm_word_srctl(hw, offset, data);
        }
        return ret_code;
 }
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 53803fd6350c..02b23f6277fb 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -3174,7 +3174,7 @@ static int __igb_close(struct net_device *netdev, bool suspending)
 static int igb_close(struct net_device *netdev)
 {
-        if (netif_device_present(netdev))
+        if (netif_device_present(netdev) || netdev->dismantle)
                return __igb_close(netdev, false);
        return 0;
 }
diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 7430dd44019e..ea693bbf56d8 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -818,6 +818,7 @@ static void mvneta_port_up(struct mvneta_port *pp)
        }
        mvreg_write(pp, MVNETA_TXQ_CMD, q_map);
+        q_map = 0;
        /* Enable all initialized RXQs. */
        mvreg_write(pp, MVNETA_RXQ_CMD, BIT(rxq_def));
 }
diff --git a/drivers/net/ethernet/marvell/mvpp2.c b/drivers/net/ethernet/marvell/mvpp2.c
index 4f34e1b79705..ac92685dd4e5 100644
--- a/drivers/net/ethernet/marvell/mvpp2.c
+++ b/drivers/net/ethernet/marvell/mvpp2.c
@@ -5666,6 +5666,7 @@ static void mvpp2_set_rx_mode(struct net_device *dev)
        int id = port->id;
        bool allmulti = dev->flags & IFF_ALLMULTI;
+retry:
        mvpp2_prs_mac_promisc_set(priv, id, dev->flags & IFF_PROMISC);
        mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_ALL, allmulti);
        mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_IP6, allmulti);
@@ -5673,9 +5674,13 @@ static void mvpp2_set_rx_mode(struct net_device *dev)
        /* Remove all port->id's mcast enries */
        mvpp2_prs_mcast_del_all(priv, id);
-        if (allmulti && !netdev_mc_empty(dev)) {
+        if (!allmulti) {
-                netdev_for_each_mc_addr(ha, dev)
+                netdev_for_each_mc_addr(ha, dev) {
-                        mvpp2_prs_mac_da_accept(priv, id, ha->addr, true);
+                        if (mvpp2_prs_mac_da_accept(priv, id, ha->addr, true)) {
+                                allmulti = true;
+                                goto retry;
+                        }
+                }
        }
 }
diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
index 4b62aa1f9ff8..6e5065f0907b 100644
--- a/drivers/net/ethernet/marvell/sky2.c
+++ b/drivers/net/ethernet/marvell/sky2.c
@@ -5079,7 +5079,7 @@ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
        INIT_WORK(&hw->restart_work, sky2_restart);
        pci_set_drvdata(pdev, hw);
-        pdev->d3_delay = 150;
+        pdev->d3_delay = 200;
        return 0;
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
index ddb5541882f5..bcfac000199e 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -967,6 +967,22 @@ static int mlx4_en_set_coalesce(struct net_device *dev,
        if (!coal->tx_max_coalesced_frames_irq)
                return -EINVAL;
+        if (coal->tx_coalesce_usecs > MLX4_EN_MAX_COAL_TIME ||
+            coal->rx_coalesce_usecs > MLX4_EN_MAX_COAL_TIME ||
+            coal->rx_coalesce_usecs_low > MLX4_EN_MAX_COAL_TIME ||
+            coal->rx_coalesce_usecs_high > MLX4_EN_MAX_COAL_TIME) {
+                netdev_info(dev, "%s: maximum coalesce time supported is %d usecs\n",
+                            __func__, MLX4_EN_MAX_COAL_TIME);
+                return -ERANGE;
+        }
+        if (coal->tx_max_coalesced_frames > MLX4_EN_MAX_COAL_PKTS ||
+            coal->rx_max_coalesced_frames > MLX4_EN_MAX_COAL_PKTS) {
+                netdev_info(dev, "%s: maximum coalesced frames supported is %d\n",
+                            __func__, MLX4_EN_MAX_COAL_PKTS);
+                return -ERANGE;
+        }
        priv->rx_frames = (coal->rx_max_coalesced_frames ==
                           MLX4_EN_AUTO_CONF) ?
                                MLX4_EN_RX_COAL_TARGET :
diff --git a/drivers/net/ethernet/mellanox/mlx4/mcg.c b/drivers/net/ethernet/mellanox/mlx4/mcg.c
index 1d4e2e054647..897d061e4f03 100644
--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
+++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
@@ -35,6 +35,7 @@
 #include <linux/etherdevice.h>
 #include <linux/mlx4/cmd.h>
+#include <linux/mlx4/qp.h>
 #include <linux/export.h>
 #include "mlx4.h"
@@ -985,16 +986,21 @@ int mlx4_flow_attach(struct mlx4_dev *dev,
        if (IS_ERR(mailbox))
                return PTR_ERR(mailbox);
+        if (!mlx4_qp_lookup(dev, rule->qpn)) {
+                mlx4_err_rule(dev, "QP doesn't exist\n", rule);
+                ret = -EINVAL;
+                goto out;
+        }
        trans_rule_ctrl_to_hw(rule, mailbox->buf);
        size += sizeof(struct mlx4_net_trans_rule_hw_ctrl);
        list_for_each_entry(cur, &rule->list, list) {
                ret = parse_trans_rule(dev, cur, mailbox->buf + size);
-                if (ret < 0) {
+                if (ret < 0)
-                        mlx4_free_cmd_mailbox(dev, mailbox);
+                        goto out;
-                        return ret;
-                }
                size += ret;
        }
@@ -1021,6 +1027,7 @@ int mlx4_flow_attach(struct mlx4_dev *dev,
                }
        }
+out:
        mlx4_free_cmd_mailbox(dev, mailbox);
        return ret;
diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
index 10aa6544cf4d..607daaffae98 100644
--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
+++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
@@ -140,6 +140,9 @@ enum {
 #define MLX4_EN_TX_COAL_PKTS    16
 #define MLX4_EN_TX_COAL_TIME    0x10
+#define MLX4_EN_MAX_COAL_PKTS   U16_MAX
+#define MLX4_EN_MAX_COAL_TIME   U16_MAX
 #define MLX4_EN_RX_RATE_LOW             400000
 #define MLX4_EN_RX_COAL_TIME_LOW        0
 #define MLX4_EN_RX_RATE_HIGH            450000
@@ -518,8 +521,8 @@ struct mlx4_en_priv {
        u16 rx_usecs_low;
        u32 pkt_rate_high;
        u16 rx_usecs_high;
-        u16 sample_interval;
+        u32 sample_interval;
-        u16 adaptive_rx_coal;
+        u32 adaptive_rx_coal;
        u32 msg_enable;
        u32 loopback_ok;
        u32 validate_loopback;
diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c
index 168823dde79f..d6d87dd8a28f 100644
--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
@@ -280,6 +280,9 @@ void mlx4_qp_release_range(struct mlx4_dev *dev, int base_qpn, int cnt)
        u64 in_param = 0;
        int err;
+        if (!cnt)
+                return;
        if (mlx4_is_mfunc(dev)) {
                set_param_l(&in_param, base_qpn);
                set_param_h(&in_param, cnt);
@@ -378,6 +381,19 @@ static void mlx4_qp_free_icm(struct mlx4_dev *dev, int qpn)
                __mlx4_qp_free_icm(dev, qpn);
 }
+struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn)
+{
+        struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table;
+        struct mlx4_qp *qp;
+        spin_lock_irq(&qp_table->lock);
+        qp = __mlx4_qp_lookup(dev, qpn);
+        spin_unlock_irq(&qp_table->lock);
+        return qp;
+}
 int mlx4_qp_alloc(struct mlx4_dev *dev, int qpn, struct mlx4_qp *qp, gfp_t gfp)
 {
        struct mlx4_priv *priv = mlx4_priv(dev);
@@ -465,6 +481,12 @@ int mlx4_update_qp(struct mlx4_dev *dev, u32 qpn,
        }
        if (attr & MLX4_UPDATE_QP_QOS_VPORT) {
+                if (!(dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_QOS_VPP)) {
+                        mlx4_warn(dev, "Granular QoS per VF is not enabled\n");
+                        err = -EOPNOTSUPP;
+                        goto out;
+                }
                qp_mask |= 1ULL << MLX4_UPD_QP_MASK_QOS_VPP;
                cmd->qp_context.qos_vport = params->qos_vport;
        }
diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
index d1fc7fa87b05..7911dc3da98e 100644
--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -2891,7 +2891,7 @@ int mlx4_RST2INIT_QP_wrapper(struct mlx4_dev *dev, int slave,
        u32 srqn = qp_get_srqn(qpc) & 0xffffff;
        int use_srq = (qp_get_srqn(qpc) >> 24) & 1;
        struct res_srq *srq;
-        int local_qpn = be32_to_cpu(qpc->local_qpn) & 0xffffff;
+        int local_qpn = vhcr->in_modifier & 0xffffff;
        err = adjust_qp_sched_queue(dev, slave, qpc, inbox);
        if (err)
@@ -5040,6 +5040,13 @@ void mlx4_delete_all_resources_for_slave(struct mlx4_dev *dev, int slave)
        mutex_unlock(&priv->mfunc.master.res_tracker.slave_list[slave].mutex);
 }
+static void update_qos_vpp(struct mlx4_update_qp_context *ctx,
+                           struct mlx4_vf_immed_vlan_work *work)
+{
+        ctx->qp_mask |= cpu_to_be64(1ULL << MLX4_UPD_QP_MASK_QOS_VPP);
+        ctx->qp_context.qos_vport = work->qos_vport;
+}
 void mlx4_vf_immed_vlan_work_handler(struct work_struct *_work)
 {
        struct mlx4_vf_immed_vlan_work *work =
@@ -5144,11 +5151,10 @@ void mlx4_vf_immed_vlan_work_handler(struct work_struct *_work)
                                        qp->sched_queue & 0xC7;
                                upd_context->qp_context.pri_path.sched_queue |=
                                        ((work->qos & 0x7) << 3);
-                                upd_context->qp_mask |=
-                                        cpu_to_be64(1ULL <<
+                                if (dev->caps.flags2 &
-                                                    MLX4_UPD_QP_MASK_QOS_VPP);
+                                    MLX4_DEV_CAP_FLAG2_QOS_VPP)
-                                upd_context->qp_context.qos_vport =
+                                        update_qos_vpp(upd_context, work);
-                                        work->qos_vport;
                        }
                        err = mlx4_cmd(dev, mailbox->dma,
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
index 6c66d2979795..9ac14df0ca3b 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -643,6 +643,7 @@ static void cmd_work_handler(struct work_struct *work)
        struct semaphore *sem;
        unsigned long flags;
        int alloc_ret;
+        int cmd_mode;
        sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
        down(sem);
@@ -688,6 +689,7 @@ static void cmd_work_handler(struct work_struct *work)
        set_signature(ent, !cmd->checksum_disabled);
        dump_command(dev, ent, 1);
        ent->ts1 = ktime_get_ns();
+        cmd_mode = cmd->mode;
        /* ring doorbell after the descriptor is valid */
        mlx5_core_dbg(dev, "writing 0x%x to command doorbell\n", 1 << ent->idx);
@@ -695,7 +697,7 @@ static void cmd_work_handler(struct work_struct *work)
        iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell);
        mmiowb();
        /* if not in polling don't use ent after this point */
-        if (cmd->mode == CMD_MODE_POLLING) {
+        if (cmd_mode == CMD_MODE_POLLING) {
                poll_timeout(ent);
                /* make sure we read the descriptor after ownership is SW */
                rmb();
@@ -1126,7 +1128,7 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf,
 {
        struct mlx5_core_dev *dev = filp->private_data;
        struct mlx5_cmd_debug *dbg = &dev->cmd.dbg;
-        char outlen_str[8];
+        char outlen_str[8] = {0};
        int outlen;
        void *ptr;
        int err;
@@ -1141,8 +1143,6 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf,
        if (copy_from_user(outlen_str, buf, count))
                return -EFAULT;
-        outlen_str[7] = 0;
        err = sscanf(outlen_str, "%d", &outlen);
        if (err < 0)
                return err;
@@ -1623,7 +1623,7 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev)
        cmd->checksum_disabled = 1;
        cmd->max_reg_cmds = (1 << cmd->log_sz) - 1;
-        cmd->bitmask = (1 << cmd->max_reg_cmds) - 1;
+        cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1;
        cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16;
        if (cmd->cmdif_rev > CMD_IF_REV) {
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
index f5c1f4acc57b..7c42be586be8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -513,7 +513,6 @@ static int mlx5_irq_set_affinity_hint(struct mlx5_core_dev *mdev, int i)
        struct mlx5_priv *priv  = &mdev->priv;
        struct msix_entry *msix = priv->msix_arr;
        int irq                 = msix[i + MLX5_EQ_VEC_COMP_BASE].vector;
-        int err;
        if (!zalloc_cpumask_var(&priv->irq_info[i].mask, GFP_KERNEL)) {
                mlx5_core_warn(mdev, "zalloc_cpumask_var failed");
@@ -523,18 +522,11 @@ static int mlx5_irq_set_affinity_hint(struct mlx5_core_dev *mdev, int i)
        cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node),
                        priv->irq_info[i].mask);
-        err = irq_set_affinity_hint(irq, priv->irq_info[i].mask);
+        if (IS_ENABLED(CONFIG_SMP) &&
-        if (err) {
+            irq_set_affinity_hint(irq, priv->irq_info[i].mask))
-                mlx5_core_warn(mdev, "irq_set_affinity_hint failed,irq 0x%.4x",
+                mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq);
-                               irq);
-                goto err_clear_mask;
-        }
        return 0;
-err_clear_mask:
-        free_cpumask_var(priv->irq_info[i].mask);
-        return err;
 }
 static void mlx5_irq_clear_affinity_hint(struct mlx5_core_dev *mdev, int i)
diff --git a/drivers/net/ethernet/natsemi/sonic.c b/drivers/net/ethernet/natsemi/sonic.c
index 1bd419dbda6d..0798b4adb039 100644
--- a/drivers/net/ethernet/natsemi/sonic.c
+++ b/drivers/net/ethernet/natsemi/sonic.c
@@ -71,7 +71,7 @@ static int sonic_open(struct net_device *dev)
        for (i = 0; i < SONIC_NUM_RRS; i++) {
                dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE),
                                                  SONIC_RBSIZE, DMA_FROM_DEVICE);
-                if (!laddr) {
+                if (dma_mapping_error(lp->device, laddr)) {
                        while(i > 0) { /* free any that were mapped successfully */
                                i--;
                                dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE);
diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
index b8d5270359cd..e30676515529 100644
--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
+++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
@@ -247,7 +247,7 @@ nx_fw_cmd_set_mtu(struct netxen_adapter *adapter, int mtu)
        cmd.req.arg3 = 0;
        if (recv_ctx->state == NX_HOST_CTX_STATE_ACTIVE)
-                netxen_issue_cmd(adapter, &cmd);
+                rcode = netxen_issue_cmd(adapter, &cmd);
        if (rcode != NX_RCODE_SUCCESS)
                return -EIO;
diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
index 7ccdb46c6764..21e0af2620ee 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -43,7 +43,7 @@
 #define ILT_CFG_REG(cli, reg)   PSWRQ2_REG_ ## cli ## _ ## reg ## _RT_OFFSET
 /* ILT entry structure */
-#define ILT_ENTRY_PHY_ADDR_MASK         0x000FFFFFFFFFFFULL
+#define ILT_ENTRY_PHY_ADDR_MASK         (~0ULL >> 12)
 #define ILT_ENTRY_PHY_ADDR_SHIFT        0
 #define ILT_ENTRY_VALID_MASK            0x1ULL
 #define ILT_ENTRY_VALID_SHIFT           52
diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c
index 174f7341c5c3..688b6da5a9bb 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
@@ -22,6 +22,7 @@
 #include <linux/etherdevice.h>
 #include <linux/vmalloc.h>
 #include <linux/qed/qed_if.h>
+#include <linux/crash_dump.h>
 #include "qed.h"
 #include "qed_sp.h"
@@ -634,6 +635,14 @@ static int qed_slowpath_setup_int(struct qed_dev *cdev,
        /* We want a minimum of one slowpath and one fastpath vector per hwfn */
        cdev->int_params.in.min_msix_cnt = cdev->num_hwfns * 2;
+        if (is_kdump_kernel()) {
+                DP_INFO(cdev,
+                        "Kdump kernel: Limit the max number of requested MSI-X vectors to %hd\n",
+                        cdev->int_params.in.min_msix_cnt);
+                cdev->int_params.in.num_vectors =
+                        cdev->int_params.in.min_msix_cnt;
+        }
        rc = qed_set_int_mode(cdev, false);
        if (rc)  {
                DP_ERR(cdev, "qed_slowpath_setup_int ERR\n");
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
index f9640d5ce6ba..b4f3cb55605e 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
@@ -3850,7 +3850,7 @@ static void qlcnic_83xx_flush_mbx_queue(struct qlcnic_adapter *adapter)
        struct list_head *head = &mbx->cmd_q;
        struct qlcnic_cmd_args *cmd = NULL;
-        spin_lock(&mbx->queue_lock);
+        spin_lock_bh(&mbx->queue_lock);
        while (!list_empty(head)) {
                cmd = list_entry(head->next, struct qlcnic_cmd_args, list);
@@ -3861,7 +3861,7 @@ static void qlcnic_83xx_flush_mbx_queue(struct qlcnic_adapter *adapter)
                qlcnic_83xx_notify_cmd_completion(adapter, cmd);
        }
-        spin_unlock(&mbx->queue_lock);
+        spin_unlock_bh(&mbx->queue_lock);
 }
 static int qlcnic_83xx_check_mbx_status(struct qlcnic_adapter *adapter)
@@ -3897,12 +3897,12 @@ static void qlcnic_83xx_dequeue_mbx_cmd(struct qlcnic_adapter *adapter,
 {
        struct qlcnic_mailbox *mbx = adapter->ahw->mailbox;
-        spin_lock(&mbx->queue_lock);
+        spin_lock_bh(&mbx->queue_lock);
        list_del(&cmd->list);
        mbx->num_cmds--;
-        spin_unlock(&mbx->queue_lock);
+        spin_unlock_bh(&mbx->queue_lock);
        qlcnic_83xx_notify_cmd_completion(adapter, cmd);
 }
@@ -3967,7 +3967,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(struct qlcnic_adapter *adapter,
                init_completion(&cmd->completion);
                cmd->rsp_opcode = QLC_83XX_MBX_RESPONSE_UNKNOWN;
-                spin_lock(&mbx->queue_lock);
+                spin_lock_bh(&mbx->queue_lock);
                list_add_tail(&cmd->list, &mbx->cmd_q);
                mbx->num_cmds++;
@@ -3975,7 +3975,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(struct qlcnic_adapter *adapter,
                *timeout = cmd->total_cmds * QLC_83XX_MBX_TIMEOUT;
                queue_work(mbx->work_q, &mbx->work);
-                spin_unlock(&mbx->queue_lock);
+                spin_unlock_bh(&mbx->queue_lock);
                return 0;
        }
@@ -4071,15 +4071,15 @@ static void qlcnic_83xx_mailbox_worker(struct work_struct *work)
                mbx->rsp_status = QLC_83XX_MBX_RESPONSE_WAIT;
                spin_unlock_irqrestore(&mbx->aen_lock, flags);
-                spin_lock(&mbx->queue_lock);
+                spin_lock_bh(&mbx->queue_lock);
                if (list_empty(head)) {
-                        spin_unlock(&mbx->queue_lock);
+                        spin_unlock_bh(&mbx->queue_lock);
                        return;
                }
                cmd = list_entry(head->next, struct qlcnic_cmd_args, list);
-                spin_unlock(&mbx->queue_lock);
+                spin_unlock_bh(&mbx->queue_lock);
                mbx_ops->encode_cmd(adapter, cmd);
                mbx_ops->nofity_fw(adapter, QLC_83XX_MBX_REQUEST);
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
index 509b596cf1e8..bd1ec70fb736 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
@@ -341,7 +341,7 @@ qlcnic_pcie_sem_lock(struct qlcnic_adapter *adapter, int sem, u32 id_reg)
                        }
                        return -EIO;
                }
-                usleep_range(1000, 1500);
+                udelay(1200);
        }
        if (id_reg)
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
index 7327b729ba2e..ffa6885acfc8 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
@@ -127,6 +127,8 @@ static int qlcnic_sriov_virtid_fn(struct qlcnic_adapter *adapter, int vf_id)
                return 0;
        pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_SRIOV);
+        if (!pos)
+                return 0;
        pci_read_config_word(dev, pos + PCI_SRIOV_VF_OFFSET, &offset);
        pci_read_config_word(dev, pos + PCI_SRIOV_VF_STRIDE, &stride);
diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
index be258d90de9e..e3223f2fe2ff 100644
--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
+++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
@@ -765,7 +765,7 @@ int ql_core_dump(struct ql_adapter *qdev, struct ql_mpi_coredump *mpi_coredump)
                sizeof(struct mpi_coredump_global_header);
        mpi_coredump->mpi_global_header.imageSize =
                sizeof(struct ql_mpi_coredump);
-        memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
+        strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
                sizeof(mpi_coredump->mpi_global_header.idString));
        /* Get generic NIC reg dump */
@@ -1255,7 +1255,7 @@ static void ql_gen_reg_dump(struct ql_adapter *qdev,
                sizeof(struct mpi_coredump_global_header);
        mpi_coredump->mpi_global_header.imageSize =
                sizeof(struct ql_reg_dump);
-        memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
+        strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
                sizeof(mpi_coredump->mpi_global_header.idString));
diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
index 1ef03939d25f..c90ae4d4be7d 100644
--- a/drivers/net/ethernet/qualcomm/qca_spi.c
+++ b/drivers/net/ethernet/qualcomm/qca_spi.c
@@ -296,8 +296,9 @@ qcaspi_receive(struct qcaspi *qca)
        /* Allocate rx SKB if we don't have one available. */
        if (!qca->rx_skb) {
-                qca->rx_skb = netdev_alloc_skb(net_dev,
+                qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
-                                               net_dev->mtu + VLAN_ETH_HLEN);
+                                                        net_dev->mtu +
+                                                        VLAN_ETH_HLEN);
                if (!qca->rx_skb) {
                        netdev_dbg(net_dev, "out of RX resources\n");
                        qca->stats.out_of_mem++;
@@ -377,7 +378,7 @@ qcaspi_receive(struct qcaspi *qca)
                                        qca->rx_skb, qca->rx_skb->dev);
                                qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY;
                                netif_rx_ni(qca->rx_skb);
-                                qca->rx_skb = netdev_alloc_skb(net_dev,
+                                qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
                                        net_dev->mtu + VLAN_ETH_HLEN);
                                if (!qca->rx_skb) {
                                        netdev_dbg(net_dev, "out of RX resources\n");
@@ -759,7 +760,8 @@ qcaspi_netdev_init(struct net_device *dev)
        if (!qca->rx_buffer)
                return -ENOBUFS;
-        qca->rx_skb = netdev_alloc_skb(dev, qca->net_dev->mtu + VLAN_ETH_HLEN);
+        qca->rx_skb = netdev_alloc_skb_ip_align(dev, qca->net_dev->mtu +
+                                                VLAN_ETH_HLEN);
        if (!qca->rx_skb) {
                kfree(qca->rx_buffer);
                netdev_info(qca->net_dev, "Failed to allocate RX sk_buff.\n");
diff --git a/drivers/net/ethernet/realtek/8139too.c b/drivers/net/ethernet/realtek/8139too.c
index ef668d300800..d987d571fdd6 100644
--- a/drivers/net/ethernet/realtek/8139too.c
+++ b/drivers/net/ethernet/realtek/8139too.c
@@ -2229,7 +2229,7 @@ static void rtl8139_poll_controller(struct net_device *dev)
        struct rtl8139_private *tp = netdev_priv(dev);
        const int irq = tp->pci_dev->irq;
-        disable_irq(irq);
+        disable_irq_nosync(irq);
        rtl8139_interrupt(irq, dev);
        enable_irq(irq);
 }
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
index c5ea1018cb47..8b4069ea52ce 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -1387,7 +1387,7 @@ DECLARE_RTL_COND(rtl_ocp_tx_cond)
 {
        void __iomem *ioaddr = tp->mmio_addr;
-        return RTL_R8(IBISR0) & 0x02;
+        return RTL_R8(IBISR0) & 0x20;
 }
 static void rtl8168ep_stop_cmac(struct rtl8169_private *tp)
@@ -1395,7 +1395,7 @@ static void rtl8168ep_stop_cmac(struct rtl8169_private *tp)
        void __iomem *ioaddr = tp->mmio_addr;
        RTL_W8(IBCR2, RTL_R8(IBCR2) & ~0x01);
-        rtl_msleep_loop_wait_low(tp, &rtl_ocp_tx_cond, 50, 2000);
+        rtl_msleep_loop_wait_high(tp, &rtl_ocp_tx_cond, 50, 2000);
        RTL_W8(IBISR0, RTL_R8(IBISR0) | 0x20);
        RTL_W8(IBCR0, RTL_R8(IBCR0) & ~0x01);
 }
@@ -2205,19 +2205,14 @@ static bool rtl8169_do_counters(struct net_device *dev, u32 counter_cmd)
        void __iomem *ioaddr = tp->mmio_addr;
        dma_addr_t paddr = tp->counters_phys_addr;
        u32 cmd;
-        bool ret;
        RTL_W32(CounterAddrHigh, (u64)paddr >> 32);
+        RTL_R32(CounterAddrHigh);
        cmd = (u64)paddr & DMA_BIT_MASK(32);
        RTL_W32(CounterAddrLow, cmd);
        RTL_W32(CounterAddrLow, cmd | counter_cmd);
-        ret = rtl_udelay_loop_wait_low(tp, &rtl_counters_cond, 10, 1000);
+        return rtl_udelay_loop_wait_low(tp, &rtl_counters_cond, 10, 1000);
-        RTL_W32(CounterAddrLow, 0);
-        RTL_W32(CounterAddrHigh, 0);
-        return ret;
 }
 static bool rtl8169_reset_counters(struct net_device *dev)
@@ -4837,6 +4832,9 @@ static void rtl_pll_power_down(struct rtl8169_private *tp)
 static void rtl_pll_power_up(struct rtl8169_private *tp)
 {
        rtl_generic_op(tp, tp->pll_power_ops.up);
+        /* give MAC/PHY some time to resume */
+        msleep(20);
 }
 static void rtl_init_pll_power_ops(struct rtl8169_private *tp)
@@ -8416,12 +8414,12 @@ static int rtl_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
                goto err_out_msi_4;
        }
+        pci_set_drvdata(pdev, dev);
        rc = register_netdev(dev);
        if (rc < 0)
                goto err_out_cnt_5;
-        pci_set_drvdata(pdev, dev);
        netif_info(tp, probe, dev, "%s at 0x%p, %pM, XID %08x IRQ %d\n",
                   rtl_chip_infos[chipset].name, ioaddr, dev->dev_addr,
                   (u32)(RTL_R32(TxConfig) & 0x9cf0f8ff), pdev->irq);
diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
index 424d1dee55c9..afaf79b8761f 100644
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -3222,7 +3222,7 @@ static int sh_eth_drv_probe(struct platform_device *pdev)
        /* MDIO bus init */
        ret = sh_mdio_init(mdp, pd);
        if (ret) {
-                dev_err(&ndev->dev, "failed to initialise MDIO\n");
+                dev_err(&pdev->dev, "failed to initialise MDIO\n");
                goto out_release;
        }
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 5adaf537513b..7bba30f24135 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -54,7 +54,7 @@
 #include <linux/reset.h>
 #include <linux/of_mdio.h>
-#define STMMAC_ALIGN(x) L1_CACHE_ALIGN(x)
+#define STMMAC_ALIGN(x)         __ALIGN_KERNEL(x, SMP_CACHE_BYTES)
 /* Module parameters */
 #define TX_TIMEO        5000
diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
index ab6051a43134..ccebf89aa1e4 100644
--- a/drivers/net/ethernet/sun/niu.c
+++ b/drivers/net/ethernet/sun/niu.c
@@ -3442,7 +3442,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
                len = (val & RCR_ENTRY_L2_LEN) >>
                        RCR_ENTRY_L2_LEN_SHIFT;
-                len -= ETH_FCS_LEN;
+                append_size = len + ETH_HLEN + ETH_FCS_LEN;
                addr = (val & RCR_ENTRY_PKT_BUF_ADDR) <<
                        RCR_ENTRY_PKT_BUF_ADDR_SHIFT;
@@ -3452,7 +3452,6 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
                                         RCR_ENTRY_PKTBUFSZ_SHIFT];
                off = addr & ~PAGE_MASK;
-                append_size = rcr_size;
                if (num_rcr == 1) {
                        int ptype;
@@ -3465,7 +3464,7 @@ static int niu_process_rx_pkt(struct napi_struct *napi, struct niu *np,
                        else
                                skb_checksum_none_assert(skb);
                } else if (!(val & RCR_ENTRY_MULTI))
-                        append_size = len - skb->len;
+                        append_size = append_size - skb->len;
                niu_rx_skb_append(skb, page, off, append_size, rcr_size);
                if ((page->index + rp->rbr_block_size) - rcr_size == addr) {
diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c
index e23a642357e7..eb4d8df49399 100644
--- a/drivers/net/ethernet/sun/sungem.c
+++ b/drivers/net/ethernet/sun/sungem.c
@@ -60,8 +60,7 @@
 #include <linux/sungem_phy.h>
 #include "sungem.h"
-/* Stripping FCS is causing problems, disabled for now */
+#define STRIP_FCS
-#undef STRIP_FCS
 #define DEFAULT_MSG     (NETIF_MSG_DRV          | \
                         NETIF_MSG_PROBE        | \
@@ -435,7 +434,7 @@ static int gem_rxmac_reset(struct gem *gp)
        writel(desc_dma & 0xffffffff, gp->regs + RXDMA_DBLOW);
        writel(RX_RING_SIZE - 4, gp->regs + RXDMA_KICK);
        val = (RXDMA_CFG_BASE | (RX_OFFSET << 10) |
-               ((14 / 2) << 13) | RXDMA_CFG_FTHRESH_128);
+               (ETH_HLEN << 13) | RXDMA_CFG_FTHRESH_128);
        writel(val, gp->regs + RXDMA_CFG);
        if (readl(gp->regs + GREG_BIFCFG) & GREG_BIFCFG_M66EN)
                writel(((5 & RXDMA_BLANK_IPKTS) |
@@ -760,7 +759,6 @@ static int gem_rx(struct gem *gp, int work_to_do)
        struct net_device *dev = gp->dev;
        int entry, drops, work_done = 0;
        u32 done;
-        __sum16 csum;
        if (netif_msg_rx_status(gp))
                printk(KERN_DEBUG "%s: rx interrupt, done: %d, rx_new: %d\n",
@@ -855,9 +853,13 @@ static int gem_rx(struct gem *gp, int work_to_do)
                        skb = copy_skb;
                }
-                csum = (__force __sum16)htons((status & RXDCTRL_TCPCSUM) ^ 0xffff);
+                if (likely(dev->features & NETIF_F_RXCSUM)) {
-                skb->csum = csum_unfold(csum);
+                        __sum16 csum;
-                skb->ip_summed = CHECKSUM_COMPLETE;
+                        csum = (__force __sum16)htons((status & RXDCTRL_TCPCSUM) ^ 0xffff);
+                        skb->csum = csum_unfold(csum);
+                        skb->ip_summed = CHECKSUM_COMPLETE;
+                }
                skb->protocol = eth_type_trans(skb, gp->dev);
                napi_gro_receive(&gp->napi, skb);
@@ -1755,7 +1757,7 @@ static void gem_init_dma(struct gem *gp)
        writel(0, gp->regs + TXDMA_KICK);
        val = (RXDMA_CFG_BASE | (RX_OFFSET << 10) |
-               ((14 / 2) << 13) | RXDMA_CFG_FTHRESH_128);
+               (ETH_HLEN << 13) | RXDMA_CFG_FTHRESH_128);
        writel(val, gp->regs + RXDMA_CFG);
        writel(desc_dma >> 32, gp->regs + RXDMA_DBHI);
@@ -2973,8 +2975,8 @@ static int gem_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
        pci_set_drvdata(pdev, dev);
        /* We can do scatter/gather and HW checksum */
-        dev->hw_features = NETIF_F_SG | NETIF_F_HW_CSUM;
+        dev->hw_features = NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_RXCSUM;
-        dev->features |= dev->hw_features | NETIF_F_RXCSUM;
+        dev->features = dev->hw_features;
        if (pci_using_dac)
                dev->features |= NETIF_F_HIGHDMA;
diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c
index cc106d892e29..b15e322b8bfe 100644
--- a/drivers/net/ethernet/sun/sunvnet.c
+++ b/drivers/net/ethernet/sun/sunvnet.c
@@ -1787,7 +1787,7 @@ static struct vnet *vnet_new(const u64 *local_mac,
        dev->ethtool_ops = &vnet_ethtool_ops;
        dev->watchdog_timeo = VNET_TX_TIMEOUT;
-        dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_GSO_SOFTWARE |
+        dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_ALL_TSO |
                           NETIF_F_HW_CSUM | NETIF_F_SG;
        dev->features = dev->hw_features;
diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
index f9740377f8bb..1ca720071200 100644
--- a/drivers/net/ethernet/ti/cpsw.c
+++ b/drivers/net/ethernet/ti/cpsw.c
@@ -283,6 +283,10 @@ struct cpsw_ss_regs {
 /* Bit definitions for the CPSW1_TS_SEQ_LTYPE register */
 #define CPSW_V1_SEQ_ID_OFS_SHIFT        16
+#define CPSW_MAX_BLKS_TX                15
+#define CPSW_MAX_BLKS_TX_SHIFT          4
+#define CPSW_MAX_BLKS_RX                5
 struct cpsw_host_regs {
        u32     max_blks;
        u32     blk_cnt;
@@ -866,7 +870,8 @@ static void _cpsw_adjust_link(struct cpsw_slave *slave,
                /* set speed_in input in case RMII mode is used in 100Mbps */
                if (phy->speed == 100)
                        mac_control |= BIT(15);
-                else if (phy->speed == 10)
+                /* in band mode only works in 10Mbps RGMII mode */
+                else if ((phy->speed == 10) && phy_interface_is_rgmii(phy))
                        mac_control |= BIT(18); /* In Band mode */
                if (priv->rx_pause)
@@ -1103,11 +1108,23 @@ static void cpsw_slave_open(struct cpsw_slave *slave, struct cpsw_priv *priv)
        switch (cpsw->version) {
        case CPSW_VERSION_1:
                slave_write(slave, TX_PRIORITY_MAPPING, CPSW1_TX_PRI_MAP);
+                /* Increase RX FIFO size to 5 for supporting fullduplex
+                 * flow control mode
+                 */
+                slave_write(slave,
+                            (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) |
+                            CPSW_MAX_BLKS_RX, CPSW1_MAX_BLKS);
                break;
        case CPSW_VERSION_2:
        case CPSW_VERSION_3:
        case CPSW_VERSION_4:
                slave_write(slave, TX_PRIORITY_MAPPING, CPSW2_TX_PRI_MAP);
+                /* Increase RX FIFO size to 5 for supporting fullduplex
+                 * flow control mode
+                 */
+                slave_write(slave,
+                            (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) |
+                            CPSW_MAX_BLKS_RX, CPSW2_MAX_BLKS);
                break;
        }
diff --git a/drivers/net/ethernet/ti/tlan.c b/drivers/net/ethernet/ti/tlan.c
index a274cd49afe9..399a89f30826 100644
--- a/drivers/net/ethernet/ti/tlan.c
+++ b/drivers/net/ethernet/ti/tlan.c
@@ -610,8 +610,8 @@ err_out_regions:
 #ifdef CONFIG_PCI
        if (pdev)
                pci_release_regions(pdev);
-#endif
 err_out:
+#endif
        if (pdev)
                pci_disable_device(pdev);
        return rc;
diff --git a/drivers/net/ethernet/xilinx/Kconfig b/drivers/net/ethernet/xilinx/Kconfig
index 4f5c024c6192..5d5c0c433f3e 100644
--- a/drivers/net/ethernet/xilinx/Kconfig
+++ b/drivers/net/ethernet/xilinx/Kconfig
@@ -34,6 +34,7 @@ config XILINX_AXI_EMAC
 config XILINX_LL_TEMAC
        tristate "Xilinx LL TEMAC (LocalLink Tri-mode Ethernet MAC) driver"
        depends on (PPC || MICROBLAZE)
+        depends on !64BIT || BROKEN
        select PHYLIB
        ---help---
          This driver supports the Xilinx 10/100/1000 LocalLink TEMAC
diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c
index 49fe59b180a8..a75ce9051a7f 100644
--- a/drivers/net/hamradio/hdlcdrv.c
+++ b/drivers/net/hamradio/hdlcdrv.c
@@ -574,6 +574,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
        case HDLCDRVCTL_CALIBRATE:
                if(!capable(CAP_SYS_RAWIO))
                        return -EPERM;
+                if (s->par.bitrate <= 0)
+                        return -EINVAL;
                if (bi.data.calibrate > INT_MAX / s->par.bitrate)
                        return -EINVAL;
                s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
diff --git a/drivers/net/hippi/rrunner.c b/drivers/net/hippi/rrunner.c
index 95c0b45a68fb..313e006f74fe 100644
--- a/drivers/net/hippi/rrunner.c
+++ b/drivers/net/hippi/rrunner.c
@@ -1381,8 +1381,8 @@ static int rr_close(struct net_device *dev)
                            rrpriv->info_dma);
        rrpriv->info = NULL;
-        free_irq(pdev->irq, dev);
        spin_unlock_irqrestore(&rrpriv->lock, flags);
+        free_irq(pdev->irq, dev);
        return 0;
 }
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index af827faec7fe..142015af43db 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -282,6 +282,10 @@ static int ipvlan_rcv_frame(struct ipvl_addr *addr, struct sk_buff **pskb,
                if (dev_forward_skb(ipvlan->dev, skb) == NET_RX_SUCCESS)
                        success = true;
        } else {
+                if (!ether_addr_equal_64bits(eth_hdr(skb)->h_dest,
+                                             ipvlan->phy_dev->dev_addr))
+                        skb->pkt_type = PACKET_OTHERHOST;
                ret = RX_HANDLER_ANOTHER;
                success = true;
        }
@@ -353,6 +357,7 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
                .flowi4_oif = dev->ifindex,
                .flowi4_tos = RT_TOS(ip4h->tos),
                .flowi4_flags = FLOWI_FLAG_ANYSRC,
+                .flowi4_mark = skb->mark,
                .daddr = ip4h->daddr,
                .saddr = ip4h->saddr,
        };
diff --git a/drivers/net/irda/w83977af_ir.c b/drivers/net/irda/w83977af_ir.c
index 4e3d2e7c697c..e8c3a8c32534 100644
--- a/drivers/net/irda/w83977af_ir.c
+++ b/drivers/net/irda/w83977af_ir.c
@@ -518,7 +518,9 @@ static netdev_tx_t w83977af_hard_xmit(struct sk_buff *skb,
                
                mtt = irda_get_mtt(skb);
                pr_debug("%s(%ld), mtt=%d\n", __func__ , jiffies, mtt);
-                        if (mtt)
+                        if (mtt > 1000)
+                                mdelay(mtt/1000);
+                        else if (mtt)
                                udelay(mtt);
                        /* Enable DMA interrupt */
diff --git a/drivers/net/phy/bcm-cygnus.c b/drivers/net/phy/bcm-cygnus.c
index 49bbc6826883..9a7dca2bb618 100644
--- a/drivers/net/phy/bcm-cygnus.c
+++ b/drivers/net/phy/bcm-cygnus.c
@@ -61,17 +61,17 @@ static int bcm_cygnus_afe_config(struct phy_device *phydev)
                return rc;
        /* make rcal=100, since rdb default is 000 */
-        rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB1, 0x10);
+        rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB1, 0x10);
        if (rc < 0)
                return rc;
        /* CORE_EXPB0, Reset R_CAL/RC_CAL Engine */
-        rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x10);
+        rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x10);
        if (rc < 0)
                return rc;
        /* CORE_EXPB0, Disable Reset R_CAL/RC_CAL Engine */
-        rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x00);
+        rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x00);
        return 0;
 }
diff --git a/drivers/net/phy/bcm-phy-lib.h b/drivers/net/phy/bcm-phy-lib.h
index b2091c88b44d..ce16b26d49ff 100644
--- a/drivers/net/phy/bcm-phy-lib.h
+++ b/drivers/net/phy/bcm-phy-lib.h
@@ -14,11 +14,18 @@
 #ifndef _LINUX_BCM_PHY_LIB_H
 #define _LINUX_BCM_PHY_LIB_H
+#include <linux/brcmphy.h>
 #include <linux/phy.h>
 int bcm_phy_write_exp(struct phy_device *phydev, u16 reg, u16 val);
 int bcm_phy_read_exp(struct phy_device *phydev, u16 reg);
+static inline int bcm_phy_write_exp_sel(struct phy_device *phydev,
+                                        u16 reg, u16 val)
+{
+        return bcm_phy_write_exp(phydev, reg | MII_BCM54XX_EXP_SEL_ER, val);
+}
 int bcm_phy_write_misc(struct phy_device *phydev,
                       u16 reg, u16 chl, u16 value);
 int bcm_phy_read_misc(struct phy_device *phydev,
diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c
index 03d4809a9126..bffa70e46202 100644
--- a/drivers/net/phy/bcm7xxx.c
+++ b/drivers/net/phy/bcm7xxx.c
@@ -48,10 +48,10 @@
 static void r_rc_cal_reset(struct phy_device *phydev)
 {
        /* Reset R_CAL/RC_CAL Engine */
-        bcm_phy_write_exp(phydev, 0x00b0, 0x0010);
+        bcm_phy_write_exp_sel(phydev, 0x00b0, 0x0010);
        /* Disable Reset R_AL/RC_CAL Engine */
-        bcm_phy_write_exp(phydev, 0x00b0, 0x0000);
+        bcm_phy_write_exp_sel(phydev, 0x00b0, 0x0000);
 }
 static int bcm7xxx_28nm_b0_afe_config_init(struct phy_device *phydev)
diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
index e83acc608678..dc934347ae28 100644
--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -1203,6 +1203,23 @@ static void dp83640_remove(struct phy_device *phydev)
        kfree(dp83640);
 }
+static int dp83640_soft_reset(struct phy_device *phydev)
+{
+        int ret;
+        ret = genphy_soft_reset(phydev);
+        if (ret < 0)
+                return ret;
+        /* From DP83640 datasheet: "Software driver code must wait 3 us
+         * following a software reset before allowing further serial MII
+         * operations with the DP83640."
+         */
+        udelay(10);             /* Taking udelay inaccuracy into account */
+        return 0;
+}
 static int dp83640_config_init(struct phy_device *phydev)
 {
        struct dp83640_private *dp83640 = phydev->priv;
@@ -1496,6 +1513,7 @@ static struct phy_driver dp83640_driver = {
        .flags          = PHY_HAS_INTERRUPT,
        .probe          = dp83640_probe,
        .remove         = dp83640_remove,
+        .soft_reset     = dp83640_soft_reset,
        .config_init    = dp83640_config_init,
        .config_aneg    = genphy_config_aneg,
        .read_status    = genphy_read_status,
diff --git a/drivers/net/phy/mdio-sun4i.c b/drivers/net/phy/mdio-sun4i.c
index 15bc7f9ea224..afd76e07088b 100644
--- a/drivers/net/phy/mdio-sun4i.c
+++ b/drivers/net/phy/mdio-sun4i.c
@@ -128,8 +128,10 @@ static int sun4i_mdio_probe(struct platform_device *pdev)
        data->regulator = devm_regulator_get(&pdev->dev, "phy");
        if (IS_ERR(data->regulator)) {
-                if (PTR_ERR(data->regulator) == -EPROBE_DEFER)
+                if (PTR_ERR(data->regulator) == -EPROBE_DEFER) {
-                        return -EPROBE_DEFER;
+                        ret = -EPROBE_DEFER;
+                        goto err_out_free_mdiobus;
+                }
                dev_info(&pdev->dev, "no regulator found\n");
        } else {
diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
index 7d0690433ee0..7d2cf015c5e7 100644
--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -148,6 +148,12 @@ static inline int phy_aneg_done(struct phy_device *phydev)
        if (phydev->drv->aneg_done)
                return phydev->drv->aneg_done(phydev);
+        /* Avoid genphy_aneg_done() if the Clause 45 PHY does not
+         * implement Clause 22 registers
+         */
+        if (phydev->is_c45 && !(phydev->c45_ids.devices_in_package & BIT(0)))
+                return -EINVAL;
        return genphy_aneg_done(phydev);
 }
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 8179727d3423..1f2f25a71d18 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1265,11 +1265,8 @@ static int gen10g_resume(struct phy_device *phydev)
 static int __set_phy_supported(struct phy_device *phydev, u32 max_speed)
 {
-        /* The default values for phydev->supported are provided by the PHY
+        phydev->supported &= ~(PHY_1000BT_FEATURES | PHY_100BT_FEATURES |
-         * driver "features" member, we want to reset to sane defaults first
+                               PHY_10BT_FEATURES);
-         * before supporting higher speeds.
-         */
-        phydev->supported &= PHY_DEFAULT_FEATURES;
        switch (max_speed) {
        default:
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index e2decf71c6d1..46448d7e3290 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2952,6 +2952,15 @@ ppp_connect_channel(struct channel *pch, int unit)
                goto outl;
        ppp_lock(ppp);
+        spin_lock_bh(&pch->downl);
+        if (!pch->chan) {
+                /* Don't connect unregistered channels */
+                spin_unlock_bh(&pch->downl);
+                ppp_unlock(ppp);
+                ret = -ENOTCONN;
+                goto outl;
+        }
+        spin_unlock_bh(&pch->downl);
        if (pch->file.hdrlen > ppp->file.hdrlen)
                ppp->file.hdrlen = pch->file.hdrlen;
        hdrlen = pch->file.hdrlen + 2;  /* for protocol bytes */
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 4e0068e775f9..583d50f80b24 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -638,6 +638,10 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
        lock_sock(sk);
        error = -EINVAL;
+        if (sockaddr_len != sizeof(struct sockaddr_pppox))
+                goto end;
        if (sp->sa_protocol != PX_PROTO_OE)
                goto end;
@@ -860,6 +864,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
        struct pppoe_hdr *ph;
        struct net_device *dev;
        char *start;
+        int hlen;
        lock_sock(sk);
        if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
@@ -878,16 +883,16 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
        if (total_len > (dev->mtu + dev->hard_header_len))
                goto end;
+        hlen = LL_RESERVED_SPACE(dev);
-        skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
+        skb = sock_wmalloc(sk, hlen + sizeof(*ph) + total_len +
-                           0, GFP_KERNEL);
+                           dev->needed_tailroom, 0, GFP_KERNEL);
        if (!skb) {
                error = -ENOMEM;
                goto end;
        }
        /* Reserve space for headers. */
-        skb_reserve(skb, dev->hard_header_len);
+        skb_reserve(skb, hlen);
        skb_reset_network_header(skb);
        skb->dev = dev;
@@ -948,7 +953,7 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
        /* Copy the data if there is no space for the header or if it's
         * read-only.
         */
-        if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
+        if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
                goto abort;
        __skb_push(skb, sizeof(*ph));
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index f7e8c79349ad..12a627fcc02c 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -501,7 +501,6 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
        po->chan.mtu = dst_mtu(&rt->dst);
        if (!po->chan.mtu)
                po->chan.mtu = PPP_MRU;
-        ip_rt_put(rt);
        po->chan.mtu -= PPTP_HEADER_OVERHEAD;
        po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header);
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index 27ed25252aac..cfd81eb1b532 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -509,6 +509,10 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
                if(x < 0 || x > comp->rslot_limit)
                        goto bad;
+                /* Check if the cstate is initialized */
+                if (!comp->rstate[x].initialized)
+                        goto bad;
                comp->flags &=~ SLF_TOSS;
                comp->recv_current = x;
        } else {
@@ -673,6 +677,7 @@ slhc_remember(struct slcompress *comp, unsigned char *icp, int isize)
        if (cs->cs_tcp.doff > 5)
          memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4);
        cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2;
+        cs->initialized = true;
        /* Put headers back on packet
         * Neither header checksum is recalculated
         */
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index 61cd53838360..49174837c2ba 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -247,6 +247,17 @@ static void __team_option_inst_mark_removed_port(struct team *team,
        }
 }
+static bool __team_option_inst_tmp_find(const struct list_head *opts,
+                                        const struct team_option_inst *needle)
+{
+        struct team_option_inst *opt_inst;
+        list_for_each_entry(opt_inst, opts, tmp_list)
+                if (opt_inst == needle)
+                        return true;
+        return false;
+}
 static int __team_options_register(struct team *team,
                                   const struct team_option *option,
                                   size_t option_count)
@@ -972,7 +983,8 @@ static void team_port_disable(struct team *team,
 static void ___team_compute_features(struct team *team)
 {
        struct team_port *port;
-        u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
+        netdev_features_t vlan_features = TEAM_VLAN_FEATURES &
+                                          NETIF_F_ALL_FOR_ALL;
        unsigned short max_hard_header_len = ETH_HLEN;
        unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
                                        IFF_XMIT_DST_RELEASE_PERM;
@@ -1039,14 +1051,11 @@ static void team_port_leave(struct team *team, struct team_port *port)
 }
 #ifdef CONFIG_NET_POLL_CONTROLLER
-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
+static int __team_port_enable_netpoll(struct team_port *port)
 {
        struct netpoll *np;
        int err;
-        if (!team->dev->npinfo)
-                return 0;
        np = kzalloc(sizeof(*np), GFP_KERNEL);
        if (!np)
                return -ENOMEM;
@@ -1060,6 +1069,14 @@ static int team_port_enable_netpoll(struct team *team, struct team_port *port)
        return err;
 }
+static int team_port_enable_netpoll(struct team_port *port)
+{
+        if (!port->team->dev->npinfo)
+                return 0;
+        return __team_port_enable_netpoll(port);
+}
 static void team_port_disable_netpoll(struct team_port *port)
 {
        struct netpoll *np = port->np;
@@ -1074,7 +1091,7 @@ static void team_port_disable_netpoll(struct team_port *port)
        kfree(np);
 }
 #else
-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
+static int team_port_enable_netpoll(struct team_port *port)
 {
        return 0;
 }
@@ -1181,7 +1198,7 @@ static int team_port_add(struct team *team, struct net_device *port_dev)
                goto err_vids_add;
        }
-        err = team_port_enable_netpoll(team, port);
+        err = team_port_enable_netpoll(port);
        if (err) {
                netdev_err(dev, "Failed to enable netpoll on device %s\n",
                           portname);
@@ -1889,7 +1906,7 @@ static int team_netpoll_setup(struct net_device *dev,
        mutex_lock(&team->lock);
        list_for_each_entry(port, &team->port_list, list) {
-                err = team_port_enable_netpoll(team, port);
+                err = __team_port_enable_netpoll(port);
                if (err) {
                        __team_netpoll_cleanup(team);
                        break;
@@ -2380,7 +2397,7 @@ send_done:
        if (!nlh) {
                err = __send_and_alloc_skb(&skb, team, portid, send_func);
                if (err)
-                        goto errout;
+                        return err;
                goto send_done;
        }
@@ -2544,6 +2561,14 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
                        if (err)
                                goto team_put;
                        opt_inst->changed = true;
+                        /* dumb/evil user-space can send us duplicate opt,
+                         * keep only the last one
+                         */
+                        if (__team_option_inst_tmp_find(&opt_inst_list,
+                                                        opt_inst))
+                                continue;
                        list_add(&opt_inst->tmp_list, &opt_inst_list);
                }
                if (!opt_found) {
@@ -2660,7 +2685,7 @@ send_done:
        if (!nlh) {
                err = __send_and_alloc_skb(&skb, team, portid, send_func);
                if (err)
-                        goto errout;
+                        return err;
                goto send_done;
        }
diff --git a/drivers/net/usb/Kconfig b/drivers/net/usb/Kconfig
index 1f6893ebce16..3a7286256db0 100644
--- a/drivers/net/usb/Kconfig
+++ b/drivers/net/usb/Kconfig
@@ -395,6 +395,10 @@ config USB_NET_RNDIS_HOST
          The protocol specification is incomplete, and is controlled by
          (and for) Microsoft; it isn't an "Open" ecosystem or market.
+config USB_NET_CDC_SUBSET_ENABLE
+        tristate
+        depends on USB_NET_CDC_SUBSET
 config USB_NET_CDC_SUBSET
        tristate "Simple USB Network Links (CDC Ethernet subset)"
        depends on USB_USBNET
@@ -413,6 +417,7 @@ config USB_NET_CDC_SUBSET
 config USB_ALI_M5632
        bool "ALi M5632 based 'USB 2.0 Data Link' cables"
        depends on USB_NET_CDC_SUBSET
+        select USB_NET_CDC_SUBSET_ENABLE
        help
          Choose this option if you're using a host-to-host cable
          based on this design, which supports USB 2.0 high speed.
@@ -420,6 +425,7 @@ config USB_ALI_M5632
 config USB_AN2720
        bool "AnchorChips 2720 based cables (Xircom PGUNET, ...)"
        depends on USB_NET_CDC_SUBSET
+        select USB_NET_CDC_SUBSET_ENABLE
        help
          Choose this option if you're using a host-to-host cable
          based on this design.  Note that AnchorChips is now a
@@ -428,6 +434,7 @@ config USB_AN2720
 config USB_BELKIN
        bool "eTEK based host-to-host cables (Advance, Belkin, ...)"
        depends on USB_NET_CDC_SUBSET
+        select USB_NET_CDC_SUBSET_ENABLE
        default y
        help
          Choose this option if you're using a host-to-host cable
@@ -437,6 +444,7 @@ config USB_BELKIN
 config USB_ARMLINUX
        bool "Embedded ARM Linux links (iPaq, ...)"
        depends on USB_NET_CDC_SUBSET
+        select USB_NET_CDC_SUBSET_ENABLE
        default y
        help
          Choose this option to support the "usb-eth" networking driver
@@ -454,6 +462,7 @@ config USB_ARMLINUX
 config USB_EPSON2888
        bool "Epson 2888 based firmware (DEVELOPMENT)"
        depends on USB_NET_CDC_SUBSET
+        select USB_NET_CDC_SUBSET_ENABLE
        help
          Choose this option to support the usb networking links used
          by some sample firmware from Epson.
@@ -461,6 +470,7 @@ config USB_EPSON2888
 config USB_KC2190
        bool "KT Technology KC2190 based cables (InstaNet)"
        depends on USB_NET_CDC_SUBSET
+        select USB_NET_CDC_SUBSET_ENABLE
        help
          Choose this option if you're using a host-to-host cable
          with one of these chips.
diff --git a/drivers/net/usb/Makefile b/drivers/net/usb/Makefile
index b5f04068dbe4..37fb46aee341 100644
--- a/drivers/net/usb/Makefile
+++ b/drivers/net/usb/Makefile
@@ -23,7 +23,7 @@ obj-$(CONFIG_USB_NET_GL620A)	+= gl620a.o
 obj-$(CONFIG_USB_NET_NET1080)   += net1080.o
 obj-$(CONFIG_USB_NET_PLUSB)     += plusb.o
 obj-$(CONFIG_USB_NET_RNDIS_HOST)        += rndis_host.o
-obj-$(CONFIG_USB_NET_CDC_SUBSET)        += cdc_subset.o
+obj-$(CONFIG_USB_NET_CDC_SUBSET_ENABLE) += cdc_subset.o
 obj-$(CONFIG_USB_NET_ZAURUS)    += zaurus.o
 obj-$(CONFIG_USB_NET_MCS7830)   += mcs7830.o
 obj-$(CONFIG_USB_USBNET)        += usbnet.o
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index f9343bee1de3..f71abe50ea6f 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -461,6 +461,7 @@ static const struct driver_info wwan_info = {
 #define REALTEK_VENDOR_ID       0x0bda
 #define SAMSUNG_VENDOR_ID       0x04e8
 #define LENOVO_VENDOR_ID        0x17ef
+#define LINKSYS_VENDOR_ID       0x13b1
 #define NVIDIA_VENDOR_ID        0x0955
 #define HP_VENDOR_ID            0x03f0
@@ -650,6 +651,15 @@ static const struct usb_device_id	products[] = {
        .driver_info = 0,
 },
+#if IS_ENABLED(CONFIG_USB_RTL8152)
+/* Linksys USB3GIGV1 Ethernet Adapter */
+{
+        USB_DEVICE_AND_INTERFACE_INFO(LINKSYS_VENDOR_ID, 0x0041, USB_CLASS_COMM,
+                        USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+        .driver_info = 0,
+},
+#endif
 /* Lenovo Thinkpad USB 3.0 Ethernet Adapters (based on Realtek RTL8153) */
 {
        USB_DEVICE_AND_INTERFACE_INFO(LENOVO_VENDOR_ID, 0x7205, USB_CLASS_COMM,
@@ -705,6 +715,12 @@ static const struct usb_device_id	products[] = {
                                      USB_CDC_PROTO_NONE),
        .driver_info = (unsigned long)&wwan_info,
 }, {
+        /* Cinterion AHS3 modem by GEMALTO */
+        USB_DEVICE_AND_INTERFACE_INFO(0x1e2d, 0x0055, USB_CLASS_COMM,
+                                      USB_CDC_SUBCLASS_ETHERNET,
+                                      USB_CDC_PROTO_NONE),
+        .driver_info = (unsigned long)&wwan_info,
+}, {
        /* Telit modules */
        USB_VENDOR_AND_INTERFACE_INFO(0x1bc7, USB_CLASS_COMM,
                        USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c
index 96a5028621c8..8edbccf06b7b 100644
--- a/drivers/net/usb/cdc_mbim.c
+++ b/drivers/net/usb/cdc_mbim.c
@@ -593,7 +593,7 @@ static const struct driver_info cdc_mbim_info_zlp = {
 */
 static const struct driver_info cdc_mbim_info_ndp_to_end = {
        .description = "CDC MBIM",
-        .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN,
+        .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN | FLAG_SEND_ZLP,
        .bind = cdc_mbim_bind,
        .unbind = cdc_mbim_unbind,
        .manage_power = cdc_mbim_manage_power,
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 1228d0da4075..36e1377fc954 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -825,6 +825,9 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_
                goto error2;
        }
+        /* Device-specific flags */
+        ctx->drvflags = drvflags;
        /*
         * Some Huawei devices have been observed to come out of reset in NDP32 mode.
         * Let's check if this is the case, and set the device to NDP16 mode again if
@@ -873,9 +876,6 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_
        /* finish setting up the device specific data */
        cdc_ncm_setup(dev);
-        /* Device-specific flags */
-        ctx->drvflags = drvflags;
        /* Allocate the delayed NDP if needed. */
        if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) {
                ctx->delayed_ndp16 = kzalloc(ctx->max_ndp_size, GFP_KERNEL);
@@ -1069,12 +1069,13 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
        u16 n = 0, index, ndplen;
        u8 ready2send = 0;
        u32 delayed_ndp_size;
+        size_t padding_count;
        /* When our NDP gets written in cdc_ncm_ndp(), then skb_out->len gets updated
         * accordingly. Otherwise, we should check here.
         */
        if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END)
-                delayed_ndp_size = ctx->max_ndp_size;
+                delayed_ndp_size = ALIGN(ctx->max_ndp_size, ctx->tx_ndp_modulus);
        else
                delayed_ndp_size = 0;
@@ -1207,7 +1208,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
        /* If requested, put NDP at end of frame. */
        if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) {
                nth16 = (struct usb_cdc_ncm_nth16 *)skb_out->data;
-                cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_max);
+                cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_max - ctx->max_ndp_size);
                nth16->wNdpIndex = cpu_to_le16(skb_out->len);
                memcpy(skb_put(skb_out, ctx->max_ndp_size), ctx->delayed_ndp16, ctx->max_ndp_size);
@@ -1225,11 +1226,13 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
         * a ZLP after full sized NTBs.
         */
        if (!(dev->driver_info->flags & FLAG_SEND_ZLP) &&
-            skb_out->len > ctx->min_tx_pkt)
+            skb_out->len > ctx->min_tx_pkt) {
-                memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0,
+                padding_count = ctx->tx_max - skb_out->len;
-                       ctx->tx_max - skb_out->len);
+                memset(skb_put(skb_out, padding_count), 0, padding_count);
-        else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket) == 0)
+        } else if (skb_out->len < ctx->tx_max &&
+                   (skb_out->len % dev->maxpacket) == 0) {
                *skb_put(skb_out, 1) = 0;       /* force short packet */
+        }
        /* set final frame length */
        nth16 = (struct usb_cdc_ncm_nth16 *)skb_out->data;
diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index 41e9ebd7d0a6..acec4b565511 100644
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -618,7 +618,8 @@ static int lan78xx_read_otp(struct lan78xx_net *dev, u32 offset,
                        offset += 0x100;
                else
                        ret = -EINVAL;
-                ret = lan78xx_read_raw_otp(dev, offset, length, data);
+                if (!ret)
+                        ret = lan78xx_read_raw_otp(dev, offset, length, data);
        }
        return ret;
@@ -1360,6 +1361,8 @@ static void lan78xx_init_mac_address(struct lan78xx_net *dev)
                        netif_dbg(dev, ifup, dev->net,
                                  "MAC address set to random addr");
                }
+                tasklet_schedule(&dev->bh);
        }
        ret = lan78xx_write_reg(dev, MAF_LO(0), addr_lo);
@@ -1859,6 +1862,7 @@ static int lan78xx_reset(struct lan78xx_net *dev)
                buf = DEFAULT_BURST_CAP_SIZE / FS_USB_PKT_SIZE;
                dev->rx_urb_size = DEFAULT_BURST_CAP_SIZE;
                dev->rx_qlen = 4;
+                dev->tx_qlen = 4;
        }
        ret = lan78xx_write_reg(dev, BURST_CAP, buf);
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index b0ea8dee5f06..3b67140eed73 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -631,11 +631,16 @@ static const struct usb_device_id products[] = {
        {QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
        {QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
        {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
+        {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)},    /* ublox R410M */
        {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
        {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
        {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
+        {QMI_FIXED_INTF(0x0846, 0x68d3, 8)},    /* Netgear Aircard 779S */
        {QMI_FIXED_INTF(0x12d1, 0x140c, 1)},    /* Huawei E173 */
        {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)},    /* Huawei E1820 */
+        {QMI_FIXED_INTF(0x1435, 0xd181, 3)},    /* Wistron NeWeb D18Q1 */
+        {QMI_FIXED_INTF(0x1435, 0xd181, 4)},    /* Wistron NeWeb D18Q1 */
+        {QMI_FIXED_INTF(0x1435, 0xd181, 5)},    /* Wistron NeWeb D18Q1 */
        {QMI_FIXED_INTF(0x16d8, 0x6003, 0)},    /* CMOTech 6003 */
        {QMI_FIXED_INTF(0x16d8, 0x6007, 0)},    /* CMOTech CHE-628S */
        {QMI_FIXED_INTF(0x16d8, 0x6008, 0)},    /* CMOTech CMU-301 */
@@ -712,6 +717,7 @@ static const struct usb_device_id products[] = {
        {QMI_FIXED_INTF(0x19d2, 0x2002, 4)},    /* ZTE (Vodafone) K3765-Z */
        {QMI_FIXED_INTF(0x2001, 0x7e19, 4)},    /* D-Link DWM-221 B1 */
        {QMI_FIXED_INTF(0x2001, 0x7e35, 4)},    /* D-Link DWM-222 */
+        {QMI_FIXED_INTF(0x2020, 0x2033, 4)},    /* BroadMobi BM806U */
        {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)},    /* Sierra Wireless MC7700 */
        {QMI_FIXED_INTF(0x114f, 0x68a2, 8)},    /* Sierra Wireless MC7750 */
        {QMI_FIXED_INTF(0x1199, 0x68a2, 8)},    /* Sierra Wireless MC7710 in QMI mode */
@@ -761,6 +767,7 @@ static const struct usb_device_id products[] = {
        {QMI_FIXED_INTF(0x413c, 0x81a9, 8)},    /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
        {QMI_FIXED_INTF(0x413c, 0x81b1, 8)},    /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
        {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)},    /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
+        {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)},    /* HP lt4120 Snapdragon X5 LTE */
        {QMI_FIXED_INTF(0x22de, 0x9061, 3)},    /* WeTelecom WPD-600N */
        {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)},    /* SIMCom 7230E */
@@ -854,6 +861,18 @@ static int qmi_wwan_probe(struct usb_interface *intf,
                id->driver_info = (unsigned long)&qmi_wwan_info;
        }
+        /* There are devices where the same interface number can be
+         * configured as different functions. We should only bind to
+         * vendor specific functions when matching on interface number
+         */
+        if (id->match_flags & USB_DEVICE_ID_MATCH_INT_NUMBER &&
+            desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC) {
+                dev_dbg(&intf->dev,
+                        "Rejecting interface number match for class %02x\n",
+                        desc->bInterfaceClass);
+                return -ENODEV;
+        }
        /* Quectel EC20 quirk where we've QMI on interface 4 instead of 0 */
        if (quectel_ec20_detected(intf) && desc->bInterfaceNumber == 0) {
                dev_dbg(&intf->dev, "Quectel EC20 quirk, skipping interface 0\n");
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 89950f5cea71..2bb336cb13ee 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -506,6 +506,7 @@ enum rtl8152_flags {
 #define VENDOR_ID_REALTEK               0x0bda
 #define VENDOR_ID_SAMSUNG               0x04e8
 #define VENDOR_ID_LENOVO                0x17ef
+#define VENDOR_ID_LINKSYS               0x13b1
 #define VENDOR_ID_NVIDIA                0x0955
 #define MCU_TYPE_PLA                    0x0100
@@ -1609,7 +1610,7 @@ static int r8152_tx_agg_fill(struct r8152 *tp, struct tx_agg *agg)
                tx_data += len;
                agg->skb_len += len;
-                agg->skb_num++;
+                agg->skb_num += skb_shinfo(skb)->gso_segs ?: 1;
                dev_kfree_skb_any(skb);
@@ -3138,7 +3139,8 @@ static int rtl8152_close(struct net_device *netdev)
 #ifdef CONFIG_PM_SLEEP
        unregister_pm_notifier(&tp->pm_notifier);
 #endif
-        napi_disable(&tp->napi);
+        if (!test_bit(RTL8152_UNPLUG, &tp->flags))
+                napi_disable(&tp->napi);
        clear_bit(WORK_ENABLE, &tp->flags);
        usb_kill_urb(tp->intr_urb);
        cancel_delayed_work_sync(&tp->schedule);
@@ -4376,6 +4378,7 @@ static struct usb_device_id rtl8152_table[] = {
        {REALTEK_USB_DEVICE(VENDOR_ID_SAMSUNG, 0xa101)},
        {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO,  0x7205)},
        {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO,  0x304f)},
+        {REALTEK_USB_DEVICE(VENDOR_ID_LINKSYS, 0x0041)},
        {REALTEK_USB_DEVICE(VENDOR_ID_NVIDIA,  0x09ff)},
        {}
 };
diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
index c5f375befd2f..7337e6c0e126 100644
--- a/drivers/net/usb/smsc75xx.c
+++ b/drivers/net/usb/smsc75xx.c
@@ -945,10 +945,11 @@ static int smsc75xx_set_features(struct net_device *netdev,
        /* it's racing here! */
        ret = smsc75xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl);
-        if (ret < 0)
+        if (ret < 0) {
                netdev_warn(dev->net, "Error writing RFE_CTL\n");
+                return ret;
-        return ret;
+        }
+        return 0;
 }
 static int smsc75xx_wait_ready(struct usbnet *dev, int in_pm)
diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index ba21d072be31..6b4cc1c2e6b4 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -399,6 +399,9 @@ static int veth_newlink(struct net *src_net, struct net_device *dev,
        if (ifmp && (dev->ifindex != 0))
                peer->ifindex = ifmp->ifi_index;
+        peer->gso_max_size = dev->gso_max_size;
+        peer->gso_max_segs = dev->gso_max_segs;
        err = register_netdevice(peer);
        put_net(net);
        net = NULL;
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 8dfc75250583..2759d386ade7 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -556,7 +556,12 @@ static int add_recvbuf_small(struct virtnet_info *vi, struct receive_queue *rq,
        hdr = skb_vnet_hdr(skb);
        sg_init_table(rq->sg, 2);
        sg_set_buf(rq->sg, hdr, vi->hdr_len);
-        skb_to_sgvec(skb, rq->sg + 1, 0, skb->len);
+        err = skb_to_sgvec(skb, rq->sg + 1, 0, skb->len);
+        if (unlikely(err < 0)) {
+                dev_kfree_skb(skb);
+                return err;
+        }
        err = virtqueue_add_inbuf(rq->vq, rq->sg, 2, skb, gfp);
        if (err < 0)
@@ -858,7 +863,7 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
        struct virtio_net_hdr_mrg_rxbuf *hdr;
        const unsigned char *dest = ((struct ethhdr *)skb->data)->h_dest;
        struct virtnet_info *vi = sq->vq->vdev->priv;
-        unsigned num_sg;
+        int num_sg;
        unsigned hdr_len = vi->hdr_len;
        bool can_push;
@@ -911,11 +916,16 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
        if (can_push) {
                __skb_push(skb, hdr_len);
                num_sg = skb_to_sgvec(skb, sq->sg, 0, skb->len);
+                if (unlikely(num_sg < 0))
+                        return num_sg;
                /* Pull header back to avoid skew in tx bytes calculations. */
                __skb_pull(skb, hdr_len);
        } else {
                sg_set_buf(sq->sg, hdr, hdr_len);
-                num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len) + 1;
+                num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len);
+                if (unlikely(num_sg < 0))
+                        return num_sg;
+                num_sg++;
        }
        return virtqueue_add_outbuf(sq->vq, sq->sg, num_sg, skb, GFP_ATOMIC);
 }
@@ -1902,8 +1912,8 @@ static int virtnet_probe(struct virtio_device *vdev)
        /* Assume link up if device can't report link status,
           otherwise get link status from config. */
+        netif_carrier_off(dev);
        if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) {
-                netif_carrier_off(dev);
                schedule_work(&vi->config_work);
        } else {
                vi->status = VIRTIO_NET_S_LINK_UP;
diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index 0cbf520cea77..419c045d0752 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -1563,7 +1563,6 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
                                          rq->rx_ring[i].basePA);
                        rq->rx_ring[i].base = NULL;
                }
-                rq->buf_info[i] = NULL;
        }
        if (rq->comp_ring.base) {
@@ -1578,6 +1577,7 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
                        (rq->rx_ring[0].size + rq->rx_ring[1].size);
                dma_free_coherent(&adapter->pdev->dev, sz, rq->buf_info[0],
                                  rq->buf_info_pa);
+                rq->buf_info[0] = rq->buf_info[1] = NULL;
        }
 }
@@ -2789,6 +2789,11 @@ vmxnet3_force_close(struct vmxnet3_adapter *adapter)
        /* we need to enable NAPI, otherwise dev_close will deadlock */
        for (i = 0; i < adapter->num_rx_queues; i++)
                napi_enable(&adapter->rx_queue[i].napi);
+        /*
+         * Need to clear the quiesce bit to ensure that vmxnet3_close
+         * can quiesce the device properly
+         */
+        clear_bit(VMXNET3_STATE_BIT_QUIESCED, &adapter->state);
        dev_close(adapter->netdev);
 }
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index ac945f8781ac..d3d59122a357 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -550,13 +550,15 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
        neigh = __ipv4_neigh_lookup_noref(dev, nexthop);
        if (unlikely(!neigh))
                neigh = __neigh_create(&arp_tbl, &nexthop, dev, false);
-        if (!IS_ERR(neigh))
+        if (!IS_ERR(neigh)) {
                ret = dst_neigh_output(dst, neigh, skb);
+                rcu_read_unlock_bh();
+                return ret;
+        }
        rcu_read_unlock_bh();
 err:
-        if (unlikely(ret < 0))
+        vrf_tx_error(skb->dev, skb);
-                vrf_tx_error(skb->dev, skb);
        return ret;
 }
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index dab3bf6649e6..c41378214ede 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -962,7 +962,7 @@ static bool vxlan_snoop(struct net_device *dev,
                        return false;
                /* Don't migrate static entries, drop packets */
-                if (f->state & NUD_NOARP)
+                if (f->state & (NUD_PERMANENT | NUD_NOARP))
                        return true;
                if (net_ratelimit())
@@ -2834,6 +2834,11 @@ static int vxlan_dev_configure(struct net *src_net, struct net_device *dev,
                needed_headroom = lowerdev->hard_header_len;
        }
+        if (lowerdev) {
+                dev->gso_max_size = lowerdev->gso_max_size;
+                dev->gso_max_segs = lowerdev->gso_max_segs;
+        }
        if (conf->mtu) {
                err = __vxlan_change_mtu(dev, lowerdev, dst, conf->mtu, false);
                if (err)
diff --git a/drivers/net/wan/hdlc_ppp.c b/drivers/net/wan/hdlc_ppp.c
index 0d7645581f91..4842344a96f1 100644
--- a/drivers/net/wan/hdlc_ppp.c
+++ b/drivers/net/wan/hdlc_ppp.c
@@ -574,7 +574,10 @@ static void ppp_timer(unsigned long arg)
                        ppp_cp_event(proto->dev, proto->pid, TO_GOOD, 0, 0,
                                     0, NULL);
                        proto->restart_counter--;
-                } else
+                } else if (netif_carrier_ok(proto->dev))
+                        ppp_cp_event(proto->dev, proto->pid, TO_GOOD, 0, 0,
+                                     0, NULL);
+                else
                        ppp_cp_event(proto->dev, proto->pid, TO_BAD, 0, 0,
                                     0, NULL);
                break;
diff --git a/drivers/net/wan/pc300too.c b/drivers/net/wan/pc300too.c
index db363856e0b5..2b064998915f 100644
--- a/drivers/net/wan/pc300too.c
+++ b/drivers/net/wan/pc300too.c
@@ -347,6 +347,7 @@ static int pc300_pci_init_one(struct pci_dev *pdev,
            card->rambase == NULL) {
                pr_err("ioremap() failed\n");
                pc300_pci_remove_one(pdev);
+                return -ENOMEM;
        }
        /* PLX PCI 9050 workaround for local configuration register read bug */
diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
index ee638cb8b48f..0c23768aa1ec 100644
--- a/drivers/net/wireless/ath/ath10k/core.c
+++ b/drivers/net/wireless/ath/ath10k/core.c
@@ -67,6 +67,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
                        .board_size = QCA988X_BOARD_DATA_SZ,
                        .board_ext_size = QCA988X_BOARD_EXT_DATA_SZ,
                },
+                .decap_align_bytes = 4,
        },
        {
                .id = QCA6174_HW_2_1_VERSION,
@@ -85,6 +86,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
                        .board_size = QCA6174_BOARD_DATA_SZ,
                        .board_ext_size = QCA6174_BOARD_EXT_DATA_SZ,
                },
+                .decap_align_bytes = 4,
        },
        {
                .id = QCA6174_HW_2_1_VERSION,
@@ -103,6 +105,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
                        .board_size = QCA6174_BOARD_DATA_SZ,
                        .board_ext_size = QCA6174_BOARD_EXT_DATA_SZ,
                },
+                .decap_align_bytes = 4,
        },
        {
                .id = QCA6174_HW_3_0_VERSION,
@@ -121,6 +124,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
                        .board_size = QCA6174_BOARD_DATA_SZ,
                        .board_ext_size = QCA6174_BOARD_EXT_DATA_SZ,
                },
+                .decap_align_bytes = 4,
        },
        {
                .id = QCA6174_HW_3_2_VERSION,
@@ -140,6 +144,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
                        .board_size = QCA6174_BOARD_DATA_SZ,
                        .board_ext_size = QCA6174_BOARD_EXT_DATA_SZ,
                },
+                .decap_align_bytes = 4,
        },
        {
                .id = QCA99X0_HW_2_0_DEV_VERSION,
@@ -159,6 +164,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
                        .board_size = QCA99X0_BOARD_DATA_SZ,
                        .board_ext_size = QCA99X0_BOARD_EXT_DATA_SZ,
                },
+                .decap_align_bytes = 1,
        },
        {
                .id = QCA9377_HW_1_0_DEV_VERSION,
@@ -177,6 +183,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
                        .board_size = QCA9377_BOARD_DATA_SZ,
                        .board_ext_size = QCA9377_BOARD_EXT_DATA_SZ,
                },
+                .decap_align_bytes = 4,
        },
        {
                .id = QCA9377_HW_1_1_DEV_VERSION,
@@ -195,6 +202,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
                        .board_size = QCA9377_BOARD_DATA_SZ,
                        .board_ext_size = QCA9377_BOARD_EXT_DATA_SZ,
                },
+                .decap_align_bytes = 4,
        },
 };
diff --git a/drivers/net/wireless/ath/ath10k/core.h b/drivers/net/wireless/ath/ath10k/core.h
index 858d75f49a9f..257836a0cfbc 100644
--- a/drivers/net/wireless/ath/ath10k/core.h
+++ b/drivers/net/wireless/ath/ath10k/core.h
@@ -670,6 +670,10 @@ struct ath10k {
                        size_t board_size;
                        size_t board_ext_size;
                } fw;
+                /* Number of bytes used for alignment in rx_hdr_status */
+                int decap_align_bytes;
        } hw_params;
        const struct firmware *board;
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index 1a88a24ffeac..30c357567054 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -1892,6 +1892,15 @@ static ssize_t ath10k_write_simulate_radar(struct file *file,
                                           size_t count, loff_t *ppos)
 {
        struct ath10k *ar = file->private_data;
+        struct ath10k_vif *arvif;
+        /* Just check for for the first vif alone, as all the vifs will be
+         * sharing the same channel and if the channel is disabled, all the
+         * vifs will share the same 'is_started' state.
+         */
+        arvif = list_first_entry(&ar->arvifs, typeof(*arvif), list);
+        if (!arvif->is_started)
+                return -EINVAL;
        ieee80211_radar_detected(ar->hw);
diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index 6060dda4e910..b32c47fe926d 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -979,7 +979,7 @@ static void ath10k_process_rx(struct ath10k *ar,
        *status = *rx_status;
        ath10k_dbg(ar, ATH10K_DBG_DATA,
-                   "rx skb %p len %u peer %pM %s %s sn %u %s%s%s%s%s %srate_idx %u vht_nss %u freq %u band %u flag 0x%x fcs-err %i mic-err %i amsdu-more %i\n",
+                   "rx skb %p len %u peer %pM %s %s sn %u %s%s%s%s%s %srate_idx %u vht_nss %u freq %u band %u flag 0x%llx fcs-err %i mic-err %i amsdu-more %i\n",
                   skb,
                   skb->len,
                   ieee80211_get_SA(hdr),
@@ -1076,7 +1076,21 @@ static void ath10k_htt_rx_h_undecap_raw(struct ath10k *ar,
        hdr = (void *)msdu->data;
        /* Tail */
-        skb_trim(msdu, msdu->len - ath10k_htt_rx_crypto_tail_len(ar, enctype));
+        if (status->flag & RX_FLAG_IV_STRIPPED) {
+                skb_trim(msdu, msdu->len -
+                         ath10k_htt_rx_crypto_tail_len(ar, enctype));
+        } else {
+                /* MIC */
+                if ((status->flag & RX_FLAG_MIC_STRIPPED) &&
+                    enctype == HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2)
+                        skb_trim(msdu, msdu->len - 8);
+                /* ICV */
+                if (status->flag & RX_FLAG_ICV_STRIPPED &&
+                    enctype != HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2)
+                        skb_trim(msdu, msdu->len -
+                                 ath10k_htt_rx_crypto_tail_len(ar, enctype));
+        }
        /* MMIC */
        if (!ieee80211_has_morefrags(hdr->frame_control) &&
@@ -1095,12 +1109,14 @@ static void ath10k_htt_rx_h_undecap_raw(struct ath10k *ar,
 static void ath10k_htt_rx_h_undecap_nwifi(struct ath10k *ar,
                                          struct sk_buff *msdu,
                                          struct ieee80211_rx_status *status,
-                                          const u8 first_hdr[64])
+                                          const u8 first_hdr[64],
+                                          enum htt_rx_mpdu_encrypt_type enctype)
 {
        struct ieee80211_hdr *hdr;
        size_t hdr_len;
        u8 da[ETH_ALEN];
        u8 sa[ETH_ALEN];
+        int bytes_aligned = ar->hw_params.decap_align_bytes;
        /* Delivered decapped frame:
         * [nwifi 802.11 header] <-- replaced with 802.11 hdr
@@ -1123,6 +1139,14 @@ static void ath10k_htt_rx_h_undecap_nwifi(struct ath10k *ar,
        /* push original 802.11 header */
        hdr = (struct ieee80211_hdr *)first_hdr;
        hdr_len = ieee80211_hdrlen(hdr->frame_control);
+        if (!(status->flag & RX_FLAG_IV_STRIPPED)) {
+                memcpy(skb_push(msdu,
+                                ath10k_htt_rx_crypto_param_len(ar, enctype)),
+                       (void *)hdr + round_up(hdr_len, bytes_aligned),
+                        ath10k_htt_rx_crypto_param_len(ar, enctype));
+        }
        memcpy(skb_push(msdu, hdr_len), hdr, hdr_len);
        /* original 802.11 header has a different DA and in
@@ -1142,6 +1166,7 @@ static void *ath10k_htt_rx_h_find_rfc1042(struct ath10k *ar,
        size_t hdr_len, crypto_len;
        void *rfc1042;
        bool is_first, is_last, is_amsdu;
+        int bytes_aligned = ar->hw_params.decap_align_bytes;
        rxd = (void *)msdu->data - sizeof(*rxd);
        hdr = (void *)rxd->rx_hdr_status;
@@ -1158,8 +1183,8 @@ static void *ath10k_htt_rx_h_find_rfc1042(struct ath10k *ar,
                hdr_len = ieee80211_hdrlen(hdr->frame_control);
                crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype);
-                rfc1042 += round_up(hdr_len, 4) +
+                rfc1042 += round_up(hdr_len, bytes_aligned) +
-                           round_up(crypto_len, 4);
+                           round_up(crypto_len, bytes_aligned);
        }
        if (is_amsdu)
@@ -1180,6 +1205,7 @@ static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar,
        void *rfc1042;
        u8 da[ETH_ALEN];
        u8 sa[ETH_ALEN];
+        int bytes_aligned = ar->hw_params.decap_align_bytes;
        /* Delivered decapped frame:
         * [eth header] <-- replaced with 802.11 hdr & rfc1042/llc
@@ -1203,6 +1229,14 @@ static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar,
        /* push original 802.11 header */
        hdr = (struct ieee80211_hdr *)first_hdr;
        hdr_len = ieee80211_hdrlen(hdr->frame_control);
+        if (!(status->flag & RX_FLAG_IV_STRIPPED)) {
+                memcpy(skb_push(msdu,
+                                ath10k_htt_rx_crypto_param_len(ar, enctype)),
+                       (void *)hdr + round_up(hdr_len, bytes_aligned),
+                        ath10k_htt_rx_crypto_param_len(ar, enctype));
+        }
        memcpy(skb_push(msdu, hdr_len), hdr, hdr_len);
        /* original 802.11 header has a different DA and in
@@ -1216,10 +1250,12 @@ static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar,
 static void ath10k_htt_rx_h_undecap_snap(struct ath10k *ar,
                                         struct sk_buff *msdu,
                                         struct ieee80211_rx_status *status,
-                                         const u8 first_hdr[64])
+                                         const u8 first_hdr[64],
+                                         enum htt_rx_mpdu_encrypt_type enctype)
 {
        struct ieee80211_hdr *hdr;
        size_t hdr_len;
+        int bytes_aligned = ar->hw_params.decap_align_bytes;
        /* Delivered decapped frame:
         * [amsdu header] <-- replaced with 802.11 hdr
@@ -1231,6 +1267,14 @@ static void ath10k_htt_rx_h_undecap_snap(struct ath10k *ar,
        hdr = (struct ieee80211_hdr *)first_hdr;
        hdr_len = ieee80211_hdrlen(hdr->frame_control);
+        if (!(status->flag & RX_FLAG_IV_STRIPPED)) {
+                memcpy(skb_push(msdu,
+                                ath10k_htt_rx_crypto_param_len(ar, enctype)),
+                       (void *)hdr + round_up(hdr_len, bytes_aligned),
+                        ath10k_htt_rx_crypto_param_len(ar, enctype));
+        }
        memcpy(skb_push(msdu, hdr_len), hdr, hdr_len);
 }
@@ -1265,13 +1309,15 @@ static void ath10k_htt_rx_h_undecap(struct ath10k *ar,
                                            is_decrypted);
                break;
        case RX_MSDU_DECAP_NATIVE_WIFI:
-                ath10k_htt_rx_h_undecap_nwifi(ar, msdu, status, first_hdr);
+                ath10k_htt_rx_h_undecap_nwifi(ar, msdu, status, first_hdr,
+                                              enctype);
                break;
        case RX_MSDU_DECAP_ETHERNET2_DIX:
                ath10k_htt_rx_h_undecap_eth(ar, msdu, status, first_hdr, enctype);
                break;
        case RX_MSDU_DECAP_8023_SNAP_LLC:
-                ath10k_htt_rx_h_undecap_snap(ar, msdu, status, first_hdr);
+                ath10k_htt_rx_h_undecap_snap(ar, msdu, status, first_hdr,
+                                             enctype);
                break;
        }
 }
@@ -1314,7 +1360,8 @@ static void ath10k_htt_rx_h_csum_offload(struct sk_buff *msdu)
 static void ath10k_htt_rx_h_mpdu(struct ath10k *ar,
                                 struct sk_buff_head *amsdu,
-                                 struct ieee80211_rx_status *status)
+                                 struct ieee80211_rx_status *status,
+                                 bool fill_crypt_header)
 {
        struct sk_buff *first;
        struct sk_buff *last;
@@ -1324,7 +1371,6 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar,
        enum htt_rx_mpdu_encrypt_type enctype;
        u8 first_hdr[64];
        u8 *qos;
-        size_t hdr_len;
        bool has_fcs_err;
        bool has_crypto_err;
        bool has_tkip_err;
@@ -1345,15 +1391,17 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar,
         * decapped header. It'll be used for undecapping of each MSDU.
         */
        hdr = (void *)rxd->rx_hdr_status;
-        hdr_len = ieee80211_hdrlen(hdr->frame_control);
+        memcpy(first_hdr, hdr, RX_HTT_HDR_STATUS_LEN);
-        memcpy(first_hdr, hdr, hdr_len);
        /* Each A-MSDU subframe will use the original header as the base and be
         * reported as a separate MSDU so strip the A-MSDU bit from QoS Ctl.
         */
        hdr = (void *)first_hdr;
-        qos = ieee80211_get_qos_ctl(hdr);
-        qos[0] &= ~IEEE80211_QOS_CTL_A_MSDU_PRESENT;
+        if (ieee80211_is_data_qos(hdr->frame_control)) {
+                qos = ieee80211_get_qos_ctl(hdr);
+                qos[0] &= ~IEEE80211_QOS_CTL_A_MSDU_PRESENT;
+        }
        /* Some attention flags are valid only in the last MSDU. */
        last = skb_peek_tail(amsdu);
@@ -1387,11 +1435,17 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar,
        if (has_tkip_err)
                status->flag |= RX_FLAG_MMIC_ERROR;
-        if (is_decrypted)
+        if (is_decrypted) {
                status->flag |= RX_FLAG_DECRYPTED |
-                                RX_FLAG_IV_STRIPPED |
                                RX_FLAG_MMIC_STRIPPED;
+                if (fill_crypt_header)
+                        status->flag |= RX_FLAG_MIC_STRIPPED |
+                                        RX_FLAG_ICV_STRIPPED;
+                else
+                        status->flag |= RX_FLAG_IV_STRIPPED;
+        }
        skb_queue_walk(amsdu, msdu) {
                ath10k_htt_rx_h_csum_offload(msdu);
                ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype,
@@ -1404,6 +1458,9 @@ static void ath10k_htt_rx_h_mpdu(struct ath10k *ar,
                if (!is_decrypted)
                        continue;
+                if (fill_crypt_header)
+                        continue;
                hdr = (void *)msdu->data;
                hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED);
        }
@@ -1414,6 +1471,9 @@ static void ath10k_htt_rx_h_deliver(struct ath10k *ar,
                                    struct ieee80211_rx_status *status)
 {
        struct sk_buff *msdu;
+        struct sk_buff *first_subframe;
+        first_subframe = skb_peek(amsdu);
        while ((msdu = __skb_dequeue(amsdu))) {
                /* Setup per-MSDU flags */
@@ -1422,6 +1482,13 @@ static void ath10k_htt_rx_h_deliver(struct ath10k *ar,
                else
                        status->flag |= RX_FLAG_AMSDU_MORE;
+                if (msdu == first_subframe) {
+                        first_subframe = NULL;
+                        status->flag &= ~RX_FLAG_ALLOW_SAME_PN;
+                } else {
+                        status->flag |= RX_FLAG_ALLOW_SAME_PN;
+                }
                ath10k_process_rx(ar, status, msdu);
        }
 }
@@ -1607,7 +1674,7 @@ static void ath10k_htt_rx_handler(struct ath10k_htt *htt,
                ath10k_htt_rx_h_ppdu(ar, &amsdu, rx_status, 0xffff);
                ath10k_htt_rx_h_unchain(ar, &amsdu, ret > 0);
                ath10k_htt_rx_h_filter(ar, &amsdu, rx_status);
-                ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status);
+                ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status, true);
                ath10k_htt_rx_h_deliver(ar, &amsdu, rx_status);
        }
@@ -1653,7 +1720,7 @@ static void ath10k_htt_rx_frag_handler(struct ath10k_htt *htt,
        ath10k_htt_rx_h_ppdu(ar, &amsdu, rx_status, 0xffff);
        ath10k_htt_rx_h_filter(ar, &amsdu, rx_status);
-        ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status);
+        ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status, true);
        ath10k_htt_rx_h_deliver(ar, &amsdu, rx_status);
        if (fw_desc_len > 0) {
@@ -1952,7 +2019,7 @@ static void ath10k_htt_rx_in_ord_ind(struct ath10k *ar, struct sk_buff *skb)
                         */
                        ath10k_htt_rx_h_ppdu(ar, &amsdu, status, vdev_id);
                        ath10k_htt_rx_h_filter(ar, &amsdu, status);
-                        ath10k_htt_rx_h_mpdu(ar, &amsdu, status);
+                        ath10k_htt_rx_h_mpdu(ar, &amsdu, status, false);
                        ath10k_htt_rx_h_deliver(ar, &amsdu, status);
                        break;
                case -EAGAIN:
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index bed8d89fe3a0..916b9b12edd2 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -5285,9 +5285,8 @@ static void ath10k_sta_rc_update_wk(struct work_struct *wk)
                                    sta->addr, smps, err);
        }
-        if (changed & IEEE80211_RC_SUPP_RATES_CHANGED ||
+        if (changed & IEEE80211_RC_SUPP_RATES_CHANGED) {
-            changed & IEEE80211_RC_NSS_CHANGED) {
+                ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM supp rates\n",
-                ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM supp rates/nss\n",
                           sta->addr);
                err = ath10k_station_assoc(ar, arvif->vif, sta, true);
@@ -5497,6 +5496,16 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
                           "mac vdev %d peer delete %pM (sta gone)\n",
                           arvif->vdev_id, sta->addr);
+                if (sta->tdls) {
+                        ret = ath10k_mac_tdls_peer_update(ar, arvif->vdev_id,
+                                                          sta,
+                                                          WMI_TDLS_PEER_STATE_TEARDOWN);
+                        if (ret)
+                                ath10k_warn(ar, "failed to update tdls peer state for %pM state %d: %i\n",
+                                            sta->addr,
+                                            WMI_TDLS_PEER_STATE_TEARDOWN, ret);
+                }
                ret = ath10k_peer_delete(ar, arvif->vdev_id, sta->addr);
                if (ret)
                        ath10k_warn(ar, "failed to delete peer %pM for vdev %d: %i\n",
@@ -6302,10 +6311,20 @@ static void ath10k_sta_rc_update(struct ieee80211_hw *hw,
 {
        struct ath10k *ar = hw->priv;
        struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
+        struct ath10k_vif *arvif = (void *)vif->drv_priv;
+        struct ath10k_peer *peer;
        u32 bw, smps;
        spin_lock_bh(&ar->data_lock);
+        peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr);
+        if (!peer) {
+                spin_unlock_bh(&ar->data_lock);
+                ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n",
+                            sta->addr, arvif->vdev_id);
+                return;
+        }
        ath10k_dbg(ar, ATH10K_DBG_MAC,
                   "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n",
                   sta->addr, changed, sta->bandwidth, sta->rx_nss,
@@ -6427,7 +6446,7 @@ ath10k_mac_update_rx_channel(struct ath10k *ar,
        lockdep_assert_held(&ar->data_lock);
        WARN_ON(ctx && vifs);
-        WARN_ON(vifs && n_vifs != 1);
+        WARN_ON(vifs && !n_vifs);
        /* FIXME: Sort of an optimization and a workaround. Peers and vifs are
         * on a linked list now. Doing a lookup peer -> vif -> chanctx for each
diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
index 72a4ef709577..a8b2553e8988 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.h
+++ b/drivers/net/wireless/ath/ath10k/wmi.h
@@ -4826,7 +4826,8 @@ enum wmi_10_4_vdev_param {
 #define WMI_VDEV_PARAM_TXBF_MU_TX_BFER BIT(3)
 #define WMI_TXBF_STS_CAP_OFFSET_LSB     4
-#define WMI_TXBF_STS_CAP_OFFSET_MASK    0xf0
+#define WMI_TXBF_STS_CAP_OFFSET_MASK    0x70
+#define WMI_TXBF_CONF_IMPLICIT_BF       BIT(7)
 #define WMI_BF_SOUND_DIM_OFFSET_LSB     8
 #define WMI_BF_SOUND_DIM_OFFSET_MASK    0xf00
diff --git a/drivers/net/wireless/ath/ath5k/debug.c b/drivers/net/wireless/ath/ath5k/debug.c
index 654a1e33f827..7c5f189cace7 100644
--- a/drivers/net/wireless/ath/ath5k/debug.c
+++ b/drivers/net/wireless/ath/ath5k/debug.c
@@ -939,7 +939,10 @@ static int open_file_eeprom(struct inode *inode, struct file *file)
        }
        for (i = 0; i < eesize; ++i) {
-                AR5K_EEPROM_READ(i, val);
+                if (!ath5k_hw_nvram_read(ah, i, &val)) {
+                        ret = -EIO;
+                        goto freebuf;
+                }
                buf[i] = val;
        }
diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
index 41382f89abe1..4435c7bbb625 100644
--- a/drivers/net/wireless/ath/ath9k/hw.c
+++ b/drivers/net/wireless/ath/ath9k/hw.c
@@ -1595,6 +1595,10 @@ bool ath9k_hw_check_alive(struct ath_hw *ah)
        int count = 50;
        u32 reg, last_val;
+        /* Check if chip failed to wake up */
+        if (REG_READ(ah, AR_CFG) == 0xdeadbeef)
+                return false;
        if (AR_SREV_9300(ah))
                return !ath9k_hw_detect_mac_hang(ah);
diff --git a/drivers/net/wireless/ath/regd.c b/drivers/net/wireless/ath/regd.c
index 06ea6cc9e30a..62077bda8dde 100644
--- a/drivers/net/wireless/ath/regd.c
+++ b/drivers/net/wireless/ath/regd.c
@@ -254,8 +254,12 @@ bool ath_is_49ghz_allowed(u16 regdomain)
 EXPORT_SYMBOL(ath_is_49ghz_allowed);
 /* Frequency is one where radar detection is required */
-static bool ath_is_radar_freq(u16 center_freq)
+static bool ath_is_radar_freq(u16 center_freq,
+                              struct ath_regulatory *reg)
 {
+        if (reg->country_code == CTRY_INDIA)
+                return (center_freq >= 5500 && center_freq <= 5700);
        return (center_freq >= 5260 && center_freq <= 5700);
 }
@@ -306,7 +310,7 @@ __ath_reg_apply_beaconing_flags(struct wiphy *wiphy,
                                enum nl80211_reg_initiator initiator,
                                struct ieee80211_channel *ch)
 {
-        if (ath_is_radar_freq(ch->center_freq) ||
+        if (ath_is_radar_freq(ch->center_freq, reg) ||
            (ch->flags & IEEE80211_CHAN_RADAR))
                return;
@@ -395,8 +399,9 @@ ath_reg_apply_ir_flags(struct wiphy *wiphy,
        }
 }
-/* Always apply Radar/DFS rules on freq range 5260 MHz - 5700 MHz */
+/* Always apply Radar/DFS rules on freq range 5500 MHz - 5700 MHz */
-static void ath_reg_apply_radar_flags(struct wiphy *wiphy)
+static void ath_reg_apply_radar_flags(struct wiphy *wiphy,
+                                      struct ath_regulatory *reg)
 {
        struct ieee80211_supported_band *sband;
        struct ieee80211_channel *ch;
@@ -409,7 +414,7 @@ static void ath_reg_apply_radar_flags(struct wiphy *wiphy)
        for (i = 0; i < sband->n_channels; i++) {
                ch = &sband->channels[i];
-                if (!ath_is_radar_freq(ch->center_freq))
+                if (!ath_is_radar_freq(ch->center_freq, reg))
                        continue;
                /* We always enable radar detection/DFS on this
                 * frequency range. Additionally we also apply on
@@ -505,7 +510,7 @@ void ath_reg_notifier_apply(struct wiphy *wiphy,
        struct ath_common *common = container_of(reg, struct ath_common,
                                                 regulatory);
        /* We always apply this */
-        ath_reg_apply_radar_flags(wiphy);
+        ath_reg_apply_radar_flags(wiphy, reg);
        /*
         * This would happen when we have sent a custom regulatory request
@@ -653,7 +658,7 @@ ath_regd_init_wiphy(struct ath_regulatory *reg,
        }
        wiphy_apply_custom_regulatory(wiphy, regd);
-        ath_reg_apply_radar_flags(wiphy);
+        ath_reg_apply_radar_flags(wiphy, reg);
        ath_reg_apply_world_flags(wiphy, NL80211_REGDOM_SET_BY_DRIVER, reg);
        return 0;
 }
diff --git a/drivers/net/wireless/ath/regd.h b/drivers/net/wireless/ath/regd.h
index 37f53bd8fcb1..184b6810cde9 100644
--- a/drivers/net/wireless/ath/regd.h
+++ b/drivers/net/wireless/ath/regd.h
@@ -68,12 +68,14 @@ enum CountryCode {
        CTRY_AUSTRALIA = 36,
        CTRY_AUSTRIA = 40,
        CTRY_AZERBAIJAN = 31,
+        CTRY_BAHAMAS = 44,
        CTRY_BAHRAIN = 48,
        CTRY_BANGLADESH = 50,
        CTRY_BARBADOS = 52,
        CTRY_BELARUS = 112,
        CTRY_BELGIUM = 56,
        CTRY_BELIZE = 84,
+        CTRY_BERMUDA = 60,
        CTRY_BOLIVIA = 68,
        CTRY_BOSNIA_HERZ = 70,
        CTRY_BRAZIL = 76,
@@ -159,6 +161,7 @@ enum CountryCode {
        CTRY_ROMANIA = 642,
        CTRY_RUSSIA = 643,
        CTRY_SAUDI_ARABIA = 682,
+        CTRY_SERBIA = 688,
        CTRY_SERBIA_MONTENEGRO = 891,
        CTRY_SINGAPORE = 702,
        CTRY_SLOVAKIA = 703,
@@ -170,11 +173,13 @@ enum CountryCode {
        CTRY_SWITZERLAND = 756,
        CTRY_SYRIA = 760,
        CTRY_TAIWAN = 158,
+        CTRY_TANZANIA = 834,
        CTRY_THAILAND = 764,
        CTRY_TRINIDAD_Y_TOBAGO = 780,
        CTRY_TUNISIA = 788,
        CTRY_TURKEY = 792,
        CTRY_UAE = 784,
+        CTRY_UGANDA = 800,
        CTRY_UKRAINE = 804,
        CTRY_UNITED_KINGDOM = 826,
        CTRY_UNITED_STATES = 840,
diff --git a/drivers/net/wireless/ath/regd_common.h b/drivers/net/wireless/ath/regd_common.h
index bdd2b4d61f2f..15bbd1e0d912 100644
--- a/drivers/net/wireless/ath/regd_common.h
+++ b/drivers/net/wireless/ath/regd_common.h
@@ -35,6 +35,7 @@ enum EnumRd {
        FRANCE_RES = 0x31,
        FCC3_FCCA = 0x3A,
        FCC3_WORLD = 0x3B,
+        FCC3_ETSIC = 0x3F,
        ETSI1_WORLD = 0x37,
        ETSI3_ETSIA = 0x32,
@@ -44,6 +45,7 @@ enum EnumRd {
        ETSI4_ETSIC = 0x38,
        ETSI5_WORLD = 0x39,
        ETSI6_WORLD = 0x34,
+        ETSI8_WORLD = 0x3D,
        ETSI_RESERVED = 0x33,
        MKK1_MKKA = 0x40,
@@ -59,6 +61,7 @@ enum EnumRd {
        MKK1_MKKA1 = 0x4A,
        MKK1_MKKA2 = 0x4B,
        MKK1_MKKC = 0x4C,
+        APL2_FCCA = 0x4D,
        APL3_FCCA = 0x50,
        APL1_WORLD = 0x52,
@@ -67,6 +70,7 @@ enum EnumRd {
        APL1_ETSIC = 0x55,
        APL2_ETSIC = 0x56,
        APL5_WORLD = 0x58,
+        APL13_WORLD = 0x5A,
        APL6_WORLD = 0x5B,
        APL7_FCCA = 0x5C,
        APL8_WORLD = 0x5D,
@@ -168,6 +172,7 @@ static struct reg_dmn_pair_mapping regDomainPairs[] = {
        {FCC2_ETSIC, CTL_FCC, CTL_ETSI},
        {FCC3_FCCA, CTL_FCC, CTL_FCC},
        {FCC3_WORLD, CTL_FCC, CTL_ETSI},
+        {FCC3_ETSIC, CTL_FCC, CTL_ETSI},
        {FCC4_FCCA, CTL_FCC, CTL_FCC},
        {FCC5_FCCA, CTL_FCC, CTL_FCC},
        {FCC6_FCCA, CTL_FCC, CTL_FCC},
@@ -179,6 +184,7 @@ static struct reg_dmn_pair_mapping regDomainPairs[] = {
        {ETSI4_WORLD, CTL_ETSI, CTL_ETSI},
        {ETSI5_WORLD, CTL_ETSI, CTL_ETSI},
        {ETSI6_WORLD, CTL_ETSI, CTL_ETSI},
+        {ETSI8_WORLD, CTL_ETSI, CTL_ETSI},
        /* XXX: For ETSI3_ETSIA, Was NO_CTL meant for the 2 GHz band ? */
        {ETSI3_ETSIA, CTL_ETSI, CTL_ETSI},
@@ -188,9 +194,11 @@ static struct reg_dmn_pair_mapping regDomainPairs[] = {
        {FCC1_FCCA, CTL_FCC, CTL_FCC},
        {APL1_WORLD, CTL_FCC, CTL_ETSI},
        {APL2_WORLD, CTL_FCC, CTL_ETSI},
+        {APL2_FCCA, CTL_FCC, CTL_FCC},
        {APL3_WORLD, CTL_FCC, CTL_ETSI},
        {APL4_WORLD, CTL_FCC, CTL_ETSI},
        {APL5_WORLD, CTL_FCC, CTL_ETSI},
+        {APL13_WORLD, CTL_ETSI, CTL_ETSI},
        {APL6_WORLD, CTL_ETSI, CTL_ETSI},
        {APL8_WORLD, CTL_ETSI, CTL_ETSI},
        {APL9_WORLD, CTL_ETSI, CTL_ETSI},
@@ -298,6 +306,7 @@ static struct country_code_to_enum_rd allCountries[] = {
        {CTRY_AUSTRALIA2, FCC6_WORLD, "AU"},
        {CTRY_AUSTRIA, ETSI1_WORLD, "AT"},
        {CTRY_AZERBAIJAN, ETSI4_WORLD, "AZ"},
+        {CTRY_BAHAMAS, FCC3_WORLD, "BS"},
        {CTRY_BAHRAIN, APL6_WORLD, "BH"},
        {CTRY_BANGLADESH, NULL1_WORLD, "BD"},
        {CTRY_BARBADOS, FCC2_WORLD, "BB"},
@@ -305,6 +314,7 @@ static struct country_code_to_enum_rd allCountries[] = {
        {CTRY_BELGIUM, ETSI1_WORLD, "BE"},
        {CTRY_BELGIUM2, ETSI4_WORLD, "BL"},
        {CTRY_BELIZE, APL1_ETSIC, "BZ"},
+        {CTRY_BERMUDA, FCC3_FCCA, "BM"},
        {CTRY_BOLIVIA, APL1_ETSIC, "BO"},
        {CTRY_BOSNIA_HERZ, ETSI1_WORLD, "BA"},
        {CTRY_BRAZIL, FCC3_WORLD, "BR"},
@@ -444,6 +454,7 @@ static struct country_code_to_enum_rd allCountries[] = {
        {CTRY_ROMANIA, NULL1_WORLD, "RO"},
        {CTRY_RUSSIA, NULL1_WORLD, "RU"},
        {CTRY_SAUDI_ARABIA, NULL1_WORLD, "SA"},
+        {CTRY_SERBIA, ETSI1_WORLD, "RS"},
        {CTRY_SERBIA_MONTENEGRO, ETSI1_WORLD, "CS"},
        {CTRY_SINGAPORE, APL6_WORLD, "SG"},
        {CTRY_SLOVAKIA, ETSI1_WORLD, "SK"},
@@ -455,10 +466,12 @@ static struct country_code_to_enum_rd allCountries[] = {
        {CTRY_SWITZERLAND, ETSI1_WORLD, "CH"},
        {CTRY_SYRIA, NULL1_WORLD, "SY"},
        {CTRY_TAIWAN, APL3_FCCA, "TW"},
+        {CTRY_TANZANIA, APL1_WORLD, "TZ"},
        {CTRY_THAILAND, FCC3_WORLD, "TH"},
        {CTRY_TRINIDAD_Y_TOBAGO, FCC3_WORLD, "TT"},
        {CTRY_TUNISIA, ETSI3_WORLD, "TN"},
        {CTRY_TURKEY, ETSI3_WORLD, "TR"},
+        {CTRY_UGANDA, FCC3_WORLD, "UG"},
        {CTRY_UKRAINE, NULL1_WORLD, "UA"},
        {CTRY_UAE, NULL1_WORLD, "AE"},
        {CTRY_UNITED_KINGDOM, ETSI1_WORLD, "GB"},
diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c
index 9bec8237231d..99c21aac68bd 100644
--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
+++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
@@ -57,7 +57,7 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
                       RX_FLAG_MMIC_STRIPPED |
                       RX_FLAG_DECRYPTED;
-        wcn36xx_dbg(WCN36XX_DBG_RX, "status.flags=%x\n", status.flag);
+        wcn36xx_dbg(WCN36XX_DBG_RX, "status.flags=%llx\n", status.flag);
        memcpy(IEEE80211_SKB_RXCB(skb), &status, sizeof(status));
diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c
index 85bca557a339..f09fafaaaf1a 100644
--- a/drivers/net/wireless/ath/wil6210/main.c
+++ b/drivers/net/wireless/ath/wil6210/main.c
@@ -125,9 +125,15 @@ void wil_memcpy_fromio_32(void *dst, const volatile void __iomem *src,
        u32 *d = dst;
        const volatile u32 __iomem *s = src;
-        /* size_t is unsigned, if (count%4 != 0) it will wrap */
+        for (; count >= 4; count -= 4)
-        for (count += 4; count > 4; count -= 4)
                *d++ = __raw_readl(s++);
+        if (unlikely(count)) {
+                /* count can be 1..3 */
+                u32 tmp = __raw_readl(s);
+                memcpy(d, &tmp, count);
+        }
 }
 void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src,
@@ -136,8 +142,16 @@ void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src,
        volatile u32 __iomem *d = dst;
        const u32 *s = src;
-        for (count += 4; count > 4; count -= 4)
+        for (; count >= 4; count -= 4)
                __raw_writel(*s++, d++);
+        if (unlikely(count)) {
+                /* count can be 1..3 */
+                u32 tmp = 0;
+                memcpy(&tmp, s, count);
+                __raw_writel(tmp, d);
+        }
 }
 static void wil_disconnect_cid(struct wil6210_priv *wil, int cid,
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
index 59cef6c69fe8..91da67657f81 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
@@ -1109,6 +1109,7 @@ static const struct sdio_device_id brcmf_sdmmc_ids[] = {
        BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43340),
        BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43341),
        BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43362),
+        BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43364),
        BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4335_4339),
        BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43430),
        BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4345),
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
index 83e5aa6a9f28..ad35e760ed3f 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
@@ -6167,7 +6167,7 @@ static void brcmf_cfg80211_reg_notifier(struct wiphy *wiphy,
                  req->alpha2[0], req->alpha2[1]);
        /* ignore non-ISO3166 country codes */
-        for (i = 0; i < sizeof(req->alpha2); i++)
+        for (i = 0; i < 2; i++)
                if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {
                        brcmf_err("not a ISO3166 code\n");
                        return;
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
index d224b3dd72ed..3196245ab820 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
@@ -461,25 +461,23 @@ static int brcmf_p2p_set_firmware(struct brcmf_if *ifp, u8 *p2p_mac)
 * @dev_addr: optional device address.
 *
 * P2P needs mac addresses for P2P device and interface. If no device
- * address it specified, these are derived from the primary net device, ie.
+ * address it specified, these are derived from a random ethernet
- * the permanent ethernet address of the device.
+ * address.
 */
 static void brcmf_p2p_generate_bss_mac(struct brcmf_p2p_info *p2p, u8 *dev_addr)
 {
-        struct brcmf_if *pri_ifp = p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif->ifp;
+        bool random_addr = false;
-        bool local_admin = false;
-        if (!dev_addr || is_zero_ether_addr(dev_addr)) {
+        if (!dev_addr || is_zero_ether_addr(dev_addr))
-                dev_addr = pri_ifp->mac_addr;
+                random_addr = true;
-                local_admin = true;
-        }
-        /* Generate the P2P Device Address.  This consists of the device's
+        /* Generate the P2P Device Address obtaining a random ethernet
-         * primary MAC address with the locally administered bit set.
+         * address with the locally administered bit set.
         */
-        memcpy(p2p->dev_addr, dev_addr, ETH_ALEN);
+        if (random_addr)
-        if (local_admin)
+                eth_random_addr(p2p->dev_addr);
-                p2p->dev_addr[0] |= 0x02;
+        else
+                memcpy(p2p->dev_addr, dev_addr, ETH_ALEN);
        /* Generate the P2P Interface Address.  If the discovery and connection
         * BSSCFGs need to simultaneously co-exist, then this address must be
diff --git a/drivers/net/wireless/cw1200/cw1200_spi.c b/drivers/net/wireless/cw1200/cw1200_spi.c
index a740083634d8..63f95e9c2992 100644
--- a/drivers/net/wireless/cw1200/cw1200_spi.c
+++ b/drivers/net/wireless/cw1200/cw1200_spi.c
@@ -446,8 +446,7 @@ static int cw1200_spi_disconnect(struct spi_device *func)
        return 0;
 }
-#ifdef CONFIG_PM
+static int __maybe_unused cw1200_spi_suspend(struct device *dev)
-static int cw1200_spi_suspend(struct device *dev)
 {
        struct hwbus_priv *self = spi_get_drvdata(to_spi_device(dev));
@@ -460,16 +459,12 @@ static int cw1200_spi_suspend(struct device *dev)
 static SIMPLE_DEV_PM_OPS(cw1200_pm_ops, cw1200_spi_suspend, NULL);
-#endif
 static struct spi_driver spi_driver = {
        .probe          = cw1200_spi_probe,
        .remove         = cw1200_spi_disconnect,
        .driver = {
                .name           = "cw1200_wlan_spi",
-#ifdef CONFIG_PM
+                .pm             = IS_ENABLED(CONFIG_PM) ? &cw1200_pm_ops : NULL,
-                .pm             = &cw1200_pm_ops,
-#endif
        },
 };
diff --git a/drivers/net/wireless/cw1200/pm.h b/drivers/net/wireless/cw1200/pm.h
index 3ed90ff22bb8..534548470ebc 100644
--- a/drivers/net/wireless/cw1200/pm.h
+++ b/drivers/net/wireless/cw1200/pm.h
@@ -31,13 +31,18 @@ int cw1200_pm_init(struct cw1200_pm_state *pm,
 void cw1200_pm_deinit(struct cw1200_pm_state *pm);
 int cw1200_wow_suspend(struct ieee80211_hw *hw,
                       struct cfg80211_wowlan *wowlan);
-int cw1200_wow_resume(struct ieee80211_hw *hw);
 int cw1200_can_suspend(struct cw1200_common *priv);
+int cw1200_wow_resume(struct ieee80211_hw *hw);
 void cw1200_pm_stay_awake(struct cw1200_pm_state *pm,
                          unsigned long tmo);
 #else
 static inline void cw1200_pm_stay_awake(struct cw1200_pm_state *pm,
-                                        unsigned long tmo) {
+                                        unsigned long tmo)
+{
+}
+static inline int cw1200_can_suspend(struct cw1200_common *priv)
+{
+        return 0;
 }
 #endif
 #endif
diff --git a/drivers/net/wireless/cw1200/wsm.c b/drivers/net/wireless/cw1200/wsm.c
index 9e0ca3048657..3dd46c78c1cc 100644
--- a/drivers/net/wireless/cw1200/wsm.c
+++ b/drivers/net/wireless/cw1200/wsm.c
@@ -379,7 +379,6 @@ static int wsm_multi_tx_confirm(struct cw1200_common *priv,
 {
        int ret;
        int count;
-        int i;
        count = WSM_GET32(buf);
        if (WARN_ON(count <= 0))
@@ -395,11 +394,10 @@ static int wsm_multi_tx_confirm(struct cw1200_common *priv,
        }
        cw1200_debug_txed_multi(priv, count);
-        for (i = 0; i < count; ++i) {
+        do {
                ret = wsm_tx_confirm(priv, buf, link_id);
-                if (ret)
+        } while (!ret && --count);
-                        return ret;
-        }
        return ret;
 underflow:
diff --git a/drivers/net/wireless/iwlwifi/pcie/rx.c b/drivers/net/wireless/iwlwifi/pcie/rx.c
index e06591f625c4..d6f9858ff2de 100644
--- a/drivers/net/wireless/iwlwifi/pcie/rx.c
+++ b/drivers/net/wireless/iwlwifi/pcie/rx.c
@@ -713,6 +713,8 @@ int iwl_pcie_rx_init(struct iwl_trans *trans)
                                                WQ_HIGHPRI | WQ_UNBOUND, 1);
        INIT_WORK(&rba->rx_alloc, iwl_pcie_rx_allocator_work);
+        cancel_work_sync(&rba->rx_alloc);
        spin_lock(&rba->lock);
        atomic_set(&rba->req_pending, 0);
        atomic_set(&rba->req_ready, 0);
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index f877fbc7d7af..e8b770a95f7a 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -699,16 +699,21 @@ static int hwsim_fops_ps_write(void *dat, u64 val)
            val != PS_MANUAL_POLL)
                return -EINVAL;
-        old_ps = data->ps;
-        data->ps = val;
-        local_bh_disable();
        if (val == PS_MANUAL_POLL) {
+                if (data->ps != PS_ENABLED)
+                        return -EINVAL;
+                local_bh_disable();
                ieee80211_iterate_active_interfaces_atomic(
                        data->hw, IEEE80211_IFACE_ITER_NORMAL,
                        hwsim_send_ps_poll, data);
-                data->ps_poll_pending = true;
+                local_bh_enable();
-        } else if (old_ps == PS_DISABLED && val != PS_DISABLED) {
+                return 0;
+        }
+        old_ps = data->ps;
+        data->ps = val;
+        local_bh_disable();
+        if (old_ps == PS_DISABLED && val != PS_DISABLED) {
                ieee80211_iterate_active_interfaces_atomic(
                        data->hw, IEEE80211_IFACE_ITER_NORMAL,
                        hwsim_send_nullfunc_ps, data);
@@ -2920,8 +2925,10 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)
        if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) {
                u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]);
-                if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom))
+                if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) {
+                        kfree(hwname);
                        return -EINVAL;
+                }
                param.regd = hwsim_world_regdom_custom[idx];
        }
diff --git a/drivers/net/wireless/mediatek/mt7601u/mcu.c b/drivers/net/wireless/mediatek/mt7601u/mcu.c
index fbb1986eda3c..686b1b5dd394 100644
--- a/drivers/net/wireless/mediatek/mt7601u/mcu.c
+++ b/drivers/net/wireless/mediatek/mt7601u/mcu.c
@@ -66,8 +66,10 @@ mt7601u_mcu_msg_alloc(struct mt7601u_dev *dev, const void *data, int len)
        WARN_ON(len % 4); /* if length is not divisible by 4 we need to pad */
        skb = alloc_skb(len + MT_DMA_HDR_LEN + 4, GFP_KERNEL);
-        skb_reserve(skb, MT_DMA_HDR_LEN);
+        if (skb) {
-        memcpy(skb_put(skb, len), data, len);
+                skb_reserve(skb, MT_DMA_HDR_LEN);
+                memcpy(skb_put(skb, len), data, len);
+        }
        return skb;
 }
@@ -170,6 +172,8 @@ static int mt7601u_mcu_function_select(struct mt7601u_dev *dev,
        };
        skb = mt7601u_mcu_msg_alloc(dev, &msg, sizeof(msg));
+        if (!skb)
+                return -ENOMEM;
        return mt7601u_mcu_msg_send(dev, skb, CMD_FUN_SET_OP, func == 5);
 }
@@ -205,6 +209,8 @@ mt7601u_mcu_calibrate(struct mt7601u_dev *dev, enum mcu_calibrate cal, u32 val)
        };
        skb = mt7601u_mcu_msg_alloc(dev, &msg, sizeof(msg));
+        if (!skb)
+                return -ENOMEM;
        return mt7601u_mcu_msg_send(dev, skb, CMD_CALIBRATION_OP, true);
 }
diff --git a/drivers/net/wireless/mwifiex/usb.c b/drivers/net/wireless/mwifiex/usb.c
index e43aff932360..1a1b1de87583 100644
--- a/drivers/net/wireless/mwifiex/usb.c
+++ b/drivers/net/wireless/mwifiex/usb.c
@@ -624,6 +624,9 @@ static void mwifiex_usb_disconnect(struct usb_interface *intf)
                                         MWIFIEX_FUNC_SHUTDOWN);
        }
+        if (adapter->workqueue)
+                flush_workqueue(adapter->workqueue);
        mwifiex_usb_free(card);
        mwifiex_dbg(adapter, FATAL,
diff --git a/drivers/net/wireless/mwifiex/util.c b/drivers/net/wireless/mwifiex/util.c
index 0cec8a64473e..eb5ffa5b1c6c 100644
--- a/drivers/net/wireless/mwifiex/util.c
+++ b/drivers/net/wireless/mwifiex/util.c
@@ -702,12 +702,14 @@ void mwifiex_hist_data_set(struct mwifiex_private *priv, u8 rx_rate, s8 snr,
                           s8 nflr)
 {
        struct mwifiex_histogram_data *phist_data = priv->hist_data;
+        s8 nf   = -nflr;
+        s8 rssi = snr - nflr;
        atomic_inc(&phist_data->num_samples);
        atomic_inc(&phist_data->rx_rate[rx_rate]);
-        atomic_inc(&phist_data->snr[snr]);
+        atomic_inc(&phist_data->snr[snr + 128]);
-        atomic_inc(&phist_data->noise_flr[128 + nflr]);
+        atomic_inc(&phist_data->noise_flr[nf + 128]);
-        atomic_inc(&phist_data->sig_str[nflr - snr]);
+        atomic_inc(&phist_data->sig_str[rssi + 128]);
 }
 /* function to reset histogram data during init/reset */
diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
index 0881ba8535f4..c78abfc7bd96 100644
--- a/drivers/net/wireless/ray_cs.c
+++ b/drivers/net/wireless/ray_cs.c
@@ -247,7 +247,10 @@ static const UCHAR b4_default_startup_parms[] = {
        0x04, 0x08,             /* Noise gain, limit offset */
        0x28, 0x28,             /* det rssi, med busy offsets */
        7,                      /* det sync thresh */
-        0, 2, 2                 /* test mode, min, max */
+        0, 2, 2,                /* test mode, min, max */
+        0,                      /* rx/tx delay */
+        0, 0, 0, 0, 0, 0,       /* current BSS id */
+        0                       /* hop set */
 };
 /*===========================================================================*/
@@ -598,7 +601,7 @@ static void init_startup_params(ray_dev_t *local)
         *    a_beacon_period = hops    a_beacon_period = KuS
         *//* 64ms = 010000 */
        if (local->fw_ver == 0x55) {
-                memcpy((UCHAR *) &local->sparm.b4, b4_default_startup_parms,
+                memcpy(&local->sparm.b4, b4_default_startup_parms,
                       sizeof(struct b4_startup_params));
                /* Translate sane kus input values to old build 4/5 format */
                /* i = hop time in uS truncated to 3 bytes */
diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index b7f72f9c7988..b3691712df61 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -1454,6 +1454,7 @@ static int rtl8187_probe(struct usb_interface *intf,
                goto err_free_dev;
        }
        mutex_init(&priv->io_mutex);
+        mutex_init(&priv->conf_mutex);
        SET_IEEE80211_DEV(dev, &intf->dev);
        usb_set_intfdata(intf, dev);
@@ -1627,7 +1628,6 @@ static int rtl8187_probe(struct usb_interface *intf,
                printk(KERN_ERR "rtl8187: Cannot register device\n");
                goto err_free_dmabuf;
        }
-        mutex_init(&priv->conf_mutex);
        skb_queue_head_init(&priv->b_tx_status.queue);
        wiphy_info(dev->wiphy, "hwaddr %pM, %s V%d + %s, rfkill mask %d\n",
diff --git a/drivers/net/wireless/realtek/rtlwifi/core.c b/drivers/net/wireless/realtek/rtlwifi/core.c
index 8b537a5a4b01..8006f0972ad1 100644
--- a/drivers/net/wireless/realtek/rtlwifi/core.c
+++ b/drivers/net/wireless/realtek/rtlwifi/core.c
@@ -135,7 +135,6 @@ found_alt:
                       firmware->size);
                rtlpriv->rtlhal.wowlan_fwsize = firmware->size;
        }
-        rtlpriv->rtlhal.fwsize = firmware->size;
        release_firmware(firmware);
 }
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index c48b7e8ee0d6..b51815eccdb3 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -1572,7 +1572,14 @@ int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw)
                                dev_kfree_skb_irq(skb);
                                ring->idx = (ring->idx + 1) % ring->entries;
                        }
+                        if (rtlpriv->use_new_trx_flow) {
+                                rtlpci->tx_ring[i].cur_tx_rp = 0;
+                                rtlpci->tx_ring[i].cur_tx_wp = 0;
+                        }
                        ring->idx = 0;
+                        ring->entries = rtlpci->txringcount[i];
                }
        }
        spin_unlock_irqrestore(&rtlpriv->locks.irq_th_lock, flags);
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/rf.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/rf.c
index 5624ade92cc0..c2a156a8acec 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/rf.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/rf.c
@@ -304,9 +304,6 @@ static void _rtl92c_get_txpower_writeval_by_regulatory(struct ieee80211_hw *hw,
                        writeVal = 0x00000000;
                if (rtlpriv->dm.dynamic_txhighpower_lvl == TXHIGHPWRLEVEL_BT1)
                        writeVal = writeVal - 0x06060606;
-                else if (rtlpriv->dm.dynamic_txhighpower_lvl ==
-                         TXHIGHPWRLEVEL_BT2)
-                        writeVal = writeVal;
                *(p_outwriteval + rf) = writeVal;
        }
 }
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
index 5a3df9198ddf..89515f02c353 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
@@ -1123,7 +1123,8 @@ static void _rtl8723be_enable_aspm_back_door(struct ieee80211_hw *hw)
        /* Configuration Space offset 0x70f BIT7 is used to control L0S */
        tmp8 = _rtl8723be_dbi_read(rtlpriv, 0x70f);
-        _rtl8723be_dbi_write(rtlpriv, 0x70f, tmp8 | BIT(7));
+        _rtl8723be_dbi_write(rtlpriv, 0x70f, tmp8 | BIT(7) |
+                             ASPM_L1_LATENCY << 3);
        /* Configuration Space offset 0x719 Bit3 is for L1
         * BIT4 is for clock request
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c
index b57cfd965196..7b13962ec9da 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c
@@ -2488,9 +2488,9 @@ void rtl8821ae_dm_txpower_tracking_callback_thermalmeter(
                for (p = RF90_PATH_A; p < MAX_PATH_NUM_8821A; p++)
                        rtldm->swing_idx_ofdm_base[p] = rtldm->swing_idx_ofdm[p];
-                        RT_TRACE(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD,
+                RT_TRACE(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD,
-                                 "pDM_Odm->RFCalibrateInfo.ThermalValue = %d ThermalValue= %d\n",
+                         "pDM_Odm->RFCalibrateInfo.ThermalValue = %d ThermalValue= %d\n",
-                                 rtldm->thermalvalue, thermal_value);
+                         rtldm->thermalvalue, thermal_value);
                /*Record last Power Tracking Thermal Value*/
                rtldm->thermalvalue = thermal_value;
        }
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
index 738d541a2255..348ed1b0e58b 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
@@ -1127,7 +1127,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl_priv *rtlpriv, u16 addr)
        }
        if (0 == tmp) {
                read_addr = REG_DBI_RDATA + addr % 4;
-                ret = rtl_read_word(rtlpriv, read_addr);
+                ret = rtl_read_byte(rtlpriv, read_addr);
        }
        return ret;
 }
@@ -1169,7 +1169,8 @@ static void _rtl8821ae_enable_aspm_back_door(struct ieee80211_hw *hw)
        }
        tmp = _rtl8821ae_dbi_read(rtlpriv, 0x70f);
-        _rtl8821ae_dbi_write(rtlpriv, 0x70f, tmp | BIT(7));
+        _rtl8821ae_dbi_write(rtlpriv, 0x70f, tmp | BIT(7) |
+                             ASPM_L1_LATENCY << 3);
        tmp = _rtl8821ae_dbi_read(rtlpriv, 0x719);
        _rtl8821ae_dbi_write(rtlpriv, 0x719, tmp | BIT(3) | BIT(4));
diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
index b6faf624480e..d676d055feda 100644
--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
@@ -99,6 +99,7 @@
 #define RTL_USB_MAX_RX_COUNT                    100
 #define QBSS_LOAD_SIZE                          5
 #define MAX_WMMELE_LENGTH                       64
+#define ASPM_L1_LATENCY                         7
 #define TOTAL_CAM_ENTRY                         32
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index a13d1f2b5912..259590013382 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -3425,6 +3425,10 @@ static int rndis_wlan_bind(struct usbnet *usbdev, struct usb_interface *intf)
        /* because rndis_command() sleeps we need to use workqueue */
        priv->workqueue = create_singlethread_workqueue("rndis_wlan");
+        if (!priv->workqueue) {
+                wiphy_free(wiphy);
+                return -ENOMEM;
+        }
        INIT_WORK(&priv->work, rndis_wlan_worker);
        INIT_DELAYED_WORK(&priv->dev_poller_work, rndis_device_poller);
        INIT_DELAYED_WORK(&priv->scan_work, rndis_get_scan_results);
diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c
index 8428858204a6..fc895b466ebb 100644
--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c
+++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c
@@ -155,7 +155,6 @@ static void rsi_reset_card(struct sdio_func *pfunction)
        int err;
        struct mmc_card *card = pfunction->card;
        struct mmc_host *host = card->host;
-        s32 bit = (fls(host->ocr_avail) - 1);
        u8 cmd52_resp;
        u32 clock, resp, i;
        u16 rca;
@@ -175,7 +174,6 @@ static void rsi_reset_card(struct sdio_func *pfunction)
        msleep(20);
        /* Initialize the SDIO card */
-        host->ios.vdd = bit;
        host->ios.chip_select = MMC_CS_DONTCARE;
        host->ios.bus_mode = MMC_BUSMODE_OPENDRAIN;
        host->ios.power_mode = MMC_POWER_UP;
diff --git a/drivers/net/wireless/ti/wl1251/main.c b/drivers/net/wireless/ti/wl1251/main.c
index 9bee3f11898a..869411f55d88 100644
--- a/drivers/net/wireless/ti/wl1251/main.c
+++ b/drivers/net/wireless/ti/wl1251/main.c
@@ -1196,8 +1196,7 @@ static void wl1251_op_bss_info_changed(struct ieee80211_hw *hw,
                WARN_ON(wl->bss_type != BSS_TYPE_STA_BSS);
                enable = bss_conf->arp_addr_cnt == 1 && bss_conf->assoc;
-                wl1251_acx_arp_ip_filter(wl, enable, addr);
+                ret = wl1251_acx_arp_ip_filter(wl, enable, addr);
                if (ret < 0)
                        goto out_sleep;
        }
diff --git a/drivers/net/wireless/ti/wlcore/sdio.c b/drivers/net/wireless/ti/wlcore/sdio.c
index d0228457befe..031528669510 100644
--- a/drivers/net/wireless/ti/wlcore/sdio.c
+++ b/drivers/net/wireless/ti/wlcore/sdio.c
@@ -388,6 +388,11 @@ static int wl1271_suspend(struct device *dev)
        mmc_pm_flag_t sdio_flags;
        int ret = 0;
+        if (!wl) {
+                dev_err(dev, "no wilink module was probed\n");
+                goto out;
+        }
        dev_dbg(dev, "wl1271 suspend. wow_enabled: %d\n",
                wl->wow_enabled);
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index fd221cc4cb79..68d0a5c9d437 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -86,6 +86,9 @@ struct netfront_cb {
 /* IRQ name is queue name with "-tx" or "-rx" appended */
 #define IRQ_NAME_SIZE (QUEUE_NAME_SIZE + 3)
+static DECLARE_WAIT_QUEUE_HEAD(module_load_q);
+static DECLARE_WAIT_QUEUE_HEAD(module_unload_q);
 struct netfront_stats {
        u64                     packets;
        u64                     bytes;
@@ -236,7 +239,7 @@ static void rx_refill_timeout(unsigned long data)
 static int netfront_tx_slot_available(struct netfront_queue *queue)
 {
        return (queue->tx.req_prod_pvt - queue->tx.rsp_cons) <
-                (NET_TX_RING_SIZE - MAX_SKB_FRAGS - 2);
+                (NET_TX_RING_SIZE - XEN_NETIF_NR_SLOTS_MIN - 1);
 }
 static void xennet_maybe_wake_tx(struct netfront_queue *queue)
@@ -340,6 +343,9 @@ static int xennet_open(struct net_device *dev)
        unsigned int i = 0;
        struct netfront_queue *queue = NULL;
+        if (!np->queues)
+                return -ENODEV;
        for (i = 0; i < num_queues; ++i) {
                queue = &np->queues[i];
                napi_enable(&queue->napi);
@@ -770,7 +776,7 @@ static int xennet_get_responses(struct netfront_queue *queue,
        RING_IDX cons = queue->rx.rsp_cons;
        struct sk_buff *skb = xennet_get_rx_skb(queue, cons);
        grant_ref_t ref = xennet_get_rx_ref(queue, cons);
-        int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD);
+        int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD);
        int slots = 1;
        int err = 0;
        unsigned long ret;
@@ -873,7 +879,6 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
                                  struct sk_buff *skb,
                                  struct sk_buff_head *list)
 {
-        struct skb_shared_info *shinfo = skb_shinfo(skb);
        RING_IDX cons = queue->rx.rsp_cons;
        struct sk_buff *nskb;
@@ -882,15 +887,16 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
                        RING_GET_RESPONSE(&queue->rx, ++cons);
                skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
-                if (shinfo->nr_frags == MAX_SKB_FRAGS) {
+                if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
                        unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
                        BUG_ON(pull_to <= skb_headlen(skb));
                        __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
                }
-                BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
+                BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS);
-                skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag),
+                skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+                                skb_frag_page(nfrag),
                                rx->offset, rx->status, PAGE_SIZE);
                skb_shinfo(nskb)->nr_frags = 0;
@@ -1329,6 +1335,12 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev)
        netif_carrier_off(netdev);
+        xenbus_switch_state(dev, XenbusStateInitialising);
+        wait_event(module_load_q,
+                           xenbus_read_driver_state(dev->otherend) !=
+                           XenbusStateClosed &&
+                           xenbus_read_driver_state(dev->otherend) !=
+                           XenbusStateUnknown);
        return netdev;
 exit:
@@ -1360,18 +1372,8 @@ static int netfront_probe(struct xenbus_device *dev,
 #ifdef CONFIG_SYSFS
        info->netdev->sysfs_groups[0] = &xennet_dev_group;
 #endif
-        err = register_netdev(info->netdev);
-        if (err) {
-                pr_warn("%s: register_netdev err=%d\n", __func__, err);
-                goto fail;
-        }
        return 0;
- fail:
-        xennet_free_netdev(netdev);
-        dev_set_drvdata(&dev->dev, NULL);
-        return err;
 }
 static void xennet_end_access(int ref, void *page)
@@ -1740,8 +1742,6 @@ static void xennet_destroy_queues(struct netfront_info *info)
 {
        unsigned int i;
-        rtnl_lock();
        for (i = 0; i < info->netdev->real_num_tx_queues; i++) {
                struct netfront_queue *queue = &info->queues[i];
@@ -1750,8 +1750,6 @@ static void xennet_destroy_queues(struct netfront_info *info)
                netif_napi_del(&queue->napi);
        }
-        rtnl_unlock();
        kfree(info->queues);
        info->queues = NULL;
 }
@@ -1767,8 +1765,6 @@ static int xennet_create_queues(struct netfront_info *info,
        if (!info->queues)
                return -ENOMEM;
-        rtnl_lock();
        for (i = 0; i < *num_queues; i++) {
                struct netfront_queue *queue = &info->queues[i];
@@ -1777,7 +1773,7 @@ static int xennet_create_queues(struct netfront_info *info,
                ret = xennet_init_queue(queue);
                if (ret < 0) {
-                        dev_warn(&info->netdev->dev,
+                        dev_warn(&info->xbdev->dev,
                                 "only created %d queues\n", i);
                        *num_queues = i;
                        break;
@@ -1791,10 +1787,8 @@ static int xennet_create_queues(struct netfront_info *info,
        netif_set_real_num_tx_queues(info->netdev, *num_queues);
-        rtnl_unlock();
        if (*num_queues == 0) {
-                dev_err(&info->netdev->dev, "no queues\n");
+                dev_err(&info->xbdev->dev, "no queues\n");
                return -EINVAL;
        }
        return 0;
@@ -1836,6 +1830,7 @@ static int talk_to_netback(struct xenbus_device *dev,
                goto out;
        }
+        rtnl_lock();
        if (info->queues)
                xennet_destroy_queues(info);
@@ -1846,6 +1841,7 @@ static int talk_to_netback(struct xenbus_device *dev,
                info->queues = NULL;
                goto out;
        }
+        rtnl_unlock();
        /* Create shared ring, alloc event channel -- for each queue */
        for (i = 0; i < num_queues; ++i) {
@@ -1942,8 +1938,10 @@ abort_transaction_no_dev_fatal:
        xenbus_transaction_end(xbt, 1);
 destroy_ring:
        xennet_disconnect_backend(info);
+        rtnl_lock();
        xennet_destroy_queues(info);
 out:
+        rtnl_unlock();
        device_unregister(&dev->dev);
        return err;
 }
@@ -1979,6 +1977,15 @@ static int xennet_connect(struct net_device *dev)
        netdev_update_features(dev);
        rtnl_unlock();
+        if (dev->reg_state == NETREG_UNINITIALIZED) {
+                err = register_netdev(dev);
+                if (err) {
+                        pr_warn("%s: register_netdev err=%d\n", __func__, err);
+                        device_unregister(&np->xbdev->dev);
+                        return err;
+                }
+        }
        /*
         * All public and private state should now be sane.  Get
         * ready to start sending and receiving packets and give the driver
@@ -2021,7 +2028,10 @@ static void netback_changed(struct xenbus_device *dev,
        case XenbusStateInitialised:
        case XenbusStateReconfiguring:
        case XenbusStateReconfigured:
+                break;
        case XenbusStateUnknown:
+                wake_up_all(&module_unload_q);
                break;
        case XenbusStateInitWait:
@@ -2037,10 +2047,12 @@ static void netback_changed(struct xenbus_device *dev,
                break;
        case XenbusStateClosed:
+                wake_up_all(&module_unload_q);
                if (dev->state == XenbusStateClosed)
                        break;
                /* Missed the backend's CLOSING state -- fallthrough */
        case XenbusStateClosing:
+                wake_up_all(&module_unload_q);
                xenbus_frontend_closed(dev);
                break;
        }
@@ -2146,12 +2158,32 @@ static int xennet_remove(struct xenbus_device *dev)
        dev_dbg(&dev->dev, "%s\n", dev->nodename);
+        if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) {
+                xenbus_switch_state(dev, XenbusStateClosing);
+                wait_event(module_unload_q,
+                           xenbus_read_driver_state(dev->otherend) ==
+                           XenbusStateClosing ||
+                           xenbus_read_driver_state(dev->otherend) ==
+                           XenbusStateUnknown);
+                xenbus_switch_state(dev, XenbusStateClosed);
+                wait_event(module_unload_q,
+                           xenbus_read_driver_state(dev->otherend) ==
+                           XenbusStateClosed ||
+                           xenbus_read_driver_state(dev->otherend) ==
+                           XenbusStateUnknown);
+        }
        xennet_disconnect_backend(info);
-        unregister_netdev(info->netdev);
+        if (info->netdev->reg_state == NETREG_REGISTERED)
+                unregister_netdev(info->netdev);
-        if (info->queues)
+        if (info->queues) {
+                rtnl_lock();
                xennet_destroy_queues(info);
+                rtnl_unlock();
+        }
        xennet_free_netdev(info->netdev);
        return 0;
diff --git a/drivers/nfc/nfcmrvl/fw_dnld.c b/drivers/nfc/nfcmrvl/fw_dnld.c
index af62c4c854f3..b4f31dad40d6 100644
--- a/drivers/nfc/nfcmrvl/fw_dnld.c
+++ b/drivers/nfc/nfcmrvl/fw_dnld.c
@@ -17,7 +17,7 @@
 */
 #include <linux/module.h>
-#include <linux/unaligned/access_ok.h>
+#include <asm/unaligned.h>
 #include <linux/firmware.h>
 #include <linux/nfc.h>
 #include <net/nfc/nci.h>
diff --git a/drivers/nfc/nfcmrvl/spi.c b/drivers/nfc/nfcmrvl/spi.c
index a7faa0bcc01e..fc8e78a29d77 100644
--- a/drivers/nfc/nfcmrvl/spi.c
+++ b/drivers/nfc/nfcmrvl/spi.c
@@ -96,10 +96,9 @@ static int nfcmrvl_spi_nci_send(struct nfcmrvl_private *priv,
        /* Send the SPI packet */
        err = nci_spi_send(drv_data->nci_spi, &drv_data->handshake_completion,
                           skb);
-        if (err != 0) {
+        if (err)
                nfc_err(priv->dev, "spi_send failed %d", err);
-                kfree_skb(skb);
-        }
        return err;
 }
diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
index 3bbdf60f8908..49f3fba75f4d 100644
--- a/drivers/ntb/ntb_transport.c
+++ b/drivers/ntb/ntb_transport.c
@@ -955,6 +955,9 @@ static int ntb_transport_init_queue(struct ntb_transport_ctx *nt,
        mw_base = nt->mw_vec[mw_num].phys_addr;
        mw_size = nt->mw_vec[mw_num].phys_size;
+        if (max_mw_size && mw_size > max_mw_size)
+                mw_size = max_mw_size;
        tx_size = (unsigned int)mw_size / num_qps_mw;
        qp_offset = tx_size * (qp_num / mw_count);
diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
index 254b0ee37039..a71187c783b7 100644
--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -237,14 +237,18 @@ int nvdimm_revalidate_disk(struct gendisk *disk)
 {
        struct device *dev = disk->driverfs_dev;
        struct nd_region *nd_region = to_nd_region(dev->parent);
-        const char *pol = nd_region->ro ? "only" : "write";
+        int disk_ro = get_disk_ro(disk);
-        if (nd_region->ro == get_disk_ro(disk))
+        /*
+         * Upgrade to read-only if the region is read-only preserve as
+         * read-only if the disk is already read-only.
+         */
+        if (disk_ro || nd_region->ro == disk_ro)
                return 0;
-        dev_info(dev, "%s read-%s, marking %s read-%s\n",
+        dev_info(dev, "%s read-only, marking %s read-only\n",
-                        dev_name(&nd_region->dev), pol, disk->disk_name, pol);
+                        dev_name(&nd_region->dev), disk->disk_name);
-        set_disk_ro(disk, nd_region->ro);
+        set_disk_ro(disk, 1);
        return 0;
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index d6ceb8b91cd6..01f47b68b6e7 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1583,23 +1583,26 @@ static int nvme_create_queue(struct nvme_queue *nvmeq, int qid)
        nvmeq->cq_vector = qid - 1;
        result = adapter_alloc_cq(dev, qid, nvmeq);
        if (result < 0)
-                return result;
+                goto release_vector;
        result = adapter_alloc_sq(dev, qid, nvmeq);
        if (result < 0)
                goto release_cq;
+        nvme_init_queue(nvmeq, qid);
        result = queue_request_irq(dev, nvmeq, nvmeq->irqname);
        if (result < 0)
                goto release_sq;
-        nvme_init_queue(nvmeq, qid);
        return result;
 release_sq:
+        dev->online_queues--;
        adapter_delete_sq(dev, qid);
 release_cq:
        adapter_delete_cq(dev, qid);
+ release_vector:
+        nvmeq->cq_vector = -1;
        return result;
 }
@@ -1794,6 +1797,7 @@ static int nvme_configure_admin_queue(struct nvme_dev *dev)
                goto free_nvmeq;
        nvmeq->cq_vector = 0;
+        nvme_init_queue(nvmeq, 0);
        result = queue_request_irq(dev, nvmeq, nvmeq->irqname);
        if (result) {
                nvmeq->cq_vector = -1;
@@ -2976,10 +2980,16 @@ static void nvme_dev_shutdown(struct nvme_dev *dev)
        mutex_unlock(&dev->shutdown_lock);
 }
-static void nvme_dev_remove(struct nvme_dev *dev)
+static void nvme_remove_namespaces(struct nvme_dev *dev)
 {
        struct nvme_ns *ns, *next;
+        list_for_each_entry_safe(ns, next, &dev->namespaces, list)
+                nvme_ns_remove(ns);
+}
+static void nvme_dev_remove(struct nvme_dev *dev)
+{
        if (nvme_io_incapable(dev)) {
                /*
                 * If the device is not capable of IO (surprise hot-removal,
@@ -2989,8 +2999,7 @@ static void nvme_dev_remove(struct nvme_dev *dev)
                 */
                nvme_dev_shutdown(dev);
        }
-        list_for_each_entry_safe(ns, next, &dev->namespaces, list)
+        nvme_remove_namespaces(dev);
-                nvme_ns_remove(ns);
 }
 static int nvme_setup_prp_pools(struct nvme_dev *dev)
@@ -3157,7 +3166,6 @@ static void nvme_probe_work(struct work_struct *work)
                goto disable;
        }
-        nvme_init_queue(dev->queues[0], 0);
        result = nvme_alloc_admin_tags(dev);
        if (result)
                goto disable;
@@ -3174,7 +3182,7 @@ static void nvme_probe_work(struct work_struct *work)
         */
        if (dev->online_queues < 2) {
                dev_warn(dev->dev, "IO queues not created\n");
-                nvme_dev_remove(dev);
+                nvme_remove_namespaces(dev);
        } else {
                nvme_unfreeze_queues(dev);
                nvme_dev_add(dev);
diff --git a/drivers/of/device.c b/drivers/of/device.c
index 97a280d50d6d..7c509bff9295 100644
--- a/drivers/of/device.c
+++ b/drivers/of/device.c
@@ -223,7 +223,7 @@ ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len)
                        str[i] = '_';
        }
-        return tsize;
+        return repend;
 }
 EXPORT_SYMBOL_GPL(of_device_get_modalias);
diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
index e16ea5717b7f..2a547ca3d443 100644
--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -156,20 +156,20 @@ static void __init of_unittest_dynamic(void)
        /* Add a new property - should pass*/
        prop->name = "new-property";
        prop->value = "new-property-data";
-        prop->length = strlen(prop->value);
+        prop->length = strlen(prop->value) + 1;
        unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
        /* Try to add an existing property - should fail */
        prop++;
        prop->name = "new-property";
        prop->value = "new-property-data-should-fail";
-        prop->length = strlen(prop->value);
+        prop->length = strlen(prop->value) + 1;
        unittest(of_add_property(np, prop) != 0,
                 "Adding an existing property should have failed\n");
        /* Try to modify an existing property - should pass */
        prop->value = "modify-property-data-should-pass";
-        prop->length = strlen(prop->value);
+        prop->length = strlen(prop->value) + 1;
        unittest(of_update_property(np, prop) == 0,
                 "Updating an existing property should have passed\n");
@@ -177,7 +177,7 @@ static void __init of_unittest_dynamic(void)
        prop++;
        prop->name = "modify-property";
        prop->value = "modify-missing-property-data-should-pass";
-        prop->length = strlen(prop->value);
+        prop->length = strlen(prop->value) + 1;
        unittest(of_update_property(np, prop) == 0,
                 "Updating a missing property should have passed\n");
diff --git a/drivers/parisc/lba_pci.c b/drivers/parisc/lba_pci.c
index 312cb5b74dec..1d288fa4f4d6 100644
--- a/drivers/parisc/lba_pci.c
+++ b/drivers/parisc/lba_pci.c
@@ -1365,9 +1365,27 @@ lba_hw_init(struct lba_device *d)
                WRITE_REG32(stat, d->hba.base_addr + LBA_ERROR_CONFIG);
        }
-        /* Set HF mode as the default (vs. -1 mode). */
+        /*
+         * Hard Fail vs. Soft Fail on PCI "Master Abort".
+         *
+         * "Master Abort" means the MMIO transaction timed out - usually due to
+         * the device not responding to an MMIO read. We would like HF to be
+         * enabled to find driver problems, though it means the system will
+         * crash with a HPMC.
+         *
+         * In SoftFail mode "~0L" is returned as a result of a timeout on the
+         * pci bus. This is like how PCI busses on x86 and most other
+         * architectures behave.  In order to increase compatibility with
+         * existing (x86) PCI hardware and existing Linux drivers we enable
+         * Soft Faul mode on PA-RISC now too.
+         */
        stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL);
+#if defined(ENABLE_HARDFAIL)
        WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL);
+#else
+        WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL);
+#endif
        /*
        ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal
diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
index 78530d1714dc..bdce0679674c 100644
--- a/drivers/parport/parport_pc.c
+++ b/drivers/parport/parport_pc.c
@@ -2646,6 +2646,7 @@ enum parport_pc_pci_cards {
        netmos_9901,
        netmos_9865,
        quatech_sppxp100,
+        wch_ch382l,
 };
@@ -2708,6 +2709,7 @@ static struct parport_pc_pci {
        /* netmos_9901 */               { 1, { { 0, -1 }, } },
        /* netmos_9865 */               { 1, { { 0, -1 }, } },
        /* quatech_sppxp100 */          { 1, { { 0, 1 }, } },
+        /* wch_ch382l */                { 1, { { 2, -1 }, } },
 };
 static const struct pci_device_id parport_pc_pci_tbl[] = {
@@ -2797,6 +2799,8 @@ static const struct pci_device_id parport_pc_pci_tbl[] = {
        /* Quatech SPPXP-100 Parallel port PCI ExpressCard */
        { PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100,
          PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 },
+        /* WCH CH382L PCI-E single parallel port card */
+        { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l },
        { 0, } /* terminate list */
 };
 MODULE_DEVICE_TABLE(pci, parport_pc_pci_tbl);
diff --git a/drivers/pci/controller/pci-keystone.c b/drivers/pci/controller/pci-keystone.c
index 81f653cedef2..8eb90a6839c4 100644
--- a/drivers/pci/controller/pci-keystone.c
+++ b/drivers/pci/controller/pci-keystone.c
@@ -183,7 +183,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
        }
        /* interrupt controller is in a child node */
-        *np_temp = of_find_node_by_name(np_pcie, controller);
+        *np_temp = of_get_child_by_name(np_pcie, controller);
        if (!(*np_temp)) {
                dev_err(dev, "Node for %s is absent\n", controller);
                return -EINVAL;
@@ -192,6 +192,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
        temp = of_irq_count(*np_temp);
        if (!temp) {
                dev_err(dev, "No IRQ entries in %s\n", controller);
+                of_node_put(*np_temp);
                return -EINVAL;
        }
@@ -209,6 +210,8 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
                        break;
        }
+        of_node_put(*np_temp);
        if (temp) {
                *num_irqs = temp;
                return 0;
diff --git a/drivers/pci/controller/pci-layerscape.c b/drivers/pci/controller/pci-layerscape.c
index 7f57e3f730ea..6cb78844f1b2 100644
--- a/drivers/pci/controller/pci-layerscape.c
+++ b/drivers/pci/controller/pci-layerscape.c
@@ -118,13 +118,7 @@ static void ls1021_pcie_host_init(struct pcie_port *pp)
        dw_pcie_setup_rc(pp);
-        /*
+        ls_pcie_drop_msg_tlp(pcie);
-         * LS1021A Workaround for internal TKT228622
-         * to fix the INTx hang issue
-         */
-        val = ioread32(pcie->dbi + PCIE_STRFMR1);
-        val &= 0xffff;
-        iowrite32(val, pcie->dbi + PCIE_STRFMR1);
 }
 static int ls_pcie_link_up(struct dw_pcie *pci)
@@ -150,6 +144,7 @@ static void ls_pcie_host_init(struct pcie_port *pp)
        iowrite32(1, pcie->dbi + PCIE_DBI_RO_WR_EN);
        ls_pcie_fix_class(pcie);
        ls_pcie_clear_multifunction(pcie);
+        ls_pcie_drop_msg_tlp(pcie);
        iowrite32(0, pcie->dbi + PCIE_DBI_RO_WR_EN);
 }
@@ -216,6 +211,7 @@ static const struct of_device_id ls_pcie_of_match[] = {
        { .compatible = "fsl,ls1021a-pcie", .data = &ls1021_drvdata },
        { .compatible = "fsl,ls1043a-pcie", .data = &ls1043_drvdata },
        { .compatible = "fsl,ls2080a-pcie", .data = &ls2080_drvdata },
+        { .compatible = "fsl,ls2085a-pcie", .data = &ls2080_drvdata },
        { },
 };
 MODULE_DEVICE_TABLE(of, ls_pcie_of_match);
diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c
index 0b3e0bfa7be5..572ca192cb1f 100644
--- a/drivers/pci/hotplug/acpiphp_glue.c
+++ b/drivers/pci/hotplug/acpiphp_glue.c
@@ -587,6 +587,7 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot)
 {
        unsigned long long sta = 0;
        struct acpiphp_func *func;
+        u32 dvid;
        list_for_each_entry(func, &slot->funcs, sibling) {
                if (func->flags & FUNC_HAS_STA) {
@@ -597,19 +598,27 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot)
                        if (ACPI_SUCCESS(status) && sta)
                                break;
                } else {
-                        u32 dvid;
+                        if (pci_bus_read_dev_vendor_id(slot->bus,
+                                        PCI_DEVFN(slot->device, func->function),
-                        pci_bus_read_config_dword(slot->bus,
+                                        &dvid, 0)) {
-                                                  PCI_DEVFN(slot->device,
-                                                            func->function),
-                                                  PCI_VENDOR_ID, &dvid);
-                        if (dvid != 0xffffffff) {
                                sta = ACPI_STA_ALL;
                                break;
                        }
                }
        }
+        if (!sta) {
+                /*
+                 * Check for the slot itself since it may be that the
+                 * ACPI slot is a device below PCIe upstream port so in
+                 * that case it may not even be reachable yet.
+                 */
+                if (pci_bus_read_dev_vendor_id(slot->bus,
+                                PCI_DEVFN(slot->device, 0), &dvid, 0)) {
+                        sta = ACPI_STA_ALL;
+                }
+        }
        return (unsigned int)sta;
 }
diff --git a/drivers/pci/hotplug/pciehp.h b/drivers/pci/hotplug/pciehp.h
index 62d6fe6c3714..cbe58480b474 100644
--- a/drivers/pci/hotplug/pciehp.h
+++ b/drivers/pci/hotplug/pciehp.h
@@ -134,7 +134,7 @@ struct controller *pcie_init(struct pcie_device *dev);
 int pcie_init_notification(struct controller *ctrl);
 int pciehp_enable_slot(struct slot *p_slot);
 int pciehp_disable_slot(struct slot *p_slot);
-void pcie_enable_notification(struct controller *ctrl);
+void pcie_reenable_notification(struct controller *ctrl);
 int pciehp_power_on_slot(struct slot *slot);
 void pciehp_power_off_slot(struct slot *slot);
 void pciehp_get_power_status(struct slot *slot, u8 *status);
diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
index 612b21a14df5..8f6ded43760a 100644
--- a/drivers/pci/hotplug/pciehp_core.c
+++ b/drivers/pci/hotplug/pciehp_core.c
@@ -295,7 +295,7 @@ static int pciehp_resume(struct pcie_device *dev)
        ctrl = get_service_data(dev);
        /* reinitialize the chipset's event detection logic */
-        pcie_enable_notification(ctrl);
+        pcie_reenable_notification(ctrl);
        slot = ctrl->slot;
diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
index 5c24e938042f..63c6c7fce3eb 100644
--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -628,7 +628,7 @@ static irqreturn_t pcie_isr(int irq, void *dev_id)
        return IRQ_HANDLED;
 }
-void pcie_enable_notification(struct controller *ctrl)
+static void pcie_enable_notification(struct controller *ctrl)
 {
        u16 cmd, mask;
@@ -666,6 +666,17 @@ void pcie_enable_notification(struct controller *ctrl)
                 pci_pcie_cap(ctrl->pcie->port) + PCI_EXP_SLTCTL, cmd);
 }
+void pcie_reenable_notification(struct controller *ctrl)
+{
+        /*
+         * Clear both Presence and Data Link Layer Changed to make sure
+         * those events still fire after we have re-enabled them.
+         */
+        pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA,
+                                   PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC);
+        pcie_enable_notification(ctrl);
+}
 static void pcie_disable_notification(struct controller *ctrl)
 {
        u16 mask;
diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c
index a32ba753e413..afaf13474796 100644
--- a/drivers/pci/pci-acpi.c
+++ b/drivers/pci/pci-acpi.c
@@ -543,7 +543,7 @@ void acpi_pci_add_bus(struct pci_bus *bus)
        union acpi_object *obj;
        struct pci_host_bridge *bridge;
-        if (acpi_pci_disabled || !bus->bridge)
+        if (acpi_pci_disabled || !bus->bridge || !ACPI_HANDLE(bus->bridge))
                return;
        acpi_pci_slot_enumerate(bus);
diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
index 32bd8ab79d53..dd9ebdc968c8 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -1140,11 +1140,14 @@ static int pci_pm_runtime_suspend(struct device *dev)
        int error;
        /*
-         * If pci_dev->driver is not set (unbound), the device should
+         * If pci_dev->driver is not set (unbound), we leave the device in D0,
-         * always remain in D0 regardless of the runtime PM status
+         * but it may go to D3cold when the bridge above it runtime suspends.
+         * Save its config space in case that happens.
         */
-        if (!pci_dev->driver)
+        if (!pci_dev->driver) {
+                pci_save_state(pci_dev);
                return 0;
+        }
        if (!pm || !pm->runtime_suspend)
                return -ENOSYS;
@@ -1195,16 +1198,18 @@ static int pci_pm_runtime_resume(struct device *dev)
        const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
        /*
-         * If pci_dev->driver is not set (unbound), the device should
+         * Restoring config space is necessary even if the device is not bound
-         * always remain in D0 regardless of the runtime PM status
+         * to a driver because although we left it in D0, it may have gone to
+         * D3cold when the bridge above it runtime suspended.
         */
+        pci_restore_standard_config(pci_dev);
        if (!pci_dev->driver)
                return 0;
        if (!pm || !pm->runtime_resume)
                return -ENOSYS;
-        pci_restore_standard_config(pci_dev);
        pci_fixup_device(pci_fixup_resume_early, pci_dev);
        __pci_enable_wake(pci_dev, PCI_D0, true, false);
        pci_fixup_device(pci_fixup_resume, pci_dev);
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index ec91cd17bf34..5fb4ed6ea322 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -180,13 +180,16 @@ static ssize_t enable_store(struct device *dev, struct device_attribute *attr,
        if (!capable(CAP_SYS_ADMIN))
                return -EPERM;
-        if (!val) {
+        device_lock(dev);
-                if (pci_is_enabled(pdev))
+        if (dev->driver)
-                        pci_disable_device(pdev);
+                result = -EBUSY;
-                else
+        else if (val)
-                        result = -EIO;
-        } else
                result = pci_enable_device(pdev);
+        else if (pci_is_enabled(pdev))
+                pci_disable_device(pdev);
+        else
+                result = -EIO;
+        device_unlock(dev);
        return result < 0 ? result : count;
 }
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 193ac13de49b..566897f24dee 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -230,7 +230,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
                        res->flags |= IORESOURCE_ROM_ENABLE;
                l64 = l & PCI_ROM_ADDRESS_MASK;
                sz64 = sz & PCI_ROM_ADDRESS_MASK;
-                mask64 = (u32)PCI_ROM_ADDRESS_MASK;
+                mask64 = PCI_ROM_ADDRESS_MASK;
        }
        if (res->flags & IORESOURCE_MEM_64) {
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index 254192b5dad1..5697b32819cb 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3614,6 +3614,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9120,
                         quirk_dma_func1_alias);
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123,
                         quirk_dma_func1_alias);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128,
+                         quirk_dma_func1_alias);
 /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130,
                         quirk_dma_func1_alias);
@@ -3626,11 +3628,16 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x917a,
 /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0,
                         quirk_dma_func1_alias);
+/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220,
+                         quirk_dma_func1_alias);
 /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230,
                         quirk_dma_func1_alias);
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642,
                         quirk_dma_func1_alias);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645,
+                         quirk_dma_func1_alias);
 /* https://bugs.gentoo.org/show_bug.cgi?id=497630 */
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_JMICRON,
                         PCI_DEVICE_ID_JMICRON_JMB388_ESD,
diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c
index 25062966cbfa..8b2f8b2a574e 100644
--- a/drivers/pci/setup-res.c
+++ b/drivers/pci/setup-res.c
@@ -63,7 +63,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
                mask = (u32)PCI_BASE_ADDRESS_IO_MASK;
                new |= res->flags & ~PCI_BASE_ADDRESS_IO_MASK;
        } else if (resno == PCI_ROM_RESOURCE) {
-                mask = (u32)PCI_ROM_ADDRESS_MASK;
+                mask = PCI_ROM_ADDRESS_MASK;
        } else {
                mask = (u32)PCI_BASE_ADDRESS_MEM_MASK;
                new |= res->flags & ~PCI_BASE_ADDRESS_MEM_MASK;
diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c
index 8af1f900ea65..1ba58fb6f796 100644
--- a/drivers/perf/arm_pmu.c
+++ b/drivers/perf/arm_pmu.c
@@ -321,10 +321,16 @@ validate_group(struct perf_event *event)
        return 0;
 }
+static struct arm_pmu_platdata *armpmu_get_platdata(struct arm_pmu *armpmu)
+{
+        struct platform_device *pdev = armpmu->plat_device;
+        return pdev ? dev_get_platdata(&pdev->dev) : NULL;
+}
 static irqreturn_t armpmu_dispatch_irq(int irq, void *dev)
 {
        struct arm_pmu *armpmu;
-        struct platform_device *plat_device;
        struct arm_pmu_platdata *plat;
        int ret;
        u64 start_clock, finish_clock;
@@ -336,8 +342,8 @@ static irqreturn_t armpmu_dispatch_irq(int irq, void *dev)
         * dereference.
         */
        armpmu = *(void **)dev;
-        plat_device = armpmu->plat_device;
-        plat = dev_get_platdata(&plat_device->dev);
+        plat = armpmu_get_platdata(armpmu);
        start_clock = sched_clock();
        if (plat && plat->handle_irq)
diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
index a4dcdb48fd56..1ff21b89961e 100644
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -980,19 +980,16 @@ struct pinctrl_state *pinctrl_lookup_state(struct pinctrl *p,
 EXPORT_SYMBOL_GPL(pinctrl_lookup_state);
 /**
- * pinctrl_select_state() - select/activate/program a pinctrl state to HW
+ * pinctrl_commit_state() - select/activate/program a pinctrl state to HW
 * @p: the pinctrl handle for the device that requests configuration
 * @state: the state handle to select/activate/program
 */
-int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
+static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state)
 {
        struct pinctrl_setting *setting, *setting2;
        struct pinctrl_state *old_state = p->state;
        int ret;
-        if (p->state == state)
-                return 0;
        if (p->state) {
                /*
                 * For each pinmux setting in the old state, forget SW's record
@@ -1056,6 +1053,19 @@ unapply_new_state:
        return ret;
 }
+/**
+ * pinctrl_select_state() - select/activate/program a pinctrl state to HW
+ * @p: the pinctrl handle for the device that requests configuration
+ * @state: the state handle to select/activate/program
+ */
+int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
+{
+        if (p->state == state)
+                return 0;
+        return pinctrl_commit_state(p, state);
+}
 EXPORT_SYMBOL_GPL(pinctrl_select_state);
 static void devm_pinctrl_release(struct device *dev, void *res)
@@ -1224,7 +1234,7 @@ void pinctrl_unregister_map(struct pinctrl_map const *map)
 int pinctrl_force_sleep(struct pinctrl_dev *pctldev)
 {
        if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_sleep))
-                return pinctrl_select_state(pctldev->p, pctldev->hog_sleep);
+                return pinctrl_commit_state(pctldev->p, pctldev->hog_sleep);
        return 0;
 }
 EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
@@ -1236,7 +1246,7 @@ EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
 int pinctrl_force_default(struct pinctrl_dev *pctldev)
 {
        if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_default))
-                return pinctrl_select_state(pctldev->p, pctldev->hog_default);
+                return pinctrl_commit_state(pctldev->p, pctldev->hog_default);
        return 0;
 }
 EXPORT_SYMBOL_GPL(pinctrl_force_default);
diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c
index 271cca63e9bd..9aa82a4e9e25 100644
--- a/drivers/pinctrl/pinctrl-at91-pio4.c
+++ b/drivers/pinctrl/pinctrl-at91-pio4.c
@@ -568,8 +568,10 @@ static int atmel_pctl_dt_node_to_map(struct pinctrl_dev *pctldev,
                for_each_child_of_node(np_config, np) {
                        ret = atmel_pctl_dt_subnode_to_map(pctldev, np, map,
                                                    &reserved_maps, num_maps);
-                        if (ret < 0)
+                        if (ret < 0) {
+                                of_node_put(np);
                                break;
+                        }
                }
        }
diff --git a/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c b/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c
index 1b580ba76453..907d7db3fcee 100644
--- a/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c
+++ b/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c
@@ -145,19 +145,19 @@ static const struct sunxi_desc_pin sun9i_a80_pins[] = {
                  SUNXI_FUNCTION(0x0, "gpio_in"),
                  SUNXI_FUNCTION(0x1, "gpio_out"),
                  SUNXI_FUNCTION(0x3, "mcsi"),          /* MCLK */
-                  SUNXI_FUNCTION_IRQ_BANK(0x6, 0, 14)), /* PB_EINT14 */
+                  SUNXI_FUNCTION_IRQ_BANK(0x6, 1, 14)), /* PB_EINT14 */
        SUNXI_PIN(SUNXI_PINCTRL_PIN(B, 15),
                  SUNXI_FUNCTION(0x0, "gpio_in"),
                  SUNXI_FUNCTION(0x1, "gpio_out"),
                  SUNXI_FUNCTION(0x3, "mcsi"),          /* SCK */
                  SUNXI_FUNCTION(0x4, "i2c4"),          /* SCK */
-                  SUNXI_FUNCTION_IRQ_BANK(0x6, 0, 15)), /* PB_EINT15 */
+                  SUNXI_FUNCTION_IRQ_BANK(0x6, 1, 15)), /* PB_EINT15 */
        SUNXI_PIN(SUNXI_PINCTRL_PIN(B, 16),
                  SUNXI_FUNCTION(0x0, "gpio_in"),
                  SUNXI_FUNCTION(0x1, "gpio_out"),
                  SUNXI_FUNCTION(0x3, "mcsi"),          /* SDA */
                  SUNXI_FUNCTION(0x4, "i2c4"),          /* SDA */
-                  SUNXI_FUNCTION_IRQ_BANK(0x6, 0, 16)), /* PB_EINT16 */
+                  SUNXI_FUNCTION_IRQ_BANK(0x6, 1, 16)), /* PB_EINT16 */
        /* Hole */
        SUNXI_PIN(SUNXI_PINCTRL_PIN(C, 0),
diff --git a/drivers/platform/chrome/cros_ec_proto.c b/drivers/platform/chrome/cros_ec_proto.c
index 92430f781eb7..a0b8c8a8c323 100644
--- a/drivers/platform/chrome/cros_ec_proto.c
+++ b/drivers/platform/chrome/cros_ec_proto.c
@@ -59,12 +59,14 @@ static int send_command(struct cros_ec_device *ec_dev,
                        struct cros_ec_command *msg)
 {
        int ret;
+        int (*xfer_fxn)(struct cros_ec_device *ec, struct cros_ec_command *msg);
        if (ec_dev->proto_version > 2)
-                ret = ec_dev->pkt_xfer(ec_dev, msg);
+                xfer_fxn = ec_dev->pkt_xfer;
        else
-                ret = ec_dev->cmd_xfer(ec_dev, msg);
+                xfer_fxn = ec_dev->cmd_xfer;
+        ret = (*xfer_fxn)(ec_dev, msg);
        if (msg->result == EC_RES_IN_PROGRESS) {
                int i;
                struct cros_ec_command *status_msg;
@@ -87,7 +89,7 @@ static int send_command(struct cros_ec_device *ec_dev,
                for (i = 0; i < EC_COMMAND_RETRIES; i++) {
                        usleep_range(10000, 11000);
-                        ret = ec_dev->cmd_xfer(ec_dev, status_msg);
+                        ret = (*xfer_fxn)(ec_dev, status_msg);
                        if (ret < 0)
                                break;
diff --git a/drivers/platform/chrome/cros_ec_sysfs.c b/drivers/platform/chrome/cros_ec_sysfs.c
index f3baf9973989..24f1630a8b3f 100644
--- a/drivers/platform/chrome/cros_ec_sysfs.c
+++ b/drivers/platform/chrome/cros_ec_sysfs.c
@@ -187,7 +187,7 @@ static ssize_t show_ec_version(struct device *dev,
                count += scnprintf(buf + count, PAGE_SIZE - count,
                                   "Build info:    EC error %d\n", msg->result);
        else {
-                msg->data[sizeof(msg->data) - 1] = '\0';
+                msg->data[EC_HOST_PARAM_SIZE - 1] = '\0';
                count += scnprintf(buf + count, PAGE_SIZE - count,
                                   "Build info:    %s\n", msg->data);
        }
diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
index 1089eaa02b00..988ebe9a6b90 100644
--- a/drivers/platform/x86/Kconfig
+++ b/drivers/platform/x86/Kconfig
@@ -95,6 +95,7 @@ config DELL_LAPTOP
        tristate "Dell Laptop Extras"
        depends on X86
        depends on DCDBAS
+        depends on DMI
        depends on BACKLIGHT_CLASS_DEVICE
        depends on ACPI_VIDEO || ACPI_VIDEO = n
        depends on RFKILL || RFKILL = n
@@ -110,6 +111,7 @@ config DELL_LAPTOP
 config DELL_WMI
        tristate "Dell WMI extras"
        depends on ACPI_WMI
+        depends on DMI
        depends on INPUT
        depends on ACPI_VIDEO || ACPI_VIDEO = n
        select INPUT_SPARSEKMAP
diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
index a3661cc44f86..0e0403e024c5 100644
--- a/drivers/platform/x86/asus-nb-wmi.c
+++ b/drivers/platform/x86/asus-nb-wmi.c
@@ -101,6 +101,15 @@ static const struct dmi_system_id asus_quirks[] = {
        },
        {
                .callback = dmi_matched,
+                .ident = "ASUSTeK COMPUTER INC. X302UA",
+                .matches = {
+                        DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+                        DMI_MATCH(DMI_PRODUCT_NAME, "X302UA"),
+                },
+                .driver_data = &quirk_asus_wapf4,
+        },
+        {
+                .callback = dmi_matched,
                .ident = "ASUSTeK COMPUTER INC. X401U",
                .matches = {
                        DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
diff --git a/drivers/platform/x86/intel_mid_thermal.c b/drivers/platform/x86/intel_mid_thermal.c
index 5c768c4627d3..78e1bfee698a 100644
--- a/drivers/platform/x86/intel_mid_thermal.c
+++ b/drivers/platform/x86/intel_mid_thermal.c
@@ -415,6 +415,7 @@ static struct thermal_device_info *initialize_sensor(int index)
        return td_info;
 }
+#ifdef CONFIG_PM_SLEEP
 /**
 * mid_thermal_resume - resume routine
 * @dev: device structure
@@ -442,6 +443,7 @@ static int mid_thermal_suspend(struct device *dev)
         */
        return configure_adc(0);
 }
+#endif
 static SIMPLE_DEV_PM_OPS(mid_thermal_pm,
                         mid_thermal_suspend, mid_thermal_resume);
diff --git a/drivers/platform/x86/tc1100-wmi.c b/drivers/platform/x86/tc1100-wmi.c
index 89aa976f0ab2..65b0a4845ddd 100644
--- a/drivers/platform/x86/tc1100-wmi.c
+++ b/drivers/platform/x86/tc1100-wmi.c
@@ -52,7 +52,9 @@ struct tc1100_data {
        u32 jogdial;
 };
+#ifdef CONFIG_PM
 static struct tc1100_data suspend_data;
+#endif
 /* --------------------------------------------------------------------------
                                Device Management
diff --git a/drivers/power/Kconfig b/drivers/power/Kconfig
index 237d7aa73e8c..9f53fb74ae6f 100644
--- a/drivers/power/Kconfig
+++ b/drivers/power/Kconfig
@@ -159,6 +159,7 @@ config BATTERY_SBS
 config BATTERY_BQ27XXX
        tristate "BQ27xxx battery driver"
+        depends on I2C || I2C=n
        help
          Say Y here to enable support for batteries with BQ27xxx (I2C/HDQ) chips.
diff --git a/drivers/power/bq27xxx_battery.c b/drivers/power/bq27xxx_battery.c
index 880233ce9343..6c3a447f378b 100644
--- a/drivers/power/bq27xxx_battery.c
+++ b/drivers/power/bq27xxx_battery.c
@@ -285,7 +285,7 @@ static u8 bq27421_regs[] = {
        0x18,   /* AP           */
 };
-static u8 *bq27xxx_regs[] = {
+static u8 *bq27xxx_regs[] __maybe_unused = {
        [BQ27000] = bq27000_regs,
        [BQ27010] = bq27010_regs,
        [BQ27500] = bq27500_regs,
@@ -991,7 +991,7 @@ static void bq27xxx_external_power_changed(struct power_supply *psy)
        schedule_delayed_work(&di->work, 0);
 }
-static int bq27xxx_powersupply_init(struct bq27xxx_device_info *di,
+static int __maybe_unused bq27xxx_powersupply_init(struct bq27xxx_device_info *di,
                                    const char *name)
 {
        int ret;
@@ -1026,7 +1026,7 @@ static int bq27xxx_powersupply_init(struct bq27xxx_device_info *di,
        return 0;
 }
-static void bq27xxx_powersupply_unregister(struct bq27xxx_device_info *di)
+static void __maybe_unused bq27xxx_powersupply_unregister(struct bq27xxx_device_info *di)
 {
        /*
         * power_supply_unregister call bq27xxx_battery_get_property which
diff --git a/drivers/power/pda_power.c b/drivers/power/pda_power.c
index dfe1ee89f7c7..922a86787c5c 100644
--- a/drivers/power/pda_power.c
+++ b/drivers/power/pda_power.c
@@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags(struct resource *res)
 static struct device *dev;
 static struct pda_power_pdata *pdata;
 static struct resource *ac_irq, *usb_irq;
-static struct timer_list charger_timer;
+static struct delayed_work charger_work;
-static struct timer_list supply_timer;
+static struct delayed_work polling_work;
-static struct timer_list polling_timer;
+static struct delayed_work supply_work;
 static int polling;
 static struct power_supply *pda_psy_ac, *pda_psy_usb;
@@ -140,7 +140,7 @@ static void update_charger(void)
        }
 }
-static void supply_timer_func(unsigned long unused)
+static void supply_work_func(struct work_struct *work)
 {
        if (ac_status == PDA_PSY_TO_CHANGE) {
                ac_status = new_ac_status;
@@ -161,11 +161,12 @@ static void psy_changed(void)
         * Okay, charger set. Now wait a bit before notifying supplicants,
         * charge power should stabilize.
         */
-        mod_timer(&supply_timer,
+        cancel_delayed_work(&supply_work);
-                  jiffies + msecs_to_jiffies(pdata->wait_for_charger));
+        schedule_delayed_work(&supply_work,
+                              msecs_to_jiffies(pdata->wait_for_charger));
 }
-static void charger_timer_func(unsigned long unused)
+static void charger_work_func(struct work_struct *work)
 {
        update_status();
        psy_changed();
@@ -184,13 +185,14 @@ static irqreturn_t power_changed_isr(int irq, void *power_supply)
         * Wait a bit before reading ac/usb line status and setting charger,
         * because ac/usb status readings may lag from irq.
         */
-        mod_timer(&charger_timer,
+        cancel_delayed_work(&charger_work);
-                  jiffies + msecs_to_jiffies(pdata->wait_for_status));
+        schedule_delayed_work(&charger_work,
+                              msecs_to_jiffies(pdata->wait_for_status));
        return IRQ_HANDLED;
 }
-static void polling_timer_func(unsigned long unused)
+static void polling_work_func(struct work_struct *work)
 {
        int changed = 0;
@@ -211,8 +213,9 @@ static void polling_timer_func(unsigned long unused)
        if (changed)
                psy_changed();
-        mod_timer(&polling_timer,
+        cancel_delayed_work(&polling_work);
-                  jiffies + msecs_to_jiffies(pdata->polling_interval));
+        schedule_delayed_work(&polling_work,
+                              msecs_to_jiffies(pdata->polling_interval));
 }
 #if IS_ENABLED(CONFIG_USB_PHY)
@@ -250,8 +253,9 @@ static int otg_handle_notification(struct notifier_block *nb,
         * Wait a bit before reading ac/usb line status and setting charger,
         * because ac/usb status readings may lag from irq.
         */
-        mod_timer(&charger_timer,
+        cancel_delayed_work(&charger_work);
-                  jiffies + msecs_to_jiffies(pdata->wait_for_status));
+        schedule_delayed_work(&charger_work,
+                              msecs_to_jiffies(pdata->wait_for_status));
        return NOTIFY_OK;
 }
@@ -300,8 +304,8 @@ static int pda_power_probe(struct platform_device *pdev)
        if (!pdata->ac_max_uA)
                pdata->ac_max_uA = 500000;
-        setup_timer(&charger_timer, charger_timer_func, 0);
+        INIT_DELAYED_WORK(&charger_work, charger_work_func);
-        setup_timer(&supply_timer, supply_timer_func, 0);
+        INIT_DELAYED_WORK(&supply_work, supply_work_func);
        ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac");
        usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb");
@@ -385,9 +389,10 @@ static int pda_power_probe(struct platform_device *pdev)
        if (polling) {
                dev_dbg(dev, "will poll for status\n");
-                setup_timer(&polling_timer, polling_timer_func, 0);
+                INIT_DELAYED_WORK(&polling_work, polling_work_func);
-                mod_timer(&polling_timer,
+                cancel_delayed_work(&polling_work);
-                          jiffies + msecs_to_jiffies(pdata->polling_interval));
+                schedule_delayed_work(&polling_work,
+                                      msecs_to_jiffies(pdata->polling_interval));
        }
        if (ac_irq || usb_irq)
@@ -433,9 +438,9 @@ static int pda_power_remove(struct platform_device *pdev)
                free_irq(ac_irq->start, pda_psy_ac);
        if (polling)
-                del_timer_sync(&polling_timer);
+                cancel_delayed_work_sync(&polling_work);
-        del_timer_sync(&charger_timer);
+        cancel_delayed_work_sync(&charger_work);
-        del_timer_sync(&supply_timer);
+        cancel_delayed_work_sync(&supply_work);
        if (pdata->is_usb_online)
                power_supply_unregister(pda_psy_usb);
diff --git a/drivers/power/reset/zx-reboot.c b/drivers/power/reset/zx-reboot.c
index a5b009673d0e..5eb719e73e9e 100644
--- a/drivers/power/reset/zx-reboot.c
+++ b/drivers/power/reset/zx-reboot.c
@@ -78,3 +78,7 @@ static struct platform_driver zx_reboot_driver = {
        },
 };
 module_platform_driver(zx_reboot_driver);
+MODULE_DESCRIPTION("ZTE SoCs reset driver");
+MODULE_AUTHOR("Jun Nie <jun.nie@linaro.org>");
+MODULE_LICENSE("GPL v2");
diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
index 84419af16f77..fd12ccc11e26 100644
--- a/drivers/powercap/powercap_sys.c
+++ b/drivers/powercap/powercap_sys.c
@@ -538,6 +538,7 @@ struct powercap_zone *powercap_register_zone(
        power_zone->id = result;
        idr_init(&power_zone->idr);
+        result = -ENOMEM;
        power_zone->name = kstrdup(name, GFP_KERNEL);
        if (!power_zone->name)
                goto err_name_alloc;
diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index da7bae991552..d877ff124365 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -88,6 +88,7 @@ int ptp_set_pinfunc(struct ptp_clock *ptp, unsigned int pin,
        case PTP_PF_PHYSYNC:
                if (chan != 0)
                        return -EINVAL;
+                break;
        default:
                return -EINVAL;
        }
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 2e481b9e8ea5..60a5e0c63a13 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -97,30 +97,26 @@ static s32 scaled_ppm_to_ppb(long ppm)
 /* posix clock implementation */
-static int ptp_clock_getres(struct posix_clock *pc, struct timespec *tp)
+static int ptp_clock_getres(struct posix_clock *pc, struct timespec64 *tp)
 {
        tp->tv_sec = 0;
        tp->tv_nsec = 1;
        return 0;
 }
-static int ptp_clock_settime(struct posix_clock *pc, const struct timespec *tp)
+static int ptp_clock_settime(struct posix_clock *pc, const struct timespec64 *tp)
 {
        struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock);
-        struct timespec64 ts = timespec_to_timespec64(*tp);
-        return  ptp->info->settime64(ptp->info, &ts);
+        return  ptp->info->settime64(ptp->info, tp);
 }
-static int ptp_clock_gettime(struct posix_clock *pc, struct timespec *tp)
+static int ptp_clock_gettime(struct posix_clock *pc, struct timespec64 *tp)
 {
        struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock);
-        struct timespec64 ts;
        int err;
-        err = ptp->info->gettime64(ptp->info, &ts);
+        err = ptp->info->gettime64(ptp->info, tp);
-        if (!err)
-                *tp = timespec64_to_timespec(ts);
        return err;
 }
@@ -133,7 +129,7 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct timex *tx)
        ops = ptp->info;
        if (tx->modes & ADJ_SETOFFSET) {
-                struct timespec ts;
+                struct timespec64 ts;
                ktime_t kt;
                s64 delta;
@@ -146,7 +142,7 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct timex *tx)
                if ((unsigned long) ts.tv_nsec >= NSEC_PER_SEC)
                        return -EINVAL;
-                kt = timespec_to_ktime(ts);
+                kt = timespec64_to_ktime(ts);
                delta = ktime_to_ns(kt);
                err = ops->adjtime(ops, delta);
        } else if (tx->modes & ADJ_FREQUENCY) {
diff --git a/drivers/pwm/pwm-tegra.c b/drivers/pwm/pwm-tegra.c
index d4de0607b502..3039fb762893 100644
--- a/drivers/pwm/pwm-tegra.c
+++ b/drivers/pwm/pwm-tegra.c
@@ -69,6 +69,7 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
        struct tegra_pwm_chip *pc = to_tegra_pwm_chip(chip);
        unsigned long long c;
        unsigned long rate, hz;
+        unsigned long long ns100 = NSEC_PER_SEC;
        u32 val = 0;
        int err;
@@ -87,9 +88,11 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
         * cycles at the PWM clock rate will take period_ns nanoseconds.
         */
        rate = clk_get_rate(pc->clk) >> PWM_DUTY_WIDTH;
-        hz = NSEC_PER_SEC / period_ns;
-        rate = (rate + (hz / 2)) / hz;
+        /* Consider precision in PWM_SCALE_WIDTH rate calculation */
+        ns100 *= 100;
+        hz = DIV_ROUND_CLOSEST_ULL(ns100, period_ns);
+        rate = DIV_ROUND_CLOSEST(rate * 100, hz);
        /*
         * Since the actual PWM divider is the register's frequency divider
diff --git a/drivers/regulator/anatop-regulator.c b/drivers/regulator/anatop-regulator.c
index 3a6d0290c54c..c5e272ea4372 100644
--- a/drivers/regulator/anatop-regulator.c
+++ b/drivers/regulator/anatop-regulator.c
@@ -296,6 +296,11 @@ static int anatop_regulator_probe(struct platform_device *pdev)
                if (!sreg->sel && !strcmp(sreg->name, "vddpu"))
                        sreg->sel = 22;
+                /* set the default voltage of the pcie phy to be 1.100v */
+                if (!sreg->sel && rdesc->name &&
+                    !strcmp(rdesc->name, "vddpcie"))
+                        sreg->sel = 0x10;
                if (!sreg->bypass && !sreg->sel) {
                        dev_err(&pdev->dev, "Failed to read a valid default voltage selector.\n");
                        return -EINVAL;
diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c
index 3fe18da3ad52..8132b0e66932 100644
--- a/drivers/regulator/of_regulator.c
+++ b/drivers/regulator/of_regulator.c
@@ -277,6 +277,7 @@ int of_regulator_match(struct device *dev, struct device_node *node,
                                dev_err(dev,
                                        "failed to parse DT for regulator %s\n",
                                        child->name);
+                                of_node_put(child);
                                return -EINVAL;
                        }
                        match->of_node = of_node_get(child);
diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c
index 2a44e5dd9c2a..c68556bf6f39 100644
--- a/drivers/regulator/pfuze100-regulator.c
+++ b/drivers/regulator/pfuze100-regulator.c
@@ -152,6 +152,7 @@ static struct regulator_ops pfuze100_sw_regulator_ops = {
 static struct regulator_ops pfuze100_swb_regulator_ops = {
        .enable = regulator_enable_regmap,
        .disable = regulator_disable_regmap,
+        .is_enabled = regulator_is_enabled_regmap,
        .list_voltage = regulator_list_voltage_table,
        .map_voltage = regulator_map_voltage_ascend,
        .set_voltage_sel = regulator_set_voltage_sel_regmap,
diff --git a/drivers/rtc/hctosys.c b/drivers/rtc/hctosys.c
index e1cfa06810ef..e79f2a181ad2 100644
--- a/drivers/rtc/hctosys.c
+++ b/drivers/rtc/hctosys.c
@@ -49,6 +49,11 @@ static int __init rtc_hctosys(void)
        tv64.tv_sec = rtc_tm_to_time64(&tm);
+#if BITS_PER_LONG == 32
+        if (tv64.tv_sec > INT_MAX)
+                goto err_read;
+#endif
        err = do_settimeofday64(&tv64);
        dev_info(rtc->dev.parent,
diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
index 733d85686639..6e8fa60c1aa2 100644
--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -217,6 +217,13 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
                        missing = year;
        }
+        /* Can't proceed if alarm is still invalid after replacing
+         * missing fields.
+         */
+        err = rtc_valid_tm(&alarm->time);
+        if (err)
+                goto done;
        /* with luck, no rollover is needed */
        t_now = rtc_tm_to_time64(&now);
        t_alm = rtc_tm_to_time64(&alarm->time);
@@ -268,9 +275,9 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
                dev_warn(&rtc->dev, "alarm rollover not handled\n");
        }
-done:
        err = rtc_valid_tm(&alarm->time);
+done:
        if (err) {
                dev_warn(&rtc->dev, "invalid alarm value: %d-%d-%d %d:%d:%d\n",
                        alarm->time.tm_year + 1900, alarm->time.tm_mon + 1,
@@ -342,6 +349,11 @@ int rtc_set_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
 {
        int err;
+        if (!rtc->ops)
+                return -ENODEV;
+        else if (!rtc->ops->set_alarm)
+                return -EINVAL;
        err = rtc_valid_tm(&alarm->time);
        if (err != 0)
                return err;
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index 8f7034ba7d9e..86015b393dd5 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -41,6 +41,9 @@
 #include <linux/pm.h>
 #include <linux/of.h>
 #include <linux/of_platform.h>
+#ifdef CONFIG_X86
+#include <asm/i8259.h>
+#endif
 /* this is for "generic access to PC-style RTC" using CMOS_READ/CMOS_WRITE */
 #include <asm-generic/rtc.h>
@@ -1058,17 +1061,23 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
 {
        cmos_wake_setup(&pnp->dev);
-        if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0))
+        if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) {
+                unsigned int irq = 0;
+#ifdef CONFIG_X86
                /* Some machines contain a PNP entry for the RTC, but
                 * don't define the IRQ. It should always be safe to
-                 * hardcode it in these cases
+                 * hardcode it on systems with a legacy PIC.
                 */
+                if (nr_legacy_irqs())
+                        irq = 8;
+#endif
                return cmos_do_probe(&pnp->dev,
-                                pnp_get_resource(pnp, IORESOURCE_IO, 0), 8);
+                                pnp_get_resource(pnp, IORESOURCE_IO, 0), irq);
-        else
+        } else {
                return cmos_do_probe(&pnp->dev,
                                pnp_get_resource(pnp, IORESOURCE_IO, 0),
                                pnp_irq(pnp, 0));
+        }
 }
 static void __exit cmos_pnp_remove(struct pnp_dev *pnp)
diff --git a/drivers/rtc/rtc-ds1374.c b/drivers/rtc/rtc-ds1374.c
index 3b3049c8c9e0..c0eb113588ff 100644
--- a/drivers/rtc/rtc-ds1374.c
+++ b/drivers/rtc/rtc-ds1374.c
@@ -527,6 +527,10 @@ static long ds1374_wdt_ioctl(struct file *file, unsigned int cmd,
                if (get_user(new_margin, (int __user *)arg))
                        return -EFAULT;
+                /* the hardware's tick rate is 4096 Hz, so
+                 * the counter value needs to be scaled accordingly
+                 */
+                new_margin <<= 12;
                if (new_margin < 1 || new_margin > 16777216)
                        return -EINVAL;
@@ -535,7 +539,8 @@ static long ds1374_wdt_ioctl(struct file *file, unsigned int cmd,
                ds1374_wdt_ping();
                /* fallthrough */
        case WDIOC_GETTIMEOUT:
-                return put_user(wdt_margin, (int __user *)arg);
+                /* when returning ... inverse is true */
+                return put_user((wdt_margin >> 12), (int __user *)arg);
        case WDIOC_SETOPTIONS:
                if (copy_from_user(&options, (int __user *)arg, sizeof(int)))
                        return -EFAULT;
@@ -543,14 +548,15 @@ static long ds1374_wdt_ioctl(struct file *file, unsigned int cmd,
                if (options & WDIOS_DISABLECARD) {
                        pr_info("disable watchdog\n");
                        ds1374_wdt_disable();
+                        return 0;
                }
                if (options & WDIOS_ENABLECARD) {
                        pr_info("enable watchdog\n");
                        ds1374_wdt_settimeout(wdt_margin);
                        ds1374_wdt_ping();
+                        return 0;
                }
                return -EINVAL;
        }
        return -ENOTTY;
diff --git a/drivers/rtc/rtc-opal.c b/drivers/rtc/rtc-opal.c
index df39ce02a99d..c6b0c7ed7a30 100644
--- a/drivers/rtc/rtc-opal.c
+++ b/drivers/rtc/rtc-opal.c
@@ -58,6 +58,7 @@ static void tm_to_opal(struct rtc_time *tm, u32 *y_m_d, u64 *h_m_s_ms)
 static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm)
 {
        long rc = OPAL_BUSY;
+        int retries = 10;
        u32 y_m_d;
        u64 h_m_s_ms;
        __be32 __y_m_d;
@@ -67,8 +68,11 @@ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm)
                rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms);
                if (rc == OPAL_BUSY_EVENT)
                        opal_poll_events(NULL);
-                else
+                else if (retries-- && (rc == OPAL_HARDWARE
+                                       || rc == OPAL_INTERNAL_ERROR))
                        msleep(10);
+                else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT)
+                        break;
        }
        if (rc != OPAL_SUCCESS)
@@ -84,6 +88,7 @@ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm)
 static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm)
 {
        long rc = OPAL_BUSY;
+        int retries = 10;
        u32 y_m_d = 0;
        u64 h_m_s_ms = 0;
@@ -92,8 +97,11 @@ static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm)
                rc = opal_rtc_write(y_m_d, h_m_s_ms);
                if (rc == OPAL_BUSY_EVENT)
                        opal_poll_events(NULL);
-                else
+                else if (retries-- && (rc == OPAL_HARDWARE
+                                       || rc == OPAL_INTERNAL_ERROR))
                        msleep(10);
+                else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT)
+                        break;
        }
        return rc == OPAL_SUCCESS ? 0 : -EIO;
@@ -142,6 +150,16 @@ static int opal_get_tpo_time(struct device *dev, struct rtc_wkalrm *alarm)
        y_m_d = be32_to_cpu(__y_m_d);
        h_m_s_ms = ((u64)be32_to_cpu(__h_m) << 32);
+        /* check if no alarm is set */
+        if (y_m_d == 0 && h_m_s_ms == 0) {
+                pr_debug("No alarm is set\n");
+                rc = -ENOENT;
+                goto exit;
+        } else {
+                pr_debug("Alarm set to %x %llx\n", y_m_d, h_m_s_ms);
+        }
        opal_to_tm(y_m_d, h_m_s_ms, &alarm->time);
 exit:
diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c
index 950c5d0b6dca..a161fbf6f172 100644
--- a/drivers/rtc/rtc-snvs.c
+++ b/drivers/rtc/rtc-snvs.c
@@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct device *dev, struct rtc_time *tm)
 {
        struct snvs_rtc_data *data = dev_get_drvdata(dev);
        unsigned long time;
+        int ret;
        rtc_tm_to_time(tm, &time);
        /* Disable RTC first */
-        snvs_rtc_enable(data, false);
+        ret = snvs_rtc_enable(data, false);
+        if (ret)
+                return ret;
        /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */
        regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH);
        regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH));
        /* Enable RTC again */
-        snvs_rtc_enable(data, true);
+        ret = snvs_rtc_enable(data, true);
-        return 0;
+        return ret;
 }
 static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
@@ -257,7 +260,7 @@ static int snvs_rtc_probe(struct platform_device *pdev)
                of_property_read_u32(pdev->dev.of_node, "offset", &data->offset);
        }
-        if (!data->regmap) {
+        if (IS_ERR(data->regmap)) {
                dev_err(&pdev->dev, "Can't find snvs syscon\n");
                return -ENODEV;
        }
@@ -287,7 +290,11 @@ static int snvs_rtc_probe(struct platform_device *pdev)
        regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff);
        /* Enable RTC */
-        snvs_rtc_enable(data, true);
+        ret = snvs_rtc_enable(data, true);
+        if (ret) {
+                dev_err(&pdev->dev, "failed to enable rtc %d\n", ret);
+                goto error_rtc_device_register;
+        }
        device_init_wakeup(&pdev->dev, true);
diff --git a/drivers/rtc/rtc-tx4939.c b/drivers/rtc/rtc-tx4939.c
index 560d9a5e0225..a9528083061d 100644
--- a/drivers/rtc/rtc-tx4939.c
+++ b/drivers/rtc/rtc-tx4939.c
@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct device *dev, struct rtc_time *tm)
        for (i = 2; i < 6; i++)
                buf[i] = __raw_readl(&rtcreg->dat);
        spin_unlock_irq(&pdata->lock);
-        sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
+        sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
+                (buf[3] << 8) | buf[2];
        rtc_time_to_tm(sec, tm);
        return rtc_valid_tm(tm);
 }
@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
        alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0;
        alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0;
        spin_unlock_irq(&pdata->lock);
-        sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
+        sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
+                (buf[3] << 8) | buf[2];
        rtc_time_to_tm(sec, &alrm->time);
        return rtc_valid_tm(&alrm->time);
 }
diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c
index e7a6f1222642..b76a85d14ef0 100644
--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -1881,8 +1881,12 @@ static int __dasd_device_is_unusable(struct dasd_device *device,
 {
        int mask = ~(DASD_STOPPED_DC_WAIT | DASD_UNRESUMED_PM);
-        if (test_bit(DASD_FLAG_OFFLINE, &device->flags)) {
+        if (test_bit(DASD_FLAG_OFFLINE, &device->flags) &&
-                /* dasd is being set offline. */
+            !test_bit(DASD_FLAG_SAFE_OFFLINE_RUNNING, &device->flags)) {
+                /*
+                 * dasd is being set offline
+                 * but it is no safe offline where we have to allow I/O
+                 */
                return 1;
        }
        if (device->stopped) {
diff --git a/drivers/s390/block/dasd_3990_erp.c b/drivers/s390/block/dasd_3990_erp.c
index d26134713682..d05c553eb552 100644
--- a/drivers/s390/block/dasd_3990_erp.c
+++ b/drivers/s390/block/dasd_3990_erp.c
@@ -2743,6 +2743,16 @@ dasd_3990_erp_action(struct dasd_ccw_req * cqr)
                erp = dasd_3990_erp_handle_match_erp(cqr, erp);
        }
+        /*
+         * For path verification work we need to stick with the path that was
+         * originally chosen so that the per path configuration data is
+         * assigned correctly.
+         */
+        if (test_bit(DASD_CQR_VERIFY_PATH, &erp->flags) && cqr->lpm) {
+                erp->lpm = cqr->lpm;
+        }
        if (device->features & DASD_FEATURE_ERPLOG) {
                /* print current erp_chain */
                dev_err(&device->cdev->dev,
diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index 9083247f55a8..21d174e9ebdb 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -518,10 +518,12 @@ static int prefix_LRE(struct ccw1 *ccw, struct PFX_eckd_data *pfxdata,
        pfxdata->validity.define_extent = 1;
        /* private uid is kept up to date, conf_data may be outdated */
-        if (startpriv->uid.type != UA_BASE_DEVICE) {
+        if (startpriv->uid.type == UA_BASE_PAV_ALIAS)
                pfxdata->validity.verify_base = 1;
-                if (startpriv->uid.type == UA_HYPER_PAV_ALIAS)
-                        pfxdata->validity.hyper_pav = 1;
+        if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) {
+                pfxdata->validity.verify_base = 1;
+                pfxdata->validity.hyper_pav = 1;
        }
        /* define extend data (mostly)*/
@@ -3002,10 +3004,12 @@ static int prepare_itcw(struct itcw *itcw,
        pfxdata.validity.define_extent = 1;
        /* private uid is kept up to date, conf_data may be outdated */
-        if (startpriv->uid.type != UA_BASE_DEVICE) {
+        if (startpriv->uid.type == UA_BASE_PAV_ALIAS)
+                pfxdata.validity.verify_base = 1;
+        if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) {
                pfxdata.validity.verify_base = 1;
-                if (startpriv->uid.type == UA_HYPER_PAV_ALIAS)
+                pfxdata.validity.hyper_pav = 1;
-                        pfxdata.validity.hyper_pav = 1;
        }
        switch (cmd) {
diff --git a/drivers/s390/char/Makefile b/drivers/s390/char/Makefile
index 6fa9364d1c07..835f1054976b 100644
--- a/drivers/s390/char/Makefile
+++ b/drivers/s390/char/Makefile
@@ -2,6 +2,8 @@
 # S/390 character devices
 #
+CFLAGS_REMOVE_sclp_early_core.o += $(CC_FLAGS_EXPOLINE)
 obj-y += ctrlchar.o keyboard.o defkeymap.o sclp.o sclp_rw.o sclp_quiesce.o \
         sclp_cmd.o sclp_config.o sclp_cpi_sys.o sclp_ocf.o sclp_ctl.o \
         sclp_early.o
diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c
index 1e16331891a9..f9d6a9f00640 100644
--- a/drivers/s390/cio/chsc.c
+++ b/drivers/s390/cio/chsc.c
@@ -451,6 +451,7 @@ static void chsc_process_sei_link_incident(struct chsc_sei_nt0_area *sei_area)
 static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area)
 {
+        struct channel_path *chp;
        struct chp_link link;
        struct chp_id chpid;
        int status;
@@ -463,10 +464,17 @@ static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area)
        chpid.id = sei_area->rsid;
        /* allocate a new channel path structure, if needed */
        status = chp_get_status(chpid);
-        if (status < 0)
+        if (!status)
-                chp_new(chpid);
-        else if (!status)
                return;
+        if (status < 0) {
+                chp_new(chpid);
+        } else {
+                chp = chpid_to_chp(chpid);
+                mutex_lock(&chp->lock);
+                chp_update_desc(chp);
+                mutex_unlock(&chp->lock);
+        }
        memset(&link, 0, sizeof(struct chp_link));
        link.chpid = chpid;
        if ((sei_area->vf & 0xc0) != 0) {
diff --git a/drivers/s390/cio/device_fsm.c b/drivers/s390/cio/device_fsm.c
index 92e03b42e661..3fc73b5894f0 100644
--- a/drivers/s390/cio/device_fsm.c
+++ b/drivers/s390/cio/device_fsm.c
@@ -822,6 +822,7 @@ ccw_device_online_timeout(struct ccw_device *cdev, enum dev_event dev_event)
        ccw_device_set_timeout(cdev, 0);
        cdev->private->iretry = 255;
+        cdev->private->async_kill_io_rc = -ETIMEDOUT;
        ret = ccw_device_cancel_halt_clear(cdev);
        if (ret == -EBUSY) {
                ccw_device_set_timeout(cdev, 3*HZ);
@@ -898,7 +899,7 @@ ccw_device_killing_irq(struct ccw_device *cdev, enum dev_event dev_event)
        /* OK, i/o is dead now. Call interrupt handler. */
        if (cdev->handler)
                cdev->handler(cdev, cdev->private->intparm,
-                              ERR_PTR(-EIO));
+                              ERR_PTR(cdev->private->async_kill_io_rc));
 }
 static void
@@ -915,14 +916,16 @@ ccw_device_killing_timeout(struct ccw_device *cdev, enum dev_event dev_event)
        ccw_device_online_verify(cdev, 0);
        if (cdev->handler)
                cdev->handler(cdev, cdev->private->intparm,
-                              ERR_PTR(-EIO));
+                              ERR_PTR(cdev->private->async_kill_io_rc));
 }
 void ccw_device_kill_io(struct ccw_device *cdev)
 {
        int ret;
+        ccw_device_set_timeout(cdev, 0);
        cdev->private->iretry = 255;
+        cdev->private->async_kill_io_rc = -EIO;
        ret = ccw_device_cancel_halt_clear(cdev);
        if (ret == -EBUSY) {
                ccw_device_set_timeout(cdev, 3*HZ);
diff --git a/drivers/s390/cio/io_sch.h b/drivers/s390/cio/io_sch.h
index b108f4a5c7dd..b142c7a389b7 100644
--- a/drivers/s390/cio/io_sch.h
+++ b/drivers/s390/cio/io_sch.h
@@ -155,6 +155,7 @@ struct ccw_device_private {
        unsigned long intparm;  /* user interruption parameter */
        struct qdio_irq *qdio_data;
        struct irb irb;         /* device status */
+        int async_kill_io_rc;
        struct senseid senseid; /* SenseID info */
        struct pgid pgid[8];    /* path group IDs per chpid*/
        struct ccw1 iccws[2];   /* ccws for SNID/SID/SPGID commands */
diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
index 4bb5262f7aee..742ca57ece8c 100644
--- a/drivers/s390/cio/qdio_main.c
+++ b/drivers/s390/cio/qdio_main.c
@@ -126,7 +126,7 @@ static inline int qdio_check_ccq(struct qdio_q *q, unsigned int ccq)
 static int qdio_do_eqbs(struct qdio_q *q, unsigned char *state,
                        int start, int count, int auto_ack)
 {
-        int rc, tmp_count = count, tmp_start = start, nr = q->nr, retried = 0;
+        int rc, tmp_count = count, tmp_start = start, nr = q->nr;
        unsigned int ccq = 0;
        qperf_inc(q, eqbs);
@@ -149,14 +149,7 @@ again:
                qperf_inc(q, eqbs_partial);
                DBF_DEV_EVENT(DBF_WARN, q->irq_ptr, "EQBS part:%02x",
                        tmp_count);
-                /*
+                return count - tmp_count;
-                 * Retry once, if that fails bail out and process the
-                 * extracted buffers before trying again.
-                 */
-                if (!retried++)
-                        goto again;
-                else
-                        return count - tmp_count;
        }
        DBF_ERROR("%4x EQBS ERROR", SCH_NO(q));
@@ -212,7 +205,10 @@ again:
        return 0;
 }
-/* returns number of examined buffers and their common state in *state */
+/*
+ * Returns number of examined buffers and their common state in *state.
+ * Requested number of buffers-to-examine must be > 0.
+ */
 static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr,
                                 unsigned char *state, unsigned int count,
                                 int auto_ack, int merge_pending)
@@ -223,17 +219,23 @@ static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr,
        if (is_qebsm(q))
                return qdio_do_eqbs(q, state, bufnr, count, auto_ack);
-        for (i = 0; i < count; i++) {
+        /* get initial state: */
-                if (!__state) {
+        __state = q->slsb.val[bufnr];
-                        __state = q->slsb.val[bufnr];
+        if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
-                        if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
+                __state = SLSB_P_OUTPUT_EMPTY;
-                                __state = SLSB_P_OUTPUT_EMPTY;
-                } else if (merge_pending) {
+        for (i = 1; i < count; i++) {
-                        if ((q->slsb.val[bufnr] & __state) != __state)
-                                break;
-                } else if (q->slsb.val[bufnr] != __state)
-                        break;
                bufnr = next_buf(bufnr);
+                /* merge PENDING into EMPTY: */
+                if (merge_pending &&
+                    q->slsb.val[bufnr] == SLSB_P_OUTPUT_PENDING &&
+                    __state == SLSB_P_OUTPUT_EMPTY)
+                        continue;
+                /* stop if next state differs from initial state: */
+                if (q->slsb.val[bufnr] != __state)
+                        break;
        }
        *state = __state;
        return i;
diff --git a/drivers/s390/cio/qdio_setup.c b/drivers/s390/cio/qdio_setup.c
index 48b3866a9ded..35286907c636 100644
--- a/drivers/s390/cio/qdio_setup.c
+++ b/drivers/s390/cio/qdio_setup.c
@@ -140,7 +140,7 @@ static int __qdio_allocate_qs(struct qdio_q **irq_ptr_qs, int nr_queues)
        int i;
        for (i = 0; i < nr_queues; i++) {
-                q = kmem_cache_alloc(qdio_q_cache, GFP_KERNEL);
+                q = kmem_cache_zalloc(qdio_q_cache, GFP_KERNEL);
                if (!q)
                        return -ENOMEM;
@@ -456,7 +456,6 @@ int qdio_setup_irq(struct qdio_initialize *init_data)
 {
        struct ciw *ciw;
        struct qdio_irq *irq_ptr = init_data->cdev->private->qdio_data;
-        int rc;
        memset(&irq_ptr->qib, 0, sizeof(irq_ptr->qib));
        memset(&irq_ptr->siga_flag, 0, sizeof(irq_ptr->siga_flag));
@@ -493,16 +492,14 @@ int qdio_setup_irq(struct qdio_initialize *init_data)
        ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_EQUEUE);
        if (!ciw) {
                DBF_ERROR("%4x NO EQ", irq_ptr->schid.sch_no);
-                rc = -EINVAL;
+                return -EINVAL;
-                goto out_err;
        }
        irq_ptr->equeue = *ciw;
        ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_AQUEUE);
        if (!ciw) {
                DBF_ERROR("%4x NO AQ", irq_ptr->schid.sch_no);
-                rc = -EINVAL;
+                return -EINVAL;
-                goto out_err;
        }
        irq_ptr->aqueue = *ciw;
@@ -510,9 +507,6 @@ int qdio_setup_irq(struct qdio_initialize *init_data)
        irq_ptr->orig_handler = init_data->cdev->handler;
        init_data->cdev->handler = qdio_int_handler;
        return 0;
-out_err:
-        qdio_release_memory(irq_ptr);
-        return rc;
 }
 void qdio_print_subchannel_info(struct qdio_irq *irq_ptr,
diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h
index 5006cb6ce62d..50030cdf91fb 100644
--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -591,6 +591,11 @@ struct qeth_cmd_buffer {
        void (*callback) (struct qeth_channel *, struct qeth_cmd_buffer *);
 };
+static inline struct qeth_ipa_cmd *__ipa_cmd(struct qeth_cmd_buffer *iob)
+{
+        return (struct qeth_ipa_cmd *)(iob->data + IPA_PDU_HEADER_SIZE);
+}
 /**
 * definition of a qeth channel, used for read and write
 */
diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
index e5b9506698b1..95c631125a20 100644
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -517,8 +517,7 @@ static inline int qeth_is_cq(struct qeth_card *card, unsigned int queue)
            queue == card->qdio.no_in_queues - 1;
 }
+static int __qeth_issue_next_read(struct qeth_card *card)
-static int qeth_issue_next_read(struct qeth_card *card)
 {
        int rc;
        struct qeth_cmd_buffer *iob;
@@ -549,6 +548,17 @@ static int qeth_issue_next_read(struct qeth_card *card)
        return rc;
 }
+static int qeth_issue_next_read(struct qeth_card *card)
+{
+        int ret;
+        spin_lock_irq(get_ccwdev_lock(CARD_RDEV(card)));
+        ret = __qeth_issue_next_read(card);
+        spin_unlock_irq(get_ccwdev_lock(CARD_RDEV(card)));
+        return ret;
+}
 static struct qeth_reply *qeth_alloc_reply(struct qeth_card *card)
 {
        struct qeth_reply *reply;
@@ -952,7 +962,7 @@ void qeth_clear_thread_running_bit(struct qeth_card *card, unsigned long thread)
        spin_lock_irqsave(&card->thread_mask_lock, flags);
        card->thread_running_mask &= ~thread;
        spin_unlock_irqrestore(&card->thread_mask_lock, flags);
-        wake_up(&card->wait_q);
+        wake_up_all(&card->wait_q);
 }
 EXPORT_SYMBOL_GPL(qeth_clear_thread_running_bit);
@@ -1156,6 +1166,7 @@ static void qeth_irq(struct ccw_device *cdev, unsigned long intparm,
                }
                rc = qeth_get_problem(cdev, irb);
                if (rc) {
+                        card->read_or_write_problem = 1;
                        qeth_clear_ipacmd_list(card);
                        qeth_schedule_recovery(card);
                        goto out;
@@ -1174,7 +1185,7 @@ static void qeth_irq(struct ccw_device *cdev, unsigned long intparm,
                return;
        if (channel == &card->read &&
            channel->state == CH_STATE_UP)
-                qeth_issue_next_read(card);
+                __qeth_issue_next_read(card);
        iob = channel->iob;
        index = channel->buf_no;
@@ -2054,7 +2065,7 @@ int qeth_send_control_data(struct qeth_card *card, int len,
        unsigned long flags;
        struct qeth_reply *reply = NULL;
        unsigned long timeout, event_timeout;
-        struct qeth_ipa_cmd *cmd;
+        struct qeth_ipa_cmd *cmd = NULL;
        QETH_CARD_TEXT(card, 2, "sendctl");
@@ -2068,23 +2079,27 @@ int qeth_send_control_data(struct qeth_card *card, int len,
        }
        reply->callback = reply_cb;
        reply->param = reply_param;
-        if (card->state == CARD_STATE_DOWN)
-                reply->seqno = QETH_IDX_COMMAND_SEQNO;
-        else
-                reply->seqno = card->seqno.ipa++;
        init_waitqueue_head(&reply->wait_q);
-        spin_lock_irqsave(&card->lock, flags);
-        list_add_tail(&reply->list, &card->cmd_waiter_list);
-        spin_unlock_irqrestore(&card->lock, flags);
        QETH_DBF_HEX(CTRL, 2, iob->data, QETH_DBF_CTRL_LEN);
        while (atomic_cmpxchg(&card->write.irq_pending, 0, 1)) ;
-        qeth_prepare_control_data(card, len, iob);
-        if (IS_IPA(iob->data))
+        if (IS_IPA(iob->data)) {
+                cmd = __ipa_cmd(iob);
+                cmd->hdr.seqno = card->seqno.ipa++;
+                reply->seqno = cmd->hdr.seqno;
                event_timeout = QETH_IPA_TIMEOUT;
-        else
+        } else {
+                reply->seqno = QETH_IDX_COMMAND_SEQNO;
                event_timeout = QETH_TIMEOUT;
+        }
+        qeth_prepare_control_data(card, len, iob);
+        spin_lock_irqsave(&card->lock, flags);
+        list_add_tail(&reply->list, &card->cmd_waiter_list);
+        spin_unlock_irqrestore(&card->lock, flags);
        timeout = jiffies + event_timeout;
        QETH_CARD_TEXT(card, 6, "noirqpnd");
@@ -2109,9 +2124,8 @@ int qeth_send_control_data(struct qeth_card *card, int len,
        /* we have only one long running ipassist, since we can ensure
           process context of this command we can sleep */
-        cmd = (struct qeth_ipa_cmd *)(iob->data+IPA_PDU_HEADER_SIZE);
+        if (cmd && cmd->hdr.command == IPA_CMD_SETIP &&
-        if ((cmd->hdr.command == IPA_CMD_SETIP) &&
+            cmd->hdr.prot_version == QETH_PROT_IPV4) {
-            (cmd->hdr.prot_version == QETH_PROT_IPV4)) {
                if (!wait_event_timeout(reply->wait_q,
                    atomic_read(&reply->received), event_timeout))
                        goto time_err;
@@ -2877,7 +2891,7 @@ static void qeth_fill_ipacmd_header(struct qeth_card *card,
        memset(cmd, 0, sizeof(struct qeth_ipa_cmd));
        cmd->hdr.command = command;
        cmd->hdr.initiator = IPA_CMD_INITIATOR_HOST;
-        cmd->hdr.seqno = card->seqno.ipa;
+        /* cmd->hdr.seqno is set by qeth_send_control_data() */
        cmd->hdr.adapter_type = qeth_get_ipa_adp_type(card->info.link_type);
        cmd->hdr.rel_adapter_no = (__u8) card->info.portno;
        if (card->options.layer2)
@@ -4966,8 +4980,6 @@ static void qeth_core_free_card(struct qeth_card *card)
        QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *));
        qeth_clean_channel(&card->read);
        qeth_clean_channel(&card->write);
-        if (card->dev)
-                free_netdev(card->dev);
        kfree(card->ip_tbd_list);
        qeth_free_qdio_buffers(card);
        unregister_service_level(&card->qeth_service_level);
diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
index 58bcb3c9a86a..acdb5ccb0ab9 100644
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -1062,8 +1062,8 @@ static void qeth_l2_remove_device(struct ccwgroup_device *cgdev)
                qeth_l2_set_offline(cgdev);
        if (card->dev) {
-                netif_napi_del(&card->napi);
                unregister_netdev(card->dev);
+                free_netdev(card->dev);
                card->dev = NULL;
        }
        return;
diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
index 0d6888cbd96e..bbdb3b6c54bb 100644
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -3243,8 +3243,8 @@ static void qeth_l3_remove_device(struct ccwgroup_device *cgdev)
                qeth_l3_set_offline(cgdev);
        if (card->dev) {
-                netif_napi_del(&card->napi);
                unregister_netdev(card->dev);
+                free_netdev(card->dev);
                card->dev = NULL;
        }
diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
index 34367d172961..b6caad0fee24 100644
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -3,7 +3,7 @@
 *
 * Debug traces for zfcp.
 *
- * Copyright IBM Corp. 2002, 2017
+ * Copyright IBM Corp. 2002, 2018
 */
 #define KMSG_COMPONENT "zfcp"
@@ -287,6 +287,27 @@ void zfcp_dbf_rec_trig(char *tag, struct zfcp_adapter *adapter,
        spin_unlock_irqrestore(&dbf->rec_lock, flags);
 }
+/**
+ * zfcp_dbf_rec_trig_lock - trace event related to triggered recovery with lock
+ * @tag: identifier for event
+ * @adapter: adapter on which the erp_action should run
+ * @port: remote port involved in the erp_action
+ * @sdev: scsi device involved in the erp_action
+ * @want: wanted erp_action
+ * @need: required erp_action
+ *
+ * The adapter->erp_lock must not be held.
+ */
+void zfcp_dbf_rec_trig_lock(char *tag, struct zfcp_adapter *adapter,
+                            struct zfcp_port *port, struct scsi_device *sdev,
+                            u8 want, u8 need)
+{
+        unsigned long flags;
+        read_lock_irqsave(&adapter->erp_lock, flags);
+        zfcp_dbf_rec_trig(tag, adapter, port, sdev, want, need);
+        read_unlock_irqrestore(&adapter->erp_lock, flags);
+}
 /**
 * zfcp_dbf_rec_run_lvl - trace event related to running recovery
@@ -604,6 +625,46 @@ void zfcp_dbf_scsi(char *tag, int level, struct scsi_cmnd *sc,
        spin_unlock_irqrestore(&dbf->scsi_lock, flags);
 }
+/**
+ * zfcp_dbf_scsi_eh() - Trace event for special cases of scsi_eh callbacks.
+ * @tag: Identifier for event.
+ * @adapter: Pointer to zfcp adapter as context for this event.
+ * @scsi_id: SCSI ID/target to indicate scope of task management function (TMF).
+ * @ret: Return value of calling function.
+ *
+ * This SCSI trace variant does not depend on any of:
+ * scsi_cmnd, zfcp_fsf_req, scsi_device.
+ */
+void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
+                      unsigned int scsi_id, int ret)
+{
+        struct zfcp_dbf *dbf = adapter->dbf;
+        struct zfcp_dbf_scsi *rec = &dbf->scsi_buf;
+        unsigned long flags;
+        static int const level = 1;
+        if (unlikely(!debug_level_enabled(adapter->dbf->scsi, level)))
+                return;
+        spin_lock_irqsave(&dbf->scsi_lock, flags);
+        memset(rec, 0, sizeof(*rec));
+        memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN);
+        rec->id = ZFCP_DBF_SCSI_CMND;
+        rec->scsi_result = ret; /* re-use field, int is 4 bytes and fits */
+        rec->scsi_retries = ~0;
+        rec->scsi_allowed = ~0;
+        rec->fcp_rsp_info = ~0;
+        rec->scsi_id = scsi_id;
+        rec->scsi_lun = (u32)ZFCP_DBF_INVALID_LUN;
+        rec->scsi_lun_64_hi = (u32)(ZFCP_DBF_INVALID_LUN >> 32);
+        rec->host_scribble = ~0;
+        memset(rec->scsi_opcode, 0xff, ZFCP_DBF_SCSI_OPCODE);
+        debug_event(dbf->scsi, level, rec, sizeof(*rec));
+        spin_unlock_irqrestore(&dbf->scsi_lock, flags);
+}
 static debug_info_t *zfcp_dbf_reg(const char *name, int size, int rec_size)
 {
        struct debug_info *d;
diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
index 3b23d6754598..2abcd331b05d 100644
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -34,11 +34,28 @@ enum zfcp_erp_steps {
        ZFCP_ERP_STEP_LUN_OPENING       = 0x2000,
 };
+/**
+ * enum zfcp_erp_act_type - Type of ERP action object.
+ * @ZFCP_ERP_ACTION_REOPEN_LUN: LUN recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_PORT: Port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
+ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
+ *                        either of the first four enum values.
+ *                        Used to indicate that an ERP action could not be
+ *                        set up despite a detected need for some recovery.
+ * @ZFCP_ERP_ACTION_FAILED: Eyecatcher pseudo flag to bitwise or-combine with
+ *                          either of the first four enum values.
+ *                          Used to indicate that ERP not needed because
+ *                          the object has ZFCP_STATUS_COMMON_ERP_FAILED.
+ */
 enum zfcp_erp_act_type {
        ZFCP_ERP_ACTION_REOPEN_LUN         = 1,
        ZFCP_ERP_ACTION_REOPEN_PORT        = 2,
        ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
        ZFCP_ERP_ACTION_REOPEN_ADAPTER     = 4,
+        ZFCP_ERP_ACTION_NONE               = 0xc0,
+        ZFCP_ERP_ACTION_FAILED             = 0xe0,
 };
 enum zfcp_erp_act_state {
@@ -125,6 +142,49 @@ static void zfcp_erp_action_dismiss_adapter(struct zfcp_adapter *adapter)
        }
 }
+static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter,
+                                  struct zfcp_port *port,
+                                  struct scsi_device *sdev)
+{
+        int need = want;
+        struct zfcp_scsi_dev *zsdev;
+        switch (want) {
+        case ZFCP_ERP_ACTION_REOPEN_LUN:
+                zsdev = sdev_to_zfcp(sdev);
+                if (atomic_read(&zsdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+                        need = 0;
+                break;
+        case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
+                if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+                        need = 0;
+                break;
+        case ZFCP_ERP_ACTION_REOPEN_PORT:
+                if (atomic_read(&port->status) &
+                    ZFCP_STATUS_COMMON_ERP_FAILED) {
+                        need = 0;
+                        /* ensure propagation of failed status to new devices */
+                        zfcp_erp_set_port_status(
+                                port, ZFCP_STATUS_COMMON_ERP_FAILED);
+                }
+                break;
+        case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
+                if (atomic_read(&adapter->status) &
+                    ZFCP_STATUS_COMMON_ERP_FAILED) {
+                        need = 0;
+                        /* ensure propagation of failed status to new devices */
+                        zfcp_erp_set_adapter_status(
+                                adapter, ZFCP_STATUS_COMMON_ERP_FAILED);
+                }
+                break;
+        default:
+                need = 0;
+                break;
+        }
+        return need;
+}
 static int zfcp_erp_required_act(int want, struct zfcp_adapter *adapter,
                                 struct zfcp_port *port,
                                 struct scsi_device *sdev)
@@ -248,16 +308,27 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter,
        int retval = 1, need;
        struct zfcp_erp_action *act;
-        if (!adapter->erp_thread)
+        need = zfcp_erp_handle_failed(want, adapter, port, sdev);
-                return -EIO;
+        if (!need) {
+                need = ZFCP_ERP_ACTION_FAILED; /* marker for trace */
+                goto out;
+        }
+        if (!adapter->erp_thread) {
+                need = ZFCP_ERP_ACTION_NONE; /* marker for trace */
+                retval = -EIO;
+                goto out;
+        }
        need = zfcp_erp_required_act(want, adapter, port, sdev);
        if (!need)
                goto out;
        act = zfcp_erp_setup_act(need, act_status, adapter, port, sdev);
-        if (!act)
+        if (!act) {
+                need |= ZFCP_ERP_ACTION_NONE; /* marker for trace */
                goto out;
+        }
        atomic_or(ZFCP_STATUS_ADAPTER_ERP_PENDING, &adapter->status);
        ++adapter->erp_total_count;
        list_add_tail(&act->list, &adapter->erp_ready_head);
@@ -268,18 +339,32 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter,
        return retval;
 }
+void zfcp_erp_port_forced_no_port_dbf(char *id, struct zfcp_adapter *adapter,
+                                      u64 port_name, u32 port_id)
+{
+        unsigned long flags;
+        static /* don't waste stack */ struct zfcp_port tmpport;
+        write_lock_irqsave(&adapter->erp_lock, flags);
+        /* Stand-in zfcp port with fields just good enough for
+         * zfcp_dbf_rec_trig() and zfcp_dbf_set_common().
+         * Under lock because tmpport is static.
+         */
+        atomic_set(&tmpport.status, -1); /* unknown */
+        tmpport.wwpn = port_name;
+        tmpport.d_id = port_id;
+        zfcp_dbf_rec_trig(id, adapter, &tmpport, NULL,
+                          ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+                          ZFCP_ERP_ACTION_NONE);
+        write_unlock_irqrestore(&adapter->erp_lock, flags);
+}
 static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter,
                                    int clear_mask, char *id)
 {
        zfcp_erp_adapter_block(adapter, clear_mask);
        zfcp_scsi_schedule_rports_block(adapter);
-        /* ensure propagation of failed status to new devices */
-        if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-                zfcp_erp_set_adapter_status(adapter,
-                                            ZFCP_STATUS_COMMON_ERP_FAILED);
-                return -EIO;
-        }
        return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER,
                                       adapter, NULL, NULL, id, 0);
 }
@@ -298,12 +383,8 @@ void zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter, int clear, char *id)
        zfcp_scsi_schedule_rports_block(adapter);
        write_lock_irqsave(&adapter->erp_lock, flags);
-        if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+        zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
-                zfcp_erp_set_adapter_status(adapter,
+                                NULL, NULL, id, 0);
-                                            ZFCP_STATUS_COMMON_ERP_FAILED);
-        else
-                zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
-                                        NULL, NULL, id, 0);
        write_unlock_irqrestore(&adapter->erp_lock, flags);
 }
@@ -344,9 +425,6 @@ static void _zfcp_erp_port_forced_reopen(struct zfcp_port *port, int clear,
        zfcp_erp_port_block(port, clear);
        zfcp_scsi_schedule_rport_block(port);
-        if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-                return;
        zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
                                port->adapter, port, NULL, id, 0);
 }
@@ -372,12 +450,6 @@ static int _zfcp_erp_port_reopen(struct zfcp_port *port, int clear, char *id)
        zfcp_erp_port_block(port, clear);
        zfcp_scsi_schedule_rport_block(port);
-        if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-                /* ensure propagation of failed status to new devices */
-                zfcp_erp_set_port_status(port, ZFCP_STATUS_COMMON_ERP_FAILED);
-                return -EIO;
-        }
        return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT,
                                       port->adapter, port, NULL, id, 0);
 }
@@ -417,9 +489,6 @@ static void _zfcp_erp_lun_reopen(struct scsi_device *sdev, int clear, char *id,
        zfcp_erp_lun_block(sdev, clear);
-        if (atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-                return;
        zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_LUN, adapter,
                                zfcp_sdev->port, sdev, id, act_status);
 }
diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
index 21c8c689b02b..b326f05c7f89 100644
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -3,7 +3,7 @@
 *
 * External function declarations.
 *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2018
 */
 #ifndef ZFCP_EXT_H
@@ -34,6 +34,9 @@ extern int zfcp_dbf_adapter_register(struct zfcp_adapter *);
 extern void zfcp_dbf_adapter_unregister(struct zfcp_adapter *);
 extern void zfcp_dbf_rec_trig(char *, struct zfcp_adapter *,
                              struct zfcp_port *, struct scsi_device *, u8, u8);
+extern void zfcp_dbf_rec_trig_lock(char *tag, struct zfcp_adapter *adapter,
+                                   struct zfcp_port *port,
+                                   struct scsi_device *sdev, u8 want, u8 need);
 extern void zfcp_dbf_rec_run(char *, struct zfcp_erp_action *);
 extern void zfcp_dbf_rec_run_lvl(int level, char *tag,
                                 struct zfcp_erp_action *erp);
@@ -49,10 +52,15 @@ extern void zfcp_dbf_san_res(char *, struct zfcp_fsf_req *);
 extern void zfcp_dbf_san_in_els(char *, struct zfcp_fsf_req *);
 extern void zfcp_dbf_scsi(char *, int, struct scsi_cmnd *,
                          struct zfcp_fsf_req *);
+extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
+                             unsigned int scsi_id, int ret);
 /* zfcp_erp.c */
 extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
 extern void zfcp_erp_clear_adapter_status(struct zfcp_adapter *, u32);
+extern void zfcp_erp_port_forced_no_port_dbf(char *id,
+                                             struct zfcp_adapter *adapter,
+                                             u64 port_name, u32 port_id);
 extern void zfcp_erp_adapter_reopen(struct zfcp_adapter *, int, char *);
 extern void zfcp_erp_adapter_shutdown(struct zfcp_adapter *, int, char *);
 extern void zfcp_erp_set_port_status(struct zfcp_port *, u32);
diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
index a9b8104b982e..3afb200b2829 100644
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
 *
 * Interface to Linux SCSI midlayer.
 *
- * Copyright IBM Corp. 2002, 2017
+ * Copyright IBM Corp. 2002, 2018
 */
 #define KMSG_COMPONENT "zfcp"
@@ -180,6 +180,7 @@ static int zfcp_scsi_eh_abort_handler(struct scsi_cmnd *scpnt)
                if (abrt_req)
                        break;
+                zfcp_dbf_scsi_abort("abrt_wt", scpnt, NULL);
                zfcp_erp_wait(adapter);
                ret = fc_block_scsi_eh(scpnt);
                if (ret) {
@@ -276,6 +277,7 @@ static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags)
                if (fsf_req)
                        break;
+                zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL);
                zfcp_erp_wait(adapter);
                ret = fc_block_scsi_eh(scpnt);
                if (ret) {
@@ -322,15 +324,16 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt)
 {
        struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
        struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
-        int ret;
+        int ret = SUCCESS, fc_ret;
        zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
        zfcp_erp_wait(adapter);
-        ret = fc_block_scsi_eh(scpnt);
+        fc_ret = fc_block_scsi_eh(scpnt);
-        if (ret)
+        if (fc_ret)
-                return ret;
+                ret = fc_ret;
-        return SUCCESS;
+        zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret);
+        return ret;
 }
 struct scsi_transport_template *zfcp_scsi_transport_template;
@@ -600,6 +603,11 @@ static void zfcp_scsi_terminate_rport_io(struct fc_rport *rport)
        if (port) {
                zfcp_erp_port_forced_reopen(port, 0, "sctrpi1");
                put_device(&port->dev);
+        } else {
+                zfcp_erp_port_forced_no_port_dbf(
+                        "sctrpin", adapter,
+                        rport->port_name /* zfcp_scsi_rport_register */,
+                        rport->port_id /* zfcp_scsi_rport_register */);
        }
 }
@@ -616,9 +624,9 @@ static void zfcp_scsi_rport_register(struct zfcp_port *port)
        ids.port_id = port->d_id;
        ids.roles = FC_RPORT_ROLE_FCP_TARGET;
-        zfcp_dbf_rec_trig("scpaddy", port->adapter, port, NULL,
+        zfcp_dbf_rec_trig_lock("scpaddy", port->adapter, port, NULL,
-                          ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD,
+                               ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD,
-                          ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD);
+                               ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD);
        rport = fc_remote_port_add(port->adapter->scsi_host, 0, &ids);
        if (!rport) {
                dev_err(&port->adapter->ccw_device->dev,
@@ -640,9 +648,9 @@ static void zfcp_scsi_rport_block(struct zfcp_port *port)
        struct fc_rport *rport = port->rport;
        if (rport) {
-                zfcp_dbf_rec_trig("scpdely", port->adapter, port, NULL,
+                zfcp_dbf_rec_trig_lock("scpdely", port->adapter, port, NULL,
-                                  ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL,
+                                       ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL,
-                                  ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL);
+                                       ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL);
                fc_remote_port_delete(rport);
                port->rport = NULL;
        }
diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
index a56a7b243e91..5466246c69b4 100644
--- a/drivers/scsi/3w-9xxx.c
+++ b/drivers/scsi/3w-9xxx.c
@@ -889,6 +889,11 @@ static int twa_chrdev_open(struct inode *inode, struct file *file)
        unsigned int minor_number;
        int retval = TW_IOCTL_ERROR_OS_ENODEV;
+        if (!capable(CAP_SYS_ADMIN)) {
+                retval = -EACCES;
+                goto out;
+        }
        minor_number = iminor(inode);
        if (minor_number >= twa_device_extension_count)
                goto out;
diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
index 2940bd769936..14af38036287 100644
--- a/drivers/scsi/3w-xxxx.c
+++ b/drivers/scsi/3w-xxxx.c
@@ -1034,6 +1034,9 @@ static int tw_chrdev_open(struct inode *inode, struct file *file)
        dprintk(KERN_WARNING "3w-xxxx: tw_ioctl_open()\n");
+        if (!capable(CAP_SYS_ADMIN))
+                return -EACCES;
        minor_number = iminor(inode);
        if (minor_number >= tw_device_extension_count)
                return -ENODEV;
diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
index 8c758c36fc70..cf531ad8b6ee 100644
--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -1321,9 +1321,10 @@ static int _aac_reset_adapter(struct aac_dev *aac, int forced)
        host = aac->scsi_host_ptr;
        scsi_block_requests(host);
        aac_adapter_disable_int(aac);
-        if (aac->thread->pid != current->pid) {
+        if (aac->thread && aac->thread->pid != current->pid) {
                spin_unlock_irq(host->host_lock);
                kthread_stop(aac->thread);
+                aac->thread = NULL;
                jafo = 1;
        }
@@ -1363,13 +1364,13 @@ static int _aac_reset_adapter(struct aac_dev *aac, int forced)
         * will ensure that i/o is queisced and the card is flushed in that
         * case.
         */
+        aac_free_irq(aac);
        aac_fib_map_free(aac);
        pci_free_consistent(aac->pdev, aac->comm_size, aac->comm_addr, aac->comm_phys);
        aac->comm_addr = NULL;
        aac->comm_phys = 0;
        kfree(aac->queues);
        aac->queues = NULL;
-        aac_free_irq(aac);
        kfree(aac->fsa_dev);
        aac->fsa_dev = NULL;
        quirks = aac_get_driver_ident(index)->quirks;
@@ -1392,6 +1393,7 @@ static int _aac_reset_adapter(struct aac_dev *aac, int forced)
                                          aac->name);
                if (IS_ERR(aac->thread)) {
                        retval = PTR_ERR(aac->thread);
+                        aac->thread = NULL;
                        goto out;
                }
        }
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index aa6eccb8940b..8da8b46da722 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -1085,6 +1085,7 @@ static void __aac_shutdown(struct aac_dev * aac)
                                up(&fib->event_wait);
                }
                kthread_stop(aac->thread);
+                aac->thread = NULL;
        }
        aac_send_shutdown(aac);
        aac_adapter_disable_int(aac);
@@ -1189,8 +1190,10 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
         *      Map in the registers from the adapter.
         */
        aac->base_size = AAC_MIN_FOOTPRINT_SIZE;
-        if ((*aac_drivers[index].init)(aac))
+        if ((*aac_drivers[index].init)(aac)) {
+                error = -ENODEV;
                goto out_unmap;
+        }
        if (aac->sync_mode) {
                if (aac_sync_mode)
diff --git a/drivers/scsi/advansys.c b/drivers/scsi/advansys.c
index febbd83e2ecd..24e57e770432 100644
--- a/drivers/scsi/advansys.c
+++ b/drivers/scsi/advansys.c
@@ -6291,18 +6291,17 @@ static uchar AscGetSynPeriodIndex(ASC_DVC_VAR *asc_dvc, uchar syn_time)
 static uchar
 AscMsgOutSDTR(ASC_DVC_VAR *asc_dvc, uchar sdtr_period, uchar sdtr_offset)
 {
-        EXT_MSG sdtr_buf;
+        PortAddr iop_base = asc_dvc->iop_base;
-        uchar sdtr_period_index;
+        uchar sdtr_period_index = AscGetSynPeriodIndex(asc_dvc, sdtr_period);
-        PortAddr iop_base;
+        EXT_MSG sdtr_buf = {
+                .msg_type = EXTENDED_MESSAGE,
-        iop_base = asc_dvc->iop_base;
+                .msg_len = MS_SDTR_LEN,
-        sdtr_buf.msg_type = EXTENDED_MESSAGE;
+                .msg_req = EXTENDED_SDTR,
-        sdtr_buf.msg_len = MS_SDTR_LEN;
+                .xfer_period = sdtr_period,
-        sdtr_buf.msg_req = EXTENDED_SDTR;
+                .req_ack_offset = sdtr_offset,
-        sdtr_buf.xfer_period = sdtr_period;
+        };
        sdtr_offset &= ASC_SYN_MAX_OFFSET;
-        sdtr_buf.req_ack_offset = sdtr_offset;
-        sdtr_period_index = AscGetSynPeriodIndex(asc_dvc, sdtr_period);
        if (sdtr_period_index <= asc_dvc->max_sdtr_index) {
                AscMemWordCopyPtrToLram(iop_base, ASCV_MSGOUT_BEG,
                                        (uchar *)&sdtr_buf,
@@ -11030,6 +11029,9 @@ static int advansys_board_found(struct Scsi_Host *shost, unsigned int iop,
                ASC_DBG(2, "AdvInitGetConfig()\n");
                ret = AdvInitGetConfig(pdev, shost) ? -ENODEV : 0;
+#else
+                share_irq = 0;
+                ret = -ENODEV;
 #endif /* CONFIG_PCI */
        }
diff --git a/drivers/scsi/arm/fas216.c b/drivers/scsi/arm/fas216.c
index decdc71b6b86..f6d7c4712e66 100644
--- a/drivers/scsi/arm/fas216.c
+++ b/drivers/scsi/arm/fas216.c
@@ -2009,7 +2009,7 @@ static void fas216_rq_sns_done(FAS216_Info *info, struct scsi_cmnd *SCpnt,
                 * have valid data in the sense buffer that could
                 * confuse the higher levels.
                 */
-                memset(SCpnt->sense_buffer, 0, sizeof(SCpnt->sense_buffer));
+                memset(SCpnt->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE);
 //printk("scsi%d.%c: sense buffer: ", info->host->host_no, '0' + SCpnt->device->id);
 //{ int i; for (i = 0; i < 32; i++) printk("%02x ", SCpnt->sense_buffer[i]); printk("\n"); }
        /*
diff --git a/drivers/scsi/bnx2fc/bnx2fc.h b/drivers/scsi/bnx2fc/bnx2fc.h
index 499e369eabf0..8bc1625337f6 100644
--- a/drivers/scsi/bnx2fc/bnx2fc.h
+++ b/drivers/scsi/bnx2fc/bnx2fc.h
@@ -191,6 +191,7 @@ struct bnx2fc_hba {
        struct bnx2fc_cmd_mgr *cmd_mgr;
        spinlock_t hba_lock;
        struct mutex hba_mutex;
+        struct mutex hba_stats_mutex;
        unsigned long adapter_state;
                #define ADAPTER_STATE_UP                0
                #define ADAPTER_STATE_GOING_DOWN        1
diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
index 67405c628864..d0b227ffbd5f 100644
--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
@@ -641,15 +641,17 @@ static struct fc_host_statistics *bnx2fc_get_host_stats(struct Scsi_Host *shost)
        if (!fw_stats)
                return NULL;
+        mutex_lock(&hba->hba_stats_mutex);
        bnx2fc_stats = fc_get_host_stats(shost);
        init_completion(&hba->stat_req_done);
        if (bnx2fc_send_stat_req(hba))
-                return bnx2fc_stats;
+                goto unlock_stats_mutex;
        rc = wait_for_completion_timeout(&hba->stat_req_done, (2 * HZ));
        if (!rc) {
                BNX2FC_HBA_DBG(lport, "FW stat req timed out\n");
-                return bnx2fc_stats;
+                goto unlock_stats_mutex;
        }
        BNX2FC_STATS(hba, rx_stat2, fc_crc_cnt);
        bnx2fc_stats->invalid_crc_count += hba->bfw_stats.fc_crc_cnt;
@@ -671,6 +673,9 @@ static struct fc_host_statistics *bnx2fc_get_host_stats(struct Scsi_Host *shost)
        memcpy(&hba->prev_stats, hba->stats_buffer,
               sizeof(struct fcoe_statistics_params));
+unlock_stats_mutex:
+        mutex_unlock(&hba->hba_stats_mutex);
        return bnx2fc_stats;
 }
@@ -1302,6 +1307,7 @@ static struct bnx2fc_hba *bnx2fc_hba_create(struct cnic_dev *cnic)
        }
        spin_lock_init(&hba->hba_lock);
        mutex_init(&hba->hba_mutex);
+        mutex_init(&hba->hba_stats_mutex);
        hba->cnic = cnic;
diff --git a/drivers/scsi/bnx2fc/bnx2fc_io.c b/drivers/scsi/bnx2fc/bnx2fc_io.c
index 0002caf687dd..eb3b5c0f299f 100644
--- a/drivers/scsi/bnx2fc/bnx2fc_io.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_io.c
@@ -1858,6 +1858,7 @@ void bnx2fc_process_scsi_cmd_compl(struct bnx2fc_cmd *io_req,
                /* we will not receive ABTS response for this IO */
                BNX2FC_IO_DBG(io_req, "Timer context finished processing "
                           "this scsi cmd\n");
+                return;
        }
        /* Cancel the timeout_work, as we received IO completion */
diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c
index 622bdabc8894..dab195f04da7 100644
--- a/drivers/scsi/csiostor/csio_hw.c
+++ b/drivers/scsi/csiostor/csio_hw.c
@@ -1769,7 +1769,6 @@ csio_hw_use_fwconfig(struct csio_hw *hw, int reset, u32 *fw_cfg_param)
                goto bye;
        }
-        mempool_free(mbp, hw->mb_mempool);
        if (finicsum != cfcsum) {
                csio_warn(hw,
                      "Config File checksum mismatch: csum=%#x, computed=%#x\n",
@@ -1780,6 +1779,10 @@ csio_hw_use_fwconfig(struct csio_hw *hw, int reset, u32 *fw_cfg_param)
        rv = csio_hw_validate_caps(hw, mbp);
        if (rv != 0)
                goto bye;
+        mempool_free(mbp, hw->mb_mempool);
+        mbp = NULL;
        /*
         * Note that we're operating with parameters
         * not supplied by the driver, rather than from hard-wired
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index d4cda5e9600e..21c8d210c456 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -180,11 +180,14 @@ static u8 adpt_read_blink_led(adpt_hba* host)
 *============================================================================
 */
+#ifdef MODULE
 static struct pci_device_id dptids[] = {
        { PCI_DPT_VENDOR_ID, PCI_DPT_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID,},
        { PCI_DPT_VENDOR_ID, PCI_DPT_RAPTOR_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID,},
        { 0, }
 };
+#endif
 MODULE_DEVICE_TABLE(pci,dptids);
 static int adpt_detect(struct scsi_host_template* sht)
diff --git a/drivers/scsi/fdomain.c b/drivers/scsi/fdomain.c
index eefe14d453db..b87ab38a4530 100644
--- a/drivers/scsi/fdomain.c
+++ b/drivers/scsi/fdomain.c
@@ -1768,7 +1768,7 @@ struct scsi_host_template fdomain_driver_template = {
 };
 #ifndef PCMCIA
-#ifdef CONFIG_PCI
+#if defined(CONFIG_PCI) && defined(MODULE)
 static struct pci_device_id fdomain_pci_tbl[] = {
        { PCI_VENDOR_ID_FD, PCI_DEVICE_ID_FD_36C70,
diff --git a/drivers/scsi/g_NCR5380.c b/drivers/scsi/g_NCR5380.c
index f8d2478b11cc..87e081f8a386 100644
--- a/drivers/scsi/g_NCR5380.c
+++ b/drivers/scsi/g_NCR5380.c
@@ -538,7 +538,10 @@ static inline int NCR5380_pread(struct Scsi_Host *instance, unsigned char *dst,
                        printk(KERN_ERR "53C400r: Got 53C80_IRQ start=%d, blocks=%d\n", start, blocks);
                        return -1;
                }
-                while (NCR5380_read(C400_CONTROL_STATUS_REG) & CSR_HOST_BUF_NOT_RDY);
+                while (NCR5380_read(C400_CONTROL_STATUS_REG) & CSR_HOST_BUF_NOT_RDY)
+                {
+                        // FIXME - no timeout
+                }
 #ifndef SCSI_G_NCR5380_MEM
                {
diff --git a/drivers/scsi/ibmvscsi/ibmvfc.h b/drivers/scsi/ibmvscsi/ibmvfc.h
index 8fae03215a85..543c10266984 100644
--- a/drivers/scsi/ibmvscsi/ibmvfc.h
+++ b/drivers/scsi/ibmvscsi/ibmvfc.h
@@ -366,7 +366,7 @@ enum ibmvfc_fcp_rsp_info_codes {
 };
 struct ibmvfc_fcp_rsp_info {
-        __be16 reserved;
+        u8 reserved[3];
        u8 rsp_code;
        u8 reserved2[4];
 }__attribute__((packed, aligned (2)));
diff --git a/drivers/scsi/initio.c b/drivers/scsi/initio.c
index 6a926bae76b2..7a91cf3ff173 100644
--- a/drivers/scsi/initio.c
+++ b/drivers/scsi/initio.c
@@ -110,11 +110,6 @@
 #define i91u_MAXQUEUE           2
 #define i91u_REVID "Initio INI-9X00U/UW SCSI device driver; Revision: 1.04a"
-#define I950_DEVICE_ID  0x9500  /* Initio's inic-950 product ID   */
-#define I940_DEVICE_ID  0x9400  /* Initio's inic-940 product ID   */
-#define I935_DEVICE_ID  0x9401  /* Initio's inic-935 product ID   */
-#define I920_DEVICE_ID  0x0002  /* Initio's other product ID      */
 #ifdef DEBUG_i91u
 static unsigned int i91u_debug = DEBUG_DEFAULT;
 #endif
@@ -127,17 +122,6 @@ static int setup_debug = 0;
 static void i91uSCBPost(u8 * pHcb, u8 * pScb);
-/* PCI Devices supported by this driver */
-static struct pci_device_id i91u_pci_devices[] = {
-        { PCI_VENDOR_ID_INIT,  I950_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
-        { PCI_VENDOR_ID_INIT,  I940_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
-        { PCI_VENDOR_ID_INIT,  I935_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
-        { PCI_VENDOR_ID_INIT,  I920_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
-        { PCI_VENDOR_ID_DOMEX, I920_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
-        { }
-};
-MODULE_DEVICE_TABLE(pci, i91u_pci_devices);
 #define DEBUG_INTERRUPT 0
 #define DEBUG_QUEUE     0
 #define DEBUG_STATE     0
diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index 7a58128a0000..2f61d8cd5882 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -835,8 +835,10 @@ static void ipr_sata_eh_done(struct ipr_cmnd *ipr_cmd)
        qc->err_mask |= AC_ERR_OTHER;
        sata_port->ioasa.status |= ATA_BUSY;
-        list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
        ata_qc_complete(qc);
+        if (ipr_cmd->eh_comp)
+                complete(ipr_cmd->eh_comp);
+        list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
 }
 /**
@@ -5864,8 +5866,10 @@ static void ipr_erp_done(struct ipr_cmnd *ipr_cmd)
                res->in_erp = 0;
        }
        scsi_dma_unmap(ipr_cmd->scsi_cmd);
-        list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
        scsi_cmd->scsi_done(scsi_cmd);
+        if (ipr_cmd->eh_comp)
+                complete(ipr_cmd->eh_comp);
+        list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
 }
 /**
@@ -6255,8 +6259,10 @@ static void ipr_erp_start(struct ipr_ioa_cfg *ioa_cfg,
        }
        scsi_dma_unmap(ipr_cmd->scsi_cmd);
-        list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
        scsi_cmd->scsi_done(scsi_cmd);
+        if (ipr_cmd->eh_comp)
+                complete(ipr_cmd->eh_comp);
+        list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
 }
 /**
@@ -6282,8 +6288,10 @@ static void ipr_scsi_done(struct ipr_cmnd *ipr_cmd)
                scsi_dma_unmap(scsi_cmd);
                spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags);
-                list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
                scsi_cmd->scsi_done(scsi_cmd);
+                if (ipr_cmd->eh_comp)
+                        complete(ipr_cmd->eh_comp);
+                list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
                spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags);
        } else {
                spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index c1ccf1ee99ea..9f0b00c38658 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -1695,6 +1695,15 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc)
                 */
                switch (session->state) {
                case ISCSI_STATE_FAILED:
+                        /*
+                         * cmds should fail during shutdown, if the session
+                         * state is bad, allowing completion to happen
+                         */
+                        if (unlikely(system_state != SYSTEM_RUNNING)) {
+                                reason = FAILURE_SESSION_FAILED;
+                                sc->result = DID_NO_CONNECT << 16;
+                                break;
+                        }
                case ISCSI_STATE_IN_RECOVERY:
                        reason = FAILURE_SESSION_IN_RECOVERY;
                        sc->result = DID_IMM_RETRY << 16;
@@ -1727,7 +1736,7 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc)
        if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) {
                reason = FAILURE_SESSION_IN_RECOVERY;
-                sc->result = DID_REQUEUE;
+                sc->result = DID_REQUEUE << 16;
                goto fault;
        }
@@ -1980,6 +1989,19 @@ static enum blk_eh_timer_return iscsi_eh_cmd_timed_out(struct scsi_cmnd *sc)
        if (session->state != ISCSI_STATE_LOGGED_IN) {
                /*
+                 * During shutdown, if session is prematurely disconnected,
+                 * recovery won't happen and there will be hung cmds. Not
+                 * handling cmds would trigger EH, also bad in this case.
+                 * Instead, handle cmd, allow completion to happen and let
+                 * upper layer to deal with the result.
+                 */
+                if (unlikely(system_state != SYSTEM_RUNNING)) {
+                        sc->result = DID_NO_CONNECT << 16;
+                        ISCSI_DBG_EH(session, "sc on shutdown, handled\n");
+                        rc = BLK_EH_HANDLED;
+                        goto done;
+                }
+                /*
                 * We are probably in the middle of iscsi recovery so let
                 * that complete and handle the error.
                 */
@@ -2083,7 +2105,7 @@ done:
                task->last_timeout = jiffies;
        spin_unlock(&session->frwd_lock);
        ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ?
-                     "timer reset" : "nh");
+                     "timer reset" : "shutdown or nh");
        return rc;
 }
diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
index 022bb6e10d98..12886f96b286 100644
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -282,6 +282,7 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, void *rsp)
        phy->phy->minimum_linkrate = dr->pmin_linkrate;
        phy->phy->maximum_linkrate = dr->pmax_linkrate;
        phy->phy->negotiated_linkrate = phy->linkrate;
+        phy->phy->enabled = (phy->linkrate != SAS_PHY_DISABLED);
 skip:
        if (new_phy)
@@ -675,7 +676,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy)
        res = smp_execute_task(dev, req, RPEL_REQ_SIZE,
                                    resp, RPEL_RESP_SIZE);
-        if (!res)
+        if (res)
                goto out;
        phy->invalid_dword_count = scsi_to_u32(&resp[12]);
@@ -684,6 +685,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy)
        phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
 out:
+        kfree(req);
        kfree(resp);
        return res;
diff --git a/drivers/scsi/libsas/sas_scsi_host.c b/drivers/scsi/libsas/sas_scsi_host.c
index 519dac4e341e..9a8c2f97ed70 100644
--- a/drivers/scsi/libsas/sas_scsi_host.c
+++ b/drivers/scsi/libsas/sas_scsi_host.c
@@ -222,6 +222,7 @@ out_done:
 static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
 {
        struct sas_ha_struct *sas_ha = SHOST_TO_SAS_HA(cmd->device->host);
+        struct domain_device *dev = cmd_to_domain_dev(cmd);
        struct sas_task *task = TO_SAS_TASK(cmd);
        /* At this point, we only get called following an actual abort
@@ -230,6 +231,14 @@ static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
         */
        sas_end_task(cmd, task);
+        if (dev_is_sata(dev)) {
+                /* defer commands to libata so that libata EH can
+                 * handle ata qcs correctly
+                 */
+                list_move_tail(&cmd->eh_entry, &sas_ha->eh_ata_q);
+                return;
+        }
        /* now finish the command and move it on to the error
         * handler done list, this also takes it off the
         * error handler pending list.
@@ -237,22 +246,6 @@ static void sas_eh_finish_cmd(struct scsi_cmnd *cmd)
        scsi_eh_finish_cmd(cmd, &sas_ha->eh_done_q);
 }
-static void sas_eh_defer_cmd(struct scsi_cmnd *cmd)
-{
-        struct domain_device *dev = cmd_to_domain_dev(cmd);
-        struct sas_ha_struct *ha = dev->port->ha;
-        struct sas_task *task = TO_SAS_TASK(cmd);
-        if (!dev_is_sata(dev)) {
-                sas_eh_finish_cmd(cmd);
-                return;
-        }
-        /* report the timeout to libata */
-        sas_end_task(cmd, task);
-        list_move_tail(&cmd->eh_entry, &ha->eh_ata_q);
-}
 static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd *my_cmd)
 {
        struct scsi_cmnd *cmd, *n;
@@ -260,7 +253,7 @@ static void sas_scsi_clear_queue_lu(struct list_head *error_q, struct scsi_cmnd
        list_for_each_entry_safe(cmd, n, error_q, eh_entry) {
                if (cmd->device->sdev_target == my_cmd->device->sdev_target &&
                    cmd->device->lun == my_cmd->device->lun)
-                        sas_eh_defer_cmd(cmd);
+                        sas_eh_finish_cmd(cmd);
        }
 }
@@ -622,12 +615,12 @@ static void sas_eh_handle_sas_errors(struct Scsi_Host *shost, struct list_head *
                case TASK_IS_DONE:
                        SAS_DPRINTK("%s: task 0x%p is done\n", __func__,
                                    task);
-                        sas_eh_defer_cmd(cmd);
+                        sas_eh_finish_cmd(cmd);
                        continue;
                case TASK_IS_ABORTED:
                        SAS_DPRINTK("%s: task 0x%p is aborted\n",
                                    __func__, task);
-                        sas_eh_defer_cmd(cmd);
+                        sas_eh_finish_cmd(cmd);
                        continue;
                case TASK_IS_AT_LU:
                        SAS_DPRINTK("task 0x%p is at LU: lu recover\n", task);
@@ -638,7 +631,7 @@ static void sas_eh_handle_sas_errors(struct Scsi_Host *shost, struct list_head *
                                            "recovered\n",
                                            SAS_ADDR(task->dev),
                                            cmd->device->lun);
-                                sas_eh_defer_cmd(cmd);
+                                sas_eh_finish_cmd(cmd);
                                sas_scsi_clear_queue_lu(work_q, cmd);
                                goto Again;
                        }
diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
index 4639dac64e7f..f096766150bc 100644
--- a/drivers/scsi/lpfc/lpfc_attr.c
+++ b/drivers/scsi/lpfc/lpfc_attr.c
@@ -634,7 +634,12 @@ lpfc_issue_lip(struct Scsi_Host *shost)
        LPFC_MBOXQ_t *pmboxq;
        int mbxstatus = MBXERR_ERROR;
+        /*
+         * If the link is offline, disabled or BLOCK_MGMT_IO
+         * it doesn't make any sense to allow issue_lip
+         */
        if ((vport->fc_flag & FC_OFFLINE_MODE) ||
+            (phba->hba_flag & LINK_DISABLED) ||
            (phba->sli.sli_flag & LPFC_BLOCK_MGMT_IO))
                return -EPERM;
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index be901f6db6d3..4131addfb872 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -691,8 +691,9 @@ lpfc_work_done(struct lpfc_hba *phba)
            (phba->hba_flag & HBA_SP_QUEUE_EVT)) {
                if (pring->flag & LPFC_STOP_IOCB_EVENT) {
                        pring->flag |= LPFC_DEFERRED_RING_EVENT;
-                        /* Set the lpfc data pending flag */
+                        /* Preserve legacy behavior. */
-                        set_bit(LPFC_DATA_READY, &phba->data_flags);
+                        if (!(phba->hba_flag & HBA_SP_QUEUE_EVT))
+                                set_bit(LPFC_DATA_READY, &phba->data_flags);
                } else {
                        if (phba->link_state >= LPFC_LINK_UP) {
                                pring->flag &= ~LPFC_DEFERRED_RING_EVENT;
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 8379fbbc60db..3406586b9201 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -115,6 +115,8 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, union lpfc_wqe *wqe)
        /* set consumption flag every once in a while */
        if (!((q->host_index + 1) % q->entry_repost))
                bf_set(wqe_wqec, &wqe->generic.wqe_com, 1);
+        else
+                bf_set(wqe_wqec, &wqe->generic.wqe_com, 0);
        if (q->phba->sli3_options & LPFC_SLI4_PHWQ_ENABLED)
                bf_set(wqe_wqid, &wqe->generic.wqe_com, q->queue_id);
        lpfc_sli_pcimem_bcopy(wqe, temp_wqe, q->entry_size);
@@ -13493,6 +13495,9 @@ lpfc_wq_create(struct lpfc_hba *phba, struct lpfc_queue *wq,
        case LPFC_Q_CREATE_VERSION_1:
                bf_set(lpfc_mbx_wq_create_wqe_count, &wq_create->u.request_1,
                       wq->entry_count);
+                bf_set(lpfc_mbox_hdr_version, &shdr->request,
+                       LPFC_Q_CREATE_VERSION_1);
                switch (wq->entry_size) {
                default:
                case 64:
diff --git a/drivers/scsi/mac_esp.c b/drivers/scsi/mac_esp.c
index 14c0334f41e4..26c67c42985c 100644
--- a/drivers/scsi/mac_esp.c
+++ b/drivers/scsi/mac_esp.c
@@ -55,6 +55,7 @@ struct mac_esp_priv {
        int error;
 };
 static struct esp *esp_chips[2];
+static DEFINE_SPINLOCK(esp_chips_lock);
 #define MAC_ESP_GET_PRIV(esp) ((struct mac_esp_priv *) \
                               platform_get_drvdata((struct platform_device *) \
@@ -562,15 +563,18 @@ static int esp_mac_probe(struct platform_device *dev)
        }
        host->irq = IRQ_MAC_SCSI;
-        esp_chips[dev->id] = esp;
-        mb();
+        /* The request_irq() call is intended to succeed for the first device
-        if (esp_chips[!dev->id] == NULL) {
+         * and fail for the second device.
-                err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL);
+         */
-                if (err < 0) {
+        err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL);
-                        esp_chips[dev->id] = NULL;
+        spin_lock(&esp_chips_lock);
-                        goto fail_free_priv;
+        if (err < 0 && esp_chips[!dev->id] == NULL) {
-                }
+                spin_unlock(&esp_chips_lock);
+                goto fail_free_priv;
        }
+        esp_chips[dev->id] = esp;
+        spin_unlock(&esp_chips_lock);
        err = scsi_esp_register(esp, &dev->dev);
        if (err)
@@ -579,8 +583,13 @@ static int esp_mac_probe(struct platform_device *dev)
        return 0;
 fail_free_irq:
-        if (esp_chips[!dev->id] == NULL)
+        spin_lock(&esp_chips_lock);
+        esp_chips[dev->id] = NULL;
+        if (esp_chips[!dev->id] == NULL) {
+                spin_unlock(&esp_chips_lock);
                free_irq(host->irq, esp);
+        } else
+                spin_unlock(&esp_chips_lock);
 fail_free_priv:
        kfree(mep);
 fail_free_command_block:
@@ -599,9 +608,13 @@ static int esp_mac_remove(struct platform_device *dev)
        scsi_esp_unregister(esp);
+        spin_lock(&esp_chips_lock);
        esp_chips[dev->id] = NULL;
-        if (!(esp_chips[0] || esp_chips[1]))
+        if (esp_chips[!dev->id] == NULL) {
+                spin_unlock(&esp_chips_lock);
                free_irq(irq, NULL);
+        } else
+                spin_unlock(&esp_chips_lock);
        kfree(mep);
diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
index 9d05302a3bcd..19bffe0b2cc0 100644
--- a/drivers/scsi/megaraid.c
+++ b/drivers/scsi/megaraid.c
@@ -4197,6 +4197,9 @@ megaraid_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
        int irq, i, j;
        int error = -ENODEV;
+        if (hba_count >= MAX_CONTROLLERS)
+                goto out;
        if (pci_enable_device(pdev))
                goto out;
        pci_set_master(pdev);
diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
index 96007633ad39..213944ed64d9 100644
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -1886,6 +1886,9 @@ megasas_build_syspd_fusion(struct megasas_instance *instance,
                pRAID_Context->timeoutValue = cpu_to_le16(os_timeout_value);
                pRAID_Context->VirtualDiskTgtId = cpu_to_le16(device_id);
        } else {
+                if (os_timeout_value)
+                        os_timeout_value++;
                /* system pd Fast Path */
                io_request->Function = MPI2_FUNCTION_SCSI_IO_REQUEST;
                timeout_limit = (scmd->device->type == TYPE_DISK) ?
diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index e111c3d8c5d6..7d67a68bcc62 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -3886,19 +3886,6 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd)
                return 0;
        }
-        /*
-         * Bug work around for firmware SATL handling.  The loop
-         * is based on atomic operations and ensures consistency
-         * since we're lockless at this point
-         */
-        do {
-                if (test_bit(0, &sas_device_priv_data->ata_command_pending)) {
-                        scmd->result = SAM_STAT_BUSY;
-                        scmd->scsi_done(scmd);
-                        return 0;
-                }
-        } while (_scsih_set_satl_pending(scmd, true));
        sas_target_priv_data = sas_device_priv_data->sas_target;
        /* invalid device handle */
@@ -3924,6 +3911,19 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd)
            sas_device_priv_data->block)
                return SCSI_MLQUEUE_DEVICE_BUSY;
+        /*
+         * Bug work around for firmware SATL handling.  The loop
+         * is based on atomic operations and ensures consistency
+         * since we're lockless at this point
+         */
+        do {
+                if (test_bit(0, &sas_device_priv_data->ata_command_pending)) {
+                        scmd->result = SAM_STAT_BUSY;
+                        scmd->scsi_done(scmd);
+                        return 0;
+                }
+        } while (_scsih_set_satl_pending(scmd, true));
        if (scmd->sc_data_direction == DMA_FROM_DEVICE)
                mpi_control = MPI2_SCSIIO_CONTROL_READ;
        else if (scmd->sc_data_direction == DMA_TO_DEVICE)
@@ -3945,6 +3945,7 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd)
        if (!smid) {
                pr_err(MPT3SAS_FMT "%s: failed obtaining a smid\n",
                    ioc->name, __func__);
+                _scsih_set_satl_pending(scmd, false);
                goto out;
        }
        mpi_request = mpt3sas_base_get_msg_frame(ioc, smid);
@@ -3975,6 +3976,7 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd)
        if (mpi_request->DataLength) {
                if (ioc->build_sg_scmd(ioc, scmd, smid)) {
                        mpt3sas_base_free_smid(ioc, smid);
+                        _scsih_set_satl_pending(scmd, false);
                        goto out;
                }
        } else
@@ -8635,7 +8637,7 @@ _scsih_probe(struct pci_dev *pdev, const struct pci_device_id *id)
        snprintf(ioc->firmware_event_name, sizeof(ioc->firmware_event_name),
            "fw_event_%s%d", ioc->driver_name, ioc->id);
        ioc->firmware_event_thread = alloc_ordered_workqueue(
-            ioc->firmware_event_name, WQ_MEM_RECLAIM);
+            ioc->firmware_event_name, 0);
        if (!ioc->firmware_event_thread) {
                pr_err(MPT3SAS_FMT "failure at %s:%d/%s()!\n",
                    ioc->name, __FILE__, __LINE__, __func__);
diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c
index 02360de6b7e0..39285070f3b5 100644
--- a/drivers/scsi/mvumi.c
+++ b/drivers/scsi/mvumi.c
@@ -2629,7 +2629,7 @@ static void mvumi_shutdown(struct pci_dev *pdev)
        mvumi_flush_cache(mhba);
 }
-static int mvumi_suspend(struct pci_dev *pdev, pm_message_t state)
+static int __maybe_unused mvumi_suspend(struct pci_dev *pdev, pm_message_t state)
 {
        struct mvumi_hba *mhba = NULL;
@@ -2648,7 +2648,7 @@ static int mvumi_suspend(struct pci_dev *pdev, pm_message_t state)
        return 0;
 }
-static int mvumi_resume(struct pci_dev *pdev)
+static int __maybe_unused mvumi_resume(struct pci_dev *pdev)
 {
        int ret;
        struct mvumi_hba *mhba = NULL;
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index e197c6f39de2..41a646696bab 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -325,11 +325,10 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun,
        wait_for_completion(&tm_iocb->u.tmf.comp);
-        rval = tm_iocb->u.tmf.comp_status == CS_COMPLETE ?
+        rval = tm_iocb->u.tmf.data;
-            QLA_SUCCESS : QLA_FUNCTION_FAILED;
-        if ((rval != QLA_SUCCESS) || tm_iocb->u.tmf.data) {
+        if (rval != QLA_SUCCESS) {
-                ql_dbg(ql_dbg_taskm, vha, 0x8030,
+                ql_log(ql_log_warn, vha, 0x8030,
                    "TM IOCB failed (%x).\n", rval);
        }
@@ -365,6 +364,7 @@ qla24xx_abort_sp_done(void *data, void *ptr, int res)
        srb_t *sp = (srb_t *)ptr;
        struct srb_iocb *abt = &sp->u.iocb_cmd;
+        del_timer(&sp->u.iocb_cmd.timer);
        complete(&abt->u.abt.comp);
 }
@@ -3260,7 +3260,8 @@ qla2x00_iidma_fcport(scsi_qla_host_t *vha, fc_port_t *fcport)
                return;
        if (fcport->fp_speed == PORT_SPEED_UNKNOWN ||
-            fcport->fp_speed > ha->link_data_rate)
+            fcport->fp_speed > ha->link_data_rate ||
+            !ha->flags.gpsc_supported)
                return;
        rval = qla2x00_set_idma_speed(vha, fcport->loop_id, fcport->fp_speed,
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index 1f6a3b86965f..440d79e6aea5 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -268,7 +268,8 @@ qla2x00_mbx_completion(scsi_qla_host_t *vha, uint16_t mb0)
        struct device_reg_2xxx __iomem *reg = &ha->iobase->isp;
        /* Read all mbox registers? */
-        mboxes = (1 << ha->mbx_count) - 1;
+        WARN_ON_ONCE(ha->mbx_count > 32);
+        mboxes = (1ULL << ha->mbx_count) - 1;
        if (!ha->mcp)
                ql_dbg(ql_dbg_async, vha, 0x5001, "MBX pointer ERROR.\n");
        else
@@ -2495,7 +2496,8 @@ qla24xx_mbx_completion(scsi_qla_host_t *vha, uint16_t mb0)
        struct device_reg_24xx __iomem *reg = &ha->iobase->isp24;
        /* Read all mbox registers? */
-        mboxes = (1 << ha->mbx_count) - 1;
+        WARN_ON_ONCE(ha->mbx_count > 32);
+        mboxes = (1ULL << ha->mbx_count) - 1;
        if (!ha->mcp)
                ql_dbg(ql_dbg_async, vha, 0x504e, "MBX pointer ERROR.\n");
        else
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 5cbf20ab94aa..18b19744398a 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -4938,8 +4938,9 @@ qla2x00_do_dpc(void *data)
                        }
                }
-                if (test_and_clear_bit(ISP_ABORT_NEEDED,
+                if (test_and_clear_bit
-                                                &base_vha->dpc_flags)) {
+                    (ISP_ABORT_NEEDED, &base_vha->dpc_flags) &&
+                    !test_bit(UNLOADING, &base_vha->dpc_flags)) {
                        ql_dbg(ql_dbg_dpc, base_vha, 0x4007,
                            "ISP abort scheduled.\n");
diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
index e6faa0b050d1..824e27eec7a1 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -5502,7 +5502,7 @@ static fc_port_t *qlt_get_port_database(struct scsi_qla_host *vha,
        fc_port_t *fcport;
        int rc;
-        fcport = kzalloc(sizeof(*fcport), GFP_KERNEL);
+        fcport = qla2x00_alloc_fcport(vha, GFP_KERNEL);
        if (!fcport) {
                ql_dbg(ql_dbg_tgt_mgt, vha, 0xf06f,
                    "qla_target(%d): Allocation of tmp FC port failed",
diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h
index a7cfc270bd08..ce1d063f3e83 100644
--- a/drivers/scsi/qla4xxx/ql4_def.h
+++ b/drivers/scsi/qla4xxx/ql4_def.h
@@ -168,6 +168,8 @@
 #define DEV_DB_NON_PERSISTENT   0
 #define DEV_DB_PERSISTENT       1
+#define QL4_ISP_REG_DISCONNECT 0xffffffffU
 #define COPY_ISID(dst_isid, src_isid) {                 \
        int i, j;                                       \
        for (i = 0, j = ISID_SIZE - 1; i < ISID_SIZE;)  \
diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
index 01c3610a60cf..d8c03431d0aa 100644
--- a/drivers/scsi/qla4xxx/ql4_os.c
+++ b/drivers/scsi/qla4xxx/ql4_os.c
@@ -262,6 +262,24 @@ static struct iscsi_transport qla4xxx_iscsi_transport = {
 static struct scsi_transport_template *qla4xxx_scsi_transport;
+static int qla4xxx_isp_check_reg(struct scsi_qla_host *ha)
+{
+        u32 reg_val = 0;
+        int rval = QLA_SUCCESS;
+        if (is_qla8022(ha))
+                reg_val = readl(&ha->qla4_82xx_reg->host_status);
+        else if (is_qla8032(ha) || is_qla8042(ha))
+                reg_val = qla4_8xxx_rd_direct(ha, QLA8XXX_PEG_ALIVE_COUNTER);
+        else
+                reg_val = readw(&ha->reg->ctrl_status);
+        if (reg_val == QL4_ISP_REG_DISCONNECT)
+                rval = QLA_ERROR;
+        return rval;
+}
 static int qla4xxx_send_ping(struct Scsi_Host *shost, uint32_t iface_num,
                             uint32_t iface_type, uint32_t payload_size,
                             uint32_t pid, struct sockaddr *dst_addr)
@@ -9196,10 +9214,17 @@ static int qla4xxx_eh_abort(struct scsi_cmnd *cmd)
        struct srb *srb = NULL;
        int ret = SUCCESS;
        int wait = 0;
+        int rval;
        ql4_printk(KERN_INFO, ha, "scsi%ld:%d:%llu: Abort command issued cmd=%p, cdb=0x%x\n",
                   ha->host_no, id, lun, cmd, cmd->cmnd[0]);
+        rval = qla4xxx_isp_check_reg(ha);
+        if (rval != QLA_SUCCESS) {
+                ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
+                return FAILED;
+        }
        spin_lock_irqsave(&ha->hardware_lock, flags);
        srb = (struct srb *) CMD_SP(cmd);
        if (!srb) {
@@ -9251,6 +9276,7 @@ static int qla4xxx_eh_device_reset(struct scsi_cmnd *cmd)
        struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
        struct ddb_entry *ddb_entry = cmd->device->hostdata;
        int ret = FAILED, stat;
+        int rval;
        if (!ddb_entry)
                return ret;
@@ -9270,6 +9296,12 @@ static int qla4xxx_eh_device_reset(struct scsi_cmnd *cmd)
                      cmd, jiffies, cmd->request->timeout / HZ,
                      ha->dpc_flags, cmd->result, cmd->allowed));
+        rval = qla4xxx_isp_check_reg(ha);
+        if (rval != QLA_SUCCESS) {
+                ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
+                return FAILED;
+        }
        /* FIXME: wait for hba to go online */
        stat = qla4xxx_reset_lun(ha, ddb_entry, cmd->device->lun);
        if (stat != QLA_SUCCESS) {
@@ -9313,6 +9345,7 @@ static int qla4xxx_eh_target_reset(struct scsi_cmnd *cmd)
        struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
        struct ddb_entry *ddb_entry = cmd->device->hostdata;
        int stat, ret;
+        int rval;
        if (!ddb_entry)
                return FAILED;
@@ -9330,6 +9363,12 @@ static int qla4xxx_eh_target_reset(struct scsi_cmnd *cmd)
                      ha->host_no, cmd, jiffies, cmd->request->timeout / HZ,
                      ha->dpc_flags, cmd->result, cmd->allowed));
+        rval = qla4xxx_isp_check_reg(ha);
+        if (rval != QLA_SUCCESS) {
+                ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
+                return FAILED;
+        }
        stat = qla4xxx_reset_target(ha, ddb_entry);
        if (stat != QLA_SUCCESS) {
                starget_printk(KERN_INFO, scsi_target(cmd->device),
@@ -9384,9 +9423,16 @@ static int qla4xxx_eh_host_reset(struct scsi_cmnd *cmd)
 {
        int return_status = FAILED;
        struct scsi_qla_host *ha;
+        int rval;
        ha = to_qla_host(cmd->device->host);
+        rval = qla4xxx_isp_check_reg(ha);
+        if (rval != QLA_SUCCESS) {
+                ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
+                return FAILED;
+        }
        if ((is_qla8032(ha) || is_qla8042(ha)) && ql4xdontresethba)
                qla4_83xx_set_idc_dontreset(ha);
diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
index 60720e5b1ebc..6b61b09b3226 100644
--- a/drivers/scsi/scsi_devinfo.c
+++ b/drivers/scsi/scsi_devinfo.c
@@ -180,7 +180,7 @@ static struct {
        {"HITACHI", "6586-", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
        {"HITACHI", "6588-", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
        {"HP", "A6189A", NULL, BLIST_SPARSELUN | BLIST_LARGELUN},       /* HP VA7400 */
-        {"HP", "OPEN-", "*", BLIST_REPORTLUN2}, /* HP XP Arrays */
+        {"HP", "OPEN-", "*", BLIST_REPORTLUN2 | BLIST_TRY_VPD_PAGES}, /* HP XP Arrays */
        {"HP", "NetRAID-4M", NULL, BLIST_FORCELUN},
        {"HP", "HSV100", NULL, BLIST_REPORTLUN2 | BLIST_NOSTARTONADD},
        {"HP", "C1557A", NULL, BLIST_FORCELUN},
@@ -589,17 +589,12 @@ int scsi_get_device_flags_keyed(struct scsi_device *sdev,
                                int key)
 {
        struct scsi_dev_info_list *devinfo;
-        int err;
        devinfo = scsi_dev_info_list_find(vendor, model, key);
        if (!IS_ERR(devinfo))
                return devinfo->flags;
-        err = PTR_ERR(devinfo);
+        /* key or device not found: return nothing */
-        if (err != -ENOENT)
-                return err;
-        /* nothing found, return nothing */
        if (key != SCSI_DEVINFO_GLOBAL)
                return 0;
diff --git a/drivers/scsi/scsi_dh.c b/drivers/scsi/scsi_dh.c
index 4d655b568269..a8ebaeace154 100644
--- a/drivers/scsi/scsi_dh.c
+++ b/drivers/scsi/scsi_dh.c
@@ -56,10 +56,16 @@ static const struct scsi_dh_blist scsi_dh_blist[] = {
        {"IBM", "1815",                 "rdac", },
        {"IBM", "1818",                 "rdac", },
        {"IBM", "3526",                 "rdac", },
-        {"SGI", "TP9",                  "rdac", },
+        {"IBM", "3542",                 "rdac", },
+        {"IBM", "3552",                 "rdac", },
+        {"SGI", "TP9300",               "rdac", },
+        {"SGI", "TP9400",               "rdac", },
+        {"SGI", "TP9500",               "rdac", },
+        {"SGI", "TP9700",               "rdac", },
        {"SGI", "IS",                   "rdac", },
-        {"STK", "OPENstorage D280",     "rdac", },
+        {"STK", "OPENstorage",          "rdac", },
        {"STK", "FLEXLINE 380",         "rdac", },
+        {"STK", "BladeCtlr",            "rdac", },
        {"SUN", "CSM",                  "rdac", },
        {"SUN", "LCSM100",              "rdac", },
        {"SUN", "STK6580_6780",         "rdac", },
diff --git a/drivers/scsi/scsi_transport_srp.c b/drivers/scsi/scsi_transport_srp.c
index e3cd3ece4412..c3d1891d2d3f 100644
--- a/drivers/scsi/scsi_transport_srp.c
+++ b/drivers/scsi/scsi_transport_srp.c
@@ -52,6 +52,8 @@ struct srp_internal {
        struct transport_container rport_attr_cont;
 };
+static int scsi_is_srp_rport(const struct device *dev);
 #define to_srp_internal(tmpl) container_of(tmpl, struct srp_internal, t)
 #define dev_to_rport(d) container_of(d, struct srp_rport, dev)
@@ -61,9 +63,24 @@ static inline struct Scsi_Host *rport_to_shost(struct srp_rport *r)
        return dev_to_shost(r->dev.parent);
 }
+static int find_child_rport(struct device *dev, void *data)
+{
+        struct device **child = data;
+        if (scsi_is_srp_rport(dev)) {
+                WARN_ON_ONCE(*child);
+                *child = dev;
+        }
+        return 0;
+}
 static inline struct srp_rport *shost_to_rport(struct Scsi_Host *shost)
 {
-        return transport_class_to_srp_rport(&shost->shost_gendev);
+        struct device *child = NULL;
+        WARN_ON_ONCE(device_for_each_child(&shost->shost_gendev, &child,
+                                           find_child_rport) < 0);
+        return child ? dev_to_rport(child) : NULL;
 }
 /**
@@ -637,7 +654,8 @@ static enum blk_eh_timer_return srp_timed_out(struct scsi_cmnd *scmd)
        struct srp_rport *rport = shost_to_rport(shost);
        pr_debug("timeout for sdev %s\n", dev_name(&sdev->sdev_gendev));
-        return rport->fast_io_fail_tmo < 0 && rport->dev_loss_tmo < 0 &&
+        return rport && rport->fast_io_fail_tmo < 0 &&
+                rport->dev_loss_tmo < 0 &&
                i->f->reset_timer_if_blocked && scsi_device_blocked(sdev) ?
                BLK_EH_RESET_TIMER : BLK_EH_NOT_HANDLED;
 }
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index dd72205ba298..6fffb73766de 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1929,6 +1929,8 @@ sd_spinup_disk(struct scsi_disk *sdkp)
                                break;  /* standby */
                        if (sshdr.asc == 4 && sshdr.ascq == 0xc)
                                break;  /* unavailable */
+                        if (sshdr.asc == 4 && sshdr.ascq == 0x1b)
+                                break;  /* sanitize in progress */
                        /*
                         * Issue command to spin up drive when not ready
                         */
@@ -2393,6 +2395,7 @@ sd_read_write_protect_flag(struct scsi_disk *sdkp, unsigned char *buffer)
        int res;
        struct scsi_device *sdp = sdkp->device;
        struct scsi_mode_data data;
+        int disk_ro = get_disk_ro(sdkp->disk);
        int old_wp = sdkp->write_prot;
        set_disk_ro(sdkp->disk, 0);
@@ -2433,7 +2436,7 @@ sd_read_write_protect_flag(struct scsi_disk *sdkp, unsigned char *buffer)
                          "Test WP failed, assume Write Enabled\n");
        } else {
                sdkp->write_prot = ((data.device_specific & 0x80) != 0);
-                set_disk_ro(sdkp->disk, sdkp->write_prot);
+                set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro);
                if (sdkp->first_scan || old_wp != sdkp->write_prot) {
                        sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n",
                                  sdkp->write_prot ? "on" : "off");
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index 044d06410d4c..01168acc864d 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -546,7 +546,6 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
                                        ecomp = &edev->component[components++];
                                if (!IS_ERR(ecomp)) {
-                                        ses_get_power_status(edev, ecomp);
                                        if (addl_desc_ptr)
                                                ses_process_descriptor(
                                                        ecomp,
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 0f0ff75755e0..e1639e80db53 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -51,6 +51,7 @@ static int sg_version_num = 30536;	/* 2 digits for each component */
 #include <linux/atomic.h>
 #include <linux/ratelimit.h>
 #include <linux/uio.h>
+#include <linux/cred.h> /* for sg_check_file_access() */
 #include "scsi.h"
 #include <scsi/scsi_dbg.h>
@@ -221,6 +222,33 @@ static void sg_device_destroy(struct kref *kref);
        sdev_prefix_printk(prefix, (sdp)->device,               \
                           (sdp)->disk->disk_name, fmt, ##a)
+/*
+ * The SCSI interfaces that use read() and write() as an asynchronous variant of
+ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways
+ * to trigger read() and write() calls from various contexts with elevated
+ * privileges. This can lead to kernel memory corruption (e.g. if these
+ * interfaces are called through splice()) and privilege escalation inside
+ * userspace (e.g. if a process with access to such a device passes a file
+ * descriptor to a SUID binary as stdin/stdout/stderr).
+ *
+ * This function provides protection for the legacy API by restricting the
+ * calling context.
+ */
+static int sg_check_file_access(struct file *filp, const char *caller)
+{
+        if (filp->f_cred != current_real_cred()) {
+                pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n",
+                        caller, task_tgid_vnr(current), current->comm);
+                return -EPERM;
+        }
+        if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
+                pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n",
+                        caller, task_tgid_vnr(current), current->comm);
+                return -EACCES;
+        }
+        return 0;
+}
 static int sg_allow_access(struct file *filp, unsigned char *cmd)
 {
        struct sg_fd *sfp = filp->private_data;
@@ -405,6 +433,14 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
        struct sg_header *old_hdr = NULL;
        int retval = 0;
+        /*
+         * This could cause a response to be stranded. Close the associated
+         * file descriptor to free up any resources being held.
+         */
+        retval = sg_check_file_access(filp, __func__);
+        if (retval)
+                return retval;
        if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
                return -ENXIO;
        SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
@@ -535,6 +571,7 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
        } else
                count = (old_hdr->result == 0) ? 0 : -EIO;
        sg_finish_rem_req(srp);
+        sg_remove_request(sfp, srp);
        retval = count;
 free_old_hdr:
        kfree(old_hdr);
@@ -575,6 +612,7 @@ sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp)
        }
 err_out:
        err2 = sg_finish_rem_req(srp);
+        sg_remove_request(sfp, srp);
        return err ? : err2 ? : count;
 }
@@ -590,9 +628,11 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
        struct sg_header old_hdr;
        sg_io_hdr_t *hp;
        unsigned char cmnd[SG_MAX_CDB_SIZE];
+        int retval;
-        if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+        retval = sg_check_file_access(filp, __func__);
-                return -EINVAL;
+        if (retval)
+                return retval;
        if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
                return -ENXIO;
@@ -674,18 +714,14 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
         * is a non-zero input_size, so emit a warning.
         */
        if (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV) {
-                static char cmd[TASK_COMM_LEN];
+                printk_ratelimited(KERN_WARNING
-                if (strcmp(current->comm, cmd)) {
+                                   "sg_write: data in/out %d/%d bytes "
-                        printk_ratelimited(KERN_WARNING
+                                   "for SCSI command 0x%x-- guessing "
-                                           "sg_write: data in/out %d/%d bytes "
+                                   "data in;\n   program %s not setting "
-                                           "for SCSI command 0x%x-- guessing "
+                                   "count and/or reply_len properly\n",
-                                           "data in;\n   program %s not setting "
+                                   old_hdr.reply_len - (int)SZ_SG_HEADER,
-                                           "count and/or reply_len properly\n",
+                                   input_size, (unsigned int) cmnd[0],
-                                           old_hdr.reply_len - (int)SZ_SG_HEADER,
+                                   current->comm);
-                                           input_size, (unsigned int) cmnd[0],
-                                           current->comm);
-                        strcpy(cmd, current->comm);
-                }
        }
        k = sg_common_write(sfp, srp, cmnd, sfp->timeout, blocking);
        return (k < 0) ? k : count;
@@ -784,11 +820,15 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
                        "sg_common_write:  scsi opcode=0x%02x, cmd_size=%d\n",
                        (int) cmnd[0], (int) hp->cmd_len));
+        if (hp->dxfer_len >= SZ_256M)
+                return -EINVAL;
        k = sg_start_req(srp, cmnd);
        if (k) {
                SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp,
                        "sg_common_write: start_req err=%d\n", k));
                sg_finish_rem_req(srp);
+                sg_remove_request(sfp, srp);
                return k;       /* probably out of space --> ENOMEM */
        }
        if (atomic_read(&sdp->detaching)) {
@@ -801,6 +841,7 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
                }
                sg_finish_rem_req(srp);
+                sg_remove_request(sfp, srp);
                return -ENODEV;
        }
@@ -1290,6 +1331,7 @@ sg_rq_end_io_usercontext(struct work_struct *work)
        struct sg_fd *sfp = srp->parentfp;
        sg_finish_rem_req(srp);
+        sg_remove_request(sfp, srp);
        kref_put(&sfp->f_ref, sg_remove_sfp);
 }
@@ -1834,8 +1876,6 @@ sg_finish_rem_req(Sg_request *srp)
        else
                sg_remove_scat(sfp, req_schp);
-        sg_remove_request(sfp, srp);
        return ret;
 }
@@ -1901,7 +1941,7 @@ retry:
                num = (rem_sz > scatter_elem_sz_prev) ?
                        scatter_elem_sz_prev : rem_sz;
-                schp->pages[k] = alloc_pages(gfp_mask, order);
+                schp->pages[k] = alloc_pages(gfp_mask | __GFP_ZERO, order);
                if (!schp->pages[k])
                        goto out;
@@ -2072,11 +2112,12 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
                if ((1 == resp->done) && (!resp->sg_io_owned) &&
                    ((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
                        resp->done = 2; /* guard against other readers */
-                        break;
+                        write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+                        return resp;
                }
        }
        write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
-        return resp;
+        return NULL;
 }
 /* always adds to end of list */
@@ -2154,6 +2195,7 @@ sg_add_sfp(Sg_device * sdp)
        write_lock_irqsave(&sdp->sfd_lock, iflags);
        if (atomic_read(&sdp->detaching)) {
                write_unlock_irqrestore(&sdp->sfd_lock, iflags);
+                kfree(sfp);
                return ERR_PTR(-ENODEV);
        }
        list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
@@ -2182,12 +2224,17 @@ sg_remove_sfp_usercontext(struct work_struct *work)
        struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
        struct sg_device *sdp = sfp->parentdp;
        Sg_request *srp;
+        unsigned long iflags;
        /* Cleanup any responses which were never read(). */
+        write_lock_irqsave(&sfp->rq_list_lock, iflags);
        while (!list_empty(&sfp->rq_list)) {
                srp = list_first_entry(&sfp->rq_list, Sg_request, entry);
                sg_finish_rem_req(srp);
+                list_del(&srp->entry);
+                srp->parentfp = NULL;
        }
+        write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
        if (sfp->reserve.bufflen > 0) {
                SCSI_LOG_TIMEOUT(6, sg_printk(KERN_INFO, sdp,
diff --git a/drivers/scsi/sim710.c b/drivers/scsi/sim710.c
index 3b3b56f4a830..82ed99848378 100644
--- a/drivers/scsi/sim710.c
+++ b/drivers/scsi/sim710.c
@@ -176,8 +176,7 @@ static struct eisa_device_id sim710_eisa_ids[] = {
 };
 MODULE_DEVICE_TABLE(eisa, sim710_eisa_ids);
-static __init int
+static int sim710_eisa_probe(struct device *dev)
-sim710_eisa_probe(struct device *dev)
 {
        struct eisa_device *edev = to_eisa_device(dev);
        unsigned long io_addr = edev->base_addr;
diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index 804586aeaffe..5dc288fecace 100644
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -520,16 +520,26 @@ static int sr_init_command(struct scsi_cmnd *SCpnt)
 static int sr_block_open(struct block_device *bdev, fmode_t mode)
 {
        struct scsi_cd *cd;
+        struct scsi_device *sdev;
        int ret = -ENXIO;
-        mutex_lock(&sr_mutex);
        cd = scsi_cd_get(bdev->bd_disk);
-        if (cd) {
+        if (!cd)
-                ret = cdrom_open(&cd->cdi, bdev, mode);
+                goto out;
-                if (ret)
-                        scsi_cd_put(cd);
+        sdev = cd->device;
-        }
+        scsi_autopm_get_device(sdev);
+        check_disk_change(bdev);
+        mutex_lock(&sr_mutex);
+        ret = cdrom_open(&cd->cdi, bdev, mode);
        mutex_unlock(&sr_mutex);
+        scsi_autopm_put_device(sdev);
+        if (ret)
+                scsi_cd_put(cd);
+out:
        return ret;
 }
@@ -557,6 +567,8 @@ static int sr_block_ioctl(struct block_device *bdev, fmode_t mode, unsigned cmd,
        if (ret)
                goto out;
+        scsi_autopm_get_device(sdev);
        /*
         * Send SCSI addressing ioctls directly to mid level, send other
         * ioctls to cdrom/block level.
@@ -565,15 +577,18 @@ static int sr_block_ioctl(struct block_device *bdev, fmode_t mode, unsigned cmd,
        case SCSI_IOCTL_GET_IDLUN:
        case SCSI_IOCTL_GET_BUS_NUMBER:
                ret = scsi_ioctl(sdev, cmd, argp);
-                goto out;
+                goto put;
        }
        ret = cdrom_ioctl(&cd->cdi, bdev, mode, cmd, arg);
        if (ret != -ENOSYS)
-                goto out;
+                goto put;
        ret = scsi_ioctl(sdev, cmd, argp);
+put:
+        scsi_autopm_put_device(sdev);
 out:
        mutex_unlock(&sr_mutex);
        return ret;
@@ -582,18 +597,28 @@ out:
 static unsigned int sr_block_check_events(struct gendisk *disk,
                                          unsigned int clearing)
 {
-        struct scsi_cd *cd = scsi_cd(disk);
+        unsigned int ret = 0;
+        struct scsi_cd *cd;
-        if (atomic_read(&cd->device->disk_events_disable_depth))
+        cd = scsi_cd_get(disk);
+        if (!cd)
                return 0;
-        return cdrom_check_events(&cd->cdi, clearing);
+        if (!atomic_read(&cd->device->disk_events_disable_depth))
+                ret = cdrom_check_events(&cd->cdi, clearing);
+        scsi_cd_put(cd);
+        return ret;
 }
 static int sr_block_revalidate_disk(struct gendisk *disk)
 {
-        struct scsi_cd *cd = scsi_cd(disk);
        struct scsi_sense_hdr sshdr;
+        struct scsi_cd *cd;
+        cd = scsi_cd_get(disk);
+        if (!cd)
+                return -ENXIO;
        /* if the unit is not ready, nothing more to do */
        if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr))
@@ -602,6 +627,7 @@ static int sr_block_revalidate_disk(struct gendisk *disk)
        sr_cd_check(&cd->cdi);
        get_sectorsize(cd);
 out:
+        scsi_cd_put(cd);
        return 0;
 }
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 5e4e1ba96f10..44b7a69d022a 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -890,10 +890,11 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb,
                case TEST_UNIT_READY:
                        break;
                default:
-                        set_host_byte(scmnd, DID_TARGET_FAILURE);
+                        set_host_byte(scmnd, DID_ERROR);
                }
                break;
        case SRB_STATUS_INVALID_LUN:
+                set_host_byte(scmnd, DID_NO_CONNECT);
                do_work = true;
                process_err_fn = storvsc_remove_lun;
                break;
@@ -1537,7 +1538,7 @@ static struct scsi_host_template scsi_driver = {
        .eh_timed_out =         storvsc_eh_timed_out,
        .slave_alloc =          storvsc_device_alloc,
        .slave_configure =      storvsc_device_configure,
-        .cmd_per_lun =          255,
+        .cmd_per_lun =          2048,
        .this_id =              -1,
        .use_clustering =       ENABLE_CLUSTERING,
        /* Make sure we dont get a sg segment crosses a page boundary */
diff --git a/drivers/scsi/sym53c8xx_2/sym_hipd.c b/drivers/scsi/sym53c8xx_2/sym_hipd.c
index 6b349e301869..c6425e3df5a0 100644
--- a/drivers/scsi/sym53c8xx_2/sym_hipd.c
+++ b/drivers/scsi/sym53c8xx_2/sym_hipd.c
@@ -536,7 +536,7 @@ sym_getsync(struct sym_hcb *np, u_char dt, u_char sfac, u_char *divp, u_char *fa
         *  Look for the greatest clock divisor that allows an 
         *  input speed faster than the period.
         */
-        while (div-- > 0)
+        while (--div > 0)
                if (kpc >= (div_10M[div] << 2)) break;
        /*
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 0c2482ec7d21..8c58adadb728 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -2923,6 +2923,8 @@ static int ufshcd_slave_alloc(struct scsi_device *sdev)
        /* REPORT SUPPORTED OPERATION CODES is not supported */
        sdev->no_report_opcodes = 1;
+        /* WRITE_SAME command is not supported */
+        sdev->no_write_same = 1;
        ufshcd_set_queue_depth(sdev);
@@ -3445,6 +3447,7 @@ static void ufshcd_exception_event_handler(struct work_struct *work)
        hba = container_of(work, struct ufs_hba, eeh_work);
        pm_runtime_get_sync(hba->dev);
+        scsi_block_requests(hba->host);
        err = ufshcd_get_ee_status(hba, &status);
        if (err) {
                dev_err(hba->dev, "%s: failed to get exception status %d\n",
@@ -3460,6 +3463,7 @@ static void ufshcd_exception_event_handler(struct work_struct *work)
                                        __func__, err);
        }
 out:
+        scsi_unblock_requests(hba->host);
        pm_runtime_put_sync(hba->dev);
        return;
 }
@@ -4392,12 +4396,15 @@ static int ufshcd_config_vreg(struct device *dev,
                struct ufs_vreg *vreg, bool on)
 {
        int ret = 0;
-        struct regulator *reg = vreg->reg;
+        struct regulator *reg;
-        const char *name = vreg->name;
+        const char *name;
        int min_uV, uA_load;
        BUG_ON(!vreg);
+        reg = vreg->reg;
+        name = vreg->name;
        if (regulator_count_voltages(reg) > 0) {
                min_uV = on ? vreg->min_uV : 0;
                ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 03a2aadf0d3c..8ef905cbfc9c 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -28,6 +28,7 @@
 #include <scsi/scsi_device.h>
 #include <scsi/scsi_cmnd.h>
 #include <scsi/scsi_tcq.h>
+#include <scsi/scsi_devinfo.h>
 #include <linux/seqlock.h>
 #define VIRTIO_SCSI_MEMPOOL_SZ 64
@@ -704,6 +705,28 @@ static int virtscsi_device_reset(struct scsi_cmnd *sc)
        return virtscsi_tmf(vscsi, cmd);
 }
+static int virtscsi_device_alloc(struct scsi_device *sdevice)
+{
+        /*
+         * Passed through SCSI targets (e.g. with qemu's 'scsi-block')
+         * may have transfer limits which come from the host SCSI
+         * controller or something on the host side other than the
+         * target itself.
+         *
+         * To make this work properly, the hypervisor can adjust the
+         * target's VPD information to advertise these limits.  But
+         * for that to work, the guest has to look at the VPD pages,
+         * which we won't do by default if it is an SPC-2 device, even
+         * if it does actually support it.
+         *
+         * So, set the blist to always try to read the VPD pages.
+         */
+        sdevice->sdev_bflags = BLIST_TRY_VPD_PAGES;
+        return 0;
+}
 /**
 * virtscsi_change_queue_depth() - Change a virtscsi target's queue depth
 * @sdev:       Virtscsi target whose queue depth to change
@@ -775,6 +798,7 @@ static struct scsi_host_template virtscsi_host_template_single = {
        .change_queue_depth = virtscsi_change_queue_depth,
        .eh_abort_handler = virtscsi_abort,
        .eh_device_reset_handler = virtscsi_device_reset,
+        .slave_alloc = virtscsi_device_alloc,
        .can_queue = 1024,
        .dma_boundary = UINT_MAX,
@@ -795,6 +819,7 @@ static struct scsi_host_template virtscsi_host_template_multi = {
        .eh_abort_handler = virtscsi_abort,
        .eh_device_reset_handler = virtscsi_device_reset,
+        .slave_alloc = virtscsi_device_alloc,
        .can_queue = 1024,
        .dma_boundary = UINT_MAX,
        .use_clustering = ENABLE_CLUSTERING,
diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c
index 8feac599e9ab..44be6b593b30 100644
--- a/drivers/spi/spi-atmel.c
+++ b/drivers/spi/spi-atmel.c
@@ -1669,12 +1669,12 @@ static int atmel_spi_remove(struct platform_device *pdev)
        pm_runtime_get_sync(&pdev->dev);
        /* reset the hardware and block queue progress */
-        spin_lock_irq(&as->lock);
        if (as->use_dma) {
                atmel_spi_stop_dma(as);
                atmel_spi_release_dma(as);
        }
+        spin_lock_irq(&as->lock);
        spi_writel(as, CR, SPI_BIT(SWRST));
        spi_writel(as, CR, SPI_BIT(SWRST)); /* AT91SAM9263 Rev B workaround */
        spi_readl(as, SR);
diff --git a/drivers/spi/spi-davinci.c b/drivers/spi/spi-davinci.c
index 02fb96797ac8..0d8f43a17edb 100644
--- a/drivers/spi/spi-davinci.c
+++ b/drivers/spi/spi-davinci.c
@@ -646,7 +646,7 @@ static int davinci_spi_bufs(struct spi_device *spi, struct spi_transfer *t)
                        buf = t->rx_buf;
                t->rx_dma = dma_map_single(&spi->dev, buf,
                                t->len, DMA_FROM_DEVICE);
-                if (dma_mapping_error(&spi->dev, !t->rx_dma)) {
+                if (dma_mapping_error(&spi->dev, t->rx_dma)) {
                        ret = -EFAULT;
                        goto err_rx_map;
                }
diff --git a/drivers/spi/spi-dw-mmio.c b/drivers/spi/spi-dw-mmio.c
index a6d7029a85ac..581df3ebfc88 100644
--- a/drivers/spi/spi-dw-mmio.c
+++ b/drivers/spi/spi-dw-mmio.c
@@ -120,8 +120,8 @@ static int dw_spi_mmio_remove(struct platform_device *pdev)
 {
        struct dw_spi_mmio *dwsmmio = platform_get_drvdata(pdev);
-        clk_disable_unprepare(dwsmmio->clk);
        dw_spi_remove_host(&dwsmmio->dws);
+        clk_disable_unprepare(dwsmmio->clk);
        return 0;
 }
diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index 0e5723ab47f0..d17ec6775718 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1228,12 +1228,23 @@ static int spi_imx_remove(struct platform_device *pdev)
 {
        struct spi_master *master = platform_get_drvdata(pdev);
        struct spi_imx_data *spi_imx = spi_master_get_devdata(master);
+        int ret;
        spi_bitbang_stop(&spi_imx->bitbang);
+        ret = clk_enable(spi_imx->clk_per);
+        if (ret)
+                return ret;
+        ret = clk_enable(spi_imx->clk_ipg);
+        if (ret) {
+                clk_disable(spi_imx->clk_per);
+                return ret;
+        }
        writel(0, spi_imx->base + MXC_CSPICTRL);
-        clk_unprepare(spi_imx->clk_ipg);
+        clk_disable_unprepare(spi_imx->clk_ipg);
-        clk_unprepare(spi_imx->clk_per);
+        clk_disable_unprepare(spi_imx->clk_per);
        spi_imx_sdma_exit(spi_imx);
        spi_master_put(master);
diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
index 1a7a67495507..651381495f7a 100644
--- a/drivers/spi/spi-omap2-mcspi.c
+++ b/drivers/spi/spi-omap2-mcspi.c
@@ -454,6 +454,8 @@ omap2_mcspi_rx_dma(struct spi_device *spi, struct spi_transfer *xfer,
        int                     elements = 0;
        int                     word_len, element_count;
        struct omap2_mcspi_cs   *cs = spi->controller_state;
+        void __iomem            *chstat_reg = cs->base + OMAP2_MCSPI_CHSTAT0;
        mcspi = spi_master_get_devdata(spi->master);
        mcspi_dma = &mcspi->dma_channels[spi->chip_select];
        count = xfer->len;
@@ -549,8 +551,8 @@ omap2_mcspi_rx_dma(struct spi_device *spi, struct spi_transfer *xfer,
        if (l & OMAP2_MCSPI_CHCONF_TURBO) {
                elements--;
-                if (likely(mcspi_read_cs_reg(spi, OMAP2_MCSPI_CHSTAT0)
+                if (!mcspi_wait_for_reg_bit(chstat_reg,
-                                   & OMAP2_MCSPI_CHSTAT_RXS)) {
+                                            OMAP2_MCSPI_CHSTAT_RXS)) {
                        u32 w;
                        w = mcspi_read_cs_reg(spi, OMAP2_MCSPI_RX0);
@@ -568,8 +570,7 @@ omap2_mcspi_rx_dma(struct spi_device *spi, struct spi_transfer *xfer,
                        return count;
                }
        }
-        if (likely(mcspi_read_cs_reg(spi, OMAP2_MCSPI_CHSTAT0)
+        if (!mcspi_wait_for_reg_bit(chstat_reg, OMAP2_MCSPI_CHSTAT_RXS)) {
-                                & OMAP2_MCSPI_CHSTAT_RXS)) {
                u32 w;
                w = mcspi_read_cs_reg(spi, OMAP2_MCSPI_RX0);
diff --git a/drivers/spi/spi-pxa2xx.h b/drivers/spi/spi-pxa2xx.h
index 58efa98313aa..24c07fea9de2 100644
--- a/drivers/spi/spi-pxa2xx.h
+++ b/drivers/spi/spi-pxa2xx.h
@@ -38,7 +38,7 @@ struct driver_data {
        /* SSP register addresses */
        void __iomem *ioaddr;
-        u32 ssdr_physical;
+        phys_addr_t ssdr_physical;
        /* SSP masks*/
        u32 dma_cr1;
diff --git a/drivers/spi/spi-sun4i.c b/drivers/spi/spi-sun4i.c
index 39d7c7c70112..2eea3de5a668 100644
--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -458,7 +458,7 @@ err_free_master:
 static int sun4i_spi_remove(struct platform_device *pdev)
 {
-        pm_runtime_disable(&pdev->dev);
+        pm_runtime_force_suspend(&pdev->dev);
        return 0;
 }
diff --git a/drivers/spi/spi-sun6i.c b/drivers/spi/spi-sun6i.c
index e77add01b0e9..48888ab630c2 100644
--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -457,7 +457,7 @@ err_free_master:
 static int sun6i_spi_remove(struct platform_device *pdev)
 {
-        pm_runtime_disable(&pdev->dev);
+        pm_runtime_force_suspend(&pdev->dev);
        return 0;
 }
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index d39a202696c5..6638832e3bd8 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -707,8 +707,14 @@ static int spi_map_buf(struct spi_master *master, struct device *dev,
        for (i = 0; i < sgs; i++) {
                if (vmalloced_buf) {
-                        min = min_t(size_t,
+                        /*
-                                    len, desc_len - offset_in_page(buf));
+                         * Next scatterlist entry size is the minimum between
+                         * the desc_len and the remaining buffer length that
+                         * fits in a page.
+                         */
+                        min = min_t(size_t, desc_len,
+                                    min_t(size_t, len,
+                                          PAGE_SIZE - offset_in_page(buf)));
                        vm_page = vmalloc_to_page(buf);
                        if (!vm_page) {
                                sg_free_table(sgt);
diff --git a/drivers/ssb/main.c b/drivers/ssb/main.c
index 5d1e9a0fc389..e2ff6b5b2094 100644
--- a/drivers/ssb/main.c
+++ b/drivers/ssb/main.c
@@ -613,9 +613,10 @@ out:
        return err;
 }
-static int ssb_bus_register(struct ssb_bus *bus,
+static int __maybe_unused
-                            ssb_invariants_func_t get_invariants,
+ssb_bus_register(struct ssb_bus *bus,
-                            unsigned long baseaddr)
+                 ssb_invariants_func_t get_invariants,
+                 unsigned long baseaddr)
 {
        int err;
diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index b64327722660..013b33760639 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -330,24 +330,23 @@ static loff_t ashmem_llseek(struct file *file, loff_t offset, int origin)
        mutex_lock(&ashmem_mutex);
        if (asma->size == 0) {
-                ret = -EINVAL;
+                mutex_unlock(&ashmem_mutex);
-                goto out;
+                return -EINVAL;
        }
        if (!asma->file) {
-                ret = -EBADF;
+                mutex_unlock(&ashmem_mutex);
-                goto out;
+                return -EBADF;
        }
+        mutex_unlock(&ashmem_mutex);
        ret = vfs_llseek(asma->file, offset, origin);
        if (ret < 0)
-                goto out;
+                return ret;
        /** Copy f_pos from backing file, since f_ops->llseek() sets it */
        file->f_pos = asma->file->f_pos;
-out:
-        mutex_unlock(&ashmem_mutex);
        return ret;
 }
@@ -704,30 +703,30 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd,
        size_t pgstart, pgend;
        int ret = -EINVAL;
-        if (unlikely(!asma->file))
-                return -EINVAL;
        if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
                return -EFAULT;
+        mutex_lock(&ashmem_mutex);
+        if (unlikely(!asma->file))
+                goto out_unlock;
        /* per custom, you can pass zero for len to mean "everything onward" */
        if (!pin.len)
                pin.len = PAGE_ALIGN(asma->size) - pin.offset;
        if (unlikely((pin.offset | pin.len) & ~PAGE_MASK))
-                return -EINVAL;
+                goto out_unlock;
        if (unlikely(((__u32)-1) - pin.offset < pin.len))
-                return -EINVAL;
+                goto out_unlock;
        if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len))
-                return -EINVAL;
+                goto out_unlock;
        pgstart = pin.offset / PAGE_SIZE;
        pgend = pgstart + (pin.len / PAGE_SIZE) - 1;
-        mutex_lock(&ashmem_mutex);
        switch (cmd) {
        case ASHMEM_PIN:
                ret = ashmem_pin(asma, pgstart, pgend);
@@ -740,6 +739,7 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd,
                break;
        }
+out_unlock:
        mutex_unlock(&ashmem_mutex);
        return ret;
diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
index ca15a87f6fd3..13a9b4c42b26 100644
--- a/drivers/staging/android/ion/ion_heap.c
+++ b/drivers/staging/android/ion/ion_heap.c
@@ -38,7 +38,7 @@ void *ion_heap_map_kernel(struct ion_heap *heap,
        struct page **tmp = pages;
        if (!pages)
-                return NULL;
+                return ERR_PTR(-ENOMEM);
        if (buffer->flags & ION_FLAG_CACHED)
                pgprot = PAGE_KERNEL;
diff --git a/drivers/staging/android/ion/ion_system_heap.c b/drivers/staging/android/ion/ion_system_heap.c
index d4c3e5512dd5..b69dfc706440 100644
--- a/drivers/staging/android/ion/ion_system_heap.c
+++ b/drivers/staging/android/ion/ion_system_heap.c
@@ -27,7 +27,7 @@
 #include "ion_priv.h"
 static gfp_t high_order_gfp_flags = (GFP_HIGHUSER | __GFP_ZERO | __GFP_NOWARN |
-                                     __GFP_NORETRY) & ~__GFP_DIRECT_RECLAIM;
+                                     __GFP_NORETRY) & ~__GFP_RECLAIM;
 static gfp_t low_order_gfp_flags  = (GFP_HIGHUSER | __GFP_ZERO | __GFP_NOWARN);
 static const unsigned int orders[] = {8, 4, 0};
 static const int num_orders = ARRAY_SIZE(orders);
diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c
index b63dd2ef78b5..1f398d06f4ee 100644
--- a/drivers/staging/comedi/drivers.c
+++ b/drivers/staging/comedi/drivers.c
@@ -484,8 +484,7 @@ unsigned int comedi_nsamples_left(struct comedi_subdevice *s,
        struct comedi_cmd *cmd = &async->cmd;
        if (cmd->stop_src == TRIG_COUNT) {
-                unsigned int nscans = nsamples / cmd->scan_end_arg;
+                unsigned int scans_left = __comedi_nscans_left(s, cmd->stop_arg);
-                unsigned int scans_left = __comedi_nscans_left(s, nscans);
                unsigned int scan_pos =
                    comedi_bytes_to_samples(s, async->scan_progress);
                unsigned long long samples_left = 0;
diff --git a/drivers/staging/comedi/drivers/ni_mio_common.c b/drivers/staging/comedi/drivers/ni_mio_common.c
index c975f6e8be49..8f181caffca3 100644
--- a/drivers/staging/comedi/drivers/ni_mio_common.c
+++ b/drivers/staging/comedi/drivers/ni_mio_common.c
@@ -1348,6 +1348,8 @@ static void ack_a_interrupt(struct comedi_device *dev, unsigned short a_status)
                ack |= NISTC_INTA_ACK_AI_START;
        if (a_status & NISTC_AI_STATUS1_STOP)
                ack |= NISTC_INTA_ACK_AI_STOP;
+        if (a_status & NISTC_AI_STATUS1_OVER)
+                ack |= NISTC_INTA_ACK_AI_ERR;
        if (ack)
                ni_stc_writew(dev, ack, NISTC_INTA_ACK_REG);
 }
diff --git a/drivers/staging/comedi/drivers/quatech_daqp_cs.c b/drivers/staging/comedi/drivers/quatech_daqp_cs.c
index e9e43139157d..769a94015117 100644
--- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c
+++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c
@@ -642,7 +642,7 @@ static int daqp_ao_insn_write(struct comedi_device *dev,
        /* Make sure D/A update mode is direct update */
        outb(0, dev->iobase + DAQP_AUX_REG);
-        for (i = 0; i > insn->n; i++) {
+        for (i = 0; i < insn->n; i++) {
                unsigned val = data[i];
                int ret;
diff --git a/drivers/staging/iio/adc/ad7192.c b/drivers/staging/iio/adc/ad7192.c
index abc66908681d..6f032009f93f 100644
--- a/drivers/staging/iio/adc/ad7192.c
+++ b/drivers/staging/iio/adc/ad7192.c
@@ -124,6 +124,8 @@
 #define AD7192_GPOCON_P1DAT     BIT(1) /* P1 state */
 #define AD7192_GPOCON_P0DAT     BIT(0) /* P0 state */
+#define AD7192_EXT_FREQ_MHZ_MIN 2457600
+#define AD7192_EXT_FREQ_MHZ_MAX 5120000
 #define AD7192_INT_FREQ_MHZ     4915200
 /* NOTE:
@@ -199,6 +201,12 @@ static int ad7192_calibrate_all(struct ad7192_state *st)
                                ARRAY_SIZE(ad7192_calib_arr));
 }
+static inline bool ad7192_valid_external_frequency(u32 freq)
+{
+        return (freq >= AD7192_EXT_FREQ_MHZ_MIN &&
+                freq <= AD7192_EXT_FREQ_MHZ_MAX);
+}
 static int ad7192_setup(struct ad7192_state *st,
                        const struct ad7192_platform_data *pdata)
 {
@@ -224,17 +232,20 @@ static int ad7192_setup(struct ad7192_state *st,
                         id);
        switch (pdata->clock_source_sel) {
-        case AD7192_CLK_EXT_MCLK1_2:
-        case AD7192_CLK_EXT_MCLK2:
-                st->mclk = AD7192_INT_FREQ_MHZ;
-                break;
        case AD7192_CLK_INT:
        case AD7192_CLK_INT_CO:
-                if (pdata->ext_clk_hz)
+                st->mclk = AD7192_INT_FREQ_MHZ;
-                        st->mclk = pdata->ext_clk_hz;
-                else
-                        st->mclk = AD7192_INT_FREQ_MHZ;
                break;
+        case AD7192_CLK_EXT_MCLK1_2:
+        case AD7192_CLK_EXT_MCLK2:
+                if (ad7192_valid_external_frequency(pdata->ext_clk_hz)) {
+                        st->mclk = pdata->ext_clk_hz;
+                        break;
+                }
+                dev_err(&st->sd.spi->dev, "Invalid frequency setting %u\n",
+                        pdata->ext_clk_hz);
+                ret = -EINVAL;
+                goto out;
        default:
                ret = -EINVAL;
                goto out;
diff --git a/drivers/staging/lustre/lustre/ptlrpc/sec.c b/drivers/staging/lustre/lustre/ptlrpc/sec.c
index 39f5261c9854..5cf5b7334089 100644
--- a/drivers/staging/lustre/lustre/ptlrpc/sec.c
+++ b/drivers/staging/lustre/lustre/ptlrpc/sec.c
@@ -824,7 +824,7 @@ void sptlrpc_request_out_callback(struct ptlrpc_request *req)
        if (req->rq_pool || !req->rq_reqbuf)
                return;
-        kfree(req->rq_reqbuf);
+        kvfree(req->rq_reqbuf);
        req->rq_reqbuf = NULL;
        req->rq_reqbuf_len = 0;
 }
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index a076ede50b22..ec90f2781085 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -1399,19 +1399,13 @@ static int rtw_wx_get_essid(struct net_device *dev,
        if ((check_fwstate(pmlmepriv, _FW_LINKED)) ||
            (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) {
                len = pcur_bss->Ssid.SsidLength;
-                wrqu->essid.length = len;
                memcpy(extra, pcur_bss->Ssid.Ssid, len);
-                wrqu->essid.flags = 1;
        } else {
-                ret = -1;
+                len = 0;
-                goto exit;
+                *extra = 0;
        }
+        wrqu->essid.length = len;
-exit:
+        wrqu->essid.flags = 1;
        return ret;
 }
diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c
index e06864f64beb..0f6bc6b8e4c6 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -1749,6 +1749,8 @@ static short rtl8192_usb_initendpoints(struct net_device *dev)
                priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL);
                priv->oldaddr = kmalloc(16, GFP_KERNEL);
+                if (!priv->oldaddr)
+                        return -ENOMEM;
                oldaddr = priv->oldaddr;
                align = ((long)oldaddr) & 3;
                if (align) {
diff --git a/drivers/staging/speakup/kobjects.c b/drivers/staging/speakup/kobjects.c
index fdfeb42b2b8f..06ef26872462 100644
--- a/drivers/staging/speakup/kobjects.c
+++ b/drivers/staging/speakup/kobjects.c
@@ -831,7 +831,9 @@ static ssize_t message_show(struct kobject *kobj,
        struct msg_group_t *group = spk_find_msg_group(attr->attr.name);
        unsigned long flags;
-        BUG_ON(!group);
+        if (WARN_ON(!group))
+                return -EINVAL;
        spin_lock_irqsave(&speakup_info.spinlock, flags);
        retval = message_show_helper(buf, group->start, group->end);
        spin_unlock_irqrestore(&speakup_info.spinlock, flags);
@@ -843,7 +845,9 @@ static ssize_t message_store(struct kobject *kobj, struct kobj_attribute *attr,
 {
        struct msg_group_t *group = spk_find_msg_group(attr->attr.name);
-        BUG_ON(!group);
+        if (WARN_ON(!group))
+                return -EINVAL;
        return message_store_helper(buf, count, group);
 }
diff --git a/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c b/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c
index 824d460911ec..58ccafb97344 100644
--- a/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c
+++ b/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c
@@ -1039,7 +1039,6 @@ static int synaptics_rmi4_remove(struct i2c_client *client)
        return 0;
 }
-#ifdef CONFIG_PM
 /**
 * synaptics_rmi4_suspend() - suspend the touch screen controller
 * @dev: pointer to device structure
@@ -1047,7 +1046,7 @@ static int synaptics_rmi4_remove(struct i2c_client *client)
 * This function is used to suspend the
 * touch panel controller and returns integer
 */
-static int synaptics_rmi4_suspend(struct device *dev)
+static int __maybe_unused synaptics_rmi4_suspend(struct device *dev)
 {
        /* Touch sleep mode */
        int retval;
@@ -1081,7 +1080,7 @@ static int synaptics_rmi4_suspend(struct device *dev)
 * This function is used to resume the touch panel
 * controller and returns integer.
 */
-static int synaptics_rmi4_resume(struct device *dev)
+static int __maybe_unused synaptics_rmi4_resume(struct device *dev)
 {
        int retval;
        unsigned char intr_status;
@@ -1112,8 +1111,6 @@ static int synaptics_rmi4_resume(struct device *dev)
        return 0;
 }
-#endif
 static SIMPLE_DEV_PM_OPS(synaptics_rmi4_dev_pm_ops, synaptics_rmi4_suspend,
                         synaptics_rmi4_resume);
diff --git a/drivers/staging/unisys/visorhba/visorhba_main.c b/drivers/staging/unisys/visorhba/visorhba_main.c
index c119f20dfd44..3f2ccf9d7358 100644
--- a/drivers/staging/unisys/visorhba/visorhba_main.c
+++ b/drivers/staging/unisys/visorhba/visorhba_main.c
@@ -792,7 +792,7 @@ static void
 do_scsi_nolinuxstat(struct uiscmdrsp *cmdrsp, struct scsi_cmnd *scsicmd)
 {
        struct scsi_device *scsidev;
-        unsigned char buf[36];
+        unsigned char *buf;
        struct scatterlist *sg;
        unsigned int i;
        char *this_page;
@@ -807,6 +807,10 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cmdrsp, struct scsi_cmnd *scsicmd)
                if (cmdrsp->scsi.no_disk_result == 0)
                        return;
+                buf = kzalloc(sizeof(char) * 36, GFP_KERNEL);
+                if (!buf)
+                        return;
                /* Linux scsi code wants a device at Lun 0
                 * to issue report luns, but we don't want
                 * a disk there so we'll present a processor
@@ -820,6 +824,7 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cmdrsp, struct scsi_cmnd *scsicmd)
                if (scsi_sg_count(scsicmd) == 0) {
                        memcpy(scsi_sglist(scsicmd), buf,
                               cmdrsp->scsi.bufflen);
+                        kfree(buf);
                        return;
                }
@@ -831,6 +836,7 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cmdrsp, struct scsi_cmnd *scsicmd)
                        memcpy(this_page, buf + bufind, sg[i].length);
                        kunmap_atomic(this_page_orig);
                }
+                kfree(buf);
        } else {
                devdata = (struct visorhba_devdata *)scsidev->host->hostdata;
                for_each_vdisk_match(vdisk, devdata, scsidev) {
diff --git a/drivers/staging/unisys/visorinput/Kconfig b/drivers/staging/unisys/visorinput/Kconfig
index d83deb4137e8..6baba2795ce7 100644
--- a/drivers/staging/unisys/visorinput/Kconfig
+++ b/drivers/staging/unisys/visorinput/Kconfig
@@ -4,7 +4,7 @@
 config UNISYS_VISORINPUT
        tristate "Unisys visorinput driver"
-        depends on UNISYSSPAR && UNISYS_VISORBUS && FB
+        depends on UNISYSSPAR && UNISYS_VISORBUS && FB && INPUT
        ---help---
        If you say Y here, you will enable the Unisys visorinput driver.
diff --git a/drivers/staging/wilc1000/host_interface.c b/drivers/staging/wilc1000/host_interface.c
index dbbe72c7e255..f78353ddeea5 100644
--- a/drivers/staging/wilc1000/host_interface.c
+++ b/drivers/staging/wilc1000/host_interface.c
@@ -2179,6 +2179,8 @@ static s32 Handle_Get_InActiveTime(struct host_if_drv *hif_drv,
        wid.type = WID_STR;
        wid.size = ETH_ALEN;
        wid.val = kmalloc(wid.size, GFP_KERNEL);
+        if (!wid.val)
+                return -ENOMEM;
        stamac = wid.val;
        memcpy(stamac, strHostIfStaInactiveT->mac, ETH_ALEN);
diff --git a/drivers/staging/wilc1000/linux_mon.c b/drivers/staging/wilc1000/linux_mon.c
index 450af1b77f99..b2092c5ec7f3 100644
--- a/drivers/staging/wilc1000/linux_mon.c
+++ b/drivers/staging/wilc1000/linux_mon.c
@@ -251,6 +251,8 @@ static netdev_tx_t WILC_WFI_mon_xmit(struct sk_buff *skb,
        if (skb->data[0] == 0xc0 && (!(memcmp(broadcast, &skb->data[4], 6)))) {
                skb2 = dev_alloc_skb(skb->len + sizeof(struct wilc_wfi_radiotap_cb_hdr));
+                if (!skb2)
+                        return -ENOMEM;
                memcpy(skb_put(skb2, skb->len), skb->data, skb->len);
diff --git a/drivers/staging/wilc1000/wilc_wlan_if.h b/drivers/staging/wilc1000/wilc_wlan_if.h
index be972afe6e62..bfc3e96d8d25 100644
--- a/drivers/staging/wilc1000/wilc_wlan_if.h
+++ b/drivers/staging/wilc1000/wilc_wlan_if.h
@@ -12,6 +12,7 @@
 #include <linux/semaphore.h>
 #include "linux_wlan_common.h"
+#include <linux/netdevice.h>
 /********************************************
 *
diff --git a/drivers/staging/wlan-ng/prism2mgmt.c b/drivers/staging/wlan-ng/prism2mgmt.c
index 013a6240f193..c1ad0aea23b9 100644
--- a/drivers/staging/wlan-ng/prism2mgmt.c
+++ b/drivers/staging/wlan-ng/prism2mgmt.c
@@ -169,7 +169,7 @@ int prism2mgmt_scan(wlandevice_t *wlandev, void *msgp)
                                     hw->ident_sta_fw.variant) >
            HFA384x_FIRMWARE_VERSION(1, 5, 0)) {
                if (msg->scantype.data != P80211ENUM_scantype_active)
-                        word = cpu_to_le16(msg->maxchanneltime.data);
+                        word = msg->maxchanneltime.data;
                else
                        word = 0;
diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c
index 2e35db7f4aac..c15af2fcf2ba 100644
--- a/drivers/target/target_core_file.c
+++ b/drivers/target/target_core_file.c
@@ -276,12 +276,11 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd,
        else
                ret = vfs_iter_read(fd, &iter, &pos);
-        kfree(bvec);
        if (is_write) {
                if (ret < 0 || ret != data_length) {
                        pr_err("%s() write returned %d\n", __func__, ret);
-                        return (ret < 0 ? ret : -EINVAL);
+                        if (ret >= 0)
+                                ret = -EINVAL;
                }
        } else {
                /*
@@ -294,17 +293,29 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd,
                                pr_err("%s() returned %d, expecting %u for "
                                                "S_ISBLK\n", __func__, ret,
                                                data_length);
-                                return (ret < 0 ? ret : -EINVAL);
+                                if (ret >= 0)
+                                        ret = -EINVAL;
                        }
                } else {
                        if (ret < 0) {
                                pr_err("%s() returned %d for non S_ISBLK\n",
                                                __func__, ret);
-                                return ret;
+                        } else if (ret != data_length) {
+                                /*
+                                 * Short read case:
+                                 * Probably some one truncate file under us.
+                                 * We must explicitly zero sg-pages to prevent
+                                 * expose uninizialized pages to userspace.
+                                 */
+                                if (ret < data_length)
+                                        ret += iov_iter_zero(data_length - ret, &iter);
+                                else
+                                        ret = -EINVAL;
                        }
                }
        }
-        return 1;
+        kfree(bvec);
+        return ret;
 }
 static sense_reason_t
diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index a7d30e894cab..c43c942e1f87 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -900,7 +900,7 @@ static int tcmu_configure_device(struct se_device *dev)
        info->version = __stringify(TCMU_MAILBOX_VERSION);
        info->mem[0].name = "tcm-user command & data buffer";
-        info->mem[0].addr = (phys_addr_t) udev->mb_addr;
+        info->mem[0].addr = (phys_addr_t)(uintptr_t)udev->mb_addr;
        info->mem[0].size = TCMU_RING_SIZE;
        info->mem[0].memtype = UIO_MEM_VIRTUAL;
diff --git a/drivers/thermal/Kconfig b/drivers/thermal/Kconfig
index 8cc4ac64a91c..4b660b5beb98 100644
--- a/drivers/thermal/Kconfig
+++ b/drivers/thermal/Kconfig
@@ -299,7 +299,7 @@ config X86_PKG_TEMP_THERMAL
 config INTEL_SOC_DTS_IOSF_CORE
        tristate
-        depends on X86
+        depends on X86 && PCI
        select IOSF_MBI
        help
          This is becoming a common feature for Intel SoCs to expose the additional
@@ -309,7 +309,7 @@ config INTEL_SOC_DTS_IOSF_CORE
 config INTEL_SOC_DTS_THERMAL
        tristate "Intel SoCs DTS thermal driver"
-        depends on X86
+        depends on X86 && PCI
        select INTEL_SOC_DTS_IOSF_CORE
        select THERMAL_WRITABLE_TRIPS
        help
diff --git a/drivers/thermal/imx_thermal.c b/drivers/thermal/imx_thermal.c
index c5547bd711db..6a8300108148 100644
--- a/drivers/thermal/imx_thermal.c
+++ b/drivers/thermal/imx_thermal.c
@@ -589,6 +589,9 @@ static int imx_thermal_probe(struct platform_device *pdev)
        regmap_write(map, TEMPSENSE0 + REG_CLR, TEMPSENSE0_POWER_DOWN);
        regmap_write(map, TEMPSENSE0 + REG_SET, TEMPSENSE0_MEASURE_TEMP);
+        data->irq_enabled = true;
+        data->mode = THERMAL_DEVICE_ENABLED;
        ret = devm_request_threaded_irq(&pdev->dev, data->irq,
                        imx_thermal_alarm_irq, imx_thermal_alarm_irq_thread,
                        0, "imx_thermal", data);
@@ -600,9 +603,6 @@ static int imx_thermal_probe(struct platform_device *pdev)
                return ret;
        }
-        data->irq_enabled = true;
-        data->mode = THERMAL_DEVICE_ENABLED;
        return 0;
 }
diff --git a/drivers/thermal/power_allocator.c b/drivers/thermal/power_allocator.c
index 1246aa6fcab0..737635f0bec0 100644
--- a/drivers/thermal/power_allocator.c
+++ b/drivers/thermal/power_allocator.c
@@ -523,6 +523,7 @@ static void allow_maximum_power(struct thermal_zone_device *tz)
        struct thermal_instance *instance;
        struct power_allocator_params *params = tz->governor_data;
+        mutex_lock(&tz->lock);
        list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
                if ((instance->trip != params->trip_max_desired_temperature) ||
                    (!cdev_is_power_actor(instance->cdev)))
@@ -532,6 +533,7 @@ static void allow_maximum_power(struct thermal_zone_device *tz)
                instance->cdev->updated = false;
                thermal_cdev_update(instance->cdev);
        }
+        mutex_unlock(&tz->lock);
 }
 /**
diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c
index fa61eff88496..16d45a25284f 100644
--- a/drivers/thermal/samsung/exynos_tmu.c
+++ b/drivers/thermal/samsung/exynos_tmu.c
@@ -585,6 +585,7 @@ static int exynos5433_tmu_initialize(struct platform_device *pdev)
                threshold_code = temp_to_code(data, temp);
                rising_threshold = readl(data->base + rising_reg_offset);
+                rising_threshold &= ~(0xff << j * 8);
                rising_threshold |= (threshold_code << j * 8);
                writel(rising_threshold, data->base + rising_reg_offset);
diff --git a/drivers/thermal/spear_thermal.c b/drivers/thermal/spear_thermal.c
index 534dd9136662..81b35aace9de 100644
--- a/drivers/thermal/spear_thermal.c
+++ b/drivers/thermal/spear_thermal.c
@@ -54,8 +54,7 @@ static struct thermal_zone_device_ops ops = {
        .get_temp = thermal_get_temp,
 };
-#ifdef CONFIG_PM
+static int __maybe_unused spear_thermal_suspend(struct device *dev)
-static int spear_thermal_suspend(struct device *dev)
 {
        struct platform_device *pdev = to_platform_device(dev);
        struct thermal_zone_device *spear_thermal = platform_get_drvdata(pdev);
@@ -72,7 +71,7 @@ static int spear_thermal_suspend(struct device *dev)
        return 0;
 }
-static int spear_thermal_resume(struct device *dev)
+static int __maybe_unused spear_thermal_resume(struct device *dev)
 {
        struct platform_device *pdev = to_platform_device(dev);
        struct thermal_zone_device *spear_thermal = platform_get_drvdata(pdev);
@@ -94,7 +93,6 @@ static int spear_thermal_resume(struct device *dev)
        return 0;
 }
-#endif
 static SIMPLE_DEV_PM_OPS(spear_thermal_pm_ops, spear_thermal_suspend,
                spear_thermal_resume);
diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c
index 20a41f7de76f..6713fd1958e7 100644
--- a/drivers/thunderbolt/nhi.c
+++ b/drivers/thunderbolt/nhi.c
@@ -627,6 +627,7 @@ static const struct dev_pm_ops nhi_pm_ops = {
                                            * we just disable hotplug, the
                                            * pci-tunnels stay alive.
                                            */
+        .thaw_noirq = nhi_resume_noirq,
        .restore_noirq = nhi_resume_noirq,
 };
diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
index c01f45095877..82c4d2e45319 100644
--- a/drivers/tty/Kconfig
+++ b/drivers/tty/Kconfig
@@ -226,7 +226,7 @@ config CYCLADES
 config CYZ_INTR
        bool "Cyclades-Z interrupt mode operation"
-        depends on CYCLADES
+        depends on CYCLADES && PCI
        help
          The Cyclades-Z family of multiport cards allows 2 (two) driver op
          modes: polling and interrupt. In polling mode, the driver will check
diff --git a/drivers/tty/hvc/hvc_opal.c b/drivers/tty/hvc/hvc_opal.c
index 47b54c6aefd2..9f660e55d1ba 100644
--- a/drivers/tty/hvc/hvc_opal.c
+++ b/drivers/tty/hvc/hvc_opal.c
@@ -323,7 +323,6 @@ static void udbg_init_opal_common(void)
        udbg_putc = udbg_opal_putc;
        udbg_getc = udbg_opal_getc;
        udbg_getc_poll = udbg_opal_getc_poll;
-        tb_ticks_per_usec = 0x200; /* Make udelay not suck */
 }
 void __init hvc_opal_init_early(void)
diff --git a/drivers/tty/hvc/hvc_xen.c b/drivers/tty/hvc/hvc_xen.c
index fa816b7193b6..11725422dacb 100644
--- a/drivers/tty/hvc/hvc_xen.c
+++ b/drivers/tty/hvc/hvc_xen.c
@@ -323,6 +323,7 @@ void xen_console_resume(void)
        }
 }
+#ifdef CONFIG_HVC_XEN_FRONTEND
 static void xencons_disconnect_backend(struct xencons_info *info)
 {
        if (info->irq > 0)
@@ -363,7 +364,6 @@ static int xen_console_remove(struct xencons_info *info)
        return 0;
 }
-#ifdef CONFIG_HVC_XEN_FRONTEND
 static int xencons_remove(struct xenbus_device *dev)
 {
        return xen_console_remove(dev_get_drvdata(&dev->dev));
diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index 9aff37186246..6060c3e8925e 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -137,6 +137,9 @@ struct gsm_dlci {
        struct mutex mutex;
        /* Link layer */
+        int mode;
+#define DLCI_MODE_ABM           0       /* Normal Asynchronous Balanced Mode */
+#define DLCI_MODE_ADM           1       /* Asynchronous Disconnected Mode */
        spinlock_t lock;        /* Protects the internal state */
        struct timer_list t1;   /* Retransmit timer for SABM and UA */
        int retries;
@@ -1380,7 +1383,13 @@ retry:
        ctrl->data = data;
        ctrl->len = clen;
        gsm->pending_cmd = ctrl;
-        gsm->cretries = gsm->n2;
+        /* If DLCI0 is in ADM mode skip retries, it won't respond */
+        if (gsm->dlci[0]->mode == DLCI_MODE_ADM)
+                gsm->cretries = 1;
+        else
+                gsm->cretries = gsm->n2;
        mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
        gsm_control_transmit(gsm, ctrl);
        spin_unlock_irqrestore(&gsm->control_lock, flags);
@@ -1467,6 +1476,10 @@ static void gsm_dlci_open(struct gsm_dlci *dlci)
 *      in which case an opening port goes back to closed and a closing port
 *      is simply put into closed state (any further frames from the other
 *      end will get a DM response)
+ *
+ *      Some control dlci can stay in ADM mode with other dlci working just
+ *      fine. In that case we can just keep the control dlci open after the
+ *      DLCI_OPENING retries time out.
 */
 static void gsm_dlci_t1(unsigned long data)
@@ -1480,8 +1493,16 @@ static void gsm_dlci_t1(unsigned long data)
                if (dlci->retries) {
                        gsm_command(dlci->gsm, dlci->addr, SABM|PF);
                        mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
-                } else
+                } else if (!dlci->addr && gsm->control == (DM | PF)) {
+                        if (debug & 8)
+                                pr_info("DLCI %d opening in ADM mode.\n",
+                                        dlci->addr);
+                        dlci->mode = DLCI_MODE_ADM;
+                        gsm_dlci_open(dlci);
+                } else {
                        gsm_dlci_close(dlci);
+                }
                break;
        case DLCI_CLOSING:
                dlci->retries--;
@@ -1499,8 +1520,8 @@ static void gsm_dlci_t1(unsigned long data)
 *      @dlci: DLCI to open
 *
 *      Commence opening a DLCI from the Linux side. We issue SABM messages
- *      to the modem which should then reply with a UA, at which point we
+ *      to the modem which should then reply with a UA or ADM, at which point
- *      will move into open state. Opening is done asynchronously with retry
+ *      we will move into open state. Opening is done asynchronously with retry
 *      running off timers and the responses.
 */
@@ -2870,11 +2891,22 @@ static int gsmtty_modem_update(struct gsm_dlci *dlci, u8 brk)
 static int gsm_carrier_raised(struct tty_port *port)
 {
        struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
+        struct gsm_mux *gsm = dlci->gsm;
        /* Not yet open so no carrier info */
        if (dlci->state != DLCI_OPEN)
                return 0;
        if (debug & 2)
                return 1;
+        /*
+         * Basic mode with control channel in ADM mode may not respond
+         * to CMD_MSC at all and modem_rx is empty.
+         */
+        if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM &&
+            !dlci->modem_rx)
+                return 1;
        return dlci->modem_rx & TIOCM_CD;
 }
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 41dda25da049..b1ec202099b2 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -128,6 +128,8 @@ struct n_tty_data {
        struct mutex output_lock;
 };
+#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))
 static inline size_t read_cnt(struct n_tty_data *ldata)
 {
        return ldata->read_head - ldata->read_tail;
@@ -145,6 +147,7 @@ static inline unsigned char *read_buf_addr(struct n_tty_data *ldata, size_t i)
 static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i)
 {
+        smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */
        return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)];
 }
@@ -322,9 +325,7 @@ static inline void put_tty_queue(unsigned char c, struct n_tty_data *ldata)
 static void reset_buffer_flags(struct n_tty_data *ldata)
 {
        ldata->read_head = ldata->canon_head = ldata->read_tail = 0;
-        ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0;
        ldata->commit_head = 0;
-        ldata->echo_mark = 0;
        ldata->line_start = 0;
        ldata->erasing = 0;
@@ -645,13 +646,20 @@ static size_t __process_echoes(struct tty_struct *tty)
        old_space = space = tty_write_room(tty);
        tail = ldata->echo_tail;
-        while (ldata->echo_commit != tail) {
+        while (MASK(ldata->echo_commit) != MASK(tail)) {
                c = echo_buf(ldata, tail);
                if (c == ECHO_OP_START) {
                        unsigned char op;
                        int no_space_left = 0;
                        /*
+                         * Since add_echo_byte() is called without holding
+                         * output_lock, we might see only portion of multi-byte
+                         * operation.
+                         */
+                        if (MASK(ldata->echo_commit) == MASK(tail + 1))
+                                goto not_yet_stored;
+                        /*
                         * If the buffer byte is the start of a multi-byte
                         * operation, get the next byte, which is either the
                         * op code or a control character value.
@@ -662,6 +670,8 @@ static size_t __process_echoes(struct tty_struct *tty)
                                unsigned int num_chars, num_bs;
                        case ECHO_OP_ERASE_TAB:
+                                if (MASK(ldata->echo_commit) == MASK(tail + 2))
+                                        goto not_yet_stored;
                                num_chars = echo_buf(ldata, tail + 2);
                                /*
@@ -756,7 +766,8 @@ static size_t __process_echoes(struct tty_struct *tty)
        /* If the echo buffer is nearly full (so that the possibility exists
         * of echo overrun before the next commit), then discard enough
         * data at the tail to prevent a subsequent overrun */
-        while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
+        while (ldata->echo_commit > tail &&
+               ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
                if (echo_buf(ldata, tail) == ECHO_OP_START) {
                        if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB)
                                tail += 3;
@@ -766,6 +777,7 @@ static size_t __process_echoes(struct tty_struct *tty)
                        tail++;
        }
+ not_yet_stored:
        ldata->echo_tail = tail;
        return old_space - space;
 }
@@ -776,6 +788,7 @@ static void commit_echoes(struct tty_struct *tty)
        size_t nr, old, echoed;
        size_t head;
+        mutex_lock(&ldata->output_lock);
        head = ldata->echo_head;
        ldata->echo_mark = head;
        old = ldata->echo_commit - ldata->echo_tail;
@@ -784,10 +797,12 @@ static void commit_echoes(struct tty_struct *tty)
         * is over the threshold (and try again each time another
         * block is accumulated) */
        nr = head - ldata->echo_tail;
-        if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK))
+        if (nr < ECHO_COMMIT_WATERMARK ||
+            (nr % ECHO_BLOCK > old % ECHO_BLOCK)) {
+                mutex_unlock(&ldata->output_lock);
                return;
+        }
-        mutex_lock(&ldata->output_lock);
        ldata->echo_commit = head;
        echoed = __process_echoes(tty);
        mutex_unlock(&ldata->output_lock);
@@ -838,7 +853,9 @@ static void flush_echoes(struct tty_struct *tty)
 static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata)
 {
-        *echo_buf_addr(ldata, ldata->echo_head++) = c;
+        *echo_buf_addr(ldata, ldata->echo_head) = c;
+        smp_wmb(); /* Matches smp_rmb() in echo_buf(). */
+        ldata->echo_head++;
 }
 /**
@@ -1006,14 +1023,15 @@ static void eraser(unsigned char c, struct tty_struct *tty)
        }
        seen_alnums = 0;
-        while (ldata->read_head != ldata->canon_head) {
+        while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {
                head = ldata->read_head;
                /* erase a single possibly multibyte character */
                do {
                        head--;
                        c = read_buf(ldata, head);
-                } while (is_continuation(c, tty) && head != ldata->canon_head);
+                } while (is_continuation(c, tty) &&
+                         MASK(head) != MASK(ldata->canon_head));
                /* do not partially erase */
                if (is_continuation(c, tty))
@@ -1055,7 +1073,7 @@ static void eraser(unsigned char c, struct tty_struct *tty)
                                 * This info is used to go back the correct
                                 * number of columns.
                                 */
-                                while (tail != ldata->canon_head) {
+                                while (MASK(tail) != MASK(ldata->canon_head)) {
                                        tail--;
                                        c = read_buf(ldata, tail);
                                        if (c == '\t') {
@@ -1332,7 +1350,7 @@ n_tty_receive_char_special(struct tty_struct *tty, unsigned char c)
                        finish_erasing(ldata);
                        echo_char(c, tty);
                        echo_char_raw('\n', ldata);
-                        while (tail != ldata->read_head) {
+                        while (MASK(tail) != MASK(ldata->read_head)) {
                                echo_char(read_buf(ldata, tail), tty);
                                tail++;
                        }
@@ -1917,31 +1935,22 @@ static int n_tty_open(struct tty_struct *tty)
        struct n_tty_data *ldata;
        /* Currently a malloc failure here can panic */
-        ldata = vmalloc(sizeof(*ldata));
+        ldata = vzalloc(sizeof(*ldata));
        if (!ldata)
-                goto err;
+                return -ENOMEM;
        ldata->overrun_time = jiffies;
        mutex_init(&ldata->atomic_read_lock);
        mutex_init(&ldata->output_lock);
        tty->disc_data = ldata;
-        reset_buffer_flags(tty->disc_data);
-        ldata->column = 0;
-        ldata->canon_column = 0;
        ldata->minimum_to_wake = 1;
-        ldata->num_overrun = 0;
-        ldata->no_room = 0;
-        ldata->lnext = 0;
        tty->closing = 0;
        /* indicate buffer work may resume */
        clear_bit(TTY_LDISC_HALTED, &tty->flags);
        n_tty_set_termios(tty, NULL);
        tty_unthrottle(tty);
        return 0;
-err:
-        return -ENOMEM;
 }
 static inline int input_available_p(struct tty_struct *tty, int poll)
@@ -2238,6 +2247,12 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
                                }
                                if (tty_hung_up_p(file))
                                        break;
+                                /*
+                                 * Abort readers for ttys which never actually
+                                 * get hung up.  See __tty_hangup().
+                                 */
+                                if (test_bit(TTY_HUPPING, &tty->flags))
+                                        break;
                                if (!timeout)
                                        break;
                                if (file->f_flags & O_NONBLOCK) {
@@ -2473,7 +2488,7 @@ static unsigned long inq_canon(struct n_tty_data *ldata)
        tail = ldata->read_tail;
        nr = head - tail;
        /* Skip EOF-chars.. */
-        while (head != tail) {
+        while (MASK(head) != MASK(tail)) {
                if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&
                    read_buf(ldata, tail) == __DISABLED_CHAR)
                        nr--;
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index 96aa0ad32497..c8a2e5b0eff7 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -106,16 +106,19 @@ static void pty_unthrottle(struct tty_struct *tty)
 static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c)
 {
        struct tty_struct *to = tty->link;
+        unsigned long flags;
        if (tty->stopped)
                return 0;
        if (c > 0) {
+                spin_lock_irqsave(&to->port->lock, flags);
                /* Stuff the data into the input queue of the other end */
                c = tty_insert_flip_string(to->port, buf, c);
                /* And shovel */
                if (c)
                        tty_flip_buffer_push(to->port);
+                spin_unlock_irqrestore(&to->port->lock, flags);
        }
        return c;
 }
diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
index 7025f47fa284..746c76b358a0 100644
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -5300,6 +5300,17 @@ static struct pci_device_id serial_pci_tbl[] = {
                PCI_ANY_ID, PCI_ANY_ID, 0, 0,    /* 135a.0dc0 */
                pbn_b2_4_115200 },
        /*
+         * BrainBoxes UC-260
+         */
+        {       PCI_VENDOR_ID_INTASHIELD, 0x0D21,
+                PCI_ANY_ID, PCI_ANY_ID,
+                PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
+                pbn_b2_4_115200 },
+        {       PCI_VENDOR_ID_INTASHIELD, 0x0E34,
+                PCI_ANY_ID, PCI_ANY_ID,
+                 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
+                pbn_b2_4_115200 },
+        /*
         * Perle PCI-RAS cards
         */
        {       PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9030,
diff --git a/drivers/tty/serial/8250/Kconfig b/drivers/tty/serial/8250/Kconfig
index 4d94d59884e7..a19cfed2858a 100644
--- a/drivers/tty/serial/8250/Kconfig
+++ b/drivers/tty/serial/8250/Kconfig
@@ -372,7 +372,7 @@ config SERIAL_8250_MID
        tristate "Support for serial ports on Intel MID platforms"
        depends on SERIAL_8250 && PCI
        select HSU_DMA if SERIAL_8250_DMA
-        select HSU_DMA_PCI if X86_INTEL_MID
+        select HSU_DMA_PCI if (HSU_DMA && X86_INTEL_MID)
        select RATIONAL
        help
          Selecting this option will enable handling of the extra features
diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c
index 03ebe401fff7..040018d59608 100644
--- a/drivers/tty/serial/arc_uart.c
+++ b/drivers/tty/serial/arc_uart.c
@@ -597,6 +597,11 @@ static int arc_serial_probe(struct platform_device *pdev)
        if (dev_id < 0)
                dev_id = 0;
+        if (dev_id >= ARRAY_SIZE(arc_uart_ports)) {
+                dev_err(&pdev->dev, "serial%d out of range\n", dev_id);
+                return -EINVAL;
+        }
        uart = &arc_uart_ports[dev_id];
        port = &uart->port;
diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
index 53e4d5056db7..e0277cf0bf58 100644
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -1783,6 +1783,7 @@ static void atmel_get_ip_name(struct uart_port *port)
                switch (version) {
                case 0x302:
                case 0x10213:
+                case 0x10302:
                        dev_dbg(port->dev, "This version is usart\n");
                        atmel_port->is_usart = true;
                        break;
diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
index 3d790033744e..01e2274b23f2 100644
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1818,6 +1818,10 @@ static int lpuart_probe(struct platform_device *pdev)
                dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret);
                return ret;
        }
+        if (ret >= ARRAY_SIZE(lpuart_ports)) {
+                dev_err(&pdev->dev, "serial%d out of range\n", ret);
+                return -EINVAL;
+        }
        sport->port.line = ret;
        sport->lpuart32 = of_device_is_compatible(np, "fsl,ls1021a-lpuart");
diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
index 016e4be05cec..07ede982b472 100644
--- a/drivers/tty/serial/imx.c
+++ b/drivers/tty/serial/imx.c
@@ -1923,6 +1923,12 @@ static int serial_imx_probe(struct platform_device *pdev)
        else if (ret < 0)
                return ret;
+        if (sport->port.line >= ARRAY_SIZE(imx_ports)) {
+                dev_err(&pdev->dev, "serial%d out of range\n",
+                        sport->port.line);
+                return -EINVAL;
+        }
        res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
        base = devm_ioremap_resource(&pdev->dev, res);
        if (IS_ERR(base))
@@ -2057,12 +2063,14 @@ static void serial_imx_enable_wakeup(struct imx_port *sport, bool on)
                val &= ~UCR3_AWAKEN;
        writel(val, sport->port.membase + UCR3);
-        val = readl(sport->port.membase + UCR1);
+        if (sport->have_rtscts) {
-        if (on)
+                val = readl(sport->port.membase + UCR1);
-                val |= UCR1_RTSDEN;
+                if (on)
-        else
+                        val |= UCR1_RTSDEN;
-                val &= ~UCR1_RTSDEN;
+                else
-        writel(val, sport->port.membase + UCR1);
+                        val &= ~UCR1_RTSDEN;
+                writel(val, sport->port.membase + UCR1);
+        }
 }
 static int imx_serial_port_suspend_noirq(struct device *dev)
diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index cd0414bbe094..daa4a65ef6ff 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -1274,6 +1274,10 @@ static int mxs_auart_probe(struct platform_device *pdev)
                s->port.line = pdev->id < 0 ? 0 : pdev->id;
        else if (ret < 0)
                return ret;
+        if (s->port.line >= ARRAY_SIZE(auart_port)) {
+                dev_err(&pdev->dev, "serial%d out of range\n", s->port.line);
+                return -EINVAL;
+        }
        if (of_id) {
                pdev->id_entry = of_id->data;
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
index e6bc1a6be4a4..4d532a085db9 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -860,15 +860,12 @@ static int s3c24xx_serial_request_dma(struct s3c24xx_uart_port *p)
        dma->rx_conf.direction          = DMA_DEV_TO_MEM;
        dma->rx_conf.src_addr_width     = DMA_SLAVE_BUSWIDTH_1_BYTE;
        dma->rx_conf.src_addr           = p->port.mapbase + S3C2410_URXH;
-        dma->rx_conf.src_maxburst       = 16;
+        dma->rx_conf.src_maxburst       = 1;
        dma->tx_conf.direction          = DMA_MEM_TO_DEV;
        dma->tx_conf.dst_addr_width     = DMA_SLAVE_BUSWIDTH_1_BYTE;
        dma->tx_conf.dst_addr           = p->port.mapbase + S3C2410_UTXH;
-        if (dma_get_cache_alignment() >= 16)
+        dma->tx_conf.dst_maxburst       = 1;
-                dma->tx_conf.dst_maxburst = 16;
-        else
-                dma->tx_conf.dst_maxburst = 1;
        dma_cap_zero(mask);
        dma_cap_set(DMA_SLAVE, mask);
@@ -1807,6 +1804,10 @@ static int s3c24xx_serial_probe(struct platform_device *pdev)
        dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index);
+        if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) {
+                dev_err(&pdev->dev, "serial%d out of range\n", index);
+                return -EINVAL;
+        }
        ourport = &s3c24xx_serial_ports[index];
        ourport->drv_data = s3c24xx_get_driver_data(pdev);
diff --git a/drivers/tty/serial/sccnxp.c b/drivers/tty/serial/sccnxp.c
index fcf803ffad19..cdd2f942317c 100644
--- a/drivers/tty/serial/sccnxp.c
+++ b/drivers/tty/serial/sccnxp.c
@@ -884,14 +884,19 @@ static int sccnxp_probe(struct platform_device *pdev)
        clk = devm_clk_get(&pdev->dev, NULL);
        if (IS_ERR(clk)) {
-                if (PTR_ERR(clk) == -EPROBE_DEFER) {
+                ret = PTR_ERR(clk);
-                        ret = -EPROBE_DEFER;
+                if (ret == -EPROBE_DEFER)
                        goto err_out;
-                }
+                uartclk = 0;
+        } else {
+                clk_prepare_enable(clk);
+                uartclk = clk_get_rate(clk);
+        }
+        if (!uartclk) {
                dev_notice(&pdev->dev, "Using default clock frequency\n");
                uartclk = s->chip->freq_std;
-        } else
+        }
-                uartclk = clk_get_rate(clk);
        /* Check input frequency */
        if ((uartclk < s->chip->freq_min) || (uartclk > s->chip->freq_max)) {
diff --git a/drivers/tty/serial/serial_mctrl_gpio.c b/drivers/tty/serial/serial_mctrl_gpio.c
index 3eb57eb532f1..02147361eaa9 100644
--- a/drivers/tty/serial/serial_mctrl_gpio.c
+++ b/drivers/tty/serial/serial_mctrl_gpio.c
@@ -20,6 +20,7 @@
 #include <linux/gpio/consumer.h>
 #include <linux/termios.h>
 #include <linux/serial_core.h>
+#include <linux/module.h>
 #include "serial_mctrl_gpio.h"
@@ -193,6 +194,7 @@ struct mctrl_gpios *mctrl_gpio_init(struct uart_port *port, unsigned int idx)
        return gpios;
 }
+EXPORT_SYMBOL_GPL(mctrl_gpio_init);
 void mctrl_gpio_free(struct device *dev, struct mctrl_gpios *gpios)
 {
@@ -247,3 +249,6 @@ void mctrl_gpio_disable_ms(struct mctrl_gpios *gpios)
                disable_irq(gpios->irq[i]);
        }
 }
+EXPORT_SYMBOL_GPL(mctrl_gpio_disable_ms);
+MODULE_LICENSE("GPL");
diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 80d0ffe7abc1..b63920481b1d 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -847,6 +847,8 @@ static void sci_receive_chars(struct uart_port *port)
                /* Tell the rest of the system the news. New characters! */
                tty_flip_buffer_push(tport);
        } else {
+                /* TTY buffers full; read from RX reg to prevent lockup */
+                serial_port_in(port, SCxRDR);
                serial_port_in(port, SCxSR); /* dummy read */
                sci_clear_SCxSR(port, SCxSR_RDxF_CLEAR(port));
        }
@@ -1455,7 +1457,16 @@ static void sci_free_dma(struct uart_port *port)
        if (s->chan_rx)
                sci_rx_dma_release(s, false);
 }
-#else
+static void sci_flush_buffer(struct uart_port *port)
+{
+        /*
+         * In uart_flush_buffer(), the xmit circular buffer has just been
+         * cleared, so we have to reset tx_dma_len accordingly.
+         */
+        to_sci_port(port)->tx_dma_len = 0;
+}
+#else /* !CONFIG_SERIAL_SH_SCI_DMA */
 static inline void sci_request_dma(struct uart_port *port)
 {
 }
@@ -1463,7 +1474,9 @@ static inline void sci_request_dma(struct uart_port *port)
 static inline void sci_free_dma(struct uart_port *port)
 {
 }
-#endif
+#define sci_flush_buffer        NULL
+#endif /* !CONFIG_SERIAL_SH_SCI_DMA */
 static irqreturn_t sci_rx_interrupt(int irq, void *ptr)
 {
@@ -2203,6 +2216,7 @@ static struct uart_ops sci_uart_ops = {
        .break_ctl      = sci_break_ctl,
        .startup        = sci_startup,
        .shutdown       = sci_shutdown,
+        .flush_buffer   = sci_flush_buffer,
        .set_termios    = sci_set_termios,
        .pm             = sci_pm,
        .type           = sci_type,
@@ -2405,13 +2419,12 @@ static void serial_console_write(struct console *co, const char *s,
        unsigned long flags;
        int locked = 1;
-        local_irq_save(flags);
        if (port->sysrq)
                locked = 0;
        else if (oops_in_progress)
-                locked = spin_trylock(&port->lock);
+                locked = spin_trylock_irqsave(&port->lock, flags);
        else
-                spin_lock(&port->lock);
+                spin_lock_irqsave(&port->lock, flags);
        /* first save the SCSCR then disable the interrupts */
        ctrl = serial_port_in(port, SCSCR);
@@ -2428,8 +2441,7 @@ static void serial_console_write(struct console *co, const char *s,
        serial_port_out(port, SCSCR, ctrl);
        if (locked)
-                spin_unlock(&port->lock);
+                spin_unlock_irqrestore(&port->lock, flags);
-        local_irq_restore(flags);
 }
 static int serial_console_setup(struct console *co, char *options)
diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
index 009e0dbc12d2..4f2f4aca8d2e 100644
--- a/drivers/tty/serial/xilinx_uartps.c
+++ b/drivers/tty/serial/xilinx_uartps.c
@@ -1026,7 +1026,7 @@ static struct uart_port *cdns_uart_get_port(int id)
        struct uart_port *port;
        /* Try the given port id if failed use default method */
-        if (cdns_uart_port[id].mapbase != 0) {
+        if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) {
                /* Find the next unused port */
                for (id = 0; id < CDNS_UART_NR_PORTS; id++)
                        if (cdns_uart_port[id].mapbase == 0)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 1bb629ab8ecc..198451fa9e5d 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -702,6 +702,14 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session)
                return;
        }
+        /*
+         * Some console devices aren't actually hung up for technical and
+         * historical reasons, which can lead to indefinite interruptible
+         * sleep in n_tty_read().  The following explicitly tells
+         * n_tty_read() to abort readers.
+         */
+        set_bit(TTY_HUPPING, &tty->flags);
        /* inuse_filps is protected by the single tty lock,
           this really needs to change if we want to flush the
           workqueue with the lock held */
@@ -757,6 +765,7 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session)
         * can't yet guarantee all that.
         */
        set_bit(TTY_HUPPED, &tty->flags);
+        clear_bit(TTY_HUPPING, &tty->flags);
        tty_unlock(tty);
        if (f)
@@ -1694,6 +1703,8 @@ static void release_tty(struct tty_struct *tty, int idx)
        if (tty->link)
                tty->link->port->itty = NULL;
        tty_buffer_cancel_work(tty->port);
+        if (tty->link)
+                tty_buffer_cancel_work(tty->link->port);
        tty_kref_put(tty->link);
        tty_kref_put(tty);
@@ -3143,7 +3154,10 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
        kref_init(&tty->kref);
        tty->magic = TTY_MAGIC;
-        tty_ldisc_init(tty);
+        if (tty_ldisc_init(tty)) {
+                kfree(tty);
+                return NULL;
+        }
        tty->session = NULL;
        tty->pgrp = NULL;
        mutex_init(&tty->legacy_mutex);
diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
index 9bee25cfa0be..d9e013dc2c08 100644
--- a/drivers/tty/tty_ldisc.c
+++ b/drivers/tty/tty_ldisc.c
@@ -168,12 +168,11 @@ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc)
                        return ERR_CAST(ldops);
        }
-        ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL);
+        /*
-        if (ld == NULL) {
+         * There is no way to handle allocation failure of only 16 bytes.
-                put_ldops(ldops);
+         * Let's simplify error handling and save more memory.
-                return ERR_PTR(-ENOMEM);
+         */
-        }
+        ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL | __GFP_NOFAIL);
        ld->ops = ldops;
        ld->tty = tty;
@@ -804,12 +803,13 @@ void tty_ldisc_release(struct tty_struct *tty)
 *      the tty structure is not completely set up when this call is made.
 */
-void tty_ldisc_init(struct tty_struct *tty)
+int tty_ldisc_init(struct tty_struct *tty)
 {
        struct tty_ldisc *ld = tty_ldisc_get(tty, N_TTY);
        if (IS_ERR(ld))
-                panic("n_tty: init_tty");
+                return PTR_ERR(ld);
        tty->ldisc = ld;
+        return 0;
 }
 /**
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index e4f69bddcfb1..ff3286fc22d8 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1312,6 +1312,11 @@ static void csi_m(struct vc_data *vc)
                        case 3:
                                vc->vc_italic = 1;
                                break;
+                        case 21:
+                                /*
+                                 * No console drivers support double underline, so
+                                 * convert it to a single underline.
+                                 */
                        case 4:
                                vc->vc_underline = 1;
                                break;
@@ -1348,7 +1353,6 @@ static void csi_m(struct vc_data *vc)
                                vc->vc_disp_ctrl = 1;
                                vc->vc_toggle_meta = 1;
                                break;
-                        case 21:
                        case 22:
                                vc->vc_intensity = 1;
                                break;
@@ -1725,7 +1729,7 @@ static void reset_terminal(struct vc_data *vc, int do_clear)
        default_attr(vc);
        update_attr(vc);
-        vc->vc_tab_stop[0]      = 0x01010100;
+        vc->vc_tab_stop[0]      =
        vc->vc_tab_stop[1]      =
        vc->vc_tab_stop[2]      =
        vc->vc_tab_stop[3]      =
@@ -1769,7 +1773,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c)
                vc->vc_pos -= (vc->vc_x << 1);
                while (vc->vc_x < vc->vc_cols - 1) {
                        vc->vc_x++;
-                        if (vc->vc_tab_stop[vc->vc_x >> 5] & (1 << (vc->vc_x & 31)))
+                        if (vc->vc_tab_stop[7 & (vc->vc_x >> 5)] & (1 << (vc->vc_x & 31)))
                                break;
                }
                vc->vc_pos += (vc->vc_x << 1);
@@ -1829,7 +1833,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c)
                        lf(vc);
                        return;
                case 'H':
-                        vc->vc_tab_stop[vc->vc_x >> 5] |= (1 << (vc->vc_x & 31));
+                        vc->vc_tab_stop[7 & (vc->vc_x >> 5)] |= (1 << (vc->vc_x & 31));
                        return;
                case 'Z':
                        respond_ID(tty);
@@ -2022,7 +2026,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c)
                        return;
                case 'g':
                        if (!vc->vc_par[0])
-                                vc->vc_tab_stop[vc->vc_x >> 5] &= ~(1 << (vc->vc_x & 31));
+                                vc->vc_tab_stop[7 & (vc->vc_x >> 5)] &= ~(1 << (vc->vc_x & 31));
                        else if (vc->vc_par[0] == 3) {
                                vc->vc_tab_stop[0] =
                                        vc->vc_tab_stop[1] =
diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
index 939c6ad71068..57ee43512992 100644
--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -851,7 +851,7 @@ static inline void ci_role_destroy(struct ci_hdrc *ci)
 {
        ci_hdrc_gadget_destroy(ci);
        ci_hdrc_host_destroy(ci);
-        if (ci->is_otg)
+        if (ci->is_otg && ci->roles[CI_ROLE_GADGET])
                ci_hdrc_otg_destroy(ci);
 }
@@ -951,27 +951,35 @@ static int ci_hdrc_probe(struct platform_device *pdev)
        /* initialize role(s) before the interrupt is requested */
        if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_HOST) {
                ret = ci_hdrc_host_init(ci);
-                if (ret)
+                if (ret) {
-                        dev_info(dev, "doesn't support host\n");
+                        if (ret == -ENXIO)
+                                dev_info(dev, "doesn't support host\n");
+                        else
+                                goto deinit_phy;
+                }
        }
        if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_PERIPHERAL) {
                ret = ci_hdrc_gadget_init(ci);
-                if (ret)
+                if (ret) {
-                        dev_info(dev, "doesn't support gadget\n");
+                        if (ret == -ENXIO)
+                                dev_info(dev, "doesn't support gadget\n");
+                        else
+                                goto deinit_host;
+                }
        }
        if (!ci->roles[CI_ROLE_HOST] && !ci->roles[CI_ROLE_GADGET]) {
                dev_err(dev, "no supported roles\n");
                ret = -ENODEV;
-                goto deinit_phy;
+                goto deinit_gadget;
        }
        if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) {
                ret = ci_hdrc_otg_init(ci);
                if (ret) {
                        dev_err(dev, "init otg fails, ret = %d\n", ret);
-                        goto stop;
+                        goto deinit_gadget;
                }
        }
@@ -1036,7 +1044,12 @@ static int ci_hdrc_probe(struct platform_device *pdev)
        ci_extcon_unregister(ci);
 stop:
-        ci_role_destroy(ci);
+        if (ci->is_otg && ci->roles[CI_ROLE_GADGET])
+                ci_hdrc_otg_destroy(ci);
+deinit_gadget:
+        ci_hdrc_gadget_destroy(ci);
+deinit_host:
+        ci_hdrc_host_destroy(ci);
 deinit_phy:
        ci_usb_phy_exit(ci);
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 3f6bb3fff890..a501f3ba6a3f 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -377,7 +377,7 @@ static int acm_submit_read_urb(struct acm *acm, int index, gfp_t mem_flags)
        res = usb_submit_urb(acm->read_urbs[index], mem_flags);
        if (res) {
-                if (res != -EPERM) {
+                if (res != -EPERM && res != -ENODEV) {
                        dev_err(&acm->data->dev,
                                        "%s - usb_submit_urb failed: %d\n",
                                        __func__, res);
@@ -1695,6 +1695,12 @@ static const struct usb_device_id acm_ids[] = {
        { USB_DEVICE(0x0ace, 0x1611), /* ZyDAS 56K USB MODEM - new version */
        .driver_info = SINGLE_RX_URB, /* firmware bug */
        },
+        { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */
+        .driver_info = SINGLE_RX_URB,
+        },
+        { USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */
+        .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+        },
        { USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */
        .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
        },
@@ -1765,6 +1771,9 @@ static const struct usb_device_id acm_ids[] = {
        { USB_DEVICE(0x09d8, 0x0320), /* Elatec GmbH TWN3 */
        .driver_info = NO_UNION_NORMAL, /* has misplaced union descriptor */
        },
+        { USB_DEVICE(0x0ca6, 0xa050), /* Castles VEGA3000 */
+        .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
+        },
        { USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */
        .driver_info = CLEAR_HALT_CONDITIONS,
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 22dcccf2d286..6a287c81a7be 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -157,7 +157,9 @@ static const unsigned short full_speed_maxpacket_maxes[4] = {
 static const unsigned short high_speed_maxpacket_maxes[4] = {
        [USB_ENDPOINT_XFER_CONTROL] = 64,
        [USB_ENDPOINT_XFER_ISOC] = 1024,
-        [USB_ENDPOINT_XFER_BULK] = 512,
+        /* Bulk should be 512, but some devices use 1024: we will warn below */
+        [USB_ENDPOINT_XFER_BULK] = 1024,
        [USB_ENDPOINT_XFER_INT] = 1024,
 };
 static const unsigned short super_speed_maxpacket_maxes[4] = {
diff --git a/drivers/usb/core/generic.c b/drivers/usb/core/generic.c
index 358ca8dd784f..a5240b4d7ab9 100644
--- a/drivers/usb/core/generic.c
+++ b/drivers/usb/core/generic.c
@@ -208,8 +208,13 @@ static int generic_suspend(struct usb_device *udev, pm_message_t msg)
        if (!udev->parent)
                rc = hcd_bus_suspend(udev, msg);
-        /* Non-root devices don't need to do anything for FREEZE or PRETHAW */
+        /*
-        else if (msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
+         * Non-root USB2 devices don't need to do anything for FREEZE
+         * or PRETHAW. USB3 devices don't support global suspend and
+         * needs to be selectively suspended.
+         */
+        else if ((msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
+                 && (udev->speed < USB_SPEED_SUPER))
                rc = 0;
        else
                rc = usb_port_suspend(udev, msg);
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 24b084748b63..d90d08e3c8de 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -2340,6 +2340,7 @@ void usb_hcd_resume_root_hub (struct usb_hcd *hcd)
        spin_lock_irqsave (&hcd_root_hub_lock, flags);
        if (hcd->rh_registered) {
+                pm_wakeup_event(&hcd->self.root_hub->dev, 0);
                set_bit(HCD_FLAG_WAKEUP_PENDING, &hcd->flags);
                queue_work(pm_wq, &hcd->wakeup_work);
        }
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 926e9ef10f0b..4e032545a420 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -632,12 +632,17 @@ void usb_wakeup_notification(struct usb_device *hdev,
                unsigned int portnum)
 {
        struct usb_hub *hub;
+        struct usb_port *port_dev;
        if (!hdev)
                return;
        hub = usb_hub_to_struct_hub(hdev);
        if (hub) {
+                port_dev = hub->ports[portnum - 1];
+                if (port_dev && port_dev->child)
+                        pm_wakeup_event(&port_dev->child->dev, 0);
                set_bit(portnum, hub->wakeup_bits);
                kick_hub_wq(hub);
        }
@@ -1118,10 +1123,14 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
                if (!udev || udev->state == USB_STATE_NOTATTACHED) {
                        /* Tell hub_wq to disconnect the device or
-                         * check for a new connection
+                         * check for a new connection or over current condition.
+                         * Based on USB2.0 Spec Section 11.12.5,
+                         * C_PORT_OVER_CURRENT could be set while
+                         * PORT_OVER_CURRENT is not. So check for any of them.
                         */
                        if (udev || (portstatus & USB_PORT_STAT_CONNECTION) ||
-                            (portstatus & USB_PORT_STAT_OVERCURRENT))
+                            (portstatus & USB_PORT_STAT_OVERCURRENT) ||
+                            (portchange & USB_PORT_STAT_C_OVERCURRENT))
                                set_bit(port1, hub->change_bits);
                } else if (portstatus & USB_PORT_STAT_ENABLE) {
@@ -3306,6 +3315,10 @@ static int wait_for_ss_port_enable(struct usb_device *udev,
        while (delay_ms < 2000) {
                if (status || *portstatus & USB_PORT_STAT_CONNECTION)
                        break;
+                if (!port_is_power_on(hub, *portstatus)) {
+                        status = -ENODEV;
+                        break;
+                }
                msleep(20);
                delay_ms += 20;
                status = hub_port_status(hub, *port1, portstatus, portchange);
@@ -3368,8 +3381,11 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg)
        /* Skip the initial Clear-Suspend step for a remote wakeup */
        status = hub_port_status(hub, port1, &portstatus, &portchange);
-        if (status == 0 && !port_is_suspended(hub, portstatus))
+        if (status == 0 && !port_is_suspended(hub, portstatus)) {
+                if (portchange & USB_PORT_STAT_C_SUSPEND)
+                        pm_wakeup_event(&udev->dev, 0);
                goto SuspendCleared;
+        }
        /* see 7.1.7.7; affects power usage, but not budgeting */
        if (hub_is_superspeed(hub->hdev))
@@ -4446,7 +4462,9 @@ hub_port_init(struct usb_hub *hub, struct usb_device *udev, int port1,
                                 * reset. But only on the first attempt,
                                 * lest we get into a time out/reset loop
                                 */
-                                if (r == 0  || (r == -ETIMEDOUT && retries == 0))
+                                if (r == 0 || (r == -ETIMEDOUT &&
+                                                retries == 0 &&
+                                                udev->speed > USB_SPEED_FULL))
                                        break;
                        }
                        udev->descriptor.bMaxPacketSize0 =
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index f73a0305b3f5..60ff61915d25 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -147,6 +147,10 @@ int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
        ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
+        /* Linger a bit, prior to the next control message. */
+        if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
+                msleep(200);
        kfree(dr);
        return ret;
diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
index c05c4f877750..99f67764765f 100644
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -45,6 +45,9 @@ static const struct usb_device_id usb_quirk_list[] = {
        { USB_DEVICE(0x03f0, 0x0701), .driver_info =
                        USB_QUIRK_STRING_FETCH_255 },
+        /* HP v222w 16GB Mini USB Drive */
+        { USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT },
        /* Creative SB Audigy 2 NX */
        { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
@@ -225,8 +228,16 @@ static const struct usb_device_id usb_quirk_list[] = {
        { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
                        USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+        /* Corsair K70 RGB */
+        { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
+        /* Corsair Strafe */
+        { USB_DEVICE(0x1b1c, 0x1b15), .driver_info = USB_QUIRK_DELAY_INIT |
+          USB_QUIRK_DELAY_CTRL_MSG },
        /* Corsair Strafe RGB */
-        { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+        { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
+          USB_QUIRK_DELAY_CTRL_MSG },
        /* Corsair K70 LUX */
        { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
diff --git a/drivers/usb/dwc2/core.h b/drivers/usb/dwc2/core.h
index a738a68d2292..a899d47c2a7c 100644
--- a/drivers/usb/dwc2/core.h
+++ b/drivers/usb/dwc2/core.h
@@ -187,7 +187,7 @@ struct dwc2_hsotg_ep {
        unsigned char           dir_in;
        unsigned char           index;
        unsigned char           mc;
-        unsigned char           interval;
+        u16                     interval;
        unsigned int            halted:1;
        unsigned int            periodic:1;
diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
index 0abf73c91beb..98705b83d2dc 100644
--- a/drivers/usb/dwc2/gadget.c
+++ b/drivers/usb/dwc2/gadget.c
@@ -2424,12 +2424,6 @@ void dwc2_hsotg_core_init_disconnected(struct dwc2_hsotg *hsotg,
        dwc2_writel(dwc2_hsotg_ep0_mps(hsotg->eps_out[0]->ep.maxpacket) |
               DXEPCTL_USBACTEP, hsotg->regs + DIEPCTL0);
-        dwc2_hsotg_enqueue_setup(hsotg);
-        dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n",
-                dwc2_readl(hsotg->regs + DIEPCTL0),
-                dwc2_readl(hsotg->regs + DOEPCTL0));
        /* clear global NAKs */
        val = DCTL_CGOUTNAK | DCTL_CGNPINNAK;
        if (!is_usb_reset)
@@ -2440,6 +2434,12 @@ void dwc2_hsotg_core_init_disconnected(struct dwc2_hsotg *hsotg,
        mdelay(3);
        hsotg->lx_state = DWC2_L0;
+        dwc2_hsotg_enqueue_setup(hsotg);
+        dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n",
+                dwc2_readl(hsotg->regs + DIEPCTL0),
+                dwc2_readl(hsotg->regs + DOEPCTL0));
 }
 static void dwc2_hsotg_core_disconnect(struct dwc2_hsotg *hsotg)
diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
index 571c21727ff9..85fb6226770c 100644
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -1402,8 +1402,12 @@ static void dwc2_conn_id_status_change(struct work_struct *work)
                if (count > 250)
                        dev_err(hsotg->dev,
                                "Connection id status change timed out\n");
-                hsotg->op_state = OTG_STATE_A_HOST;
+                spin_lock_irqsave(&hsotg->lock, flags);
+                dwc2_hsotg_disconnect(hsotg);
+                spin_unlock_irqrestore(&hsotg->lock, flags);
+                hsotg->op_state = OTG_STATE_A_HOST;
                /* Initialize the Core for Host mode */
                dwc2_core_init(hsotg, false, -1);
                dwc2_enable_global_interrupts(hsotg);
diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
index b66723a77db3..1ef92df8e3e7 100644
--- a/drivers/usb/dwc3/core.h
+++ b/drivers/usb/dwc3/core.h
@@ -214,6 +214,8 @@
 #define DWC3_GUSB3PIPECTL_TX_DEEPH(n)   ((n) << 1)
 /* Global TX Fifo Size Register */
+#define DWC31_GTXFIFOSIZ_TXFRAMNUM      BIT(15)         /* DWC_usb31 only */
+#define DWC31_GTXFIFOSIZ_TXFDEF(n)      ((n) & 0x7fff)  /* DWC_usb31 only */
 #define DWC3_GTXFIFOSIZ_TXFDEF(n)       ((n) & 0xffff)
 #define DWC3_GTXFIFOSIZ_TXFSTADDR(n)    ((n) & 0xffff0000)
diff --git a/drivers/usb/dwc3/dwc3-keystone.c b/drivers/usb/dwc3/dwc3-keystone.c
index 72664700b8a2..12ee23f53cdd 100644
--- a/drivers/usb/dwc3/dwc3-keystone.c
+++ b/drivers/usb/dwc3/dwc3-keystone.c
@@ -107,6 +107,10 @@ static int kdwc3_probe(struct platform_device *pdev)
                return PTR_ERR(kdwc->usbss);
        kdwc->clk = devm_clk_get(kdwc->dev, "usb");
+        if (IS_ERR(kdwc->clk)) {
+                dev_err(kdwc->dev, "unable to get usb clock\n");
+                return PTR_ERR(kdwc->clk);
+        }
        error = clk_prepare_enable(kdwc->clk);
        if (error < 0) {
diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
index d2c0c1a8d979..68230adf2449 100644
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -167,7 +167,7 @@ static int dwc3_pci_probe(struct pci_dev *pci,
        ret = platform_device_add_resources(dwc3, res, ARRAY_SIZE(res));
        if (ret) {
                dev_err(dev, "couldn't add resources to dwc3 device\n");
-                return ret;
+                goto err;
        }
        pci_set_drvdata(pci, dwc3);
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index c778c511ea90..3e35a67b6369 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2532,6 +2532,8 @@ static void dwc3_gadget_conndone_interrupt(struct dwc3 *dwc)
                break;
        }
+        dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket;
        /* Enable USB2 LPM Capability */
        if ((dwc->revision > DWC3_REVISION_194A)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index d186d0282a38..eb445c2ab15e 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -104,7 +104,6 @@ int config_ep_by_speed(struct usb_gadget *g,
                        struct usb_function *f,
                        struct usb_ep *_ep)
 {
-        struct usb_composite_dev        *cdev = get_gadget_data(g);
        struct usb_endpoint_descriptor *chosen_desc = NULL;
        struct usb_descriptor_header **speed_desc = NULL;
@@ -176,8 +175,12 @@ ep_found:
                        _ep->maxburst = comp_desc->bMaxBurst + 1;
                        break;
                default:
-                        if (comp_desc->bMaxBurst != 0)
+                        if (comp_desc->bMaxBurst != 0) {
+                                struct usb_composite_dev *cdev;
+                                cdev = get_gadget_data(g);
                                ERROR(cdev, "ep0 bMaxBurst must be 0\n");
+                        }
                        _ep->maxburst = 1;
                        break;
                }
@@ -1325,7 +1328,7 @@ static int count_ext_compat(struct usb_configuration *c)
        return res;
 }
-static void fill_ext_compat(struct usb_configuration *c, u8 *buf)
+static int fill_ext_compat(struct usb_configuration *c, u8 *buf)
 {
        int i, count;
@@ -1352,10 +1355,12 @@ static void fill_ext_compat(struct usb_configuration *c, u8 *buf)
                                buf += 23;
                        }
                        count += 24;
-                        if (count >= 4096)
+                        if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ)
-                                return;
+                                return count;
                }
        }
+        return count;
 }
 static int count_ext_prop(struct usb_configuration *c, int interface)
@@ -1400,25 +1405,20 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf)
        struct usb_os_desc *d;
        struct usb_os_desc_ext_prop *ext_prop;
        int j, count, n, ret;
-        u8 *start = buf;
        f = c->interface[interface];
+        count = 10; /* header length */
        for (j = 0; j < f->os_desc_n; ++j) {
                if (interface != f->os_desc_table[j].if_id)
                        continue;
                d = f->os_desc_table[j].os_desc;
                if (d)
                        list_for_each_entry(ext_prop, &d->ext_prop, entry) {
-                                /* 4kB minus header length */
+                                n = ext_prop->data_len +
-                                n = buf - start;
-                                if (n >= 4086)
-                                        return 0;
-                                count = ext_prop->data_len +
                                        ext_prop->name_len + 14;
-                                if (count > 4086 - n)
+                                if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ)
-                                        return -EINVAL;
+                                        return count;
-                                usb_ext_prop_put_size(buf, count);
+                                usb_ext_prop_put_size(buf, n);
                                usb_ext_prop_put_type(buf, ext_prop->type);
                                ret = usb_ext_prop_put_name(buf, ext_prop->name,
                                                            ext_prop->name_len);
@@ -1444,11 +1444,12 @@ static int fill_ext_prop(struct usb_configuration *c, int interface, u8 *buf)
                                default:
                                        return -EINVAL;
                                }
-                                buf += count;
+                                buf += n;
+                                count += n;
                        }
        }
-        return 0;
+        return count;
 }
 /*
@@ -1717,6 +1718,7 @@ unknown:
                        req->complete = composite_setup_complete;
                        buf = req->buf;
                        os_desc_cfg = cdev->os_desc_config;
+                        w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ);
                        memset(buf, 0, w_length);
                        buf[5] = 0x01;
                        switch (ctrl->bRequestType & USB_RECIP_MASK) {
@@ -1740,8 +1742,8 @@ unknown:
                                        count += 16; /* header */
                                        put_unaligned_le32(count, buf);
                                        buf += 16;
-                                        fill_ext_compat(os_desc_cfg, buf);
+                                        value = fill_ext_compat(os_desc_cfg, buf);
-                                        value = w_length;
+                                        value = min_t(u16, w_length, value);
                                }
                                break;
                        case USB_RECIP_INTERFACE:
@@ -1770,8 +1772,7 @@ unknown:
                                                              interface, buf);
                                        if (value < 0)
                                                return value;
+                                        value = min_t(u16, w_length, value);
-                                        value = w_length;
                                }
                                break;
                        }
@@ -2035,8 +2036,8 @@ int composite_os_desc_req_prepare(struct usb_composite_dev *cdev,
                goto end;
        }
-        /* OS feature descriptor length <= 4kB */
+        cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ,
-        cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL);
+                                         GFP_KERNEL);
        if (!cdev->os_desc_req->buf) {
                ret = PTR_ERR(cdev->os_desc_req->buf);
                kfree(cdev->os_desc_req);
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 39bb65265bff..4800bb22cdd6 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -649,11 +649,15 @@ static void ffs_user_copy_worker(struct work_struct *work)
        bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
        if (io_data->read && ret > 0) {
+                mm_segment_t oldfs = get_fs();
+                set_fs(USER_DS);
                use_mm(io_data->mm);
                ret = copy_to_iter(io_data->buf, ret, &io_data->data);
                if (ret != io_data->req->actual && iov_iter_count(&io_data->data))
                        ret = -EFAULT;
                unuse_mm(io_data->mm);
+                set_fs(oldfs);
        }
        io_data->kiocb->ki_complete(io_data->kiocb, ret, ret);
@@ -1333,7 +1337,6 @@ ffs_fs_kill_sb(struct super_block *sb)
        if (sb->s_fs_info) {
                ffs_release_dev(sb->s_fs_info);
                ffs_data_closed(sb->s_fs_info);
-                ffs_data_put(sb->s_fs_info);
        }
 }
@@ -2756,10 +2759,8 @@ static int _ffs_func_bind(struct usb_configuration *c,
        struct ffs_data *ffs = func->ffs;
        const int full = !!func->ffs->fs_descs_count;
-        const int high = gadget_is_dualspeed(func->gadget) &&
+        const int high = !!func->ffs->hs_descs_count;
-                func->ffs->hs_descs_count;
+        const int super = !!func->ffs->ss_descs_count;
-        const int super = gadget_is_superspeed(func->gadget) &&
-                func->ffs->ss_descs_count;
        int fs_len, hs_len, ss_len, ret, i;
        struct ffs_ep *eps_ptr;
@@ -3036,7 +3037,7 @@ static int ffs_func_setup(struct usb_function *f,
        __ffs_event_add(ffs, FUNCTIONFS_SETUP);
        spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
-        return 0;
+        return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
 }
 static void ffs_func_suspend(struct usb_function *f)
@@ -3490,7 +3491,8 @@ static void ffs_closed(struct ffs_data *ffs)
        ci = opts->func_inst.group.cg_item.ci_parent->ci_parent;
        ffs_dev_unlock();
-        unregister_gadget_item(ci);
+        if (test_bit(FFS_FL_BOUND, &ffs->flags))
+                unregister_gadget_item(ci);
        return;
 done:
        ffs_dev_unlock();
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index ee579ba2b59e..a5dae5bb62ab 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -223,6 +223,13 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
        /* pick the first one */
        list = list_first_entry(&hidg->completed_out_req,
                                struct f_hidg_req_list, list);
+        /*
+         * Remove this from list to protect it from beign free()
+         * while host disables our function
+         */
+        list_del(&list->list);
        req = list->req;
        count = min_t(unsigned int, count, req->actual - list->pos);
        spin_unlock_irqrestore(&hidg->spinlock, flags);
@@ -238,15 +245,20 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
         * call, taking into account its current read position.
         */
        if (list->pos == req->actual) {
-                spin_lock_irqsave(&hidg->spinlock, flags);
-                list_del(&list->list);
                kfree(list);
-                spin_unlock_irqrestore(&hidg->spinlock, flags);
                req->length = hidg->report_length;
                ret = usb_ep_queue(hidg->out_ep, req, GFP_KERNEL);
-                if (ret < 0)
+                if (ret < 0) {
+                        free_ep_req(hidg->out_ep, req);
                        return ret;
+                }
+        } else {
+                spin_lock_irqsave(&hidg->spinlock, flags);
+                list_add(&list->list, &hidg->completed_out_req);
+                spin_unlock_irqrestore(&hidg->spinlock, flags);
+                wake_up(&hidg->read_queue);
        }
        return count;
@@ -490,14 +502,18 @@ static void hidg_disable(struct usb_function *f)
 {
        struct f_hidg *hidg = func_to_hidg(f);
        struct f_hidg_req_list *list, *next;
+        unsigned long flags;
        usb_ep_disable(hidg->in_ep);
        usb_ep_disable(hidg->out_ep);
+        spin_lock_irqsave(&hidg->spinlock, flags);
        list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) {
+                free_ep_req(hidg->out_ep, list->req);
                list_del(&list->list);
                kfree(list);
        }
+        spin_unlock_irqrestore(&hidg->spinlock, flags);
 }
 static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
index af60cc3714c1..5ead414586a1 100644
--- a/drivers/usb/gadget/function/f_midi.c
+++ b/drivers/usb/gadget/function/f_midi.c
@@ -201,12 +201,6 @@ static inline struct usb_request *midi_alloc_ep_req(struct usb_ep *ep,
        return alloc_ep_req(ep, length, length);
 }
-static void free_ep_req(struct usb_ep *ep, struct usb_request *req)
-{
-        kfree(req->buf);
-        usb_ep_free_request(ep, req);
-}
 static const uint8_t f_midi_cin_length[] = {
        0, 0, 2, 3, 3, 1, 2, 3, 3, 3, 3, 3, 2, 2, 3, 1
 };
diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c
index 9f3ced62d916..67b243989938 100644
--- a/drivers/usb/gadget/function/f_sourcesink.c
+++ b/drivers/usb/gadget/function/f_sourcesink.c
@@ -303,12 +303,6 @@ static inline struct usb_request *ss_alloc_ep_req(struct usb_ep *ep, int len)
        return alloc_ep_req(ep, len, ss->buflen);
 }
-void free_ep_req(struct usb_ep *ep, struct usb_request *req)
-{
-        kfree(req->buf);
-        usb_ep_free_request(ep, req);
-}
 static void disable_ep(struct usb_composite_dev *cdev, struct usb_ep *ep)
 {
        int                     value;
diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
index 12064d3bddf6..b5dab103be38 100644
--- a/drivers/usb/gadget/function/f_uac2.c
+++ b/drivers/usb/gadget/function/f_uac2.c
@@ -1052,6 +1052,8 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn)
                dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
                return ret;
        }
+        iad_desc.bFirstInterface = ret;
        std_ac_if_desc.bInterfaceNumber = ret;
        agdev->ac_intf = ret;
        agdev->ac_alt = 0;
diff --git a/drivers/usb/gadget/function/g_zero.h b/drivers/usb/gadget/function/g_zero.h
index 15f180904f8a..5ed90b437f18 100644
--- a/drivers/usb/gadget/function/g_zero.h
+++ b/drivers/usb/gadget/function/g_zero.h
@@ -59,7 +59,6 @@ void lb_modexit(void);
 int lb_modinit(void);
 /* common utilities */
-void free_ep_req(struct usb_ep *ep, struct usb_request *req);
 void disable_endpoints(struct usb_composite_dev *cdev,
                struct usb_ep *in, struct usb_ep *out,
                struct usb_ep *iso_in, struct usb_ep *iso_out);
diff --git a/drivers/usb/gadget/function/uvc_configfs.c b/drivers/usb/gadget/function/uvc_configfs.c
index ad8c9b05572d..01656f1c6d65 100644
--- a/drivers/usb/gadget/function/uvc_configfs.c
+++ b/drivers/usb/gadget/function/uvc_configfs.c
@@ -2202,7 +2202,7 @@ static struct configfs_item_operations uvc_item_ops = {
        .release                = uvc_attr_release,
 };
-#define UVCG_OPTS_ATTR(cname, conv, str2u, uxx, vnoc, limit)            \
+#define UVCG_OPTS_ATTR(cname, aname, conv, str2u, uxx, vnoc, limit)     \
 static ssize_t f_uvc_opts_##cname##_show(                               \
        struct config_item *item, char *page)                           \
 {                                                                       \
@@ -2245,16 +2245,16 @@ end:									\
        return ret;                                                     \
 }                                                                       \
                                                                        \
-UVC_ATTR(f_uvc_opts_, cname, aname)
+UVC_ATTR(f_uvc_opts_, cname, cname)
 #define identity_conv(x) (x)
-UVCG_OPTS_ATTR(streaming_interval, identity_conv, kstrtou8, u8, identity_conv,
+UVCG_OPTS_ATTR(streaming_interval, streaming_interval, identity_conv,
-               16);
+               kstrtou8, u8, identity_conv, 16);
-UVCG_OPTS_ATTR(streaming_maxpacket, le16_to_cpu, kstrtou16, u16, le16_to_cpu,
+UVCG_OPTS_ATTR(streaming_maxpacket, streaming_maxpacket, le16_to_cpu,
-               3072);
+               kstrtou16, u16, le16_to_cpu, 3072);
-UVCG_OPTS_ATTR(streaming_maxburst, identity_conv, kstrtou8, u8, identity_conv,
+UVCG_OPTS_ATTR(streaming_maxburst, streaming_maxburst, identity_conv,
-               15);
+               kstrtou8, u8, identity_conv, 15);
 #undef identity_conv
diff --git a/drivers/usb/gadget/u_f.c b/drivers/usb/gadget/u_f.c
index c6276f0268ae..907f8144813c 100644
--- a/drivers/usb/gadget/u_f.c
+++ b/drivers/usb/gadget/u_f.c
@@ -11,16 +11,18 @@
 * published by the Free Software Foundation.
 */
-#include <linux/usb/gadget.h>
 #include "u_f.h"
+#include <linux/usb/ch9.h>
-struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len)
+struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len)
 {
        struct usb_request      *req;
        req = usb_ep_alloc_request(ep, GFP_ATOMIC);
        if (req) {
                req->length = len ?: default_len;
+                if (usb_endpoint_dir_out(ep->desc))
+                        req->length = usb_ep_align(ep, req->length);
                req->buf = kmalloc(req->length, GFP_ATOMIC);
                if (!req->buf) {
                        usb_ep_free_request(ep, req);
diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h
index 1d5f0eb68552..69a1d10df04f 100644
--- a/drivers/usb/gadget/u_f.h
+++ b/drivers/usb/gadget/u_f.h
@@ -16,6 +16,8 @@
 #ifndef __U_F_H__
 #define __U_F_H__
+#include <linux/usb/gadget.h>
 /* Variable Length Array Macros **********************************************/
 #define vla_group(groupname) size_t groupname##__next = 0
 #define vla_group_size(groupname) groupname##__next
@@ -45,8 +47,26 @@
 struct usb_ep;
 struct usb_request;
-struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len);
+/**
+ * alloc_ep_req - returns a usb_request allocated by the gadget driver and
-#endif /* __U_F_H__ */
+ * allocates the request's buffer.
+ *
+ * @ep: the endpoint to allocate a usb_request
+ * @len: usb_requests's buffer suggested size
+ * @default_len: used if @len is not provided, ie, is 0
+ *
+ * In case @ep direction is OUT, the @len will be aligned to ep's
+ * wMaxPacketSize. In order to avoid memory leaks or drops, *always* use
+ * usb_requests's length (req->length) to refer to the allocated buffer size.
+ * Requests allocated via alloc_ep_req() *must* be freed by free_ep_req().
+ */
+struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len);
+/* Frees a usb_request previously allocated by alloc_ep_req() */
+static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
+{
+        kfree(req->buf);
+        usb_ep_free_request(ep, req);
+}
+#endif /* __U_F_H__ */
diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c
index ccb9c213cc9f..e9bd8d4abca0 100644
--- a/drivers/usb/gadget/udc/bdc/bdc_core.c
+++ b/drivers/usb/gadget/udc/bdc/bdc_core.c
@@ -475,7 +475,7 @@ static int bdc_probe(struct platform_device *pdev)
        bdc->dev = dev;
        dev_dbg(bdc->dev, "bdc->regs: %p irq=%d\n", bdc->regs, bdc->irq);
-        temp = bdc_readl(bdc->regs, BDC_BDCSC);
+        temp = bdc_readl(bdc->regs, BDC_BDCCAP1);
        if ((temp & BDC_P64) &&
                        !dma_set_mask_and_coherent(dev, DMA_BIT_MASK(64))) {
                dev_dbg(bdc->dev, "Using 64-bit address\n");
diff --git a/drivers/usb/gadget/udc/bdc/bdc_pci.c b/drivers/usb/gadget/udc/bdc/bdc_pci.c
index 02968842b359..708e36f530d8 100644
--- a/drivers/usb/gadget/udc/bdc/bdc_pci.c
+++ b/drivers/usb/gadget/udc/bdc/bdc_pci.c
@@ -82,6 +82,7 @@ static int bdc_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
        if (ret) {
                dev_err(&pci->dev,
                        "couldn't add resources to bdc device\n");
+                platform_device_put(bdc);
                return ret;
        }
diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
index 8080a11947b7..eb876ed96861 100644
--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -2105,16 +2105,13 @@ static int dummy_hub_control(
                        }
                        break;
                case USB_PORT_FEAT_POWER:
-                        if (hcd->speed == HCD_USB3) {
+                        dev_dbg(dummy_dev(dum_hcd), "power-off\n");
-                                if (dum_hcd->port_status & USB_PORT_STAT_POWER)
+                        if (hcd->speed == HCD_USB3)
-                                        dev_dbg(dummy_dev(dum_hcd),
+                                dum_hcd->port_status &= ~USB_SS_PORT_STAT_POWER;
-                                                "power-off\n");
+                        else
-                        } else
+                                dum_hcd->port_status &= ~USB_PORT_STAT_POWER;
-                                if (dum_hcd->port_status &
+                        set_link_state(dum_hcd);
-                                                        USB_SS_PORT_STAT_POWER)
+                        break;
-                                        dev_dbg(dummy_dev(dum_hcd),
-                                                "power-off\n");
-                        /* FALLS THROUGH */
                default:
                        dum_hcd->port_status &= ~(1 << wValue);
                        set_link_state(dum_hcd);
@@ -2285,14 +2282,13 @@ static int dummy_hub_control(
                                if ((dum_hcd->port_status &
                                     USB_SS_PORT_STAT_POWER) != 0) {
                                        dum_hcd->port_status |= (1 << wValue);
-                                        set_link_state(dum_hcd);
                                }
                        } else
                                if ((dum_hcd->port_status &
                                     USB_PORT_STAT_POWER) != 0) {
                                        dum_hcd->port_status |= (1 << wValue);
-                                        set_link_state(dum_hcd);
                                }
+                        set_link_state(dum_hcd);
                }
                break;
        case GetPortErrorCount:
diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
index aac0ce8aeb0b..8991a4070792 100644
--- a/drivers/usb/gadget/udc/fsl_udc_core.c
+++ b/drivers/usb/gadget/udc/fsl_udc_core.c
@@ -1310,7 +1310,7 @@ static void udc_reset_ep_queue(struct fsl_udc *udc, u8 pipe)
 {
        struct fsl_ep *ep = get_ep_by_pipe(udc, pipe);
-        if (ep->name)
+        if (ep->ep.name)
                nuke(ep, -ESHUTDOWN);
 }
@@ -1698,7 +1698,7 @@ static void dtd_complete_irq(struct fsl_udc *udc)
                curr_ep = get_ep_by_pipe(udc, i);
                /* If the ep is configured */
-                if (curr_ep->name == NULL) {
+                if (!curr_ep->ep.name) {
                        WARNING("Invalid EP?");
                        continue;
                }
diff --git a/drivers/usb/gadget/udc/goku_udc.h b/drivers/usb/gadget/udc/goku_udc.h
index 86d2adafe149..64eb0f2b5ea0 100644
--- a/drivers/usb/gadget/udc/goku_udc.h
+++ b/drivers/usb/gadget/udc/goku_udc.h
@@ -28,7 +28,7 @@ struct goku_udc_regs {
 #       define INT_EP1DATASET           0x00040
 #       define INT_EP2DATASET           0x00080
 #       define INT_EP3DATASET           0x00100
-#define INT_EPnNAK(n)           (0x00100 < (n))         /* 0 < n < 4 */
+#define INT_EPnNAK(n)           (0x00100 << (n))        /* 0 < n < 4 */
 #       define INT_EP1NAK               0x00200
 #       define INT_EP2NAK               0x00400
 #       define INT_EP3NAK               0x00800
diff --git a/drivers/usb/host/Kconfig b/drivers/usb/host/Kconfig
index 3bb08870148f..95e72d75e0a0 100644
--- a/drivers/usb/host/Kconfig
+++ b/drivers/usb/host/Kconfig
@@ -220,6 +220,8 @@ config USB_EHCI_TEGRA
       depends on ARCH_TEGRA
       select USB_EHCI_ROOT_HUB_TT
       select USB_PHY
+        select USB_ULPI
+        select USB_ULPI_VIEWPORT
       help
         This driver enables support for the internal USB Host Controllers
         found in NVIDIA Tegra SoCs. The controllers are EHCI compliant.
diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
index 9d1192aea9d0..602c6e42c34d 100644
--- a/drivers/usb/host/ohci-hcd.c
+++ b/drivers/usb/host/ohci-hcd.c
@@ -444,7 +444,8 @@ static int ohci_init (struct ohci_hcd *ohci)
        struct usb_hcd *hcd = ohci_to_hcd(ohci);
        /* Accept arbitrarily long scatter-gather lists */
-        hcd->self.sg_tablesize = ~0;
+        if (!(hcd->driver->flags & HCD_LOCAL_MEM))
+                hcd->self.sg_tablesize = ~0;
        if (distrust_firmware)
                ohci->flags |= OHCI_QUIRK_HUB_POWER;
diff --git a/drivers/usb/host/ohci-q.c b/drivers/usb/host/ohci-q.c
index 641fed609911..24edb7674710 100644
--- a/drivers/usb/host/ohci-q.c
+++ b/drivers/usb/host/ohci-q.c
@@ -1018,6 +1018,8 @@ skip_ed:
                 * have modified this list.  normally it's just prepending
                 * entries (which we'd ignore), but paranoia won't hurt.
                 */
+                *last = ed->ed_next;
+                ed->ed_next = NULL;
                modified = 0;
                /* unlink urbs as requested, but rescan the list after
@@ -1076,21 +1078,22 @@ rescan_this:
                        goto rescan_this;
                /*
-                 * If no TDs are queued, take ED off the ed_rm_list.
+                 * If no TDs are queued, ED is now idle.
                 * Otherwise, if the HC is running, reschedule.
-                 * If not, leave it on the list for further dequeues.
+                 * If the HC isn't running, add ED back to the
+                 * start of the list for later processing.
                 */
                if (list_empty(&ed->td_list)) {
-                        *last = ed->ed_next;
-                        ed->ed_next = NULL;
                        ed->state = ED_IDLE;
                        list_del(&ed->in_use_list);
                } else if (ohci->rh_state == OHCI_RH_RUNNING) {
-                        *last = ed->ed_next;
-                        ed->ed_next = NULL;
                        ed_schedule(ohci, ed);
                } else {
-                        last = &ed->ed_next;
+                        ed->ed_next = ohci->ed_rm_list;
+                        ohci->ed_rm_list = ed;
+                        /* Don't loop on the same ED */
+                        if (last == &ohci->ed_rm_list)
+                                last = &ed->ed_next;
                }
                if (modified)
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index d9363713b7f1..0ec809a35a3f 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -638,7 +638,7 @@ struct xhci_ring *xhci_stream_id_to_ring(
        if (!ep->stream_info)
                return NULL;
-        if (stream_id > ep->stream_info->num_streams)
+        if (stream_id >= ep->stream_info->num_streams)
                return NULL;
        return ep->stream_info->stream_rings[stream_id];
 }
@@ -960,6 +960,8 @@ void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id)
        if (dev->out_ctx)
                xhci_free_container_ctx(xhci, dev->out_ctx);
+        if (dev->udev && dev->udev->slot_id)
+                dev->udev->slot_id = 0;
        kfree(xhci->devs[slot_id]);
        xhci->devs[slot_id] = NULL;
 }
diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
index 64e722c59a18..e01d353a5978 100644
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -290,7 +290,6 @@ MODULE_DEVICE_TABLE(acpi, usb_xhci_acpi_match);
 static struct platform_driver usb_xhci_driver = {
        .probe  = xhci_plat_probe,
        .remove = xhci_plat_remove,
-        .shutdown       = usb_hcd_platform_shutdown,
        .driver = {
                .name = "xhci-hcd",
                .pm = DEV_PM_OPS,
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 82d7419b2c16..d90580a750ba 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -887,6 +887,41 @@ static void xhci_disable_port_wake_on_bits(struct xhci_hcd *xhci)
        spin_unlock_irqrestore(&xhci->lock, flags);
 }
+static bool xhci_pending_portevent(struct xhci_hcd *xhci)
+{
+        __le32 __iomem          **port_array;
+        int                     port_index;
+        u32                     status;
+        u32                     portsc;
+        status = readl(&xhci->op_regs->status);
+        if (status & STS_EINT)
+                return true;
+        /*
+         * Checking STS_EINT is not enough as there is a lag between a change
+         * bit being set and the Port Status Change Event that it generated
+         * being written to the Event Ring. See note in xhci 1.1 section 4.19.2.
+         */
+        port_index = xhci->num_usb2_ports;
+        port_array = xhci->usb2_ports;
+        while (port_index--) {
+                portsc = readl(port_array[port_index]);
+                if (portsc & PORT_CHANGE_MASK ||
+                    (portsc & PORT_PLS_MASK) == XDEV_RESUME)
+                        return true;
+        }
+        port_index = xhci->num_usb3_ports;
+        port_array = xhci->usb3_ports;
+        while (port_index--) {
+                portsc = readl(port_array[port_index]);
+                if (portsc & PORT_CHANGE_MASK ||
+                    (portsc & PORT_PLS_MASK) == XDEV_RESUME)
+                        return true;
+        }
+        return false;
+}
 /*
 * Stop HC (not bus-specific)
 *
@@ -983,7 +1018,7 @@ EXPORT_SYMBOL_GPL(xhci_suspend);
 */
 int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
 {
-        u32                     command, temp = 0, status;
+        u32                     command, temp = 0;
        struct usb_hcd          *hcd = xhci_to_hcd(xhci);
        struct usb_hcd          *secondary_hcd;
        int                     retval = 0;
@@ -1105,8 +1140,7 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
 done:
        if (retval == 0) {
                /* Resume root hubs only when have pending events. */
-                status = readl(&xhci->op_regs->status);
+                if (xhci_pending_portevent(xhci)) {
-                if (status & STS_EINT) {
                        usb_hcd_resume_root_hub(xhci->shared_hcd);
                        usb_hcd_resume_root_hub(hcd);
                }
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index 9ed3de1a1d8c..260a50f6070e 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -382,6 +382,10 @@ struct xhci_op_regs {
 #define PORT_PLC        (1 << 22)
 /* port configure error change - port failed to configure its link partner */
 #define PORT_CEC        (1 << 23)
+#define PORT_CHANGE_MASK        (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \
+                                 PORT_RC | PORT_PLC | PORT_CEC)
 /* Cold Attach Status - xHC can set this bit to report device attached during
 * Sx state. Warm port reset should be perfomed to clear this bit and move port
 * to connected state.
diff --git a/drivers/usb/misc/ldusb.c b/drivers/usb/misc/ldusb.c
index cce22ff1c2eb..e9113238d9e3 100644
--- a/drivers/usb/misc/ldusb.c
+++ b/drivers/usb/misc/ldusb.c
@@ -46,6 +46,9 @@
 #define USB_DEVICE_ID_LD_MICROCASSYTIME         0x1033  /* USB Product ID of Micro-CASSY Time (reserved) */
 #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE  0x1035  /* USB Product ID of Micro-CASSY Temperature */
 #define USB_DEVICE_ID_LD_MICROCASSYPH           0x1038  /* USB Product ID of Micro-CASSY pH */
+#define USB_DEVICE_ID_LD_POWERANALYSERCASSY     0x1040  /* USB Product ID of Power Analyser CASSY */
+#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY       0x1042  /* USB Product ID of Converter Controller CASSY */
+#define USB_DEVICE_ID_LD_MACHINETESTCASSY       0x1043  /* USB Product ID of Machine Test CASSY */
 #define USB_DEVICE_ID_LD_JWM            0x1080  /* USB Product ID of Joule and Wattmeter */
 #define USB_DEVICE_ID_LD_DMMP           0x1081  /* USB Product ID of Digital Multimeter P (reserved) */
 #define USB_DEVICE_ID_LD_UMIP           0x1090  /* USB Product ID of UMI P */
@@ -88,6 +91,9 @@ static const struct usb_device_id ld_usb_table[] = {
        { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
        { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
        { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
+        { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
+        { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
+        { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
        { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
        { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
        { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },
diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
index 343fa6ff9f4b..512c84adcace 100644
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -414,8 +414,7 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
                          loff_t *ppos)
 {
        struct usb_yurex *dev;
-        int retval = 0;
+        int len = 0;
-        int bytes_read = 0;
        char in_buffer[20];
        unsigned long flags;
@@ -423,26 +422,16 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
        mutex_lock(&dev->io_mutex);
        if (!dev->interface) {          /* already disconnected */
-                retval = -ENODEV;
+                mutex_unlock(&dev->io_mutex);
-                goto exit;
+                return -ENODEV;
        }
        spin_lock_irqsave(&dev->lock, flags);
-        bytes_read = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
+        len = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
        spin_unlock_irqrestore(&dev->lock, flags);
-        if (*ppos < bytes_read) {
-                if (copy_to_user(buffer, in_buffer + *ppos, bytes_read - *ppos))
-                        retval = -EFAULT;
-                else {
-                        retval = bytes_read - *ppos;
-                        *ppos += bytes_read;
-                }
-        }
-exit:
        mutex_unlock(&dev->io_mutex);
-        return retval;
+        return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
 }
 static ssize_t yurex_write(struct file *file, const char __user *user_buffer,
diff --git a/drivers/usb/mon/mon_text.c b/drivers/usb/mon/mon_text.c
index ad408251d955..108dcc5f5350 100644
--- a/drivers/usb/mon/mon_text.c
+++ b/drivers/usb/mon/mon_text.c
@@ -82,6 +82,8 @@ struct mon_reader_text {
        wait_queue_head_t wait;
        int printf_size;
+        size_t printf_offset;
+        size_t printf_togo;
        char *printf_buf;
        struct mutex printf_lock;
@@ -373,73 +375,103 @@ err_alloc:
        return rc;
 }
-/*
+static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp,
- * For simplicity, we read one record in one system call and throw out
+    char __user * const buf, const size_t nbytes)
- * what does not fit. This means that the following does not work:
+{
- *   dd if=/dbg/usbmon/0t bs=10
+        const size_t togo = min(nbytes, rp->printf_togo);
- * Also, we do not allow seeks and do not bother advancing the offset.
- */
+        if (copy_to_user(buf, &rp->printf_buf[rp->printf_offset], togo))
+                return -EFAULT;
+        rp->printf_togo -= togo;
+        rp->printf_offset += togo;
+        return togo;
+}
+/* ppos is not advanced since the llseek operation is not permitted. */
 static ssize_t mon_text_read_t(struct file *file, char __user *buf,
-                                size_t nbytes, loff_t *ppos)
+    size_t nbytes, loff_t *ppos)
 {
        struct mon_reader_text *rp = file->private_data;
        struct mon_event_text *ep;
        struct mon_text_ptr ptr;
+        ssize_t ret;
-        if (IS_ERR(ep = mon_text_read_wait(rp, file)))
-                return PTR_ERR(ep);
        mutex_lock(&rp->printf_lock);
-        ptr.cnt = 0;
-        ptr.pbuf = rp->printf_buf;
+        if (rp->printf_togo == 0) {
-        ptr.limit = rp->printf_size;
+                ep = mon_text_read_wait(rp, file);
-        mon_text_read_head_t(rp, &ptr, ep);
+                if (IS_ERR(ep)) {
-        mon_text_read_statset(rp, &ptr, ep);
+                        mutex_unlock(&rp->printf_lock);
-        ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+                        return PTR_ERR(ep);
-            " %d", ep->length);
+                }
-        mon_text_read_data(rp, &ptr, ep);
+                ptr.cnt = 0;
+                ptr.pbuf = rp->printf_buf;
-        if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
+                ptr.limit = rp->printf_size;
-                ptr.cnt = -EFAULT;
+                mon_text_read_head_t(rp, &ptr, ep);
+                mon_text_read_statset(rp, &ptr, ep);
+                ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+                    " %d", ep->length);
+                mon_text_read_data(rp, &ptr, ep);
+                rp->printf_togo = ptr.cnt;
+                rp->printf_offset = 0;
+                kmem_cache_free(rp->e_slab, ep);
+        }
+        ret = mon_text_copy_to_user(rp, buf, nbytes);
        mutex_unlock(&rp->printf_lock);
-        kmem_cache_free(rp->e_slab, ep);
+        return ret;
-        return ptr.cnt;
 }
+/* ppos is not advanced since the llseek operation is not permitted. */
 static ssize_t mon_text_read_u(struct file *file, char __user *buf,
-                                size_t nbytes, loff_t *ppos)
+    size_t nbytes, loff_t *ppos)
 {
        struct mon_reader_text *rp = file->private_data;
        struct mon_event_text *ep;
        struct mon_text_ptr ptr;
+        ssize_t ret;
-        if (IS_ERR(ep = mon_text_read_wait(rp, file)))
-                return PTR_ERR(ep);
        mutex_lock(&rp->printf_lock);
-        ptr.cnt = 0;
-        ptr.pbuf = rp->printf_buf;
-        ptr.limit = rp->printf_size;
-        mon_text_read_head_u(rp, &ptr, ep);
+        if (rp->printf_togo == 0) {
-        if (ep->type == 'E') {
-                mon_text_read_statset(rp, &ptr, ep);
+                ep = mon_text_read_wait(rp, file);
-        } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
+                if (IS_ERR(ep)) {
-                mon_text_read_isostat(rp, &ptr, ep);
+                        mutex_unlock(&rp->printf_lock);
-                mon_text_read_isodesc(rp, &ptr, ep);
+                        return PTR_ERR(ep);
-        } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
+                }
-                mon_text_read_intstat(rp, &ptr, ep);
+                ptr.cnt = 0;
-        } else {
+                ptr.pbuf = rp->printf_buf;
-                mon_text_read_statset(rp, &ptr, ep);
+                ptr.limit = rp->printf_size;
+                mon_text_read_head_u(rp, &ptr, ep);
+                if (ep->type == 'E') {
+                        mon_text_read_statset(rp, &ptr, ep);
+                } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
+                        mon_text_read_isostat(rp, &ptr, ep);
+                        mon_text_read_isodesc(rp, &ptr, ep);
+                } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
+                        mon_text_read_intstat(rp, &ptr, ep);
+                } else {
+                        mon_text_read_statset(rp, &ptr, ep);
+                }
+                ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+                    " %d", ep->length);
+                mon_text_read_data(rp, &ptr, ep);
+                rp->printf_togo = ptr.cnt;
+                rp->printf_offset = 0;
+                kmem_cache_free(rp->e_slab, ep);
        }
-        ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
-            " %d", ep->length);
-        mon_text_read_data(rp, &ptr, ep);
-        if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
+        ret = mon_text_copy_to_user(rp, buf, nbytes);
-                ptr.cnt = -EFAULT;
        mutex_unlock(&rp->printf_lock);
-        kmem_cache_free(rp->e_slab, ep);
+        return ret;
-        return ptr.cnt;
 }
 static struct mon_event_text *mon_text_read_wait(struct mon_reader_text *rp,
diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
index 054d8adff5ab..4fa5565f11aa 100644
--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -1781,6 +1781,7 @@ musb_vbus_show(struct device *dev, struct device_attribute *attr, char *buf)
        int             vbus;
        u8              devctl;
+        pm_runtime_get_sync(dev);
        spin_lock_irqsave(&musb->lock, flags);
        val = musb->a_wait_bcon;
        vbus = musb_platform_get_vbus_status(musb);
@@ -1794,6 +1795,7 @@ musb_vbus_show(struct device *dev, struct device_attribute *attr, char *buf)
                        vbus = 0;
        }
        spin_unlock_irqrestore(&musb->lock, flags);
+        pm_runtime_put_sync(dev);
        return sprintf(buf, "Vbus %s, timeout %lu msec\n",
                        vbus ? "on" : "off", val);
@@ -2528,7 +2530,8 @@ static int musb_resume(struct device *dev)
        pm_runtime_set_active(dev);
        pm_runtime_enable(dev);
-        musb_start(musb);
+        musb_enable_interrupts(musb);
+        musb_platform_enable(musb);
        return 0;
 }
diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
index 10d30afe4a3c..a0d1417362cd 100644
--- a/drivers/usb/musb/musb_gadget_ep0.c
+++ b/drivers/usb/musb/musb_gadget_ep0.c
@@ -114,15 +114,19 @@ static int service_tx_status_request(
                }
                is_in = epnum & USB_DIR_IN;
-                if (is_in) {
+                epnum &= 0x0f;
-                        epnum &= 0x0f;
+                if (epnum >= MUSB_C_NUM_EPS) {
+                        handled = -EINVAL;
+                        break;
+                }
+                if (is_in)
                        ep = &musb->endpoints[epnum].ep_in;
-                } else {
+                else
                        ep = &musb->endpoints[epnum].ep_out;
-                }
                regs = musb->endpoints[epnum].regs;
-                if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
+                if (!ep->desc) {
                        handled = -EINVAL;
                        break;
                }
diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
index 22358ab524b0..4926d89c787d 100644
--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -1054,7 +1054,9 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep,
                        /* set tx_reinit and schedule the next qh */
                        ep->tx_reinit = 1;
                }
-                musb_start_urb(musb, is_in, next_qh);
+                if (next_qh)
+                        musb_start_urb(musb, is_in, next_qh);
        }
 }
@@ -2587,8 +2589,11 @@ static int musb_bus_suspend(struct usb_hcd *hcd)
 {
        struct musb     *musb = hcd_to_musb(hcd);
        u8              devctl;
+        int             ret;
-        musb_port_suspend(musb, true);
+        ret = musb_port_suspend(musb, true);
+        if (ret)
+                return ret;
        if (!is_host_active(musb))
                return 0;
diff --git a/drivers/usb/musb/musb_host.h b/drivers/usb/musb/musb_host.h
index 7bbf01bf4bb0..54d02ed032df 100644
--- a/drivers/usb/musb/musb_host.h
+++ b/drivers/usb/musb/musb_host.h
@@ -92,7 +92,7 @@ extern void musb_host_rx(struct musb *, u8);
 extern void musb_root_disconnect(struct musb *musb);
 extern void musb_host_resume_root_hub(struct musb *musb);
 extern void musb_host_poke_root_hub(struct musb *musb);
-extern void musb_port_suspend(struct musb *musb, bool do_suspend);
+extern int musb_port_suspend(struct musb *musb, bool do_suspend);
 extern void musb_port_reset(struct musb *musb, bool do_reset);
 extern void musb_host_finish_resume(struct work_struct *work);
 #else
@@ -124,7 +124,10 @@ static inline void musb_root_disconnect(struct musb *musb)	{}
 static inline void musb_host_resume_root_hub(struct musb *musb) {}
 static inline void musb_host_poll_rh_status(struct musb *musb)  {}
 static inline void musb_host_poke_root_hub(struct musb *musb)   {}
-static inline void musb_port_suspend(struct musb *musb, bool do_suspend) {}
+static inline int musb_port_suspend(struct musb *musb, bool do_suspend)
+{
+        return 0;
+}
 static inline void musb_port_reset(struct musb *musb, bool do_reset) {}
 static inline void musb_host_finish_resume(struct work_struct *work) {}
 #endif
diff --git a/drivers/usb/musb/musb_virthub.c b/drivers/usb/musb/musb_virthub.c
index 92d5f718659b..ac5458a69de5 100644
--- a/drivers/usb/musb/musb_virthub.c
+++ b/drivers/usb/musb/musb_virthub.c
@@ -74,14 +74,14 @@ void musb_host_finish_resume(struct work_struct *work)
        spin_unlock_irqrestore(&musb->lock, flags);
 }
-void musb_port_suspend(struct musb *musb, bool do_suspend)
+int musb_port_suspend(struct musb *musb, bool do_suspend)
 {
        struct usb_otg  *otg = musb->xceiv->otg;
        u8              power;
        void __iomem    *mbase = musb->mregs;
        if (!is_host_active(musb))
-                return;
+                return 0;
        /* NOTE:  this doesn't necessarily put PHY into low power mode,
         * turning off its clock; that's a function of PHY integration and
@@ -92,16 +92,20 @@ void musb_port_suspend(struct musb *musb, bool do_suspend)
        if (do_suspend) {
                int retries = 10000;
-                power &= ~MUSB_POWER_RESUME;
+                if (power & MUSB_POWER_RESUME)
-                power |= MUSB_POWER_SUSPENDM;
+                        return -EBUSY;
-                musb_writeb(mbase, MUSB_POWER, power);
-                /* Needed for OPT A tests */
+                if (!(power & MUSB_POWER_SUSPENDM)) {
-                power = musb_readb(mbase, MUSB_POWER);
+                        power |= MUSB_POWER_SUSPENDM;
-                while (power & MUSB_POWER_SUSPENDM) {
+                        musb_writeb(mbase, MUSB_POWER, power);
+                        /* Needed for OPT A tests */
                        power = musb_readb(mbase, MUSB_POWER);
-                        if (retries-- < 1)
+                        while (power & MUSB_POWER_SUSPENDM) {
-                                break;
+                                power = musb_readb(mbase, MUSB_POWER);
+                                if (retries-- < 1)
+                                        break;
+                        }
                }
                dev_dbg(musb->controller, "Root port suspended, power %02x\n", power);
@@ -138,6 +142,7 @@ void musb_port_suspend(struct musb *musb, bool do_suspend)
                schedule_delayed_work(&musb->finish_resume_work,
                                      msecs_to_jiffies(USB_RESUME_TIMEOUT));
        }
+        return 0;
 }
 void musb_port_reset(struct musb *musb, bool do_reset)
diff --git a/drivers/usb/musb/ux500_dma.c b/drivers/usb/musb/ux500_dma.c
index d0b6a1cd7f62..c92a295049ad 100644
--- a/drivers/usb/musb/ux500_dma.c
+++ b/drivers/usb/musb/ux500_dma.c
@@ -207,9 +207,6 @@ static int ux500_dma_channel_program(struct dma_channel *channel,
        BUG_ON(channel->status == MUSB_DMA_STATUS_UNKNOWN ||
                channel->status == MUSB_DMA_STATUS_BUSY);
-        if (!ux500_dma_is_compatible(channel, packet_sz, (void *)dma_addr, len))
-                return false;
        channel->status = MUSB_DMA_STATUS_BUSY;
        channel->actual_len = 0;
        ret = ux500_configure_channel(channel, packet_sz, mode, dma_addr, len);
diff --git a/drivers/usb/phy/Kconfig b/drivers/usb/phy/Kconfig
index 8fbb08e3e754..03b1aade253a 100644
--- a/drivers/usb/phy/Kconfig
+++ b/drivers/usb/phy/Kconfig
@@ -141,6 +141,7 @@ config USB_MSM_OTG
        tristate "Qualcomm on-chip USB OTG controller support"
        depends on (USB || USB_GADGET) && (ARCH_QCOM || COMPILE_TEST)
        depends on RESET_CONTROLLER
+        depends on REGULATOR
        depends on EXTCON
        select USB_PHY
        help
diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c
index 8bb9367ada45..6f37966ea54b 100644
--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -999,6 +999,10 @@ static int usbhsf_dma_prepare_pop_with_usb_dmac(struct usbhs_pkt *pkt,
        if ((uintptr_t)pkt->buf & (USBHS_USB_DMAC_XFER_SIZE - 1))
                goto usbhsf_pio_prepare_pop;
+        /* return at this time if the pipe is running */
+        if (usbhs_pipe_is_running(pipe))
+                return 0;
        usbhs_pipe_config_change_bfre(pipe, 1);
        ret = usbhsf_fifo_select(pipe, fifo, 0);
@@ -1189,6 +1193,7 @@ static int usbhsf_dma_pop_done_with_usb_dmac(struct usbhs_pkt *pkt,
        usbhsf_fifo_clear(pipe, fifo);
        pkt->actual = usbhs_dma_calc_received_size(pkt, chan, rcv_len);
+        usbhs_pipe_running(pipe, 0);
        usbhsf_dma_stop(pipe, fifo);
        usbhsf_dma_unmap(pkt);
        usbhsf_fifo_unselect(pipe, pipe->fifo);
diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig
index 56ecb8b5115d..77c3ebe860c5 100644
--- a/drivers/usb/serial/Kconfig
+++ b/drivers/usb/serial/Kconfig
@@ -62,7 +62,9 @@ config USB_SERIAL_SIMPLE
                - Fundamental Software dongle.
                - Google USB serial devices
                - HP4x calculators
+                - Libtransistor USB console
                - a number of Motorola phones
+                - Motorola Tetra devices
                - Novatel Wireless GPS receivers
                - Siemens USB/MPI adapter.
                - ViVOtech ViVOpay USB device.
diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index 71133d96f97d..f73ea14e8173 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -118,7 +118,7 @@ static int ch341_control_in(struct usb_device *dev,
        r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
                            USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
                            value, index, buf, bufsize, DEFAULT_TIMEOUT);
-        if (r < bufsize) {
+        if (r < (int)bufsize) {
                if (r >= 0) {
                        dev_err(&dev->dev,
                                "short control message received (%d < %u)\n",
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index a4ab4fdf5ba3..97382301c393 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -33,7 +33,7 @@ static int cp210x_open(struct tty_struct *tty, struct usb_serial_port *);
 static void cp210x_close(struct usb_serial_port *);
 static void cp210x_get_termios(struct tty_struct *, struct usb_serial_port *);
 static void cp210x_get_termios_port(struct usb_serial_port *port,
-        unsigned int *cflagp, unsigned int *baudp);
+        tcflag_t *cflagp, unsigned int *baudp);
 static void cp210x_change_speed(struct tty_struct *, struct usb_serial_port *,
                                                        struct ktermios *);
 static void cp210x_set_termios(struct tty_struct *, struct usb_serial_port *,
@@ -91,6 +91,9 @@ static const struct usb_device_id id_table[] = {
        { USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */
        { USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */
        { USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */
+        { USB_DEVICE(0x10C4, 0x817C) }, /* CESINEL MEDCAL N Power Quality Monitor */
+        { USB_DEVICE(0x10C4, 0x817D) }, /* CESINEL MEDCAL NT Power Quality Monitor */
+        { USB_DEVICE(0x10C4, 0x817E) }, /* CESINEL MEDCAL S Power Quality Monitor */
        { USB_DEVICE(0x10C4, 0x818B) }, /* AVIT Research USB to TTL */
        { USB_DEVICE(0x10C4, 0x819F) }, /* MJS USB Toslink Switcher */
        { USB_DEVICE(0x10C4, 0x81A6) }, /* ThinkOptics WavIt */
@@ -108,6 +111,9 @@ static const struct usb_device_id id_table[] = {
        { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */
        { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */
        { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */
+        { USB_DEVICE(0x10C4, 0x82EF) }, /* CESINEL FALCO 6105 AC Power Supply */
+        { USB_DEVICE(0x10C4, 0x82F1) }, /* CESINEL MEDCAL EFD Earth Fault Detector */
+        { USB_DEVICE(0x10C4, 0x82F2) }, /* CESINEL MEDCAL ST Network Analyzer */
        { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */
        { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */
        { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
@@ -120,7 +126,9 @@ static const struct usb_device_id id_table[] = {
        { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
        { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
        { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
+        { USB_DEVICE(0x10C4, 0x851E) }, /* CESINEL MEDCAL PT Network Analyzer */
        { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
+        { USB_DEVICE(0x10C4, 0x85B8) }, /* CESINEL ReCon T Energy Logger */
        { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
        { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
        { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
@@ -130,17 +138,24 @@ static const struct usb_device_id id_table[] = {
        { USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */
        { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
        { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
+        { USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */
+        { USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */
        { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
        { USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */
        { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
        { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
+        { USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */
+        { USB_DEVICE(0x10C4, 0x89FB) }, /* Qivicon ZigBee USB Radio Stick */
        { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
        { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
        { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
        { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
        { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
+        { USB_DEVICE(0x10C4, 0xEA63) }, /* Silicon Labs Windows Update (CP2101-4/CP2102N) */
        { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
        { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */
+        { USB_DEVICE(0x10C4, 0xEA7A) }, /* Silicon Labs Windows Update (CP2105) */
+        { USB_DEVICE(0x10C4, 0xEA7B) }, /* Silicon Labs Windows Update (CP2108) */
        { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */
        { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */
        { USB_DEVICE(0x10C4, 0xF003) }, /* Elan Digital Systems USBpulse100 */
@@ -151,6 +166,7 @@ static const struct usb_device_id id_table[] = {
        { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */
        { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */
        { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */
+        { USB_DEVICE(0x155A, 0x1006) }, /* ELDAT Easywave RX09 */
        { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */
        { USB_DEVICE(0x166A, 0x0301) }, /* Clipsal 5800PC C-Bus Wireless PC Interface */
        { USB_DEVICE(0x166A, 0x0303) }, /* Clipsal 5500PCU C-Bus USB interface */
@@ -209,6 +225,7 @@ static const struct usb_device_id id_table[] = {
        { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */
        { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */
        { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */
+        { USB_DEVICE(0x3923, 0x7A0B) }, /* National Instruments USB Serial Console */
        { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */
        { } /* Terminating Entry */
 };
@@ -513,7 +530,7 @@ static void cp210x_get_termios(struct tty_struct *tty,
                        &tty->termios.c_cflag, &baud);
                tty_encode_baud_rate(tty, baud, baud);
        } else {
-                unsigned int cflag;
+                tcflag_t cflag;
                cflag = 0;
                cp210x_get_termios_port(port, &cflag, &baud);
        }
@@ -524,10 +541,11 @@ static void cp210x_get_termios(struct tty_struct *tty,
 * This is the heart of cp210x_get_termios which always uses a &usb_serial_port.
 */
 static void cp210x_get_termios_port(struct usb_serial_port *port,
-        unsigned int *cflagp, unsigned int *baudp)
+        tcflag_t *cflagp, unsigned int *baudp)
 {
        struct device *dev = &port->dev;
-        unsigned int cflag, modem_ctl[4];
+        tcflag_t cflag;
+        unsigned int modem_ctl[4];
        unsigned int baud;
        unsigned int bits;
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 64fe9dc25ed4..3e5b189a79b4 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -773,6 +773,7 @@ static const struct usb_device_id id_table_combined[] = {
                .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
        { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) },
        { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) },
+        { USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) },
        { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) },
        { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) },
        { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) },
@@ -935,6 +936,7 @@ static const struct usb_device_id id_table_combined[] = {
        { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) },
        { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) },
        { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) },
+        { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) },
        { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) },
        { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
                .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
@@ -1909,7 +1911,8 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial)
                return ftdi_jtag_probe(serial);
        if (udev->product &&
-                (!strcmp(udev->product, "BeagleBone/XDS100V2") ||
+                (!strcmp(udev->product, "Arrow USB Blaster") ||
+                 !strcmp(udev->product, "BeagleBone/XDS100V2") ||
                 !strcmp(udev->product, "SNAP Connect E10")))
                return ftdi_jtag_probe(serial);
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index 543d2801632b..76a10b222ff9 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -922,6 +922,9 @@
 /*
 * RT Systems programming cables for various ham radios
 */
+/* This device uses the VID of FTDI */
+#define RTSYSTEMS_USB_VX8_PID   0x9e50  /* USB-VX8 USB to 7 pin modular plug for Yaesu VX-8 radio */
 #define RTSYSTEMS_VID           0x2100  /* Vendor ID */
 #define RTSYSTEMS_USB_S03_PID   0x9001  /* RTS-03 USB to Serial Adapter */
 #define RTSYSTEMS_USB_59_PID    0x9e50  /* USB-59 USB to 8 pin plug */
@@ -1441,6 +1444,12 @@
 #define FTDI_CINTERION_MC55I_PID        0xA951
 /*
+ * Product: FirmwareHubEmulator
+ * Manufacturer: Harman Becker Automotive Systems
+ */
+#define FTDI_FHE_PID            0xA9A0
+/*
 * Product: Comet Caller ID decoder
 * Manufacturer: Crucible Technologies
 */
diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 749e1b674145..6947985ccfb0 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2219,7 +2219,6 @@ static int write_cmd_usb(struct edgeport_port *edge_port,
                /* something went wrong */
                dev_err(dev, "%s - usb_submit_urb(write command) failed, status = %d\n",
                        __func__, status);
-                usb_kill_urb(urb);
                usb_free_urb(urb);
                atomic_dec(&CmdUrbs);
                return status;
diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c
index 6b0942428917..8a4047de43dc 100644
--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -373,8 +373,10 @@ static int keyspan_pda_get_modem_info(struct usb_serial *serial,
                             3, /* get pins */
                             USB_TYPE_VENDOR|USB_RECIP_INTERFACE|USB_DIR_IN,
                             0, 0, data, 1, 2000);
-        if (rc >= 0)
+        if (rc == 1)
                *value = *data;
+        else if (rc >= 0)
+                rc = -EIO;
        kfree(data);
        return rc;
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index ed883a7ad533..58ba6904a087 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -482,6 +482,9 @@ static void mos7840_control_callback(struct urb *urb)
        }
        dev_dbg(dev, "%s urb buffer size is %d\n", __func__, urb->actual_length);
+        if (urb->actual_length < 1)
+                goto out;
        dev_dbg(dev, "%s mos7840_port->MsrLsr is %d port %d\n", __func__,
                mos7840_port->MsrLsr, mos7840_port->port_num);
        data = urb->transfer_buffer;
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index a818c43a02ec..d982c455e18e 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -236,6 +236,8 @@ static void option_instat_callback(struct urb *urb);
 /* These Quectel products use Qualcomm's vendor ID */
 #define QUECTEL_PRODUCT_UC20                    0x9003
 #define QUECTEL_PRODUCT_UC15                    0x9090
+/* These u-blox products use Qualcomm's vendor ID */
+#define UBLOX_PRODUCT_R410M                     0x90b2
 /* These Yuga products use Qualcomm's vendor ID */
 #define YUGA_PRODUCT_CLM920_NC5                 0x9625
@@ -244,6 +246,7 @@ static void option_instat_callback(struct urb *urb);
 #define QUECTEL_PRODUCT_EC21                    0x0121
 #define QUECTEL_PRODUCT_EC25                    0x0125
 #define QUECTEL_PRODUCT_BG96                    0x0296
+#define QUECTEL_PRODUCT_EP06                    0x0306
 #define CMOTECH_VENDOR_ID                       0x16d8
 #define CMOTECH_PRODUCT_6001                    0x6001
@@ -383,6 +386,9 @@ static void option_instat_callback(struct urb *urb);
 #define FOUR_G_SYSTEMS_PRODUCT_W14              0x9603
 #define FOUR_G_SYSTEMS_PRODUCT_W100             0x9b01
+/* Fujisoft products */
+#define FUJISOFT_PRODUCT_FS040U                 0x9b02
 /* iBall 3.5G connect wireless modem */
 #define IBALL_3_5G_CONNECT                      0x9605
@@ -547,147 +553,15 @@ static void option_instat_callback(struct urb *urb);
 #define WETELECOM_PRODUCT_6802                  0x6802
 #define WETELECOM_PRODUCT_WMD300                0x6803
-struct option_blacklist_info {
-        /* bitmask of interface numbers blacklisted for send_setup */
-        const unsigned long sendsetup;
-        /* bitmask of interface numbers that are reserved */
-        const unsigned long reserved;
-};
-static const struct option_blacklist_info four_g_w14_blacklist = {
-        .sendsetup = BIT(0) | BIT(1),
-};
-static const struct option_blacklist_info four_g_w100_blacklist = {
-        .sendsetup = BIT(1) | BIT(2),
-        .reserved = BIT(3),
-};
-static const struct option_blacklist_info alcatel_x200_blacklist = {
-        .sendsetup = BIT(0) | BIT(1),
-        .reserved = BIT(4),
-};
-static const struct option_blacklist_info zte_0037_blacklist = {
-        .sendsetup = BIT(0) | BIT(1),
-};
-static const struct option_blacklist_info zte_k3765_z_blacklist = {
-        .sendsetup = BIT(0) | BIT(1) | BIT(2),
-        .reserved = BIT(4),
-};
-static const struct option_blacklist_info zte_ad3812_z_blacklist = {
-        .sendsetup = BIT(0) | BIT(1) | BIT(2),
-};
-static const struct option_blacklist_info zte_mc2718_z_blacklist = {
-        .sendsetup = BIT(1) | BIT(2) | BIT(3) | BIT(4),
-};
-static const struct option_blacklist_info zte_mc2716_z_blacklist = {
-        .sendsetup = BIT(1) | BIT(2) | BIT(3),
-};
-static const struct option_blacklist_info zte_me3620_mbim_blacklist = {
-        .reserved = BIT(2) | BIT(3) | BIT(4),
-};
-static const struct option_blacklist_info zte_me3620_xl_blacklist = {
-        .reserved = BIT(3) | BIT(4) | BIT(5),
-};
-static const struct option_blacklist_info zte_zm8620_x_blacklist = {
-        .reserved = BIT(3) | BIT(4) | BIT(5),
-};
-static const struct option_blacklist_info huawei_cdc12_blacklist = {
-        .reserved = BIT(1) | BIT(2),
-};
-static const struct option_blacklist_info net_intf0_blacklist = {
-        .reserved = BIT(0),
-};
-static const struct option_blacklist_info net_intf1_blacklist = {
-        .reserved = BIT(1),
-};
-static const struct option_blacklist_info net_intf2_blacklist = {
-        .reserved = BIT(2),
-};
-static const struct option_blacklist_info net_intf3_blacklist = {
-        .reserved = BIT(3),
-};
-static const struct option_blacklist_info net_intf4_blacklist = {
-        .reserved = BIT(4),
-};
-static const struct option_blacklist_info net_intf5_blacklist = {
-        .reserved = BIT(5),
-};
-static const struct option_blacklist_info net_intf6_blacklist = {
-        .reserved = BIT(6),
-};
-static const struct option_blacklist_info zte_mf626_blacklist = {
-        .sendsetup = BIT(0) | BIT(1),
-        .reserved = BIT(4),
-};
-static const struct option_blacklist_info zte_1255_blacklist = {
-        .reserved = BIT(3) | BIT(4),
-};
-static const struct option_blacklist_info simcom_sim7100e_blacklist = {
-        .reserved = BIT(5) | BIT(6),
-};
-static const struct option_blacklist_info telit_me910_blacklist = {
-        .sendsetup = BIT(0),
-        .reserved = BIT(1) | BIT(3),
-};
-static const struct option_blacklist_info telit_me910_dual_modem_blacklist = {
-        .sendsetup = BIT(0),
-        .reserved = BIT(3),
-};
-static const struct option_blacklist_info telit_le910_blacklist = {
-        .sendsetup = BIT(0),
-        .reserved = BIT(1) | BIT(2),
-};
-static const struct option_blacklist_info telit_le920_blacklist = {
-        .sendsetup = BIT(0),
-        .reserved = BIT(1) | BIT(5),
-};
-static const struct option_blacklist_info telit_le920a4_blacklist_1 = {
-        .sendsetup = BIT(0),
-        .reserved = BIT(1),
-};
-static const struct option_blacklist_info telit_le922_blacklist_usbcfg0 = {
+/* Device flags */
-        .sendsetup = BIT(2),
-        .reserved = BIT(0) | BIT(1) | BIT(3),
-};
-static const struct option_blacklist_info telit_le922_blacklist_usbcfg3 = {
+/* Interface does not support modem-control requests */
-        .sendsetup = BIT(0),
+#define NCTRL(ifnum)    ((BIT(ifnum) & 0xff) << 8)
-        .reserved = BIT(1) | BIT(2) | BIT(3),
-};
-static const struct option_blacklist_info cinterion_rmnet2_blacklist = {
+/* Interface is reserved */
-        .reserved = BIT(4) | BIT(5),
+#define RSVD(ifnum)     ((BIT(ifnum) & 0xff) << 0)
-};
-static const struct option_blacklist_info yuga_clm920_nc5_blacklist = {
-        .reserved = BIT(1) | BIT(4),
-};
 static const struct usb_device_id option_ids[] = {
        { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
@@ -721,26 +595,26 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GKE) },
        { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GLE) },
        { USB_DEVICE(QUANTA_VENDOR_ID, 0xea42),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c05, USB_CLASS_COMM, 0x02, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c1f, USB_CLASS_COMM, 0x02, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173S6, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E1750, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t) &net_intf2_blacklist },
+          .driver_info = RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1442, USB_CLASS_COMM, 0x02, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
+          .driver_info = RSVD(1) | RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K3765, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
+          .driver_info = RSVD(1) | RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x14ac, 0xff, 0xff, 0xff),    /* Huawei E1820 */
-                .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4605, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
+          .driver_info = RSVD(1) | RSVD(2) },
        { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0xff, 0xff) },
        { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x01) },
        { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x02) },
@@ -1185,65 +1059,70 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC680) },
        { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6000)}, /* ZTE AC8700 */
        { USB_DEVICE_AND_INTERFACE_INFO(QUALCOMM_VENDOR_ID, 0x6001, 0xff, 0xff, 0xff), /* 4G LTE usb-modem U901 */
-          .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */
        { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
        { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
        /* Quectel products using Qualcomm vendor ID */
        { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
        { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        /* Yuga products use Qualcomm vendor ID */
        { USB_DEVICE(QUALCOMM_VENDOR_ID, YUGA_PRODUCT_CLM920_NC5),
-          .driver_info = (kernel_ulong_t)&yuga_clm920_nc5_blacklist },
+          .driver_info = RSVD(1) | RSVD(4) },
+        /* u-blox products using Qualcomm vendor ID */
+        { USB_DEVICE(QUALCOMM_VENDOR_ID, UBLOX_PRODUCT_R410M),
+          .driver_info = RSVD(1) | RSVD(3) },
        /* Quectel products using Quectel vendor ID */
        { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
+        { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06),
+          .driver_info = RSVD(4) | RSVD(5) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),
-          .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
+          .driver_info = RSVD(0) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6004) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6005) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CGU_628A) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHE_628S),
-          .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
+          .driver_info = RSVD(0) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_301),
-          .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
+          .driver_info = RSVD(0) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_628),
-          .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
+          .driver_info = RSVD(0) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_628S) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CDU_680) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CDU_685A) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_720S),
-          .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
+          .driver_info = RSVD(0) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7002),
-          .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
+          .driver_info = RSVD(0) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_629K),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7004),
-          .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7005) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CGU_629),
-          .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_629S),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CHU_720I),
-          .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
+          .driver_info = RSVD(0) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7212),
-          .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
+          .driver_info = RSVD(0) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7213),
-          .driver_info = (kernel_ulong_t)&net_intf0_blacklist },
+          .driver_info = RSVD(0) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7251),
-          .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7252),
-          .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_7253),
-          .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UC864E) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UC864G) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_DUAL) },
@@ -1251,38 +1130,38 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0),
-                .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
+          .driver_info = RSVD(0) | RSVD(1) | NCTRL(2) | RSVD(3) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG1),
-                .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+          .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG2),
-                .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+          .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3),
-                .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+          .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
        { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff),
-                .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
+          .driver_info = RSVD(0) | RSVD(1) | NCTRL(2) | RSVD(3) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
-                .driver_info = (kernel_ulong_t)&telit_me910_blacklist },
+          .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
-                .driver_info = (kernel_ulong_t)&telit_me910_dual_modem_blacklist },
+          .driver_info = NCTRL(0) | RSVD(3) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
-                .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+          .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
-                .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+          .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
-                .driver_info = (kernel_ulong_t)&telit_le920_blacklist },
+          .driver_info = NCTRL(0) | RSVD(1) | RSVD(5) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1207) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1208),
-                .driver_info = (kernel_ulong_t)&telit_le920a4_blacklist_1 },
+          .driver_info = NCTRL(0) | RSVD(1) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1211),
-                .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+          .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1212),
-                .driver_info = (kernel_ulong_t)&telit_le920a4_blacklist_1 },
+          .driver_info = NCTRL(0) | RSVD(1) },
        { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1213, 0xff) },
        { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214),
-                .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+          .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0003, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0004, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0005, 0xff, 0xff, 0xff) },
@@ -1298,58 +1177,58 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0010, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0011, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0012, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0013, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF628, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0016, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0017, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0018, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0019, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0020, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0021, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0022, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0023, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0024, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0025, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0028, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0029, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0030, 0xff, 0xff, 0xff) },
-        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF626, 0xff,
+        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF626, 0xff, 0xff, 0xff),
-          0xff, 0xff), .driver_info = (kernel_ulong_t)&zte_mf626_blacklist },
+          .driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0032, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0033, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0034, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0037, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&zte_0037_blacklist },
+          .driver_info = NCTRL(0) | NCTRL(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0038, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0039, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0040, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0042, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0043, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0044, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0048, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0049, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0050, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0051, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0052, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0054, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0055, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0056, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0057, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0058, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0061, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0062, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0063, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0064, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0065, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0066, 0xff, 0xff, 0xff) },
@@ -1374,26 +1253,26 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0096, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0097, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0104, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0105, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0106, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0108, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0113, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0117, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0118, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0121, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0122, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0123, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0124, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0125, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
+          .driver_info = RSVD(6) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0126, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0128, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0135, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0136, 0xff, 0xff, 0xff) },
@@ -1409,50 +1288,50 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0155, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0156, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0157, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0158, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0159, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0161, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0162, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0164, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0165, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0167, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0189, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0191, 0xff, 0xff, 0xff), /* ZTE EuFi890 */
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0196, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0197, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0199, 0xff, 0xff, 0xff), /* ZTE MF820S */
-          .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0200, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0201, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0254, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0257, 0xff, 0xff, 0xff), /* ZTE MF821 */
-          .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0265, 0xff, 0xff, 0xff), /* ONDA MT8205 */
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0284, 0xff, 0xff, 0xff), /* ZTE MF880 */
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0317, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0326, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0330, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0395, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0412, 0xff, 0xff, 0xff), /* Telewell TW-LTE 4G */
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1010, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1012, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1018, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1021, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+          .driver_info = RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1057, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1058, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1059, 0xff, 0xff, 0xff) },
@@ -1569,23 +1448,23 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1170, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1244, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1245, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1246, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1247, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1248, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1249, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1250, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1251, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1252, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1253, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1254, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1255, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&zte_1255_blacklist },
+          .driver_info = RSVD(3) | RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1256, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1257, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1258, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1259, 0xff, 0xff, 0xff) },
@@ -1600,7 +1479,7 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1268, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1269, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1270, 0xff, 0xff, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1271, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1272, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1273, 0xff, 0xff, 0xff) },
@@ -1636,17 +1515,17 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1303, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1333, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1401, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+          .driver_info = RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1402, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+          .driver_info = RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1424, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+          .driver_info = RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1425, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+          .driver_info = RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1426, 0xff, 0xff, 0xff),  /* ZTE MF91 */
-                .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+          .driver_info = RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff, 0xff),  /* Telewell TW-LTE 4G v2 */
-                .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+          .driver_info = RSVD(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
@@ -1664,8 +1543,8 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1596, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1598, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1600, 0xff, 0xff, 0xff) },
-        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2002, 0xff,
+        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2002, 0xff, 0xff, 0xff),
-          0xff, 0xff), .driver_info = (kernel_ulong_t)&zte_k3765_z_blacklist },
+          .driver_info = NCTRL(0) | NCTRL(1) | NCTRL(2) | RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2003, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0014, 0xff, 0xff, 0xff) }, /* ZTE CDMA products */
@@ -1676,20 +1555,20 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0073, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0094, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0130, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf1_blacklist },
+          .driver_info = RSVD(1) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0133, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0141, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0147, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0152, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0168, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0170, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0176, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0178, 0xff, 0xff, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff42, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff43, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff44, 0xff, 0xff, 0xff) },
@@ -1841,19 +1720,19 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_AC2726, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_AC8710T, 0xff, 0xff, 0xff) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MC2718, 0xff, 0xff, 0xff),
-         .driver_info = (kernel_ulong_t)&zte_mc2718_z_blacklist },
+         .driver_info = NCTRL(1) | NCTRL(2) | NCTRL(3) | NCTRL(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_AD3812, 0xff, 0xff, 0xff),
-         .driver_info = (kernel_ulong_t)&zte_ad3812_z_blacklist },
+         .driver_info = NCTRL(0) | NCTRL(1) | NCTRL(2) },
        { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MC2716, 0xff, 0xff, 0xff),
-         .driver_info = (kernel_ulong_t)&zte_mc2716_z_blacklist },
+         .driver_info = NCTRL(1) | NCTRL(2) | NCTRL(3) },
        { USB_DEVICE(ZTE_VENDOR_ID, ZTE_PRODUCT_ME3620_L),
-         .driver_info = (kernel_ulong_t)&zte_me3620_xl_blacklist },
+         .driver_info = RSVD(3) | RSVD(4) | RSVD(5) },
        { USB_DEVICE(ZTE_VENDOR_ID, ZTE_PRODUCT_ME3620_MBIM),
-         .driver_info = (kernel_ulong_t)&zte_me3620_mbim_blacklist },
+         .driver_info = RSVD(2) | RSVD(3) | RSVD(4) },
        { USB_DEVICE(ZTE_VENDOR_ID, ZTE_PRODUCT_ME3620_X),
-         .driver_info = (kernel_ulong_t)&zte_me3620_xl_blacklist },
+         .driver_info = RSVD(3) | RSVD(4) | RSVD(5) },
        { USB_DEVICE(ZTE_VENDOR_ID, ZTE_PRODUCT_ZM8620_X),
-         .driver_info = (kernel_ulong_t)&zte_zm8620_x_blacklist },
+         .driver_info = RSVD(3) | RSVD(4) | RSVD(5) },
        { USB_VENDOR_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff, 0x02, 0x01) },
        { USB_VENDOR_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff, 0x02, 0x05) },
        { USB_VENDOR_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff, 0x86, 0x10) },
@@ -1873,35 +1752,34 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE(ALINK_VENDOR_ID, ALINK_PRODUCT_PH300) },
        { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) },
        { USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E),
-          .driver_info = (kernel_ulong_t)&simcom_sim7100e_blacklist },
+          .driver_info = RSVD(5) | RSVD(6) },
        { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
-          .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist
+          .driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) },
-        },
        { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D),
-          .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
+          .driver_info = RSVD(6) },
        { USB_DEVICE(ALCATEL_VENDOR_ID, 0x0052),
-          .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
+          .driver_info = RSVD(6) },
        { USB_DEVICE(ALCATEL_VENDOR_ID, 0x00b6),
-          .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE(ALCATEL_VENDOR_ID, 0x00b7),
-          .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+          .driver_info = RSVD(5) },
        { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_L100V),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_L800MA),
-          .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+          .driver_info = RSVD(2) },
        { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) },
        { USB_DEVICE(TLAYTECH_VENDOR_ID, TLAYTECH_PRODUCT_TEU800) },
        { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14),
-          .driver_info = (kernel_ulong_t)&four_g_w14_blacklist
+          .driver_info = NCTRL(0) | NCTRL(1) },
-        },
        { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100),
-          .driver_info = (kernel_ulong_t)&four_g_w100_blacklist
+          .driver_info = NCTRL(1) | NCTRL(2) | RSVD(3) },
-        },
+        {USB_DEVICE(LONGCHEER_VENDOR_ID, FUJISOFT_PRODUCT_FS040U),
+         .driver_info = RSVD(3)},
        { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) },
        { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9801, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+          .driver_info = RSVD(3) },
        { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9803, 0xff),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) },
        { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) },
        { USB_DEVICE(HAIER_VENDOR_ID, HAIER_PRODUCT_CE100) },
@@ -1927,14 +1805,14 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_E) },
        { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_EU3_P) },
        { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) },
        { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_2RMNET, 0xff),
-                .driver_info = (kernel_ulong_t)&cinterion_rmnet2_blacklist },
+          .driver_info = RSVD(4) | RSVD(5) },
        { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_AUDIO, 0xff),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_2RMNET, 0xff) },
        { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) },
        { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) },
@@ -1944,20 +1822,20 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, /* HC28 enumerates with Siemens or Cinterion VID depending on FW revision */
        { USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) },
        { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD120),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD140),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD145) },
        { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD155),
-                .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
+          .driver_info = RSVD(6) },
        { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD200),
-                .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
+          .driver_info = RSVD(6) },
        { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD160),
-                .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
+          .driver_info = RSVD(6) },
        { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD500),
-                .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */
        { USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung GT-B3730 LTE USB modem.*/
        { USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CEM600) },
@@ -2034,9 +1912,9 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) },
        { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) },      /* TP-Link LTE Module */
        { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180),
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(TPLINK_VENDOR_ID, 0x9000),                                 /* TP-Link MA260 */
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE(CHANGHONG_VENDOR_ID, CHANGHONG_PRODUCT_CH690) },
        { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d01, 0xff, 0x02, 0x01) },    /* D-Link DWM-156 (variant) */
        { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d01, 0xff, 0x00, 0x00) },    /* D-Link DWM-156 (variant) */
@@ -2047,9 +1925,9 @@ static const struct usb_device_id option_ids[] = {
        { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d04, 0xff) },                   /* D-Link DWM-158 */
        { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d0e, 0xff) },                   /* D-Link DWM-157 C1 */
        { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff),                     /* D-Link DWM-221 B1 */
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e35, 0xff),                     /* D-Link DWM-222 */
-          .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+          .driver_info = RSVD(4) },
        { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
        { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
        { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
@@ -2109,7 +1987,7 @@ static int option_probe(struct usb_serial *serial,
        struct usb_interface_descriptor *iface_desc =
                                &serial->interface->cur_altsetting->desc;
        struct usb_device_descriptor *dev_desc = &serial->dev->descriptor;
-        const struct option_blacklist_info *blacklist;
+        unsigned long device_flags = id->driver_info;
        /* Never bind to the CD-Rom emulation interface */
        if (iface_desc->bInterfaceClass == 0x08)
@@ -2120,9 +1998,7 @@ static int option_probe(struct usb_serial *serial,
         * the same class/subclass/protocol as the serial interfaces.  Look at
         * the Windows driver .INF files for reserved interface numbers.
         */
-        blacklist = (void *)id->driver_info;
+        if (device_flags & RSVD(iface_desc->bInterfaceNumber))
-        if (blacklist && test_bit(iface_desc->bInterfaceNumber,
-                                                &blacklist->reserved))
                return -ENODEV;
        /*
         * Don't bind network interface on Samsung GT-B3730, it is handled by
@@ -2133,8 +2009,8 @@ static int option_probe(struct usb_serial *serial,
            iface_desc->bInterfaceClass != USB_CLASS_CDC_DATA)
                return -ENODEV;
-        /* Store the blacklist info so we can use it during attach. */
+        /* Store the device flags so we can use them during attach. */
-        usb_set_serial_data(serial, (void *)blacklist);
+        usb_set_serial_data(serial, (void *)device_flags);
        return 0;
 }
@@ -2142,22 +2018,21 @@ static int option_probe(struct usb_serial *serial,
 static int option_attach(struct usb_serial *serial)
 {
        struct usb_interface_descriptor *iface_desc;
-        const struct option_blacklist_info *blacklist;
        struct usb_wwan_intf_private *data;
+        unsigned long device_flags;
        data = kzalloc(sizeof(struct usb_wwan_intf_private), GFP_KERNEL);
        if (!data)
                return -ENOMEM;
-        /* Retrieve blacklist info stored at probe. */
+        /* Retrieve device flags stored at probe. */
-        blacklist = usb_get_serial_data(serial);
+        device_flags = (unsigned long)usb_get_serial_data(serial);
        iface_desc = &serial->interface->cur_altsetting->desc;
-        if (!blacklist || !test_bit(iface_desc->bInterfaceNumber,
+        if (!(device_flags & NCTRL(iface_desc->bInterfaceNumber)))
-                                                &blacklist->sendsetup)) {
                data->use_send_setup = 1;
-        }
        spin_lock_init(&data->susp_lock);
        usb_set_serial_data(serial, data);
diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
index a51b28379850..3da25ad267a2 100644
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -39,6 +39,7 @@ static const struct usb_device_id id_table[] = {
        { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ2) },
        { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_DCU11) },
        { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ3) },
+        { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_CHILITAG) },
        { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_PHAROS) },
        { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ALDIGA) },
        { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MMX) },
diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
index 3b5a15d1dc0d..123289085ee2 100644
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -17,6 +17,7 @@
 #define PL2303_PRODUCT_ID_DCU11         0x1234
 #define PL2303_PRODUCT_ID_PHAROS        0xaaa0
 #define PL2303_PRODUCT_ID_RSAQ3         0xaaa2
+#define PL2303_PRODUCT_ID_CHILITAG      0xaaa8
 #define PL2303_PRODUCT_ID_ALDIGA        0x0611
 #define PL2303_PRODUCT_ID_MMX           0x0612
 #define PL2303_PRODUCT_ID_GPRS          0x0609
diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
index e98b6e57b703..2674da40d9cd 100644
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -66,6 +66,11 @@ DEVICE(flashloader, FLASHLOADER_IDS);
                                        0x01) }
 DEVICE(google, GOOGLE_IDS);
+/* Libtransistor USB console */
+#define LIBTRANSISTOR_IDS()                     \
+        { USB_DEVICE(0x1209, 0x8b00) }
+DEVICE(libtransistor, LIBTRANSISTOR_IDS);
 /* ViVOpay USB Serial Driver */
 #define VIVOPAY_IDS()                   \
        { USB_DEVICE(0x1d5f, 0x1004) }  /* ViVOpay 8800 */
@@ -80,6 +85,11 @@ DEVICE(vivopay, VIVOPAY_IDS);
        { USB_DEVICE(0x22b8, 0x2c64) }  /* Motorola V950 phone */
 DEVICE(moto_modem, MOTO_IDS);
+/* Motorola Tetra driver */
+#define MOTOROLA_TETRA_IDS()                    \
+        { USB_DEVICE(0x0cad, 0x9011) }  /* Motorola Solutions TETRA PEI */
+DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
 /* Novatel Wireless GPS driver */
 #define NOVATEL_IDS()                   \
        { USB_DEVICE(0x09d7, 0x0100) }  /* NovAtel FlexPack GPS */
@@ -108,8 +118,10 @@ static struct usb_serial_driver * const serial_drivers[] = {
        &funsoft_device,
        &flashloader_device,
        &google_device,
+        &libtransistor_device,
        &vivopay_device,
        &moto_modem_device,
+        &motorola_tetra_device,
        &novatel_gps_device,
        &hp4x_device,
        &suunto_device,
@@ -123,8 +135,10 @@ static const struct usb_device_id id_table[] = {
        FUNSOFT_IDS(),
        FLASHLOADER_IDS(),
        GOOGLE_IDS(),
+        LIBTRANSISTOR_IDS(),
        VIVOPAY_IDS(),
        MOTO_IDS(),
+        MOTOROLA_TETRA_IDS(),
        NOVATEL_IDS(),
        HP4X_IDS(),
        SUUNTO_IDS(),
diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
index 337a0be89fcf..dbc3801b43eb 100644
--- a/drivers/usb/serial/visor.c
+++ b/drivers/usb/serial/visor.c
@@ -338,47 +338,48 @@ static int palm_os_3_probe(struct usb_serial *serial,
                goto exit;
        }
-        if (retval == sizeof(*connection_info)) {
+        if (retval != sizeof(*connection_info)) {
-                        connection_info = (struct visor_connection_info *)
+                dev_err(dev, "Invalid connection information received from device\n");
-                                                        transfer_buffer;
+                retval = -ENODEV;
+                goto exit;
-                num_ports = le16_to_cpu(connection_info->num_ports);
-                for (i = 0; i < num_ports; ++i) {
-                        switch (
-                           connection_info->connections[i].port_function_id) {
-                        case VISOR_FUNCTION_GENERIC:
-                                string = "Generic";
-                                break;
-                        case VISOR_FUNCTION_DEBUGGER:
-                                string = "Debugger";
-                                break;
-                        case VISOR_FUNCTION_HOTSYNC:
-                                string = "HotSync";
-                                break;
-                        case VISOR_FUNCTION_CONSOLE:
-                                string = "Console";
-                                break;
-                        case VISOR_FUNCTION_REMOTE_FILE_SYS:
-                                string = "Remote File System";
-                                break;
-                        default:
-                                string = "unknown";
-                                break;
-                        }
-                        dev_info(dev, "%s: port %d, is for %s use\n",
-                                serial->type->description,
-                                connection_info->connections[i].port, string);
-                }
        }
-        /*
-        * Handle devices that report invalid stuff here.
+        connection_info = (struct visor_connection_info *)transfer_buffer;
-        */
+        num_ports = le16_to_cpu(connection_info->num_ports);
+        /* Handle devices that report invalid stuff here. */
        if (num_ports == 0 || num_ports > 2) {
                dev_warn(dev, "%s: No valid connect info available\n",
                        serial->type->description);
                num_ports = 2;
        }
+        for (i = 0; i < num_ports; ++i) {
+                switch (connection_info->connections[i].port_function_id) {
+                case VISOR_FUNCTION_GENERIC:
+                        string = "Generic";
+                        break;
+                case VISOR_FUNCTION_DEBUGGER:
+                        string = "Debugger";
+                        break;
+                case VISOR_FUNCTION_HOTSYNC:
+                        string = "HotSync";
+                        break;
+                case VISOR_FUNCTION_CONSOLE:
+                        string = "Console";
+                        break;
+                case VISOR_FUNCTION_REMOTE_FILE_SYS:
+                        string = "Remote File System";
+                        break;
+                default:
+                        string = "unknown";
+                        break;
+                }
+                dev_info(dev, "%s: port %d, is for %s use\n",
+                        serial->type->description,
+                        connection_info->connections[i].port, string);
+        }
        dev_info(dev, "%s: Number of ports: %d\n", serial->type->description,
                num_ports);
diff --git a/drivers/usb/storage/ene_ub6250.c b/drivers/usb/storage/ene_ub6250.c
index 091e8ec7a6c0..962bb6376b0c 100644
--- a/drivers/usb/storage/ene_ub6250.c
+++ b/drivers/usb/storage/ene_ub6250.c
@@ -1953,6 +1953,8 @@ static int ene_load_bincode(struct us_data *us, unsigned char flag)
        bcb->CDB[0] = 0xEF;
        result = ene_send_scsi_cmd(us, FDIR_WRITE, buf, 0);
+        if (us->srb != NULL)
+                scsi_set_resid(us->srb, 0);
        info->BIN_FLAG = flag;
        kfree(buf);
@@ -2306,21 +2308,22 @@ static int ms_scsi_irp(struct us_data *us, struct scsi_cmnd *srb)
 static int ene_transport(struct scsi_cmnd *srb, struct us_data *us)
 {
-        int result = 0;
+        int result = USB_STOR_XFER_GOOD;
        struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
        /*US_DEBUG(usb_stor_show_command(us, srb)); */
        scsi_set_resid(srb, 0);
-        if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) {
+        if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready)))
                result = ene_init(us);
-        } else {
+        if (result == USB_STOR_XFER_GOOD) {
+                result = USB_STOR_TRANSPORT_ERROR;
                if (info->SD_Status.Ready)
                        result = sd_scsi_irp(us, srb);
                if (info->MS_Status.Ready)
                        result = ms_scsi_irp(us, srb);
        }
-        return 0;
+        return result;
 }
 static struct scsi_host_template ene_ub6250_host_template;
diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
index f952635ebe5f..6cac8f26b97a 100644
--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -1052,20 +1052,19 @@ static int uas_post_reset(struct usb_interface *intf)
                return 0;
        err = uas_configure_endpoints(devinfo);
-        if (err) {
+        if (err && err != -ENODEV)
                shost_printk(KERN_ERR, shost,
                             "%s: alloc streams error %d after reset",
                             __func__, err);
-                return 1;
-        }
+        /* we must unblock the host in every case lest we deadlock */
        spin_lock_irqsave(shost->host_lock, flags);
        scsi_report_bus_reset(shost, 0);
        spin_unlock_irqrestore(shost->host_lock, flags);
        scsi_unblock_requests(shost);
-        return 0;
+        return err ? 1 : 0;
 }
 static int uas_suspend(struct usb_interface *intf, pm_message_t message)
diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
index c10eceb76c39..1a34d2a89de6 100644
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -2142,6 +2142,13 @@ UNUSUAL_DEV(  0x22b8, 0x3010, 0x0001, 0x0001,
                USB_SC_DEVICE, USB_PR_DEVICE, NULL,
                US_FL_FIX_CAPACITY | US_FL_IGNORE_RESIDUE ),
+/* Reported by Teijo Kinnunen <teijo.kinnunen@code-q.fi> */
+UNUSUAL_DEV(  0x152d, 0x2567, 0x0117, 0x0117,
+                "JMicron",
+                "USB to ATA/ATAPI Bridge",
+                USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+                US_FL_BROKEN_FUA ),
 /* Reported-by George Cherian <george.cherian@cavium.com> */
 UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999,
                "JMicron",
diff --git a/drivers/usb/usbip/stub.h b/drivers/usb/usbip/stub.h
index 266e2b0ce9a8..47ccd73a74f0 100644
--- a/drivers/usb/usbip/stub.h
+++ b/drivers/usb/usbip/stub.h
@@ -88,6 +88,7 @@ struct bus_id_priv {
        struct stub_device *sdev;
        struct usb_device *udev;
        char shutdown_busid;
+        spinlock_t busid_lock;
 };
 /* stub_priv is allocated from stub_priv_cache */
@@ -98,6 +99,7 @@ extern struct usb_device_driver stub_driver;
 /* stub_main.c */
 struct bus_id_priv *get_busid_priv(const char *busid);
+void put_busid_priv(struct bus_id_priv *bid);
 int del_match_busid(char *busid);
 void stub_device_cleanup_urbs(struct stub_device *sdev);
diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
index a3ec49bdc1e6..4aad99a59958 100644
--- a/drivers/usb/usbip/stub_dev.c
+++ b/drivers/usb/usbip/stub_dev.c
@@ -87,6 +87,7 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr,
                        goto err;
                sdev->ud.tcp_socket = socket;
+                sdev->ud.sockfd = sockfd;
                spin_unlock_irq(&sdev->ud.lock);
@@ -163,8 +164,7 @@ static void stub_shutdown_connection(struct usbip_device *ud)
         * step 1?
         */
        if (ud->tcp_socket) {
-                dev_dbg(&sdev->udev->dev, "shutdown tcp_socket %p\n",
+                dev_dbg(&sdev->udev->dev, "shutdown sockfd %d\n", ud->sockfd);
-                        ud->tcp_socket);
                kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
        }
@@ -187,6 +187,7 @@ static void stub_shutdown_connection(struct usbip_device *ud)
        if (ud->tcp_socket) {
                sockfd_put(ud->tcp_socket);
                ud->tcp_socket = NULL;
+                ud->sockfd = -1;
        }
        /* 3. free used data */
@@ -281,6 +282,7 @@ static struct stub_device *stub_device_alloc(struct usb_device *udev)
        sdev->ud.status         = SDEV_ST_AVAILABLE;
        spin_lock_init(&sdev->ud.lock);
        sdev->ud.tcp_socket     = NULL;
+        sdev->ud.sockfd         = -1;
        INIT_LIST_HEAD(&sdev->priv_init);
        INIT_LIST_HEAD(&sdev->priv_tx);
@@ -312,9 +314,9 @@ static int stub_probe(struct usb_device *udev)
        struct stub_device *sdev = NULL;
        const char *udev_busid = dev_name(&udev->dev);
        struct bus_id_priv *busid_priv;
-        int rc;
+        int rc = 0;
-        dev_dbg(&udev->dev, "Enter\n");
+        dev_dbg(&udev->dev, "Enter probe\n");
        /* check we should claim or not by busid_table */
        busid_priv = get_busid_priv(udev_busid);
@@ -329,13 +331,15 @@ static int stub_probe(struct usb_device *udev)
                 * other matched drivers by the driver core.
                 * See driver_probe_device() in driver/base/dd.c
                 */
-                return -ENODEV;
+                rc = -ENODEV;
+                goto call_put_busid_priv;
        }
        if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) {
                dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n",
                         udev_busid);
-                return -ENODEV;
+                rc = -ENODEV;
+                goto call_put_busid_priv;
        }
        if (!strcmp(udev->bus->bus_name, "vhci_hcd")) {
@@ -343,13 +347,16 @@ static int stub_probe(struct usb_device *udev)
                        "%s is attached on vhci_hcd... skip!\n",
                        udev_busid);
-                return -ENODEV;
+                rc = -ENODEV;
+                goto call_put_busid_priv;
        }
        /* ok, this is my device */
        sdev = stub_device_alloc(udev);
-        if (!sdev)
+        if (!sdev) {
-                return -ENOMEM;
+                rc = -ENOMEM;
+                goto call_put_busid_priv;
+        }
        dev_info(&udev->dev,
                "usbip-host: register new device (bus %u dev %u)\n",
@@ -381,7 +388,9 @@ static int stub_probe(struct usb_device *udev)
        }
        busid_priv->status = STUB_BUSID_ALLOC;
-        return 0;
+        rc = 0;
+        goto call_put_busid_priv;
 err_files:
        usb_hub_release_port(udev->parent, udev->portnum,
                             (struct usb_dev_state *) udev);
@@ -392,6 +401,9 @@ err_port:
        busid_priv->sdev = NULL;
        stub_device_free(sdev);
+call_put_busid_priv:
+        put_busid_priv(busid_priv);
        return rc;
 }
@@ -417,7 +429,7 @@ static void stub_disconnect(struct usb_device *udev)
        struct bus_id_priv *busid_priv;
        int rc;
-        dev_dbg(&udev->dev, "Enter\n");
+        dev_dbg(&udev->dev, "Enter disconnect\n");
        busid_priv = get_busid_priv(udev_busid);
        if (!busid_priv) {
@@ -430,7 +442,7 @@ static void stub_disconnect(struct usb_device *udev)
        /* get stub_device */
        if (!sdev) {
                dev_err(&udev->dev, "could not get device");
-                return;
+                goto call_put_busid_priv;
        }
        dev_set_drvdata(&udev->dev, NULL);
@@ -445,12 +457,12 @@ static void stub_disconnect(struct usb_device *udev)
                                  (struct usb_dev_state *) udev);
        if (rc) {
                dev_dbg(&udev->dev, "unable to release port\n");
-                return;
+                goto call_put_busid_priv;
        }
        /* If usb reset is called from event handler */
        if (busid_priv->sdev->ud.eh == current)
-                return;
+                goto call_put_busid_priv;
        /* shutdown the current connection */
        shutdown_busid(busid_priv);
@@ -461,12 +473,11 @@ static void stub_disconnect(struct usb_device *udev)
        busid_priv->sdev = NULL;
        stub_device_free(sdev);
-        if (busid_priv->status == STUB_BUSID_ALLOC) {
+        if (busid_priv->status == STUB_BUSID_ALLOC)
                busid_priv->status = STUB_BUSID_ADDED;
-        } else {
-                busid_priv->status = STUB_BUSID_OTHER;
+call_put_busid_priv:
-                del_match_busid((char *)udev_busid);
+        put_busid_priv(busid_priv);
-        }
 }
 #ifdef CONFIG_PM
diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c
index 325b4c05acdd..fa90496ca7a8 100644
--- a/drivers/usb/usbip/stub_main.c
+++ b/drivers/usb/usbip/stub_main.c
@@ -28,6 +28,7 @@
 #define DRIVER_DESC "USB/IP Host Driver"
 struct kmem_cache *stub_priv_cache;
 /*
 * busid_tables defines matching busids that usbip can grab. A user can change
 * dynamically what device is locally used and what device is exported to a
@@ -39,6 +40,8 @@ static spinlock_t busid_table_lock;
 static void init_busid_table(void)
 {
+        int i;
        /*
         * This also sets the bus_table[i].status to
         * STUB_BUSID_OTHER, which is 0.
@@ -46,6 +49,9 @@ static void init_busid_table(void)
        memset(busid_table, 0, sizeof(busid_table));
        spin_lock_init(&busid_table_lock);
+        for (i = 0; i < MAX_BUSID; i++)
+                spin_lock_init(&busid_table[i].busid_lock);
 }
 /*
@@ -57,15 +63,20 @@ static int get_busid_idx(const char *busid)
        int i;
        int idx = -1;
-        for (i = 0; i < MAX_BUSID; i++)
+        for (i = 0; i < MAX_BUSID; i++) {
+                spin_lock(&busid_table[i].busid_lock);
                if (busid_table[i].name[0])
                        if (!strncmp(busid_table[i].name, busid, BUSID_SIZE)) {
                                idx = i;
+                                spin_unlock(&busid_table[i].busid_lock);
                                break;
                        }
+                spin_unlock(&busid_table[i].busid_lock);
+        }
        return idx;
 }
+/* Returns holding busid_lock. Should call put_busid_priv() to unlock */
 struct bus_id_priv *get_busid_priv(const char *busid)
 {
        int idx;
@@ -73,13 +84,22 @@ struct bus_id_priv *get_busid_priv(const char *busid)
        spin_lock(&busid_table_lock);
        idx = get_busid_idx(busid);
-        if (idx >= 0)
+        if (idx >= 0) {
                bid = &(busid_table[idx]);
+                /* get busid_lock before returning */
+                spin_lock(&bid->busid_lock);
+        }
        spin_unlock(&busid_table_lock);
        return bid;
 }
+void put_busid_priv(struct bus_id_priv *bid)
+{
+        if (bid)
+                spin_unlock(&bid->busid_lock);
+}
 static int add_match_busid(char *busid)
 {
        int i;
@@ -92,15 +112,19 @@ static int add_match_busid(char *busid)
                goto out;
        }
-        for (i = 0; i < MAX_BUSID; i++)
+        for (i = 0; i < MAX_BUSID; i++) {
+                spin_lock(&busid_table[i].busid_lock);
                if (!busid_table[i].name[0]) {
                        strlcpy(busid_table[i].name, busid, BUSID_SIZE);
                        if ((busid_table[i].status != STUB_BUSID_ALLOC) &&
                            (busid_table[i].status != STUB_BUSID_REMOV))
                                busid_table[i].status = STUB_BUSID_ADDED;
                        ret = 0;
+                        spin_unlock(&busid_table[i].busid_lock);
                        break;
                }
+                spin_unlock(&busid_table[i].busid_lock);
+        }
 out:
        spin_unlock(&busid_table_lock);
@@ -121,6 +145,8 @@ int del_match_busid(char *busid)
        /* found */
        ret = 0;
+        spin_lock(&busid_table[idx].busid_lock);
        if (busid_table[idx].status == STUB_BUSID_OTHER)
                memset(busid_table[idx].name, 0, BUSID_SIZE);
@@ -128,6 +154,7 @@ int del_match_busid(char *busid)
            (busid_table[idx].status != STUB_BUSID_ADDED))
                busid_table[idx].status = STUB_BUSID_REMOV;
+        spin_unlock(&busid_table[idx].busid_lock);
 out:
        spin_unlock(&busid_table_lock);
@@ -140,9 +167,12 @@ static ssize_t show_match_busid(struct device_driver *drv, char *buf)
        char *out = buf;
        spin_lock(&busid_table_lock);
-        for (i = 0; i < MAX_BUSID; i++)
+        for (i = 0; i < MAX_BUSID; i++) {
+                spin_lock(&busid_table[i].busid_lock);
                if (busid_table[i].name[0])
                        out += sprintf(out, "%s ", busid_table[i].name);
+                spin_unlock(&busid_table[i].busid_lock);
+        }
        spin_unlock(&busid_table_lock);
        out += sprintf(out, "\n");
@@ -184,6 +214,51 @@ static ssize_t store_match_busid(struct device_driver *dev, const char *buf,
 static DRIVER_ATTR(match_busid, S_IRUSR | S_IWUSR, show_match_busid,
                   store_match_busid);
+static int do_rebind(char *busid, struct bus_id_priv *busid_priv)
+{
+        int ret;
+        /* device_attach() callers should hold parent lock for USB */
+        if (busid_priv->udev->dev.parent)
+                device_lock(busid_priv->udev->dev.parent);
+        ret = device_attach(&busid_priv->udev->dev);
+        if (busid_priv->udev->dev.parent)
+                device_unlock(busid_priv->udev->dev.parent);
+        if (ret < 0) {
+                dev_err(&busid_priv->udev->dev, "rebind failed\n");
+                return ret;
+        }
+        return 0;
+}
+static void stub_device_rebind(void)
+{
+#if IS_MODULE(CONFIG_USBIP_HOST)
+        struct bus_id_priv *busid_priv;
+        int i;
+        /* update status to STUB_BUSID_OTHER so probe ignores the device */
+        spin_lock(&busid_table_lock);
+        for (i = 0; i < MAX_BUSID; i++) {
+                if (busid_table[i].name[0] &&
+                    busid_table[i].shutdown_busid) {
+                        busid_priv = &(busid_table[i]);
+                        busid_priv->status = STUB_BUSID_OTHER;
+                }
+        }
+        spin_unlock(&busid_table_lock);
+        /* now run rebind - no need to hold locks. driver files are removed */
+        for (i = 0; i < MAX_BUSID; i++) {
+                if (busid_table[i].name[0] &&
+                    busid_table[i].shutdown_busid) {
+                        busid_priv = &(busid_table[i]);
+                        do_rebind(busid_table[i].name, busid_priv);
+                }
+        }
+#endif
+}
 static ssize_t rebind_store(struct device_driver *dev, const char *buf,
                                 size_t count)
 {
@@ -201,11 +276,17 @@ static ssize_t rebind_store(struct device_driver *dev, const char *buf,
        if (!bid)
                return -ENODEV;
-        ret = device_attach(&bid->udev->dev);
+        /* mark the device for deletion so probe ignores it during rescan */
-        if (ret < 0) {
+        bid->status = STUB_BUSID_OTHER;
-                dev_err(&bid->udev->dev, "rebind failed\n");
+        /* release the busid lock */
+        put_busid_priv(bid);
+        ret = do_rebind((char *) buf, bid);
+        if (ret < 0)
                return ret;
-        }
+        /* delete device from busid_table */
+        del_match_busid((char *) buf);
        return count;
 }
@@ -328,6 +409,9 @@ static void __exit usbip_host_exit(void)
         */
        usb_deregister_device_driver(&stub_driver);
+        /* initiate scan to attach devices */
+        stub_device_rebind();
        kmem_cache_destroy(stub_priv_cache);
 }
diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
index 7de54a66044f..56cacb68040c 100644
--- a/drivers/usb/usbip/stub_rx.c
+++ b/drivers/usb/usbip/stub_rx.c
@@ -338,23 +338,26 @@ static struct stub_priv *stub_priv_alloc(struct stub_device *sdev,
        return priv;
 }
-static int get_pipe(struct stub_device *sdev, int epnum, int dir)
+static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu)
 {
        struct usb_device *udev = sdev->udev;
        struct usb_host_endpoint *ep;
        struct usb_endpoint_descriptor *epd = NULL;
+        int epnum = pdu->base.ep;
+        int dir = pdu->base.direction;
+        if (epnum < 0 || epnum > 15)
+                goto err_ret;
        if (dir == USBIP_DIR_IN)
                ep = udev->ep_in[epnum & 0x7f];
        else
                ep = udev->ep_out[epnum & 0x7f];
-        if (!ep) {
+        if (!ep)
-                dev_err(&sdev->interface->dev, "no such endpoint?, %d\n",
+                goto err_ret;
-                        epnum);
-                BUG();
-        }
        epd = &ep->desc;
        if (usb_endpoint_xfer_control(epd)) {
                if (dir == USBIP_DIR_OUT)
                        return usb_sndctrlpipe(udev, epnum);
@@ -377,15 +380,37 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir)
        }
        if (usb_endpoint_xfer_isoc(epd)) {
+                /* validate packet size and number of packets */
+                unsigned int maxp, packets, bytes;
+#define USB_EP_MAXP_MULT_SHIFT  11
+#define USB_EP_MAXP_MULT_MASK   (3 << USB_EP_MAXP_MULT_SHIFT)
+#define USB_EP_MAXP_MULT(m) \
+        (((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT)
+                maxp = usb_endpoint_maxp(epd);
+                maxp *= (USB_EP_MAXP_MULT(
+                                __le16_to_cpu(epd->wMaxPacketSize)) + 1);
+                bytes = pdu->u.cmd_submit.transfer_buffer_length;
+                packets = DIV_ROUND_UP(bytes, maxp);
+                if (pdu->u.cmd_submit.number_of_packets < 0 ||
+                    pdu->u.cmd_submit.number_of_packets > packets) {
+                        dev_err(&sdev->udev->dev,
+                                "CMD_SUBMIT: isoc invalid num packets %d\n",
+                                pdu->u.cmd_submit.number_of_packets);
+                        return -1;
+                }
                if (dir == USBIP_DIR_OUT)
                        return usb_sndisocpipe(udev, epnum);
                else
                        return usb_rcvisocpipe(udev, epnum);
        }
+err_ret:
        /* NOT REACHED */
-        dev_err(&sdev->interface->dev, "get pipe, epnum %d\n", epnum);
+        dev_err(&sdev->udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum);
-        return 0;
+        return -1;
 }
 static void masking_bogus_flags(struct urb *urb)
@@ -449,7 +474,10 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
        struct stub_priv *priv;
        struct usbip_device *ud = &sdev->ud;
        struct usb_device *udev = sdev->udev;
-        int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction);
+        int pipe = get_pipe(sdev, pdu);
+        if (pipe == -1)
+                return;
        priv = stub_priv_alloc(sdev, pdu);
        if (!priv)
diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
index 9752b93f754e..1838f1b2c2fa 100644
--- a/drivers/usb/usbip/usbip_common.c
+++ b/drivers/usb/usbip/usbip_common.c
@@ -317,18 +317,14 @@ int usbip_recv(struct socket *sock, void *buf, int size)
        struct msghdr msg;
        struct kvec iov;
        int total = 0;
        /* for blocks of if (usbip_dbg_flag_xmit) */
        char *bp = buf;
        int osize = size;
-        usbip_dbg_xmit("enter\n");
+        if (!sock || !buf || !size)
-        if (!sock || !buf || !size) {
-                pr_err("invalid arg, sock %p buff %p size %d\n", sock, buf,
-                       size);
                return -EINVAL;
-        }
+        usbip_dbg_xmit("enter\n");
        do {
                sock->sk->sk_allocation = GFP_NOIO;
@@ -341,11 +337,8 @@ int usbip_recv(struct socket *sock, void *buf, int size)
                msg.msg_flags      = MSG_NOSIGNAL;
                result = kernel_recvmsg(sock, &msg, &iov, 1, size, MSG_WAITALL);
-                if (result <= 0) {
+                if (result <= 0)
-                        pr_debug("receive sock %p buf %p size %u ret %d total %d\n",
-                                 sock, buf, size, result, total);
                        goto err;
-                }
                size -= result;
                buf += result;
diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
index 86b08475c254..0fc5ace57c0e 100644
--- a/drivers/usb/usbip/usbip_common.h
+++ b/drivers/usb/usbip/usbip_common.h
@@ -248,7 +248,7 @@ enum usbip_side {
 #define SDEV_EVENT_ERROR_SUBMIT (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
 #define SDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
-#define VDEV_EVENT_REMOVED      (USBIP_EH_SHUTDOWN | USBIP_EH_BYE)
+#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE)
 #define VDEV_EVENT_DOWN         (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
 #define VDEV_EVENT_ERROR_TCP    (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
 #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
@@ -261,6 +261,7 @@ struct usbip_device {
        /* lock for status */
        spinlock_t lock;
+        int sockfd;
        struct socket *tcp_socket;
        struct task_struct *tcp_rx;
diff --git a/drivers/usb/usbip/usbip_event.c b/drivers/usb/usbip/usbip_event.c
index 64933b993d7a..2580a32bcdff 100644
--- a/drivers/usb/usbip/usbip_event.c
+++ b/drivers/usb/usbip/usbip_event.c
@@ -117,11 +117,12 @@ EXPORT_SYMBOL_GPL(usbip_event_add);
 int usbip_event_happened(struct usbip_device *ud)
 {
        int happened = 0;
+        unsigned long flags;
-        spin_lock(&ud->lock);
+        spin_lock_irqsave(&ud->lock, flags);
        if (ud->event != 0)
                happened = 1;
-        spin_unlock(&ud->lock);
+        spin_unlock_irqrestore(&ud->lock, flags);
        return happened;
 }
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index f9af04d7f02f..4d68a1e9e878 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -121,9 +121,11 @@ static void dump_port_status_diff(u32 prev_status, u32 new_status)
 void rh_port_connect(int rhport, enum usb_device_speed speed)
 {
+        unsigned long   flags;
        usbip_dbg_vhci_rh("rh_port_connect %d\n", rhport);
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        the_controller->port_status[rhport] |= USB_PORT_STAT_CONNECTION
                | (1 << USB_PORT_FEAT_C_CONNECTION);
@@ -139,22 +141,24 @@ void rh_port_connect(int rhport, enum usb_device_speed speed)
                break;
        }
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        usb_hcd_poll_rh_status(vhci_to_hcd(the_controller));
 }
 static void rh_port_disconnect(int rhport)
 {
+        unsigned long   flags;
        usbip_dbg_vhci_rh("rh_port_disconnect %d\n", rhport);
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        the_controller->port_status[rhport] &= ~USB_PORT_STAT_CONNECTION;
        the_controller->port_status[rhport] |=
                                        (1 << USB_PORT_FEAT_C_CONNECTION);
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        usb_hcd_poll_rh_status(vhci_to_hcd(the_controller));
 }
@@ -182,13 +186,14 @@ static int vhci_hub_status(struct usb_hcd *hcd, char *buf)
        int             retval;
        int             rhport;
        int             changed = 0;
+        unsigned long   flags;
        retval = DIV_ROUND_UP(VHCI_NPORTS + 1, 8);
        memset(buf, 0, retval);
        vhci = hcd_to_vhci(hcd);
-        spin_lock(&vhci->lock);
+        spin_lock_irqsave(&vhci->lock, flags);
        if (!HCD_HW_ACCESSIBLE(hcd)) {
                usbip_dbg_vhci_rh("hw accessible flag not on?\n");
                goto done;
@@ -209,7 +214,7 @@ static int vhci_hub_status(struct usb_hcd *hcd, char *buf)
                usb_hcd_resume_root_hub(hcd);
 done:
-        spin_unlock(&vhci->lock);
+        spin_unlock_irqrestore(&vhci->lock, flags);
        return changed ? retval : 0;
 }
@@ -236,6 +241,7 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
        struct vhci_hcd *dum;
        int             retval = 0;
        int             rhport;
+        unsigned long   flags;
        u32 prev_port_status[VHCI_NPORTS];
@@ -254,7 +260,7 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
        dum = hcd_to_vhci(hcd);
-        spin_lock(&dum->lock);
+        spin_lock_irqsave(&dum->lock, flags);
        /* store old status and compare now and old later */
        if (usbip_dbg_flag_vhci_rh) {
@@ -279,7 +285,7 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
                case USB_PORT_FEAT_POWER:
                        usbip_dbg_vhci_rh(
                                " ClearPortFeature: USB_PORT_FEAT_POWER\n");
-                        dum->port_status[rhport] = 0;
+                        dum->port_status[rhport] &= ~USB_PORT_STAT_POWER;
                        dum->resuming = 0;
                        break;
                case USB_PORT_FEAT_C_RESET:
@@ -408,7 +414,7 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
        }
        usbip_dbg_vhci_rh(" bye\n");
-        spin_unlock(&dum->lock);
+        spin_unlock_irqrestore(&dum->lock, flags);
        return retval;
 }
@@ -431,6 +437,7 @@ static void vhci_tx_urb(struct urb *urb)
 {
        struct vhci_device *vdev = get_vdev(urb->dev);
        struct vhci_priv *priv;
+        unsigned long flags;
        if (!vdev) {
                pr_err("could not get virtual device");
@@ -443,7 +450,7 @@ static void vhci_tx_urb(struct urb *urb)
                return;
        }
-        spin_lock(&vdev->priv_lock);
+        spin_lock_irqsave(&vdev->priv_lock, flags);
        priv->seqnum = atomic_inc_return(&the_controller->seqnum);
        if (priv->seqnum == 0xffff)
@@ -457,7 +464,7 @@ static void vhci_tx_urb(struct urb *urb)
        list_add_tail(&priv->list, &vdev->priv_tx);
        wake_up(&vdev->waitq_tx);
-        spin_unlock(&vdev->priv_lock);
+        spin_unlock_irqrestore(&vdev->priv_lock, flags);
 }
 static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
@@ -466,15 +473,16 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
        struct device *dev = &urb->dev->dev;
        int ret = 0;
        struct vhci_device *vdev;
+        unsigned long flags;
        /* patch to usb_sg_init() is in 2.5.60 */
        BUG_ON(!urb->transfer_buffer && urb->transfer_buffer_length);
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        if (urb->status != -EINPROGRESS) {
                dev_err(dev, "URB already unlinked!, status %d\n", urb->status);
-                spin_unlock(&the_controller->lock);
+                spin_unlock_irqrestore(&the_controller->lock, flags);
                return urb->status;
        }
@@ -486,7 +494,7 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
            vdev->ud.status == VDEV_ST_ERROR) {
                dev_err(dev, "enqueue for inactive port %d\n", vdev->rhport);
                spin_unlock(&vdev->ud.lock);
-                spin_unlock(&the_controller->lock);
+                spin_unlock_irqrestore(&the_controller->lock, flags);
                return -ENODEV;
        }
        spin_unlock(&vdev->ud.lock);
@@ -559,14 +567,14 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
 out:
        vhci_tx_urb(urb);
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        return 0;
 no_need_xmit:
        usb_hcd_unlink_urb_from_ep(hcd, urb);
 no_need_unlink:
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        if (!ret)
                usb_hcd_giveback_urb(vhci_to_hcd(the_controller),
                                     urb, urb->status);
@@ -623,14 +631,15 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
 {
        struct vhci_priv *priv;
        struct vhci_device *vdev;
+        unsigned long flags;
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        priv = urb->hcpriv;
        if (!priv) {
                /* URB was never linked! or will be soon given back by
                 * vhci_rx. */
-                spin_unlock(&the_controller->lock);
+                spin_unlock_irqrestore(&the_controller->lock, flags);
                return -EIDRM;
        }
@@ -639,7 +648,7 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
                ret = usb_hcd_check_unlink_urb(hcd, urb, status);
                if (ret) {
-                        spin_unlock(&the_controller->lock);
+                        spin_unlock_irqrestore(&the_controller->lock, flags);
                        return ret;
                }
        }
@@ -664,10 +673,10 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
                 */
                usb_hcd_unlink_urb_from_ep(hcd, urb);
-                spin_unlock(&the_controller->lock);
+                spin_unlock_irqrestore(&the_controller->lock, flags);
                usb_hcd_giveback_urb(vhci_to_hcd(the_controller), urb,
                                     urb->status);
-                spin_lock(&the_controller->lock);
+                spin_lock_irqsave(&the_controller->lock, flags);
        } else {
                /* tcp connection is alive */
@@ -679,7 +688,7 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
                unlink = kzalloc(sizeof(struct vhci_unlink), GFP_ATOMIC);
                if (!unlink) {
                        spin_unlock(&vdev->priv_lock);
-                        spin_unlock(&the_controller->lock);
+                        spin_unlock_irqrestore(&the_controller->lock, flags);
                        usbip_event_add(&vdev->ud, VDEV_EVENT_ERROR_MALLOC);
                        return -ENOMEM;
                }
@@ -698,7 +707,7 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
                spin_unlock(&vdev->priv_lock);
        }
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        usbip_dbg_vhci_hc("leave\n");
        return 0;
@@ -707,8 +716,9 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
 static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
 {
        struct vhci_unlink *unlink, *tmp;
+        unsigned long flags;
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        spin_lock(&vdev->priv_lock);
        list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
@@ -742,19 +752,19 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
                list_del(&unlink->list);
                spin_unlock(&vdev->priv_lock);
-                spin_unlock(&the_controller->lock);
+                spin_unlock_irqrestore(&the_controller->lock, flags);
                usb_hcd_giveback_urb(vhci_to_hcd(the_controller), urb,
                                     urb->status);
-                spin_lock(&the_controller->lock);
+                spin_lock_irqsave(&the_controller->lock, flags);
                spin_lock(&vdev->priv_lock);
                kfree(unlink);
        }
        spin_unlock(&vdev->priv_lock);
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
 }
 /*
@@ -768,7 +778,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud)
        /* need this? see stub_dev.c */
        if (ud->tcp_socket) {
-                pr_debug("shutdown tcp_socket %p\n", ud->tcp_socket);
+                pr_debug("shutdown sockfd %d\n", ud->sockfd);
                kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
        }
@@ -787,6 +797,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud)
        if (vdev->ud.tcp_socket) {
                sockfd_put(vdev->ud.tcp_socket);
                vdev->ud.tcp_socket = NULL;
+                vdev->ud.sockfd = -1;
        }
        pr_info("release socket\n");
@@ -821,8 +832,9 @@ static void vhci_shutdown_connection(struct usbip_device *ud)
 static void vhci_device_reset(struct usbip_device *ud)
 {
        struct vhci_device *vdev = container_of(ud, struct vhci_device, ud);
+        unsigned long flags;
-        spin_lock(&ud->lock);
+        spin_lock_irqsave(&ud->lock, flags);
        vdev->speed  = 0;
        vdev->devid  = 0;
@@ -833,17 +845,20 @@ static void vhci_device_reset(struct usbip_device *ud)
        if (ud->tcp_socket) {
                sockfd_put(ud->tcp_socket);
                ud->tcp_socket = NULL;
+                ud->sockfd = -1;
        }
        ud->status = VDEV_ST_NULL;
-        spin_unlock(&ud->lock);
+        spin_unlock_irqrestore(&ud->lock, flags);
 }
 static void vhci_device_unusable(struct usbip_device *ud)
 {
-        spin_lock(&ud->lock);
+        unsigned long flags;
+        spin_lock_irqsave(&ud->lock, flags);
        ud->status = VDEV_ST_ERROR;
-        spin_unlock(&ud->lock);
+        spin_unlock_irqrestore(&ud->lock, flags);
 }
 static void vhci_device_init(struct vhci_device *vdev)
@@ -933,12 +948,13 @@ static int vhci_get_frame_number(struct usb_hcd *hcd)
 static int vhci_bus_suspend(struct usb_hcd *hcd)
 {
        struct vhci_hcd *vhci = hcd_to_vhci(hcd);
+        unsigned long flags;
        dev_dbg(&hcd->self.root_hub->dev, "%s\n", __func__);
-        spin_lock(&vhci->lock);
+        spin_lock_irqsave(&vhci->lock, flags);
        hcd->state = HC_STATE_SUSPENDED;
-        spin_unlock(&vhci->lock);
+        spin_unlock_irqrestore(&vhci->lock, flags);
        return 0;
 }
@@ -947,15 +963,16 @@ static int vhci_bus_resume(struct usb_hcd *hcd)
 {
        struct vhci_hcd *vhci = hcd_to_vhci(hcd);
        int rc = 0;
+        unsigned long flags;
        dev_dbg(&hcd->self.root_hub->dev, "%s\n", __func__);
-        spin_lock(&vhci->lock);
+        spin_lock_irqsave(&vhci->lock, flags);
        if (!HCD_HW_ACCESSIBLE(hcd))
                rc = -ESHUTDOWN;
        else
                hcd->state = HC_STATE_RUNNING;
-        spin_unlock(&vhci->lock);
+        spin_unlock_irqrestore(&vhci->lock, flags);
        return rc;
 }
@@ -1053,17 +1070,18 @@ static int vhci_hcd_suspend(struct platform_device *pdev, pm_message_t state)
        int rhport = 0;
        int connected = 0;
        int ret = 0;
+        unsigned long flags;
        hcd = platform_get_drvdata(pdev);
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        for (rhport = 0; rhport < VHCI_NPORTS; rhport++)
                if (the_controller->port_status[rhport] &
                    USB_PORT_STAT_CONNECTION)
                        connected += 1;
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        if (connected > 0) {
                dev_info(&pdev->dev,
diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c
index bc4eb0855314..323aa7789989 100644
--- a/drivers/usb/usbip/vhci_rx.c
+++ b/drivers/usb/usbip/vhci_rx.c
@@ -71,10 +71,11 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
 {
        struct usbip_device *ud = &vdev->ud;
        struct urb *urb;
+        unsigned long flags;
-        spin_lock(&vdev->priv_lock);
+        spin_lock_irqsave(&vdev->priv_lock, flags);
        urb = pickup_urb_and_free_priv(vdev, pdu->base.seqnum);
-        spin_unlock(&vdev->priv_lock);
+        spin_unlock_irqrestore(&vdev->priv_lock, flags);
        if (!urb) {
                pr_err("cannot find a urb of seqnum %u max seqnum %d\n",
@@ -103,9 +104,9 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
        usbip_dbg_vhci_rx("now giveback urb %u\n", pdu->base.seqnum);
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        usb_hcd_unlink_urb_from_ep(vhci_to_hcd(the_controller), urb);
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        usb_hcd_giveback_urb(vhci_to_hcd(the_controller), urb, urb->status);
@@ -116,8 +117,9 @@ static struct vhci_unlink *dequeue_pending_unlink(struct vhci_device *vdev,
                                                  struct usbip_header *pdu)
 {
        struct vhci_unlink *unlink, *tmp;
+        unsigned long flags;
-        spin_lock(&vdev->priv_lock);
+        spin_lock_irqsave(&vdev->priv_lock, flags);
        list_for_each_entry_safe(unlink, tmp, &vdev->unlink_rx, list) {
                pr_info("unlink->seqnum %lu\n", unlink->seqnum);
@@ -126,12 +128,12 @@ static struct vhci_unlink *dequeue_pending_unlink(struct vhci_device *vdev,
                                          unlink->seqnum);
                        list_del(&unlink->list);
-                        spin_unlock(&vdev->priv_lock);
+                        spin_unlock_irqrestore(&vdev->priv_lock, flags);
                        return unlink;
                }
        }
-        spin_unlock(&vdev->priv_lock);
+        spin_unlock_irqrestore(&vdev->priv_lock, flags);
        return NULL;
 }
@@ -141,6 +143,7 @@ static void vhci_recv_ret_unlink(struct vhci_device *vdev,
 {
        struct vhci_unlink *unlink;
        struct urb *urb;
+        unsigned long flags;
        usbip_dump_header(pdu);
@@ -151,9 +154,9 @@ static void vhci_recv_ret_unlink(struct vhci_device *vdev,
                return;
        }
-        spin_lock(&vdev->priv_lock);
+        spin_lock_irqsave(&vdev->priv_lock, flags);
        urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
-        spin_unlock(&vdev->priv_lock);
+        spin_unlock_irqrestore(&vdev->priv_lock, flags);
        if (!urb) {
                /*
@@ -170,9 +173,9 @@ static void vhci_recv_ret_unlink(struct vhci_device *vdev,
                urb->status = pdu->u.ret_unlink.status;
                pr_info("urb->status %d\n", urb->status);
-                spin_lock(&the_controller->lock);
+                spin_lock_irqsave(&the_controller->lock, flags);
                usb_hcd_unlink_urb_from_ep(vhci_to_hcd(the_controller), urb);
-                spin_unlock(&the_controller->lock);
+                spin_unlock_irqrestore(&the_controller->lock, flags);
                usb_hcd_giveback_urb(vhci_to_hcd(the_controller), urb,
                                     urb->status);
@@ -184,10 +187,11 @@ static void vhci_recv_ret_unlink(struct vhci_device *vdev,
 static int vhci_priv_tx_empty(struct vhci_device *vdev)
 {
        int empty = 0;
+        unsigned long flags;
-        spin_lock(&vdev->priv_lock);
+        spin_lock_irqsave(&vdev->priv_lock, flags);
        empty = list_empty(&vdev->priv_rx);
-        spin_unlock(&vdev->priv_lock);
+        spin_unlock_irqrestore(&vdev->priv_lock, flags);
        return empty;
 }
diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
index 211f43f67ea2..b9432fdec775 100644
--- a/drivers/usb/usbip/vhci_sysfs.c
+++ b/drivers/usb/usbip/vhci_sysfs.c
@@ -32,23 +32,28 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr,
 {
        char *s = out;
        int i = 0;
+        unsigned long flags;
        BUG_ON(!the_controller || !out);
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        /*
         * output example:
-         * prt sta spd dev socket           local_busid
+         * port sta spd dev      sockfd local_busid
-         * 000 004 000 000         c5a7bb80 1-2.3
+         * 0000 004 000 00000000 000003 1-2.3
-         * 001 004 000 000         d8cee980 2-3.4
+         * 0001 004 000 00000000 000004 2-3.4
         *
-         * IP address can be retrieved from a socket pointer address by looking
+         * Output includes socket fd instead of socket pointer address to
-         * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a
+         * avoid leaking kernel memory address in:
-         * port number and its peer IP address.
+         *      /sys/devices/platform/vhci_hcd.0/status and in debug output.
+         * The socket pointer address is not used at the moment and it was
+         * made visible as a convenient way to find IP address from socket
+         * pointer address by looking up /proc/net/{tcp,tcp6}. As this opens
+         * a security hole, the change is made to use sockfd instead.
         */
        out += sprintf(out,
-                       "prt sta spd bus dev socket           local_busid\n");
+                       "prt sta spd dev      sockfd local_busid\n");
        for (i = 0; i < VHCI_NPORTS; i++) {
                struct vhci_device *vdev = port_to_vdev(i);
@@ -59,18 +64,17 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr,
                if (vdev->ud.status == VDEV_ST_USED) {
                        out += sprintf(out, "%03u %08x ",
                                       vdev->speed, vdev->devid);
-                        out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
+                        out += sprintf(out, "%06u ", vdev->ud.sockfd);
                        out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
-                } else {
+                } else
-                        out += sprintf(out, "000 000 000 0000000000000000 0-0");
+                        out += sprintf(out, "000 00000000 000000 0-0");
-                }
                out += sprintf(out, "\n");
                spin_unlock(&vdev->ud.lock);
        }
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        return out - s;
 }
@@ -80,11 +84,12 @@ static DEVICE_ATTR_RO(status);
 static int vhci_port_disconnect(__u32 rhport)
 {
        struct vhci_device *vdev;
+        unsigned long flags;
        usbip_dbg_vhci_sysfs("enter\n");
        /* lock */
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        vdev = port_to_vdev(rhport);
@@ -94,14 +99,14 @@ static int vhci_port_disconnect(__u32 rhport)
                /* unlock */
                spin_unlock(&vdev->ud.lock);
-                spin_unlock(&the_controller->lock);
+                spin_unlock_irqrestore(&the_controller->lock, flags);
                return -EINVAL;
        }
        /* unlock */
        spin_unlock(&vdev->ud.lock);
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN);
@@ -177,6 +182,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr,
        int sockfd = 0;
        __u32 rhport = 0, devid = 0, speed = 0;
        int err;
+        unsigned long flags;
        /*
         * @rhport: port number of vhci_hcd
@@ -202,14 +208,14 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr,
        /* now need lock until setting vdev status as used */
        /* begin a lock */
-        spin_lock(&the_controller->lock);
+        spin_lock_irqsave(&the_controller->lock, flags);
        vdev = port_to_vdev(rhport);
        spin_lock(&vdev->ud.lock);
        if (vdev->ud.status != VDEV_ST_NULL) {
                /* end of the lock */
                spin_unlock(&vdev->ud.lock);
-                spin_unlock(&the_controller->lock);
+                spin_unlock_irqrestore(&the_controller->lock, flags);
                sockfd_put(socket);
@@ -223,11 +229,12 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr,
        vdev->devid         = devid;
        vdev->speed         = speed;
+        vdev->ud.sockfd     = sockfd;
        vdev->ud.tcp_socket = socket;
        vdev->ud.status     = VDEV_ST_NOTASSIGNED;
        spin_unlock(&vdev->ud.lock);
-        spin_unlock(&the_controller->lock);
+        spin_unlock_irqrestore(&the_controller->lock, flags);
        /* end the lock */
        vdev->ud.tcp_rx = kthread_get_run(vhci_rx_loop, &vdev->ud, "vhci_rx");
diff --git a/drivers/usb/usbip/vhci_tx.c b/drivers/usb/usbip/vhci_tx.c
index 3c5796c8633a..a9a663a578b6 100644
--- a/drivers/usb/usbip/vhci_tx.c
+++ b/drivers/usb/usbip/vhci_tx.c
@@ -47,16 +47,17 @@ static void setup_cmd_submit_pdu(struct usbip_header *pdup,  struct urb *urb)
 static struct vhci_priv *dequeue_from_priv_tx(struct vhci_device *vdev)
 {
        struct vhci_priv *priv, *tmp;
+        unsigned long flags;
-        spin_lock(&vdev->priv_lock);
+        spin_lock_irqsave(&vdev->priv_lock, flags);
        list_for_each_entry_safe(priv, tmp, &vdev->priv_tx, list) {
                list_move_tail(&priv->list, &vdev->priv_rx);
-                spin_unlock(&vdev->priv_lock);
+                spin_unlock_irqrestore(&vdev->priv_lock, flags);
                return priv;
        }
-        spin_unlock(&vdev->priv_lock);
+        spin_unlock_irqrestore(&vdev->priv_lock, flags);
        return NULL;
 }
@@ -137,16 +138,17 @@ static int vhci_send_cmd_submit(struct vhci_device *vdev)
 static struct vhci_unlink *dequeue_from_unlink_tx(struct vhci_device *vdev)
 {
        struct vhci_unlink *unlink, *tmp;
+        unsigned long flags;
-        spin_lock(&vdev->priv_lock);
+        spin_lock_irqsave(&vdev->priv_lock, flags);
        list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
                list_move_tail(&unlink->list, &vdev->unlink_rx);
-                spin_unlock(&vdev->priv_lock);
+                spin_unlock_irqrestore(&vdev->priv_lock, flags);
                return unlink;
        }
-        spin_unlock(&vdev->priv_lock);
+        spin_unlock_irqrestore(&vdev->priv_lock, flags);
        return NULL;
 }
diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index fe2b470d7ec6..c55c632a3b24 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -752,6 +752,62 @@ static int __init init_pci_cap_pcix_perm(struct perm_bits *perm)
        return 0;
 }
+static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos,
+                                 int count, struct perm_bits *perm,
+                                 int offset, __le32 val)
+{
+        __le16 *ctrl = (__le16 *)(vdev->vconfig + pos -
+                                  offset + PCI_EXP_DEVCTL);
+        int readrq = le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ;
+        count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
+        if (count < 0)
+                return count;
+        /*
+         * The FLR bit is virtualized, if set and the device supports PCIe
+         * FLR, issue a reset_function.  Regardless, clear the bit, the spec
+         * requires it to be always read as zero.  NB, reset_function might
+         * not use a PCIe FLR, we don't have that level of granularity.
+         */
+        if (*ctrl & cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR)) {
+                u32 cap;
+                int ret;
+                *ctrl &= ~cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR);
+                ret = pci_user_read_config_dword(vdev->pdev,
+                                                 pos - offset + PCI_EXP_DEVCAP,
+                                                 &cap);
+                if (!ret && (cap & PCI_EXP_DEVCAP_FLR))
+                        pci_try_reset_function(vdev->pdev);
+        }
+        /*
+         * MPS is virtualized to the user, writes do not change the physical
+         * register since determining a proper MPS value requires a system wide
+         * device view.  The MRRS is largely independent of MPS, but since the
+         * user does not have that system-wide view, they might set a safe, but
+         * inefficiently low value.  Here we allow writes through to hardware,
+         * but we set the floor to the physical device MPS setting, so that
+         * we can at least use full TLPs, as defined by the MPS value.
+         *
+         * NB, if any devices actually depend on an artificially low MRRS
+         * setting, this will need to be revisited, perhaps with a quirk
+         * though pcie_set_readrq().
+         */
+        if (readrq != (le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ)) {
+                readrq = 128 <<
+                        ((le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ) >> 12);
+                readrq = max(readrq, pcie_get_mps(vdev->pdev));
+                pcie_set_readrq(vdev->pdev, readrq);
+        }
+        return count;
+}
 /* Permissions for PCI Express capability */
 static int __init init_pci_cap_exp_perm(struct perm_bits *perm)
 {
@@ -759,26 +815,67 @@ static int __init init_pci_cap_exp_perm(struct perm_bits *perm)
        if (alloc_perm_bits(perm, PCI_CAP_EXP_ENDPOINT_SIZEOF_V2))
                return -ENOMEM;
+        perm->writefn = vfio_exp_config_write;
        p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE);
        /*
-         * Allow writes to device control fields (includes FLR!)
+         * Allow writes to device control fields, except devctl_phantom,
-         * but not to devctl_phantom which could confuse IOMMU
+         * which could confuse IOMMU, MPS, which can break communication
-         * or to the ARI bit in devctl2 which is set at probe time
+         * with other physical devices, and the ARI bit in devctl2, which
+         * is set at probe time.  FLR and MRRS get virtualized via our
+         * writefn.
         */
-        p_setw(perm, PCI_EXP_DEVCTL, NO_VIRT, ~PCI_EXP_DEVCTL_PHANTOM);
+        p_setw(perm, PCI_EXP_DEVCTL,
+               PCI_EXP_DEVCTL_BCR_FLR | PCI_EXP_DEVCTL_PAYLOAD |
+               PCI_EXP_DEVCTL_READRQ, ~PCI_EXP_DEVCTL_PHANTOM);
        p_setw(perm, PCI_EXP_DEVCTL2, NO_VIRT, ~PCI_EXP_DEVCTL2_ARI);
        return 0;
 }
+static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos,
+                                int count, struct perm_bits *perm,
+                                int offset, __le32 val)
+{
+        u8 *ctrl = vdev->vconfig + pos - offset + PCI_AF_CTRL;
+        count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
+        if (count < 0)
+                return count;
+        /*
+         * The FLR bit is virtualized, if set and the device supports AF
+         * FLR, issue a reset_function.  Regardless, clear the bit, the spec
+         * requires it to be always read as zero.  NB, reset_function might
+         * not use an AF FLR, we don't have that level of granularity.
+         */
+        if (*ctrl & PCI_AF_CTRL_FLR) {
+                u8 cap;
+                int ret;
+                *ctrl &= ~PCI_AF_CTRL_FLR;
+                ret = pci_user_read_config_byte(vdev->pdev,
+                                                pos - offset + PCI_AF_CAP,
+                                                &cap);
+                if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP))
+                        pci_try_reset_function(vdev->pdev);
+        }
+        return count;
+}
 /* Permissions for Advanced Function capability */
 static int __init init_pci_cap_af_perm(struct perm_bits *perm)
 {
        if (alloc_perm_bits(perm, pci_cap_length[PCI_CAP_ID_AF]))
                return -ENOMEM;
+        perm->writefn = vfio_af_config_write;
        p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE);
-        p_setb(perm, PCI_AF_CTRL, NO_VIRT, PCI_AF_CTRL_FLR);
+        p_setb(perm, PCI_AF_CTRL, PCI_AF_CTRL_FLR, PCI_AF_CTRL_FLR);
        return 0;
 }
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 9eda69e40678..645b2197930e 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -955,7 +955,8 @@ err_used:
        if (ubufs)
                vhost_net_ubuf_put_wait_and_free(ubufs);
 err_ubufs:
-        sockfd_put(sock);
+        if (sock)
+                sockfd_put(sock);
 err_vq:
        mutex_unlock(&vq->mutex);
 err:
@@ -981,6 +982,7 @@ static long vhost_net_reset_owner(struct vhost_net *n)
        }
        vhost_net_stop(n, &tx_sock, &rx_sock);
        vhost_net_flush(n);
+        vhost_dev_stop(&n->dev);
        vhost_dev_reset_owner(&n->dev, memory);
        vhost_net_vq_reset(n);
 done:
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index ad2146a9ab2d..675819a1af37 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -173,8 +173,7 @@ int vhost_poll_start(struct vhost_poll *poll, struct file *file)
        if (mask)
                vhost_poll_wakeup(&poll->wait, 0, 0, (void *)mask);
        if (mask & POLLERR) {
-                if (poll->wqh)
+                vhost_poll_stop(poll);
-                        remove_wait_queue(poll->wqh, &poll->wait);
                ret = -EINVAL;
        }
diff --git a/drivers/video/backlight/as3711_bl.c b/drivers/video/backlight/as3711_bl.c
index 734a9158946b..e55304d5cf07 100644
--- a/drivers/video/backlight/as3711_bl.c
+++ b/drivers/video/backlight/as3711_bl.c
@@ -262,10 +262,10 @@ static int as3711_bl_register(struct platform_device *pdev,
 static int as3711_backlight_parse_dt(struct device *dev)
 {
        struct as3711_bl_pdata *pdata = dev_get_platdata(dev);
-        struct device_node *bl =
+        struct device_node *bl, *fb;
-                of_find_node_by_name(dev->parent->of_node, "backlight"), *fb;
        int ret;
+        bl = of_get_child_by_name(dev->parent->of_node, "backlight");
        if (!bl) {
                dev_dbg(dev, "backlight node not found\n");
                return -ENODEV;
@@ -279,7 +279,7 @@ static int as3711_backlight_parse_dt(struct device *dev)
                if (pdata->su1_max_uA <= 0)
                        ret = -EINVAL;
                if (ret < 0)
-                        return ret;
+                        goto err_put_bl;
        }
        fb = of_parse_phandle(bl, "su2-dev", 0);
@@ -292,7 +292,7 @@ static int as3711_backlight_parse_dt(struct device *dev)
                if (pdata->su2_max_uA <= 0)
                        ret = -EINVAL;
                if (ret < 0)
-                        return ret;
+                        goto err_put_bl;
                if (of_find_property(bl, "su2-feedback-voltage", NULL)) {
                        pdata->su2_feedback = AS3711_SU2_VOLTAGE;
@@ -314,8 +314,10 @@ static int as3711_backlight_parse_dt(struct device *dev)
                        pdata->su2_feedback = AS3711_SU2_CURR_AUTO;
                        count++;
                }
-                if (count != 1)
+                if (count != 1) {
-                        return -EINVAL;
+                        ret = -EINVAL;
+                        goto err_put_bl;
+                }
                count = 0;
                if (of_find_property(bl, "su2-fbprot-lx-sd4", NULL)) {
@@ -334,8 +336,10 @@ static int as3711_backlight_parse_dt(struct device *dev)
                        pdata->su2_fbprot = AS3711_SU2_GPIO4;
                        count++;
                }
-                if (count != 1)
+                if (count != 1) {
-                        return -EINVAL;
+                        ret = -EINVAL;
+                        goto err_put_bl;
+                }
                count = 0;
                if (of_find_property(bl, "su2-auto-curr1", NULL)) {
@@ -355,11 +359,20 @@ static int as3711_backlight_parse_dt(struct device *dev)
                 * At least one su2-auto-curr* must be specified iff
                 * AS3711_SU2_CURR_AUTO is used
                 */
-                if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO))
+                if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) {
-                        return -EINVAL;
+                        ret = -EINVAL;
+                        goto err_put_bl;
+                }
        }
+        of_node_put(bl);
        return 0;
+err_put_bl:
+        of_node_put(bl);
+        return ret;
 }
 static int as3711_backlight_probe(struct platform_device *pdev)
diff --git a/drivers/video/backlight/max8925_bl.c b/drivers/video/backlight/max8925_bl.c
index 7b738d60ecc2..f3aa6088f1d9 100644
--- a/drivers/video/backlight/max8925_bl.c
+++ b/drivers/video/backlight/max8925_bl.c
@@ -116,7 +116,7 @@ static void max8925_backlight_dt_init(struct platform_device *pdev)
        if (!pdata)
                return;
-        np = of_find_node_by_name(nproot, "backlight");
+        np = of_get_child_by_name(nproot, "backlight");
        if (!np) {
                dev_err(&pdev->dev, "failed to find backlight node\n");
                return;
@@ -125,6 +125,8 @@ static void max8925_backlight_dt_init(struct platform_device *pdev)
        if (!of_property_read_u32(np, "maxim,max8925-dual-string", &val))
                pdata->dual_string = val;
+        of_node_put(np);
        pdev->dev.platform_data = pdata;
 }
diff --git a/drivers/video/backlight/tps65217_bl.c b/drivers/video/backlight/tps65217_bl.c
index 61d72bffd402..dc920e2aa094 100644
--- a/drivers/video/backlight/tps65217_bl.c
+++ b/drivers/video/backlight/tps65217_bl.c
@@ -184,11 +184,11 @@ static struct tps65217_bl_pdata *
 tps65217_bl_parse_dt(struct platform_device *pdev)
 {
        struct tps65217 *tps = dev_get_drvdata(pdev->dev.parent);
-        struct device_node *node = of_node_get(tps->dev->of_node);
+        struct device_node *node;
        struct tps65217_bl_pdata *pdata, *err;
        u32 val;
-        node = of_find_node_by_name(node, "backlight");
+        node = of_get_child_by_name(tps->dev->of_node, "backlight");
        if (!node)
                return ERR_PTR(-ENODEV);
diff --git a/drivers/video/console/dummycon.c b/drivers/video/console/dummycon.c
index 0efc52f11ad0..b30e7d87804b 100644
--- a/drivers/video/console/dummycon.c
+++ b/drivers/video/console/dummycon.c
@@ -68,7 +68,6 @@ const struct consw dummy_con = {
    .con_switch =       DUMMY,
    .con_blank =        DUMMY,
    .con_font_set =     DUMMY,
-    .con_font_get =     DUMMY,
    .con_font_default = DUMMY,
    .con_font_copy =    DUMMY,
    .con_set_palette =  DUMMY,
diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index 517f565b65d7..598ec7545e84 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -409,7 +409,10 @@ static const char *vgacon_startup(void)
                vga_video_port_val = VGA_CRT_DM;
                if ((screen_info.orig_video_ega_bx & 0xff) != 0x10) {
                        static struct resource ega_console_resource =
-                            { .name = "ega", .start = 0x3B0, .end = 0x3BF };
+                            { .name     = "ega",
+                              .flags    = IORESOURCE_IO,
+                              .start    = 0x3B0,
+                              .end      = 0x3BF };
                        vga_video_type = VIDEO_TYPE_EGAM;
                        vga_vram_size = 0x8000;
                        display_desc = "EGA+";
@@ -417,9 +420,15 @@ static const char *vgacon_startup(void)
                                         &ega_console_resource);
                } else {
                        static struct resource mda1_console_resource =
-                            { .name = "mda", .start = 0x3B0, .end = 0x3BB };
+                            { .name     = "mda",
+                              .flags    = IORESOURCE_IO,
+                              .start    = 0x3B0,
+                              .end      = 0x3BB };
                        static struct resource mda2_console_resource =
-                            { .name = "mda", .start = 0x3BF, .end = 0x3BF };
+                            { .name     = "mda",
+                              .flags    = IORESOURCE_IO,
+                              .start    = 0x3BF,
+                              .end      = 0x3BF };
                        vga_video_type = VIDEO_TYPE_MDA;
                        vga_vram_size = 0x2000;
                        display_desc = "*MDA";
@@ -441,15 +450,21 @@ static const char *vgacon_startup(void)
                        vga_vram_size = 0x8000;
                        if (!screen_info.orig_video_isVGA) {
-                                static struct resource ega_console_resource
+                                static struct resource ega_console_resource =
-                                    = { .name = "ega", .start = 0x3C0, .end = 0x3DF };
+                                    { .name     = "ega",
+                                      .flags    = IORESOURCE_IO,
+                                      .start    = 0x3C0,
+                                      .end      = 0x3DF };
                                vga_video_type = VIDEO_TYPE_EGAC;
                                display_desc = "EGA";
                                request_resource(&ioport_resource,
                                                 &ega_console_resource);
                        } else {
-                                static struct resource vga_console_resource
+                                static struct resource vga_console_resource =
-                                    = { .name = "vga+", .start = 0x3C0, .end = 0x3DF };
+                                    { .name     = "vga+",
+                                      .flags    = IORESOURCE_IO,
+                                      .start    = 0x3C0,
+                                      .end      = 0x3DF };
                                vga_video_type = VIDEO_TYPE_VGAC;
                                display_desc = "VGA+";
                                request_resource(&ioport_resource,
@@ -493,7 +508,10 @@ static const char *vgacon_startup(void)
                        }
                } else {
                        static struct resource cga_console_resource =
-                            { .name = "cga", .start = 0x3D4, .end = 0x3D5 };
+                            { .name     = "cga",
+                              .flags    = IORESOURCE_IO,
+                              .start    = 0x3D4,
+                              .end      = 0x3D5 };
                        vga_video_type = VIDEO_TYPE_CGA;
                        vga_vram_size = 0x2000;
                        display_desc = "*CGA";
diff --git a/drivers/video/fbdev/amba-clcd.c b/drivers/video/fbdev/amba-clcd.c
index 9362424c2340..924b3d6c3e9b 100644
--- a/drivers/video/fbdev/amba-clcd.c
+++ b/drivers/video/fbdev/amba-clcd.c
@@ -759,8 +759,8 @@ static int clcdfb_of_dma_setup(struct clcd_fb *fb)
        if (err)
                return err;
-        framesize = fb->panel->mode.xres * fb->panel->mode.yres *
+        framesize = PAGE_ALIGN(fb->panel->mode.xres * fb->panel->mode.yres *
-                        fb->panel->bpp / 8;
+                        fb->panel->bpp / 8);
        fb->fb.screen_base = dma_alloc_coherent(&fb->dev->dev, framesize,
                        &dma, GFP_KERNEL);
        if (!fb->fb.screen_base)
diff --git a/drivers/video/fbdev/atmel_lcdfb.c b/drivers/video/fbdev/atmel_lcdfb.c
index 19eb42b57d87..a6da82648c92 100644
--- a/drivers/video/fbdev/atmel_lcdfb.c
+++ b/drivers/video/fbdev/atmel_lcdfb.c
@@ -1120,7 +1120,7 @@ static int atmel_lcdfb_of_init(struct atmel_lcdfb_info *sinfo)
                goto put_display_node;
        }
-        timings_np = of_find_node_by_name(display_np, "display-timings");
+        timings_np = of_get_child_by_name(display_np, "display-timings");
        if (!timings_np) {
                dev_err(dev, "failed to find display-timings node\n");
                ret = -ENODEV;
@@ -1141,6 +1141,12 @@ static int atmel_lcdfb_of_init(struct atmel_lcdfb_info *sinfo)
                fb_add_videomode(&fb_vm, &info->modelist);
        }
+        /*
+         * FIXME: Make sure we are not referencing any fields in display_np
+         * and timings_np and drop our references to them before returning to
+         * avoid leaking the nodes on probe deferral and driver unbind.
+         */
        return 0;
 put_timings_node:
diff --git a/drivers/video/fbdev/exynos/s6e8ax0.c b/drivers/video/fbdev/exynos/s6e8ax0.c
index 95873f26e39c..de2f3e793786 100644
--- a/drivers/video/fbdev/exynos/s6e8ax0.c
+++ b/drivers/video/fbdev/exynos/s6e8ax0.c
@@ -829,8 +829,7 @@ static int s6e8ax0_probe(struct mipi_dsim_lcd_device *dsim_dev)
        return 0;
 }
-#ifdef CONFIG_PM
+static int __maybe_unused s6e8ax0_suspend(struct mipi_dsim_lcd_device *dsim_dev)
-static int s6e8ax0_suspend(struct mipi_dsim_lcd_device *dsim_dev)
 {
        struct s6e8ax0 *lcd = dev_get_drvdata(&dsim_dev->dev);
@@ -843,7 +842,7 @@ static int s6e8ax0_suspend(struct mipi_dsim_lcd_device *dsim_dev)
        return 0;
 }
-static int s6e8ax0_resume(struct mipi_dsim_lcd_device *dsim_dev)
+static int __maybe_unused s6e8ax0_resume(struct mipi_dsim_lcd_device *dsim_dev)
 {
        struct s6e8ax0 *lcd = dev_get_drvdata(&dsim_dev->dev);
@@ -855,10 +854,6 @@ static int s6e8ax0_resume(struct mipi_dsim_lcd_device *dsim_dev)
        return 0;
 }
-#else
-#define s6e8ax0_suspend         NULL
-#define s6e8ax0_resume          NULL
-#endif
 static struct mipi_dsim_lcd_driver s6e8ax0_dsim_ddi_driver = {
        .name = "s6e8ax0",
@@ -867,8 +862,8 @@ static struct mipi_dsim_lcd_driver s6e8ax0_dsim_ddi_driver = {
        .power_on = s6e8ax0_power_on,
        .set_sequence = s6e8ax0_set_sequence,
        .probe = s6e8ax0_probe,
-        .suspend = s6e8ax0_suspend,
+        .suspend = IS_ENABLED(CONFIG_PM) ? s6e8ax0_suspend : NULL,
-        .resume = s6e8ax0_resume,
+        .resume = IS_ENABLED(CONFIG_PM) ? s6e8ax0_resume : NULL,
 };
 static int s6e8ax0_init(void)
diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c
index bbec737eef30..bf207444ba0c 100644
--- a/drivers/video/fbdev/intelfb/intelfbdrv.c
+++ b/drivers/video/fbdev/intelfb/intelfbdrv.c
@@ -302,7 +302,7 @@ static __inline__ int get_opt_int(const char *this_opt, const char *name,
 }
 static __inline__ int get_opt_bool(const char *this_opt, const char *name,
-                                   int *ret)
+                                   bool *ret)
 {
        if (!ret)
                return 0;
diff --git a/drivers/video/fbdev/mmp/core.c b/drivers/video/fbdev/mmp/core.c
index a0f496049db7..3a6bb6561ba0 100644
--- a/drivers/video/fbdev/mmp/core.c
+++ b/drivers/video/fbdev/mmp/core.c
@@ -23,6 +23,7 @@
 #include <linux/slab.h>
 #include <linux/dma-mapping.h>
 #include <linux/export.h>
+#include <linux/module.h>
 #include <video/mmp_disp.h>
 static struct mmp_overlay *path_get_overlay(struct mmp_path *path,
@@ -249,3 +250,7 @@ void mmp_unregister_path(struct mmp_path *path)
        mutex_unlock(&disp_lock);
 }
 EXPORT_SYMBOL_GPL(mmp_unregister_path);
+MODULE_AUTHOR("Zhou Zhu <zzhu3@marvell.com>");
+MODULE_DESCRIPTION("Marvell MMP display framework");
+MODULE_LICENSE("GPL");
diff --git a/drivers/video/fbdev/sbuslib.c b/drivers/video/fbdev/sbuslib.c
index a350209ffbd3..31c301d6be62 100644
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -121,7 +121,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
                unsigned char __user *ured;
                unsigned char __user *ugreen;
                unsigned char __user *ublue;
-                int index, count, i;
+                unsigned int index, count, i;
                if (get_user(index, &c->index) ||
                    __get_user(count, &c->count) ||
@@ -160,7 +160,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
                unsigned char __user *ugreen;
                unsigned char __user *ublue;
                struct fb_cmap *cmap = &info->cmap;
-                int index, count, i;
+                unsigned int index, count, i;
                u8 red, green, blue;
                if (get_user(index, &c->index) ||
diff --git a/drivers/video/fbdev/sis/init301.c b/drivers/video/fbdev/sis/init301.c
index 295e0dedaf1f..20f7234e809e 100644
--- a/drivers/video/fbdev/sis/init301.c
+++ b/drivers/video/fbdev/sis/init301.c
@@ -2151,17 +2151,15 @@ SiS_GetVCLK2Ptr(struct SiS_Private *SiS_Pr, unsigned short ModeNo, unsigned shor
                unsigned short RefreshRateTableIndex)
 {
  unsigned short CRT2Index, VCLKIndex = 0, VCLKIndexGEN = 0, VCLKIndexGENCRT = 0;
-  unsigned short modeflag, resinfo, tempbx;
+  unsigned short resinfo, tempbx;
  const unsigned char *CHTVVCLKPtr = NULL;
  if(ModeNo <= 0x13) {
-     modeflag = SiS_Pr->SiS_SModeIDTable[ModeIdIndex].St_ModeFlag;
     resinfo = SiS_Pr->SiS_SModeIDTable[ModeIdIndex].St_ResInfo;
     CRT2Index = SiS_Pr->SiS_SModeIDTable[ModeIdIndex].St_CRT2CRTC;
     VCLKIndexGEN = (SiS_GetRegByte((SiS_Pr->SiS_P3ca+0x02)) >> 2) & 0x03;
     VCLKIndexGENCRT = VCLKIndexGEN;
  } else {
-     modeflag = SiS_Pr->SiS_EModeIDTable[ModeIdIndex].Ext_ModeFlag;
     resinfo = SiS_Pr->SiS_EModeIDTable[ModeIdIndex].Ext_RESINFO;
     CRT2Index = SiS_Pr->SiS_RefIndex[RefreshRateTableIndex].Ext_CRT2CRTC;
     VCLKIndexGEN = SiS_Pr->SiS_RefIndex[RefreshRateTableIndex].Ext_CRTVCLK;
@@ -7270,7 +7268,7 @@ SiS_ShiftXPos(struct SiS_Private *SiS_Pr, int shift)
 static void
 SiS_SetGroup4_C_ELV(struct SiS_Private *SiS_Pr, unsigned short ModeNo, unsigned short ModeIdIndex)
 {
-   unsigned short temp, temp1, resinfo = 0;
+   unsigned short temp, temp1;
   unsigned char  *ROMAddr = SiS_Pr->VirtualRomBase;
   if(!(SiS_Pr->SiS_VBType & VB_SIS30xCLV)) return;
@@ -7282,10 +7280,6 @@ SiS_SetGroup4_C_ELV(struct SiS_Private *SiS_Pr, unsigned short ModeNo, unsigned
      if(!(ROMAddr[0x61] & 0x04)) return;
   }
-   if(ModeNo > 0x13) {
-      resinfo = SiS_Pr->SiS_EModeIDTable[ModeIdIndex].Ext_RESINFO;
-   }
   SiS_SetRegOR(SiS_Pr->SiS_Part4Port,0x3a,0x08);
   temp = SiS_GetReg(SiS_Pr->SiS_Part4Port,0x3a);
   if(!(temp & 0x01)) {
diff --git a/drivers/video/fbdev/sm501fb.c b/drivers/video/fbdev/sm501fb.c
index d0a4e2f79a57..d215faacce04 100644
--- a/drivers/video/fbdev/sm501fb.c
+++ b/drivers/video/fbdev/sm501fb.c
@@ -1600,6 +1600,7 @@ static int sm501fb_start(struct sm501fb_info *info,
        info->fbmem = ioremap(res->start, resource_size(res));
        if (info->fbmem == NULL) {
                dev_err(dev, "cannot remap framebuffer\n");
+                ret = -ENXIO;
                goto err_mem_res;
        }
diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
index 53326badfb61..2add8def83be 100644
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1487,15 +1487,25 @@ static struct device_attribute fb_device_attrs[] = {
 static int dlfb_select_std_channel(struct dlfb_data *dev)
 {
        int ret;
-        u8 set_def_chn[] = {       0x57, 0xCD, 0xDC, 0xA7,
+        void *buf;
+        static const u8 set_def_chn[] = {
+                                0x57, 0xCD, 0xDC, 0xA7,
                                0x1C, 0x88, 0x5E, 0x15,
                                0x60, 0xFE, 0xC6, 0x97,
                                0x16, 0x3D, 0x47, 0xF2  };
+        buf = kmemdup(set_def_chn, sizeof(set_def_chn), GFP_KERNEL);
+        if (!buf)
+                return -ENOMEM;
        ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
                        NR_USB_REQUEST_CHANNEL,
                        (USB_DIR_OUT | USB_TYPE_VENDOR), 0, 0,
-                        set_def_chn, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT);
+                        buf, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT);
+        kfree(buf);
        return ret;
 }
diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c
index 178ae93b7ebd..381236ff34d9 100644
--- a/drivers/video/fbdev/uvesafb.c
+++ b/drivers/video/fbdev/uvesafb.c
@@ -1059,7 +1059,8 @@ static int uvesafb_setcmap(struct fb_cmap *cmap, struct fb_info *info)
                    info->cmap.len || cmap->start < info->cmap.start)
                        return -EINVAL;
-                entries = kmalloc(sizeof(*entries) * cmap->len, GFP_KERNEL);
+                entries = kmalloc_array(cmap->len, sizeof(*entries),
+                                        GFP_KERNEL);
                if (!entries)
                        return -ENOMEM;
diff --git a/drivers/video/fbdev/vfb.c b/drivers/video/fbdev/vfb.c
index b9c2f81fb6b9..556c39997aab 100644
--- a/drivers/video/fbdev/vfb.c
+++ b/drivers/video/fbdev/vfb.c
@@ -291,8 +291,23 @@ static int vfb_check_var(struct fb_var_screeninfo *var,
 */
 static int vfb_set_par(struct fb_info *info)
 {
+        switch (info->var.bits_per_pixel) {
+        case 1:
+                info->fix.visual = FB_VISUAL_MONO01;
+                break;
+        case 8:
+                info->fix.visual = FB_VISUAL_PSEUDOCOLOR;
+                break;
+        case 16:
+        case 24:
+        case 32:
+                info->fix.visual = FB_VISUAL_TRUECOLOR;
+                break;
+        }
        info->fix.line_length = get_line_length(info->var.xres_virtual,
                                                info->var.bits_per_pixel);
        return 0;
 }
@@ -525,6 +540,8 @@ static int vfb_probe(struct platform_device *dev)
                goto err2;
        platform_set_drvdata(dev, info);
+        vfb_set_par(info);
        fb_info(info, "Virtual frame buffer device, using %ldK of video memory\n",
                videomemorysize >> 10);
        return 0;
diff --git a/drivers/video/fbdev/via/viafbdev.c b/drivers/video/fbdev/via/viafbdev.c
index f9718f012aae..badee04ef496 100644
--- a/drivers/video/fbdev/via/viafbdev.c
+++ b/drivers/video/fbdev/via/viafbdev.c
@@ -1630,16 +1630,14 @@ static void viafb_init_proc(struct viafb_shared *shared)
 }
 static void viafb_remove_proc(struct viafb_shared *shared)
 {
-        struct proc_dir_entry *viafb_entry = shared->proc_entry,
+        struct proc_dir_entry *viafb_entry = shared->proc_entry;
-                *iga1_entry = shared->iga1_proc_entry,
-                *iga2_entry = shared->iga2_proc_entry;
        if (!viafb_entry)
                return;
-        remove_proc_entry("output_devices", iga2_entry);
+        remove_proc_entry("output_devices", shared->iga2_proc_entry);
        remove_proc_entry("iga2", viafb_entry);
-        remove_proc_entry("output_devices", iga1_entry);
+        remove_proc_entry("output_devices", shared->iga1_proc_entry);
        remove_proc_entry("iga1", viafb_entry);
        remove_proc_entry("supported_output_devices", viafb_entry);
diff --git a/drivers/video/hdmi.c b/drivers/video/hdmi.c
index 162689227a23..b73520aaf697 100644
--- a/drivers/video/hdmi.c
+++ b/drivers/video/hdmi.c
@@ -321,6 +321,17 @@ int hdmi_vendor_infoframe_init(struct hdmi_vendor_infoframe *frame)
 }
 EXPORT_SYMBOL(hdmi_vendor_infoframe_init);
+static int hdmi_vendor_infoframe_length(const struct hdmi_vendor_infoframe *frame)
+{
+        /* for side by side (half) we also need to provide 3D_Ext_Data */
+        if (frame->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF)
+                return 6;
+        else if (frame->vic != 0 || frame->s3d_struct != HDMI_3D_STRUCTURE_INVALID)
+                return 5;
+        else
+                return 4;
+}
 /**
 * hdmi_vendor_infoframe_pack() - write a HDMI vendor infoframe to binary buffer
 * @frame: HDMI infoframe
@@ -341,19 +352,11 @@ ssize_t hdmi_vendor_infoframe_pack(struct hdmi_vendor_infoframe *frame,
        u8 *ptr = buffer;
        size_t length;
-        /* empty info frame */
-        if (frame->vic == 0 && frame->s3d_struct == HDMI_3D_STRUCTURE_INVALID)
-                return -EINVAL;
        /* only one of those can be supplied */
        if (frame->vic != 0 && frame->s3d_struct != HDMI_3D_STRUCTURE_INVALID)
                return -EINVAL;
-        /* for side by side (half) we also need to provide 3D_Ext_Data */
+        frame->length = hdmi_vendor_infoframe_length(frame);
-        if (frame->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF)
-                frame->length = 6;
-        else
-                frame->length = 5;
        length = HDMI_INFOFRAME_HEADER_SIZE + frame->length;
@@ -372,14 +375,16 @@ ssize_t hdmi_vendor_infoframe_pack(struct hdmi_vendor_infoframe *frame,
        ptr[5] = 0x0c;
        ptr[6] = 0x00;
-        if (frame->vic) {
+        if (frame->s3d_struct != HDMI_3D_STRUCTURE_INVALID) {
-                ptr[7] = 0x1 << 5;      /* video format */
-                ptr[8] = frame->vic;
-        } else {
                ptr[7] = 0x2 << 5;      /* video format */
                ptr[8] = (frame->s3d_struct & 0xf) << 4;
                if (frame->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF)
                        ptr[9] = (frame->s3d_ext_data & 0xf) << 4;
+        } else if (frame->vic) {
+                ptr[7] = 0x1 << 5;      /* video format */
+                ptr[8] = frame->vic;
+        } else {
+                ptr[7] = 0x0 << 5;      /* video format */
        }
        hdmi_infoframe_set_checksum(buffer, length);
@@ -1161,7 +1166,7 @@ hdmi_vendor_any_infoframe_unpack(union hdmi_vendor_any_infoframe *frame,
        if (ptr[0] != HDMI_INFOFRAME_TYPE_VENDOR ||
            ptr[1] != 1 ||
-            (ptr[2] != 5 && ptr[2] != 6))
+            (ptr[2] != 4 && ptr[2] != 5 && ptr[2] != 6))
                return -EINVAL;
        length = ptr[2];
@@ -1189,16 +1194,22 @@ hdmi_vendor_any_infoframe_unpack(union hdmi_vendor_any_infoframe *frame,
        hvf->length = length;
-        if (hdmi_video_format == 0x1) {
+        if (hdmi_video_format == 0x2) {
-                hvf->vic = ptr[4];
+                if (length != 5 && length != 6)
-        } else if (hdmi_video_format == 0x2) {
+                        return -EINVAL;
                hvf->s3d_struct = ptr[4] >> 4;
                if (hvf->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF) {
-                        if (length == 6)
+                        if (length != 6)
-                                hvf->s3d_ext_data = ptr[5] >> 4;
-                        else
                                return -EINVAL;
+                        hvf->s3d_ext_data = ptr[5] >> 4;
                }
+        } else if (hdmi_video_format == 0x1) {
+                if (length != 5)
+                        return -EINVAL;
+                hvf->vic = ptr[4];
+        } else {
+                if (length != 4)
+                        return -EINVAL;
        }
        return 0;
diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
index 0c5533813cde..e3ac3e157485 100644
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -239,12 +239,14 @@ static void update_balloon_stats(struct virtio_balloon *vb)
        all_vm_events(events);
        si_meminfo(&i);
+#ifdef CONFIG_VM_EVENT_COUNTERS
        update_stat(vb, idx++, VIRTIO_BALLOON_S_SWAP_IN,
                                pages_to_bytes(events[PSWPIN]));
        update_stat(vb, idx++, VIRTIO_BALLOON_S_SWAP_OUT,
                                pages_to_bytes(events[PSWPOUT]));
        update_stat(vb, idx++, VIRTIO_BALLOON_S_MAJFLT, events[PGMAJFAULT]);
        update_stat(vb, idx++, VIRTIO_BALLOON_S_MINFLT, events[PGFAULT]);
+#endif
        update_stat(vb, idx++, VIRTIO_BALLOON_S_MEMFREE,
                                pages_to_bytes(i.freeram));
        update_stat(vb, idx++, VIRTIO_BALLOON_S_MEMTOT,
@@ -477,7 +479,9 @@ static int virtballoon_migratepage(struct balloon_dev_info *vb_dev_info,
        tell_host(vb, vb->inflate_vq);
        /* balloon's page migration 2nd step -- deflate "page" */
+        spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
        balloon_page_delete(page);
+        spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
        vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
        set_page_pfns(vb, vb->pfns, page);
        tell_host(vb, vb->deflate_vq);
diff --git a/drivers/w1/masters/mxc_w1.c b/drivers/w1/masters/mxc_w1.c
index a4621757a47f..dacb5919970c 100644
--- a/drivers/w1/masters/mxc_w1.c
+++ b/drivers/w1/masters/mxc_w1.c
@@ -113,6 +113,10 @@ static int mxc_w1_probe(struct platform_device *pdev)
        if (IS_ERR(mdev->clk))
                return PTR_ERR(mdev->clk);
+        err = clk_prepare_enable(mdev->clk);
+        if (err)
+                return err;
        clkrate = clk_get_rate(mdev->clk);
        if (clkrate < 10000000)
                dev_warn(&pdev->dev,
@@ -126,12 +130,10 @@ static int mxc_w1_probe(struct platform_device *pdev)
        res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
        mdev->regs = devm_ioremap_resource(&pdev->dev, res);
-        if (IS_ERR(mdev->regs))
+        if (IS_ERR(mdev->regs)) {
-                return PTR_ERR(mdev->regs);
+                err = PTR_ERR(mdev->regs);
+                goto out_disable_clk;
-        err = clk_prepare_enable(mdev->clk);
+        }
-        if (err)
-                return err;
        /* Software reset 1-Wire module */
        writeb(MXC_W1_RESET_RST, mdev->regs + MXC_W1_RESET);
@@ -147,8 +149,12 @@ static int mxc_w1_probe(struct platform_device *pdev)
        err = w1_add_master_device(&mdev->bus_master);
        if (err)
-                clk_disable_unprepare(mdev->clk);
+                goto out_disable_clk;
+        return 0;
+out_disable_clk:
+        clk_disable_unprepare(mdev->clk);
        return err;
 }
diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
index 39886edfa222..88c1b8c01473 100644
--- a/drivers/w1/w1.c
+++ b/drivers/w1/w1.c
@@ -741,7 +741,7 @@ int w1_attach_slave_device(struct w1_master *dev, struct w1_reg_num *rn)
        /* slave modules need to be loaded in a context with unlocked mutex */
        mutex_unlock(&dev->mutex);
-        request_module("w1-family-0x%02x", rn->family);
+        request_module("w1-family-0x%02X", rn->family);
        mutex_lock(&dev->mutex);
        spin_lock(&w1_flock);
diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c
index 016bd9355190..2048aad91add 100644
--- a/drivers/watchdog/f71808e_wdt.c
+++ b/drivers/watchdog/f71808e_wdt.c
@@ -450,7 +450,7 @@ static bool watchdog_is_running(void)
        is_running = (superio_inb(watchdog.sioaddr, SIO_REG_ENABLE) & BIT(0))
                && (superio_inb(watchdog.sioaddr, F71808FG_REG_WDT_CONF)
-                        & F71808FG_FLAG_WD_EN);
+                        & BIT(F71808FG_FLAG_WD_EN));
        superio_exit(watchdog.sioaddr);
@@ -520,7 +520,8 @@ static ssize_t watchdog_write(struct file *file, const char __user *buf,
                                char c;
                                if (get_user(c, buf + i))
                                        return -EFAULT;
-                                expect_close = (c == 'V');
+                                if (c == 'V')
+                                        expect_close = true;
                        }
                        /* Properly order writes across fork()ed processes */
diff --git a/drivers/watchdog/hpwdt.c b/drivers/watchdog/hpwdt.c
index 286369d4f0f5..be99112fad00 100644
--- a/drivers/watchdog/hpwdt.c
+++ b/drivers/watchdog/hpwdt.c
@@ -51,6 +51,7 @@ static char expect_release;
 static unsigned long hpwdt_is_open;
 static void __iomem *pci_mem_addr;              /* the PCI-memory address */
+static unsigned long __iomem *hpwdt_nmistat;
 static unsigned long __iomem *hpwdt_timer_reg;
 static unsigned long __iomem *hpwdt_timer_con;
@@ -474,6 +475,11 @@ static int hpwdt_time_left(void)
 }
 #ifdef CONFIG_HPWDT_NMI_DECODING
+static int hpwdt_my_nmi(void)
+{
+        return ioread8(hpwdt_nmistat) & 0x6;
+}
 /*
 *      NMI Handler
 */
@@ -485,6 +491,9 @@ static int hpwdt_pretimeout(unsigned int ulReason, struct pt_regs *regs)
        if (!hpwdt_nmi_decoding)
                goto out;
+        if ((ulReason == NMI_UNKNOWN) && !hpwdt_my_nmi())
+                return NMI_DONE;
        spin_lock_irqsave(&rom_lock, rom_pl);
        if (!die_nmi_called && !is_icru && !is_uefi)
                asminline_call(&cmn_regs, cru_rom_addr);
@@ -700,7 +709,7 @@ static void dmi_find_icru(const struct dmi_header *dm, void *dummy)
                smbios_proliant_ptr = (struct smbios_proliant_info *) dm;
                if (smbios_proliant_ptr->misc_features & 0x01)
                        is_icru = 1;
-                if (smbios_proliant_ptr->misc_features & 0x408)
+                if (smbios_proliant_ptr->misc_features & 0x1400)
                        is_uefi = 1;
        }
 }
@@ -840,6 +849,7 @@ static int hpwdt_init_one(struct pci_dev *dev,
                retval = -ENOMEM;
                goto error_pci_iomap;
        }
+        hpwdt_nmistat   = pci_mem_addr + 0x6e;
        hpwdt_timer_reg = pci_mem_addr + 0x70;
        hpwdt_timer_con = pci_mem_addr + 0x72;
diff --git a/drivers/watchdog/imx2_wdt.c b/drivers/watchdog/imx2_wdt.c
index 29ef719a6a3c..d69ab1e28d7d 100644
--- a/drivers/watchdog/imx2_wdt.c
+++ b/drivers/watchdog/imx2_wdt.c
@@ -161,15 +161,21 @@ static void imx2_wdt_timer_ping(unsigned long arg)
        mod_timer(&wdev->timer, jiffies + wdog->timeout * HZ / 2);
 }
-static int imx2_wdt_set_timeout(struct watchdog_device *wdog,
+static void __imx2_wdt_set_timeout(struct watchdog_device *wdog,
-                                unsigned int new_timeout)
+                                   unsigned int new_timeout)
 {
        struct imx2_wdt_device *wdev = watchdog_get_drvdata(wdog);
-        wdog->timeout = new_timeout;
        regmap_update_bits(wdev->regmap, IMX2_WDT_WCR, IMX2_WDT_WCR_WT,
                           WDOG_SEC_TO_COUNT(new_timeout));
+}
+static int imx2_wdt_set_timeout(struct watchdog_device *wdog,
+                                unsigned int new_timeout)
+{
+        __imx2_wdt_set_timeout(wdog, new_timeout);
+        wdog->timeout = new_timeout;
        return 0;
 }
@@ -353,7 +359,11 @@ static int imx2_wdt_suspend(struct device *dev)
        /* The watchdog IP block is running */
        if (imx2_wdt_is_running(wdev)) {
-                imx2_wdt_set_timeout(wdog, IMX2_WDT_MAX_TIME);
+                /*
+                 * Don't update wdog->timeout, we'll restore the current value
+                 * during resume.
+                 */
+                __imx2_wdt_set_timeout(wdog, IMX2_WDT_MAX_TIME);
                imx2_wdt_ping(wdog);
                /* The watchdog is not active */
diff --git a/drivers/watchdog/sp5100_tco.h b/drivers/watchdog/sp5100_tco.h
index 2b28c00da0df..dfe20b81ced5 100644
--- a/drivers/watchdog/sp5100_tco.h
+++ b/drivers/watchdog/sp5100_tco.h
@@ -54,7 +54,7 @@
 #define SB800_PM_WATCHDOG_CONFIG        0x4C
 #define SB800_PCI_WATCHDOG_DECODE_EN    (1 << 0)
-#define SB800_PM_WATCHDOG_DISABLE       (1 << 2)
+#define SB800_PM_WATCHDOG_DISABLE       (1 << 1)
 #define SB800_PM_WATCHDOG_SECOND_RES    (3 << 0)
 #define SB800_ACPI_MMIO_DECODE_EN       (1 << 0)
 #define SB800_ACPI_MMIO_SEL             (1 << 1)
diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig
index 73708acce3ca..3a14948269b1 100644
--- a/drivers/xen/Kconfig
+++ b/drivers/xen/Kconfig
@@ -239,7 +239,7 @@ config XEN_ACPI_HOTPLUG_CPU
 config XEN_ACPI_PROCESSOR
        tristate "Xen ACPI processor"
-        depends on XEN && X86 && ACPI_PROCESSOR && CPU_FREQ
+        depends on XEN && XEN_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ
        default m
        help
          This ACPI processor uploads Power Management information to the Xen
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
index 83ec7b89d308..21d679f88dfa 100644
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -637,8 +637,6 @@ static void __unbind_from_irq(unsigned int irq)
                xen_irq_info_cleanup(info);
        }
-        BUG_ON(info_for_irq(irq)->type == IRQT_UNBOUND);
        xen_free_irq(irq);
 }
@@ -764,8 +762,8 @@ out:
        mutex_unlock(&irq_mapping_update_lock);
        return irq;
 error_irq:
-        for (; i >= 0; i--)
+        while (nvec--)
-                __unbind_from_irq(irq + i);
+                __unbind_from_irq(irq + nvec);
        mutex_unlock(&irq_mapping_update_lock);
        return ret;
 }
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index a4d749665c9f..1865bcfa869b 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -378,10 +378,8 @@ static int unmap_grant_pages(struct grant_map *map, int offset, int pages)
                }
                range = 0;
                while (range < pages) {
-                        if (map->unmap_ops[offset+range].handle == -1) {
+                        if (map->unmap_ops[offset+range].handle == -1)
-                                range--;
                                break;
-                        }
                        range++;
                }
                err = __unmap_grant_pages(map, offset, range);
@@ -876,8 +874,10 @@ unlock_out:
 out_unlock_put:
        mutex_unlock(&priv->lock);
 out_put_map:
-        if (use_ptemod)
+        if (use_ptemod) {
                map->vma = NULL;
+                unmap_grant_pages(map, 0, map->count);
+        }
        gntdev_put_map(priv, map);
        return err;
 }
diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index c49f79ed58c5..4b7ce442d8e5 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -328,7 +328,7 @@ static void gnttab_handle_deferred(unsigned long unused)
                        if (entry->page) {
                                pr_debug("freeing g.e. %#x (pfn %#lx)\n",
                                         entry->ref, page_to_pfn(entry->page));
-                                __free_page(entry->page);
+                                put_page(entry->page);
                        } else
                                pr_info("freeing g.e. %#x\n", entry->ref);
                        kfree(entry);
@@ -384,7 +384,7 @@ void gnttab_end_foreign_access(grant_ref_t ref, int readonly,
        if (gnttab_end_foreign_access_ref(ref, readonly)) {
                put_free_entry(ref);
                if (page != 0)
-                        free_page(page);
+                        put_page(virt_to_page(page));
        } else
                gnttab_add_deferred(ref, readonly,
                                    page ? virt_to_page(page) : NULL);
diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
index f7b19c25c3a4..1889e928a0da 100644
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -359,7 +359,7 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
         * physical address */
        phys = xen_bus_to_phys(dev_addr);
-        if (((dev_addr + size - 1 > dma_mask)) ||
+        if (((dev_addr + size - 1 <= dma_mask)) ||
            range_straddles_page_boundary(phys, size))
                xen_destroy_contiguous_region(phys, order);
diff --git a/drivers/xen/xen-acpi-processor.c b/drivers/xen/xen-acpi-processor.c
index 2e319d0c395d..84cc98f3cabe 100644
--- a/drivers/xen/xen-acpi-processor.c
+++ b/drivers/xen/xen-acpi-processor.c
@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl, void *context, void **rv)
        }
        /* There are more ACPI Processor objects than in x2APIC or MADT.
         * This can happen with incorrect ACPI SSDT declerations. */
-        if (acpi_id > nr_acpi_bits) {
+        if (acpi_id >= nr_acpi_bits) {
-                pr_debug("We only have %u, trying to set %u\n",
+                pr_debug("max acpi id %u, trying to set %u\n",
-                         nr_acpi_bits, acpi_id);
+                         nr_acpi_bits - 1, acpi_id);
                return AE_OK;
        }
        /* OK, There is a ACPI Processor object */
diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c
index 33a31cfef55d..c2d447687e33 100644
--- a/drivers/xen/xenbus/xenbus_probe.c
+++ b/drivers/xen/xenbus/xenbus_probe.c
@@ -470,8 +470,11 @@ int xenbus_probe_node(struct xen_bus_type *bus,
        /* Register with generic device framework. */
        err = device_register(&xendev->dev);
-        if (err)
+        if (err) {
+                put_device(&xendev->dev);
+                xendev = NULL;
                goto fail;
+        }
        return 0;
 fail:
diff --git a/drivers/zorro/zorro.c b/drivers/zorro/zorro.c
index d295d9878dff..8ec79385d3cc 100644
--- a/drivers/zorro/zorro.c
+++ b/drivers/zorro/zorro.c
@@ -16,6 +16,7 @@
 #include <linux/bitops.h>
 #include <linux/string.h>
 #include <linux/platform_device.h>
+#include <linux/dma-mapping.h>
 #include <linux/slab.h>
 #include <asm/byteorder.h>
@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(struct platform_device *pdev)
                z->dev.parent = &bus->dev;
                z->dev.bus = &zorro_bus_type;
                z->dev.id = i;
+                switch (z->rom.er_Type & ERT_TYPEMASK) {
+                case ERT_ZORROIII:
+                        z->dev.coherent_dma_mask = DMA_BIT_MASK(32);
+                        break;
+                case ERT_ZORROII:
+                default:
+                        z->dev.coherent_dma_mask = DMA_BIT_MASK(24);
+                        break;
+                }
+                z->dev.dma_mask = &z->dev.coherent_dma_mask;
        }
        /* ... then register them */
diff --git a/fs/affs/namei.c b/fs/affs/namei.c
index 181e05b46e72..92448d0ad900 100644
--- a/fs/affs/namei.c
+++ b/fs/affs/namei.c
@@ -224,9 +224,10 @@ affs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags)
        affs_lock_dir(dir);
        bh = affs_find_entry(dir, dentry);
-        affs_unlock_dir(dir);
+        if (IS_ERR(bh)) {
-        if (IS_ERR(bh))
+                affs_unlock_dir(dir);
                return ERR_CAST(bh);
+        }
        if (bh) {
                u32 ino = bh->b_blocknr;
@@ -240,10 +241,13 @@ affs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags)
                }
                affs_brelse(bh);
                inode = affs_iget(sb, ino);
-                if (IS_ERR(inode))
+                if (IS_ERR(inode)) {
+                        affs_unlock_dir(dir);
                        return ERR_CAST(inode);
+                }
        }
        d_add(dentry, inode);
+        affs_unlock_dir(dir);
        return NULL;
 }
diff --git a/fs/aio.c b/fs/aio.c
index fe4f49212b99..c283eb03cb38 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -68,9 +68,9 @@ struct aio_ring {
 #define AIO_RING_PAGES  8
 struct kioctx_table {
-        struct rcu_head rcu;
+        struct rcu_head         rcu;
-        unsigned        nr;
+        unsigned                nr;
-        struct kioctx   *table[];
+        struct kioctx __rcu     *table[];
 };
 struct kioctx_cpu {
@@ -115,7 +115,8 @@ struct kioctx {
        struct page             **ring_pages;
        long                    nr_pages;
-        struct work_struct      free_work;
+        struct rcu_head         free_rcu;
+        struct work_struct      free_work;      /* see free_ioctx() */
        /*
         * signals when all in-flight requests are done
@@ -326,7 +327,7 @@ static int aio_ring_mremap(struct vm_area_struct *vma)
        for (i = 0; i < table->nr; i++) {
                struct kioctx *ctx;
-                ctx = table->table[i];
+                ctx = rcu_dereference(table->table[i]);
                if (ctx && ctx->aio_ring_file == file) {
                        if (!atomic_read(&ctx->dead)) {
                                ctx->user_id = ctx->mmap_base = vma->vm_start;
@@ -573,6 +574,12 @@ static int kiocb_cancel(struct aio_kiocb *kiocb)
        return cancel(&kiocb->common);
 }
+/*
+ * free_ioctx() should be RCU delayed to synchronize against the RCU
+ * protected lookup_ioctx() and also needs process context to call
+ * aio_free_ring(), so the double bouncing through kioctx->free_rcu and
+ * ->free_work.
+ */
 static void free_ioctx(struct work_struct *work)
 {
        struct kioctx *ctx = container_of(work, struct kioctx, free_work);
@@ -586,6 +593,14 @@ static void free_ioctx(struct work_struct *work)
        kmem_cache_free(kioctx_cachep, ctx);
 }
+static void free_ioctx_rcufn(struct rcu_head *head)
+{
+        struct kioctx *ctx = container_of(head, struct kioctx, free_rcu);
+        INIT_WORK(&ctx->free_work, free_ioctx);
+        schedule_work(&ctx->free_work);
+}
 static void free_ioctx_reqs(struct percpu_ref *ref)
 {
        struct kioctx *ctx = container_of(ref, struct kioctx, reqs);
@@ -594,8 +609,8 @@ static void free_ioctx_reqs(struct percpu_ref *ref)
        if (ctx->rq_wait && atomic_dec_and_test(&ctx->rq_wait->count))
                complete(&ctx->rq_wait->comp);
-        INIT_WORK(&ctx->free_work, free_ioctx);
+        /* Synchronize against RCU protected table->table[] dereferences */
-        schedule_work(&ctx->free_work);
+        call_rcu(&ctx->free_rcu, free_ioctx_rcufn);
 }
 /*
@@ -613,9 +628,8 @@ static void free_ioctx_users(struct percpu_ref *ref)
        while (!list_empty(&ctx->active_reqs)) {
                req = list_first_entry(&ctx->active_reqs,
                                       struct aio_kiocb, ki_list);
-                list_del_init(&req->ki_list);
                kiocb_cancel(req);
+                list_del_init(&req->ki_list);
        }
        spin_unlock_irq(&ctx->ctx_lock);
@@ -636,9 +650,9 @@ static int ioctx_add_table(struct kioctx *ctx, struct mm_struct *mm)
        while (1) {
                if (table)
                        for (i = 0; i < table->nr; i++)
-                                if (!table->table[i]) {
+                                if (!rcu_access_pointer(table->table[i])) {
                                        ctx->id = i;
-                                        table->table[i] = ctx;
+                                        rcu_assign_pointer(table->table[i], ctx);
                                        spin_unlock(&mm->ioctx_lock);
                                        /* While kioctx setup is in progress,
@@ -813,11 +827,11 @@ static int kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,
        }
        table = rcu_dereference_raw(mm->ioctx_table);
-        WARN_ON(ctx != table->table[ctx->id]);
+        WARN_ON(ctx != rcu_access_pointer(table->table[ctx->id]));
-        table->table[ctx->id] = NULL;
+        RCU_INIT_POINTER(table->table[ctx->id], NULL);
        spin_unlock(&mm->ioctx_lock);
-        /* percpu_ref_kill() will do the necessary call_rcu() */
+        /* free_ioctx_reqs() will do the necessary RCU synchronization */
        wake_up_all(&ctx->wait);
        /*
@@ -859,7 +873,8 @@ void exit_aio(struct mm_struct *mm)
        skipped = 0;
        for (i = 0; i < table->nr; ++i) {
-                struct kioctx *ctx = table->table[i];
+                struct kioctx *ctx =
+                        rcu_dereference_protected(table->table[i], true);
                if (!ctx) {
                        skipped++;
@@ -1048,10 +1063,10 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
        if (!table || id >= table->nr)
                goto out;
-        ctx = table->table[id];
+        ctx = rcu_dereference(table->table[id]);
        if (ctx && ctx->user_id == ctx_id) {
-                percpu_ref_get(&ctx->users);
+                if (percpu_ref_tryget_live(&ctx->users))
-                ret = ctx;
+                        ret = ctx;
        }
 out:
        rcu_read_unlock();
diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c
index 7a54c6a867c8..500098cdb960 100644
--- a/fs/autofs4/root.c
+++ b/fs/autofs4/root.c
@@ -746,7 +746,7 @@ static int autofs4_dir_mkdir(struct inode *dir, struct dentry *dentry, umode_t m
        autofs4_del_active(dentry);
-        inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555);
+        inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode);
        if (!inode)
                return -ENOMEM;
        d_add(dentry, inode);
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index 78f005f37847..dd784bcf7c96 100644
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -369,8 +369,13 @@ static Node *create_entry(const char __user *buffer, size_t count)
                s = strchr(p, del);
                if (!s)
                        goto einval;
-                *s++ = '\0';
+                *s = '\0';
-                e->offset = simple_strtoul(p, &p, 10);
+                if (p != s) {
+                        int r = kstrtoint(p, 10, &e->offset);
+                        if (r != 0 || e->offset < 0)
+                                goto einval;
+                }
+                p = s;
                if (*p++)
                        goto einval;
                pr_debug("register: offset: %#x\n", e->offset);
@@ -410,7 +415,8 @@ static Node *create_entry(const char __user *buffer, size_t count)
                if (e->mask &&
                    string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
                        goto einval;
-                if (e->size + e->offset > BINPRM_BUF_SIZE)
+                if (e->size > BINPRM_BUF_SIZE ||
+                    BINPRM_BUF_SIZE - e->size < e->offset)
                        goto einval;
                pr_debug("register: magic/mask length: %i\n", e->size);
                if (USE_DEBUG) {
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index fb3e64d37cb4..6b16b8653d98 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -82,12 +82,6 @@ static int __btrfs_set_acl(struct btrfs_trans_handle *trans,
        switch (type) {
        case ACL_TYPE_ACCESS:
                name = POSIX_ACL_XATTR_ACCESS;
-                if (acl) {
-                        ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
-                        if (ret)
-                                return ret;
-                }
-                ret = 0;
                break;
        case ACL_TYPE_DEFAULT:
                if (!S_ISDIR(inode->i_mode))
@@ -123,7 +117,18 @@ out:
 int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
 {
-        return __btrfs_set_acl(NULL, inode, acl, type);
+        int ret;
+        umode_t old_mode = inode->i_mode;
+        if (type == ACL_TYPE_ACCESS && acl) {
+                ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+                if (ret)
+                        return ret;
+        }
+        ret = __btrfs_set_acl(NULL, inode, acl, type);
+        if (ret)
+                inode->i_mode = old_mode;
+        return ret;
 }
 /*
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index 0f2b7c622ce3..38ee08675468 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -2497,10 +2497,8 @@ read_block_for_search(struct btrfs_trans_handle *trans,
        if (p->reada)
                reada_for_search(root, p, level, slot, key->objectid);
-        btrfs_release_path(p);
        ret = -EAGAIN;
-        tmp = read_tree_block(root, blocknr, 0);
+        tmp = read_tree_block(root, blocknr, gen);
        if (!IS_ERR(tmp)) {
                /*
                 * If the read above didn't mark this buffer up to date,
@@ -2512,6 +2510,8 @@ read_block_for_search(struct btrfs_trans_handle *trans,
                        ret = -EIO;
                free_extent_buffer(tmp);
        }
+        btrfs_release_path(p);
        return ret;
 }
@@ -2769,6 +2769,8 @@ again:
                 * contention with the cow code
                 */
                if (cow) {
+                        bool last_level = (level == (BTRFS_MAX_LEVEL - 1));
                        /*
                         * if we don't really need to cow this block
                         * then we don't want to set the path blocking,
@@ -2793,9 +2795,13 @@ again:
                        }
                        btrfs_set_path_blocking(p);
-                        err = btrfs_cow_block(trans, root, b,
+                        if (last_level)
-                                              p->nodes[level + 1],
+                                err = btrfs_cow_block(trans, root, b, NULL, 0,
-                                              p->slots[level + 1], &b);
+                                                      &b);
+                        else
+                                err = btrfs_cow_block(trans, root, b,
+                                                      p->nodes[level + 1],
+                                                      p->slots[level + 1], &b);
                        if (err) {
                                ret = err;
                                goto done;
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 85b207d19aa5..d106b981d86f 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -923,7 +923,7 @@ static int check_async_write(struct inode *inode, unsigned long bio_flags)
        if (bio_flags & EXTENT_BIO_TREE_LOG)
                return 0;
 #ifdef CONFIG_X86
-        if (cpu_has_xmm4_2)
+        if (static_cpu_has(X86_FEATURE_XMM4_2))
                return 0;
 #endif
        return 1;
@@ -1196,7 +1196,7 @@ static struct btrfs_subvolume_writers *btrfs_alloc_subvolume_writers(void)
        if (!writers)
                return ERR_PTR(-ENOMEM);
-        ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL);
+        ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS);
        if (ret < 0) {
                kfree(writers);
                return ERR_PTR(ret);
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 260f94b019c9..982a9d509817 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -4392,6 +4392,7 @@ again:
        if (wait_for_alloc) {
                mutex_unlock(&fs_info->chunk_mutex);
                wait_for_alloc = 0;
+                cond_resched();
                goto again;
        }
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index e767f347f2b1..88bee6703cc0 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -2534,7 +2534,7 @@ int end_extent_writepage(struct page *page, int err, u64 start, u64 end)
        if (!uptodate) {
                ClearPageUptodate(page);
                SetPageError(page);
-                ret = ret < 0 ? ret : -EIO;
+                ret = err < 0 ? err : -EIO;
                mapping_set_error(page->mapping, ret);
        }
        return 0;
diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
index d4a6eef31854..052973620595 100644
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1861,10 +1861,19 @@ int btrfs_release_file(struct inode *inode, struct file *filp)
 static int start_ordered_ops(struct inode *inode, loff_t start, loff_t end)
 {
        int ret;
+        struct blk_plug plug;
+        /*
+         * This is only called in fsync, which would do synchronous writes, so
+         * a plug can merge adjacent IOs as much as possible.  Esp. in case of
+         * multiple disks using raid profile, a large IO can be split to
+         * several segments of stripe length (currently 64K).
+         */
+        blk_start_plug(&plug);
        atomic_inc(&BTRFS_I(inode)->sync_writers);
        ret = btrfs_fdatawrite_range(inode, start, end);
        atomic_dec(&BTRFS_I(inode)->sync_writers);
+        blk_finish_plug(&plug);
        return ret;
 }
diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
index cfe99bec49de..45934deacfd7 100644
--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -1258,7 +1258,7 @@ static int __btrfs_write_out_cache(struct btrfs_root *root, struct inode *inode,
        /* Lock all pages first so we can lock the extent safely. */
        ret = io_ctl_prepare_pages(io_ctl, inode, 0);
        if (ret)
-                goto out;
+                goto out_unlock;
        lock_extent_bits(&BTRFS_I(inode)->io_tree, 0, i_size_read(inode) - 1,
                         0, &cached_state);
@@ -1351,6 +1351,7 @@ out_nospc_locked:
 out_nospc:
        cleanup_write_cache_enospc(inode, io_ctl, &cached_state, &bitmap_list);
+out_unlock:
        if (block_group && (block_group->flags & BTRFS_BLOCK_GROUP_DATA))
                up_write(&block_group->data_rwsem);
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index af1da85da509..b895be3d4311 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1202,6 +1202,8 @@ static noinline int csum_exist_in_range(struct btrfs_root *root,
                list_del(&sums->list);
                kfree(sums);
        }
+        if (ret < 0)
+                return ret;
        return 1;
 }
@@ -1292,8 +1294,11 @@ next_slot:
                leaf = path->nodes[0];
                if (path->slots[0] >= btrfs_header_nritems(leaf)) {
                        ret = btrfs_next_leaf(root, path);
-                        if (ret < 0)
+                        if (ret < 0) {
+                                if (cow_start != (u64)-1)
+                                        cur_offset = cow_start;
                                goto error;
+                        }
                        if (ret > 0)
                                break;
                        leaf = path->nodes[0];
@@ -1348,10 +1353,23 @@ next_slot:
                                goto out_check;
                        if (btrfs_extent_readonly(root, disk_bytenr))
                                goto out_check;
-                        if (btrfs_cross_ref_exist(trans, root, ino,
+                        ret = btrfs_cross_ref_exist(trans, root, ino,
                                                  found_key.offset -
-                                                  extent_offset, disk_bytenr))
+                                                  extent_offset, disk_bytenr);
+                        if (ret) {
+                                /*
+                                 * ret could be -EIO if the above fails to read
+                                 * metadata.
+                                 */
+                                if (ret < 0) {
+                                        if (cow_start != (u64)-1)
+                                                cur_offset = cow_start;
+                                        goto error;
+                                }
+                                WARN_ON_ONCE(nolock);
                                goto out_check;
+                        }
                        disk_bytenr += extent_offset;
                        disk_bytenr += cur_offset - found_key.offset;
                        num_bytes = min(end + 1, extent_end) - cur_offset;
@@ -1369,8 +1387,20 @@ next_slot:
                         * this ensure that csum for a given extent are
                         * either valid or do not exist.
                         */
-                        if (csum_exist_in_range(root, disk_bytenr, num_bytes))
+                        ret = csum_exist_in_range(root, disk_bytenr, num_bytes);
+                        if (ret) {
+                                /*
+                                 * ret could be -EIO if the above fails to read
+                                 * metadata.
+                                 */
+                                if (ret < 0) {
+                                        if (cow_start != (u64)-1)
+                                                cur_offset = cow_start;
+                                        goto error;
+                                }
+                                WARN_ON_ONCE(nolock);
                                goto out_check;
+                        }
                        nocow = 1;
                } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
                        extent_end = found_key.offset +
@@ -2015,7 +2045,15 @@ again:
                goto out;
         }
-        btrfs_set_extent_delalloc(inode, page_start, page_end, &cached_state);
+        ret = btrfs_set_extent_delalloc(inode, page_start, page_end,
+                                        &cached_state);
+        if (ret) {
+                mapping_set_error(page->mapping, ret);
+                end_extent_writepage(page, ret, page_start, page_end);
+                ClearPageChecked(page);
+                goto out;
+        }
        ClearPageChecked(page);
        set_page_dirty(page);
 out:
@@ -6402,8 +6440,7 @@ static int btrfs_mknod(struct inode *dir, struct dentry *dentry,
                goto out_unlock_inode;
        } else {
                btrfs_update_inode(trans, root, inode);
-                unlock_new_inode(inode);
+                d_instantiate_new(dentry, inode);
-                d_instantiate(dentry, inode);
        }
 out_unlock:
@@ -6478,8 +6515,7 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry,
                goto out_unlock_inode;
        BTRFS_I(inode)->io_tree.ops = &btrfs_extent_io_ops;
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
 out_unlock:
        btrfs_end_transaction(trans, root);
@@ -6622,12 +6658,7 @@ static int btrfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
        if (err)
                goto out_fail_inode;
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
-        /*
-         * mkdir is special.  We're unlocking after we call d_instantiate
-         * to avoid a race with nfsd calling d_instantiate.
-         */
-        unlock_new_inode(inode);
        drop_on_err = 0;
 out_fail:
@@ -9778,8 +9809,7 @@ static int btrfs_symlink(struct inode *dir, struct dentry *dentry,
                goto out_unlock_inode;
        }
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
 out_unlock:
        btrfs_end_transaction(trans, root);
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 9c3b9d07f341..6caeb946fc1d 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2231,7 +2231,7 @@ static noinline int btrfs_search_path_in_tree(struct btrfs_fs_info *info,
        if (!path)
                return -ENOMEM;
-        ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX];
+        ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX - 1];
        key.objectid = tree_id;
        key.type = BTRFS_ROOT_ITEM_KEY;
@@ -3923,11 +3923,6 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
        if (!(src_file.file->f_mode & FMODE_READ))
                goto out_fput;
-        /* don't make the dst file partly checksummed */
-        if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) !=
-            (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM))
-                goto out_fput;
        ret = -EISDIR;
        if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode))
                goto out_fput;
@@ -3942,6 +3937,13 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
                mutex_lock(&src->i_mutex);
        }
+        /* don't make the dst file partly checksummed */
+        if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) !=
+            (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) {
+                ret = -EINVAL;
+                goto out_unlock;
+        }
        /* determine range to clone */
        ret = -EINVAL;
        if (off + len > src->i_size || off + len < off)
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 88d9b66e2207..a751937dded5 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -2186,6 +2186,21 @@ void assert_qgroups_uptodate(struct btrfs_trans_handle *trans)
 }
 /*
+ * Check if the leaf is the last leaf. Which means all node pointers
+ * are at their last position.
+ */
+static bool is_last_leaf(struct btrfs_path *path)
+{
+        int i;
+        for (i = 1; i < BTRFS_MAX_LEVEL && path->nodes[i]; i++) {
+                if (path->slots[i] != btrfs_header_nritems(path->nodes[i]) - 1)
+                        return false;
+        }
+        return true;
+}
+/*
 * returns < 0 on error, 0 when more leafs are to be scanned.
 * returns 1 when done.
 */
@@ -2198,6 +2213,7 @@ qgroup_rescan_leaf(struct btrfs_fs_info *fs_info, struct btrfs_path *path,
        struct ulist *roots = NULL;
        struct seq_list tree_mod_seq_elem = SEQ_LIST_INIT(tree_mod_seq_elem);
        u64 num_bytes;
+        bool done;
        int slot;
        int ret;
@@ -2225,6 +2241,7 @@ qgroup_rescan_leaf(struct btrfs_fs_info *fs_info, struct btrfs_path *path,
                mutex_unlock(&fs_info->qgroup_rescan_lock);
                return ret;
        }
+        done = is_last_leaf(path);
        btrfs_item_key_to_cpu(path->nodes[0], &found,
                              btrfs_header_nritems(path->nodes[0]) - 1);
@@ -2271,6 +2288,8 @@ out:
        }
        btrfs_put_tree_mod_seq(fs_info, &tree_mod_seq_elem);
+        if (done && !ret)
+                ret = 1;
        return ret;
 }
diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c
index 1a33d3eb36de..b9fa99577bf7 100644
--- a/fs/btrfs/raid56.c
+++ b/fs/btrfs/raid56.c
@@ -2160,11 +2160,21 @@ int raid56_parity_recover(struct btrfs_root *root, struct bio *bio,
        }
        /*
-         * reconstruct from the q stripe if they are
+         * Loop retry:
-         * asking for mirror 3
+         * for 'mirror == 2', reconstruct from all other stripes.
+         * for 'mirror_num > 2', select a stripe to fail on every retry.
         */
-        if (mirror_num == 3)
+        if (mirror_num > 2) {
-                rbio->failb = rbio->real_stripes - 2;
+                /*
+                 * 'mirror == 3' is to fail the p stripe and
+                 * reconstruct from the q stripe.  'mirror > 3' is to
+                 * fail a data stripe and reconstruct from p+q stripe.
+                 */
+                rbio->failb = rbio->real_stripes - (mirror_num - 1);
+                ASSERT(rbio->failb > 0);
+                if (rbio->failb <= rbio->faila)
+                        rbio->failb--;
+        }
        ret = lock_stripe_add(rbio);
diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index b091d94ceef6..6dca9f937bf6 100644
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -2513,7 +2513,7 @@ static int scrub_extent(struct scrub_ctx *sctx, u64 logical, u64 len,
                        have_csum = scrub_find_csum(sctx, logical, csum);
                        if (have_csum == 0)
                                ++sctx->stat.no_csum;
-                        if (sctx->is_dev_replace && !have_csum) {
+                        if (0 && sctx->is_dev_replace && !have_csum) {
                                ret = copy_nocow_pages(sctx, logical, l,
                                                       mirror_num,
                                                      physical_for_dev_replace);
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index c5bbb5300658..83c73738165e 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -4674,6 +4674,9 @@ static int send_hole(struct send_ctx *sctx, u64 end)
        u64 len;
        int ret = 0;
+        if (sctx->flags & BTRFS_SEND_FLAG_NO_FILE_DATA)
+                return send_update_extent(sctx, offset, end - offset);
        p = fs_path_alloc();
        if (!p)
                return -ENOMEM;
@@ -5008,13 +5011,19 @@ static int is_extent_unchanged(struct send_ctx *sctx,
        while (key.offset < ekey->offset + left_len) {
                ei = btrfs_item_ptr(eb, slot, struct btrfs_file_extent_item);
                right_type = btrfs_file_extent_type(eb, ei);
-                if (right_type != BTRFS_FILE_EXTENT_REG) {
+                if (right_type != BTRFS_FILE_EXTENT_REG &&
+                    right_type != BTRFS_FILE_EXTENT_INLINE) {
                        ret = 0;
                        goto out;
                }
                right_disknr = btrfs_file_extent_disk_bytenr(eb, ei);
-                right_len = btrfs_file_extent_num_bytes(eb, ei);
+                if (right_type == BTRFS_FILE_EXTENT_INLINE) {
+                        right_len = btrfs_file_extent_inline_len(eb, slot, ei);
+                        right_len = PAGE_ALIGN(right_len);
+                } else {
+                        right_len = btrfs_file_extent_num_bytes(eb, ei);
+                }
                right_offset = btrfs_file_extent_offset(eb, ei);
                right_gen = btrfs_file_extent_generation(eb, ei);
@@ -5028,6 +5037,19 @@ static int is_extent_unchanged(struct send_ctx *sctx,
                        goto out;
                }
+                /*
+                 * We just wanted to see if when we have an inline extent, what
+                 * follows it is a regular extent (wanted to check the above
+                 * condition for inline extents too). This should normally not
+                 * happen but it's possible for example when we have an inline
+                 * compressed extent representing data with a size matching
+                 * the page size (currently the same as sector size).
+                 */
+                if (right_type == BTRFS_FILE_EXTENT_INLINE) {
+                        ret = 0;
+                        goto out;
+                }
                left_offset_fixed = left_offset;
                if (key.offset < ekey->offset) {
                        /* Fix the right offset for 2a and 7. */
diff --git a/fs/btrfs/tests/qgroup-tests.c b/fs/btrfs/tests/qgroup-tests.c
index 846d277b1901..2b2978c04e80 100644
--- a/fs/btrfs/tests/qgroup-tests.c
+++ b/fs/btrfs/tests/qgroup-tests.c
@@ -70,7 +70,7 @@ static int insert_normal_tree_ref(struct btrfs_root *root, u64 bytenr,
        btrfs_set_extent_generation(leaf, item, 1);
        btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK);
        block_info = (struct btrfs_tree_block_info *)(item + 1);
-        btrfs_set_tree_block_level(leaf, block_info, 1);
+        btrfs_set_tree_block_level(leaf, block_info, 0);
        iref = (struct btrfs_extent_inline_ref *)(block_info + 1);
        if (parent > 0) {
                btrfs_set_extent_inline_ref_type(leaf, iref,
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index ee7832e2d39d..2c7f9a5f8717 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -26,6 +26,7 @@
 #include "print-tree.h"
 #include "backref.h"
 #include "hash.h"
+#include "inode-map.h"
 /* magic values for the inode_only field in btrfs_log_inode:
 *
@@ -2222,8 +2223,10 @@ again:
                        nritems = btrfs_header_nritems(path->nodes[0]);
                        if (path->slots[0] >= nritems) {
                                ret = btrfs_next_leaf(root, path);
-                                if (ret)
+                                if (ret == 1)
                                        break;
+                                else if (ret < 0)
+                                        goto out;
                        }
                        btrfs_item_key_to_cpu(path->nodes[0], &found_key,
                                              path->slots[0]);
@@ -2445,6 +2448,9 @@ static noinline int walk_down_log_tree(struct btrfs_trans_handle *trans,
                                                        next);
                                        btrfs_wait_tree_block_writeback(next);
                                        btrfs_tree_unlock(next);
+                                } else {
+                                        if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
+                                                clear_extent_buffer_dirty(next);
                                }
                                WARN_ON(root_owner !=
@@ -2524,6 +2530,9 @@ static noinline int walk_up_log_tree(struct btrfs_trans_handle *trans,
                                                        next);
                                        btrfs_wait_tree_block_writeback(next);
                                        btrfs_tree_unlock(next);
+                                } else {
+                                        if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
+                                                clear_extent_buffer_dirty(next);
                                }
                                WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID);
@@ -2600,6 +2609,9 @@ static int walk_log_tree(struct btrfs_trans_handle *trans,
                                clean_tree_block(trans, log->fs_info, next);
                                btrfs_wait_tree_block_writeback(next);
                                btrfs_tree_unlock(next);
+                        } else {
+                                if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
+                                        clear_extent_buffer_dirty(next);
                        }
                        WARN_ON(log->root_key.objectid !=
@@ -2949,8 +2961,11 @@ out_wake_log_root:
        mutex_unlock(&log_root_tree->log_mutex);
        /*
-         * The barrier before waitqueue_active is implied by mutex_unlock
+         * The barrier before waitqueue_active is needed so all the updates
+         * above are seen by the woken threads. It might not be necessary, but
+         * proving that seems to be hard.
         */
+        smp_mb();
        if (waitqueue_active(&log_root_tree->log_commit_wait[index2]))
                wake_up(&log_root_tree->log_commit_wait[index2]);
 out:
@@ -2961,8 +2976,11 @@ out:
        mutex_unlock(&root->log_mutex);
        /*
-         * The barrier before waitqueue_active is implied by mutex_unlock
+         * The barrier before waitqueue_active is needed so all the updates
+         * above are seen by the woken threads. It might not be necessary, but
+         * proving that seems to be hard.
         */
+        smp_mb();
        if (waitqueue_active(&root->log_commit_wait[index1]))
                wake_up(&root->log_commit_wait[index1]);
        return ret;
@@ -3368,8 +3386,11 @@ static noinline int log_dir_items(struct btrfs_trans_handle *trans,
                 * from this directory and from this transaction
                 */
                ret = btrfs_next_leaf(root, path);
-                if (ret == 1) {
+                if (ret) {
-                        last_offset = (u64)-1;
+                        if (ret == 1)
+                                last_offset = (u64)-1;
+                        else
+                                err = ret;
                        goto done;
                }
                btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
@@ -3820,6 +3841,7 @@ fill_holes:
                        ASSERT(ret == 0);
                        src = src_path->nodes[0];
                        i = 0;
+                        need_find_last_extent = true;
                }
                btrfs_item_key_to_cpu(src, &key, i);
@@ -4558,6 +4580,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans,
        struct extent_map_tree *em_tree = &BTRFS_I(inode)->extent_tree;
        u64 logged_isize = 0;
        bool need_log_inode_item = true;
+        bool xattrs_logged = false;
        path = btrfs_alloc_path();
        if (!path)
@@ -4798,6 +4821,7 @@ next_slot:
        err = btrfs_log_all_xattrs(trans, root, inode, path, dst_path);
        if (err)
                goto out_unlock;
+        xattrs_logged = true;
        if (max_key.type >= BTRFS_EXTENT_DATA_KEY && !fast_search) {
                btrfs_release_path(path);
                btrfs_release_path(dst_path);
@@ -4810,6 +4834,11 @@ log_extents:
        btrfs_release_path(dst_path);
        if (need_log_inode_item) {
                err = log_inode_item(trans, log, dst_path, inode);
+                if (!err && !xattrs_logged) {
+                        err = btrfs_log_all_xattrs(trans, root, inode, path,
+                                                   dst_path);
+                        btrfs_release_path(path);
+                }
                if (err)
                        goto out_unlock;
        }
@@ -5514,6 +5543,23 @@ again:
                                                      path);
                }
+                if (!ret && wc.stage == LOG_WALK_REPLAY_ALL) {
+                        struct btrfs_root *root = wc.replay_dest;
+                        btrfs_release_path(path);
+                        /*
+                         * We have just replayed everything, and the highest
+                         * objectid of fs roots probably has changed in case
+                         * some inode_item's got replayed.
+                         *
+                         * root->objectid_mutex is not acquired as log replay
+                         * could only happen during mount.
+                         */
+                        ret = btrfs_find_highest_objectid(root,
+                                                  &root->highest_objectid);
+                }
                key.offset = found_key.offset - 1;
                wc.replay_dest->log_root = NULL;
                free_extent_buffer(log->node);
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 600c67ef8a03..b4d63a9842fa 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -568,6 +568,7 @@ void btrfs_free_stale_device(struct btrfs_device *cur_dev)
                                btrfs_sysfs_remove_fsid(fs_devs);
                                list_del(&fs_devs->list);
                                free_fs_devices(fs_devs);
+                                break;
                        } else {
                                fs_devs->num_devices--;
                                list_del(&dev->dev_list);
@@ -3849,6 +3850,15 @@ int btrfs_resume_balance_async(struct btrfs_fs_info *fs_info)
                return 0;
        }
+        /*
+         * A ro->rw remount sequence should continue with the paused balance
+         * regardless of who pauses it, system or the user as of now, so set
+         * the resume flag.
+         */
+        spin_lock(&fs_info->balance_lock);
+        fs_info->balance_ctl->flags |= BTRFS_BALANCE_RESUME;
+        spin_unlock(&fs_info->balance_lock);
        tsk = kthread_run(balance_kthread, fs_info, "btrfs-balance");
        return PTR_ERR_OR_ZERO(tsk);
 }
@@ -4638,10 +4648,13 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans,
        if (devs_max && ndevs > devs_max)
                ndevs = devs_max;
        /*
-         * the primary goal is to maximize the number of stripes, so use as many
+         * The primary goal is to maximize the number of stripes, so use as
-         * devices as possible, even if the stripes are not maximum sized.
+         * many devices as possible, even if the stripes are not maximum sized.
+         *
+         * The DUP profile stores more than one stripe per device, the
+         * max_avail is the total size so we have to adjust.
         */
-        stripe_size = devices_info[ndevs-1].max_avail;
+        stripe_size = div_u64(devices_info[ndevs - 1].max_avail, dev_stripes);
        num_stripes = ndevs * dev_stripes;
        /*
@@ -4681,8 +4694,6 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans,
                        stripe_size = devices_info[ndevs-1].max_avail;
        }
-        stripe_size = div_u64(stripe_size, dev_stripes);
        /* align to BTRFS_STRIPE_LEN */
        stripe_size = div_u64(stripe_size, raid_stripe_len);
        stripe_size *= raid_stripe_len;
@@ -5045,7 +5056,14 @@ int btrfs_num_copies(struct btrfs_fs_info *fs_info, u64 logical, u64 len)
        else if (map->type & BTRFS_BLOCK_GROUP_RAID5)
                ret = 2;
        else if (map->type & BTRFS_BLOCK_GROUP_RAID6)
-                ret = 3;
+                /*
+                 * There could be two corrupted data stripes, we need
+                 * to loop retry in order to rebuild the correct data.
+                 *
+                 * Fail a stripe at a time on every retry except the
+                 * stripe under reconstruction.
+                 */
+                ret = map->num_stripes;
        else
                ret = 1;
        free_extent_map(em);
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index 4acbc390a7d6..1d707a67f8ac 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -306,9 +306,8 @@ int calc_lanman_hash(const char *password, const char *cryptkey, bool encrypt,
 {
        int i;
        int rc;
-        char password_with_pad[CIFS_ENCPWD_SIZE];
+        char password_with_pad[CIFS_ENCPWD_SIZE] = {0};
-        memset(password_with_pad, 0, CIFS_ENCPWD_SIZE);
        if (password)
                strncpy(password_with_pad, password, CIFS_ENCPWD_SIZE);
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 0c92af11f4f4..63aea21e6298 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -150,8 +150,14 @@ cifs_reconnect_tcon(struct cifs_tcon *tcon, int smb_command)
         * greater than cifs socket timeout which is 7 seconds
         */
        while (server->tcpStatus == CifsNeedReconnect) {
-                wait_event_interruptible_timeout(server->response_q,
+                rc = wait_event_interruptible_timeout(server->response_q,
-                        (server->tcpStatus != CifsNeedReconnect), 10 * HZ);
+                                                      (server->tcpStatus != CifsNeedReconnect),
+                                                      10 * HZ);
+                if (rc < 0) {
+                        cifs_dbg(FYI, "%s: aborting reconnect due to a received"
+                                 " signal by the process\n", __func__);
+                        return -ERESTARTSYS;
+                }
                /* are we still trying to reconnect? */
                if (server->tcpStatus != CifsNeedReconnect)
@@ -6421,9 +6427,7 @@ SetEARetry:
        pSMB->InformationLevel =
                cpu_to_le16(SMB_SET_FILE_EA);
-        parm_data =
+        parm_data = (void *)pSMB + offsetof(struct smb_hdr, Protocol) + offset;
-                (struct fealist *) (((char *) &pSMB->hdr.Protocol) +
-                                       offset);
        pSMB->ParameterOffset = cpu_to_le16(param_offset);
        pSMB->DataOffset = cpu_to_le16(offset);
        pSMB->SetupCount = 1;
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 0a2bf9462637..077ad3a06c9a 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1695,7 +1695,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
                        tmp_end++;
                        if (!(tmp_end < end && tmp_end[1] == delim)) {
                                /* No it is not. Set the password to NULL */
-                                kfree(vol->password);
+                                kzfree(vol->password);
                                vol->password = NULL;
                                break;
                        }
@@ -1733,7 +1733,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
                                        options = end;
                        }
-                        kfree(vol->password);
+                        kzfree(vol->password);
                        /* Now build new password string */
                        temp_len = strlen(value);
                        vol->password = kzalloc(temp_len+1, GFP_KERNEL);
@@ -4148,7 +4148,7 @@ cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid)
                reset_cifs_unix_caps(0, tcon, NULL, vol_info);
 out:
        kfree(vol_info->username);
-        kfree(vol_info->password);
+        kzfree(vol_info->password);
        kfree(vol_info);
        return tcon;
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index 49a0d6b027c1..76dacd5307b9 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -673,6 +673,9 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode,
                goto mknod_out;
        }
+        if (!S_ISCHR(mode) && !S_ISBLK(mode))
+                goto mknod_out;
        if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL))
                goto mknod_out;
@@ -681,10 +684,8 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode,
        buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
        if (buf == NULL) {
-                kfree(full_path);
                rc = -ENOMEM;
-                free_xid(xid);
+                goto mknod_out;
-                return rc;
        }
        if (backup_cred(cifs_sb))
@@ -731,7 +732,7 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode,
                pdev->minor = cpu_to_le64(MINOR(device_number));
                rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
                                                        &bytes_written, iov, 1);
-        } /* else if (S_ISFIFO) */
+        }
        tcon->ses->server->ops->close(xid, tcon, &fid);
        d_drop(direntry);
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index ec2d07bb9beb..0141aba9eca6 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -589,7 +589,7 @@ cifs_relock_file(struct cifsFileInfo *cfile)
        struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
        int rc = 0;
-        down_read(&cinode->lock_sem);
+        down_read_nested(&cinode->lock_sem, SINGLE_DEPTH_NESTING);
        if (cinode->can_cache_brlcks) {
                /* can cache locks - no need to relock */
                up_read(&cinode->lock_sem);
@@ -3241,20 +3241,18 @@ static const struct vm_operations_struct cifs_file_vm_ops = {
 int cifs_file_strict_mmap(struct file *file, struct vm_area_struct *vma)
 {
-        int rc, xid;
+        int xid, rc = 0;
        struct inode *inode = file_inode(file);
        xid = get_xid();
-        if (!CIFS_CACHE_READ(CIFS_I(inode))) {
+        if (!CIFS_CACHE_READ(CIFS_I(inode)))
                rc = cifs_zap_mapping(inode);
-                if (rc)
+        if (!rc)
-                        return rc;
+                rc = generic_file_mmap(file, vma);
-        }
+        if (!rc)
-        rc = generic_file_mmap(file, vma);
-        if (rc == 0)
                vma->vm_ops = &cifs_file_vm_ops;
        free_xid(xid);
        return rc;
 }
@@ -3264,16 +3262,16 @@ int cifs_file_mmap(struct file *file, struct vm_area_struct *vma)
        int rc, xid;
        xid = get_xid();
        rc = cifs_revalidate_file(file);
-        if (rc) {
+        if (rc)
                cifs_dbg(FYI, "Validation prior to mmap failed, error=%d\n",
                         rc);
-                free_xid(xid);
+        if (!rc)
-                return rc;
+                rc = generic_file_mmap(file, vma);
-        }
+        if (!rc)
-        rc = generic_file_mmap(file, vma);
-        if (rc == 0)
                vma->vm_ops = &cifs_file_vm_ops;
        free_xid(xid);
        return rc;
 }
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index 2396ab099849..0cc699d9b932 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -99,14 +99,11 @@ sesInfoFree(struct cifs_ses *buf_to_free)
        kfree(buf_to_free->serverOS);
        kfree(buf_to_free->serverDomain);
        kfree(buf_to_free->serverNOS);
-        if (buf_to_free->password) {
+        kzfree(buf_to_free->password);
-                memset(buf_to_free->password, 0, strlen(buf_to_free->password));
-                kfree(buf_to_free->password);
-        }
        kfree(buf_to_free->user_name);
        kfree(buf_to_free->domainName);
-        kfree(buf_to_free->auth_key.response);
+        kzfree(buf_to_free->auth_key.response);
-        kfree(buf_to_free);
+        kzfree(buf_to_free);
 }
 struct cifs_tcon *
@@ -137,10 +134,7 @@ tconInfoFree(struct cifs_tcon *buf_to_free)
        }
        atomic_dec(&tconInfoAllocCount);
        kfree(buf_to_free->nativeFileSystem);
-        if (buf_to_free->password) {
+        kzfree(buf_to_free->password);
-                memset(buf_to_free->password, 0, strlen(buf_to_free->password));
-                kfree(buf_to_free->password);
-        }
        kfree(buf_to_free);
 }
diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
index abae6dd2c6b9..cc88f4f0325e 100644
--- a/fs/cifs/netmisc.c
+++ b/fs/cifs/netmisc.c
@@ -980,10 +980,10 @@ struct timespec cnvrtDosUnixTm(__le16 le_date, __le16 le_time, int offset)
                cifs_dbg(VFS, "illegal hours %d\n", st->Hours);
        days = sd->Day;
        month = sd->Month;
-        if ((days > 31) || (month > 12)) {
+        if (days < 1 || days > 31 || month < 1 || month > 12) {
                cifs_dbg(VFS, "illegal date, month %d day: %d\n", month, days);
-                if (month > 12)
+                days = clamp(days, 1, 31);
-                        month = 12;
+                month = clamp(month, 1, 12);
        }
        month -= 1;
        days += total_days_of_prev_months[month];
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index e88ffe1da045..a035d1a95882 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -344,13 +344,12 @@ void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
        /* BB is NTLMV2 session security format easier to use here? */
        flags = NTLMSSP_NEGOTIATE_56 |  NTLMSSP_REQUEST_TARGET |
                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-                NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
+                NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
-        if (ses->server->sign) {
+                NTLMSSP_NEGOTIATE_SEAL;
+        if (ses->server->sign)
                flags |= NTLMSSP_NEGOTIATE_SIGN;
-                if (!ses->server->session_estab ||
+        if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
-                                ses->ntlmssp->sesskey_per_smbsess)
+                flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-                        flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-        }
        sec_blob->NegotiateFlags = cpu_to_le32(flags);
@@ -407,13 +406,12 @@ int build_ntlmssp_auth_blob(unsigned char **pbuffer,
        flags = NTLMSSP_NEGOTIATE_56 |
                NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
                NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
-                NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
+                NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
-        if (ses->server->sign) {
+                NTLMSSP_NEGOTIATE_SEAL;
+        if (ses->server->sign)
                flags |= NTLMSSP_NEGOTIATE_SIGN;
-                if (!ses->server->session_estab ||
+        if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
-                                ses->ntlmssp->sesskey_per_smbsess)
+                flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-                        flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
-        }
        tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
        sec_blob->NegotiateFlags = cpu_to_le32(flags);
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index f2ff60e58ec8..5f5ba807b414 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -158,7 +158,7 @@ out:
 static int
 smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
 {
-        int rc = 0;
+        int rc;
        struct nls_table *nls_codepage;
        struct cifs_ses *ses;
        struct TCP_Server_Info *server;
@@ -169,10 +169,10 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
         * for those three - in the calling routine.
         */
        if (tcon == NULL)
-                return rc;
+                return 0;
        if (smb2_command == SMB2_TREE_CONNECT)
-                return rc;
+                return 0;
        if (tcon->tidStatus == CifsExiting) {
                /*
@@ -215,8 +215,14 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
                        return -EAGAIN;
                }
-                wait_event_interruptible_timeout(server->response_q,
+                rc = wait_event_interruptible_timeout(server->response_q,
-                        (server->tcpStatus != CifsNeedReconnect), 10 * HZ);
+                                                      (server->tcpStatus != CifsNeedReconnect),
+                                                      10 * HZ);
+                if (rc < 0) {
+                        cifs_dbg(FYI, "%s: aborting reconnect due to a received"
+                                 " signal by the process\n", __func__);
+                        return -ERESTARTSYS;
+                }
                /* are we still trying to reconnect? */
                if (server->tcpStatus != CifsNeedReconnect)
@@ -234,7 +240,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
        }
        if (!tcon->ses->need_reconnect && !tcon->need_reconnect)
-                return rc;
+                return 0;
        nls_codepage = load_nls_default();
@@ -580,8 +586,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
        }
        /* check validate negotiate info response matches what we got earlier */
-        if (pneg_rsp->Dialect !=
+        if (pneg_rsp->Dialect != cpu_to_le16(tcon->ses->server->dialect))
-                        cpu_to_le16(tcon->ses->server->vals->protocol_id))
                goto vneg_out;
        if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
@@ -833,10 +838,8 @@ ssetup_exit:
        if (!rc) {
                mutex_lock(&server->srv_mutex);
-                if (server->sign && server->ops->generate_signingkey) {
+                if (server->ops->generate_signingkey) {
                        rc = server->ops->generate_signingkey(ses);
-                        kfree(ses->auth_key.response);
-                        ses->auth_key.response = NULL;
                        if (rc) {
                                cifs_dbg(FYI,
                                        "SMB3 session key generation failed\n");
@@ -858,10 +861,6 @@ ssetup_exit:
        }
 keygen_exit:
-        if (!server->sign) {
-                kfree(ses->auth_key.response);
-                ses->auth_key.response = NULL;
-        }
        if (spnego_key) {
                key_invalidate(spnego_key);
                key_put(spnego_key);
@@ -1006,15 +1005,19 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
                goto tcon_exit;
        }
-        if (rsp->ShareType & SMB2_SHARE_TYPE_DISK)
+        switch (rsp->ShareType) {
+        case SMB2_SHARE_TYPE_DISK:
                cifs_dbg(FYI, "connection to disk share\n");
-        else if (rsp->ShareType & SMB2_SHARE_TYPE_PIPE) {
+                break;
+        case SMB2_SHARE_TYPE_PIPE:
                tcon->ipc = true;
                cifs_dbg(FYI, "connection to pipe share\n");
-        } else if (rsp->ShareType & SMB2_SHARE_TYPE_PRINT) {
+                break;
-                tcon->print = true;
+        case SMB2_SHARE_TYPE_PRINT:
+                tcon->ipc = true;
                cifs_dbg(FYI, "connection to printer\n");
-        } else {
+                break;
+        default:
                cifs_dbg(VFS, "unknown share type %d\n", rsp->ShareType);
                rc = -EOPNOTSUPP;
                goto tcon_error_exit;
@@ -1559,6 +1562,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
        } else
                iov[0].iov_len = get_rfc1002_length(req) + 4;
+        /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
+        if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
+                req->hdr.Flags |= SMB2_FLAGS_SIGNED;
        rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
        rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c
index 4d24d17bcfc1..943be5ecfcd9 100644
--- a/fs/compat_binfmt_elf.c
+++ b/fs/compat_binfmt_elf.c
@@ -51,6 +51,7 @@
 #define elf_prstatus    compat_elf_prstatus
 #define elf_prpsinfo    compat_elf_prpsinfo
+#ifdef CONFIG_ELF_CORE
 /*
 * Compat version of cputime_to_compat_timeval, perhaps this
 * should be an inline in <linux/compat.h>.
@@ -63,6 +64,7 @@ static void cputime_to_compat_timeval(const cputime_t cputime,
        value->tv_sec = tv.tv_sec;
        value->tv_usec = tv.tv_usec;
 }
+#endif
 #undef cputime_to_timeval
 #define cputime_to_timeval cputime_to_compat_timeval
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index dcf26537c935..a52ca5cba015 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -811,7 +811,7 @@ static int compat_ioctl_preallocate(struct file *file,
 */
 #define XFORM(i) (((i) ^ ((i) << 27) ^ ((i) << 17)) & 0xffffffff)
-#define COMPATIBLE_IOCTL(cmd) XFORM(cmd),
+#define COMPATIBLE_IOCTL(cmd) XFORM((u32)cmd),
 /* ioctl should not be warned about even if it's not implemented.
   Valid reasons to use this:
   - It is implemented with ->compat_ioctl on some device, but programs
diff --git a/fs/dcache.c b/fs/dcache.c
index 3ed642e0a0c2..807efaab838e 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -634,11 +634,16 @@ again:
                spin_unlock(&parent->d_lock);
                goto again;
        }
-        rcu_read_unlock();
+        if (parent != dentry) {
-        if (parent != dentry)
                spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
-        else
+                if (unlikely(dentry->d_lockref.count < 0)) {
+                        spin_unlock(&parent->d_lock);
+                        parent = NULL;
+                }
+        } else {
                parent = NULL;
+        }
+        rcu_read_unlock();
        return parent;
 }
@@ -1892,6 +1897,28 @@ struct dentry *d_instantiate_unique(struct dentry *entry, struct inode *inode)
 EXPORT_SYMBOL(d_instantiate_unique);
+/*
+ * This should be equivalent to d_instantiate() + unlock_new_inode(),
+ * with lockdep-related part of unlock_new_inode() done before
+ * anything else.  Use that instead of open-coding d_instantiate()/
+ * unlock_new_inode() combinations.
+ */
+void d_instantiate_new(struct dentry *entry, struct inode *inode)
+{
+        BUG_ON(!hlist_unhashed(&entry->d_u.d_alias));
+        BUG_ON(!inode);
+        lockdep_annotate_inode_mutex_key(inode);
+        security_d_instantiate(entry, inode);
+        spin_lock(&inode->i_lock);
+        __d_instantiate(entry, inode);
+        WARN_ON(!(inode->i_state & I_NEW));
+        inode->i_state &= ~I_NEW;
+        smp_mb();
+        wake_up_bit(&inode->i_state, __I_NEW);
+        spin_unlock(&inode->i_lock);
+}
+EXPORT_SYMBOL(d_instantiate_new);
 /**
 * d_instantiate_no_diralias - instantiate a non-aliased dentry
 * @entry: dentry to complete
@@ -1927,10 +1954,12 @@ struct dentry *d_make_root(struct inode *root_inode)
                static const struct qstr name = QSTR_INIT("/", 1);
                res = __d_alloc(root_inode->i_sb, &name);
-                if (res)
+                if (res) {
+                        res->d_flags |= DCACHE_RCUACCESS;
                        d_instantiate(res, root_inode);
-                else
+                } else {
                        iput(root_inode);
+                }
        }
        return res;
 }
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index e2e47ba5d313..844d0c4da84f 100644
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -287,8 +287,7 @@ ecryptfs_create(struct inode *directory_inode, struct dentry *ecryptfs_dentry,
                iput(ecryptfs_inode);
                goto out;
        }
-        unlock_new_inode(ecryptfs_inode);
+        d_instantiate_new(ecryptfs_dentry, ecryptfs_inode);
-        d_instantiate(ecryptfs_dentry, ecryptfs_inode);
 out:
        return rc;
 }
diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c
index d6aeb84e90b6..d882d873c5a3 100644
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -178,11 +178,8 @@ ext2_get_acl(struct inode *inode, int type)
        return acl;
 }
-/*
+static int
- * inode->i_mutex: down
+__ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
- */
-int
-ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
 {
        int name_index;
        void *value = NULL;
@@ -192,13 +189,6 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
        switch(type) {
                case ACL_TYPE_ACCESS:
                        name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
-                        if (acl) {
-                                error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
-                                if (error)
-                                        return error;
-                                inode->i_ctime = CURRENT_TIME_SEC;
-                                mark_inode_dirty(inode);
-                        }
                        break;
                case ACL_TYPE_DEFAULT:
@@ -225,6 +215,24 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
 }
 /*
+ * inode->i_mutex: down
+ */
+int
+ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+{
+        int error;
+        if (type == ACL_TYPE_ACCESS && acl) {
+                error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+                if (error)
+                        return error;
+                inode->i_ctime = CURRENT_TIME_SEC;
+                mark_inode_dirty(inode);
+        }
+        return __ext2_set_acl(inode, acl, type);
+}
+/*
 * Initialize the ACLs of a new inode. Called from ext2_new_inode.
 *
 * dir->i_mutex: down
@@ -241,12 +249,12 @@ ext2_init_acl(struct inode *inode, struct inode *dir)
                return error;
        if (default_acl) {
-                error = ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+                error = __ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
                posix_acl_release(default_acl);
        }
        if (acl) {
                if (!error)
-                        error = ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
+                        error = __ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
                posix_acl_release(acl);
        }
        return error;
diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
index 0aa9bf6e6e53..f600c43f0047 100644
--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -1175,21 +1175,11 @@ do_indirects:
 static void ext2_truncate_blocks(struct inode *inode, loff_t offset)
 {
-        /*
-         * XXX: it seems like a bug here that we don't allow
-         * IS_APPEND inode to have blocks-past-i_size trimmed off.
-         * review and fix this.
-         *
-         * Also would be nice to be able to handle IO errors and such,
-         * but that's probably too much to ask.
-         */
        if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) ||
            S_ISLNK(inode->i_mode)))
                return;
        if (ext2_inode_is_fast_symlink(inode))
                return;
-        if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
-                return;
        dax_sem_down_write(EXT2_I(inode));
        __ext2_truncate_blocks(inode, offset);
diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c
index 3267a80dbbe2..da3d40ef1668 100644
--- a/fs/ext2/namei.c
+++ b/fs/ext2/namei.c
@@ -40,8 +40,7 @@ static inline int ext2_add_nondir(struct dentry *dentry, struct inode *inode)
 {
        int err = ext2_add_link(dentry, inode);
        if (!err) {
-                unlock_new_inode(inode);
+                d_instantiate_new(dentry, inode);
-                d_instantiate(dentry, inode);
                return 0;
        }
        inode_dec_link_count(inode);
@@ -267,8 +266,7 @@ static int ext2_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode)
        if (err)
                goto out_fail;
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
 out:
        return err;
diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
index f97110461c19..e0fb7cdcee89 100644
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -183,7 +183,6 @@ static int ext4_init_block_bitmap(struct super_block *sb,
        unsigned int bit, bit_max;
        struct ext4_sb_info *sbi = EXT4_SB(sb);
        ext4_fsblk_t start, tmp;
-        int flex_bg = 0;
        struct ext4_group_info *grp;
        J_ASSERT_BH(bh, buffer_locked(bh));
@@ -216,22 +215,19 @@ static int ext4_init_block_bitmap(struct super_block *sb,
        start = ext4_group_first_block_no(sb, block_group);
-        if (ext4_has_feature_flex_bg(sb))
-                flex_bg = 1;
        /* Set bits for block and inode bitmaps, and inode table */
        tmp = ext4_block_bitmap(sb, gdp);
-        if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
+        if (ext4_block_in_group(sb, tmp, block_group))
                ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
        tmp = ext4_inode_bitmap(sb, gdp);
-        if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
+        if (ext4_block_in_group(sb, tmp, block_group))
                ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
        tmp = ext4_inode_table(sb, gdp);
        for (; tmp < ext4_inode_table(sb, gdp) +
                     sbi->s_itb_per_group; tmp++) {
-                if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
+                if (ext4_block_in_group(sb, tmp, block_group))
                        ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
        }
@@ -242,8 +238,6 @@ static int ext4_init_block_bitmap(struct super_block *sb,
         */
        ext4_mark_bitmap_end(num_clusters_in_group(sb, block_group),
                             sb->s_blocksize * 8, bh->b_data);
-        ext4_block_bitmap_csum_set(sb, block_group, gdp, bh);
-        ext4_group_desc_csum_set(sb, block_group, gdp);
        return 0;
 }
@@ -322,6 +316,7 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
        struct ext4_sb_info *sbi = EXT4_SB(sb);
        ext4_grpblk_t offset;
        ext4_grpblk_t next_zero_bit;
+        ext4_grpblk_t max_bit = EXT4_CLUSTERS_PER_GROUP(sb);
        ext4_fsblk_t blk;
        ext4_fsblk_t group_first_block;
@@ -339,20 +334,25 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
        /* check whether block bitmap block number is set */
        blk = ext4_block_bitmap(sb, desc);
        offset = blk - group_first_block;
-        if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+        if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
+            !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
                /* bad block bitmap */
                return blk;
        /* check whether the inode bitmap block number is set */
        blk = ext4_inode_bitmap(sb, desc);
        offset = blk - group_first_block;
-        if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+        if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
+            !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
                /* bad block bitmap */
                return blk;
        /* check whether the inode table block number is set */
        blk = ext4_inode_table(sb, desc);
        offset = blk - group_first_block;
+        if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
+            EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit)
+                return blk;
        next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
                        EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
                        EXT4_B2C(sbi, offset));
@@ -378,6 +378,8 @@ static int ext4_validate_block_bitmap(struct super_block *sb,
                return -EFSCORRUPTED;
        ext4_lock_group(sb, block_group);
+        if (buffer_verified(bh))
+                goto verified;
        if (unlikely(!ext4_block_bitmap_csum_verify(sb, block_group,
                        desc, bh))) {
                ext4_unlock_group(sb, block_group);
@@ -400,6 +402,7 @@ static int ext4_validate_block_bitmap(struct super_block *sb,
                return -EFSCORRUPTED;
        }
        set_buffer_verified(bh);
+verified:
        ext4_unlock_group(sb, block_group);
        return 0;
 }
@@ -418,6 +421,7 @@ struct buffer_head *
 ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
 {
        struct ext4_group_desc *desc;
+        struct ext4_sb_info *sbi = EXT4_SB(sb);
        struct buffer_head *bh;
        ext4_fsblk_t bitmap_blk;
        int err;
@@ -426,6 +430,12 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
        if (!desc)
                return ERR_PTR(-EFSCORRUPTED);
        bitmap_blk = ext4_block_bitmap(sb, desc);
+        if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
+            (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
+                ext4_error(sb, "Invalid block bitmap block %llu in "
+                           "block_group %u", bitmap_blk, block_group);
+                return ERR_PTR(-EFSCORRUPTED);
+        }
        bh = sb_getblk(sb, bitmap_blk);
        if (unlikely(!bh)) {
                ext4_error(sb, "Cannot get buffer for block bitmap - "
@@ -443,10 +453,20 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
                goto verify;
        }
        ext4_lock_group(sb, block_group);
-        if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
+        if (ext4_has_group_desc_csum(sb) &&
+            (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
+                if (block_group == 0) {
+                        ext4_unlock_group(sb, block_group);
+                        unlock_buffer(bh);
+                        ext4_error(sb, "Block bitmap for bg 0 marked "
+                                   "uninitialized");
+                        err = -EFSCORRUPTED;
+                        goto out;
+                }
                err = ext4_init_block_bitmap(sb, bh, block_group, desc);
                set_bitmap_uptodate(bh);
                set_buffer_uptodate(bh);
+                set_buffer_verified(bh);
                ext4_unlock_group(sb, block_group);
                unlock_buffer(bh);
                if (err) {
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index c8ad14c697c4..f5d9f82b173a 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1468,11 +1468,6 @@ static inline struct timespec ext4_current_time(struct inode *inode)
 static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino)
 {
        return ino == EXT4_ROOT_INO ||
-                ino == EXT4_USR_QUOTA_INO ||
-                ino == EXT4_GRP_QUOTA_INO ||
-                ino == EXT4_BOOT_LOADER_INO ||
-                ino == EXT4_JOURNAL_INO ||
-                ino == EXT4_RESIZE_INO ||
                (ino >= EXT4_FIRST_INO(sb) &&
                 ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count));
 }
diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
index 3c9381547094..2d8e73793512 100644
--- a/fs/ext4/ext4_extents.h
+++ b/fs/ext4/ext4_extents.h
@@ -103,6 +103,7 @@ struct ext4_extent_header {
 };
 #define EXT4_EXT_MAGIC          cpu_to_le16(0xf30a)
+#define EXT4_MAX_EXTENT_DEPTH 5
 #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
        (sizeof(struct ext4_extent_header) + \
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 403c4bae3e18..1708597659a1 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -876,6 +876,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
        eh = ext_inode_hdr(inode);
        depth = ext_depth(inode);
+        if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
+                EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
+                                 depth);
+                ret = -EFSCORRUPTED;
+                goto err;
+        }
        if (path) {
                ext4_ext_drop_refs(path);
@@ -5380,8 +5386,9 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
        stop = le32_to_cpu(extent->ee_block);
       /*
-         * In case of left shift, Don't start shifting extents until we make
+        * For left shifts, make sure the hole on the left is big enough to
-         * sure the hole is big enough to accommodate the shift.
+        * accommodate the shift.  For right shifts, make sure the last extent
+        * won't be shifted beyond EXT_MAX_BLOCKS.
        */
        if (SHIFT == SHIFT_LEFT) {
                path = ext4_find_extent(inode, start - 1, &path,
@@ -5401,9 +5408,14 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
                if ((start == ex_start && shift > ex_start) ||
                    (shift > start - ex_end)) {
-                        ext4_ext_drop_refs(path);
+                        ret = -EINVAL;
-                        kfree(path);
+                        goto out;
-                        return -EINVAL;
+                }
+        } else {
+                if (shift > EXT_MAX_BLOCKS -
+                    (stop + ext4_ext_get_actual_len(extent))) {
+                        ret = -EINVAL;
+                        goto out;
                }
        }
diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index a8b1749d79a8..debf0707789d 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -460,7 +460,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode,
                int i, num;
                unsigned long nr_pages;
-                num = min_t(pgoff_t, end - index, PAGEVEC_SIZE);
+                num = min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1;
                nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index,
                                          (pgoff_t)num);
                if (nr_pages == 0)
diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index 5388207d2832..0963213e9cd3 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -63,44 +63,6 @@ void ext4_mark_bitmap_end(int start_bit, int end_bit, char *bitmap)
                memset(bitmap + (i >> 3), 0xff, (end_bit - i) >> 3);
 }
-/* Initializes an uninitialized inode bitmap */
-static int ext4_init_inode_bitmap(struct super_block *sb,
-                                       struct buffer_head *bh,
-                                       ext4_group_t block_group,
-                                       struct ext4_group_desc *gdp)
-{
-        struct ext4_group_info *grp;
-        struct ext4_sb_info *sbi = EXT4_SB(sb);
-        J_ASSERT_BH(bh, buffer_locked(bh));
-        /* If checksum is bad mark all blocks and inodes use to prevent
-         * allocation, essentially implementing a per-group read-only flag. */
-        if (!ext4_group_desc_csum_verify(sb, block_group, gdp)) {
-                grp = ext4_get_group_info(sb, block_group);
-                if (!EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
-                        percpu_counter_sub(&sbi->s_freeclusters_counter,
-                                           grp->bb_free);
-                set_bit(EXT4_GROUP_INFO_BBITMAP_CORRUPT_BIT, &grp->bb_state);
-                if (!EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) {
-                        int count;
-                        count = ext4_free_inodes_count(sb, gdp);
-                        percpu_counter_sub(&sbi->s_freeinodes_counter,
-                                           count);
-                }
-                set_bit(EXT4_GROUP_INFO_IBITMAP_CORRUPT_BIT, &grp->bb_state);
-                return -EFSBADCRC;
-        }
-        memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
-        ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), sb->s_blocksize * 8,
-                        bh->b_data);
-        ext4_inode_bitmap_csum_set(sb, block_group, gdp, bh,
-                                   EXT4_INODES_PER_GROUP(sb) / 8);
-        ext4_group_desc_csum_set(sb, block_group, gdp);
-        return 0;
-}
 void ext4_end_bitmap_read(struct buffer_head *bh, int uptodate)
 {
        if (uptodate) {
@@ -126,6 +88,8 @@ static int ext4_validate_inode_bitmap(struct super_block *sb,
                return -EFSCORRUPTED;
        ext4_lock_group(sb, block_group);
+        if (buffer_verified(bh))
+                goto verified;
        blk = ext4_inode_bitmap(sb, desc);
        if (!ext4_inode_bitmap_csum_verify(sb, block_group, desc, bh,
                                           EXT4_INODES_PER_GROUP(sb) / 8)) {
@@ -143,6 +107,7 @@ static int ext4_validate_inode_bitmap(struct super_block *sb,
                return -EFSBADCRC;
        }
        set_buffer_verified(bh);
+verified:
        ext4_unlock_group(sb, block_group);
        return 0;
 }
@@ -157,6 +122,7 @@ static struct buffer_head *
 ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
 {
        struct ext4_group_desc *desc;
+        struct ext4_sb_info *sbi = EXT4_SB(sb);
        struct buffer_head *bh = NULL;
        ext4_fsblk_t bitmap_blk;
        int err;
@@ -166,6 +132,12 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
                return ERR_PTR(-EFSCORRUPTED);
        bitmap_blk = ext4_inode_bitmap(sb, desc);
+        if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
+            (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
+                ext4_error(sb, "Invalid inode bitmap blk %llu in "
+                           "block_group %u", bitmap_blk, block_group);
+                return ERR_PTR(-EFSCORRUPTED);
+        }
        bh = sb_getblk(sb, bitmap_blk);
        if (unlikely(!bh)) {
                ext4_error(sb, "Cannot read inode bitmap - "
@@ -183,18 +155,24 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
        }
        ext4_lock_group(sb, block_group);
-        if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) {
+        if (ext4_has_group_desc_csum(sb) &&
-                err = ext4_init_inode_bitmap(sb, bh, block_group, desc);
+            (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) {
+                if (block_group == 0) {
+                        ext4_unlock_group(sb, block_group);
+                        unlock_buffer(bh);
+                        ext4_error(sb, "Inode bitmap for bg 0 marked "
+                                   "uninitialized");
+                        err = -EFSCORRUPTED;
+                        goto out;
+                }
+                memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
+                ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
+                                     sb->s_blocksize * 8, bh->b_data);
                set_bitmap_uptodate(bh);
                set_buffer_uptodate(bh);
                set_buffer_verified(bh);
                ext4_unlock_group(sb, block_group);
                unlock_buffer(bh);
-                if (err) {
-                        ext4_error(sb, "Failed to init inode bitmap for group "
-                                   "%u: %d", block_group, err);
-                        goto out;
-                }
                return bh;
        }
        ext4_unlock_group(sb, block_group);
@@ -953,7 +931,8 @@ got:
                /* recheck and clear flag under lock if we still need to */
                ext4_lock_group(sb, group);
-                if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
+                if (ext4_has_group_desc_csum(sb) &&
+                    (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
                        gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT);
                        ext4_free_group_clusters_set(sb, gdp,
                                ext4_free_clusters_after_init(sb, group, gdp));
@@ -1329,7 +1308,10 @@ int ext4_init_inode_table(struct super_block *sb, ext4_group_t group,
                            ext4_itable_unused_count(sb, gdp)),
                            sbi->s_inodes_per_block);
-        if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group)) {
+        if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group) ||
+            ((group == 0) && ((EXT4_INODES_PER_GROUP(sb) -
+                               ext4_itable_unused_count(sb, gdp)) <
+                              EXT4_FIRST_INO(sb)))) {
                ext4_error(sb, "Something is wrong with group %u: "
                           "used itable blocks: %d; "
                           "itable unused count: %u",
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index dad8e7bdf0a6..c449bc089c94 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -376,7 +376,7 @@ out:
 static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
                                    unsigned int len)
 {
-        int ret, size;
+        int ret, size, no_expand;
        struct ext4_inode_info *ei = EXT4_I(inode);
        if (!ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
@@ -386,15 +386,14 @@ static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
        if (size < len)
                return -ENOSPC;
-        down_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_lock_xattr(inode, &no_expand);
        if (ei->i_inline_off)
                ret = ext4_update_inline_data(handle, inode, len);
        else
                ret = ext4_create_inline_data(handle, inode, len);
-        up_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_unlock_xattr(inode, &no_expand);
        return ret;
 }
@@ -435,6 +434,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,
        memset((void *)ext4_raw_inode(&is.iloc)->i_block,
                0, EXT4_MIN_INLINE_DATA_SIZE);
+        memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE);
        if (ext4_has_feature_extents(inode->i_sb)) {
                if (S_ISDIR(inode->i_mode) ||
@@ -523,7 +523,7 @@ static int ext4_convert_inline_data_to_extent(struct address_space *mapping,
                                              struct inode *inode,
                                              unsigned flags)
 {
-        int ret, needed_blocks;
+        int ret, needed_blocks, no_expand;
        handle_t *handle = NULL;
        int retries = 0, sem_held = 0;
        struct page *page = NULL;
@@ -563,7 +563,7 @@ retry:
                goto out;
        }
-        down_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_lock_xattr(inode, &no_expand);
        sem_held = 1;
        /* If some one has already done this for us, just exit. */
        if (!ext4_has_inline_data(inode)) {
@@ -599,7 +599,7 @@ retry:
                page_cache_release(page);
                page = NULL;
                ext4_orphan_add(handle, inode);
-                up_write(&EXT4_I(inode)->xattr_sem);
+                ext4_write_unlock_xattr(inode, &no_expand);
                sem_held = 0;
                ext4_journal_stop(handle);
                handle = NULL;
@@ -625,7 +625,7 @@ out:
                page_cache_release(page);
        }
        if (sem_held)
-                up_write(&EXT4_I(inode)->xattr_sem);
+                ext4_write_unlock_xattr(inode, &no_expand);
        if (handle)
                ext4_journal_stop(handle);
        brelse(iloc.bh);
@@ -678,6 +678,10 @@ int ext4_try_to_write_inline_data(struct address_space *mapping,
                goto convert;
        }
+        ret = ext4_journal_get_write_access(handle, iloc.bh);
+        if (ret)
+                goto out;
        flags |= AOP_FLAG_NOFS;
        page = grab_cache_page_write_begin(mapping, 0, flags);
@@ -706,7 +710,7 @@ int ext4_try_to_write_inline_data(struct address_space *mapping,
 out_up_read:
        up_read(&EXT4_I(inode)->xattr_sem);
 out:
-        if (handle)
+        if (handle && (ret != 1))
                ext4_journal_stop(handle);
        brelse(iloc.bh);
        return ret;
@@ -718,7 +722,7 @@ convert:
 int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
                               unsigned copied, struct page *page)
 {
-        int ret;
+        int ret, no_expand;
        void *kaddr;
        struct ext4_iloc iloc;
@@ -736,7 +740,7 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
                goto out;
        }
-        down_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_lock_xattr(inode, &no_expand);
        BUG_ON(!ext4_has_inline_data(inode));
        kaddr = kmap_atomic(page);
@@ -746,8 +750,9 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
        /* clear page dirty so that writepages wouldn't work for us. */
        ClearPageDirty(page);
-        up_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_unlock_xattr(inode, &no_expand);
        brelse(iloc.bh);
+        mark_inode_dirty(inode);
 out:
        return copied;
 }
@@ -757,7 +762,7 @@ ext4_journalled_write_inline_data(struct inode *inode,
                                  unsigned len,
                                  struct page *page)
 {
-        int ret;
+        int ret, no_expand;
        void *kaddr;
        struct ext4_iloc iloc;
@@ -767,11 +772,11 @@ ext4_journalled_write_inline_data(struct inode *inode,
                return NULL;
        }
-        down_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_lock_xattr(inode, &no_expand);
        kaddr = kmap_atomic(page);
        ext4_write_inline_data(inode, &iloc, kaddr, 0, len);
        kunmap_atomic(kaddr);
-        up_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_unlock_xattr(inode, &no_expand);
        return iloc.bh;
 }
@@ -894,7 +899,6 @@ retry_journal:
                goto out;
        }
        page = grab_cache_page_write_begin(mapping, 0, flags);
        if (!page) {
                ret = -ENOMEM;
@@ -912,6 +916,9 @@ retry_journal:
                if (ret < 0)
                        goto out_release_page;
        }
+        ret = ext4_journal_get_write_access(handle, iloc.bh);
+        if (ret)
+                goto out_release_page;
        up_read(&EXT4_I(inode)->xattr_sem);
        *pagep = page;
@@ -932,7 +939,6 @@ int ext4_da_write_inline_data_end(struct inode *inode, loff_t pos,
                                  unsigned len, unsigned copied,
                                  struct page *page)
 {
-        int i_size_changed = 0;
        int ret;
        ret = ext4_write_inline_data_end(inode, pos, len, copied, page);
@@ -950,10 +956,8 @@ int ext4_da_write_inline_data_end(struct inode *inode, loff_t pos,
         * But it's important to update i_size while still holding page lock:
         * page writeout could otherwise come in and zero beyond i_size.
         */
-        if (pos+copied > inode->i_size) {
+        if (pos+copied > inode->i_size)
                i_size_write(inode, pos+copied);
-                i_size_changed = 1;
-        }
        unlock_page(page);
        page_cache_release(page);
@@ -963,8 +967,7 @@ int ext4_da_write_inline_data_end(struct inode *inode, loff_t pos,
         * ordering of page lock and transaction start for journaling
         * filesystems.
         */
-        if (i_size_changed)
+        mark_inode_dirty(inode);
-                mark_inode_dirty(inode);
        return copied;
 }
@@ -1255,7 +1258,7 @@ out:
 int ext4_try_add_inline_entry(handle_t *handle, struct ext4_filename *fname,
                              struct dentry *dentry, struct inode *inode)
 {
-        int ret, inline_size;
+        int ret, inline_size, no_expand;
        void *inline_start;
        struct ext4_iloc iloc;
        struct inode *dir = d_inode(dentry->d_parent);
@@ -1264,7 +1267,7 @@ int ext4_try_add_inline_entry(handle_t *handle, struct ext4_filename *fname,
        if (ret)
                return ret;
-        down_write(&EXT4_I(dir)->xattr_sem);
+        ext4_write_lock_xattr(dir, &no_expand);
        if (!ext4_has_inline_data(dir))
                goto out;
@@ -1310,7 +1313,7 @@ int ext4_try_add_inline_entry(handle_t *handle, struct ext4_filename *fname,
 out:
        ext4_mark_inode_dirty(handle, dir);
-        up_write(&EXT4_I(dir)->xattr_sem);
+        ext4_write_unlock_xattr(dir, &no_expand);
        brelse(iloc.bh);
        return ret;
 }
@@ -1670,7 +1673,7 @@ int ext4_delete_inline_entry(handle_t *handle,
                             struct buffer_head *bh,
                             int *has_inline_data)
 {
-        int err, inline_size;
+        int err, inline_size, no_expand;
        struct ext4_iloc iloc;
        void *inline_start;
@@ -1678,7 +1681,7 @@ int ext4_delete_inline_entry(handle_t *handle,
        if (err)
                return err;
-        down_write(&EXT4_I(dir)->xattr_sem);
+        ext4_write_lock_xattr(dir, &no_expand);
        if (!ext4_has_inline_data(dir)) {
                *has_inline_data = 0;
                goto out;
@@ -1713,7 +1716,7 @@ int ext4_delete_inline_entry(handle_t *handle,
        ext4_show_inline_dir(dir, iloc.bh, inline_start, inline_size);
 out:
-        up_write(&EXT4_I(dir)->xattr_sem);
+        ext4_write_unlock_xattr(dir, &no_expand);
        brelse(iloc.bh);
        if (err != -ENOENT)
                ext4_std_error(dir->i_sb, err);
@@ -1812,11 +1815,11 @@ out:
 int ext4_destroy_inline_data(handle_t *handle, struct inode *inode)
 {
-        int ret;
+        int ret, no_expand;
-        down_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_lock_xattr(inode, &no_expand);
        ret = ext4_destroy_inline_data_nolock(handle, inode);
-        up_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_unlock_xattr(inode, &no_expand);
        return ret;
 }
@@ -1901,7 +1904,7 @@ out:
 void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
 {
        handle_t *handle;
-        int inline_size, value_len, needed_blocks;
+        int inline_size, value_len, needed_blocks, no_expand;
        size_t i_size;
        void *value = NULL;
        struct ext4_xattr_ibody_find is = {
@@ -1918,7 +1921,7 @@ void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
        if (IS_ERR(handle))
                return;
-        down_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_lock_xattr(inode, &no_expand);
        if (!ext4_has_inline_data(inode)) {
                *has_inline = 0;
                ext4_journal_stop(handle);
@@ -1976,7 +1979,7 @@ out_error:
        up_write(&EXT4_I(inode)->i_data_sem);
 out:
        brelse(is.iloc.bh);
-        up_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_unlock_xattr(inode, &no_expand);
        kfree(value);
        if (inode->i_nlink)
                ext4_orphan_del(handle, inode);
@@ -1992,7 +1995,7 @@ out:
 int ext4_convert_inline_data(struct inode *inode)
 {
-        int error, needed_blocks;
+        int error, needed_blocks, no_expand;
        handle_t *handle;
        struct ext4_iloc iloc;
@@ -2014,15 +2017,10 @@ int ext4_convert_inline_data(struct inode *inode)
                goto out_free;
        }
-        down_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_lock_xattr(inode, &no_expand);
-        if (!ext4_has_inline_data(inode)) {
+        if (ext4_has_inline_data(inode))
-                up_write(&EXT4_I(inode)->xattr_sem);
+                error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
-                goto out;
+        ext4_write_unlock_xattr(inode, &no_expand);
-        }
-        error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
-        up_write(&EXT4_I(inode)->xattr_sem);
-out:
        ext4_journal_stop(handle);
 out_free:
        brelse(iloc.bh);
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 4df1cb19a243..181db3c7f5d1 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -380,9 +380,9 @@ static int __check_block_validity(struct inode *inode, const char *func,
        if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk,
                                   map->m_len)) {
                ext4_error_inode(inode, func, line, map->m_pblk,
-                                 "lblock %lu mapped to illegal pblock "
+                                 "lblock %lu mapped to illegal pblock %llu "
                                 "(length %d)", (unsigned long) map->m_lblk,
-                                 map->m_len);
+                                 map->m_pblk, map->m_len);
                return -EFSCORRUPTED;
        }
        return 0;
@@ -1164,9 +1164,10 @@ static int ext4_write_end(struct file *file,
        loff_t old_size = inode->i_size;
        int ret = 0, ret2;
        int i_size_changed = 0;
+        int inline_data = ext4_has_inline_data(inode);
        trace_ext4_write_end(inode, pos, len, copied);
-        if (ext4_has_inline_data(inode)) {
+        if (inline_data) {
                ret = ext4_write_inline_data_end(inode, pos, len,
                                                 copied, page);
                if (ret < 0) {
@@ -1194,7 +1195,7 @@ static int ext4_write_end(struct file *file,
         * ordering of page lock and transaction start for journaling
         * filesystems.
         */
-        if (i_size_changed)
+        if (i_size_changed || inline_data)
                ext4_mark_inode_dirty(handle, inode);
        if (pos + len > inode->i_size && ext4_can_truncate(inode))
@@ -1268,6 +1269,7 @@ static int ext4_journalled_write_end(struct file *file,
        int partial = 0;
        unsigned from, to;
        int size_changed = 0;
+        int inline_data = ext4_has_inline_data(inode);
        trace_ext4_journalled_write_end(inode, pos, len, copied);
        from = pos & (PAGE_CACHE_SIZE - 1);
@@ -1275,7 +1277,7 @@ static int ext4_journalled_write_end(struct file *file,
        BUG_ON(!ext4_handle_valid(handle));
-        if (ext4_has_inline_data(inode)) {
+        if (inline_data) {
                ret = ext4_write_inline_data_end(inode, pos, len,
                                                 copied, page);
                if (ret < 0) {
@@ -1306,7 +1308,7 @@ static int ext4_journalled_write_end(struct file *file,
        if (old_size < pos)
                pagecache_isize_extended(inode, old_size, pos);
-        if (size_changed) {
+        if (size_changed || inline_data) {
                ret2 = ext4_mark_inode_dirty(handle, inode);
                if (!ret)
                        ret = ret2;
@@ -1515,6 +1517,8 @@ static void mpage_release_unused_pages(struct mpage_da_data *mpd,
                        BUG_ON(!PageLocked(page));
                        BUG_ON(PageWriteback(page));
                        if (invalidate) {
+                                if (page_mapped(page))
+                                        clear_page_dirty_for_io(page);
                                block_invalidatepage(page, 0, PAGE_CACHE_SIZE);
                                ClearPageUptodate(page);
                        }
@@ -1802,11 +1806,7 @@ static int __ext4_journalled_writepage(struct page *page,
        }
        if (inline_data) {
-                BUFFER_TRACE(inode_bh, "get write access");
+                ret = ext4_mark_inode_dirty(handle, inode);
-                ret = ext4_journal_get_write_access(handle, inode_bh);
-                err = ext4_handle_dirty_metadata(handle, inode, inode_bh);
        } else {
                ret = ext4_walk_page_buffers(handle, page_bufs, 0, len, NULL,
                                             do_journal_get_write_access);
@@ -3256,29 +3256,29 @@ static ssize_t ext4_ext_direct_IO(struct kiocb *iocb, struct iov_iter *iter,
         * case, we allocate an io_end structure to hook to the iocb.
         */
        iocb->private = NULL;
-        ext4_inode_aio_set(inode, NULL);
-        if (!is_sync_kiocb(iocb)) {
-                io_end = ext4_init_io_end(inode, GFP_NOFS);
-                if (!io_end) {
-                        ret = -ENOMEM;
-                        goto retake_lock;
-                }
-                /*
-                 * Grab reference for DIO. Will be dropped in ext4_end_io_dio()
-                 */
-                iocb->private = ext4_get_io_end(io_end);
-                /*
-                 * we save the io structure for current async direct
-                 * IO, so that later ext4_map_blocks() could flag the
-                 * io structure whether there is a unwritten extents
-                 * needs to be converted when IO is completed.
-                 */
-                ext4_inode_aio_set(inode, io_end);
-        }
        if (overwrite) {
                get_block_func = ext4_get_block_write_nolock;
        } else {
+                ext4_inode_aio_set(inode, NULL);
+                if (!is_sync_kiocb(iocb)) {
+                        io_end = ext4_init_io_end(inode, GFP_NOFS);
+                        if (!io_end) {
+                                ret = -ENOMEM;
+                                goto retake_lock;
+                        }
+                        /*
+                         * Grab reference for DIO. Will be dropped in
+                         * ext4_end_io_dio()
+                         */
+                        iocb->private = ext4_get_io_end(io_end);
+                        /*
+                         * we save the io structure for current async direct
+                         * IO, so that later ext4_map_blocks() could flag the
+                         * io structure whether there is a unwritten extents
+                         * needs to be converted when IO is completed.
+                         */
+                        ext4_inode_aio_set(inode, io_end);
+                }
                get_block_func = ext4_get_block_write;
                dio_flags = DIO_LOCKING;
        }
@@ -3785,28 +3785,28 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length)
                EXT4_BLOCK_SIZE_BITS(sb);
        stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb);
-        /* If there are no blocks to remove, return now */
+        /* If there are blocks to remove, do it */
-        if (first_block >= stop_block)
+        if (stop_block > first_block) {
-                goto out_stop;
-        down_write(&EXT4_I(inode)->i_data_sem);
+                down_write(&EXT4_I(inode)->i_data_sem);
-        ext4_discard_preallocations(inode);
+                ext4_discard_preallocations(inode);
-        ret = ext4_es_remove_extent(inode, first_block,
+                ret = ext4_es_remove_extent(inode, first_block,
-                                    stop_block - first_block);
+                                            stop_block - first_block);
-        if (ret) {
+                if (ret) {
-                up_write(&EXT4_I(inode)->i_data_sem);
+                        up_write(&EXT4_I(inode)->i_data_sem);
-                goto out_stop;
+                        goto out_stop;
-        }
+                }
-        if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
+                if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
-                ret = ext4_ext_remove_space(inode, first_block,
+                        ret = ext4_ext_remove_space(inode, first_block,
-                                            stop_block - 1);
+                                                    stop_block - 1);
-        else
+                else
-                ret = ext4_ind_remove_space(handle, inode, first_block,
+                        ret = ext4_ind_remove_space(handle, inode, first_block,
-                                            stop_block);
+                                                    stop_block);
-        up_write(&EXT4_I(inode)->i_data_sem);
+                up_write(&EXT4_I(inode)->i_data_sem);
+        }
        if (IS_SYNC(inode))
                ext4_handle_sync(handle);
@@ -3989,7 +3989,8 @@ static int __ext4_get_inode_loc(struct inode *inode,
        int                     inodes_per_block, inode_offset;
        iloc->bh = NULL;
-        if (!ext4_valid_inum(sb, inode->i_ino))
+        if (inode->i_ino < EXT4_ROOT_INO ||
+            inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
                return -EFSCORRUPTED;
        iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb);
@@ -4231,6 +4232,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
                goto bad_inode;
        raw_inode = ext4_raw_inode(&iloc);
+        if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
+                EXT4_ERROR_INODE(inode, "root inode unallocated");
+                ret = -EFSCORRUPTED;
+                goto bad_inode;
+        }
        if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
                ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
                if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
@@ -4417,6 +4424,7 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
                        inode->i_op = &ext4_symlink_inode_operations;
                        ext4_set_aops(inode);
                }
+                inode_nohighmem(inode);
        } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
              S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
                inode->i_op = &ext4_special_inode_operations;
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 1ba82dc5afa3..75f79ff29ce0 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2445,7 +2445,8 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group,
         * initialize bb_free to be able to skip
         * empty groups without initialization
         */
-        if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
+        if (ext4_has_group_desc_csum(sb) &&
+            (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
                meta_group_info[i]->bb_free =
                        ext4_free_clusters_after_init(sb, group, desc);
        } else {
@@ -2966,7 +2967,8 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
 #endif
        ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start,
                      ac->ac_b_ex.fe_len);
-        if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
+        if (ext4_has_group_desc_csum(sb) &&
+            (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
                gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT);
                ext4_free_group_clusters_set(sb, gdp,
                                             ext4_free_clusters_after_init(sb,
@@ -3874,7 +3876,8 @@ ext4_mb_discard_group_preallocations(struct super_block *sb,
        err = ext4_mb_load_buddy(sb, group, &e4b);
        if (err) {
-                ext4_error(sb, "Error loading buddy information for %u", group);
+                ext4_warning(sb, "Error %d loading buddy information for %u",
+                             err, group);
                put_bh(bitmap_bh);
                return 0;
        }
@@ -4031,10 +4034,11 @@ repeat:
                BUG_ON(pa->pa_type != MB_INODE_PA);
                group = ext4_get_group_number(sb, pa->pa_pstart);
-                err = ext4_mb_load_buddy(sb, group, &e4b);
+                err = ext4_mb_load_buddy_gfp(sb, group, &e4b,
+                                             GFP_NOFS|__GFP_NOFAIL);
                if (err) {
-                        ext4_error(sb, "Error loading buddy information for %u",
+                        ext4_error(sb, "Error %d loading buddy information for %u",
-                                        group);
+                                   err, group);
                        continue;
                }
@@ -4290,11 +4294,14 @@ ext4_mb_discard_lg_preallocations(struct super_block *sb,
        spin_unlock(&lg->lg_prealloc_lock);
        list_for_each_entry_safe(pa, tmp, &discard_list, u.pa_tmp_list) {
+                int err;
                group = ext4_get_group_number(sb, pa->pa_pstart);
-                if (ext4_mb_load_buddy(sb, group, &e4b)) {
+                err = ext4_mb_load_buddy_gfp(sb, group, &e4b,
-                        ext4_error(sb, "Error loading buddy information for %u",
+                                             GFP_NOFS|__GFP_NOFAIL);
-                                        group);
+                if (err) {
+                        ext4_error(sb, "Error %d loading buddy information for %u",
+                                   err, group);
                        continue;
                }
                ext4_lock_group(sb, group);
@@ -5116,8 +5123,8 @@ ext4_trim_all_free(struct super_block *sb, ext4_group_t group,
        ret = ext4_mb_load_buddy(sb, group, &e4b);
        if (ret) {
-                ext4_error(sb, "Error in loading buddy "
+                ext4_warning(sb, "Error %d loading buddy information for %u",
-                                "information for %u", group);
+                             ret, group);
                return ret;
        }
        bitmap = e4b.bd_bitmap;
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 4c36dca486cc..97472088d65a 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2429,8 +2429,7 @@ static int ext4_add_nondir(handle_t *handle,
        int err = ext4_add_entry(handle, dentry, inode);
        if (!err) {
                ext4_mark_inode_dirty(handle, inode);
-                unlock_new_inode(inode);
+                d_instantiate_new(dentry, inode);
-                d_instantiate(dentry, inode);
                return 0;
        }
        drop_nlink(inode);
@@ -2669,8 +2668,7 @@ out_clear_inode:
        err = ext4_mark_inode_dirty(handle, dir);
        if (err)
                goto out_clear_inode;
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        if (IS_DIRSYNC(dir))
                ext4_handle_sync(handle);
@@ -3151,6 +3149,7 @@ static int ext4_symlink(struct inode *dir,
        if ((disk_link.len > EXT4_N_BLOCKS * 4)) {
                if (!encryption_required)
                        inode->i_op = &ext4_symlink_inode_operations;
+                inode_nohighmem(inode);
                ext4_set_aops(inode);
                /*
                 * We cannot call page_symlink() with transaction started
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index 74516efd874c..d2421fd38833 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1903,7 +1903,7 @@ retry:
                return 0;
        n_group = ext4_get_group_number(sb, n_blocks_count - 1);
-        if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
+        if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
                ext4_warning(sb, "resize would cause inodes_count overflow");
                return -EINVAL;
        }
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 8bdb0cc2722f..8d18f6142da5 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -688,6 +688,7 @@ __acquires(bitlock)
        }
        ext4_unlock_group(sb, grp);
+        ext4_commit_super(sb, 1);
        ext4_handle_error(sb);
        /*
         * We only get here in the ERRORS_RO case; relocking the group
@@ -2101,6 +2102,7 @@ static int ext4_check_descriptors(struct super_block *sb,
        struct ext4_sb_info *sbi = EXT4_SB(sb);
        ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block);
        ext4_fsblk_t last_block;
+        ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0);
        ext4_fsblk_t block_bitmap;
        ext4_fsblk_t inode_bitmap;
        ext4_fsblk_t inode_table;
@@ -2130,6 +2132,16 @@ static int ext4_check_descriptors(struct super_block *sb,
                        ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
                                 "Block bitmap for group %u overlaps "
                                 "superblock", i);
+                        if (!(sb->s_flags & MS_RDONLY))
+                                return 0;
+                }
+                if (block_bitmap >= sb_block + 1 &&
+                    block_bitmap <= last_bg_block) {
+                        ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+                                 "Block bitmap for group %u overlaps "
+                                 "block group descriptors", i);
+                        if (!(sb->s_flags & MS_RDONLY))
+                                return 0;
                }
                if (block_bitmap < first_block || block_bitmap > last_block) {
                        ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
@@ -2142,6 +2154,16 @@ static int ext4_check_descriptors(struct super_block *sb,
                        ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
                                 "Inode bitmap for group %u overlaps "
                                 "superblock", i);
+                        if (!(sb->s_flags & MS_RDONLY))
+                                return 0;
+                }
+                if (inode_bitmap >= sb_block + 1 &&
+                    inode_bitmap <= last_bg_block) {
+                        ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+                                 "Inode bitmap for group %u overlaps "
+                                 "block group descriptors", i);
+                        if (!(sb->s_flags & MS_RDONLY))
+                                return 0;
                }
                if (inode_bitmap < first_block || inode_bitmap > last_block) {
                        ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
@@ -2154,6 +2176,16 @@ static int ext4_check_descriptors(struct super_block *sb,
                        ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
                                 "Inode table for group %u overlaps "
                                 "superblock", i);
+                        if (!(sb->s_flags & MS_RDONLY))
+                                return 0;
+                }
+                if (inode_table >= sb_block + 1 &&
+                    inode_table <= last_bg_block) {
+                        ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+                                 "Inode table for group %u overlaps "
+                                 "block group descriptors", i);
+                        if (!(sb->s_flags & MS_RDONLY))
+                                return 0;
                }
                if (inode_table < first_block ||
                    inode_table + sbi->s_itb_per_group - 1 > last_block) {
@@ -2835,6 +2867,9 @@ static ext4_group_t ext4_has_uninit_itable(struct super_block *sb)
        ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count;
        struct ext4_group_desc *gdp = NULL;
+        if (!ext4_has_group_desc_csum(sb))
+                return ngroups;
        for (group = 0; group < ngroups; group++) {
                gdp = ext4_get_group_desc(sb, group, NULL);
                if (!gdp)
@@ -3444,6 +3479,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
                         le32_to_cpu(es->s_log_block_size));
                goto failed_mount;
        }
+        if (le32_to_cpu(es->s_log_cluster_size) >
+            (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
+                ext4_msg(sb, KERN_ERR,
+                         "Invalid log cluster size: %u",
+                         le32_to_cpu(es->s_log_cluster_size));
+                goto failed_mount;
+        }
        if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
                ext4_msg(sb, KERN_ERR,
@@ -3508,6 +3550,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
        } else {
                sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
                sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
+                if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
+                        ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
+                                 sbi->s_first_ino);
+                        goto failed_mount;
+                }
                if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) ||
                    (!is_power_of_2(sbi->s_inode_size)) ||
                    (sbi->s_inode_size > blocksize)) {
@@ -3584,13 +3631,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
                                 "block size (%d)", clustersize, blocksize);
                        goto failed_mount;
                }
-                if (le32_to_cpu(es->s_log_cluster_size) >
-                    (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
-                        ext4_msg(sb, KERN_ERR,
-                                 "Invalid log cluster size: %u",
-                                 le32_to_cpu(es->s_log_cluster_size));
-                        goto failed_mount;
-                }
                sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) -
                        le32_to_cpu(es->s_log_block_size);
                sbi->s_clusters_per_group =
@@ -3611,10 +3651,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
                }
        } else {
                if (clustersize != blocksize) {
-                        ext4_warning(sb, "fragment/cluster size (%d) != "
+                        ext4_msg(sb, KERN_ERR,
-                                     "block size (%d)", clustersize,
+                                 "fragment/cluster size (%d) != "
-                                     blocksize);
+                                 "block size (%d)", clustersize, blocksize);
-                        clustersize = blocksize;
+                        goto failed_mount;
                }
                if (sbi->s_blocks_per_group > blocksize * 8) {
                        ext4_msg(sb, KERN_ERR,
@@ -3668,6 +3708,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
                         ext4_blocks_count(es));
                goto failed_mount;
        }
+        if ((es->s_first_data_block == 0) && (es->s_log_block_size == 0) &&
+            (sbi->s_cluster_ratio == 1)) {
+                ext4_msg(sb, KERN_WARNING, "bad geometry: first data "
+                         "block is 0 with a 1k block and cluster size");
+                goto failed_mount;
+        }
        blocks_count = (ext4_blocks_count(es) -
                        le32_to_cpu(es->s_first_data_block) +
                        EXT4_BLOCKS_PER_GROUP(sb) - 1);
@@ -3703,6 +3750,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
                ret = -ENOMEM;
                goto failed_mount;
        }
+        if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
+            le32_to_cpu(es->s_inodes_count)) {
+                ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
+                         le32_to_cpu(es->s_inodes_count),
+                         ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
+                ret = -EINVAL;
+                goto failed_mount;
+        }
        bgl_lock_init(sbi->s_blockgroup_lock);
@@ -3716,13 +3771,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
                        goto failed_mount2;
                }
        }
+        sbi->s_gdb_count = db_count;
        if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
                ext4_msg(sb, KERN_ERR, "group descriptors corrupted!");
                ret = -EFSCORRUPTED;
                goto failed_mount2;
        }
-        sbi->s_gdb_count = db_count;
        get_random_bytes(&sbi->s_next_generation, sizeof(u32));
        spin_lock_init(&sbi->s_next_gen_lock);
@@ -4381,6 +4436,14 @@ static int ext4_commit_super(struct super_block *sb, int sync)
        if (!sbh || block_device_ejected(sb))
                return error;
+        /*
+         * The superblock bh should be mapped, but it might not be if the
+         * device was hot-removed. Not much we can do but fail the I/O.
+         */
+        if (!buffer_mapped(sbh))
+                return error;
        if (buffer_write_io_error(sbh)) {
                /*
                 * Oh, dear.  A previous attempt to write the
diff --git a/fs/ext4/symlink.c b/fs/ext4/symlink.c
index e8e7af62ac95..287c3980fa0b 100644
--- a/fs/ext4/symlink.c
+++ b/fs/ext4/symlink.c
@@ -45,7 +45,7 @@ static const char *ext4_encrypted_follow_link(struct dentry *dentry, void **cook
                cpage = read_mapping_page(inode->i_mapping, 0, NULL);
                if (IS_ERR(cpage))
                        return ERR_CAST(cpage);
-                caddr = kmap(cpage);
+                caddr = page_address(cpage);
                caddr[size] = 0;
        }
@@ -75,16 +75,12 @@ static const char *ext4_encrypted_follow_link(struct dentry *dentry, void **cook
        /* Null-terminate the name */
        if (res <= plen)
                paddr[res] = '\0';
-        if (cpage) {
+        if (cpage)
-                kunmap(cpage);
                page_cache_release(cpage);
-        }
        return *cookie = paddr;
 errout:
-        if (cpage) {
+        if (cpage)
-                kunmap(cpage);
                page_cache_release(cpage);
-        }
        kfree(paddr);
        return ERR_PTR(res);
 }
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 7c23363ecf19..c7cad05aed27 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -828,8 +828,6 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode,
                                if (!IS_LAST_ENTRY(s->first))
                                        ext4_xattr_rehash(header(s->base),
                                                          s->here);
-                                ext4_xattr_cache_insert(ext4_mb_cache,
-                                        bs->bh);
                        }
                        unlock_buffer(bs->bh);
                        if (error == -EFSCORRUPTED)
@@ -918,6 +916,7 @@ inserted:
                } else if (bs->bh && s->base == bs->bh->b_data) {
                        /* We were modifying this block in-place. */
                        ea_bdebug(bs->bh, "keeping this block");
+                        ext4_xattr_cache_insert(ext4_mb_cache, bs->bh);
                        new_bh = bs->bh;
                        get_bh(new_bh);
                } else {
@@ -1118,16 +1117,14 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
        struct ext4_xattr_block_find bs = {
                .s = { .not_found = -ENODATA, },
        };
-        unsigned long no_expand;
+        int no_expand;
        int error;
        if (!name)
                return -EINVAL;
        if (strlen(name) > 255)
                return -ERANGE;
-        down_write(&EXT4_I(inode)->xattr_sem);
+        ext4_write_lock_xattr(inode, &no_expand);
-        no_expand = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
-        ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
        error = ext4_reserve_inode_write(handle, inode, &is.iloc);
        if (error)
@@ -1188,7 +1185,7 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
                ext4_xattr_update_super_block(handle, inode->i_sb);
                inode->i_ctime = ext4_current_time(inode);
                if (!value)
-                        ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
+                        no_expand = 0;
                error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
                /*
                 * The bh is consumed by ext4_mark_iloc_dirty, even with
@@ -1202,9 +1199,7 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
 cleanup:
        brelse(is.iloc.bh);
        brelse(bs.bh);
-        if (no_expand == 0)
+        ext4_write_unlock_xattr(inode, &no_expand);
-                ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
-        up_write(&EXT4_I(inode)->xattr_sem);
        return error;
 }
@@ -1288,12 +1283,11 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize,
        int error = 0, tried_min_extra_isize = 0;
        int s_min_extra_isize = le16_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_min_extra_isize);
        int isize_diff; /* How much do we need to grow i_extra_isize */
+        int no_expand;
+        if (ext4_write_trylock_xattr(inode, &no_expand) == 0)
+                return 0;
-        down_write(&EXT4_I(inode)->xattr_sem);
-        /*
-         * Set EXT4_STATE_NO_EXPAND to avoid recursion when marking inode dirty
-         */
-        ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
 retry:
        isize_diff = new_extra_isize - EXT4_I(inode)->i_extra_isize;
        if (EXT4_I(inode)->i_extra_isize >= new_extra_isize)
@@ -1487,8 +1481,7 @@ retry:
        }
        brelse(bh);
 out:
-        ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
+        ext4_write_unlock_xattr(inode, &no_expand);
-        up_write(&EXT4_I(inode)->xattr_sem);
        return 0;
 cleanup:
@@ -1500,10 +1493,10 @@ cleanup:
        kfree(bs);
        brelse(bh);
        /*
-         * We deliberately leave EXT4_STATE_NO_EXPAND set here since inode
+         * Inode size expansion failed; don't try again
-         * size expansion failed.
         */
-        up_write(&EXT4_I(inode)->xattr_sem);
+        no_expand = 1;
+        ext4_write_unlock_xattr(inode, &no_expand);
        return error;
 }
diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h
index ddc0957760ba..c000ed398555 100644
--- a/fs/ext4/xattr.h
+++ b/fs/ext4/xattr.h
@@ -101,6 +101,38 @@ extern const struct xattr_handler ext4_xattr_security_handler;
 #define EXT4_XATTR_NAME_ENCRYPTION_CONTEXT "c"
+/*
+ * The EXT4_STATE_NO_EXPAND is overloaded and used for two purposes.
+ * The first is to signal that there the inline xattrs and data are
+ * taking up so much space that we might as well not keep trying to
+ * expand it.  The second is that xattr_sem is taken for writing, so
+ * we shouldn't try to recurse into the inode expansion.  For this
+ * second case, we need to make sure that we take save and restore the
+ * NO_EXPAND state flag appropriately.
+ */
+static inline void ext4_write_lock_xattr(struct inode *inode, int *save)
+{
+        down_write(&EXT4_I(inode)->xattr_sem);
+        *save = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
+        ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
+}
+static inline int ext4_write_trylock_xattr(struct inode *inode, int *save)
+{
+        if (down_write_trylock(&EXT4_I(inode)->xattr_sem) == 0)
+                return 0;
+        *save = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
+        ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
+        return 1;
+}
+static inline void ext4_write_unlock_xattr(struct inode *inode, int *save)
+{
+        if (*save == 0)
+                ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
+        up_write(&EXT4_I(inode)->xattr_sem);
+}
 extern ssize_t ext4_listxattr(struct dentry *, char *, size_t);
 extern int ext4_xattr_get(struct inode *, int, const char *, void *, size_t);
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 98b2fc2678ff..f6ccb21f286b 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -721,7 +721,7 @@ static int __get_data_block(struct inode *inode, sector_t iblock,
        if (!ret) {
                map_bh(bh, inode->i_sb, map.m_pblk);
                bh->b_state = (bh->b_state & ~F2FS_MAP_FLAGS) | map.m_flags;
-                bh->b_size = map.m_len << inode->i_blkbits;
+                bh->b_size = (u64)map.m_len << inode->i_blkbits;
        }
        return ret;
 }
diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
index 7ddba812e11b..6827b9c942dc 100644
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -172,7 +172,7 @@ void f2fs_drop_largest_extent(struct inode *inode, pgoff_t fofs)
        __drop_largest_extent(inode, fofs, 1);
 }
-void f2fs_init_extent_tree(struct inode *inode, struct f2fs_extent *i_ext)
+static void __f2fs_init_extent_tree(struct inode *inode, struct f2fs_extent *i_ext)
 {
        struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
        struct extent_tree *et;
@@ -204,6 +204,14 @@ out:
        write_unlock(&et->lock);
 }
+void f2fs_init_extent_tree(struct inode *inode, struct f2fs_extent *i_ext)
+{
+        __f2fs_init_extent_tree(inode, i_ext);
+        if (!F2FS_I(inode)->extent_tree)
+                set_inode_flag(F2FS_I(inode), FI_NO_EXTENT);
+}
 static bool f2fs_lookup_extent_tree(struct inode *inode, pgoff_t pgofs,
                                                        struct extent_info *ei)
 {
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index fedbf67a0842..928b9e046d8a 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -522,8 +522,10 @@ static bool is_alive(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
        get_node_info(sbi, nid, dni);
        if (sum->version != dni->version) {
-                f2fs_put_page(node_page, 1);
+                f2fs_msg(sbi->sb, KERN_WARNING,
-                return false;
+                                "%s: valid data with mismatched node version.",
+                                __func__);
+                set_sbi_flag(sbi, SBI_NEED_FSCK);
        }
        *nofs = ofs_of_node(node_page);
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 97e20decacb4..5528801a5baf 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -202,6 +202,7 @@ make_now:
                        inode->i_op = &f2fs_encrypted_symlink_inode_operations;
                else
                        inode->i_op = &f2fs_symlink_inode_operations;
+                inode_nohighmem(inode);
                inode->i_mapping->a_ops = &f2fs_dblock_aops;
        } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
                        S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index 2c32110f9fc0..e5553cd8fe4e 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -150,8 +150,7 @@ static int f2fs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
        alloc_nid_done(sbi, ino);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
-        unlock_new_inode(inode);
        if (IS_DIRSYNC(dir))
                f2fs_sync_fs(sbi->sb, 1);
@@ -351,6 +350,7 @@ static int f2fs_symlink(struct inode *dir, struct dentry *dentry,
                inode->i_op = &f2fs_encrypted_symlink_inode_operations;
        else
                inode->i_op = &f2fs_symlink_inode_operations;
+        inode_nohighmem(inode);
        inode->i_mapping->a_ops = &f2fs_dblock_aops;
        f2fs_lock_op(sbi);
@@ -398,8 +398,7 @@ static int f2fs_symlink(struct inode *dir, struct dentry *dentry,
        err = page_symlink(inode, p_str, p_len);
 err_out:
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
-        unlock_new_inode(inode);
        /*
         * Let's flush symlink data in order to avoid broken symlink as much as
@@ -453,8 +452,7 @@ static int f2fs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
        alloc_nid_done(sbi, inode->i_ino);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
-        unlock_new_inode(inode);
        if (IS_DIRSYNC(dir))
                f2fs_sync_fs(sbi->sb, 1);
@@ -498,8 +496,7 @@ static int f2fs_mknod(struct inode *dir, struct dentry *dentry,
        alloc_nid_done(sbi, inode->i_ino);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
-        unlock_new_inode(inode);
        if (IS_DIRSYNC(dir))
                f2fs_sync_fs(sbi->sb, 1);
@@ -942,7 +939,7 @@ static const char *f2fs_encrypted_follow_link(struct dentry *dentry, void **cook
        cpage = read_mapping_page(inode->i_mapping, 0, NULL);
        if (IS_ERR(cpage))
                return ERR_CAST(cpage);
-        caddr = kmap(cpage);
+        caddr = page_address(cpage);
        caddr[size] = 0;
        /* Symlink is encrypted */
@@ -982,13 +979,11 @@ static const char *f2fs_encrypted_follow_link(struct dentry *dentry, void **cook
        /* Null-terminate the name */
        paddr[res] = '\0';
-        kunmap(cpage);
        page_cache_release(cpage);
        return *cookie = paddr;
 errout:
        kfree(cstr.name);
        f2fs_fname_crypto_free_buffer(&pstr);
-        kunmap(cpage);
        page_cache_release(cpage);
        return ERR_PTR(res);
 }
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index f77b3258454a..2bba0c4ef4b7 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -295,6 +295,9 @@ void f2fs_balance_fs(struct f2fs_sb_info *sbi)
 void f2fs_balance_fs_bg(struct f2fs_sb_info *sbi)
 {
+        if (unlikely(is_sbi_flag_set(sbi, SBI_POR_DOING)))
+                return;
        /* try to shrink extent cache when there is no enough memory */
        if (!available_free_memory(sbi, EXTENT_CACHE))
                f2fs_shrink_extent_tree(sbi, EXTENT_CACHE_SHRINK_NUMBER);
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 4f666368aa85..6cc67e1bbb41 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1566,6 +1566,12 @@ static int __init init_f2fs_fs(void)
 {
        int err;
+        if (PAGE_SIZE != F2FS_BLKSIZE) {
+                printk("F2FS not supported on PAGE_SIZE(%lu) != %d\n",
+                                PAGE_SIZE, F2FS_BLKSIZE);
+                return -EINVAL;
+        }
        f2fs_build_trace_ios();
        err = init_inodecache();
diff --git a/fs/fat/inode.c b/fs/fat/inode.c
index cf644d52c0cf..c81cfb79a339 100644
--- a/fs/fat/inode.c
+++ b/fs/fat/inode.c
@@ -613,13 +613,21 @@ static void fat_set_state(struct super_block *sb,
        brelse(bh);
 }
+static void fat_reset_iocharset(struct fat_mount_options *opts)
+{
+        if (opts->iocharset != fat_default_iocharset) {
+                /* Note: opts->iocharset can be NULL here */
+                kfree(opts->iocharset);
+                opts->iocharset = fat_default_iocharset;
+        }
+}
 static void delayed_free(struct rcu_head *p)
 {
        struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu);
        unload_nls(sbi->nls_disk);
        unload_nls(sbi->nls_io);
-        if (sbi->options.iocharset != fat_default_iocharset)
+        fat_reset_iocharset(&sbi->options);
-                kfree(sbi->options.iocharset);
        kfree(sbi);
 }
@@ -1034,7 +1042,7 @@ static int parse_options(struct super_block *sb, char *options, int is_vfat,
        opts->fs_fmask = opts->fs_dmask = current_umask();
        opts->allow_utime = -1;
        opts->codepage = fat_default_codepage;
-        opts->iocharset = fat_default_iocharset;
+        fat_reset_iocharset(opts);
        if (is_vfat) {
                opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95;
                opts->rodir = 0;
@@ -1184,8 +1192,7 @@ static int parse_options(struct super_block *sb, char *options, int is_vfat,
                /* vfat specific */
                case Opt_charset:
-                        if (opts->iocharset != fat_default_iocharset)
+                        fat_reset_iocharset(opts);
-                                kfree(opts->iocharset);
                        iocharset = match_strdup(&args[0]);
                        if (!iocharset)
                                return -ENOMEM;
@@ -1776,8 +1783,7 @@ out_fail:
                iput(fat_inode);
        unload_nls(sbi->nls_io);
        unload_nls(sbi->nls_disk);
-        if (sbi->options.iocharset != fat_default_iocharset)
+        fat_reset_iocharset(&sbi->options);
-                kfree(sbi->options.iocharset);
        sb->s_fs_info = NULL;
        kfree(sbi);
        return error;
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 62376451bbce..5df914943d96 100644
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -113,6 +113,10 @@ void f_setown(struct file *filp, unsigned long arg, int force)
        int who = arg;
        type = PIDTYPE_PID;
        if (who < 0) {
+                /* avoid overflow below */
+                if (who == INT_MIN)
+                        return;
                type = PIDTYPE_PGID;
                who = -who;
        }
diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index 22b30249fbcb..cfb75dbb96f5 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -747,11 +747,12 @@ int inode_congested(struct inode *inode, int cong_bits)
         */
        if (inode && inode_to_wb_is_valid(inode)) {
                struct bdi_writeback *wb;
-                bool locked, congested;
+                struct wb_lock_cookie lock_cookie = {};
+                bool congested;
-                wb = unlocked_inode_to_wb_begin(inode, &locked);
+                wb = unlocked_inode_to_wb_begin(inode, &lock_cookie);
                congested = wb_congested(wb, cong_bits);
-                unlocked_inode_to_wb_end(inode, locked);
+                unlocked_inode_to_wb_end(inode, &lock_cookie);
                return congested;
        }
@@ -1905,7 +1906,7 @@ void wb_workfn(struct work_struct *work)
        }
        if (!list_empty(&wb->work_list))
-                mod_delayed_work(bdi_wq, &wb->dwork, 0);
+                wb_wakeup(wb);
        else if (wb_has_dirty_io(wb) && dirty_writeback_interval)
                wb_wakeup_delayed(wb);
diff --git a/fs/fscache/page.c b/fs/fscache/page.c
index 6b35fc4860a0..1de16a5a5c4e 100644
--- a/fs/fscache/page.c
+++ b/fs/fscache/page.c
@@ -776,6 +776,7 @@ static void fscache_write_op(struct fscache_operation *_op)
        _enter("{OP%x,%d}", op->op.debug_id, atomic_read(&op->op.usage));
+again:
        spin_lock(&object->lock);
        cookie = object->cookie;
@@ -816,10 +817,6 @@ static void fscache_write_op(struct fscache_operation *_op)
                goto superseded;
        page = results[0];
        _debug("gang %d [%lx]", n, page->index);
-        if (page->index >= op->store_limit) {
-                fscache_stat(&fscache_n_store_pages_over_limit);
-                goto superseded;
-        }
        radix_tree_tag_set(&cookie->stores, page->index,
                           FSCACHE_COOKIE_STORING_TAG);
@@ -829,6 +826,9 @@ static void fscache_write_op(struct fscache_operation *_op)
        spin_unlock(&cookie->stores_lock);
        spin_unlock(&object->lock);
+        if (page->index >= op->store_limit)
+                goto discard_page;
        fscache_stat(&fscache_n_store_pages);
        fscache_stat(&fscache_n_cop_write_page);
        ret = object->cache->ops->write_page(op, page);
@@ -844,6 +844,11 @@ static void fscache_write_op(struct fscache_operation *_op)
        _leave("");
        return;
+discard_page:
+        fscache_stat(&fscache_n_store_pages_over_limit);
+        fscache_end_page_write(object, page);
+        goto again;
 superseded:
        /* this writer is going away and there aren't any more things to
         * write */
diff --git a/fs/fuse/control.c b/fs/fuse/control.c
index f863ac6647ac..89a4b231e79c 100644
--- a/fs/fuse/control.c
+++ b/fs/fuse/control.c
@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent,
        if (!dentry)
                return NULL;
-        fc->ctl_dentry[fc->ctl_ndents++] = dentry;
        inode = new_inode(fuse_control_sb);
-        if (!inode)
+        if (!inode) {
+                dput(dentry);
                return NULL;
+        }
        inode->i_ino = get_next_ino();
        inode->i_mode = mode;
@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent,
        set_nlink(inode, nlink);
        inode->i_private = fc;
        d_add(dentry, inode);
+        fc->ctl_dentry[fc->ctl_ndents++] = dentry;
        return dentry;
 }
@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_conn *fc)
        for (i = fc->ctl_ndents - 1; i >= 0; i--) {
                struct dentry *dentry = fc->ctl_dentry[i];
                d_inode(dentry)->i_private = NULL;
-                d_drop(dentry);
+                if (!i) {
+                        /* Get rid of submounts: */
+                        d_invalidate(dentry);
+                }
                dput(dentry);
        }
        drop_nlink(d_inode(fuse_control_sb->s_root));
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 5068dbf80ff8..49b7b40f7598 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1609,8 +1609,19 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
                return err;
        if (attr->ia_valid & ATTR_OPEN) {
-                if (fc->atomic_o_trunc)
+                /* This is coming from open(..., ... | O_TRUNC); */
+                WARN_ON(!(attr->ia_valid & ATTR_SIZE));
+                WARN_ON(attr->ia_size != 0);
+                if (fc->atomic_o_trunc) {
+                        /*
+                         * No need to send request to userspace, since actual
+                         * truncation has already been done by OPEN.  But still
+                         * need to truncate page cache.
+                         */
+                        i_size_write(inode, 0);
+                        truncate_pagecache(inode, 0);
                        return 0;
+                }
                file = NULL;
        }
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 0d5e8e59b390..f0b73e0c6d48 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1158,6 +1158,7 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
 err_put_conn:
        fuse_bdi_destroy(fc);
        fuse_conn_put(fc);
+        sb->s_fs_info = NULL;
 err_fput:
        fput(file);
 err:
diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c
index 1543aa1b2a93..8744bd773823 100644
--- a/fs/gfs2/file.c
+++ b/fs/gfs2/file.c
@@ -806,7 +806,7 @@ static long __gfs2_fallocate(struct file *file, int mode, loff_t offset, loff_t
        struct gfs2_inode *ip = GFS2_I(inode);
        struct gfs2_alloc_parms ap = { .aflags = 0, };
        unsigned int data_blocks = 0, ind_blocks = 0, rblocks;
-        loff_t bytes, max_bytes, max_blks = UINT_MAX;
+        loff_t bytes, max_bytes, max_blks;
        int error;
        const loff_t pos = offset;
        const loff_t count = len;
@@ -858,7 +858,8 @@ static long __gfs2_fallocate(struct file *file, int mode, loff_t offset, loff_t
                        return error;
                /* ap.allowed tells us how many blocks quota will allow
                 * us to write. Check if this reduces max_blks */
-                if (ap.allowed && ap.allowed < max_blks)
+                max_blks = UINT_MAX;
+                if (ap.allowed)
                        max_blks = ap.allowed;
                error = gfs2_inplace_reserve(ip, &ap);
diff --git a/fs/gfs2/quota.h b/fs/gfs2/quota.h
index ad04b3acae2b..a81ed38d8442 100644
--- a/fs/gfs2/quota.h
+++ b/fs/gfs2/quota.h
@@ -43,6 +43,8 @@ static inline int gfs2_quota_lock_check(struct gfs2_inode *ip,
 {
        struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
        int ret;
+        ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */
        if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF)
                return 0;
        ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE);
diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
index 7302d96ae8bf..fa40e756c501 100644
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -585,6 +585,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
        return 0;
 out_put_hidden_dir:
+        cancel_delayed_work_sync(&sbi->sync_work);
        iput(sbi->hidden_dir);
 out_put_root:
        dput(sb->s_root);
diff --git a/fs/inode.c b/fs/inode.c
index 2c16b758831d..b5c3a6473aaa 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1943,8 +1943,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
        inode->i_uid = current_fsuid();
        if (dir && dir->i_mode & S_ISGID) {
                inode->i_gid = dir->i_gid;
+                /* Directories are special, and always inherit S_ISGID */
                if (S_ISDIR(mode))
                        mode |= S_ISGID;
+                else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
+                         !in_group_p(inode->i_gid) &&
+                         !capable_wrt_inode_uidgid(dir, CAP_FSETID))
+                        mode &= ~S_ISGID;
        } else
                inode->i_gid = current_fsgid();
        inode->i_mode = mode;
@@ -2034,3 +2040,9 @@ void inode_set_flags(struct inode *inode, unsigned int flags,
                                  new_flags) != old_flags));
 }
 EXPORT_SYMBOL(inode_set_flags);
+void inode_nohighmem(struct inode *inode)
+{
+        mapping_set_gfp_mask(inode->i_mapping, GFP_USER);
+}
+EXPORT_SYMBOL(inode_nohighmem);
diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index 624a57a9c4aa..9398d1b70545 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -275,11 +275,11 @@ loop:
        goto loop;
 end_loop:
-        write_unlock(&journal->j_state_lock);
        del_timer_sync(&journal->j_commit_timer);
        journal->j_task = NULL;
        wake_up(&journal->j_wait_done_commit);
        jbd_debug(1, "Journal thread exiting.\n");
+        write_unlock(&journal->j_state_lock);
        return 0;
 }
@@ -914,7 +914,7 @@ out:
 }
 /*
- * This is a variaon of __jbd2_update_log_tail which checks for validity of
+ * This is a variation of __jbd2_update_log_tail which checks for validity of
 * provided log tail and locks j_checkpoint_mutex. So it is safe against races
 * with other threads updating log tail.
 */
@@ -1384,6 +1384,9 @@ int jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid,
        journal_superblock_t *sb = journal->j_superblock;
        int ret;
+        if (is_journal_aborted(journal))
+                return -EIO;
        BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex));
        jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n",
                  tail_block, tail_tid);
diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
index a2e724053919..bce343febb9e 100644
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -527,6 +527,7 @@ int jbd2_journal_start_reserved(handle_t *handle, unsigned int type,
         */
        ret = start_this_handle(journal, handle, GFP_NOFS);
        if (ret < 0) {
+                handle->h_journal = journal;
                jbd2_journal_free_reserved(handle);
                return ret;
        }
@@ -1362,6 +1363,13 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh)
                if (jh->b_transaction == transaction &&
                    jh->b_jlist != BJ_Metadata) {
                        jbd_lock_bh_state(bh);
+                        if (jh->b_transaction == transaction &&
+                            jh->b_jlist != BJ_Metadata)
+                                pr_err("JBD2: assertion failure: h_type=%u "
+                                       "h_line_no=%u block_no=%llu jlist=%u\n",
+                                       handle->h_type, handle->h_line_no,
+                                       (unsigned long long) bh->b_blocknr,
+                                       jh->b_jlist);
                        J_ASSERT_JH(jh, jh->b_transaction != transaction ||
                                        jh->b_jlist == BJ_Metadata);
                        jbd_unlock_bh_state(bh);
@@ -1381,11 +1389,11 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh)
                 * of the transaction. This needs to be done
                 * once a transaction -bzzz
                 */
-                jh->b_modified = 1;
                if (handle->h_buffer_credits <= 0) {
                        ret = -ENOSPC;
                        goto out_unlock_bh;
                }
+                jh->b_modified = 1;
                handle->h_buffer_credits--;
        }
diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c
index 30c4c9ebb693..e27317169697 100644
--- a/fs/jffs2/dir.c
+++ b/fs/jffs2/dir.c
@@ -207,8 +207,7 @@ static int jffs2_create(struct inode *dir_i, struct dentry *dentry,
                  __func__, inode->i_ino, inode->i_mode, inode->i_nlink,
                  f->inocache->pino_nlink, inode->i_mapping->nrpages);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        return 0;
 fail:
@@ -428,8 +427,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
        mutex_unlock(&dir_f->sem);
        jffs2_complete_reservation(c);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        return 0;
 fail:
@@ -573,8 +571,7 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, umode_t mode
        mutex_unlock(&dir_f->sem);
        jffs2_complete_reservation(c);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        return 0;
 fail:
@@ -745,8 +742,7 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, umode_t mode
        mutex_unlock(&dir_f->sem);
        jffs2_complete_reservation(c);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        return 0;
 fail:
diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
index 2caf1682036d..85e2594fe95c 100644
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -361,7 +361,6 @@ error_io:
        ret = -EIO;
 error:
        mutex_unlock(&f->sem);
-        jffs2_do_clear_inode(c, f);
        iget_failed(inode);
        return ERR_PTR(ret);
 }
diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
index d86c5e3176a1..600da1a4df29 100644
--- a/fs/jffs2/super.c
+++ b/fs/jffs2/super.c
@@ -345,7 +345,7 @@ static void jffs2_put_super (struct super_block *sb)
 static void jffs2_kill_sb(struct super_block *sb)
 {
        struct jffs2_sb_info *c = JFFS2_SB_INFO(sb);
-        if (!(sb->s_flags & MS_RDONLY))
+        if (c && !(sb->s_flags & MS_RDONLY))
                jffs2_stop_garbage_collect_thread(c);
        kill_mtd_super(sb);
        kfree(c);
diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index 9d7551f5c32a..f217ae750adb 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -178,8 +178,7 @@ static int jfs_create(struct inode *dip, struct dentry *dentry, umode_t mode,
                unlock_new_inode(ip);
                iput(ip);
        } else {
-                unlock_new_inode(ip);
+                d_instantiate_new(dentry, ip);
-                d_instantiate(dentry, ip);
        }
      out2:
@@ -313,8 +312,7 @@ static int jfs_mkdir(struct inode *dip, struct dentry *dentry, umode_t mode)
                unlock_new_inode(ip);
                iput(ip);
        } else {
-                unlock_new_inode(ip);
+                d_instantiate_new(dentry, ip);
-                d_instantiate(dentry, ip);
        }
      out2:
@@ -1058,8 +1056,7 @@ static int jfs_symlink(struct inode *dip, struct dentry *dentry,
                unlock_new_inode(ip);
                iput(ip);
        } else {
-                unlock_new_inode(ip);
+                d_instantiate_new(dentry, ip);
-                d_instantiate(dentry, ip);
        }
      out2:
@@ -1443,8 +1440,7 @@ static int jfs_mknod(struct inode *dir, struct dentry *dentry,
                unlock_new_inode(ip);
                iput(ip);
        } else {
-                unlock_new_inode(ip);
+                d_instantiate_new(dentry, ip);
-                d_instantiate(dentry, ip);
        }
      out1:
diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index 48b15a6e5558..40a26a542341 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -493,15 +493,17 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
        if (size > PSIZE) {
                /*
                 * To keep the rest of the code simple.  Allocate a
-                 * contiguous buffer to work with
+                 * contiguous buffer to work with. Make the buffer large
+                 * enough to make use of the whole extent.
                 */
-                ea_buf->xattr = kmalloc(size, GFP_KERNEL);
+                ea_buf->max_size = (size + sb->s_blocksize - 1) &
+                    ~(sb->s_blocksize - 1);
+                ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
                if (ea_buf->xattr == NULL)
                        return -ENOMEM;
                ea_buf->flag = EA_MALLOC;
-                ea_buf->max_size = (size + sb->s_blocksize - 1) &
-                    ~(sb->s_blocksize - 1);
                if (ea_size == 0)
                        return 0;
diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
index 6e9a912d394c..6875bd5d35f6 100644
--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -272,7 +272,7 @@ static ssize_t kernfs_fop_write(struct file *file, const char __user *user_buf,
 {
        struct kernfs_open_file *of = kernfs_of(file);
        const struct kernfs_ops *ops;
-        size_t len;
+        ssize_t len;
        char *buf;
        if (of->atomic_write_len) {
diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c
index 5f31ebd96c06..f038d4ac9aec 100644
--- a/fs/lockd/svc.c
+++ b/fs/lockd/svc.c
@@ -129,6 +129,8 @@ lockd(void *vrqstp)
 {
        int             err = 0;
        struct svc_rqst *rqstp = vrqstp;
+        struct net *net = &init_net;
+        struct lockd_net *ln = net_generic(net, lockd_net_id);
        /* try_to_freeze() is called from svc_recv() */
        set_freezable();
@@ -173,6 +175,8 @@ lockd(void *vrqstp)
        if (nlmsvc_ops)
                nlmsvc_invalidate_all();
        nlm_shutdown_hosts();
+        cancel_delayed_work_sync(&ln->grace_period_end);
+        locks_end_grace(&ln->lockd_manager);
        return 0;
 }
diff --git a/fs/namei.c b/fs/namei.c
index 3f96ae087488..de57dd59d95f 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -219,9 +219,10 @@ getname_kernel(const char * filename)
        if (len <= EMBEDDED_NAME_MAX) {
                result->name = (char *)result->iname;
        } else if (len <= PATH_MAX) {
+                const size_t size = offsetof(struct filename, iname[1]);
                struct filename *tmp;
-                tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
+                tmp = kmalloc(size, GFP_KERNEL);
                if (unlikely(!tmp)) {
                        __putname(result);
                        return ERR_PTR(-ENOMEM);
@@ -570,9 +571,10 @@ static int __nd_alloc_stack(struct nameidata *nd)
 static bool path_connected(const struct path *path)
 {
        struct vfsmount *mnt = path->mnt;
+        struct super_block *sb = mnt->mnt_sb;
-        /* Only bind mounts can have disconnected paths */
+        /* Bind mounts and multi-root filesystems can have disconnected paths */
-        if (mnt->mnt_root == mnt->mnt_sb->s_root)
+        if (!(sb->s_iflags & SB_I_MULTIROOT) && (mnt->mnt_root == sb->s_root))
                return true;
        return is_subdir(path->dentry, mnt->mnt_root);
@@ -2000,6 +2002,9 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
        int retval = 0;
        const char *s = nd->name->name;
+        if (!*s)
+                flags &= ~LOOKUP_RCU;
        nd->last_type = LAST_ROOT; /* if there are only slashes... */
        nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
        nd->depth = 0;
diff --git a/fs/namespace.c b/fs/namespace.c
index ec4078d16eb7..b56b50e3da11 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -603,12 +603,21 @@ int __legitimize_mnt(struct vfsmount *bastard, unsigned seq)
                return 0;
        mnt = real_mount(bastard);
        mnt_add_count(mnt, 1);
+        smp_mb();                       // see mntput_no_expire()
        if (likely(!read_seqretry(&mount_lock, seq)))
                return 0;
        if (bastard->mnt_flags & MNT_SYNC_UMOUNT) {
                mnt_add_count(mnt, -1);
                return 1;
        }
+        lock_mount_hash();
+        if (unlikely(bastard->mnt_flags & MNT_DOOMED)) {
+                mnt_add_count(mnt, -1);
+                unlock_mount_hash();
+                return 1;
+        }
+        unlock_mount_hash();
+        /* caller will mntput() */
        return -1;
 }
@@ -1018,7 +1027,8 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
                        goto out_free;
        }
-        mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
+        mnt->mnt.mnt_flags = old->mnt.mnt_flags;
+        mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);
        /* Don't allow unprivileged users to change mount flags */
        if (flag & CL_UNPRIVILEGED) {
                mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
@@ -1123,12 +1133,27 @@ static DECLARE_DELAYED_WORK(delayed_mntput_work, delayed_mntput);
 static void mntput_no_expire(struct mount *mnt)
 {
        rcu_read_lock();
-        mnt_add_count(mnt, -1);
+        if (likely(READ_ONCE(mnt->mnt_ns))) {
-        if (likely(mnt->mnt_ns)) { /* shouldn't be the last one */
+                /*
+                 * Since we don't do lock_mount_hash() here,
+                 * ->mnt_ns can change under us.  However, if it's
+                 * non-NULL, then there's a reference that won't
+                 * be dropped until after an RCU delay done after
+                 * turning ->mnt_ns NULL.  So if we observe it
+                 * non-NULL under rcu_read_lock(), the reference
+                 * we are dropping is not the final one.
+                 */
+                mnt_add_count(mnt, -1);
                rcu_read_unlock();
                return;
        }
        lock_mount_hash();
+        /*
+         * make sure that if __legitimize_mnt() has not seen us grab
+         * mount_lock, we'll see their refcount increment here.
+         */
+        smp_mb();
+        mnt_add_count(mnt, -1);
        if (mnt_get_count(mnt)) {
                rcu_read_unlock();
                unlock_mount_hash();
diff --git a/fs/ncpfs/dir.c b/fs/ncpfs/dir.c
index 03446c5a3ec1..4e1144512522 100644
--- a/fs/ncpfs/dir.c
+++ b/fs/ncpfs/dir.c
@@ -133,12 +133,11 @@ ncp_hash_dentry(const struct dentry *dentry, struct qstr *this)
                return 0;
        if (!ncp_case_sensitive(inode)) {
-                struct super_block *sb = dentry->d_sb;
                struct nls_table *t;
                unsigned long hash;
                int i;
-                t = NCP_IO_TABLE(sb);
+                t = NCP_IO_TABLE(dentry->d_sb);
                hash = init_name_hash();
                for (i=0; i<this->len ; i++)
                        hash = partial_name_hash(ncp_tolower(t, this->name[i]),
diff --git a/fs/ncpfs/ncplib_kernel.c b/fs/ncpfs/ncplib_kernel.c
index 88dbbc9fcf4d..f571570a2e72 100644
--- a/fs/ncpfs/ncplib_kernel.c
+++ b/fs/ncpfs/ncplib_kernel.c
@@ -980,6 +980,10 @@ ncp_read_kernel(struct ncp_server *server, const char *file_id,
                goto out;
        }
        *bytes_read = ncp_reply_be16(server, 0);
+        if (*bytes_read > to_read) {
+                result = -EINVAL;
+                goto out;
+        }
        source = ncp_reply_data(server, 2 + (offset & 1));
        memcpy(target, source, *bytes_read);
diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
index 4b1d08f56aba..211440722e24 100644
--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -86,9 +86,9 @@ struct nfs_direct_req {
        struct nfs_direct_mirror mirrors[NFS_PAGEIO_DESCRIPTOR_MIRROR_MAX];
        int                     mirror_count;
+        loff_t                  io_start;       /* Start offset for I/O */
        ssize_t                 count,          /* bytes actually processed */
                                bytes_left,     /* bytes left to be sent */
-                                io_start,       /* start of IO */
                                error;          /* any reported error */
        struct completion       completion;     /* wait for i/o completion */
@@ -787,10 +787,8 @@ static void nfs_direct_write_completion(struct nfs_pgio_header *hdr)
        spin_lock(&dreq->lock);
-        if (test_bit(NFS_IOHDR_ERROR, &hdr->flags)) {
+        if (test_bit(NFS_IOHDR_ERROR, &hdr->flags))
-                dreq->flags = 0;
                dreq->error = hdr->error;
-        }
        if (dreq->error == 0) {
                nfs_direct_good_bytes(dreq, hdr);
                if (nfs_write_need_commit(hdr)) {
diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
index 54313322ee5b..c8e90152b61b 100644
--- a/fs/nfs/flexfilelayout/flexfilelayout.c
+++ b/fs/nfs/flexfilelayout/flexfilelayout.c
@@ -461,6 +461,7 @@ ff_layout_alloc_lseg(struct pnfs_layout_hdr *lh,
                        goto out_err_free;
                /* fh */
+                rc = -EIO;
                p = xdr_inline_decode(&stream, 4);
                if (!p)
                        goto out_err_free;
diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
index 5ba22c6b0ffa..c99a887100db 100644
--- a/fs/nfs/nfs4idmap.c
+++ b/fs/nfs/nfs4idmap.c
@@ -343,7 +343,7 @@ static ssize_t nfs_idmap_lookup_name(__u32 id, const char *type, char *buf,
        int id_len;
        ssize_t ret;
-        id_len = snprintf(id_str, sizeof(id_str), "%u", id);
+        id_len = nfs_map_numeric_to_string(id, id_str, sizeof(id_str));
        ret = nfs_idmap_get_key(id_str, id_len, type, buf, buflen, idmap);
        if (ret < 0)
                return -EINVAL;
@@ -567,9 +567,13 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons,
        struct idmap_msg *im;
        struct idmap *idmap = (struct idmap *)aux;
        struct key *key = cons->key;
-        int ret = -ENOMEM;
+        int ret = -ENOKEY;
+        if (!aux)
+                goto out1;
        /* msg and im are freed in idmap_pipe_destroy_msg */
+        ret = -ENOMEM;
        data = kzalloc(sizeof(*data), GFP_KERNEL);
        if (!data)
                goto out1;
@@ -622,7 +626,8 @@ static int nfs_idmap_read_and_verify_message(struct idmap_msg *im,
                if (strcmp(upcall->im_name, im->im_name) != 0)
                        break;
                /* Note: here we store the NUL terminator too */
-                len = sprintf(id_str, "%d", im->im_id) + 1;
+                len = 1 + nfs_map_numeric_to_string(im->im_id, id_str,
+                                                    sizeof(id_str));
                ret = nfs_idmap_instantiate(key, authkey, id_str, len);
                break;
        case IDMAP_CONV_IDTONAME:
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 8ef6f70c9e25..41c8ddbc80dc 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -1780,7 +1780,7 @@ static int nfs4_open_reclaim(struct nfs4_state_owner *sp, struct nfs4_state *sta
        return ret;
 }
-static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, int err)
+static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, struct file_lock *fl, int err)
 {
        switch (err) {
                default:
@@ -1827,7 +1827,11 @@ static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct
                        return -EAGAIN;
                case -ENOMEM:
                case -NFS4ERR_DENIED:
-                        /* kill_proc(fl->fl_pid, SIGLOST, 1); */
+                        if (fl) {
+                                struct nfs4_lock_state *lsp = fl->fl_u.nfs4_fl.owner;
+                                if (lsp)
+                                        set_bit(NFS_LOCK_LOST, &lsp->ls_flags);
+                        }
                        return 0;
        }
        return err;
@@ -1863,7 +1867,7 @@ int nfs4_open_delegation_recall(struct nfs_open_context *ctx,
                err = nfs4_open_recover_helper(opendata, FMODE_READ);
        }
        nfs4_opendata_put(opendata);
-        return nfs4_handle_delegation_recall_error(server, state, stateid, err);
+        return nfs4_handle_delegation_recall_error(server, state, stateid, NULL, err);
 }
 static void nfs4_open_confirm_prepare(struct rpc_task *task, void *calldata)
@@ -3025,6 +3029,7 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
                .rpc_resp = &res,
        };
        int status;
+        int i;
        bitmask[0] = FATTR4_WORD0_SUPPORTED_ATTRS |
                     FATTR4_WORD0_FH_EXPIRE_TYPE |
@@ -3090,8 +3095,13 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
                server->cache_consistency_bitmask[0] &= FATTR4_WORD0_CHANGE|FATTR4_WORD0_SIZE;
                server->cache_consistency_bitmask[1] &= FATTR4_WORD1_TIME_METADATA|FATTR4_WORD1_TIME_MODIFY;
                server->cache_consistency_bitmask[2] = 0;
+                /* Avoid a regression due to buggy server */
+                for (i = 0; i < ARRAY_SIZE(res.exclcreat_bitmask); i++)
+                        res.exclcreat_bitmask[i] &= res.attr_bitmask[i];
                memcpy(server->exclcreat_bitmask, res.exclcreat_bitmask,
                        sizeof(server->exclcreat_bitmask));
                server->acl_bitmask = res.acl_bitmask;
                server->fh_expire_type = res.fh_expire_type;
        }
@@ -6151,7 +6161,7 @@ int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state,
        if (err != 0)
                return err;
        err = _nfs4_do_setlk(state, F_SETLK, fl, NFS_LOCK_NEW);
-        return nfs4_handle_delegation_recall_error(server, state, stateid, err);
+        return nfs4_handle_delegation_recall_error(server, state, stateid, fl, err);
 }
 struct nfs_release_lockowner_data {
@@ -7670,6 +7680,12 @@ static int nfs41_reclaim_complete_handle_errors(struct rpc_task *task, struct nf
                /* fall through */
        case -NFS4ERR_RETRY_UNCACHED_REP:
                return -EAGAIN;
+        case -NFS4ERR_BADSESSION:
+        case -NFS4ERR_DEADSESSION:
+        case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
+                nfs4_schedule_session_recovery(clp->cl_session,
+                                task->tk_status);
+                break;
        default:
                nfs4_schedule_lease_recovery(clp);
        }
@@ -7748,7 +7764,6 @@ static int nfs41_proc_reclaim_complete(struct nfs_client *clp,
        if (status == 0)
                status = task->tk_status;
        rpc_put_task(task);
-        return 0;
 out:
        dprintk("<-- %s status=%d\n", __func__, status);
        return status;
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index 9a0b219ff74d..44f5cea49699 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1386,6 +1386,7 @@ static int nfs4_reclaim_locks(struct nfs4_state *state, const struct nfs4_state_
        struct inode *inode = state->inode;
        struct nfs_inode *nfsi = NFS_I(inode);
        struct file_lock *fl;
+        struct nfs4_lock_state *lsp;
        int status = 0;
        struct file_lock_context *flctx = inode->i_flctx;
        struct list_head *list;
@@ -1426,7 +1427,9 @@ restart:
                case -NFS4ERR_DENIED:
                case -NFS4ERR_RECLAIM_BAD:
                case -NFS4ERR_RECLAIM_CONFLICT:
-                        /* kill_proc(fl->fl_pid, SIGLOST, 1); */
+                        lsp = fl->fl_u.nfs4_fl.owner;
+                        if (lsp)
+                                set_bit(NFS_LOCK_LOST, &lsp->ls_flags);
                        status = 0;
                }
                spin_lock(&flctx->flc_lock);
@@ -1593,13 +1596,14 @@ static void nfs4_state_start_reclaim_reboot(struct nfs_client *clp)
        nfs4_state_mark_reclaim_helper(clp, nfs4_state_mark_reclaim_reboot);
 }
-static void nfs4_reclaim_complete(struct nfs_client *clp,
+static int nfs4_reclaim_complete(struct nfs_client *clp,
                                 const struct nfs4_state_recovery_ops *ops,
                                 struct rpc_cred *cred)
 {
        /* Notify the server we're done reclaiming our state */
        if (ops->reclaim_complete)
-                (void)ops->reclaim_complete(clp, cred);
+                return ops->reclaim_complete(clp, cred);
+        return 0;
 }
 static void nfs4_clear_reclaim_server(struct nfs_server *server)
@@ -1646,13 +1650,16 @@ static void nfs4_state_end_reclaim_reboot(struct nfs_client *clp)
 {
        const struct nfs4_state_recovery_ops *ops;
        struct rpc_cred *cred;
+        int err;
        if (!nfs4_state_clear_reclaim_reboot(clp))
                return;
        ops = clp->cl_mvops->reboot_recovery_ops;
        cred = nfs4_get_clid_cred(clp);
-        nfs4_reclaim_complete(clp, ops, cred);
+        err = nfs4_reclaim_complete(clp, ops, cred);
        put_rpccred(cred);
+        if (err == -NFS4ERR_CONN_NOT_BOUND_TO_SESSION)
+                set_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state);
 }
 static void nfs_delegation_clear_all(struct nfs_client *clp)
diff --git a/fs/nfs/nfs4sysctl.c b/fs/nfs/nfs4sysctl.c
index 0fbd3ab1be22..44a7bbbf92f8 100644
--- a/fs/nfs/nfs4sysctl.c
+++ b/fs/nfs/nfs4sysctl.c
@@ -31,7 +31,7 @@ static struct ctl_table nfs4_cb_sysctls[] = {
                .data = &nfs_idmap_cache_timeout,
                .maxlen = sizeof(int),
                .mode = 0644,
-                .proc_handler = proc_dointvec_jiffies,
+                .proc_handler = proc_dointvec,
        },
        { }
 };
diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
index 8ebfdd00044b..4bdc2fc86280 100644
--- a/fs/nfs/pagelist.c
+++ b/fs/nfs/pagelist.c
@@ -1273,8 +1273,10 @@ void nfs_pageio_cond_complete(struct nfs_pageio_descriptor *desc, pgoff_t index)
                mirror = &desc->pg_mirrors[midx];
                if (!list_empty(&mirror->pg_list)) {
                        prev = nfs_list_entry(mirror->pg_list.prev);
-                        if (index != prev->wb_index + 1)
+                        if (index != prev->wb_index + 1) {
-                                nfs_pageio_complete_mirror(desc, midx);
+                                nfs_pageio_complete(desc);
+                                break;
+                        }
                }
        }
 }
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 7af7bedd7c02..c8e75e5e6a67 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1943,7 +1943,7 @@ pnfs_write_through_mds(struct nfs_pageio_descriptor *desc,
                nfs_pageio_reset_write_mds(desc);
                mirror->pg_recoalesce = 1;
        }
-        hdr->release(hdr);
+        hdr->completion_ops->completion(hdr);
 }
 static enum pnfs_try_status
@@ -2058,7 +2058,7 @@ pnfs_read_through_mds(struct nfs_pageio_descriptor *desc,
                nfs_pageio_reset_read_mds(desc);
                mirror->pg_recoalesce = 1;
        }
-        hdr->release(hdr);
+        hdr->completion_ops->completion(hdr);
 }
 /*
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 3149f7e58d6f..62f358f67764 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2581,6 +2581,8 @@ struct dentry *nfs_fs_mount_common(struct nfs_server *server,
                /* initial superblock/root creation */
                mount_info->fill_super(s, mount_info);
                nfs_get_cache_cookie(s, mount_info->parsed, mount_info->cloned);
+                if (!(server->flags & NFS_MOUNT_UNSHARED))
+                        s->s_iflags |= SB_I_MULTIROOT;
        }
        mntroot = nfs_get_root(s, mount_info->mntfh, dev_name);
diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index 7a9b6e347249..6e81a5b5858e 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -1746,6 +1746,8 @@ static void nfs_commit_release_pages(struct nfs_commit_data *data)
                set_bit(NFS_CONTEXT_RESEND_WRITES, &req->wb_context->flags);
        next:
                nfs_unlock_and_release_request(req);
+                /* Latency breaker */
+                cond_resched();
        }
        nfss = NFS_SERVER(data->inode);
        if (atomic_long_read(&nfss->writeback) < NFS_CONGESTION_OFF_THRESH)
diff --git a/fs/nfs_common/grace.c b/fs/nfs_common/grace.c
index fd8c9a5bcac4..77d136ac8909 100644
--- a/fs/nfs_common/grace.c
+++ b/fs/nfs_common/grace.c
@@ -30,7 +30,11 @@ locks_start_grace(struct net *net, struct lock_manager *lm)
        struct list_head *grace_list = net_generic(net, grace_net_id);
        spin_lock(&grace_lock);
-        list_add(&lm->list, grace_list);
+        if (list_empty(&lm->list))
+                list_add(&lm->list, grace_list);
+        else
+                WARN(1, "double list_add attempt detected in net %x %s\n",
+                     net->ns.inum, (net == &init_net) ? "(init_net)" : "");
        spin_unlock(&grace_lock);
 }
 EXPORT_SYMBOL_GPL(locks_start_grace);
@@ -104,7 +108,9 @@ grace_exit_net(struct net *net)
 {
        struct list_head *grace_list = net_generic(net, grace_net_id);
-        BUG_ON(!list_empty(grace_list));
+        WARN_ONCE(!list_empty(grace_list),
+                  "net %x %s: grace_list is not empty\n",
+                  net->ns.inum, __func__);
 }
 static struct pernet_operations grace_net_ops = {
diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
index a260060042ad..67eb154af881 100644
--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -60,9 +60,10 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
                        else
                                GROUP_AT(gi, i) = GROUP_AT(rqgi, i);
-                        /* Each thread allocates its own gi, no race */
-                        groups_sort(gi);
                }
+                /* Each thread allocates its own gi, no race */
+                groups_sort(gi);
        } else {
                gi = get_group_info(rqgi);
        }
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 209dbfc50cd4..bfbee8ddf978 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1245,14 +1245,14 @@ nfsd4_layoutget(struct svc_rqst *rqstp,
        const struct nfsd4_layout_ops *ops;
        struct nfs4_layout_stateid *ls;
        __be32 nfserr;
-        int accmode;
+        int accmode = NFSD_MAY_READ_IF_EXEC;
        switch (lgp->lg_seg.iomode) {
        case IOMODE_READ:
-                accmode = NFSD_MAY_READ;
+                accmode |= NFSD_MAY_READ;
                break;
        case IOMODE_RW:
-                accmode = NFSD_MAY_READ | NFSD_MAY_WRITE;
+                accmode |= NFSD_MAY_READ | NFSD_MAY_WRITE;
                break;
        default:
                dprintk("%s: invalid iomode %d\n",
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 11c67e8b939d..ba27a5ff8677 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -63,12 +63,16 @@ static const stateid_t zero_stateid = {
 static const stateid_t currentstateid = {
        .si_generation = 1,
 };
+static const stateid_t close_stateid = {
+        .si_generation = 0xffffffffU,
+};
 static u64 current_sessionid = 1;
 #define ZERO_STATEID(stateid) (!memcmp((stateid), &zero_stateid, sizeof(stateid_t)))
 #define ONE_STATEID(stateid)  (!memcmp((stateid), &one_stateid, sizeof(stateid_t)))
 #define CURRENT_STATEID(stateid) (!memcmp((stateid), &currentstateid, sizeof(stateid_t)))
+#define CLOSE_STATEID(stateid)  (!memcmp((stateid), &close_stateid, sizeof(stateid_t)))
 /* forward declarations */
 static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner);
@@ -4701,7 +4705,8 @@ static __be32 nfsd4_validate_stateid(struct nfs4_client *cl, stateid_t *stateid)
        struct nfs4_stid *s;
        __be32 status = nfserr_bad_stateid;
-        if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+        if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
+                CLOSE_STATEID(stateid))
                return status;
        /* Client debugging aid. */
        if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid)) {
@@ -4759,7 +4764,8 @@ nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate,
        else if (typemask & NFS4_DELEG_STID)
                typemask |= NFS4_REVOKED_DELEG_STID;
-        if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+        if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
+                CLOSE_STATEID(stateid))
                return nfserr_bad_stateid;
        status = lookup_clientid(&stateid->si_opaque.so_clid, cstate, nn);
        if (status == nfserr_stale_clientid) {
@@ -5011,15 +5017,9 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_
        status = nfsd4_check_seqid(cstate, sop, seqid);
        if (status)
                return status;
-        if (stp->st_stid.sc_type == NFS4_CLOSED_STID
+        status = nfsd4_lock_ol_stateid(stp);
-                || stp->st_stid.sc_type == NFS4_REVOKED_DELEG_STID)
+        if (status != nfs_ok)
-                /*
+                return status;
-                 * "Closed" stateid's exist *only* to return
-                 * nfserr_replay_me from the previous step, and
-                 * revoked delegations are kept only for free_stateid.
-                 */
-                return nfserr_bad_stateid;
-        mutex_lock(&stp->st_mutex);
        status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
        if (status == nfs_ok)
                status = nfs4_check_fh(current_fh, &stp->st_stid);
@@ -5243,6 +5243,11 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
        nfsd4_close_open_stateid(stp);
        mutex_unlock(&stp->st_mutex);
+        /* See RFC5661 sectionm 18.2.4 */
+        if (stp->st_stid.sc_client->cl_minorversion)
+                memcpy(&close->cl_stateid, &close_stateid,
+                                sizeof(close->cl_stateid));
        /* put reference from nfs4_preprocess_seqid_op */
        nfs4_put_stid(&stp->st_stid);
 out:
@@ -6787,6 +6792,10 @@ static int nfs4_state_create_net(struct net *net)
                INIT_LIST_HEAD(&nn->sessionid_hashtbl[i]);
        nn->conf_name_tree = RB_ROOT;
        nn->unconf_name_tree = RB_ROOT;
+        nn->boot_time = get_seconds();
+        nn->grace_ended = false;
+        nn->nfsd4_manager.block_opens = true;
+        INIT_LIST_HEAD(&nn->nfsd4_manager.list);
        INIT_LIST_HEAD(&nn->client_lru);
        INIT_LIST_HEAD(&nn->close_lru);
        INIT_LIST_HEAD(&nn->del_recall_lru);
@@ -6841,9 +6850,6 @@ nfs4_state_start_net(struct net *net)
        ret = nfs4_state_create_net(net);
        if (ret)
                return ret;
-        nn->boot_time = get_seconds();
-        nn->grace_ended = false;
-        nn->nfsd4_manager.block_opens = true;
        locks_start_grace(net, &nn->nfsd4_manager);
        nfsd4_client_tracking_init(net);
        printk(KERN_INFO "NFSD: starting %ld-second grace period (net %p)\n",
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 544672b440de..ee0da259a3d3 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1538,6 +1538,8 @@ nfsd4_decode_getdeviceinfo(struct nfsd4_compoundargs *argp,
        gdev->gd_maxcount = be32_to_cpup(p++);
        num = be32_to_cpup(p++);
        if (num) {
+                if (num > 1000)
+                        goto xdr_error;
                READ_BUF(4 * num);
                gdev->gd_notify_types = be32_to_cpup(p++);
                for (i = 1; i < num; i++) {
@@ -3595,7 +3597,8 @@ nfsd4_encode_readdir(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd4
                nfserr = nfserr_resource;
                goto err_no_verf;
        }
-        maxcount = min_t(u32, readdir->rd_maxcount, INT_MAX);
+        maxcount = svc_max_payload(resp->rqstp);
+        maxcount = min_t(u32, readdir->rd_maxcount, maxcount);
        /*
         * Note the rfc defines rd_maxcount as the size of the
         * READDIR4resok structure, which includes the verifier above
@@ -3609,7 +3612,7 @@ nfsd4_encode_readdir(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd4
        /* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */
        if (!readdir->rd_dircount)
-                readdir->rd_dircount = INT_MAX;
+                readdir->rd_dircount = svc_max_payload(resp->rqstp);
        readdir->xdr = xdr;
        readdir->rd_maxcount = maxcount;
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 91e0c5429b4d..17138a97f306 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -92,6 +92,12 @@ nfsd_cross_mnt(struct svc_rqst *rqstp, struct dentry **dpp,
        err = follow_down(&path);
        if (err < 0)
                goto out;
+        if (path.mnt == exp->ex_path.mnt && path.dentry == dentry &&
+            nfsd_mountpoint(dentry, exp) == 2) {
+                /* This is only a mountpoint in some other namespace */
+                path_put(&path);
+                goto out;
+        }
        exp2 = rqst_exp_get_by_name(rqstp, &path);
        if (IS_ERR(exp2)) {
@@ -165,16 +171,26 @@ static int nfsd_lookup_parent(struct svc_rqst *rqstp, struct dentry *dparent, st
 /*
 * For nfsd purposes, we treat V4ROOT exports as though there was an
 * export at *every* directory.
+ * We return:
+ * '1' if this dentry *must* be an export point,
+ * '2' if it might be, if there is really a mount here, and
+ * '0' if there is no chance of an export point here.
 */
 int nfsd_mountpoint(struct dentry *dentry, struct svc_export *exp)
 {
-        if (d_mountpoint(dentry))
+        if (!d_inode(dentry))
+                return 0;
+        if (exp->ex_flags & NFSEXP_V4ROOT)
                return 1;
        if (nfsd4_is_junction(dentry))
                return 1;
-        if (!(exp->ex_flags & NFSEXP_V4ROOT))
+        if (d_mountpoint(dentry))
-                return 0;
+                /*
-        return d_inode(dentry) != NULL;
+                 * Might only be a mountpoint in a different namespace,
+                 * but we need to check.
+                 */
+                return 2;
+        return 0;
 }
 __be32
diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c
index c9a1a491aa91..cd7f5b0abe84 100644
--- a/fs/nilfs2/namei.c
+++ b/fs/nilfs2/namei.c
@@ -50,8 +50,7 @@ static inline int nilfs_add_nondir(struct dentry *dentry, struct inode *inode)
 {
        int err = nilfs_add_link(dentry, inode);
        if (!err) {
-                d_instantiate(dentry, inode);
+                d_instantiate_new(dentry, inode);
-                unlock_new_inode(inode);
                return 0;
        }
        inode_dec_link_count(inode);
@@ -246,8 +245,7 @@ static int nilfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
                goto out_fail;
        nilfs_mark_inode_dirty(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
-        unlock_new_inode(inode);
 out:
        if (!err)
                err = nilfs_transaction_commit(dir->i_sb);
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index e0e5f7c3c99f..8a459b179183 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -92,7 +92,7 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark,
                                       u32 event_mask,
                                       void *data, int data_type)
 {
-        __u32 marks_mask, marks_ignored_mask;
+        __u32 marks_mask = 0, marks_ignored_mask = 0;
        struct path *path = data;
        pr_debug("%s: inode_mark=%p vfsmnt_mark=%p mask=%x data=%p"
@@ -108,24 +108,20 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark,
            !d_can_lookup(path->dentry))
                return false;
-        if (inode_mark && vfsmnt_mark) {
+        /*
-                marks_mask = (vfsmnt_mark->mask | inode_mark->mask);
+         * if the event is for a child and this inode doesn't care about
-                marks_ignored_mask = (vfsmnt_mark->ignored_mask | inode_mark->ignored_mask);
+         * events on the child, don't send it!
-        } else if (inode_mark) {
+         */
-                /*
+        if (inode_mark &&
-                 * if the event is for a child and this inode doesn't care about
+            (!(event_mask & FS_EVENT_ON_CHILD) ||
-                 * events on the child, don't send it!
+             (inode_mark->mask & FS_EVENT_ON_CHILD))) {
-                 */
+                marks_mask |= inode_mark->mask;
-                if ((event_mask & FS_EVENT_ON_CHILD) &&
+                marks_ignored_mask |= inode_mark->ignored_mask;
-                    !(inode_mark->mask & FS_EVENT_ON_CHILD))
+        }
-                        return false;
-                marks_mask = inode_mark->mask;
+        if (vfsmnt_mark) {
-                marks_ignored_mask = inode_mark->ignored_mask;
+                marks_mask |= vfsmnt_mark->mask;
-        } else if (vfsmnt_mark) {
+                marks_ignored_mask |= vfsmnt_mark->ignored_mask;
-                marks_mask = vfsmnt_mark->mask;
-                marks_ignored_mask = vfsmnt_mark->ignored_mask;
-        } else {
-                BUG();
        }
        if (d_is_dir(path->dentry) &&
diff --git a/fs/nsfs.c b/fs/nsfs.c
index 8f20d6016e20..914ca6b2794d 100644
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -95,6 +95,7 @@ slow:
                return ERR_PTR(-ENOMEM);
        }
        d_instantiate(dentry, inode);
+        dentry->d_flags |= DCACHE_RCUACCESS;
        dentry->d_fsdata = (void *)ns_ops;
        d = atomic_long_cmpxchg(&ns->stashed, 0, (unsigned long)dentry);
        if (d) {
diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c
index 164307b99405..1e0d8da0d3cd 100644
--- a/fs/ocfs2/acl.c
+++ b/fs/ocfs2/acl.c
@@ -314,7 +314,9 @@ struct posix_acl *ocfs2_iop_get_acl(struct inode *inode, int type)
                return ERR_PTR(ret);
        }
+        down_read(&OCFS2_I(inode)->ip_xattr_sem);
        acl = ocfs2_get_acl_nolock(inode, type, di_bh);
+        up_read(&OCFS2_I(inode)->ip_xattr_sem);
        ocfs2_inode_unlock(inode, 0);
        brelse(di_bh);
@@ -333,7 +335,9 @@ int ocfs2_acl_chmod(struct inode *inode, struct buffer_head *bh)
        if (!(osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL))
                return 0;
+        down_read(&OCFS2_I(inode)->ip_xattr_sem);
        acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh);
+        up_read(&OCFS2_I(inode)->ip_xattr_sem);
        if (IS_ERR(acl) || !acl)
                return PTR_ERR(acl);
        ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
@@ -364,8 +368,10 @@ int ocfs2_init_acl(handle_t *handle,
        if (!S_ISLNK(inode->i_mode)) {
                if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) {
+                        down_read(&OCFS2_I(dir)->ip_xattr_sem);
                        acl = ocfs2_get_acl_nolock(dir, ACL_TYPE_DEFAULT,
                                                   dir_bh);
+                        up_read(&OCFS2_I(dir)->ip_xattr_sem);
                        if (IS_ERR(acl))
                                return PTR_ERR(acl);
                }
diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c
index 72afdca3cea7..3c45a9301a09 100644
--- a/fs/ocfs2/cluster/nodemanager.c
+++ b/fs/ocfs2/cluster/nodemanager.c
@@ -40,6 +40,9 @@ char *o2nm_fence_method_desc[O2NM_FENCE_METHODS] = {
                "panic",        /* O2NM_FENCE_PANIC */
 };
+static inline void o2nm_lock_subsystem(void);
+static inline void o2nm_unlock_subsystem(void);
 struct o2nm_node *o2nm_get_node_by_num(u8 node_num)
 {
        struct o2nm_node *node = NULL;
@@ -181,7 +184,10 @@ static struct o2nm_cluster *to_o2nm_cluster_from_node(struct o2nm_node *node)
 {
        /* through the first node_set .parent
         * mycluster/nodes/mynode == o2nm_cluster->o2nm_node_group->o2nm_node */
-        return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+        if (node->nd_item.ci_parent)
+                return to_o2nm_cluster(node->nd_item.ci_parent->ci_parent);
+        else
+                return NULL;
 }
 enum {
@@ -194,7 +200,7 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,
                                   size_t count)
 {
        struct o2nm_node *node = to_o2nm_node(item);
-        struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+        struct o2nm_cluster *cluster;
        unsigned long tmp;
        char *p = (char *)page;
        int ret = 0;
@@ -214,6 +220,13 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,
            !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
                return -EINVAL; /* XXX */
+        o2nm_lock_subsystem();
+        cluster = to_o2nm_cluster_from_node(node);
+        if (!cluster) {
+                o2nm_unlock_subsystem();
+                return -EINVAL;
+        }
        write_lock(&cluster->cl_nodes_lock);
        if (cluster->cl_nodes[tmp])
                ret = -EEXIST;
@@ -226,6 +239,8 @@ static ssize_t o2nm_node_num_store(struct config_item *item, const char *page,
                set_bit(tmp, cluster->cl_nodes_bitmap);
        }
        write_unlock(&cluster->cl_nodes_lock);
+        o2nm_unlock_subsystem();
        if (ret)
                return ret;
@@ -269,7 +284,7 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,
                                            size_t count)
 {
        struct o2nm_node *node = to_o2nm_node(item);
-        struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+        struct o2nm_cluster *cluster;
        int ret, i;
        struct rb_node **p, *parent;
        unsigned int octets[4];
@@ -286,6 +301,13 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,
                be32_add_cpu(&ipv4_addr, octets[i] << (i * 8));
        }
+        o2nm_lock_subsystem();
+        cluster = to_o2nm_cluster_from_node(node);
+        if (!cluster) {
+                o2nm_unlock_subsystem();
+                return -EINVAL;
+        }
        ret = 0;
        write_lock(&cluster->cl_nodes_lock);
        if (o2nm_node_ip_tree_lookup(cluster, ipv4_addr, &p, &parent))
@@ -298,6 +320,8 @@ static ssize_t o2nm_node_ipv4_address_store(struct config_item *item,
                rb_insert_color(&node->nd_ip_node, &cluster->cl_node_ip_tree);
        }
        write_unlock(&cluster->cl_nodes_lock);
+        o2nm_unlock_subsystem();
        if (ret)
                return ret;
@@ -315,7 +339,7 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,
                                     size_t count)
 {
        struct o2nm_node *node = to_o2nm_node(item);
-        struct o2nm_cluster *cluster = to_o2nm_cluster_from_node(node);
+        struct o2nm_cluster *cluster;
        unsigned long tmp;
        char *p = (char *)page;
        ssize_t ret;
@@ -333,17 +357,26 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,
            !test_bit(O2NM_NODE_ATTR_PORT, &node->nd_set_attributes))
                return -EINVAL; /* XXX */
+        o2nm_lock_subsystem();
+        cluster = to_o2nm_cluster_from_node(node);
+        if (!cluster) {
+                ret = -EINVAL;
+                goto out;
+        }
        /* the only failure case is trying to set a new local node
         * when a different one is already set */
        if (tmp && tmp == cluster->cl_has_local &&
-            cluster->cl_local_node != node->nd_num)
+            cluster->cl_local_node != node->nd_num) {
-                return -EBUSY;
+                ret = -EBUSY;
+                goto out;
+        }
        /* bring up the rx thread if we're setting the new local node. */
        if (tmp && !cluster->cl_has_local) {
                ret = o2net_start_listening(node);
                if (ret)
-                        return ret;
+                        goto out;
        }
        if (!tmp && cluster->cl_has_local &&
@@ -358,7 +391,11 @@ static ssize_t o2nm_node_local_store(struct config_item *item, const char *page,
                cluster->cl_local_node = node->nd_num;
        }
-        return count;
+        ret = count;
+out:
+        o2nm_unlock_subsystem();
+        return ret;
 }
 CONFIGFS_ATTR(o2nm_node_, num);
@@ -750,6 +787,16 @@ static struct o2nm_cluster_group o2nm_cluster_group = {
        },
 };
+static inline void o2nm_lock_subsystem(void)
+{
+        mutex_lock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
+static inline void o2nm_unlock_subsystem(void)
+{
+        mutex_unlock(&o2nm_cluster_group.cs_subsys.su_mutex);
+}
 int o2nm_depend_item(struct config_item *item)
 {
        return configfs_depend_item(&o2nm_cluster_group.cs_subsys, item);
diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
index 2ee7fe747cea..c55a9c47ac17 100644
--- a/fs/ocfs2/dlm/dlmdomain.c
+++ b/fs/ocfs2/dlm/dlmdomain.c
@@ -674,20 +674,6 @@ static void dlm_leave_domain(struct dlm_ctxt *dlm)
        spin_unlock(&dlm->spinlock);
 }
-int dlm_shutting_down(struct dlm_ctxt *dlm)
-{
-        int ret = 0;
-        spin_lock(&dlm_domain_lock);
-        if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN)
-                ret = 1;
-        spin_unlock(&dlm_domain_lock);
-        return ret;
-}
 void dlm_unregister_domain(struct dlm_ctxt *dlm)
 {
        int leave = 0;
diff --git a/fs/ocfs2/dlm/dlmdomain.h b/fs/ocfs2/dlm/dlmdomain.h
index fd6122a38dbd..8a9281411c18 100644
--- a/fs/ocfs2/dlm/dlmdomain.h
+++ b/fs/ocfs2/dlm/dlmdomain.h
@@ -28,7 +28,30 @@
 extern spinlock_t dlm_domain_lock;
 extern struct list_head dlm_domains;
-int dlm_shutting_down(struct dlm_ctxt *dlm);
+static inline int dlm_joined(struct dlm_ctxt *dlm)
+{
+        int ret = 0;
+        spin_lock(&dlm_domain_lock);
+        if (dlm->dlm_state == DLM_CTXT_JOINED)
+                ret = 1;
+        spin_unlock(&dlm_domain_lock);
+        return ret;
+}
+static inline int dlm_shutting_down(struct dlm_ctxt *dlm)
+{
+        int ret = 0;
+        spin_lock(&dlm_domain_lock);
+        if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN)
+                ret = 1;
+        spin_unlock(&dlm_domain_lock);
+        return ret;
+}
 void dlm_fire_domain_eviction_callbacks(struct dlm_ctxt *dlm,
                                        int node_num);
diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c
index 4a338803e7e9..88149b4387c2 100644
--- a/fs/ocfs2/dlm/dlmrecovery.c
+++ b/fs/ocfs2/dlm/dlmrecovery.c
@@ -1377,6 +1377,15 @@ int dlm_mig_lockres_handler(struct o2net_msg *msg, u32 len, void *data,
        if (!dlm_grab(dlm))
                return -EINVAL;
+        if (!dlm_joined(dlm)) {
+                mlog(ML_ERROR, "Domain %s not joined! "
+                          "lockres %.*s, master %u\n",
+                          dlm->name, mres->lockname_len,
+                          mres->lockname, mres->master);
+                dlm_put(dlm);
+                return -EINVAL;
+        }
        BUG_ON(!(mres->flags & (DLM_MRES_RECOVERY|DLM_MRES_MIGRATION)));
        real_master = mres->master;
diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c
index 13534f4fe5b5..722eb5bc9b8f 100644
--- a/fs/ocfs2/journal.c
+++ b/fs/ocfs2/journal.c
@@ -666,23 +666,24 @@ static int __ocfs2_journal_access(handle_t *handle,
        /* we can safely remove this assertion after testing. */
        if (!buffer_uptodate(bh)) {
                mlog(ML_ERROR, "giving me a buffer that's not uptodate!\n");
-                mlog(ML_ERROR, "b_blocknr=%llu\n",
+                mlog(ML_ERROR, "b_blocknr=%llu, b_state=0x%lx\n",
-                     (unsigned long long)bh->b_blocknr);
+                     (unsigned long long)bh->b_blocknr, bh->b_state);
                lock_buffer(bh);
                /*
-                 * A previous attempt to write this buffer head failed.
+                 * A previous transaction with a couple of buffer heads fail
-                 * Nothing we can do but to retry the write and hope for
+                 * to checkpoint, so all the bhs are marked as BH_Write_EIO.
-                 * the best.
+                 * For current transaction, the bh is just among those error
+                 * bhs which previous transaction handle. We can't just clear
+                 * its BH_Write_EIO and reuse directly, since other bhs are
+                 * not written to disk yet and that will cause metadata
+                 * inconsistency. So we should set fs read-only to avoid
+                 * further damage.
                 */
                if (buffer_write_io_error(bh) && !buffer_uptodate(bh)) {
-                        clear_buffer_write_io_error(bh);
-                        set_buffer_uptodate(bh);
-                }
-                if (!buffer_uptodate(bh)) {
                        unlock_buffer(bh);
-                        return -EIO;
+                        return ocfs2_error(osb->sb, "A previous attempt to "
+                                        "write this buffer head failed\n");
                }
                unlock_buffer(bh);
        }
diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index 2de4c8a9340c..4f5141350af8 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -477,9 +477,8 @@ static int ocfs2_init_global_system_inodes(struct ocfs2_super *osb)
                new = ocfs2_get_system_file_inode(osb, i, osb->slot_num);
                if (!new) {
                        ocfs2_release_system_inodes(osb);
-                        status = -EINVAL;
+                        status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL;
                        mlog_errno(status);
-                        /* FIXME: Should ERROR_RO_FS */
                        mlog(ML_ERROR, "Unable to load system inode %d, "
                             "possibly corrupt fs?", i);
                        goto bail;
@@ -508,7 +507,7 @@ static int ocfs2_init_local_system_inodes(struct ocfs2_super *osb)
                new = ocfs2_get_system_file_inode(osb, i, osb->slot_num);
                if (!new) {
                        ocfs2_release_system_inodes(osb);
-                        status = -EINVAL;
+                        status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL;
                        mlog(ML_ERROR, "status=%d, sysfile=%d, slot=%d\n",
                             status, i, osb->slot_num);
                        goto bail;
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index 877830b05e12..4f0788232f2f 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -639,9 +639,11 @@ int ocfs2_calc_xattr_init(struct inode *dir,
                                                     si->value_len);
        if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) {
+                down_read(&OCFS2_I(dir)->ip_xattr_sem);
                acl_len = ocfs2_xattr_get_nolock(dir, dir_bh,
                                        OCFS2_XATTR_INDEX_POSIX_ACL_DEFAULT,
                                        "", NULL, 0);
+                up_read(&OCFS2_I(dir)->ip_xattr_sem);
                if (acl_len > 0) {
                        a_size = ocfs2_xattr_entry_real_size(0, acl_len);
                        if (S_ISDIR(mode))
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index 220b04f04523..985a4cdae06d 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -272,6 +272,16 @@ ssize_t ovl_getxattr(struct dentry *dentry, const char *name,
        return vfs_getxattr(realpath.dentry, name, value, size);
 }
+static bool ovl_can_list(const char *s)
+{
+        /* List all non-trusted xatts */
+        if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
+                return true;
+        /* Never list trusted.overlay, list other trusted for superuser only */
+        return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN);
+}
 ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
 {
        struct path realpath;
@@ -296,7 +306,7 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
                        return -EIO;
                len -= slen;
-                if (ovl_is_private_xattr(s)) {
+                if (!ovl_can_list(s)) {
                        res -= slen;
                        memmove(s, s + slen, len);
                } else {
diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
index adcb1398c481..299a6e1d6b77 100644
--- a/fs/overlayfs/readdir.c
+++ b/fs/overlayfs/readdir.c
@@ -441,10 +441,14 @@ static int ovl_dir_fsync(struct file *file, loff_t start, loff_t end,
        struct dentry *dentry = file->f_path.dentry;
        struct file *realfile = od->realfile;
+        /* Nothing to sync for lower */
+        if (!OVL_TYPE_UPPER(ovl_path_type(dentry)))
+                return 0;
        /*
         * Need to check if we started out being a lower dir, but got copied up
         */
-        if (!od->is_upper && OVL_TYPE_UPPER(ovl_path_type(dentry))) {
+        if (!od->is_upper) {
                struct inode *inode = file_inode(file);
                realfile = lockless_dereference(od->upperfile);
diff --git a/fs/pipe.c b/fs/pipe.c
index 39eff9a67253..1e7263bb837a 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -616,6 +616,9 @@ struct pipe_inode_info *alloc_pipe_info(void)
                unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
                struct user_struct *user = get_current_user();
+                if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE))
+                        pipe_bufs = pipe_max_size >> PAGE_SHIFT;
                if (!too_many_pipe_buffers_hard(user)) {
                        if (too_many_pipe_buffers_soft(user))
                                pipe_bufs = 1;
diff --git a/fs/proc/array.c b/fs/proc/array.c
index b6c00ce0e29e..cb71cbae606d 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -79,6 +79,7 @@
 #include <linux/delayacct.h>
 #include <linux/seq_file.h>
 #include <linux/pid_namespace.h>
+#include <linux/prctl.h>
 #include <linux/ptrace.h>
 #include <linux/tracehook.h>
 #include <linux/string_helpers.h>
@@ -332,6 +333,31 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
 #ifdef CONFIG_SECCOMP
        seq_printf(m, "Seccomp:\t%d\n", p->seccomp.mode);
 #endif
+        seq_printf(m, "\nSpeculation_Store_Bypass:\t");
+        switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
+        case -EINVAL:
+                seq_printf(m, "unknown");
+                break;
+        case PR_SPEC_NOT_AFFECTED:
+                seq_printf(m, "not vulnerable");
+                break;
+        case PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE:
+                seq_printf(m, "thread force mitigated");
+                break;
+        case PR_SPEC_PRCTL | PR_SPEC_DISABLE:
+                seq_printf(m, "thread mitigated");
+                break;
+        case PR_SPEC_PRCTL | PR_SPEC_ENABLE:
+                seq_printf(m, "thread vulnerable");
+                break;
+        case PR_SPEC_DISABLE:
+                seq_printf(m, "globally mitigated");
+                break;
+        default:
+                seq_printf(m, "vulnerable");
+                break;
+        }
+        seq_putc(m, '\n');
 }
 static inline void task_context_switch_counts(struct seq_file *m,
diff --git a/fs/proc/base.c b/fs/proc/base.c
index dd732400578e..5f9cec2db6c3 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -94,6 +94,8 @@
 #include "internal.h"
 #include "fd.h"
+#include "../../lib/kstrtox.h"
 /* NOTE:
 *      Implementing inode permission operations in /proc is almost
 *      certainly an error.  Permission checks need to happen during
@@ -953,6 +955,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
        unsigned long src = *ppos;
        int ret = 0;
        struct mm_struct *mm = file->private_data;
+        unsigned long env_start, env_end;
        /* Ensure the process spawned far enough to have an environment. */
        if (!mm || !mm->env_end)
@@ -965,19 +968,25 @@ static ssize_t environ_read(struct file *file, char __user *buf,
        ret = 0;
        if (!atomic_inc_not_zero(&mm->mm_users))
                goto free;
+        down_read(&mm->mmap_sem);
+        env_start = mm->env_start;
+        env_end = mm->env_end;
+        up_read(&mm->mmap_sem);
        while (count > 0) {
                size_t this_len, max_len;
                int retval;
-                if (src >= (mm->env_end - mm->env_start))
+                if (src >= (env_end - env_start))
                        break;
-                this_len = mm->env_end - (mm->env_start + src);
+                this_len = env_end - (env_start + src);
                max_len = min_t(size_t, PAGE_SIZE, count);
                this_len = min(max_len, this_len);
-                retval = access_remote_vm(mm, (mm->env_start + src),
+                retval = access_remote_vm(mm, (env_start + src),
                        page, this_len, 0);
                if (retval <= 0) {
@@ -1829,8 +1838,33 @@ end_instantiate:
 static int dname_to_vma_addr(struct dentry *dentry,
                             unsigned long *start, unsigned long *end)
 {
-        if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2)
+        const char *str = dentry->d_name.name;
+        unsigned long long sval, eval;
+        unsigned int len;
+        len = _parse_integer(str, 16, &sval);
+        if (len & KSTRTOX_OVERFLOW)
                return -EINVAL;
+        if (sval != (unsigned long)sval)
+                return -EINVAL;
+        str += len;
+        if (*str != '-')
+                return -EINVAL;
+        str++;
+        len = _parse_integer(str, 16, &eval);
+        if (len & KSTRTOX_OVERFLOW)
+                return -EINVAL;
+        if (eval != (unsigned long)eval)
+                return -EINVAL;
+        str += len;
+        if (*str != '\0')
+                return -EINVAL;
+        *start = sval;
+        *end = eval;
        return 0;
 }
@@ -3076,6 +3110,44 @@ int proc_pid_readdir(struct file *file, struct dir_context *ctx)
 }
 /*
+ * proc_tid_comm_permission is a special permission function exclusively
+ * used for the node /proc/<pid>/task/<tid>/comm.
+ * It bypasses generic permission checks in the case where a task of the same
+ * task group attempts to access the node.
+ * The rationale behind this is that glibc and bionic access this node for
+ * cross thread naming (pthread_set/getname_np(!self)). However, if
+ * PR_SET_DUMPABLE gets set to 0 this node among others becomes uid=0 gid=0,
+ * which locks out the cross thread naming implementation.
+ * This function makes sure that the node is always accessible for members of
+ * same thread group.
+ */
+static int proc_tid_comm_permission(struct inode *inode, int mask)
+{
+        bool is_same_tgroup;
+        struct task_struct *task;
+        task = get_proc_task(inode);
+        if (!task)
+                return -ESRCH;
+        is_same_tgroup = same_thread_group(current, task);
+        put_task_struct(task);
+        if (likely(is_same_tgroup && !(mask & MAY_EXEC))) {
+                /* This file (/proc/<pid>/task/<tid>/comm) can always be
+                 * read or written by the members of the corresponding
+                 * thread group.
+                 */
+                return 0;
+        }
+        return generic_permission(inode, mask);
+}
+static const struct inode_operations proc_tid_comm_inode_operations = {
+                .permission = proc_tid_comm_permission,
+};
+/*
 * Tasks
 */
 static const struct pid_entry tid_base_stuff[] = {
@@ -3093,7 +3165,9 @@ static const struct pid_entry tid_base_stuff[] = {
 #ifdef CONFIG_SCHED_DEBUG
        REG("sched",     S_IRUGO|S_IWUSR, proc_pid_sched_operations),
 #endif
-        REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
+        NOD("comm",      S_IFREG|S_IRUGO|S_IWUSR,
+                         &proc_tid_comm_inode_operations,
+                         &proc_pid_set_comm_operations, {}),
 #ifdef CONFIG_HAVE_ARCH_TRACEHOOK
        ONE("syscall",   S_IRUSR, proc_pid_syscall),
 #endif
diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
index 9155a5a0d3b9..df4661abadc4 100644
--- a/fs/proc/meminfo.c
+++ b/fs/proc/meminfo.c
@@ -57,11 +57,8 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
        /*
         * Estimate the amount of memory available for userspace allocations,
         * without causing swapping.
-         *
-         * Free memory cannot be taken below the low watermark, before the
-         * system starts swapping.
         */
-        available = i.freeram - wmark_low;
+        available = i.freeram - totalreserve_pages;
        /*
         * Not all the page cache can be freed, otherwise the system will
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 4dbe1e2daeca..5e1054f028af 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -654,7 +654,10 @@ static bool proc_sys_link_fill_cache(struct file *file,
                                    struct ctl_table *table)
 {
        bool ret = true;
        head = sysctl_head_grab(head);
+        if (IS_ERR(head))
+                return false;
        if (S_ISLNK(table->mode)) {
                /* It is not an error if we can not follow the link ignore it */
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 07ef85e19fbc..75691a20313c 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -253,24 +253,15 @@ static int do_maps_open(struct inode *inode, struct file *file,
 * /proc/PID/maps that is the stack of the main task.
 */
 static int is_stack(struct proc_maps_private *priv,
-                    struct vm_area_struct *vma, int is_pid)
+                    struct vm_area_struct *vma)
 {
-        int stack = 0;
+        /*
+         * We make no effort to guess what a given thread considers to be
-        if (is_pid) {
+         * its "stack".  It's not even well-defined for programs written
-                stack = vma->vm_start <= vma->vm_mm->start_stack &&
+         * languages like Go.
-                        vma->vm_end >= vma->vm_mm->start_stack;
+         */
-        } else {
+        return vma->vm_start <= vma->vm_mm->start_stack &&
-                struct inode *inode = priv->inode;
+                vma->vm_end >= vma->vm_mm->start_stack;
-                struct task_struct *task;
-                rcu_read_lock();
-                task = pid_task(proc_pid(inode), PIDTYPE_PID);
-                if (task)
-                        stack = vma_is_stack_for_task(vma, task);
-                rcu_read_unlock();
-        }
-        return stack;
 }
 static void
@@ -337,7 +328,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
                        goto done;
                }
-                if (is_stack(priv, vma, is_pid))
+                if (is_stack(priv, vma))
                        name = "[stack]";
        }
@@ -1560,7 +1551,7 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
                seq_file_path(m, file, "\n\t= ");
        } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
                seq_puts(m, " heap");
-        } else if (is_stack(proc_priv, vma, is_pid)) {
+        } else if (is_stack(proc_priv, vma)) {
                seq_puts(m, " stack");
        }
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
index faacb0c0d857..37175621e890 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -124,25 +124,17 @@ unsigned long task_statm(struct mm_struct *mm,
 }
 static int is_stack(struct proc_maps_private *priv,
-                    struct vm_area_struct *vma, int is_pid)
+                    struct vm_area_struct *vma)
 {
        struct mm_struct *mm = vma->vm_mm;
-        int stack = 0;
+        /*
-        if (is_pid) {
+         * We make no effort to guess what a given thread considers to be
-                stack = vma->vm_start <= mm->start_stack &&
+         * its "stack".  It's not even well-defined for programs written
-                        vma->vm_end >= mm->start_stack;
+         * languages like Go.
-        } else {
+         */
-                struct inode *inode = priv->inode;
+        return vma->vm_start <= mm->start_stack &&
-                struct task_struct *task;
+                vma->vm_end >= mm->start_stack;
-                rcu_read_lock();
-                task = pid_task(proc_pid(inode), PIDTYPE_PID);
-                if (task)
-                        stack = vma_is_stack_for_task(vma, task);
-                rcu_read_unlock();
-        }
-        return stack;
 }
 /*
@@ -184,7 +176,7 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma,
        if (file) {
                seq_pad(m, ' ');
                seq_file_path(m, file, "");
-        } else if (mm && is_stack(priv, vma, is_pid)) {
+        } else if (mm && is_stack(priv, vma)) {
                seq_pad(m, ' ');
                seq_printf(m, "[stack]");
        }
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index 353ff31dcee1..1cb1d02c5937 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -2919,7 +2919,8 @@ static int __init dquot_init(void)
        pr_info("VFS: Dquot-cache hash table entries: %ld (order %ld,"
                " %ld bytes)\n", nr_hash, order, (PAGE_SIZE << order));
-        register_shrinker(&dqcache_shrinker);
+        if (register_shrinker(&dqcache_shrinker))
+                panic("Cannot register dquot shrinker");
        return 0;
 }
diff --git a/fs/reiserfs/bitmap.c b/fs/reiserfs/bitmap.c
index dc198bc64c61..edc8ef78b63f 100644
--- a/fs/reiserfs/bitmap.c
+++ b/fs/reiserfs/bitmap.c
@@ -513,9 +513,17 @@ static void __discard_prealloc(struct reiserfs_transaction_handle *th,
                               "inode has negative prealloc blocks count.");
 #endif
        while (ei->i_prealloc_count > 0) {
-                reiserfs_free_prealloc_block(th, inode, ei->i_prealloc_block);
+                b_blocknr_t block_to_free;
-                ei->i_prealloc_block++;
+                /*
+                 * reiserfs_free_prealloc_block can drop the write lock,
+                 * which could allow another caller to free the same block.
+                 * We can protect against it by modifying the prealloc
+                 * state before calling it.
+                 */
+                block_to_free = ei->i_prealloc_block++;
                ei->i_prealloc_count--;
+                reiserfs_free_prealloc_block(th, inode, block_to_free);
                dirty = 1;
        }
        if (dirty)
@@ -1128,7 +1136,7 @@ static int determine_prealloc_size(reiserfs_blocknr_hint_t * hint)
        hint->prealloc_size = 0;
        if (!hint->formatted_node && hint->preallocate) {
-                if (S_ISREG(hint->inode->i_mode)
+                if (S_ISREG(hint->inode->i_mode) && !IS_PRIVATE(hint->inode)
                    && hint->inode->i_size >=
                    REISERFS_SB(hint->th->t_super)->s_alloc_options.
                    preallocmin * hint->inode->i_sb->s_blocksize)
diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
index 9d6486d416a3..00985f9db9f7 100644
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -1961,7 +1961,7 @@ static int do_journal_release(struct reiserfs_transaction_handle *th,
         * will be requeued because superblock is being shutdown and doesn't
         * have MS_ACTIVE set.
         */
-        cancel_delayed_work_sync(&REISERFS_SB(sb)->old_work);
+        reiserfs_cancel_old_flush(sb);
        /* wait for all commits to finish */
        cancel_delayed_work_sync(&SB_JOURNAL(sb)->j_work);
@@ -2643,7 +2643,7 @@ static int journal_init_dev(struct super_block *super,
        if (IS_ERR(journal->j_dev_bd)) {
                result = PTR_ERR(journal->j_dev_bd);
                journal->j_dev_bd = NULL;
-                reiserfs_warning(super,
+                reiserfs_warning(super, "sh-457",
                                 "journal_init_dev: Cannot open '%s': %i",
                                 jdev_name, result);
                return result;
diff --git a/fs/reiserfs/lbalance.c b/fs/reiserfs/lbalance.c
index 249594a821e0..f5cebd70d903 100644
--- a/fs/reiserfs/lbalance.c
+++ b/fs/reiserfs/lbalance.c
@@ -475,7 +475,7 @@ static void leaf_item_bottle(struct buffer_info *dest_bi,
                         * 'cpy_bytes'; create new item header;
                         * n_ih = new item_header;
                         */
-                        memcpy(&n_ih, ih, SHORT_KEY_SIZE);
+                        memcpy(&n_ih.ih_key, &ih->ih_key, KEY_SIZE);
                        /* Endian safe, both le */
                        n_ih.ih_version = ih->ih_version;
diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c
index 3ebc70167e41..eb611bdd4725 100644
--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -687,8 +687,7 @@ static int reiserfs_create(struct inode *dir, struct dentry *dentry, umode_t mod
        reiserfs_update_inode_transaction(inode);
        reiserfs_update_inode_transaction(dir);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        retval = journal_end(&th);
 out_failed:
@@ -771,8 +770,7 @@ static int reiserfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode
                goto out_failed;
        }
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        retval = journal_end(&th);
 out_failed:
@@ -871,8 +869,7 @@ static int reiserfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode
        /* the above add_entry did not update dir's stat data */
        reiserfs_update_sd(&th, dir);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        retval = journal_end(&th);
 out_failed:
        reiserfs_write_unlock(dir->i_sb);
@@ -1186,8 +1183,7 @@ static int reiserfs_symlink(struct inode *parent_dir,
                goto out_failed;
        }
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        retval = journal_end(&th);
 out_failed:
        reiserfs_write_unlock(parent_dir->i_sb);
diff --git a/fs/reiserfs/reiserfs.h b/fs/reiserfs/reiserfs.h
index 2adcde137c3f..6ca00471afbf 100644
--- a/fs/reiserfs/reiserfs.h
+++ b/fs/reiserfs/reiserfs.h
@@ -1326,7 +1326,6 @@ struct cpu_key {
 #define KEY_NOT_FOUND 0
 #define KEY_SIZE (sizeof(struct reiserfs_key))
-#define SHORT_KEY_SIZE (sizeof (__u32) + sizeof (__u32))
 /* return values for search_by_key and clones */
 #define ITEM_FOUND 1
@@ -2949,6 +2948,7 @@ int reiserfs_allocate_list_bitmaps(struct super_block *s,
                                   struct reiserfs_list_bitmap *, unsigned int);
 void reiserfs_schedule_old_flush(struct super_block *s);
+void reiserfs_cancel_old_flush(struct super_block *s);
 void add_save_link(struct reiserfs_transaction_handle *th,
                   struct inode *inode, int truncate);
 int remove_save_link(struct inode *inode, int truncate);
diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
index f9f3be50081a..ee095246da4e 100644
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -90,7 +90,9 @@ static void flush_old_commits(struct work_struct *work)
        s = sbi->s_journal->j_work_sb;
        spin_lock(&sbi->old_work_lock);
-        sbi->work_queued = 0;
+        /* Avoid clobbering the cancel state... */
+        if (sbi->work_queued == 1)
+                sbi->work_queued = 0;
        spin_unlock(&sbi->old_work_lock);
        reiserfs_sync_fs(s, 1);
@@ -117,21 +119,22 @@ void reiserfs_schedule_old_flush(struct super_block *s)
        spin_unlock(&sbi->old_work_lock);
 }
-static void cancel_old_flush(struct super_block *s)
+void reiserfs_cancel_old_flush(struct super_block *s)
 {
        struct reiserfs_sb_info *sbi = REISERFS_SB(s);
-        cancel_delayed_work_sync(&REISERFS_SB(s)->old_work);
        spin_lock(&sbi->old_work_lock);
-        sbi->work_queued = 0;
+        /* Make sure no new flushes will be queued */
+        sbi->work_queued = 2;
        spin_unlock(&sbi->old_work_lock);
+        cancel_delayed_work_sync(&REISERFS_SB(s)->old_work);
 }
 static int reiserfs_freeze(struct super_block *s)
 {
        struct reiserfs_transaction_handle th;
-        cancel_old_flush(s);
+        reiserfs_cancel_old_flush(s);
        reiserfs_write_lock(s);
        if (!(s->s_flags & MS_RDONLY)) {
@@ -152,7 +155,13 @@ static int reiserfs_freeze(struct super_block *s)
 static int reiserfs_unfreeze(struct super_block *s)
 {
+        struct reiserfs_sb_info *sbi = REISERFS_SB(s);
        reiserfs_allow_writes(s);
+        spin_lock(&sbi->old_work_lock);
+        /* Allow old_work to run again */
+        sbi->work_queued = 0;
+        spin_unlock(&sbi->old_work_lock);
        return 0;
 }
@@ -2187,7 +2196,7 @@ error_unlocked:
        if (sbi->commit_wq)
                destroy_workqueue(sbi->commit_wq);
-        cancel_delayed_work_sync(&REISERFS_SB(s)->old_work);
+        reiserfs_cancel_old_flush(s);
        reiserfs_free_bitmap_cache(s);
        if (SB_BUFFER_WITH_SB(s))
diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
index 9b1824f35501..91b036902a17 100644
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -37,7 +37,14 @@ reiserfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
        error = journal_begin(&th, inode->i_sb, jcreate_blocks);
        reiserfs_write_unlock(inode->i_sb);
        if (error == 0) {
+                if (type == ACL_TYPE_ACCESS && acl) {
+                        error = posix_acl_update_mode(inode, &inode->i_mode,
+                                                      &acl);
+                        if (error)
+                                goto unlock;
+                }
                error = __reiserfs_set_acl(&th, inode, type, acl);
+unlock:
                reiserfs_write_lock(inode->i_sb);
                error2 = journal_end(&th);
                reiserfs_write_unlock(inode->i_sb);
@@ -245,11 +252,6 @@ __reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode,
        switch (type) {
        case ACL_TYPE_ACCESS:
                name = POSIX_ACL_XATTR_ACCESS;
-                if (acl) {
-                        error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
-                        if (error)
-                                return error;
-                }
                break;
        case ACL_TYPE_DEFAULT:
                name = POSIX_ACL_XATTR_DEFAULT;
diff --git a/fs/select.c b/fs/select.c
index 015547330e88..f4dd55fc638c 100644
--- a/fs/select.c
+++ b/fs/select.c
@@ -29,6 +29,7 @@
 #include <linux/sched/rt.h>
 #include <linux/freezer.h>
 #include <net/busy_poll.h>
+#include <linux/vmalloc.h>
 #include <asm/uaccess.h>
@@ -550,7 +551,7 @@ int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
        fd_set_bits fds;
        void *bits;
        int ret, max_fds;
-        unsigned int size;
+        size_t size, alloc_size;
        struct fdtable *fdt;
        /* Allocate small arguments on the stack to save memory and be faster */
        long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
@@ -577,7 +578,14 @@ int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
        if (size > sizeof(stack_fds) / 6) {
                /* Not enough space in on-stack array; must use kmalloc */
                ret = -ENOMEM;
-                bits = kmalloc(6 * size, GFP_KERNEL);
+                if (size > (SIZE_MAX / 6))
+                        goto out_nofds;
+                alloc_size = 6 * size;
+                bits = kmalloc(alloc_size, GFP_KERNEL|__GFP_NOWARN);
+                if (!bits && alloc_size > PAGE_SIZE)
+                        bits = vmalloc(alloc_size);
                if (!bits)
                        goto out_nofds;
        }
@@ -614,7 +622,7 @@ int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
 out:
        if (bits != stack_fds)
-                kfree(bits);
+                kvfree(bits);
 out_nofds:
        return ret;
 }
diff --git a/fs/squashfs/block.c b/fs/squashfs/block.c
index 0cea9b9236d0..82bc942fc437 100644
--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -166,6 +166,8 @@ int squashfs_read_data(struct super_block *sb, u64 index, int length,
        }
        if (compressed) {
+                if (!msblk->stream)
+                        goto read_failure;
                length = squashfs_decompress(msblk, bh, b, offset, length,
                        output);
                if (length < 0)
diff --git a/fs/squashfs/cache.c b/fs/squashfs/cache.c
index 1cb70a0b2168..91ce49c05b7c 100644
--- a/fs/squashfs/cache.c
+++ b/fs/squashfs/cache.c
@@ -350,6 +350,9 @@ int squashfs_read_metadata(struct super_block *sb, void *buffer,
        TRACE("Entered squashfs_read_metadata [%llx:%x]\n", *block, *offset);
+        if (unlikely(length < 0))
+                return -EIO;
        while (length) {
                entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
                if (entry->error) {
diff --git a/fs/squashfs/file.c b/fs/squashfs/file.c
index e5c9689062ba..1ec7bae2751d 100644
--- a/fs/squashfs/file.c
+++ b/fs/squashfs/file.c
@@ -194,7 +194,11 @@ static long long read_indexes(struct super_block *sb, int n,
                }
                for (i = 0; i < blocks; i++) {
-                        int size = le32_to_cpu(blist[i]);
+                        int size = squashfs_block_size(blist[i]);
+                        if (size < 0) {
+                                err = size;
+                                goto failure;
+                        }
                        block += SQUASHFS_COMPRESSED_SIZE_BLOCK(size);
                }
                n -= blocks;
@@ -367,7 +371,7 @@ static int read_blocklist(struct inode *inode, int index, u64 *block)
                        sizeof(size));
        if (res < 0)
                return res;
-        return le32_to_cpu(size);
+        return squashfs_block_size(size);
 }
 /* Copy data into page cache  */
diff --git a/fs/squashfs/fragment.c b/fs/squashfs/fragment.c
index 0ed6edbc5c71..0681feab4a84 100644
--- a/fs/squashfs/fragment.c
+++ b/fs/squashfs/fragment.c
@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned int fragment,
                                u64 *fragment_block)
 {
        struct squashfs_sb_info *msblk = sb->s_fs_info;
-        int block = SQUASHFS_FRAGMENT_INDEX(fragment);
+        int block, offset, size;
-        int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
-        u64 start_block = le64_to_cpu(msblk->fragment_index[block]);
        struct squashfs_fragment_entry fragment_entry;
-        int size;
+        u64 start_block;
+        if (fragment >= msblk->fragments)
+                return -EIO;
+        block = SQUASHFS_FRAGMENT_INDEX(fragment);
+        offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
+        start_block = le64_to_cpu(msblk->fragment_index[block]);
        size = squashfs_read_metadata(sb, &fragment_entry, &start_block,
                                        &offset, sizeof(fragment_entry));
@@ -61,9 +66,7 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned int fragment,
                return size;
        *fragment_block = le64_to_cpu(fragment_entry.start_block);
-        size = le32_to_cpu(fragment_entry.size);
+        return squashfs_block_size(fragment_entry.size);
-        return size;
 }
diff --git a/fs/squashfs/squashfs_fs.h b/fs/squashfs/squashfs_fs.h
index 506f4ba5b983..e66486366f02 100644
--- a/fs/squashfs/squashfs_fs.h
+++ b/fs/squashfs/squashfs_fs.h
@@ -129,6 +129,12 @@
 #define SQUASHFS_COMPRESSED_BLOCK(B)    (!((B) & SQUASHFS_COMPRESSED_BIT_BLOCK))
+static inline int squashfs_block_size(__le32 raw)
+{
+        u32 size = le32_to_cpu(raw);
+        return (size >> 25) ? -EIO : size;
+}
 /*
 * Inode number ops.  Inodes consist of a compressed block number, and an
 * uncompressed offset within that block
diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h
index 1da565cb50c3..ef69c31947bf 100644
--- a/fs/squashfs/squashfs_fs_sb.h
+++ b/fs/squashfs/squashfs_fs_sb.h
@@ -75,6 +75,7 @@ struct squashfs_sb_info {
        unsigned short                          block_log;
        long long                               bytes_used;
        unsigned int                            inodes;
+        unsigned int                            fragments;
        int                                     xattr_ids;
 };
 #endif
diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
index 5056babe00df..93aa3e23c845 100644
--- a/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -176,6 +176,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
        msblk->inode_table = le64_to_cpu(sblk->inode_table_start);
        msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
        msblk->inodes = le32_to_cpu(sblk->inodes);
+        msblk->fragments = le32_to_cpu(sblk->fragments);
        flags = le16_to_cpu(sblk->flags);
        TRACE("Found valid superblock on %s\n", bdevname(sb->s_bdev, b));
@@ -186,7 +187,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
        TRACE("Filesystem size %lld bytes\n", msblk->bytes_used);
        TRACE("Block size %d\n", msblk->block_size);
        TRACE("Number of inodes %d\n", msblk->inodes);
-        TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments));
+        TRACE("Number of fragments %d\n", msblk->fragments);
        TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
        TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
        TRACE("sblk->directory_table_start %llx\n", msblk->directory_table);
@@ -273,7 +274,7 @@ allocate_id_index_table:
        sb->s_export_op = &squashfs_export_ops;
 handle_fragments:
-        fragments = le32_to_cpu(sblk->fragments);
+        fragments = msblk->fragments;
        if (fragments == 0)
                goto check_directory_table;
diff --git a/fs/super.c b/fs/super.c
index d4d2591b77c8..09b526a50986 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -497,7 +497,11 @@ retry:
        hlist_add_head(&s->s_instances, &type->fs_supers);
        spin_unlock(&sb_lock);
        get_filesystem(type);
-        register_shrinker(&s->s_shrink);
+        err = register_shrinker(&s->s_shrink);
+        if (err) {
+                deactivate_locked_super(s);
+                s = ERR_PTR(err);
+        }
        return s;
 }
diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
index 0b9da5b6e0f9..22dba8837a86 100644
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -1107,7 +1107,7 @@ static int recomp_data_node(const struct ubifs_info *c,
        int err, len, compr_type, out_len;
        out_len = le32_to_cpu(dn->size);
-        buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
+        buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
        if (!buf)
                return -ENOMEM;
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index 1fd90c079537..0bb6de356451 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -1728,8 +1728,11 @@ static void ubifs_remount_ro(struct ubifs_info *c)
        dbg_save_space_info(c);
-        for (i = 0; i < c->jhead_cnt; i++)
+        for (i = 0; i < c->jhead_cnt; i++) {
-                ubifs_wbuf_sync(&c->jheads[i].wbuf);
+                err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
+                if (err)
+                        ubifs_ro_mode(c, err);
+        }
        c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_DIRTY);
        c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS);
@@ -1795,8 +1798,11 @@ static void ubifs_put_super(struct super_block *sb)
                        int err;
                        /* Synchronize write-buffers */
-                        for (i = 0; i < c->jhead_cnt; i++)
+                        for (i = 0; i < c->jhead_cnt; i++) {
-                                ubifs_wbuf_sync(&c->jheads[i].wbuf);
+                                err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
+                                if (err)
+                                        ubifs_ro_mode(c, err);
+                        }
                        /*
                         * We are being cleanly unmounted which means the
diff --git a/fs/udf/directory.c b/fs/udf/directory.c
index c763fda257bf..637114e8c7fd 100644
--- a/fs/udf/directory.c
+++ b/fs/udf/directory.c
@@ -150,6 +150,9 @@ struct fileIdentDesc *udf_fileident_read(struct inode *dir, loff_t *nf_pos,
                               sizeof(struct fileIdentDesc));
                }
        }
+        /* Got last entry outside of dir size - fs is corrupted! */
+        if (*nf_pos > dir->i_size)
+                return NULL;
        return fi;
 }
diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index c97b5a8d1e24..f34c545f4e54 100644
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -611,8 +611,7 @@ static int udf_add_nondir(struct dentry *dentry, struct inode *inode)
        if (fibh.sbh != fibh.ebh)
                brelse(fibh.ebh);
        brelse(fibh.sbh);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        return 0;
 }
@@ -722,8 +721,7 @@ static int udf_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
        inc_nlink(dir);
        dir->i_ctime = dir->i_mtime = current_fs_time(dir->i_sb);
        mark_inode_dirty(dir);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        if (fibh.sbh != fibh.ebh)
                brelse(fibh.ebh);
        brelse(fibh.sbh);
diff --git a/fs/udf/super.c b/fs/udf/super.c
index ee09c97f3ab2..159977ec8e54 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -2073,8 +2073,9 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent)
        bool lvid_open = false;
        uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT);
-        uopt.uid = INVALID_UID;
+        /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */
-        uopt.gid = INVALID_GID;
+        uopt.uid = make_kuid(current_user_ns(), overflowuid);
+        uopt.gid = make_kgid(current_user_ns(), overflowgid);
        uopt.umask = 0;
        uopt.fmode = UDF_INVALID_MODE;
        uopt.dmode = UDF_INVALID_MODE;
diff --git a/fs/ufs/namei.c b/fs/ufs/namei.c
index 47966554317c..2ec7689c25cf 100644
--- a/fs/ufs/namei.c
+++ b/fs/ufs/namei.c
@@ -38,8 +38,7 @@ static inline int ufs_add_nondir(struct dentry *dentry, struct inode *inode)
 {
        int err = ufs_add_link(dentry, inode);
        if (!err) {
-                unlock_new_inode(inode);
+                d_instantiate_new(dentry, inode);
-                d_instantiate(dentry, inode);
                return 0;
        }
        inode_dec_link_count(inode);
@@ -191,8 +190,7 @@ static int ufs_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode)
        if (err)
                goto out_fail;
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
-        d_instantiate(dentry, inode);
        return 0;
 out_fail:
diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
index e1e7fe3b5424..b663b756f552 100644
--- a/fs/xfs/libxfs/xfs_alloc.c
+++ b/fs/xfs/libxfs/xfs_alloc.c
@@ -1924,6 +1924,93 @@ xfs_alloc_space_available(
 }
 /*
+ * Check the agfl fields of the agf for inconsistency or corruption. The purpose
+ * is to detect an agfl header padding mismatch between current and early v5
+ * kernels. This problem manifests as a 1-slot size difference between the
+ * on-disk flcount and the active [first, last] range of a wrapped agfl. This
+ * may also catch variants of agfl count corruption unrelated to padding. Either
+ * way, we'll reset the agfl and warn the user.
+ *
+ * Return true if a reset is required before the agfl can be used, false
+ * otherwise.
+ */
+static bool
+xfs_agfl_needs_reset(
+        struct xfs_mount        *mp,
+        struct xfs_agf          *agf)
+{
+        uint32_t                f = be32_to_cpu(agf->agf_flfirst);
+        uint32_t                l = be32_to_cpu(agf->agf_fllast);
+        uint32_t                c = be32_to_cpu(agf->agf_flcount);
+        int                     agfl_size = XFS_AGFL_SIZE(mp);
+        int                     active;
+        /* no agfl header on v4 supers */
+        if (!xfs_sb_version_hascrc(&mp->m_sb))
+                return false;
+        /*
+         * The agf read verifier catches severe corruption of these fields.
+         * Repeat some sanity checks to cover a packed -> unpacked mismatch if
+         * the verifier allows it.
+         */
+        if (f >= agfl_size || l >= agfl_size)
+                return true;
+        if (c > agfl_size)
+                return true;
+        /*
+         * Check consistency between the on-disk count and the active range. An
+         * agfl padding mismatch manifests as an inconsistent flcount.
+         */
+        if (c && l >= f)
+                active = l - f + 1;
+        else if (c)
+                active = agfl_size - f + l + 1;
+        else
+                active = 0;
+        return active != c;
+}
+/*
+ * Reset the agfl to an empty state. Ignore/drop any existing blocks since the
+ * agfl content cannot be trusted. Warn the user that a repair is required to
+ * recover leaked blocks.
+ *
+ * The purpose of this mechanism is to handle filesystems affected by the agfl
+ * header padding mismatch problem. A reset keeps the filesystem online with a
+ * relatively minor free space accounting inconsistency rather than suffer the
+ * inevitable crash from use of an invalid agfl block.
+ */
+static void
+xfs_agfl_reset(
+        struct xfs_trans        *tp,
+        struct xfs_buf          *agbp,
+        struct xfs_perag        *pag)
+{
+        struct xfs_mount        *mp = tp->t_mountp;
+        struct xfs_agf          *agf = XFS_BUF_TO_AGF(agbp);
+        ASSERT(pag->pagf_agflreset);
+        trace_xfs_agfl_reset(mp, agf, 0, _RET_IP_);
+        xfs_warn(mp,
+               "WARNING: Reset corrupted AGFL on AG %u. %d blocks leaked. "
+               "Please unmount and run xfs_repair.",
+                 pag->pag_agno, pag->pagf_flcount);
+        agf->agf_flfirst = 0;
+        agf->agf_fllast = cpu_to_be32(XFS_AGFL_SIZE(mp) - 1);
+        agf->agf_flcount = 0;
+        xfs_alloc_log_agf(tp, agbp, XFS_AGF_FLFIRST | XFS_AGF_FLLAST |
+                                    XFS_AGF_FLCOUNT);
+        pag->pagf_flcount = 0;
+        pag->pagf_agflreset = false;
+}
+/*
 * Decide whether to use this allocation group for this allocation.
 * If so, fix up the btree freelist's size.
 */
@@ -1983,6 +2070,10 @@ xfs_alloc_fix_freelist(
                }
        }
+        /* reset a padding mismatched agfl before final free space check */
+        if (pag->pagf_agflreset)
+                xfs_agfl_reset(tp, agbp, pag);
        /* If there isn't enough total space or single-extent, reject it. */
        need = xfs_alloc_min_freelist(mp, pag);
        if (!xfs_alloc_space_available(args, need, flags))
@@ -2121,6 +2212,7 @@ xfs_alloc_get_freelist(
                agf->agf_flfirst = 0;
        pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno));
+        ASSERT(!pag->pagf_agflreset);
        be32_add_cpu(&agf->agf_flcount, -1);
        xfs_trans_agflist_delta(tp, -1);
        pag->pagf_flcount--;
@@ -2226,6 +2318,7 @@ xfs_alloc_put_freelist(
                agf->agf_fllast = 0;
        pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno));
+        ASSERT(!pag->pagf_agflreset);
        be32_add_cpu(&agf->agf_flcount, 1);
        xfs_trans_agflist_delta(tp, 1);
        pag->pagf_flcount++;
@@ -2417,6 +2510,7 @@ xfs_alloc_read_agf(
                pag->pagb_count = 0;
                pag->pagb_tree = RB_ROOT;
                pag->pagf_init = 1;
+                pag->pagf_agflreset = xfs_agfl_needs_reset(mp, agf);
        }
 #ifdef DEBUG
        else if (!XFS_FORCED_SHUTDOWN(mp)) {
diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c
index f949818fa1c7..fb9636cc927c 100644
--- a/fs/xfs/libxfs/xfs_attr.c
+++ b/fs/xfs/libxfs/xfs_attr.c
@@ -130,9 +130,6 @@ xfs_attr_get(
        if (XFS_FORCED_SHUTDOWN(ip->i_mount))
                return -EIO;
-        if (!xfs_inode_hasattr(ip))
-                return -ENOATTR;
        error = xfs_attr_args_init(&args, ip, name, flags);
        if (error)
                return error;
@@ -417,9 +414,6 @@ xfs_attr_remove(
        if (XFS_FORCED_SHUTDOWN(dp->i_mount))
                return -EIO;
-        if (!xfs_inode_hasattr(dp))
-                return -ENOATTR;
        error = xfs_attr_args_init(&args, dp, name, flags);
        if (error)
                return error;
diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
index a9063ac50c4e..da72090b9ce7 100644
--- a/fs/xfs/xfs_aops.c
+++ b/fs/xfs/xfs_aops.c
@@ -310,7 +310,7 @@ xfs_map_blocks(
               (ip->i_df.if_flags & XFS_IFEXTENTS));
        ASSERT(offset <= mp->m_super->s_maxbytes);
-        if (offset + count > mp->m_super->s_maxbytes)
+        if ((xfs_ufsize_t)offset + count > mp->m_super->s_maxbytes)
                count = mp->m_super->s_maxbytes - offset;
        end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
        offset_fsb = XFS_B_TO_FSBT(mp, offset);
@@ -1360,7 +1360,7 @@ xfs_map_trim_size(
        if (mapping_size > size)
                mapping_size = size;
        if (offset < i_size_read(inode) &&
-            offset + mapping_size >= i_size_read(inode)) {
+            (xfs_ufsize_t)offset + mapping_size >= i_size_read(inode)) {
                /* limit mapping to block that spans EOF */
                mapping_size = roundup_64(i_size_read(inode) - offset,
                                          i_blocksize(inode));
@@ -1416,7 +1416,7 @@ __xfs_get_blocks(
        }
        ASSERT(offset <= mp->m_super->s_maxbytes);
-        if (offset + size > mp->m_super->s_maxbytes)
+        if ((xfs_ufsize_t)offset + size > mp->m_super->s_maxbytes)
                size = mp->m_super->s_maxbytes - offset;
        end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + size);
        offset_fsb = XFS_B_TO_FSBT(mp, offset);
diff --git a/fs/xfs/xfs_discard.c b/fs/xfs/xfs_discard.c
index e85a9519a5ae..64ad05cb831a 100644
--- a/fs/xfs/xfs_discard.c
+++ b/fs/xfs/xfs_discard.c
@@ -50,19 +50,19 @@ xfs_trim_extents(
        pag = xfs_perag_get(mp, agno);
-        error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp);
-        if (error || !agbp)
-                goto out_put_perag;
-        cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT);
        /*
         * Force out the log.  This means any transactions that might have freed
-         * space before we took the AGF buffer lock are now on disk, and the
+         * space before we take the AGF buffer lock are now on disk, and the
         * volatile disk cache is flushed.
         */
        xfs_log_force(mp, XFS_LOG_SYNC);
+        error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp);
+        if (error || !agbp)
+                goto out_put_perag;
+        cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT);
        /*
         * Look up the longest btree in the AGF and start with it.
         */
diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 3dd47307363f..e917aec4babe 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -969,22 +969,26 @@ xfs_file_fallocate(
                if (error)
                        goto out_unlock;
        } else if (mode & FALLOC_FL_INSERT_RANGE) {
-                unsigned int blksize_mask = i_blocksize(inode) - 1;
+                unsigned int    blksize_mask = i_blocksize(inode) - 1;
+                loff_t          isize = i_size_read(inode);
-                new_size = i_size_read(inode) + len;
                if (offset & blksize_mask || len & blksize_mask) {
                        error = -EINVAL;
                        goto out_unlock;
                }
-                /* check the new inode size does not wrap through zero */
+                /*
-                if (new_size > inode->i_sb->s_maxbytes) {
+                 * New inode size must not exceed ->s_maxbytes, accounting for
+                 * possible signed overflow.
+                 */
+                if (inode->i_sb->s_maxbytes - isize < len) {
                        error = -EFBIG;
                        goto out_unlock;
                }
+                new_size = isize + len;
                /* Offset should be less than i_size */
-                if (offset >= i_size_read(inode)) {
+                if (offset >= isize) {
                        error = -EINVAL;
                        goto out_unlock;
                }
diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
index f52c72a1a06f..73b725f965eb 100644
--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -3323,8 +3323,6 @@ maybe_sleep:
                 */
                if (iclog->ic_state & XLOG_STATE_IOERROR)
                        return -EIO;
-                if (log_flushed)
-                        *log_flushed = 1;
        } else {
 no_sleep:
@@ -3432,8 +3430,6 @@ try_again:
                                xlog_wait(&iclog->ic_prev->ic_write_wait,
                                                        &log->l_icloglock);
-                                if (log_flushed)
-                                        *log_flushed = 1;
                                already_slept = 1;
                                goto try_again;
                        }
@@ -3467,9 +3463,6 @@ try_again:
                         */
                        if (iclog->ic_state & XLOG_STATE_IOERROR)
                                return -EIO;
-                        if (log_flushed)
-                                *log_flushed = 1;
                } else {                /* just return */
                        spin_unlock(&log->l_icloglock);
                }
diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h
index b57098481c10..ae3e52749f20 100644
--- a/fs/xfs/xfs_mount.h
+++ b/fs/xfs/xfs_mount.h
@@ -278,6 +278,7 @@ typedef struct xfs_perag {
        char            pagi_inodeok;   /* The agi is ok for inodes */
        __uint8_t       pagf_levels[XFS_BTNUM_AGF];
                                        /* # of levels in bno & cnt btree */
+        bool            pagf_agflreset; /* agfl requires reset before use */
        __uint32_t      pagf_flcount;   /* count of blocks in freelist */
        xfs_extlen_t    pagf_freeblks;  /* total free blocks */
        xfs_extlen_t    pagf_longest;   /* longest free space */
diff --git a/fs/xfs/xfs_qm.c b/fs/xfs/xfs_qm.c
index 572b64a135b3..b148aa0e10f7 100644
--- a/fs/xfs/xfs_qm.c
+++ b/fs/xfs/xfs_qm.c
@@ -47,7 +47,7 @@
 STATIC int      xfs_qm_init_quotainos(xfs_mount_t *);
 STATIC int      xfs_qm_init_quotainfo(xfs_mount_t *);
+STATIC void     xfs_qm_destroy_quotainos(xfs_quotainfo_t *qi);
 STATIC void     xfs_qm_dqfree_one(struct xfs_dquot *dqp);
 /*
 * We use the batch lookup interface to iterate over the dquots as it
@@ -660,9 +660,17 @@ xfs_qm_init_quotainfo(
        qinf->qi_shrinker.scan_objects = xfs_qm_shrink_scan;
        qinf->qi_shrinker.seeks = DEFAULT_SEEKS;
        qinf->qi_shrinker.flags = SHRINKER_NUMA_AWARE;
-        register_shrinker(&qinf->qi_shrinker);
+        error = register_shrinker(&qinf->qi_shrinker);
+        if (error)
+                goto out_free_inos;
        return 0;
+out_free_inos:
+        mutex_destroy(&qinf->qi_quotaofflock);
+        mutex_destroy(&qinf->qi_tree_lock);
+        xfs_qm_destroy_quotainos(qinf);
 out_free_lru:
        list_lru_destroy(&qinf->qi_lru);
 out_free_qinf:
@@ -671,7 +679,6 @@ out_free_qinf:
        return error;
 }
 /*
 * Gets called when unmounting a filesystem or when all quotas get
 * turned off.
@@ -688,19 +695,8 @@ xfs_qm_destroy_quotainfo(
        unregister_shrinker(&qi->qi_shrinker);
        list_lru_destroy(&qi->qi_lru);
+        xfs_qm_destroy_quotainos(qi);
-        if (qi->qi_uquotaip) {
+        mutex_destroy(&qi->qi_tree_lock);
-                IRELE(qi->qi_uquotaip);
-                qi->qi_uquotaip = NULL; /* paranoia */
-        }
-        if (qi->qi_gquotaip) {
-                IRELE(qi->qi_gquotaip);
-                qi->qi_gquotaip = NULL;
-        }
-        if (qi->qi_pquotaip) {
-                IRELE(qi->qi_pquotaip);
-                qi->qi_pquotaip = NULL;
-        }
        mutex_destroy(&qi->qi_quotaofflock);
        kmem_free(qi);
        mp->m_quotainfo = NULL;
@@ -1562,6 +1558,24 @@ error_rele:
 }
 STATIC void
+xfs_qm_destroy_quotainos(
+        xfs_quotainfo_t *qi)
+{
+        if (qi->qi_uquotaip) {
+                IRELE(qi->qi_uquotaip);
+                qi->qi_uquotaip = NULL; /* paranoia */
+        }
+        if (qi->qi_gquotaip) {
+                IRELE(qi->qi_gquotaip);
+                qi->qi_gquotaip = NULL;
+        }
+        if (qi->qi_pquotaip) {
+                IRELE(qi->qi_pquotaip);
+                qi->qi_pquotaip = NULL;
+        }
+}
+STATIC void
 xfs_qm_dqfree_one(
        struct xfs_dquot        *dqp)
 {
diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h
index 877079eb0f8f..cc6fa64821d2 100644
--- a/fs/xfs/xfs_trace.h
+++ b/fs/xfs/xfs_trace.h
@@ -1485,7 +1485,7 @@ TRACE_EVENT(xfs_trans_commit_lsn,
                  __entry->lsn)
 );
-TRACE_EVENT(xfs_agf,
+DECLARE_EVENT_CLASS(xfs_agf_class,
        TP_PROTO(struct xfs_mount *mp, struct xfs_agf *agf, int flags,
                 unsigned long caller_ip),
        TP_ARGS(mp, agf, flags, caller_ip),
@@ -1541,6 +1541,13 @@ TRACE_EVENT(xfs_agf,
                  __entry->longest,
                  (void *)__entry->caller_ip)
 );
+#define DEFINE_AGF_EVENT(name) \
+DEFINE_EVENT(xfs_agf_class, name, \
+        TP_PROTO(struct xfs_mount *mp, struct xfs_agf *agf, int flags, \
+                 unsigned long caller_ip), \
+        TP_ARGS(mp, agf, flags, caller_ip))
+DEFINE_AGF_EVENT(xfs_agf);
+DEFINE_AGF_EVENT(xfs_agfl_reset);
 TRACE_EVENT(xfs_free_extent,
        TP_PROTO(struct xfs_mount *mp, xfs_agnumber_t agno, xfs_agblock_t agbno,
diff --git a/include/asm-generic/futex.h b/include/asm-generic/futex.h
index bf2d34c9d804..f0d8b1c51343 100644
--- a/include/asm-generic/futex.h
+++ b/include/asm-generic/futex.h
@@ -13,7 +13,7 @@
 */
 /**
- * futex_atomic_op_inuser() - Atomic arithmetic operation with constant
+ * arch_futex_atomic_op_inuser() - Atomic arithmetic operation with constant
 *                        argument and comparison of the previous
 *                        futex value with another constant.
 *
@@ -25,18 +25,11 @@
 * <0 - On error
 */
 static inline int
-futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+arch_futex_atomic_op_inuser(int op, u32 oparg, int *oval, u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval, ret;
        u32 tmp;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
        preempt_disable();
        pagefault_disable();
@@ -74,17 +67,9 @@ out_pagefault_enable:
        pagefault_enable();
        preempt_enable();
-        if (ret == 0) {
+        if (ret == 0)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
@@ -126,18 +111,9 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
 #else
 static inline int
-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+arch_futex_atomic_op_inuser(int op, u32 oparg, int *oval, u32 __user *uaddr)
 {
-        int op = (encoded_op >> 28) & 7;
-        int cmp = (encoded_op >> 24) & 15;
-        int oparg = (encoded_op << 8) >> 20;
-        int cmparg = (encoded_op << 20) >> 20;
        int oldval = 0, ret;
-        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
-                oparg = 1 << oparg;
-        if (! access_ok (VERIFY_WRITE, uaddr, sizeof(u32)))
-                return -EFAULT;
        pagefault_disable();
@@ -153,17 +129,9 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
        pagefault_enable();
-        if (!ret) {
+        if (!ret)
-                switch (cmp) {
+                *oval = oldval;
-                case FUTEX_OP_CMP_EQ: ret = (oldval == cmparg); break;
-                case FUTEX_OP_CMP_NE: ret = (oldval != cmparg); break;
-                case FUTEX_OP_CMP_LT: ret = (oldval < cmparg); break;
-                case FUTEX_OP_CMP_GE: ret = (oldval >= cmparg); break;
-                case FUTEX_OP_CMP_LE: ret = (oldval <= cmparg); break;
-                case FUTEX_OP_CMP_GT: ret = (oldval > cmparg); break;
-                default: ret = -ENOSYS;
-                }
-        }
        return ret;
 }
diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
index 14b0ff32fb9f..53a47d75cc43 100644
--- a/include/asm-generic/pgtable.h
+++ b/include/asm-generic/pgtable.h
@@ -237,6 +237,21 @@ extern void pgtable_trans_huge_deposit(struct mm_struct *mm, pmd_t *pmdp,
 extern pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp);
 #endif
+#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+/*
+ * This is an implementation of pmdp_establish() that is only suitable for an
+ * architecture that doesn't have hardware dirty/accessed bits. In this case we
+ * can't race with CPU which sets these bits and non-atomic aproach is fine.
+ */
+static inline pmd_t generic_pmdp_establish(struct vm_area_struct *vma,
+                unsigned long address, pmd_t *pmdp, pmd_t pmd)
+{
+        pmd_t old_pmd = *pmdp;
+        set_pmd_at(vma->vm_mm, address, pmdp, pmd);
+        return old_pmd;
+}
+#endif
 #ifndef __HAVE_ARCH_PMDP_INVALIDATE
 extern void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
                            pmd_t *pmdp);
@@ -755,6 +770,8 @@ int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot);
 int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot);
 int pud_clear_huge(pud_t *pud);
 int pmd_clear_huge(pmd_t *pmd);
+int pud_free_pmd_page(pud_t *pud, unsigned long addr);
+int pmd_free_pte_page(pmd_t *pmd, unsigned long addr);
 #else   /* !CONFIG_HAVE_ARCH_HUGE_VMAP */
 static inline int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot)
 {
@@ -772,8 +789,28 @@ static inline int pmd_clear_huge(pmd_t *pmd)
 {
        return 0;
 }
+static inline int pud_free_pmd_page(pud_t *pud, unsigned long addr)
+{
+        return 0;
+}
+static inline int pmd_free_pte_page(pmd_t *pmd, unsigned long addr)
+{
+        return 0;
+}
 #endif  /* CONFIG_HAVE_ARCH_HUGE_VMAP */
+#ifndef __HAVE_ARCH_PFN_MODIFY_ALLOWED
+static inline bool pfn_modify_allowed(unsigned long pfn, pgprot_t prot)
+{
+        return true;
+}
+static inline bool arch_has_pfn_modify_check(void)
+{
+        return false;
+}
+#endif /* !_HAVE_ARCH_PFN_MODIFY_ALLOWED */
 #endif /* !__ASSEMBLY__ */
 #ifndef io_remap_pfn_range
diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
index 9779c35f8454..dab9569f22bf 100644
--- a/include/crypto/internal/hash.h
+++ b/include/crypto/internal/hash.h
@@ -91,6 +91,8 @@ static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
        return alg->setkey != shash_no_setkey;
 }
+bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg);
 int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn,
                            struct hash_alg_common *alg,
                            struct crypto_instance *inst);
diff --git a/include/crypto/poly1305.h b/include/crypto/poly1305.h
index 894df59b74e4..d586f741cab5 100644
--- a/include/crypto/poly1305.h
+++ b/include/crypto/poly1305.h
@@ -30,8 +30,6 @@ struct poly1305_desc_ctx {
 };
 int crypto_poly1305_init(struct shash_desc *desc);
-int crypto_poly1305_setkey(struct crypto_shash *tfm,
-                           const u8 *key, unsigned int keylen);
 unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx,
                                        const u8 *src, unsigned int srclen);
 int crypto_poly1305_update(struct shash_desc *desc,
diff --git a/include/crypto/vmac.h b/include/crypto/vmac.h
deleted file mode 100644
index 6b700c7b2fe1..000000000000
--- a/include/crypto/vmac.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Modified to interface to the Linux kernel
- * Copyright (c) 2009, Intel Corporation.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms and conditions of the GNU General Public License,
- * version 2, as published by the Free Software Foundation.
- *
- * This program is distributed in the hope it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307 USA.
- */
-#ifndef __CRYPTO_VMAC_H
-#define __CRYPTO_VMAC_H
-/* --------------------------------------------------------------------------
- * VMAC and VHASH Implementation by Ted Krovetz (tdk@acm.org) and Wei Dai.
- * This implementation is herby placed in the public domain.
- * The authors offers no warranty. Use at your own risk.
- * Please send bug reports to the authors.
- * Last modified: 17 APR 08, 1700 PDT
- * ----------------------------------------------------------------------- */
-/*
- * User definable settings.
- */
-#define VMAC_TAG_LEN    64
-#define VMAC_KEY_SIZE   128/* Must be 128, 192 or 256                   */
-#define VMAC_KEY_LEN    (VMAC_KEY_SIZE/8)
-#define VMAC_NHBYTES    128/* Must 2^i for any 3 < i < 13 Standard = 128*/
-/*
- * This implementation uses u32 and u64 as names for unsigned 32-
- * and 64-bit integer types. These are defined in C99 stdint.h. The
- * following may need adaptation if you are not running a C99 or
- * Microsoft C environment.
- */
-struct vmac_ctx {
-        u64 nhkey[(VMAC_NHBYTES/8)+2*(VMAC_TAG_LEN/64-1)];
-        u64 polykey[2*VMAC_TAG_LEN/64];
-        u64 l3key[2*VMAC_TAG_LEN/64];
-        u64 polytmp[2*VMAC_TAG_LEN/64];
-        u64 cached_nonce[2];
-        u64 cached_aes[2];
-        int first_block_processed;
-};
-typedef u64 vmac_t;
-struct vmac_ctx_t {
-        struct crypto_cipher *child;
-        struct vmac_ctx __vmac_ctx;
-        u8 partial[VMAC_NHBYTES];       /* partial block */
-        int partial_size;               /* size of the partial block */
-};
-#endif /* __CRYPTO_VMAC_H */
diff --git a/include/drm/drm_crtc_helper.h b/include/drm/drm_crtc_helper.h
index 3febb4b9fce9..d842bec3d271 100644
--- a/include/drm/drm_crtc_helper.h
+++ b/include/drm/drm_crtc_helper.h
@@ -241,5 +241,6 @@ extern void drm_kms_helper_hotplug_event(struct drm_device *dev);
 extern void drm_kms_helper_poll_disable(struct drm_device *dev);
 extern void drm_kms_helper_poll_enable(struct drm_device *dev);
 extern void drm_kms_helper_poll_enable_locked(struct drm_device *dev);
+extern bool drm_kms_helper_is_poll_worker(void);
 #endif
diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h
index bb9d0deca07c..0fb4975fae91 100644
--- a/include/drm/drm_dp_helper.h
+++ b/include/drm/drm_dp_helper.h
@@ -342,6 +342,7 @@
 # define DP_PSR_FRAME_CAPTURE               (1 << 3)
 # define DP_PSR_SELECTIVE_UPDATE            (1 << 4)
 # define DP_PSR_IRQ_HPD_WITH_CRC_ERRORS     (1 << 5)
+# define DP_PSR_ENABLE_PSR2                 (1 << 6) /* eDP 1.4a */
 #define DP_ADAPTER_CTRL                     0x1a0
 # define DP_ADAPTER_CTRL_FORCE_LOAD_SENSE   (1 << 0)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index faac391badac..9b95bb222e73 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -26,6 +26,7 @@
 #include <linux/sched.h>
 #include <linux/ptrace.h>
 #include <uapi/linux/audit.h>
+#include <linux/tty.h>
 #define AUDIT_INO_UNSET ((unsigned long)-1)
 #define AUDIT_DEV_UNSET ((dev_t)-1)
@@ -239,6 +240,23 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
        return tsk->sessionid;
 }
+static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
+{
+        struct tty_struct *tty = NULL;
+        unsigned long flags;
+        spin_lock_irqsave(&tsk->sighand->siglock, flags);
+        if (tsk->signal)
+                tty = tty_kref_get(tsk->signal->tty);
+        spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
+        return tty;
+}
+static inline void audit_put_tty(struct tty_struct *tty)
+{
+        tty_kref_put(tty);
+}
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
 extern void __audit_bprm(struct linux_binprm *bprm);
@@ -410,6 +428,12 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
 {
        return -1;
 }
+static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
+{
+        return NULL;
+}
+static inline void audit_put_tty(struct tty_struct *tty)
+{ }
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 { }
 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h
index 140c29635069..a307c37c2e6c 100644
--- a/include/linux/backing-dev-defs.h
+++ b/include/linux/backing-dev-defs.h
@@ -191,6 +191,11 @@ static inline void set_bdi_congested(struct backing_dev_info *bdi, int sync)
        set_wb_congested(bdi->wb.congested, sync);
 }
+struct wb_lock_cookie {
+        bool locked;
+        unsigned long flags;
+};
 #ifdef CONFIG_CGROUP_WRITEBACK
 /**
diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h
index 89d3de3e096b..361274ce5815 100644
--- a/include/linux/backing-dev.h
+++ b/include/linux/backing-dev.h
@@ -366,7 +366,7 @@ static inline struct bdi_writeback *inode_to_wb(struct inode *inode)
 /**
 * unlocked_inode_to_wb_begin - begin unlocked inode wb access transaction
 * @inode: target inode
- * @lockedp: temp bool output param, to be passed to the end function
+ * @cookie: output param, to be passed to the end function
 *
 * The caller wants to access the wb associated with @inode but isn't
 * holding inode->i_lock, mapping->tree_lock or wb->list_lock.  This
@@ -374,12 +374,12 @@ static inline struct bdi_writeback *inode_to_wb(struct inode *inode)
 * association doesn't change until the transaction is finished with
 * unlocked_inode_to_wb_end().
 *
- * The caller must call unlocked_inode_to_wb_end() with *@lockdep
+ * The caller must call unlocked_inode_to_wb_end() with *@cookie afterwards and
- * afterwards and can't sleep during transaction.  IRQ may or may not be
+ * can't sleep during the transaction.  IRQs may or may not be disabled on
- * disabled on return.
+ * return.
 */
 static inline struct bdi_writeback *
-unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp)
+unlocked_inode_to_wb_begin(struct inode *inode, struct wb_lock_cookie *cookie)
 {
        rcu_read_lock();
@@ -387,10 +387,10 @@ unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp)
         * Paired with store_release in inode_switch_wb_work_fn() and
         * ensures that we see the new wb if we see cleared I_WB_SWITCH.
         */
-        *lockedp = smp_load_acquire(&inode->i_state) & I_WB_SWITCH;
+        cookie->locked = smp_load_acquire(&inode->i_state) & I_WB_SWITCH;
-        if (unlikely(*lockedp))
+        if (unlikely(cookie->locked))
-                spin_lock_irq(&inode->i_mapping->tree_lock);
+                spin_lock_irqsave(&inode->i_mapping->tree_lock, cookie->flags);
        /*
         * Protected by either !I_WB_SWITCH + rcu_read_lock() or tree_lock.
@@ -402,12 +402,14 @@ unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp)
 /**
 * unlocked_inode_to_wb_end - end inode wb access transaction
 * @inode: target inode
- * @locked: *@lockedp from unlocked_inode_to_wb_begin()
+ * @cookie: @cookie from unlocked_inode_to_wb_begin()
 */
-static inline void unlocked_inode_to_wb_end(struct inode *inode, bool locked)
+static inline void unlocked_inode_to_wb_end(struct inode *inode,
+                                            struct wb_lock_cookie *cookie)
 {
-        if (unlikely(locked))
+        if (unlikely(cookie->locked))
-                spin_unlock_irq(&inode->i_mapping->tree_lock);
+                spin_unlock_irqrestore(&inode->i_mapping->tree_lock,
+                                       cookie->flags);
        rcu_read_unlock();
 }
@@ -454,12 +456,13 @@ static inline struct bdi_writeback *inode_to_wb(struct inode *inode)
 }
 static inline struct bdi_writeback *
-unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp)
+unlocked_inode_to_wb_begin(struct inode *inode, struct wb_lock_cookie *cookie)
 {
        return inode_to_wb(inode);
 }
-static inline void unlocked_inode_to_wb_end(struct inode *inode, bool locked)
+static inline void unlocked_inode_to_wb_end(struct inode *inode,
+                                            struct wb_lock_cookie *cookie)
 {
 }
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index fe14382f9664..1383e1c03ff2 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -882,8 +882,8 @@ static inline unsigned int blk_max_size_offset(struct request_queue *q,
        if (!q->limits.chunk_sectors)
                return q->limits.max_sectors;
-        return q->limits.chunk_sectors -
+        return min(q->limits.max_sectors, (unsigned int)(q->limits.chunk_sectors -
-                        (offset & (q->limits.chunk_sectors - 1));
+                        (offset & (q->limits.chunk_sectors - 1))));
 }
 static inline unsigned int blk_rq_get_max_sectors(struct request *rq)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index f2157159b26f..132585a7fbd8 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -31,17 +31,25 @@ struct bpf_map_ops {
 };
 struct bpf_map {
-        atomic_t refcnt;
+        /* 1st cacheline with read-mostly members of which some
+         * are also accessed in fast-path (e.g. ops, max_entries).
+         */
+        const struct bpf_map_ops *ops ____cacheline_aligned;
        enum bpf_map_type map_type;
        u32 key_size;
        u32 value_size;
        u32 max_entries;
        u32 pages;
        bool unpriv_array;
-        struct user_struct *user;
+        /* 7 bytes hole */
-        const struct bpf_map_ops *ops;
-        struct work_struct work;
+        /* 2nd cacheline with misc members to avoid false sharing
+         * particularly with refcounting.
+         */
+        struct user_struct *user ____cacheline_aligned;
+        atomic_t refcnt;
        atomic_t usercnt;
+        struct work_struct work;
 };
 struct bpf_map_type_list {
diff --git a/include/linux/cacheinfo.h b/include/linux/cacheinfo.h
index 2189935075b4..a951fd10aaaa 100644
--- a/include/linux/cacheinfo.h
+++ b/include/linux/cacheinfo.h
@@ -71,6 +71,7 @@ struct cpu_cacheinfo {
        struct cacheinfo *info_list;
        unsigned int num_levels;
        unsigned int num_leaves;
+        bool cpu_map_populated;
 };
 /*
diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index d1e49d52b640..de179993e039 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -10,3 +10,8 @@
 #undef uninitialized_var
 #define uninitialized_var(x) x = *(&(x))
 #endif
+/* same as gcc, this was present in clang-2.6 so we can assume it works
+ * with any version that can compile the kernel
+ */
+#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__)
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index 287e698c28de..143d40e8a1ea 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -65,21 +65,40 @@
 #endif
 /*
+ * Feature detection for gnu_inline (gnu89 extern inline semantics). Either
+ * __GNUC_STDC_INLINE__ is defined (not using gnu89 extern inline semantics,
+ * and we opt in to the gnu89 semantics), or __GNUC_STDC_INLINE__ is not
+ * defined so the gnu89 semantics are the default.
+ */
+#ifdef __GNUC_STDC_INLINE__
+# define __gnu_inline   __attribute__((gnu_inline))
+#else
+# define __gnu_inline
+#endif
+/*
 * Force always-inline if the user requests it so via the .config,
- * or if gcc is too old:
+ * or if gcc is too old.
+ * GCC does not warn about unused static inline functions for
+ * -Wunused-function.  This turns out to avoid the need for complex #ifdef
+ * directives.  Suppress the warning in clang as well by using "unused"
+ * function attribute, which is redundant but not harmful for gcc.
+ * Prefer gnu_inline, so that extern inline functions do not emit an
+ * externally visible function. This makes extern inline behave as per gnu89
+ * semantics rather than c99. This prevents multiple symbol definition errors
+ * of extern inline functions at link time.
+ * A lot of inline functions can cause havoc with function tracing.
 */
 #if !defined(CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING) ||                \
    !defined(CONFIG_OPTIMIZE_INLINING) || (__GNUC__ < 4)
-#define inline          inline          __attribute__((always_inline)) notrace
+#define inline \
-#define __inline__      __inline__      __attribute__((always_inline)) notrace
+        inline __attribute__((always_inline, unused)) notrace __gnu_inline
-#define __inline        __inline        __attribute__((always_inline)) notrace
 #else
-/* A lot of inline functions can cause havoc with function tracing */
+#define inline inline           __attribute__((unused)) notrace __gnu_inline
-#define inline          inline          notrace
-#define __inline__      __inline__      notrace
-#define __inline        __inline        notrace
 #endif
+#define __inline__ inline
+#define __inline inline
 #define __always_inline inline __attribute__((always_inline))
 #define  noinline       __attribute__((noinline))
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 6fc9a6dd5ed2..0db1fa621d8a 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -111,7 +111,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
 #define unlikely_notrace(x)     __builtin_expect(!!(x), 0)
 #define __branch_check__(x, expect) ({                                  \
-                        int ______r;                                    \
+                        long ______r;                                   \
                        static struct ftrace_branch_data                \
                                __attribute__((__aligned__(4)))         \
                                __attribute__((section("_ftrace_annotated_branch"))) \
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index 7e04bcd9af8e..063c73ed6d78 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -46,6 +46,10 @@ extern ssize_t cpu_show_spectre_v1(struct device *dev,
                                   struct device_attribute *attr, char *buf);
 extern ssize_t cpu_show_spectre_v2(struct device *dev,
                                   struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_spec_store_bypass(struct device *dev,
+                                          struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_l1tf(struct device *dev,
+                             struct device_attribute *attr, char *buf);
 extern __printf(4, 5)
 struct device *cpu_device_create(struct device *parent, void *drvdata,
diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
index a91b3b75da0f..bb3a4bb35183 100644
--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -661,6 +661,11 @@ void alloc_bootmem_cpumask_var(cpumask_var_t *mask);
 void free_cpumask_var(cpumask_var_t mask);
 void free_bootmem_cpumask_var(cpumask_var_t mask);
+static inline bool cpumask_available(cpumask_var_t mask)
+{
+        return mask != NULL;
+}
 #else
 typedef struct cpumask cpumask_var_t[1];
@@ -701,6 +706,11 @@ static inline void free_cpumask_var(cpumask_var_t mask)
 static inline void free_bootmem_cpumask_var(cpumask_var_t mask)
 {
 }
+static inline bool cpumask_available(cpumask_var_t mask)
+{
+        return true;
+}
 #endif /* CONFIG_CPUMASK_OFFSTACK */
 /* It's common to want to use cpu_all_mask in struct member initializers,
diff --git a/include/linux/dcache.h b/include/linux/dcache.h
index d516847e0fae..11f4334ab177 100644
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -236,6 +236,7 @@ extern seqlock_t rename_lock;
 * These are the low-level FS interfaces to the dcache..
 */
 extern void d_instantiate(struct dentry *, struct inode *);
+extern void d_instantiate_new(struct dentry *, struct inode *);
 extern struct dentry * d_instantiate_unique(struct dentry *, struct inode *);
 extern int d_instantiate_no_diralias(struct dentry *, struct inode *);
 extern void __d_drop(struct dentry *dentry);
diff --git a/include/linux/device.h b/include/linux/device.h
index 7075a2485ed3..834000903525 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -1272,8 +1272,11 @@ do {									\
                dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__);        \
 } while (0)
 #else
-#define dev_dbg_ratelimited(dev, fmt, ...)                      \
+#define dev_dbg_ratelimited(dev, fmt, ...)                              \
-        no_printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__)
+do {                                                                    \
+        if (0)                                                          \
+                dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__);        \
+} while (0)
 #endif
 #ifdef VERBOSE_DEBUG
diff --git a/include/linux/dma-iommu.h b/include/linux/dma-iommu.h
index fc481037478a..19baa7f4f403 100644
--- a/include/linux/dma-iommu.h
+++ b/include/linux/dma-iommu.h
@@ -17,6 +17,7 @@
 #define __DMA_IOMMU_H
 #ifdef __KERNEL__
+#include <linux/types.h>
 #include <asm/errno.h>
 #ifdef CONFIG_IOMMU_DMA
diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h
index 16a1cad30c33..cff20d515efe 100644
--- a/include/linux/dmaengine.h
+++ b/include/linux/dmaengine.h
@@ -800,6 +800,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_slave_single(
        sg_dma_address(&sg) = buf;
        sg_dma_len(&sg) = len;
+        if (!chan || !chan->device || !chan->device->device_prep_slave_sg)
+                return NULL;
        return chan->device->device_prep_slave_sg(chan, &sg, 1,
                                                  dir, flags, NULL);
 }
@@ -808,6 +811,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_slave_sg(
        struct dma_chan *chan, struct scatterlist *sgl, unsigned int sg_len,
        enum dma_transfer_direction dir, unsigned long flags)
 {
+        if (!chan || !chan->device || !chan->device->device_prep_slave_sg)
+                return NULL;
        return chan->device->device_prep_slave_sg(chan, sgl, sg_len,
                                                  dir, flags, NULL);
 }
@@ -819,6 +825,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_rio_sg(
        enum dma_transfer_direction dir, unsigned long flags,
        struct rio_dma_ext *rio_ext)
 {
+        if (!chan || !chan->device || !chan->device->device_prep_slave_sg)
+                return NULL;
        return chan->device->device_prep_slave_sg(chan, sgl, sg_len,
                                                  dir, flags, rio_ext);
 }
@@ -829,6 +838,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_dma_cyclic(
                size_t period_len, enum dma_transfer_direction dir,
                unsigned long flags)
 {
+        if (!chan || !chan->device || !chan->device->device_prep_dma_cyclic)
+                return NULL;
        return chan->device->device_prep_dma_cyclic(chan, buf_addr, buf_len,
                                                period_len, dir, flags);
 }
@@ -837,6 +849,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_interleaved_dma(
                struct dma_chan *chan, struct dma_interleaved_template *xt,
                unsigned long flags)
 {
+        if (!chan || !chan->device || !chan->device->device_prep_interleaved_dma)
+                return NULL;
        return chan->device->device_prep_interleaved_dma(chan, xt, flags);
 }
@@ -844,7 +859,7 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_dma_memset(
                struct dma_chan *chan, dma_addr_t dest, int value, size_t len,
                unsigned long flags)
 {
-        if (!chan || !chan->device)
+        if (!chan || !chan->device || !chan->device->device_prep_dma_memset)
                return NULL;
        return chan->device->device_prep_dma_memset(chan, dest, value,
@@ -857,6 +872,9 @@ static inline struct dma_async_tx_descriptor *dmaengine_prep_dma_sg(
                struct scatterlist *src_sg, unsigned int src_nents,
                unsigned long flags)
 {
+        if (!chan || !chan->device || !chan->device->device_prep_dma_sg)
+                return NULL;
        return chan->device->device_prep_dma_sg(chan, dst_sg, dst_nents,
                        src_sg, src_nents, flags);
 }
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 333d0ca6940f..b558bf8f1a7b 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -364,8 +364,8 @@ typedef struct {
        u32 attributes;
        u32 get_bar_attributes;
        u32 set_bar_attributes;
-        uint64_t romsize;
+        u64 romsize;
-        void *romimage;
+        u32 romimage;
 } efi_pci_io_protocol_32;
 typedef struct {
@@ -384,8 +384,8 @@ typedef struct {
        u64 attributes;
        u64 get_bar_attributes;
        u64 set_bar_attributes;
-        uint64_t romsize;
+        u64 romsize;
-        void *romimage;
+        u64 romimage;
 } efi_pci_io_protocol_64;
 typedef struct {
diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h
index 5295535b60c6..a7b7a050bfa8 100644
--- a/include/linux/fdtable.h
+++ b/include/linux/fdtable.h
@@ -9,6 +9,7 @@
 #include <linux/compiler.h>
 #include <linux/spinlock.h>
 #include <linux/rcupdate.h>
+#include <linux/nospec.h>
 #include <linux/types.h>
 #include <linux/init.h>
 #include <linux/fs.h>
@@ -81,8 +82,10 @@ static inline struct file *__fcheck_files(struct files_struct *files, unsigned i
 {
        struct fdtable *fdt = rcu_dereference_raw(files->fdt);
-        if (fd < fdt->max_fds)
+        if (fd < fdt->max_fds) {
+                fd = array_index_nospec(fd, fdt->max_fds);
                return rcu_dereference_raw(fdt->fd[fd]);
+        }
        return NULL;
 }
diff --git a/include/linux/fs.h b/include/linux/fs.h
index c8decb7075d6..240cbaee819f 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -926,9 +926,9 @@ static inline struct file *get_file(struct file *f)
 /* Page cache limit. The filesystems should put that into their s_maxbytes 
   limits, otherwise bad things can happen in VM. */ 
 #if BITS_PER_LONG==32
-#define MAX_LFS_FILESIZE        (((loff_t)PAGE_CACHE_SIZE << (BITS_PER_LONG-1))-1) 
+#define MAX_LFS_FILESIZE        ((loff_t)ULONG_MAX << PAGE_SHIFT)
 #elif BITS_PER_LONG==64
-#define MAX_LFS_FILESIZE        ((loff_t)0x7fffffffffffffffLL)
+#define MAX_LFS_FILESIZE        ((loff_t)LLONG_MAX)
 #endif
 #define FL_POSIX        1
@@ -1295,6 +1295,7 @@ struct mm_struct;
 /* sb->s_iflags */
 #define SB_I_CGROUPWB   0x00000001      /* cgroup-aware writeback enabled */
 #define SB_I_NOEXEC     0x00000002      /* Ignore executables on this fs */
+#define SB_I_MULTIROOT  0x00000008      /* Multiple roots to the dentry tree */
 /* Possible states of 'frozen' field */
 enum {
@@ -3066,5 +3067,6 @@ static inline bool dir_relax(struct inode *inode)
 }
 extern bool path_noexec(const struct path *path);
+extern void inode_nohighmem(struct inode *inode);
 #endif /* _LINUX_FS_H */
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 251a1d382e23..fd86687f8119 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -793,7 +793,7 @@ extern int hidinput_connect(struct hid_device *hid, unsigned int force);
 extern void hidinput_disconnect(struct hid_device *);
 int hid_set_field(struct hid_field *, unsigned, __s32);
-int hid_input_report(struct hid_device *, int type, u8 *, int, int);
+int hid_input_report(struct hid_device *, int type, u8 *, u32, int);
 int hidinput_find_field(struct hid_device *hid, unsigned int type, unsigned int code, struct hid_field **field);
 struct hid_field *hidinput_get_led_field(struct hid_device *hid);
 unsigned int hidinput_count_leds(struct hid_device *hid);
@@ -1098,13 +1098,13 @@ static inline void hid_hw_wait(struct hid_device *hdev)
 *
 * @report: the report we want to know the length
 */
-static inline int hid_report_len(struct hid_report *report)
+static inline u32 hid_report_len(struct hid_report *report)
 {
        /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */
        return ((report->size - 1) >> 3) + 1 + (report->id > 0);
 }
-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
                int interrupt);
 /* HID quirks API */
diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
index 19db03dbbd00..dd676ba758ee 100644
--- a/include/linux/if_vlan.h
+++ b/include/linux/if_vlan.h
@@ -585,7 +585,7 @@ static inline bool skb_vlan_tagged(const struct sk_buff *skb)
 * Returns true if the skb is tagged with multiple vlan headers, regardless
 * of whether it is hardware accelerated or not.
 */
-static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
+static inline bool skb_vlan_tagged_multi(struct sk_buff *skb)
 {
        __be16 protocol = skb->protocol;
@@ -596,6 +596,9 @@ static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
                           protocol != htons(ETH_P_8021AD)))
                        return false;
+                if (unlikely(!pskb_may_pull(skb, VLAN_ETH_HLEN)))
+                        return false;
                veh = (struct vlan_ethhdr *)skb->data;
                protocol = veh->h_vlan_encapsulated_proto;
        }
@@ -613,7 +616,7 @@ static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
 *
 * Returns features without unsafe ones if the skb has multiple tags.
 */
-static inline netdev_features_t vlan_features_check(const struct sk_buff *skb,
+static inline netdev_features_t vlan_features_check(struct sk_buff *skb,
                                                    netdev_features_t features)
 {
        if (skb_vlan_tagged_multi(skb)) {
diff --git a/include/linux/iio/buffer.h b/include/linux/iio/buffer.h
index 1600c55828e0..93a774ce4922 100644
--- a/include/linux/iio/buffer.h
+++ b/include/linux/iio/buffer.h
@@ -49,7 +49,7 @@ struct iio_buffer_access_funcs {
        int (*request_update)(struct iio_buffer *buffer);
        int (*set_bytes_per_datum)(struct iio_buffer *buffer, size_t bpd);
-        int (*set_length)(struct iio_buffer *buffer, int length);
+        int (*set_length)(struct iio_buffer *buffer, unsigned int length);
        void (*release)(struct iio_buffer *buffer);
@@ -78,8 +78,8 @@ struct iio_buffer_access_funcs {
 * @watermark:          [INTERN] number of datums to wait for poll/read.
 */
 struct iio_buffer {
-        int                                     length;
+        unsigned int                            length;
-        int                                     bytes_per_datum;
+        size_t                                  bytes_per_datum;
        struct attribute_group                  *scan_el_attrs;
        long                                    *scan_mask;
        bool                                    scan_timestamp;
diff --git a/include/linux/init.h b/include/linux/init.h
index aedb254abc37..3561ea30ed8c 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -4,6 +4,13 @@
 #include <linux/compiler.h>
 #include <linux/types.h>
+/* Built-in __init functions needn't be compiled with retpoline */
+#if defined(RETPOLINE) && !defined(MODULE)
+#define __noretpoline __attribute__((indirect_branch("keep")))
+#else
+#define __noretpoline
+#endif
 /* These macros are used to mark some functions or 
 * initialized data (doesn't apply to uninitialized data)
 * as `initialization' functions. The kernel can take this
@@ -39,7 +46,7 @@
 /* These are for everybody (although not all archs will actually
   discard it in modules) */
-#define __init          __section(.init.text) __cold notrace
+#define __init          __section(.init.text) __cold notrace __noretpoline
 #define __initdata      __section(.init.data)
 #define __initconst     __constsection(.init.rodata)
 #define __exitdata      __section(.exit.data)
diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
index 5fdc55312334..2fb10601febe 100644
--- a/include/linux/jiffies.h
+++ b/include/linux/jiffies.h
@@ -1,6 +1,7 @@
 #ifndef _LINUX_JIFFIES_H
 #define _LINUX_JIFFIES_H
+#include <linux/cache.h>
 #include <linux/math64.h>
 #include <linux/kernel.h>
 #include <linux/types.h>
@@ -63,19 +64,17 @@ extern int register_refined_jiffies(long clock_tick_rate);
 /* TICK_USEC is the time between ticks in usec assuming fake USER_HZ */
 #define TICK_USEC ((1000000UL + USER_HZ/2) / USER_HZ)
-/* some arch's have a small-data section that can be accessed register-relative
+#ifndef __jiffy_arch_data
- * but that can only take up to, say, 4-byte variables. jiffies being part of
+#define __jiffy_arch_data
- * an 8-byte variable may not be correctly accessed unless we force the issue
+#endif
- */
-#define __jiffy_data  __attribute__((section(".data")))
 /*
 * The 64-bit value is not atomic - you MUST NOT read it
 * without sampling the sequence number in jiffies_lock.
 * get_jiffies_64() will do this for you as appropriate.
 */
-extern u64 __jiffy_data jiffies_64;
+extern u64 __cacheline_aligned_in_smp jiffies_64;
-extern unsigned long volatile __jiffy_data jiffies;
+extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data jiffies;
 #if (BITS_PER_LONG < 64)
 u64 get_jiffies_64(void);
diff --git a/include/linux/kaiser.h b/include/linux/kaiser.h
index 58c55b1589d0..b56c19010480 100644
--- a/include/linux/kaiser.h
+++ b/include/linux/kaiser.h
@@ -32,7 +32,7 @@ static inline void kaiser_init(void)
 {
 }
 static inline int kaiser_add_mapping(unsigned long addr,
-                                     unsigned long size, unsigned long flags)
+                                     unsigned long size, u64 flags)
 {
        return 0;
 }
diff --git a/include/linux/ktime.h b/include/linux/ktime.h
index 2b6a204bd8d4..3ffc69ebe967 100644
--- a/include/linux/ktime.h
+++ b/include/linux/ktime.h
@@ -64,6 +64,13 @@ static inline ktime_t ktime_set(const s64 secs, const unsigned long nsecs)
                ({ (ktime_t){ .tv64 = (lhs).tv64 + (rhs).tv64 }; })
 /*
+ * Same as ktime_add(), but avoids undefined behaviour on overflow; however,
+ * this means that you must check the result for overflow yourself.
+ */
+#define ktime_add_unsafe(lhs, rhs) \
+                ({ (ktime_t){ .tv64 = (u64) (lhs).tv64 + (rhs).tv64 }; })
+/*
 * Add a ktime_t variable and a scalar nanosecond value.
 * res = kt + nsval:
 */
diff --git a/include/linux/libata.h b/include/linux/libata.h
index b20a2752f934..6428ac4746de 100644
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -210,6 +210,7 @@ enum {
        ATA_FLAG_SLAVE_POSS     = (1 << 0), /* host supports slave dev */
                                            /* (doesn't imply presence) */
        ATA_FLAG_SATA           = (1 << 1),
+        ATA_FLAG_NO_LPM         = (1 << 2), /* host not happy with LPM */
        ATA_FLAG_NO_LOG_PAGE    = (1 << 5), /* do not issue log page read */
        ATA_FLAG_NO_ATAPI       = (1 << 6), /* No ATAPI support */
        ATA_FLAG_PIO_DMA        = (1 << 7), /* PIO cmds via DMA */
diff --git a/include/linux/llist.h b/include/linux/llist.h
index fd4ca0b4fe0f..ac6796138ba0 100644
--- a/include/linux/llist.h
+++ b/include/linux/llist.h
@@ -88,6 +88,23 @@ static inline void init_llist_head(struct llist_head *list)
        container_of(ptr, type, member)
 /**
+ * member_address_is_nonnull - check whether the member address is not NULL
+ * @ptr:        the object pointer (struct type * that contains the llist_node)
+ * @member:     the name of the llist_node within the struct.
+ *
+ * This macro is conceptually the same as
+ *      &ptr->member != NULL
+ * but it works around the fact that compilers can decide that taking a member
+ * address is never a NULL pointer.
+ *
+ * Real objects that start at a high address and have a member at NULL are
+ * unlikely to exist, but such pointers may be returned e.g. by the
+ * container_of() macro.
+ */
+#define member_address_is_nonnull(ptr, member)  \
+        ((uintptr_t)(ptr) + offsetof(typeof(*(ptr)), member) != 0)
+/**
 * llist_for_each - iterate over some deleted entries of a lock-less list
 * @pos:        the &struct llist_node to use as a loop cursor
 * @node:       the first entry of deleted list entries
@@ -121,7 +138,7 @@ static inline void init_llist_head(struct llist_head *list)
 */
 #define llist_for_each_entry(pos, node, member)                         \
        for ((pos) = llist_entry((node), typeof(*(pos)), member);       \
-             &(pos)->member != NULL;                                    \
+             member_address_is_nonnull(pos, member);                    \
             (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member))
 /**
@@ -143,7 +160,7 @@ static inline void init_llist_head(struct llist_head *list)
 */
 #define llist_for_each_entry_safe(pos, n, node, member)                        \
        for (pos = llist_entry((node), typeof(*pos), member);                  \
-             &pos->member != NULL &&                                           \
+             member_address_is_nonnull(pos, member) &&                         \
                (n = llist_entry(pos->member.next, typeof(*n), member), true); \
             pos = n)
diff --git a/include/linux/mlx4/qp.h b/include/linux/mlx4/qp.h
index fe052e234906..bb1018882199 100644
--- a/include/linux/mlx4/qp.h
+++ b/include/linux/mlx4/qp.h
@@ -465,6 +465,7 @@ struct mlx4_update_qp_params {
        u16     rate_val;
 };
+struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn);
 int mlx4_update_qp(struct mlx4_dev *dev, u32 qpn,
                   enum mlx4_update_qp_attr attr,
                   struct mlx4_update_qp_params *params);
diff --git a/include/linux/mlx5/device.h b/include/linux/mlx5/device.h
index a91b67b18a73..5c93f4a89afa 100644
--- a/include/linux/mlx5/device.h
+++ b/include/linux/mlx5/device.h
@@ -635,8 +635,14 @@ enum {
 };
 enum {
-        CQE_RSS_HTYPE_IP        = 0x3 << 6,
+        CQE_RSS_HTYPE_IP        = 0x3 << 2,
-        CQE_RSS_HTYPE_L4        = 0x3 << 2,
+        /* cqe->rss_hash_type[3:2] - IP destination selected for hash
+         * (00 = none,  01 = IPv4, 10 = IPv6, 11 = Reserved)
+         */
+        CQE_RSS_HTYPE_L4        = 0x3 << 6,
+        /* cqe->rss_hash_type[7:6] - L4 destination selected for hash
+         * (00 = none, 01 = TCP. 10 = UDP, 11 = IPSEC.SPI
+         */
 };
 enum {
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 5c2bf9096b7a..5c105bf78aa2 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -225,10 +225,14 @@ extern pgprot_t protection_map[16];
 * ->fault function. The vma's ->fault is responsible for returning a bitmask
 * of VM_FAULT_xxx flags that give details about how the fault was handled.
 *
+ * MM layer fills up gfp_mask for page allocations but fault handler might
+ * alter it if its implementation requires a different allocation context.
+ *
 * pgoff should be used in favour of virtual_address, if possible.
 */
 struct vm_fault {
        unsigned int flags;             /* FAULT_FLAG_xxx flags */
+        gfp_t gfp_mask;                 /* gfp mask to be used for allocations */
        pgoff_t pgoff;                  /* Logical page offset based on vma */
        void __user *virtual_address;   /* Faulting virtual address */
@@ -2079,6 +2083,8 @@ int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
 int vm_insert_page(struct vm_area_struct *, unsigned long addr, struct page *);
 int vm_insert_pfn(struct vm_area_struct *vma, unsigned long addr,
                        unsigned long pfn);
+int vm_insert_pfn_prot(struct vm_area_struct *vma, unsigned long addr,
+                        unsigned long pfn, pgprot_t pgprot);
 int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
                        unsigned long pfn);
 int vm_iomap_memory(struct vm_area_struct *vma, phys_addr_t start, unsigned long len);
diff --git a/include/linux/mmc/sdio_ids.h b/include/linux/mmc/sdio_ids.h
index 83430f2ea757..e0325706b76d 100644
--- a/include/linux/mmc/sdio_ids.h
+++ b/include/linux/mmc/sdio_ids.h
@@ -33,6 +33,7 @@
 #define SDIO_DEVICE_ID_BROADCOM_43341           0xa94d
 #define SDIO_DEVICE_ID_BROADCOM_4335_4339       0x4335
 #define SDIO_DEVICE_ID_BROADCOM_43362           0xa962
+#define SDIO_DEVICE_ID_BROADCOM_43364           0xa9a4
 #define SDIO_DEVICE_ID_BROADCOM_43430           0xa9a6
 #define SDIO_DEVICE_ID_BROADCOM_4345            0x4345
 #define SDIO_DEVICE_ID_BROADCOM_4354            0x4354
diff --git a/include/linux/module.h b/include/linux/module.h
index b229a9961d02..c9f2f85017ad 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -789,6 +789,15 @@ static inline void module_bug_finalize(const Elf_Ehdr *hdr,
 static inline void module_bug_cleanup(struct module *mod) {}
 #endif  /* CONFIG_GENERIC_BUG */
+#ifdef RETPOLINE
+extern bool retpoline_module_ok(bool has_retpoline);
+#else
+static inline bool retpoline_module_ok(bool has_retpoline)
+{
+        return true;
+}
+#endif
 #ifdef CONFIG_MODULE_SIG
 static inline bool module_sig_ok(struct module *module)
 {
diff --git a/include/linux/msi.h b/include/linux/msi.h
index f0f43ec45ee7..d0d50cf00b4d 100644
--- a/include/linux/msi.h
+++ b/include/linux/msi.h
@@ -17,7 +17,13 @@ struct msi_desc;
 struct pci_dev;
 struct platform_msi_priv_data;
 void __get_cached_msi_msg(struct msi_desc *entry, struct msi_msg *msg);
+#ifdef CONFIG_GENERIC_MSI_IRQ
 void get_cached_msi_msg(unsigned int irq, struct msi_msg *msg);
+#else
+static inline void get_cached_msi_msg(unsigned int irq, struct msi_msg *msg)
+{
+}
+#endif
 typedef void (*irq_write_msi_msg_t)(struct msi_desc *desc,
                                    struct msi_msg *msg);
@@ -105,18 +111,21 @@ struct msi_desc {
 struct pci_dev *msi_desc_to_pci_dev(struct msi_desc *desc);
 void *msi_desc_to_pci_sysdata(struct msi_desc *desc);
+void pci_write_msi_msg(unsigned int irq, struct msi_msg *msg);
 #else /* CONFIG_PCI_MSI */
 static inline void *msi_desc_to_pci_sysdata(struct msi_desc *desc)
 {
        return NULL;
 }
+static inline void pci_write_msi_msg(unsigned int irq, struct msi_msg *msg)
+{
+}
 #endif /* CONFIG_PCI_MSI */
 struct msi_desc *alloc_msi_entry(struct device *dev);
 void free_msi_entry(struct msi_desc *entry);
 void __pci_read_msi_msg(struct msi_desc *entry, struct msi_msg *msg);
 void __pci_write_msi_msg(struct msi_desc *entry, struct msi_msg *msg);
-void pci_write_msi_msg(unsigned int irq, struct msi_msg *msg);
 u32 __pci_msix_desc_mask_irq(struct msi_desc *desc, u32 flag);
 u32 __pci_msi_desc_mask_irq(struct msi_desc *desc, u32 mask, u32 flag);
diff --git a/include/linux/mtd/flashchip.h b/include/linux/mtd/flashchip.h
index b63fa457febd..3529683f691e 100644
--- a/include/linux/mtd/flashchip.h
+++ b/include/linux/mtd/flashchip.h
@@ -85,6 +85,7 @@ struct flchip {
        unsigned int write_suspended:1;
        unsigned int erase_suspended:1;
        unsigned long in_progress_block_addr;
+        unsigned long in_progress_block_mask;
        struct mutex mutex;
        wait_queue_head_t wq; /* Wait on here when we're waiting for the chip
diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h
index 806d0ab845e0..676d3d2a1a0a 100644
--- a/include/linux/mtd/map.h
+++ b/include/linux/mtd/map.h
@@ -265,75 +265,67 @@ void map_destroy(struct mtd_info *mtd);
 #define INVALIDATE_CACHED_RANGE(map, from, size) \
        do { if (map->inval_cache) map->inval_cache(map, from, size); } while (0)
+#define map_word_equal(map, val1, val2)                                 \
-static inline int map_word_equal(struct map_info *map, map_word val1, map_word val2)
+({                                                                      \
-{
+        int i, ret = 1;                                                 \
-        int i;
+        for (i = 0; i < map_words(map); i++)                            \
+                if ((val1).x[i] != (val2).x[i]) {                       \
-        for (i = 0; i < map_words(map); i++) {
+                        ret = 0;                                        \
-                if (val1.x[i] != val2.x[i])
+                        break;                                          \
-                        return 0;
+                }                                                       \
-        }
+        ret;                                                            \
+})
-        return 1;
-}
+#define map_word_and(map, val1, val2)                                   \
+({                                                                      \
-static inline map_word map_word_and(struct map_info *map, map_word val1, map_word val2)
+        map_word r;                                                     \
-{
+        int i;                                                          \
-        map_word r;
+        for (i = 0; i < map_words(map); i++)                            \
-        int i;
+                r.x[i] = (val1).x[i] & (val2).x[i];                     \
+        r;                                                              \
-        for (i = 0; i < map_words(map); i++)
+})
-                r.x[i] = val1.x[i] & val2.x[i];
+#define map_word_clr(map, val1, val2)                                   \
-        return r;
+({                                                                      \
-}
+        map_word r;                                                     \
+        int i;                                                          \
-static inline map_word map_word_clr(struct map_info *map, map_word val1, map_word val2)
+        for (i = 0; i < map_words(map); i++)                            \
-{
+                r.x[i] = (val1).x[i] & ~(val2).x[i];                    \
-        map_word r;
+        r;                                                              \
-        int i;
+})
-        for (i = 0; i < map_words(map); i++)
+#define map_word_or(map, val1, val2)                                    \
-                r.x[i] = val1.x[i] & ~val2.x[i];
+({                                                                      \
+        map_word r;                                                     \
-        return r;
+        int i;                                                          \
-}
+        for (i = 0; i < map_words(map); i++)                            \
+                r.x[i] = (val1).x[i] | (val2).x[i];                     \
-static inline map_word map_word_or(struct map_info *map, map_word val1, map_word val2)
+        r;                                                              \
-{
+})
-        map_word r;
-        int i;
+#define map_word_andequal(map, val1, val2, val3)                        \
+({                                                                      \
-        for (i = 0; i < map_words(map); i++)
+        int i, ret = 1;                                                 \
-                r.x[i] = val1.x[i] | val2.x[i];
+        for (i = 0; i < map_words(map); i++) {                          \
+                if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) {       \
-        return r;
+                        ret = 0;                                        \
-}
+                        break;                                          \
+                }                                                       \
-static inline int map_word_andequal(struct map_info *map, map_word val1, map_word val2, map_word val3)
+        }                                                               \
-{
+        ret;                                                            \
-        int i;
+})
-        for (i = 0; i < map_words(map); i++) {
+#define map_word_bitsset(map, val1, val2)                               \
-                if ((val1.x[i] & val2.x[i]) != val3.x[i])
+({                                                                      \
-                        return 0;
+        int i, ret = 0;                                                 \
-        }
+        for (i = 0; i < map_words(map); i++) {                          \
+                if ((val1).x[i] & (val2).x[i]) {                        \
-        return 1;
+                        ret = 1;                                        \
-}
+                        break;                                          \
+                }                                                       \
-static inline int map_word_bitsset(struct map_info *map, map_word val1, map_word val2)
+        }                                                               \
-{
+        ret;                                                            \
-        int i;
+})
-        for (i = 0; i < map_words(map); i++) {
-                if (val1.x[i] & val2.x[i])
-                        return 1;
-        }
-        return 0;
-}
 static inline map_word map_word_load(struct map_info *map, const void *ptr)
 {
diff --git a/include/linux/mtd/sh_flctl.h b/include/linux/mtd/sh_flctl.h
index 1c28f8879b1c..067b37aff4a1 100644
--- a/include/linux/mtd/sh_flctl.h
+++ b/include/linux/mtd/sh_flctl.h
@@ -148,6 +148,7 @@ struct sh_flctl {
        struct platform_device  *pdev;
        struct dev_pm_qos_request pm_qos;
        void __iomem            *reg;
+        resource_size_t         fifo;
        uint8_t done_buff[2048 + 64];   /* max size 2048 + 64 */
        int     read_bytes;
diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h
index 1d6a935c1ac5..8793f5a7b820 100644
--- a/include/linux/netfilter/ipset/ip_set_timeout.h
+++ b/include/linux/netfilter/ipset/ip_set_timeout.h
@@ -65,8 +65,14 @@ ip_set_timeout_set(unsigned long *timeout, u32 value)
 static inline u32
 ip_set_timeout_get(unsigned long *timeout)
 {
-        return *timeout == IPSET_ELEM_PERMANENT ? 0 :
+        u32 t;
-                jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
+        if (*timeout == IPSET_ELEM_PERMANENT)
+                return 0;
+        t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
+        /* Zero value in userspace means no timeout */
+        return t == 0 ? 1 : t;
 }
 #endif  /* __KERNEL__ */
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 04078e8a4803..6923e4049de3 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -243,6 +243,12 @@ int xt_check_entry_offsets(const void *base, const char *elems,
                           unsigned int target_offset,
                           unsigned int next_offset);
+unsigned int *xt_alloc_entry_offsets(unsigned int size);
+bool xt_find_jump_offset(const unsigned int *offsets,
+                         unsigned int target, unsigned int size);
+int xt_check_proc_name(const char *name, unsigned int size);
 int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
                   bool inv_proto);
 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
@@ -364,38 +370,14 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
        return ret;
 }
+struct xt_percpu_counter_alloc_state {
+        unsigned int off;
+        const char __percpu *mem;
+};
-/* On SMP, ip(6)t_entry->counters.pcnt holds address of the
+bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
- * real (percpu) counter.  On !SMP, its just the packet count,
+                             struct xt_counters *counter);
- * so nothing needs to be done there.
+void xt_percpu_counter_free(struct xt_counters *cnt);
- *
- * xt_percpu_counter_alloc returns the address of the percpu
- * counter, or 0 on !SMP. We force an alignment of 16 bytes
- * so that bytes/packets share a common cache line.
- *
- * Hence caller must use IS_ERR_VALUE to check for error, this
- * allows us to return 0 for single core systems without forcing
- * callers to deal with SMP vs. NONSMP issues.
- */
-static inline u64 xt_percpu_counter_alloc(void)
-{
-        if (nr_cpu_ids > 1) {
-                void __percpu *res = __alloc_percpu(sizeof(struct xt_counters),
-                                                    sizeof(struct xt_counters));
-                if (res == NULL)
-                        return (u64) -ENOMEM;
-                return (u64) (__force unsigned long) res;
-        }
-        return 0;
-}
-static inline void xt_percpu_counter_free(u64 pcnt)
-{
-        if (nr_cpu_ids > 1)
-                free_percpu((void __percpu *) (unsigned long) pcnt);
-}
 static inline struct xt_counters *
 xt_get_this_cpu_counter(struct xt_counters *cnt)
diff --git a/include/linux/nospec.h b/include/linux/nospec.h
new file mode 100644
index 000000000000..0c5ef54fd416
--- /dev/null
+++ b/include/linux/nospec.h
@@ -0,0 +1,68 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright(c) 2018 Linus Torvalds. All rights reserved.
+// Copyright(c) 2018 Alexei Starovoitov. All rights reserved.
+// Copyright(c) 2018 Intel Corporation. All rights reserved.
+#ifndef _LINUX_NOSPEC_H
+#define _LINUX_NOSPEC_H
+#include <asm/barrier.h>
+struct task_struct;
+/**
+ * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
+ * @index: array element index
+ * @size: number of elements in array
+ *
+ * When @index is out of bounds (@index >= @size), the sign bit will be
+ * set.  Extend the sign bit to all bits and invert, giving a result of
+ * zero for an out of bounds index, or ~0 if within bounds [0, @size).
+ */
+#ifndef array_index_mask_nospec
+static inline unsigned long array_index_mask_nospec(unsigned long index,
+                                                    unsigned long size)
+{
+        /*
+         * Always calculate and emit the mask even if the compiler
+         * thinks the mask is not needed. The compiler does not take
+         * into account the value of @index under speculation.
+         */
+        OPTIMIZER_HIDE_VAR(index);
+        return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
+}
+#endif
+/*
+ * array_index_nospec - sanitize an array index after a bounds check
+ *
+ * For a code sequence like:
+ *
+ *     if (index < size) {
+ *         index = array_index_nospec(index, size);
+ *         val = array[index];
+ *     }
+ *
+ * ...if the CPU speculates past the bounds check then
+ * array_index_nospec() will clamp the index within the range of [0,
+ * size).
+ */
+#define array_index_nospec(index, size)                                 \
+({                                                                      \
+        typeof(index) _i = (index);                                     \
+        typeof(size) _s = (size);                                       \
+        unsigned long _mask = array_index_mask_nospec(_i, _s);          \
+                                                                        \
+        BUILD_BUG_ON(sizeof(_i) > sizeof(long));                        \
+        BUILD_BUG_ON(sizeof(_s) > sizeof(long));                        \
+                                                                        \
+        (typeof(_i)) (_i & _mask);                                      \
+})
+/* Speculation control prctl */
+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which);
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
+                             unsigned long ctrl);
+/* Speculation control for seccomp enforced mitigation */
+void arch_seccomp_spec_mitigate(struct task_struct *task);
+#endif /* _LINUX_NOSPEC_H */
diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
index fbfadba81c5a..771774e13f10 100644
--- a/include/linux/pagemap.h
+++ b/include/linux/pagemap.h
@@ -153,7 +153,7 @@ static inline int page_cache_get_speculative(struct page *page)
 #ifdef CONFIG_TINY_RCU
 # ifdef CONFIG_PREEMPT_COUNT
-        VM_BUG_ON(!in_atomic());
+        VM_BUG_ON(!in_atomic() && !irqs_disabled());
 # endif
        /*
         * Preempt must be disabled here - we rely on rcu_read_lock doing
@@ -191,7 +191,7 @@ static inline int page_cache_add_speculative(struct page *page, int count)
 #if !defined(CONFIG_SMP) && defined(CONFIG_TREE_RCU)
 # ifdef CONFIG_PREEMPT_COUNT
-        VM_BUG_ON(!in_atomic());
+        VM_BUG_ON(!in_atomic() && !irqs_disabled());
 # endif
        VM_BUG_ON_PAGE(page_count(page) == 0, page);
        atomic_add(count, &page->_count);
diff --git a/include/linux/platform_data/isl9305.h b/include/linux/platform_data/isl9305.h
index 1419133fa69e..4ac1a070af0a 100644
--- a/include/linux/platform_data/isl9305.h
+++ b/include/linux/platform_data/isl9305.h
@@ -24,7 +24,7 @@
 struct regulator_init_data;
 struct isl9305_pdata {
-        struct regulator_init_data *init_data[ISL9305_MAX_REGULATOR];
+        struct regulator_init_data *init_data[ISL9305_MAX_REGULATOR + 1];
 };
 #endif
diff --git a/include/linux/posix-clock.h b/include/linux/posix-clock.h
index 34c4498b800f..83b22ae9ae12 100644
--- a/include/linux/posix-clock.h
+++ b/include/linux/posix-clock.h
@@ -59,23 +59,23 @@ struct posix_clock_operations {
        int  (*clock_adjtime)(struct posix_clock *pc, struct timex *tx);
-        int  (*clock_gettime)(struct posix_clock *pc, struct timespec *ts);
+        int  (*clock_gettime)(struct posix_clock *pc, struct timespec64 *ts);
-        int  (*clock_getres) (struct posix_clock *pc, struct timespec *ts);
+        int  (*clock_getres) (struct posix_clock *pc, struct timespec64 *ts);
        int  (*clock_settime)(struct posix_clock *pc,
-                              const struct timespec *ts);
+                              const struct timespec64 *ts);
        int  (*timer_create) (struct posix_clock *pc, struct k_itimer *kit);
        int  (*timer_delete) (struct posix_clock *pc, struct k_itimer *kit);
        void (*timer_gettime)(struct posix_clock *pc,
-                              struct k_itimer *kit, struct itimerspec *tsp);
+                              struct k_itimer *kit, struct itimerspec64 *tsp);
        int  (*timer_settime)(struct posix_clock *pc,
                              struct k_itimer *kit, int flags,
-                              struct itimerspec *tsp, struct itimerspec *old);
+                              struct itimerspec64 *tsp, struct itimerspec64 *old);
        /*
         * Optional character device methods:
         */
diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h
index 4acc552e9279..19d0778ec382 100644
--- a/include/linux/ring_buffer.h
+++ b/include/linux/ring_buffer.h
@@ -162,6 +162,7 @@ void ring_buffer_record_enable(struct ring_buffer *buffer);
 void ring_buffer_record_off(struct ring_buffer *buffer);
 void ring_buffer_record_on(struct ring_buffer *buffer);
 int ring_buffer_record_is_on(struct ring_buffer *buffer);
+int ring_buffer_record_is_set_on(struct ring_buffer *buffer);
 void ring_buffer_record_disable_cpu(struct ring_buffer *buffer, int cpu);
 void ring_buffer_record_enable_cpu(struct ring_buffer *buffer, int cpu);
diff --git a/include/linux/sched.h b/include/linux/sched.h
index e887c8d6f395..725498cc5d30 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1313,6 +1313,7 @@ struct sched_dl_entity {
        u64 dl_deadline;        /* relative deadline of each instance   */
        u64 dl_period;          /* separation of two instances (period) */
        u64 dl_bw;              /* dl_runtime / dl_deadline             */
+        u64 dl_density;         /* dl_runtime / dl_deadline             */
        /*
         * Actual scheduling parameters. Initialized with the values above,
@@ -2166,6 +2167,8 @@ static inline void memalloc_noio_restore(unsigned int flags)
 #define PFA_NO_NEW_PRIVS 0      /* May not gain new privileges. */
 #define PFA_SPREAD_PAGE  1      /* Spread page cache over cpuset */
 #define PFA_SPREAD_SLAB  2      /* Spread some slab caches over cpuset */
+#define PFA_SPEC_SSB_DISABLE            4       /* Speculative Store Bypass disabled */
+#define PFA_SPEC_SSB_FORCE_DISABLE      5       /* Speculative Store Bypass force disabled*/
 #define TASK_PFA_TEST(name, func)                                       \
@@ -2189,6 +2192,13 @@ TASK_PFA_TEST(SPREAD_SLAB, spread_slab)
 TASK_PFA_SET(SPREAD_SLAB, spread_slab)
 TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab)
+TASK_PFA_TEST(SPEC_SSB_DISABLE, spec_ssb_disable)
+TASK_PFA_SET(SPEC_SSB_DISABLE, spec_ssb_disable)
+TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable)
+TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
+TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
 /*
 * task->jobctl flags
 */
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index 2296e6b2f690..5a53d34bba26 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -3,7 +3,8 @@
 #include <uapi/linux/seccomp.h>
-#define SECCOMP_FILTER_FLAG_MASK        (SECCOMP_FILTER_FLAG_TSYNC)
+#define SECCOMP_FILTER_FLAG_MASK        (SECCOMP_FILTER_FLAG_TSYNC      | \
+                                         SECCOMP_FILTER_FLAG_SPEC_ALLOW)
 #ifdef CONFIG_SECCOMP
diff --git a/include/linux/signal.h b/include/linux/signal.h
index d80259afb9e5..bcc094cb697c 100644
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -97,6 +97,23 @@ static inline int sigisemptyset(sigset_t *set)
        }
 }
+static inline int sigequalsets(const sigset_t *set1, const sigset_t *set2)
+{
+        switch (_NSIG_WORDS) {
+        case 4:
+                return  (set1->sig[3] == set2->sig[3]) &&
+                        (set1->sig[2] == set2->sig[2]) &&
+                        (set1->sig[1] == set2->sig[1]) &&
+                        (set1->sig[0] == set2->sig[0]);
+        case 2:
+                return  (set1->sig[1] == set2->sig[1]) &&
+                        (set1->sig[0] == set2->sig[0]);
+        case 1:
+                return  set1->sig[0] == set2->sig[0];
+        }
+        return 0;
+}
 #define sigmask(sig)    (1UL << ((sig) - 1))
 #ifndef __HAVE_ARCH_SIG_SETOPS
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index b5421f6f155a..c28bd8be290a 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -514,6 +514,7 @@ static inline bool skb_mstamp_after(const struct skb_mstamp *t1,
 *      @hash: the packet hash
 *      @queue_mapping: Queue mapping for multiqueue devices
 *      @xmit_more: More SKBs are pending for this queue
+ *      @pfmemalloc: skbuff was allocated from PFMEMALLOC reserves
 *      @ndisc_nodetype: router type (from link layer)
 *      @ooo_okay: allow the mapping of a socket to a queue to be changed
 *      @l4_hash: indicate hash is a canonical 4-tuple hash over transport
@@ -594,8 +595,8 @@ struct sk_buff {
                                fclone:2,
                                peeked:1,
                                head_frag:1,
-                                xmit_more:1;
+                                xmit_more:1,
-        /* one bit hole */
+                                pfmemalloc:1;
        kmemcheck_bitfield_end(flags1);
        /* fields enclosed in headers_start/headers_end are copied
@@ -615,19 +616,18 @@ struct sk_buff {
        __u8                    __pkt_type_offset[0];
        __u8                    pkt_type:3;
-        __u8                    pfmemalloc:1;
        __u8                    ignore_df:1;
        __u8                    nfctinfo:3;
        __u8                    nf_trace:1;
        __u8                    ip_summed:2;
        __u8                    ooo_okay:1;
        __u8                    l4_hash:1;
        __u8                    sw_hash:1;
        __u8                    wifi_acked_valid:1;
        __u8                    wifi_acked:1;
        __u8                    no_fcs:1;
        /* Indicates the inner headers are valid in the skbuff. */
        __u8                    encapsulation:1;
        __u8                    encap_hdr_csum:1;
@@ -635,11 +635,11 @@ struct sk_buff {
        __u8                    csum_complete_sw:1;
        __u8                    csum_level:2;
        __u8                    csum_bad:1;
 #ifdef CONFIG_IPV6_NDISC_NODETYPE
        __u8                    ndisc_nodetype:2;
 #endif
        __u8                    ipvs_property:1;
        __u8                    inner_protocol_type:1;
        __u8                    remcsum_offload:1;
        /* 3 or 5 bit hole */
@@ -879,10 +879,10 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb,
                                     unsigned int headroom);
 struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom,
                                int newtailroom, gfp_t priority);
-int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
+int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
-                        int offset, int len);
+                                     int offset, int len);
-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset,
+int __must_check skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg,
-                 int len);
+                              int offset, int len);
 int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer);
 int skb_pad(struct sk_buff *skb, int pad);
 #define dev_kfree_skb(a)        consume_skb(a)
diff --git a/include/linux/string.h b/include/linux/string.h
index aa30789b0f65..98bb781a2eff 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -122,6 +122,7 @@ extern char *kstrdup(const char *s, gfp_t gfp);
 extern const char *kstrdup_const(const char *s, gfp_t gfp);
 extern char *kstrndup(const char *s, size_t len, gfp_t gfp);
 extern void *kmemdup(const void *src, size_t len, gfp_t gfp);
+extern char *kmemdup_nul(const char *s, size_t len, gfp_t gfp);
 extern char **argv_split(gfp_t gfp, const char *str, int *argcp);
 extern void argv_free(char **argv);
diff --git a/include/linux/suspend.h b/include/linux/suspend.h
index 8b6ec7ef0854..4a69bca7c6ab 100644
--- a/include/linux/suspend.h
+++ b/include/linux/suspend.h
@@ -377,6 +377,8 @@ extern int swsusp_page_is_forbidden(struct page *);
 extern void swsusp_set_page_free(struct page *);
 extern void swsusp_unset_page_free(struct page *);
 extern unsigned long get_safe_page(gfp_t gfp_mask);
+extern asmlinkage int swsusp_arch_suspend(void);
+extern asmlinkage int swsusp_arch_resume(void);
 extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
 extern int hibernate(void);
diff --git a/include/linux/swapfile.h b/include/linux/swapfile.h
index 388293a91e8c..e4594de79bc4 100644
--- a/include/linux/swapfile.h
+++ b/include/linux/swapfile.h
@@ -9,5 +9,7 @@ extern spinlock_t swap_lock;
 extern struct plist_head swap_active_head;
 extern struct swap_info_struct *swap_info[];
 extern int try_to_unuse(unsigned int, bool, unsigned long);
+extern unsigned long generic_max_swapfile_size(void);
+extern unsigned long max_swapfile_size(void);
 #endif /* _LINUX_SWAPFILE_H */
diff --git a/include/linux/tcp.h b/include/linux/tcp.h
index 318c24612458..5b6df1a8dc74 100644
--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -29,9 +29,14 @@ static inline struct tcphdr *tcp_hdr(const struct sk_buff *skb)
        return (struct tcphdr *)skb_transport_header(skb);
 }
+static inline unsigned int __tcp_hdrlen(const struct tcphdr *th)
+{
+        return th->doff * 4;
+}
 static inline unsigned int tcp_hdrlen(const struct sk_buff *skb)
 {
-        return tcp_hdr(skb)->doff * 4;
+        return __tcp_hdrlen(tcp_hdr(skb));
 }
 static inline struct tcphdr *inner_tcp_hdr(const struct sk_buff *skb)
@@ -319,7 +324,7 @@ struct tcp_sock {
 /* Receiver queue space */
        struct {
-                int     space;
+                u32     space;
                u32     seq;
                u32     time;
        } rcvq_space;
diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index eded095fe81e..1cfa07c86bc5 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -55,11 +55,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);
 #ifdef __KERNEL__
-#ifdef CONFIG_DEBUG_STACK_USAGE
+#define THREADINFO_GFP          (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
-# define THREADINFO_GFP         (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
-#else
-# define THREADINFO_GFP         (GFP_KERNEL | __GFP_NOTRACK)
-#endif
 /*
 * flag set/clear/test wrappers
diff --git a/include/linux/timekeeper_internal.h b/include/linux/timekeeper_internal.h
index f0f1793cfa49..115216ec7cfe 100644
--- a/include/linux/timekeeper_internal.h
+++ b/include/linux/timekeeper_internal.h
@@ -56,7 +56,7 @@ struct tk_read_base {
 *                      interval.
 * @xtime_remainder:    Shifted nano seconds left over when rounding
 *                      @cycle_interval
- * @raw_interval:       Raw nano seconds accumulated per NTP interval.
+ * @raw_interval:       Shifted raw nano seconds accumulated per NTP interval.
 * @ntp_error:          Difference between accumulated time and NTP time in ntp
 *                      shifted nano seconds.
 * @ntp_error_shift:    Shift conversion between clock shifted nano seconds and
@@ -97,7 +97,7 @@ struct timekeeper {
        cycle_t                 cycle_interval;
        u64                     xtime_interval;
        s64                     xtime_remainder;
-        u32                     raw_interval;
+        u64                     raw_interval;
        /* The ntp_tick_length() value currently being used.
         * This cached copy ensures we consistently apply the tick
         * length for an entire tick, as ntp_tick_length may change
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 83b264c52898..812cdd8cff22 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -342,6 +342,7 @@ struct tty_file_private {
 #define TTY_PTY_LOCK            16      /* pty private */
 #define TTY_NO_WRITE_SPLIT      17      /* Preserve write boundaries to driver */
 #define TTY_HUPPED              18      /* Post driver->hangup() */
+#define TTY_HUPPING             19      /* Hangup in progress */
 #define TTY_LDISC_HALTED        22      /* Line discipline is halted */
 #define TTY_WRITE_FLUSH(tty) tty_write_flush((tty))
@@ -372,6 +373,7 @@ extern void proc_clear_tty(struct task_struct *p);
 extern struct tty_struct *get_current_tty(void);
 /* tty_io.c */
 extern int __init tty_init(void);
+extern const char *tty_name(const struct tty_struct *tty);
 #else
 static inline void console_init(void)
 { }
@@ -392,6 +394,8 @@ static inline struct tty_struct *get_current_tty(void)
 /* tty_io.c */
 static inline int __init tty_init(void)
 { return 0; }
+static inline const char *tty_name(const struct tty_struct *tty)
+{ return "(none)"; }
 #endif
 extern void tty_write_flush(struct tty_struct *);
@@ -420,7 +424,6 @@ static inline struct tty_struct *tty_kref_get(struct tty_struct *tty)
 extern int tty_paranoia_check(struct tty_struct *tty, struct inode *inode,
                              const char *routine);
-extern const char *tty_name(const struct tty_struct *tty);
 extern void tty_wait_until_sent(struct tty_struct *tty, long timeout);
 extern int __tty_check_change(struct tty_struct *tty, int sig);
 extern int tty_check_change(struct tty_struct *tty);
@@ -583,7 +586,7 @@ extern int tty_unregister_ldisc(int disc);
 extern int tty_set_ldisc(struct tty_struct *tty, int ldisc);
 extern int tty_ldisc_setup(struct tty_struct *tty, struct tty_struct *o_tty);
 extern void tty_ldisc_release(struct tty_struct *tty);
-extern void tty_ldisc_init(struct tty_struct *tty);
+extern int __must_check tty_ldisc_init(struct tty_struct *tty);
 extern void tty_ldisc_deinit(struct tty_struct *tty);
 extern void tty_ldisc_begin(void);
diff --git a/include/linux/usb/composite.h b/include/linux/usb/composite.h
index 1074b8921a5d..69c728883266 100644
--- a/include/linux/usb/composite.h
+++ b/include/linux/usb/composite.h
@@ -53,6 +53,9 @@
 /* big enough to hold our biggest descriptor */
 #define USB_COMP_EP0_BUFSIZ     1024
+/* OS feature descriptor length <= 4kB */
+#define USB_COMP_EP0_OS_DESC_BUFSIZ     4096
 #define USB_MS_TO_HS_INTERVAL(x)        (ilog2((x * 1000 / 125)) + 1)
 struct usb_configuration;
diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h
index 59af12e0f767..f3e6b6fd1c68 100644
--- a/include/linux/usb/gadget.h
+++ b/include/linux/usb/gadget.h
@@ -663,8 +663,20 @@ static inline struct usb_gadget *dev_to_usb_gadget(struct device *dev)
        list_for_each_entry(tmp, &(gadget)->ep_list, ep_list)
 /**
+ * usb_ep_align - returns @len aligned to ep's maxpacketsize.
+ * @ep: the endpoint whose maxpacketsize is used to align @len
+ * @len: buffer size's length to align to @ep's maxpacketsize
+ *
+ * This helper is used to align buffer's size to an ep's maxpacketsize.
+ */
+static inline size_t usb_ep_align(struct usb_ep *ep, size_t len)
+{
+        return round_up(len, (size_t)le16_to_cpu(ep->desc->wMaxPacketSize));
+}
+/**
 * usb_ep_align_maybe - returns @len aligned to ep's maxpacketsize if gadget
- *      requires quirk_ep_out_aligned_size, otherwise reguens len.
+ *      requires quirk_ep_out_aligned_size, otherwise returns len.
 * @g: controller to check for quirk
 * @ep: the endpoint whose maxpacketsize is used to align @len
 * @len: buffer size's length to align to @ep's maxpacketsize
@@ -675,8 +687,7 @@ static inline struct usb_gadget *dev_to_usb_gadget(struct device *dev)
 static inline size_t
 usb_ep_align_maybe(struct usb_gadget *g, struct usb_ep *ep, size_t len)
 {
-        return !g->quirk_ep_out_aligned_size ? len :
+        return g->quirk_ep_out_aligned_size ? usb_ep_align(ep, len) : len;
-                        round_up(len, (size_t)ep->desc->wMaxPacketSize);
 }
 /**
diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
index de2a722fe3cf..ea4f81c2a6d5 100644
--- a/include/linux/usb/quirks.h
+++ b/include/linux/usb/quirks.h
@@ -56,4 +56,7 @@
 */
 #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL   BIT(11)
+/* Device needs a pause after every control message. */
+#define USB_QUIRK_DELAY_CTRL_MSG                BIT(13)
 #endif /* __LINUX_USB_QUIRKS_H */
diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
index a3d04934aa96..6f8fbcf10dfb 100644
--- a/include/linux/vermagic.h
+++ b/include/linux/vermagic.h
@@ -24,16 +24,10 @@
 #ifndef MODULE_ARCH_VERMAGIC
 #define MODULE_ARCH_VERMAGIC ""
 #endif
-#ifdef RETPOLINE
-#define MODULE_VERMAGIC_RETPOLINE "retpoline "
-#else
-#define MODULE_VERMAGIC_RETPOLINE ""
-#endif
 #define VERMAGIC_STRING                                                 \
        UTS_RELEASE " "                                                 \
        MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT                     \
        MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS       \
-        MODULE_ARCH_VERMAGIC                                            \
+        MODULE_ARCH_VERMAGIC
-        MODULE_VERMAGIC_RETPOLINE
diff --git a/include/linux/virtio.h b/include/linux/virtio.h
index 24e6d3db70da..1fcaf70c8fb7 100644
--- a/include/linux/virtio.h
+++ b/include/linux/virtio.h
@@ -134,6 +134,9 @@ int virtio_device_freeze(struct virtio_device *dev);
 int virtio_device_restore(struct virtio_device *dev);
 #endif
+#define virtio_device_for_each_vq(vdev, vq) \
+        list_for_each_entry(vq, &vdev->vqs, list)
 /**
 * virtio_driver - operations for a virtio I/O driver
 * @driver: underlying device driver (populate name and owner).
diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h
index 217abe56e711..f63ce973b27b 100644
--- a/include/linux/workqueue.h
+++ b/include/linux/workqueue.h
@@ -451,6 +451,7 @@ extern bool cancel_delayed_work_sync(struct delayed_work *dwork);
 extern void workqueue_set_max_active(struct workqueue_struct *wq,
                                     int max_active);
+extern struct work_struct *current_work(void);
 extern bool current_is_workqueue_rescuer(void);
 extern bool workqueue_congested(int cpu, struct workqueue_struct *wq);
 extern unsigned int work_busy(struct work_struct *work);
diff --git a/include/net/arp.h b/include/net/arp.h
index 5e0f891d476c..1b3f86981757 100644
--- a/include/net/arp.h
+++ b/include/net/arp.h
@@ -19,6 +19,9 @@ static inline u32 arp_hashfn(const void *pkey, const struct net_device *dev, u32
 static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key)
 {
+        if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
+                key = INADDR_ANY;
        return ___neigh_lookup_noref(&arp_tbl, neigh_key_eq32, arp_hashfn, &key, dev);
 }
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 1878d0a96333..876688b5a356 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -878,7 +878,7 @@ struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
                                     u16 conn_timeout, u8 role);
 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
                                u8 dst_type, u8 sec_level, u16 conn_timeout,
-                                u8 role);
+                                u8 role, bdaddr_t *direct_rpa);
 struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
                                 u8 sec_level, u8 auth_type);
 struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index b5f3693fe5b6..c05748cc1b20 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -933,9 +933,9 @@ enum rate_info_flags {
 * @RATE_INFO_BW_160: 160 MHz bandwidth
 */
 enum rate_info_bw {
+        RATE_INFO_BW_20 = 0,
        RATE_INFO_BW_5,
        RATE_INFO_BW_10,
-        RATE_INFO_BW_20,
        RATE_INFO_BW_40,
        RATE_INFO_BW_80,
        RATE_INFO_BW_160,
diff --git a/include/net/dst_cache.h b/include/net/dst_cache.h
new file mode 100644
index 000000000000..151accae708b
--- /dev/null
+++ b/include/net/dst_cache.h
@@ -0,0 +1,97 @@
+#ifndef _NET_DST_CACHE_H
+#define _NET_DST_CACHE_H
+#include <linux/jiffies.h>
+#include <net/dst.h>
+#if IS_ENABLED(CONFIG_IPV6)
+#include <net/ip6_fib.h>
+#endif
+struct dst_cache {
+        struct dst_cache_pcpu __percpu *cache;
+        unsigned long reset_ts;
+};
+/**
+ *      dst_cache_get - perform cache lookup
+ *      @dst_cache: the cache
+ *
+ *      The caller should use dst_cache_get_ip4() if it need to retrieve the
+ *      source address to be used when xmitting to the cached dst.
+ *      local BH must be disabled.
+ */
+struct dst_entry *dst_cache_get(struct dst_cache *dst_cache);
+/**
+ *      dst_cache_get_ip4 - perform cache lookup and fetch ipv4 source address
+ *      @dst_cache: the cache
+ *      @saddr: return value for the retrieved source address
+ *
+ *      local BH must be disabled.
+ */
+struct rtable *dst_cache_get_ip4(struct dst_cache *dst_cache, __be32 *saddr);
+/**
+ *      dst_cache_set_ip4 - store the ipv4 dst into the cache
+ *      @dst_cache: the cache
+ *      @dst: the entry to be cached
+ *      @saddr: the source address to be stored inside the cache
+ *
+ *      local BH must be disabled.
+ */
+void dst_cache_set_ip4(struct dst_cache *dst_cache, struct dst_entry *dst,
+                       __be32 saddr);
+#if IS_ENABLED(CONFIG_IPV6)
+/**
+ *      dst_cache_set_ip6 - store the ipv6 dst into the cache
+ *      @dst_cache: the cache
+ *      @dst: the entry to be cached
+ *      @saddr: the source address to be stored inside the cache
+ *
+ *      local BH must be disabled.
+ */
+void dst_cache_set_ip6(struct dst_cache *dst_cache, struct dst_entry *dst,
+                       const struct in6_addr *addr);
+/**
+ *      dst_cache_get_ip6 - perform cache lookup and fetch ipv6 source address
+ *      @dst_cache: the cache
+ *      @saddr: return value for the retrieved source address
+ *
+ *      local BH must be disabled.
+ */
+struct dst_entry *dst_cache_get_ip6(struct dst_cache *dst_cache,
+                                    struct in6_addr *saddr);
+#endif
+/**
+ *      dst_cache_reset - invalidate the cache contents
+ *      @dst_cache: the cache
+ *
+ *      This do not free the cached dst to avoid races and contentions.
+ *      the dst will be freed on later cache lookup.
+ */
+static inline void dst_cache_reset(struct dst_cache *dst_cache)
+{
+        dst_cache->reset_ts = jiffies;
+}
+/**
+ *      dst_cache_init - initialize the cache, allocating the required storage
+ *      @dst_cache: the cache
+ *      @gfp: allocation flags
+ */
+int dst_cache_init(struct dst_cache *dst_cache, gfp_t gfp);
+/**
+ *      dst_cache_destroy - empty the cache and free the allocated storage
+ *      @dst_cache: the cache
+ *
+ *      No synchronization is enforced: it must be called only when the cache
+ *      is unsed.
+ */
+void dst_cache_destroy(struct dst_cache *dst_cache);
+#endif
diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h
index c9b3eb70f340..567017b5fc9e 100644
--- a/include/net/inet_timewait_sock.h
+++ b/include/net/inet_timewait_sock.h
@@ -55,6 +55,7 @@ struct inet_timewait_sock {
 #define tw_family               __tw_common.skc_family
 #define tw_state                __tw_common.skc_state
 #define tw_reuse                __tw_common.skc_reuse
+#define tw_reuseport            __tw_common.skc_reuseport
 #define tw_ipv6only             __tw_common.skc_ipv6only
 #define tw_bound_dev_if         __tw_common.skc_bound_dev_if
 #define tw_node                 __tw_common.skc_nulls_node
diff --git a/include/net/ip.h b/include/net/ip.h
index 639398af273b..0530bcdbc212 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -279,6 +279,13 @@ int ip_decrease_ttl(struct iphdr *iph)
        return --iph->ttl;
 }
+static inline int ip_mtu_locked(const struct dst_entry *dst)
+{
+        const struct rtable *rt = (const struct rtable *)dst;
+        return rt->rt_mtu_locked || dst_metric_locked(dst, RTAX_MTU);
+}
 static inline
 int ip_dont_fragment(const struct sock *sk, const struct dst_entry *dst)
 {
@@ -286,7 +293,7 @@ int ip_dont_fragment(const struct sock *sk, const struct dst_entry *dst)
        return  pmtudisc == IP_PMTUDISC_DO ||
                (pmtudisc == IP_PMTUDISC_WANT &&
-                 !(dst_metric_locked(dst, RTAX_MTU)));
+                 !ip_mtu_locked(dst));
 }
 static inline bool ip_sk_accept_pmtu(const struct sock *sk)
@@ -312,7 +319,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
        struct net *net = dev_net(dst->dev);
        if (net->ipv4.sysctl_ip_fwd_use_pmtu ||
-            dst_metric_locked(dst, RTAX_MTU) ||
+            ip_mtu_locked(dst) ||
            !forwarding)
                return dst_mtu(dst);
diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
index 9c2c044153f6..d143c8480681 100644
--- a/include/net/ip6_tunnel.h
+++ b/include/net/ip6_tunnel.h
@@ -5,6 +5,8 @@
 #include <linux/netdevice.h>
 #include <linux/if_tunnel.h>
 #include <linux/ip6_tunnel.h>
+#include <net/ip_tunnels.h>
+#include <net/dst_cache.h>
 #define IP6TUNNEL_ERR_TIMEO (30*HZ)
@@ -32,12 +34,6 @@ struct __ip6_tnl_parm {
        __be32                  o_key;
 };
-struct ip6_tnl_dst {
-        seqlock_t lock;
-        struct dst_entry __rcu *dst;
-        u32 cookie;
-};
 /* IPv6 tunnel */
 struct ip6_tnl {
        struct ip6_tnl __rcu *next;     /* next tunnel in list */
@@ -45,7 +41,7 @@ struct ip6_tnl {
        struct net *net;        /* netns for packet i/o */
        struct __ip6_tnl_parm parms;    /* tunnel configuration parameters */
        struct flowi fl;        /* flowi template for xmit */
-        struct ip6_tnl_dst __percpu *dst_cache; /* cached dst */
+        struct dst_cache dst_cache;     /* cached dst */
        int err_count;
        unsigned long err_time;
@@ -65,11 +61,6 @@ struct ipv6_tlv_tnl_enc_lim {
        __u8 encap_limit;       /* tunnel encapsulation limit   */
 } __packed;
-struct dst_entry *ip6_tnl_dst_get(struct ip6_tnl *t);
-int ip6_tnl_dst_init(struct ip6_tnl *t);
-void ip6_tnl_dst_destroy(struct ip6_tnl *t);
-void ip6_tnl_dst_reset(struct ip6_tnl *t);
-void ip6_tnl_dst_set(struct ip6_tnl *t, struct dst_entry *dst);
 int ip6_tnl_rcv_ctl(struct ip6_tnl *t, const struct in6_addr *laddr,
                const struct in6_addr *raddr);
 int ip6_tnl_xmit_ctl(struct ip6_tnl *t, const struct in6_addr *laddr,
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index bda1721e9622..3afb7c4c7098 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -56,6 +56,7 @@ struct fib_nh_exception {
        int                             fnhe_genid;
        __be32                          fnhe_daddr;
        u32                             fnhe_pmtu;
+        bool                            fnhe_mtu_locked;
        __be32                          fnhe_gw;
        unsigned long                   fnhe_expires;
        struct rtable __rcu             *fnhe_rth_input;
diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
index 86a7bdd61d1a..74bc08d82e14 100644
--- a/include/net/ip_tunnels.h
+++ b/include/net/ip_tunnels.h
@@ -13,6 +13,7 @@
 #include <net/netns/generic.h>
 #include <net/rtnetlink.h>
 #include <net/lwtunnel.h>
+#include <net/dst_cache.h>
 #if IS_ENABLED(CONFIG_IPV6)
 #include <net/ipv6.h>
@@ -85,11 +86,6 @@ struct ip_tunnel_prl_entry {
        struct rcu_head                 rcu_head;
 };
-struct ip_tunnel_dst {
-        struct dst_entry __rcu          *dst;
-        __be32                           saddr;
-};
 struct metadata_dst;
 struct ip_tunnel {
@@ -108,7 +104,7 @@ struct ip_tunnel {
        int             tun_hlen;       /* Precalculated header length */
        int             mlink;
-        struct ip_tunnel_dst __percpu *dst_cache;
+        struct dst_cache dst_cache;
        struct ip_tunnel_parm parms;
@@ -248,7 +244,6 @@ int ip_tunnel_changelink(struct net_device *dev, struct nlattr *tb[],
 int ip_tunnel_newlink(struct net_device *dev, struct nlattr *tb[],
                      struct ip_tunnel_parm *p);
 void ip_tunnel_setup(struct net_device *dev, int net_id);
-void ip_tunnel_dst_reset_all(struct ip_tunnel *t);
 int ip_tunnel_encap_setup(struct ip_tunnel *t,
                          struct ip_tunnel_encap *ipencap);
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 7a8066b90289..0e01d570fa22 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -281,6 +281,7 @@ int ipv6_flowlabel_opt_get(struct sock *sk, struct in6_flowlabel_req *freq,
                           int flags);
 int ip6_flowlabel_init(void);
 void ip6_flowlabel_cleanup(void);
+bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np);
 static inline void fl6_sock_release(struct ip6_flowlabel *fl)
 {
@@ -761,7 +762,7 @@ static inline __be32 ip6_make_flowlabel(struct net *net, struct sk_buff *skb,
         * to minimize possbility that any useful information to an
         * attacker is leaked. Only lower 20 bits are relevant.
         */
-        rol32(hash, 16);
+        hash = rol32(hash, 16);
        flowlabel = (__force __be32)hash & IPV6_FLOWLABEL_MASK;
diff --git a/include/net/llc_conn.h b/include/net/llc_conn.h
index fe994d2e5286..df528a623548 100644
--- a/include/net/llc_conn.h
+++ b/include/net/llc_conn.h
@@ -97,13 +97,14 @@ static __inline__ char llc_backlog_type(struct sk_buff *skb)
 struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority,
                          struct proto *prot, int kern);
+void llc_sk_stop_all_timers(struct sock *sk, bool sync);
 void llc_sk_free(struct sock *sk);
 void llc_sk_reset(struct sock *sk);
 /* Access to a connection */
 int llc_conn_state_process(struct sock *sk, struct sk_buff *skb);
-void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
+int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
 void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb);
 void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit);
 void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit);
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index c493b7c0d3c8..4889398a0f62 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -975,7 +975,7 @@ ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info)
 * @RX_FLAG_DECRYPTED: This frame was decrypted in hardware.
 * @RX_FLAG_MMIC_STRIPPED: the Michael MIC is stripped off this frame,
 *      verification has been done by the hardware.
- * @RX_FLAG_IV_STRIPPED: The IV/ICV are stripped from this frame.
+ * @RX_FLAG_IV_STRIPPED: The IV and ICV are stripped from this frame.
 *      If this flag is set, the stack cannot do any replay detection
 *      hence the driver or hardware will have to do that.
 * @RX_FLAG_PN_VALIDATED: Currently only valid for CCMP/GCMP frames, this
@@ -1013,6 +1013,8 @@ ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info)
 *      on this subframe
 * @RX_FLAG_AMPDU_DELIM_CRC_KNOWN: The delimiter CRC field is known (the CRC
 *      is stored in the @ampdu_delimiter_crc field)
+ * @RX_FLAG_MIC_STRIPPED: The mic was stripped of this packet. Decryption was
+ *      done by the hardware
 * @RX_FLAG_LDPC: LDPC was used
 * @RX_FLAG_STBC_MASK: STBC 2 bit bitmask. 1 - Nss=1, 2 - Nss=2, 3 - Nss=3
 * @RX_FLAG_10MHZ: 10 MHz (half channel) was used
@@ -1029,6 +1031,11 @@ ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info)
 * @RX_FLAG_RADIOTAP_VENDOR_DATA: This frame contains vendor-specific
 *      radiotap data in the skb->data (before the frame) as described by
 *      the &struct ieee80211_vendor_radiotap.
+ * @RX_FLAG_ALLOW_SAME_PN: Allow the same PN as same packet before.
+ *      This is used for AMSDU subframes which can have the same PN as
+ *      the first subframe.
+ * @RX_FLAG_ICV_STRIPPED: The ICV is stripped from this frame. CRC checking must
+ *      be done in the hardware.
 */
 enum mac80211_rx_flags {
        RX_FLAG_MMIC_ERROR              = BIT(0),
@@ -1059,6 +1066,9 @@ enum mac80211_rx_flags {
        RX_FLAG_5MHZ                    = BIT(29),
        RX_FLAG_AMSDU_MORE              = BIT(30),
        RX_FLAG_RADIOTAP_VENDOR_DATA    = BIT(31),
+        RX_FLAG_MIC_STRIPPED            = BIT_ULL(32),
+        RX_FLAG_ALLOW_SAME_PN           = BIT_ULL(33),
+        RX_FLAG_ICV_STRIPPED            = BIT_ULL(34),
 };
 #define RX_FLAG_STBC_SHIFT              26
@@ -1113,7 +1123,7 @@ struct ieee80211_rx_status {
        u64 mactime;
        u32 device_timestamp;
        u32 ampdu_reference;
-        u32 flag;
+        u64 flag;
        u16 freq;
        u8 vht_flag;
        u8 rate_idx;
@@ -3888,7 +3898,7 @@ static inline int ieee80211_sta_ps_transition_ni(struct ieee80211_sta *sta,
 * The TX headroom reserved by mac80211 for its own tx_status functions.
 * This is enough for the radiotap header.
 */
-#define IEEE80211_TX_STATUS_HEADROOM    14
+#define IEEE80211_TX_STATUS_HEADROOM    ALIGN(14, 4)
 /**
 * ieee80211_sta_set_buffered - inform mac80211 about driver-buffered frames
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 2dcea635ecce..93328c61934a 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -209,6 +209,11 @@ int net_eq(const struct net *net1, const struct net *net2)
        return net1 == net2;
 }
+static inline int check_net(const struct net *net)
+{
+        return atomic_read(&net->count) != 0;
+}
 void net_drop_ns(void *);
 #else
@@ -233,6 +238,11 @@ int net_eq(const struct net *net1, const struct net *net2)
        return 1;
 }
+static inline int check_net(const struct net *net)
+{
+        return 1;
+}
 #define net_drop_ns NULL
 #endif
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index 9c5638ad872e..0dbce55437f2 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -28,8 +28,8 @@ struct nf_queue_handler {
                                                struct nf_hook_ops *ops);
 };
-void nf_register_queue_handler(const struct nf_queue_handler *qh);
+void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh);
-void nf_unregister_queue_handler(void);
+void nf_unregister_queue_handler(struct net *net);
 void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);
 void nf_queue_entry_get_refs(struct nf_queue_entry *entry);
diff --git a/include/net/netlink.h b/include/net/netlink.h
index 0e3172751755..5ffaea4665f8 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -745,7 +745,10 @@ static inline int nla_parse_nested(struct nlattr *tb[], int maxtype,
 */
 static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value)
 {
-        return nla_put(skb, attrtype, sizeof(u8), &value);
+        /* temporary variables to work around GCC PR81715 with asan-stack=1 */
+        u8 tmp = value;
+        return nla_put(skb, attrtype, sizeof(u8), &tmp);
 }
 /**
@@ -756,7 +759,9 @@ static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value)
 */
 static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value)
 {
-        return nla_put(skb, attrtype, sizeof(u16), &value);
+        u16 tmp = value;
+        return nla_put(skb, attrtype, sizeof(u16), &tmp);
 }
 /**
@@ -767,7 +772,9 @@ static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value)
 */
 static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value)
 {
-        return nla_put(skb, attrtype, sizeof(__be16), &value);
+        __be16 tmp = value;
+        return nla_put(skb, attrtype, sizeof(__be16), &tmp);
 }
 /**
@@ -778,7 +785,9 @@ static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value)
 */
 static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value)
 {
-        return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value);
+        __be16 tmp = value;
+        return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
 }
 /**
@@ -789,7 +798,9 @@ static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value)
 */
 static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value)
 {
-        return nla_put(skb, attrtype, sizeof(__le16), &value);
+        __le16 tmp = value;
+        return nla_put(skb, attrtype, sizeof(__le16), &tmp);
 }
 /**
@@ -800,7 +811,9 @@ static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value)
 */
 static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value)
 {
-        return nla_put(skb, attrtype, sizeof(u32), &value);
+        u32 tmp = value;
+        return nla_put(skb, attrtype, sizeof(u32), &tmp);
 }
 /**
@@ -811,7 +824,9 @@ static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value)
 */
 static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value)
 {
-        return nla_put(skb, attrtype, sizeof(__be32), &value);
+        __be32 tmp = value;
+        return nla_put(skb, attrtype, sizeof(__be32), &tmp);
 }
 /**
@@ -822,7 +837,9 @@ static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value)
 */
 static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
 {
-        return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value);
+        __be32 tmp = value;
+        return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
 }
 /**
@@ -833,7 +850,9 @@ static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
 */
 static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value)
 {
-        return nla_put(skb, attrtype, sizeof(__le32), &value);
+        __le32 tmp = value;
+        return nla_put(skb, attrtype, sizeof(__le32), &tmp);
 }
 /**
@@ -844,7 +863,9 @@ static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value)
 */
 static inline int nla_put_u64(struct sk_buff *skb, int attrtype, u64 value)
 {
-        return nla_put(skb, attrtype, sizeof(u64), &value);
+        u64 tmp = value;
+        return nla_put(skb, attrtype, sizeof(u64), &tmp);
 }
 /**
@@ -855,7 +876,9 @@ static inline int nla_put_u64(struct sk_buff *skb, int attrtype, u64 value)
 */
 static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value)
 {
-        return nla_put(skb, attrtype, sizeof(__be64), &value);
+        __be64 tmp = value;
+        return nla_put(skb, attrtype, sizeof(__be64), &tmp);
 }
 /**
@@ -866,7 +889,9 @@ static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value)
 */
 static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value)
 {
-        return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, value);
+        __be64 tmp = value;
+        return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
 }
 /**
@@ -877,7 +902,9 @@ static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value)
 */
 static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value)
 {
-        return nla_put(skb, attrtype, sizeof(__le64), &value);
+        __le64 tmp = value;
+        return nla_put(skb, attrtype, sizeof(__le64), &tmp);
 }
 /**
@@ -888,7 +915,9 @@ static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value)
 */
 static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value)
 {
-        return nla_put(skb, attrtype, sizeof(s8), &value);
+        s8 tmp = value;
+        return nla_put(skb, attrtype, sizeof(s8), &tmp);
 }
 /**
@@ -899,7 +928,9 @@ static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value)
 */
 static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value)
 {
-        return nla_put(skb, attrtype, sizeof(s16), &value);
+        s16 tmp = value;
+        return nla_put(skb, attrtype, sizeof(s16), &tmp);
 }
 /**
@@ -910,7 +941,9 @@ static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value)
 */
 static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value)
 {
-        return nla_put(skb, attrtype, sizeof(s32), &value);
+        s32 tmp = value;
+        return nla_put(skb, attrtype, sizeof(s32), &tmp);
 }
 /**
@@ -921,7 +954,9 @@ static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value)
 */
 static inline int nla_put_s64(struct sk_buff *skb, int attrtype, s64 value)
 {
-        return nla_put(skb, attrtype, sizeof(s64), &value);
+        s64 tmp = value;
+        return nla_put(skb, attrtype, sizeof(s64), &tmp);
 }
 /**
@@ -969,7 +1004,9 @@ static inline int nla_put_msecs(struct sk_buff *skb, int attrtype,
 static inline int nla_put_in_addr(struct sk_buff *skb, int attrtype,
                                  __be32 addr)
 {
-        return nla_put_be32(skb, attrtype, addr);
+        __be32 tmp = addr;
+        return nla_put_be32(skb, attrtype, tmp);
 }
 /**
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index 38aa4983e2a9..36d723579af2 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -5,11 +5,13 @@
 struct proc_dir_entry;
 struct nf_logger;
+struct nf_queue_handler;
 struct netns_nf {
 #if defined CONFIG_PROC_FS
        struct proc_dir_entry *proc_netfilter;
 #endif
+        const struct nf_queue_handler __rcu *queue_handler;
        const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO];
 #ifdef CONFIG_SYSCTL
        struct ctl_table_header *nf_log_dir_header;
diff --git a/include/net/nexthop.h b/include/net/nexthop.h
index 3334dbfa5aa4..7fc78663ec9d 100644
--- a/include/net/nexthop.h
+++ b/include/net/nexthop.h
@@ -6,7 +6,7 @@
 static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining)
 {
-        return remaining >= sizeof(*rtnh) &&
+        return remaining >= (int)sizeof(*rtnh) &&
               rtnh->rtnh_len >= sizeof(*rtnh) &&
               rtnh->rtnh_len <= remaining;
 }
diff --git a/include/net/red.h b/include/net/red.h
index 76e0b5f922c6..3618cdfec884 100644
--- a/include/net/red.h
+++ b/include/net/red.h
@@ -167,6 +167,17 @@ static inline void red_set_vars(struct red_vars *v)
        v->qcount       = -1;
 }
+static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog)
+{
+        if (fls(qth_min) + Wlog > 32)
+                return false;
+        if (fls(qth_max) + Wlog > 32)
+                return false;
+        if (qth_max < qth_min)
+                return false;
+        return true;
+}
 static inline void red_set_parms(struct red_parms *p,
                                 u32 qth_min, u32 qth_max, u8 Wlog, u8 Plog,
                                 u8 Scell_log, u8 *stab, u32 max_P)
@@ -178,7 +189,7 @@ static inline void red_set_parms(struct red_parms *p,
        p->qth_max      = qth_max << Wlog;
        p->Wlog         = Wlog;
        p->Plog         = Plog;
-        if (delta < 0)
+        if (delta <= 0)
                delta = 1;
        p->qth_delta    = delta;
        if (!max_P) {
diff --git a/include/net/regulatory.h b/include/net/regulatory.h
index ebc5a2ed8631..f83cacce3308 100644
--- a/include/net/regulatory.h
+++ b/include/net/regulatory.h
@@ -78,7 +78,7 @@ struct regulatory_request {
        int wiphy_idx;
        enum nl80211_reg_initiator initiator;
        enum nl80211_user_reg_hint_type user_reg_hint_type;
-        char alpha2[2];
+        char alpha2[3];
        enum nl80211_dfs_regions dfs_region;
        bool intersect;
        bool processed;
diff --git a/include/net/route.h b/include/net/route.h
index a3b9ef74a389..d2a92d94ff72 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -64,7 +64,8 @@ struct rtable {
        __be32                  rt_gateway;
        /* Miscellaneous cached information */
-        u32                     rt_pmtu;
+        u32                     rt_mtu_locked:1,
+                                rt_pmtu:31;
        u32                     rt_table_id;
diff --git a/include/net/slhc_vj.h b/include/net/slhc_vj.h
index 8716d5942b65..8fcf8908a694 100644
--- a/include/net/slhc_vj.h
+++ b/include/net/slhc_vj.h
@@ -127,6 +127,7 @@ typedef __u32 int32;
 */
 struct cstate {
        byte_t  cs_this;        /* connection id number (xmit) */
+        bool    initialized;    /* true if initialized */
        struct cstate *next;    /* next in ring (xmit) */
        struct iphdr cs_ip;     /* ip/tcp hdr from most recent packet */
        struct tcphdr cs_tcp;
diff --git a/include/net/tcp.h b/include/net/tcp.h
index cecb0e0eff06..cac4a6ad5db3 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -376,6 +376,7 @@ ssize_t tcp_splice_read(struct socket *sk, loff_t *ppos,
                        struct pipe_inode_info *pipe, size_t len,
                        unsigned int flags);
+void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks);
 static inline void tcp_dec_quickack_mode(struct sock *sk,
                                         const unsigned int pkts)
 {
@@ -559,6 +560,7 @@ void tcp_send_fin(struct sock *sk);
 void tcp_send_active_reset(struct sock *sk, gfp_t priority);
 int tcp_send_synack(struct sock *);
 void tcp_push_one(struct sock *, unsigned int mss_now);
+void __tcp_send_ack(struct sock *sk, u32 rcv_nxt);
 void tcp_send_ack(struct sock *sk);
 void tcp_send_delayed_ack(struct sock *sk);
 void tcp_send_loss_probe(struct sock *sk);
@@ -1199,9 +1201,11 @@ void tcp_select_initial_window(int __space, __u32 mss, __u32 *rcv_wnd,
 static inline int tcp_win_from_space(int space)
 {
-        return sysctl_tcp_adv_win_scale<=0 ?
+        int tcp_adv_win_scale = sysctl_tcp_adv_win_scale;
-                (space>>(-sysctl_tcp_adv_win_scale)) :
-                space - (space>>sysctl_tcp_adv_win_scale);
+        return tcp_adv_win_scale <= 0 ?
+                (space>>(-tcp_adv_win_scale)) :
+                space - (space>>tcp_adv_win_scale);
 }
 /* Note: caller must be prepared to deal with negative returns */
diff --git a/include/net/udplite.h b/include/net/udplite.h
index 80761938b9a7..8228155b305e 100644
--- a/include/net/udplite.h
+++ b/include/net/udplite.h
@@ -62,6 +62,7 @@ static inline int udplite_checksum_init(struct sk_buff *skb, struct udphdr *uh)
                UDP_SKB_CB(skb)->cscov = cscov;
                if (skb->ip_summed == CHECKSUM_COMPLETE)
                        skb->ip_summed = CHECKSUM_NONE;
+                skb->csum_valid = 0;
        }
        return 0;
diff --git a/include/net/x25.h b/include/net/x25.h
index c383aa4edbf0..6d30a01d281d 100644
--- a/include/net/x25.h
+++ b/include/net/x25.h
@@ -298,10 +298,10 @@ void x25_check_rbuf(struct sock *);
 /* sysctl_net_x25.c */
 #ifdef CONFIG_SYSCTL
-void x25_register_sysctl(void);
+int x25_register_sysctl(void);
 void x25_unregister_sysctl(void);
 #else
-static inline void x25_register_sysctl(void) {};
+static inline int x25_register_sysctl(void) { return 0; };
 static inline void x25_unregister_sysctl(void) {};
 #endif /* CONFIG_SYSCTL */
diff --git a/include/rdma/ib_addr.h b/include/rdma/ib_addr.h
index a78ff97eb249..d77416963f05 100644
--- a/include/rdma/ib_addr.h
+++ b/include/rdma/ib_addr.h
@@ -123,6 +123,8 @@ int rdma_copy_addr(struct rdma_dev_addr *dev_addr, struct net_device *dev,
              const unsigned char *dst_dev_addr);
 int rdma_addr_size(struct sockaddr *addr);
+int rdma_addr_size_in6(struct sockaddr_in6 *addr);
+int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);
 int rdma_addr_find_smac_by_sgid(union ib_gid *sgid, u8 *smac, u16 *vlan_id);
 int rdma_addr_find_dmac_by_grh(const union ib_gid *sgid, const union ib_gid *dgid,
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index 120da1d7f57e..10fefb0dc640 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -3007,6 +3007,20 @@ static inline int ib_check_mr_access(int flags)
        return 0;
 }
+static inline bool ib_access_writable(int access_flags)
+{
+        /*
+         * We have writable memory backing the MR if any of the following
+         * access flags are set.  "Local write" and "remote write" obviously
+         * require write access.  "Remote atomic" can do things like fetch and
+         * add, which will modify memory, and "MW bind" can change permissions
+         * by binding a window.
+         */
+        return access_flags &
+                (IB_ACCESS_LOCAL_WRITE   | IB_ACCESS_REMOTE_WRITE |
+                 IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND);
+}
 /**
 * ib_check_mr_status: lightweight check of MR status.
 *     This routine may provide status checks on a selected
diff --git a/include/soc/tegra/mc.h b/include/soc/tegra/mc.h
index 44202ff897fd..f759e0918037 100644
--- a/include/soc/tegra/mc.h
+++ b/include/soc/tegra/mc.h
@@ -99,6 +99,8 @@ struct tegra_mc_soc {
        u8 client_id_mask;
        const struct tegra_smmu_soc *smmu;
+        u32 intmask;
 };
 struct tegra_mc {
diff --git a/include/sound/control.h b/include/sound/control.h
index 21d047f229a1..4142757080f8 100644
--- a/include/sound/control.h
+++ b/include/sound/control.h
@@ -22,6 +22,7 @@
 *
 */
+#include <linux/nospec.h>
 #include <sound/asound.h>
 #define snd_kcontrol_chip(kcontrol) ((kcontrol)->private_data)
@@ -147,12 +148,14 @@ int snd_ctl_get_preferred_subdevice(struct snd_card *card, int type);
 static inline unsigned int snd_ctl_get_ioffnum(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
 {
-        return id->numid - kctl->id.numid;
+        unsigned int ioff = id->numid - kctl->id.numid;
+        return array_index_nospec(ioff, kctl->count);
 }
 static inline unsigned int snd_ctl_get_ioffidx(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
 {
-        return id->index - kctl->id.index;
+        unsigned int ioff = id->index - kctl->id.index;
+        return array_index_nospec(ioff, kctl->count);
 }
 static inline unsigned int snd_ctl_get_ioff(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
diff --git a/include/sound/pcm_oss.h b/include/sound/pcm_oss.h
index 760c969d885d..12bbf8c81112 100644
--- a/include/sound/pcm_oss.h
+++ b/include/sound/pcm_oss.h
@@ -57,6 +57,7 @@ struct snd_pcm_oss_runtime {
        char *buffer;                           /* vmallocated period */
        size_t buffer_used;                     /* used length from period buffer */
        struct mutex params_lock;
+        atomic_t rw_ref;                /* concurrent read/write accesses */
 #ifdef CONFIG_SND_PCM_OSS_PLUGINS
        struct snd_pcm_plugin *plugin_first;
        struct snd_pcm_plugin *plugin_last;
diff --git a/include/trace/events/clk.h b/include/trace/events/clk.h
index 758607226bfd..2cd449328aee 100644
--- a/include/trace/events/clk.h
+++ b/include/trace/events/clk.h
@@ -134,12 +134,12 @@ DECLARE_EVENT_CLASS(clk_parent,
        TP_STRUCT__entry(
                __string(        name,           core->name                )
-                __string(        pname,          parent->name              )
+                __string(        pname, parent ? parent->name : "none"     )
        ),
        TP_fast_assign(
                __assign_str(name, core->name);
-                __assign_str(pname, parent->name);
+                __assign_str(pname, parent ? parent->name : "none");
        ),
        TP_printk("%s %s", __get_str(name), __get_str(pname))
diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h
index 073b9ac245ba..e844556794dc 100644
--- a/include/trace/events/timer.h
+++ b/include/trace/events/timer.h
@@ -125,6 +125,20 @@ DEFINE_EVENT(timer_class, timer_cancel,
        TP_ARGS(timer)
 );
+#define decode_clockid(type)                                            \
+        __print_symbolic(type,                                          \
+                { CLOCK_REALTIME,       "CLOCK_REALTIME"        },      \
+                { CLOCK_MONOTONIC,      "CLOCK_MONOTONIC"       },      \
+                { CLOCK_BOOTTIME,       "CLOCK_BOOTTIME"        },      \
+                { CLOCK_TAI,            "CLOCK_TAI"             })
+#define decode_hrtimer_mode(mode)                                       \
+        __print_symbolic(mode,                                          \
+                { HRTIMER_MODE_ABS,             "ABS"           },      \
+                { HRTIMER_MODE_REL,             "REL"           },      \
+                { HRTIMER_MODE_ABS_PINNED,      "ABS|PINNED"    },      \
+                { HRTIMER_MODE_REL_PINNED,      "REL|PINNED"    })
 /**
 * hrtimer_init - called when the hrtimer is initialized
 * @hrtimer:    pointer to struct hrtimer
@@ -151,10 +165,8 @@ TRACE_EVENT(hrtimer_init,
        ),
        TP_printk("hrtimer=%p clockid=%s mode=%s", __entry->hrtimer,
-                  __entry->clockid == CLOCK_REALTIME ?
+                  decode_clockid(__entry->clockid),
-                        "CLOCK_REALTIME" : "CLOCK_MONOTONIC",
+                  decode_hrtimer_mode(__entry->mode))
-                  __entry->mode == HRTIMER_MODE_ABS ?
-                        "HRTIMER_MODE_ABS" : "HRTIMER_MODE_REL")
 );
 /**
diff --git a/include/trace/events/xen.h b/include/trace/events/xen.h
index bce990f5a35d..d6be935caa50 100644
--- a/include/trace/events/xen.h
+++ b/include/trace/events/xen.h
@@ -377,22 +377,6 @@ DECLARE_EVENT_CLASS(xen_mmu_pgd,
 DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_pin);
 DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_unpin);
-TRACE_EVENT(xen_mmu_flush_tlb_all,
-            TP_PROTO(int x),
-            TP_ARGS(x),
-            TP_STRUCT__entry(__array(char, x, 0)),
-            TP_fast_assign((void)x),
-            TP_printk("%s", "")
-        );
-TRACE_EVENT(xen_mmu_flush_tlb,
-            TP_PROTO(int x),
-            TP_ARGS(x),
-            TP_STRUCT__entry(__array(char, x, 0)),
-            TP_fast_assign((void)x),
-            TP_printk("%s", "")
-        );
 TRACE_EVENT(xen_mmu_flush_tlb_single,
            TP_PROTO(unsigned long addr),
            TP_ARGS(addr),
diff --git a/include/uapi/drm/virtgpu_drm.h b/include/uapi/drm/virtgpu_drm.h
index fc9e2d6e5e2f..232367124712 100644
--- a/include/uapi/drm/virtgpu_drm.h
+++ b/include/uapi/drm/virtgpu_drm.h
@@ -60,6 +60,7 @@ struct drm_virtgpu_execbuffer {
 };
 #define VIRTGPU_PARAM_3D_FEATURES 1 /* do we have 3D features in the hw */
+#define VIRTGPU_PARAM_CAPSET_QUERY_FIX 2 /* do we have the capset fix */
 struct drm_virtgpu_getparam {
        uint64_t param;
diff --git a/include/uapi/linux/eventpoll.h b/include/uapi/linux/eventpoll.h
index bc81fb2e1f0e..6f04cb419115 100644
--- a/include/uapi/linux/eventpoll.h
+++ b/include/uapi/linux/eventpoll.h
@@ -26,6 +26,19 @@
 #define EPOLL_CTL_DEL 2
 #define EPOLL_CTL_MOD 3
+/* Epoll event masks */
+#define EPOLLIN         0x00000001
+#define EPOLLPRI        0x00000002
+#define EPOLLOUT        0x00000004
+#define EPOLLERR        0x00000008
+#define EPOLLHUP        0x00000010
+#define EPOLLRDNORM     0x00000040
+#define EPOLLRDBAND     0x00000080
+#define EPOLLWRNORM     0x00000100
+#define EPOLLWRBAND     0x00000200
+#define EPOLLMSG        0x00000400
+#define EPOLLRDHUP      0x00002000
 /*
 * Request the handling of system wakeup events so as to prevent system suspends
 * from happening while those events are being processed.
diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h
index ea9221b0331a..064d2026ab38 100644
--- a/include/uapi/linux/if_ether.h
+++ b/include/uapi/linux/if_ether.h
@@ -29,6 +29,7 @@
 */
 #define ETH_ALEN        6               /* Octets in one ethernet addr   */
+#define ETH_TLEN        2               /* Octets in ethernet type field */
 #define ETH_HLEN        14              /* Total octets in header.       */
 #define ETH_ZLEN        60              /* Min. octets in frame sans FCS */
 #define ETH_DATA_LEN    1500            /* Max. octets in payload        */
diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
index 03f3618612aa..376d0ab5b9f2 100644
--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -831,6 +831,7 @@ struct kvm_ppc_smmu_info {
 #define KVM_CAP_GUEST_DEBUG_HW_WPS 120
 #define KVM_CAP_SPLIT_IRQCHIP 121
 #define KVM_CAP_IOEVENTFD_ANY_LENGTH 122
+#define KVM_CAP_S390_BPB 152
 #ifdef KVM_CAP_IRQ_ROUTING
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 1f0b4cf5dd03..d3aea4f10faf 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -2195,6 +2195,8 @@ enum nl80211_attrs {
 #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS
 #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS
+#define NL80211_WIPHY_NAME_MAXLEN               64
 #define NL80211_MAX_SUPP_RATES                  32
 #define NL80211_MAX_SUPP_HT_RATES               77
 #define NL80211_MAX_SUPP_REG_RULES              64
diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h
index 1becea86c73c..eb3c786afa70 100644
--- a/include/uapi/linux/pci_regs.h
+++ b/include/uapi/linux/pci_regs.h
@@ -106,7 +106,7 @@
 #define PCI_SUBSYSTEM_ID        0x2e
 #define PCI_ROM_ADDRESS         0x30    /* Bits 31..11 are address, 10..1 reserved */
 #define  PCI_ROM_ADDRESS_ENABLE 0x01
-#define PCI_ROM_ADDRESS_MASK    (~0x7ffUL)
+#define PCI_ROM_ADDRESS_MASK    (~0x7ffU)
 #define PCI_CAPABILITY_LIST     0x34    /* Offset of first capability list entry */
diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index a8d0759a9e40..64776b72e1eb 100644
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -197,4 +197,16 @@ struct prctl_mm_map {
 # define PR_CAP_AMBIENT_LOWER           3
 # define PR_CAP_AMBIENT_CLEAR_ALL       4
+/* Per task speculation control */
+#define PR_GET_SPECULATION_CTRL         52
+#define PR_SET_SPECULATION_CTRL         53
+/* Speculation control variants */
+# define PR_SPEC_STORE_BYPASS           0
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+# define PR_SPEC_NOT_AFFECTED           0
+# define PR_SPEC_PRCTL                  (1UL << 0)
+# define PR_SPEC_ENABLE                 (1UL << 1)
+# define PR_SPEC_DISABLE                (1UL << 2)
+# define PR_SPEC_FORCE_DISABLE          (1UL << 3)
 #endif /* _LINUX_PRCTL_H */
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
index 0f238a43ff1e..e4acb615792b 100644
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -15,7 +15,9 @@
 #define SECCOMP_SET_MODE_FILTER 1
 /* Valid flags for SECCOMP_SET_MODE_FILTER */
-#define SECCOMP_FILTER_FLAG_TSYNC       1
+#define SECCOMP_FILTER_FLAG_TSYNC       (1UL << 0)
+/* In v4.14+ SECCOMP_FILTER_FLAG_LOG is (1UL << 1) */
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW  (1UL << 2)
 /*
 * All BPF programs must return a 32-bit value.
diff --git a/include/uapi/linux/usb/audio.h b/include/uapi/linux/usb/audio.h
index d2314be4f0c0..19f9dc2c06f6 100644
--- a/include/uapi/linux/usb/audio.h
+++ b/include/uapi/linux/usb/audio.h
@@ -369,7 +369,7 @@ static inline __u8 uac_processing_unit_bControlSize(struct uac_processing_unit_d
 {
        return (protocol == UAC_VERSION_1) ?
                desc->baSourceID[desc->bNrInPins + 4] :
-                desc->baSourceID[desc->bNrInPins + 6];
+                2; /* in UAC2, this value is constant */
 }
 static inline __u8 *uac_processing_unit_bmControls(struct uac_processing_unit_descriptor *desc,
@@ -377,7 +377,7 @@ static inline __u8 *uac_processing_unit_bmControls(struct uac_processing_unit_de
 {
        return (protocol == UAC_VERSION_1) ?
                &desc->baSourceID[desc->bNrInPins + 5] :
-                &desc->baSourceID[desc->bNrInPins + 7];
+                &desc->baSourceID[desc->bNrInPins + 6];
 }
 static inline __u8 uac_processing_unit_iProcessing(struct uac_processing_unit_descriptor *desc,
diff --git a/init/Kconfig b/init/Kconfig
index e1d1d6936f92..9f9b1f6734b8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1308,6 +1308,17 @@ source "usr/Kconfig"
 endif
+choice
+        prompt "Compiler optimization level"
+        default CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE
+config CC_OPTIMIZE_FOR_PERFORMANCE
+        bool "Optimize for performance"
+        help
+          This is the default optimization level for the kernel, building
+          with the "-O2" compiler flag for best performance and most
+          helpful compile-time warnings.
 config CC_OPTIMIZE_FOR_SIZE
        bool "Optimize for size"
        help
@@ -1316,6 +1327,8 @@ config CC_OPTIMIZE_FOR_SIZE
          If unsure, say N.
+endchoice
 config SYSCTL
        bool
@@ -1556,6 +1569,13 @@ config BPF_SYSCALL
          Enable the bpf() system call that allows to manipulate eBPF
          programs and maps via file descriptors.
+config BPF_JIT_ALWAYS_ON
+        bool "Permanently enable BPF JIT and remove BPF interpreter"
+        depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
+        help
+          Enables BPF JIT and removes BPF interpreter to avoid
+          speculative execution of BPF instructions by the interpreter
 config SHMEM
        bool "Use full shmem filesystem" if EXPERT
        default y
diff --git a/ipc/msg.c b/ipc/msg.c
index c6521c205cb4..f993f441f852 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -742,7 +742,10 @@ static inline int convert_mode(long *msgtyp, int msgflg)
        if (*msgtyp == 0)
                return SEARCH_ANY;
        if (*msgtyp < 0) {
-                *msgtyp = -*msgtyp;
+                if (*msgtyp == LONG_MIN) /* -LONG_MIN is undefined */
+                        *msgtyp = LONG_MAX;
+                else
+                        *msgtyp = -*msgtyp;
                return SEARCH_LESSEQUAL;
        }
        if (msgflg & MSG_EXCEPT)
diff --git a/ipc/shm.c b/ipc/shm.c
index 4982a4e7f009..32974cfe5947 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -198,6 +198,12 @@ static int __shm_open(struct vm_area_struct *vma)
        if (IS_ERR(shp))
                return PTR_ERR(shp);
+        if (shp->shm_file != sfd->file) {
+                /* ID was reused */
+                shm_unlock(shp);
+                return -EINVAL;
+        }
        shp->shm_atim = get_seconds();
        shp->shm_lprid = task_tgid_vnr(current);
        shp->shm_nattch++;
@@ -414,8 +420,9 @@ static int shm_mmap(struct file *file, struct vm_area_struct *vma)
        int ret;
        /*
-         * In case of remap_file_pages() emulation, the file can represent
+         * In case of remap_file_pages() emulation, the file can represent an
-         * removed IPC ID: propogate shm_lock() error to caller.
+         * IPC ID that was removed, and possibly even reused by another shm
+         * segment already.  Propagate this case as an error to caller.
         */
        ret =__shm_open(vma);
        if (ret)
@@ -439,6 +446,7 @@ static int shm_release(struct inode *ino, struct file *file)
        struct shm_file_data *sfd = shm_file_data(file);
        put_ipc_ns(sfd->ns);
+        fput(sfd->file);
        shm_file_data(file) = NULL;
        kfree(sfd);
        return 0;
@@ -1105,14 +1113,17 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
                goto out;
        else if ((addr = (ulong)shmaddr)) {
                if (addr & (shmlba - 1)) {
-                        /*
+                        if (shmflg & SHM_RND) {
-                         * Round down to the nearest multiple of shmlba.
+                                addr &= ~(shmlba - 1);  /* round down */
-                         * For sane do_mmap_pgoff() parameters, avoid
-                         * round downs that trigger nil-page and MAP_FIXED.
+                                /*
-                         */
+                                 * Ensure that the round-down is non-nil
-                        if ((shmflg & SHM_RND) && addr >= shmlba)
+                                 * when remapping. This can happen for
-                                addr &= ~(shmlba - 1);
+                                 * cases when addr < shmlba.
-                        else
+                                 */
+                                if (!addr && (shmflg & SHM_REMAP))
+                                        goto out;
+                        } else
 #ifndef __ARCH_FORCE_SHMLBA
                                if (addr & ~PAGE_MASK)
 #endif
@@ -1198,7 +1209,16 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
        file->f_mapping = shp->shm_file->f_mapping;
        sfd->id = shp->shm_perm.id;
        sfd->ns = get_ipc_ns(ns);
-        sfd->file = shp->shm_file;
+        /*
+         * We need to take a reference to the real shm file to prevent the
+         * pointer from becoming stale in cases where the lifetime of the outer
+         * file extends beyond that of the shm segment.  It's not usually
+         * possible, but it can happen during remap_file_pages() emulation as
+         * that unmaps the memory, then does ->mmap() via file reference only.
+         * We'll deny the ->mmap() if the shm segment was since removed, but to
+         * detect shm ID reuse we need to compare the file pointers.
+         */
+        sfd->file = get_file(shp->shm_file);
        sfd->vm_ops = NULL;
        err = security_mmap_file(file, prot, flags);
diff --git a/kernel/async.c b/kernel/async.c
index 4c3773c0bf63..f1fd155abff6 100644
--- a/kernel/async.c
+++ b/kernel/async.c
@@ -84,20 +84,24 @@ static atomic_t entry_count;
 static async_cookie_t lowest_in_progress(struct async_domain *domain)
 {
-        struct list_head *pending;
+        struct async_entry *first = NULL;
        async_cookie_t ret = ASYNC_COOKIE_MAX;
        unsigned long flags;
        spin_lock_irqsave(&async_lock, flags);
-        if (domain)
+        if (domain) {
-                pending = &domain->pending;
+                if (!list_empty(&domain->pending))
-        else
+                        first = list_first_entry(&domain->pending,
-                pending = &async_global_pending;
+                                        struct async_entry, domain_list);
+        } else {
+                if (!list_empty(&async_global_pending))
+                        first = list_first_entry(&async_global_pending,
+                                        struct async_entry, global_list);
+        }
-        if (!list_empty(pending))
+        if (first)
-                ret = list_first_entry(pending, struct async_entry,
+                ret = first->cookie;
-                                       domain_list)->cookie;
        spin_unlock_irqrestore(&async_lock, flags);
        return ret;
diff --git a/kernel/audit.c b/kernel/audit.c
index 41f9a38bb800..bdf0cf463815 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -64,7 +64,6 @@
 #include <linux/security.h>
 #endif
 #include <linux/freezer.h>
-#include <linux/tty.h>
 #include <linux/pid_namespace.h>
 #include <net/netns/generic.h>
@@ -745,6 +744,8 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
                return;
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+        if (!ab)
+                return;
        audit_log_task_info(ab, current);
        audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
                         audit_feature_names[which], !!old_feature, !!new_feature,
@@ -1876,21 +1877,14 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
 {
        const struct cred *cred;
        char comm[sizeof(tsk->comm)];
-        char *tty;
+        struct tty_struct *tty;
        if (!ab)
                return;
        /* tsk == current */
        cred = current_cred();
+        tty = audit_get_tty(tsk);
-        spin_lock_irq(&tsk->sighand->siglock);
-        if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
-                tty = tsk->signal->tty->name;
-        else
-                tty = "(none)";
-        spin_unlock_irq(&tsk->sighand->siglock);
        audit_log_format(ab,
                         " ppid=%d pid=%d auid=%u uid=%u gid=%u"
                         " euid=%u suid=%u fsuid=%u"
@@ -1906,11 +1900,11 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
                         from_kgid(&init_user_ns, cred->egid),
                         from_kgid(&init_user_ns, cred->sgid),
                         from_kgid(&init_user_ns, cred->fsgid),
-                         tty, audit_get_sessionid(tsk));
+                         tty ? tty_name(tty) : "(none)",
+                         audit_get_sessionid(tsk));
+        audit_put_tty(tty);
        audit_log_format(ab, " comm=");
        audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
        audit_log_d_path_exe(ab, tsk->mm);
        audit_log_task_context(ab);
 }
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b8ff9e193753..b57f929f1b46 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -406,7 +406,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
                        return -EINVAL;
                break;
        case AUDIT_EXE:
-                if (f->op != Audit_equal)
+                if (f->op != Audit_not_equal && f->op != Audit_equal)
                        return -EINVAL;
                if (entry->rule.listnr != AUDIT_FILTER_EXIT)
                        return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 48f45987dc6c..0fe8b337291a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -470,6 +470,8 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_EXE:
                        result = audit_exe_compare(tsk, rule->exe);
+                        if (f->op == Audit_not_equal)
+                                result = !result;
                        break;
                case AUDIT_UID:
                        result = audit_uid_comparator(cred->uid, f->op, f->uid);
@@ -1976,21 +1978,26 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
 {
        struct audit_buffer *ab;
        uid_t uid, oldloginuid, loginuid;
+        struct tty_struct *tty;
        if (!audit_enabled)
                return;
+        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+        if (!ab)
+                return;
        uid = from_kuid(&init_user_ns, task_uid(current));
        oldloginuid = from_kuid(&init_user_ns, koldloginuid);
        loginuid = from_kuid(&init_user_ns, kloginuid),
+        tty = audit_get_tty(current);
-        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
-        if (!ab)
-                return;
        audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
        audit_log_task_context(ab);
-        audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
+        audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
-                         oldloginuid, loginuid, oldsessionid, sessionid, !rc);
+                         oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
+                         oldsessionid, sessionid, !rc);
+        audit_put_tty(tty);
        audit_log_end(ab);
 }
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 3608fa1aec8a..0eb11b4ac4c7 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -102,7 +102,7 @@ static void *array_map_lookup_elem(struct bpf_map *map, void *key)
 static int array_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
 {
        struct bpf_array *array = container_of(map, struct bpf_array, map);
-        u32 index = *(u32 *)key;
+        u32 index = key ? *(u32 *)key : U32_MAX;
        u32 *next = (u32 *)next_key;
        if (index >= array->map.max_entries) {
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 3fd76cf0c21e..eb52d11fdaa7 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -256,6 +256,7 @@ noinline u64 __bpf_call_base(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
 }
 EXPORT_SYMBOL_GPL(__bpf_call_base);
+#ifndef CONFIG_BPF_JIT_ALWAYS_ON
 /**
 *      __bpf_prog_run - run eBPF program on a given context
 *      @ctx: is the data we are operating on
@@ -443,7 +444,7 @@ select_insn:
                DST = tmp;
                CONT;
        ALU_MOD_X:
-                if (unlikely(SRC == 0))
+                if (unlikely((u32)SRC == 0))
                        return 0;
                tmp = (u32) DST;
                DST = do_div(tmp, (u32) SRC);
@@ -462,7 +463,7 @@ select_insn:
                DST = div64_u64(DST, SRC);
                CONT;
        ALU_DIV_X:
-                if (unlikely(SRC == 0))
+                if (unlikely((u32)SRC == 0))
                        return 0;
                tmp = (u32) DST;
                do_div(tmp, (u32) SRC);
@@ -517,7 +518,7 @@ select_insn:
                struct bpf_map *map = (struct bpf_map *) (unsigned long) BPF_R2;
                struct bpf_array *array = container_of(map, struct bpf_array, map);
                struct bpf_prog *prog;
-                u64 index = BPF_R3;
+                u32 index = BPF_R3;
                if (unlikely(index >= array->map.max_entries))
                        goto out;
@@ -725,6 +726,13 @@ load_byte:
                return 0;
 }
+#else
+static unsigned int __bpf_prog_ret0(void *ctx, const struct bpf_insn *insn)
+{
+        return 0;
+}
+#endif
 bool bpf_prog_array_compatible(struct bpf_array *array,
                               const struct bpf_prog *fp)
 {
@@ -771,9 +779,23 @@ static int bpf_check_tail_call(const struct bpf_prog *fp)
 */
 int bpf_prog_select_runtime(struct bpf_prog *fp)
 {
+#ifndef CONFIG_BPF_JIT_ALWAYS_ON
        fp->bpf_func = (void *) __bpf_prog_run;
+#else
+        fp->bpf_func = (void *) __bpf_prog_ret0;
+#endif
+        /* eBPF JITs can rewrite the program in case constant
+         * blinding is active. However, in case of error during
+         * blinding, bpf_int_jit_compile() must always return a
+         * valid program, which in this case would simply not
+         * be JITed, but falls back to the interpreter.
+         */
        bpf_int_jit_compile(fp);
+#ifdef CONFIG_BPF_JIT_ALWAYS_ON
+        if (!fp->jited)
+                return -ENOTSUPP;
+#endif
        bpf_prog_lock_ro(fp);
        /* The tail call compatibility check can only be done at
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 34777b3746fa..a35abe048239 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -169,12 +169,15 @@ static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
        struct hlist_head *head;
        struct htab_elem *l, *next_l;
        u32 hash, key_size;
-        int i;
+        int i = 0;
        WARN_ON_ONCE(!rcu_read_lock_held());
        key_size = map->key_size;
+        if (!key)
+                goto find_first_elem;
        hash = htab_map_hash(key, key_size);
        head = select_bucket(htab, hash);
@@ -182,10 +185,8 @@ static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
        /* lookup the key */
        l = lookup_elem_raw(head, hash, key, key_size);
-        if (!l) {
+        if (!l)
-                i = 0;
                goto find_first_elem;
-        }
        /* key was found, get next key in the same bucket */
        next_l = hlist_entry_safe(rcu_dereference_raw(hlist_next_rcu(&l->hash_node)),
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 424accd20c2d..4b9bbfe764e8 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -390,14 +390,18 @@ static int map_get_next_key(union bpf_attr *attr)
        if (IS_ERR(map))
                return PTR_ERR(map);
-        err = -ENOMEM;
+        if (ukey) {
-        key = kmalloc(map->key_size, GFP_USER);
+                err = -ENOMEM;
-        if (!key)
+                key = kmalloc(map->key_size, GFP_USER);
-                goto err_put;
+                if (!key)
+                        goto err_put;
-        err = -EFAULT;
-        if (copy_from_user(key, ukey, map->key_size) != 0)
+                err = -EFAULT;
-                goto free_key;
+                if (copy_from_user(key, ukey, map->key_size) != 0)
+                        goto free_key;
+        } else {
+                key = NULL;
+        }
        err = -ENOMEM;
        next_key = kmalloc(map->key_size, GFP_USER);
@@ -673,7 +677,7 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
        union bpf_attr attr = {};
        int err;
-        if (!capable(CAP_SYS_ADMIN) && sysctl_unprivileged_bpf_disabled)
+        if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
                return -EPERM;
        if (!access_ok(VERIFY_READ, uattr, 1))
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 014c2d759916..35dfa9e9d69e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -191,6 +191,7 @@ struct bpf_insn_aux_data {
                enum bpf_reg_type ptr_type;     /* pointer type for load/store insns */
                struct bpf_map *map_ptr;        /* pointer for call insn into lookup_elem */
        };
+        bool seen; /* this insn was processed by the verifier */
 };
 #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
@@ -682,6 +683,13 @@ static bool is_pointer_value(struct verifier_env *env, int regno)
        }
 }
+static bool is_ctx_reg(struct verifier_env *env, int regno)
+{
+        const struct reg_state *reg = &env->cur_state.regs[regno];
+        return reg->type == PTR_TO_CTX;
+}
 /* check whether memory at (regno + off) is accessible for t = (read | write)
 * if t==write, value_regno is a register which value is stored into memory
 * if t==read, value_regno is a register which will receive the value from memory
@@ -778,6 +786,12 @@ static int check_xadd(struct verifier_env *env, struct bpf_insn *insn)
                return -EACCES;
        }
+        if (is_ctx_reg(env, insn->dst_reg)) {
+                verbose("BPF_XADD stores into R%d context is not allowed\n",
+                        insn->dst_reg);
+                return -EACCES;
+        }
        /* check whether atomic_add can read the memory */
        err = check_mem_access(env, insn->dst_reg, insn->off,
                               BPF_SIZE(insn->code), BPF_READ, -1);
@@ -1121,7 +1135,8 @@ static int check_alu_op(struct verifier_env *env, struct bpf_insn *insn)
                                regs[insn->dst_reg].type = UNKNOWN_VALUE;
                                regs[insn->dst_reg].map_ptr = NULL;
                        }
-                } else {
+                } else if (BPF_CLASS(insn->code) == BPF_ALU64 ||
+                           insn->imm >= 0) {
                        /* case: R = imm
                         * remember the value we stored into this reg
                         */
@@ -1164,6 +1179,11 @@ static int check_alu_op(struct verifier_env *env, struct bpf_insn *insn)
                        return -EINVAL;
                }
+                if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) {
+                        verbose("BPF_ARSH not supported for 32 bit ALU\n");
+                        return -EINVAL;
+                }
                if ((opcode == BPF_LSH || opcode == BPF_RSH ||
                     opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
                        int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
@@ -1793,6 +1813,7 @@ static int do_check(struct verifier_env *env)
                        print_bpf_insn(env, insn);
                }
+                env->insn_aux_data[insn_idx].seen = true;
                if (class == BPF_ALU || class == BPF_ALU64) {
                        err = check_alu_op(env, insn);
                        if (err)
@@ -1902,6 +1923,12 @@ static int do_check(struct verifier_env *env)
                        if (err)
                                return err;
+                        if (is_ctx_reg(env, insn->dst_reg)) {
+                                verbose("BPF_ST stores into R%d context is not allowed\n",
+                                        insn->dst_reg);
+                                return -EACCES;
+                        }
                        /* check that memory (dst_reg + off) is writeable */
                        err = check_mem_access(env, insn->dst_reg, insn->off,
                                               BPF_SIZE(insn->code), BPF_WRITE,
@@ -1988,6 +2015,7 @@ process_bpf_exit:
                                        return err;
                                insn_idx++;
+                                env->insn_aux_data[insn_idx].seen = true;
                        } else {
                                verbose("invalid BPF_LD mode\n");
                                return -EINVAL;
@@ -2073,7 +2101,7 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
                        /* hold the map. If the program is rejected by verifier,
                         * the map will be released by release_maps() or it
                         * will be used by the valid program until it's unloaded
-                         * and all maps are released in free_bpf_prog_info()
+                         * and all maps are released in free_used_maps()
                         */
                        map = bpf_map_inc(map, false);
                        if (IS_ERR(map)) {
@@ -2125,6 +2153,7 @@ static int adjust_insn_aux_data(struct verifier_env *env, u32 prog_len,
                                u32 off, u32 cnt)
 {
        struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
+        int i;
        if (cnt == 1)
                return 0;
@@ -2134,6 +2163,8 @@ static int adjust_insn_aux_data(struct verifier_env *env, u32 prog_len,
        memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
        memcpy(new_data + off + cnt - 1, old_data + off,
               sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
+        for (i = off; i < off + cnt - 1; i++)
+                new_data[i].seen = true;
        env->insn_aux_data = new_data;
        vfree(old_data);
        return 0;
@@ -2152,6 +2183,25 @@ static struct bpf_prog *bpf_patch_insn_data(struct verifier_env *env, u32 off,
        return new_prog;
 }
+/* The verifier does more data flow analysis than llvm and will not explore
+ * branches that are dead at run time. Malicious programs can have dead code
+ * too. Therefore replace all dead at-run-time code with nops.
+ */
+static void sanitize_dead_code(struct verifier_env *env)
+{
+        struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
+        struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0);
+        struct bpf_insn *insn = env->prog->insnsi;
+        const int insn_cnt = env->prog->len;
+        int i;
+        for (i = 0; i < insn_cnt; i++) {
+                if (aux_data[i].seen)
+                        continue;
+                memcpy(insn + i, &nop, sizeof(nop));
+        }
+}
 /* convert load instructions that access fields of 'struct __sk_buff'
 * into sequence of instructions that access fields of 'struct sk_buff'
 */
@@ -2218,6 +2268,24 @@ static int fixup_bpf_calls(struct verifier_env *env)
        int i, cnt, delta = 0;
        for (i = 0; i < insn_cnt; i++, insn++) {
+                if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
+                    insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
+                        /* due to JIT bugs clear upper 32-bits of src register
+                         * before div/mod operation
+                         */
+                        insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg);
+                        insn_buf[1] = *insn;
+                        cnt = 2;
+                        new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+                        if (!new_prog)
+                                return -ENOMEM;
+                        delta    += cnt - 1;
+                        env->prog = prog = new_prog;
+                        insn      = new_prog->insnsi + i + delta;
+                        continue;
+                }
                if (insn->code != (BPF_JMP | BPF_CALL))
                        continue;
@@ -2371,6 +2439,9 @@ skip_full_check:
        free_states(env);
        if (ret == 0)
+                sanitize_dead_code(env);
+        if (ret == 0)
                /* program is valid, convert *(u32*)(ctx + off) accesses */
                ret = convert_ctx_accesses(env);
@@ -2416,7 +2487,7 @@ free_log_buf:
                vfree(log_buf);
        if (!env->prog->aux->used_maps)
                /* if we didn't copy map pointers into bpf_prog_info, release
-                 * them now. Otherwise free_bpf_prog_info() will release them.
+                 * them now. Otherwise free_used_maps() will release them.
                 */
                release_maps(env);
        *prog = env->prog;
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
index 4121345498e0..ebc52c7bd8a6 100644
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -1564,6 +1564,7 @@ static int kdb_md(int argc, const char **argv)
        int symbolic = 0;
        int valid = 0;
        int phys = 0;
+        int raw = 0;
        kdbgetintenv("MDCOUNT", &mdcount);
        kdbgetintenv("RADIX", &radix);
@@ -1573,9 +1574,10 @@ static int kdb_md(int argc, const char **argv)
        repeat = mdcount * 16 / bytesperword;
        if (strcmp(argv[0], "mdr") == 0) {
-                if (argc != 2)
+                if (argc == 2 || (argc == 0 && last_addr != 0))
+                        valid = raw = 1;
+                else
                        return KDB_ARGCOUNT;
-                valid = 1;
        } else if (isdigit(argv[0][2])) {
                bytesperword = (int)(argv[0][2] - '0');
                if (bytesperword == 0) {
@@ -1611,7 +1613,10 @@ static int kdb_md(int argc, const char **argv)
                radix = last_radix;
                bytesperword = last_bytesperword;
                repeat = last_repeat;
-                mdcount = ((repeat * bytesperword) + 15) / 16;
+                if (raw)
+                        mdcount = repeat;
+                else
+                        mdcount = ((repeat * bytesperword) + 15) / 16;
        }
        if (argc) {
@@ -1628,7 +1633,10 @@ static int kdb_md(int argc, const char **argv)
                        diag = kdbgetularg(argv[nextarg], &val);
                        if (!diag) {
                                mdcount = (int) val;
-                                repeat = mdcount * 16 / bytesperword;
+                                if (raw)
+                                        repeat = mdcount;
+                                else
+                                        repeat = mdcount * 16 / bytesperword;
                        }
                }
                if (argc >= nextarg+1) {
@@ -1638,8 +1646,15 @@ static int kdb_md(int argc, const char **argv)
                }
        }
-        if (strcmp(argv[0], "mdr") == 0)
+        if (strcmp(argv[0], "mdr") == 0) {
-                return kdb_mdr(addr, mdcount);
+                int ret;
+                last_addr = addr;
+                ret = kdb_mdr(addr, mdcount);
+                last_addr += mdcount;
+                last_repeat = mdcount;
+                last_bytesperword = bytesperword; // to make REPEAT happy
+                return ret;
+        }
        switch (radix) {
        case 10:
diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c
index 9c418002b8c1..75f835d353db 100644
--- a/kernel/events/callchain.c
+++ b/kernel/events/callchain.c
@@ -107,14 +107,8 @@ int get_callchain_buffers(void)
                goto exit;
        }
-        if (count > 1) {
+        if (count == 1)
-                /* If the allocation failed, give up */
+                err = alloc_callchain_buffers();
-                if (!callchain_cpus_entries)
-                        err = -ENOMEM;
-                goto exit;
-        }
-        err = alloc_callchain_buffers();
 exit:
        if (err)
                atomic_dec(&nr_callchain_events);
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 936419f24652..0d800be8959a 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -229,7 +229,7 @@ int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
                                void __user *buffer, size_t *lenp,
                                loff_t *ppos)
 {
-        int ret = proc_dointvec(table, write, buffer, lenp, ppos);
+        int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
        if (ret || !write)
                return ret;
@@ -419,9 +419,15 @@ static inline void __update_cgrp_time(struct perf_cgroup *cgrp)
 static inline void update_cgrp_time_from_cpuctx(struct perf_cpu_context *cpuctx)
 {
-        struct perf_cgroup *cgrp_out = cpuctx->cgrp;
+        struct perf_cgroup *cgrp = cpuctx->cgrp;
-        if (cgrp_out)
+        struct cgroup_subsys_state *css;
-                __update_cgrp_time(cgrp_out);
+        if (cgrp) {
+                for (css = &cgrp->css; css; css = css->parent) {
+                        cgrp = container_of(css, struct perf_cgroup, css);
+                        __update_cgrp_time(cgrp);
+                }
+        }
 }
 static inline void update_cgrp_time_from_event(struct perf_event *event)
@@ -449,6 +455,7 @@ perf_cgroup_set_timestamp(struct task_struct *task,
 {
        struct perf_cgroup *cgrp;
        struct perf_cgroup_info *info;
+        struct cgroup_subsys_state *css;
        /*
         * ctx->lock held by caller
@@ -459,8 +466,12 @@ perf_cgroup_set_timestamp(struct task_struct *task,
                return;
        cgrp = perf_cgroup_from_task(task, ctx);
-        info = this_cpu_ptr(cgrp->info);
-        info->timestamp = ctx->timestamp;
+        for (css = &cgrp->css; css; css = css->parent) {
+                cgrp = container_of(css, struct perf_cgroup, css);
+                info = this_cpu_ptr(cgrp->info);
+                info->timestamp = ctx->timestamp;
+        }
 }
 #define PERF_CGROUP_SWOUT       0x1 /* cgroup switch out every event */
@@ -5322,9 +5333,6 @@ static void perf_output_read_one(struct perf_output_handle *handle,
        __output_copy(handle, values, n * sizeof(u64));
 }
-/*
- * XXX PERF_FORMAT_GROUP vs inherited events seems difficult.
- */
 static void perf_output_read_group(struct perf_output_handle *handle,
                            struct perf_event *event,
                            u64 enabled, u64 running)
@@ -5342,7 +5350,8 @@ static void perf_output_read_group(struct perf_output_handle *handle,
        if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING)
                values[n++] = running;
-        if (leader != event)
+        if ((leader != event) &&
+            (leader->state == PERF_EVENT_STATE_ACTIVE))
                leader->pmu->read(leader);
        values[n++] = perf_event_count(leader);
@@ -5369,6 +5378,13 @@ static void perf_output_read_group(struct perf_output_handle *handle,
 #define PERF_FORMAT_TOTAL_TIMES (PERF_FORMAT_TOTAL_TIME_ENABLED|\
                                 PERF_FORMAT_TOTAL_TIME_RUNNING)
+/*
+ * XXX PERF_SAMPLE_READ vs inherited events seems difficult.
+ *
+ * The problem is that its both hard and excessively expensive to iterate the
+ * child list, not to mention that its impossible to IPI the children running
+ * on another CPU, from interrupt/NMI context.
+ */
 static void perf_output_read(struct perf_output_handle *handle,
                             struct perf_event *event)
 {
@@ -8093,9 +8109,10 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
        local64_set(&hwc->period_left, hwc->sample_period);
        /*
-         * we currently do not support PERF_FORMAT_GROUP on inherited events
+         * We currently do not support PERF_SAMPLE_READ on inherited events.
+         * See perf_output_read().
         */
-        if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP))
+        if (attr->inherit && (attr->sample_type & PERF_SAMPLE_READ))
                goto err_ns;
        if (!has_branch_stack(event))
@@ -8263,9 +8280,9 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
                 * __u16 sample size limit.
                 */
                if (attr->sample_stack_user >= USHRT_MAX)
-                        ret = -EINVAL;
+                        return -EINVAL;
                else if (!IS_ALIGNED(attr->sample_stack_user, sizeof(u64)))
-                        ret = -EINVAL;
+                        return -EINVAL;
        }
        if (attr->sample_type & PERF_SAMPLE_REGS_INTR)
diff --git a/kernel/events/hw_breakpoint.c b/kernel/events/hw_breakpoint.c
index 92ce5f4ccc26..a27245fdcd81 100644
--- a/kernel/events/hw_breakpoint.c
+++ b/kernel/events/hw_breakpoint.c
@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_breakpoint);
 * modify_user_hw_breakpoint - modify a user-space hardware breakpoint
 * @bp: the breakpoint structure to modify
 * @attr: new breakpoint attributes
- * @triggered: callback to trigger when we hit the breakpoint
- * @tsk: pointer to 'task_struct' of the process to which the address belongs
 */
 int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr)
 {
-        u64 old_addr = bp->attr.bp_addr;
-        u64 old_len = bp->attr.bp_len;
-        int old_type = bp->attr.bp_type;
-        int err = 0;
        /*
         * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it
         * will not be possible to raise IPIs that invoke __perf_event_disable.
@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *att
        bp->attr.bp_addr = attr->bp_addr;
        bp->attr.bp_type = attr->bp_type;
        bp->attr.bp_len = attr->bp_len;
+        bp->attr.disabled = 1;
-        if (attr->disabled)
+        if (!attr->disabled) {
-                goto end;
+                int err = validate_hw_breakpoint(bp);
-        err = validate_hw_breakpoint(bp);
-        if (!err)
-                perf_event_enable(bp);
-        if (err) {
+                if (err)
-                bp->attr.bp_addr = old_addr;
+                        return err;
-                bp->attr.bp_type = old_type;
-                bp->attr.bp_len = old_len;
-                if (!bp->attr.disabled)
-                        perf_event_enable(bp);
-                return err;
+                perf_event_enable(bp);
+                bp->attr.disabled = 0;
        }
-end:
-        bp->attr.disabled = attr->disabled;
        return 0;
 }
 EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint);
diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index 8c60a4eb4080..f4b9a369c8c3 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -14,6 +14,7 @@
 #include <linux/slab.h>
 #include <linux/circ_buf.h>
 #include <linux/poll.h>
+#include <linux/nospec.h>
 #include "internal.h"
@@ -781,8 +782,10 @@ perf_mmap_to_page(struct ring_buffer *rb, unsigned long pgoff)
                        return NULL;
                /* AUX space */
-                if (pgoff >= rb->aux_pgoff)
+                if (pgoff >= rb->aux_pgoff) {
-                        return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]);
+                        int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages);
+                        return virt_to_page(rb->aux_pages[aux_pgoff]);
+                }
        }
        return __perf_mmap_to_page(rb, pgoff);
diff --git a/kernel/exit.c b/kernel/exit.c
index ffba5df4abd5..f20e6339761b 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1608,6 +1608,10 @@ SYSCALL_DEFINE4(wait4, pid_t, upid, int __user *, stat_addr,
                        __WNOTHREAD|__WCLONE|__WALL))
                return -EINVAL;
+        /* -INT_MIN is not defined */
+        if (upid == INT_MIN)
+                return -ESRCH;
        if (upid == -1)
                type = PIDTYPE_MAX;
        else if (upid < 0) {
diff --git a/kernel/futex.c b/kernel/futex.c
index a09c1dd1f659..aedb36c0fd92 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -470,6 +470,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
        unsigned long address = (unsigned long)uaddr;
        struct mm_struct *mm = current->mm;
        struct page *page, *page_head;
+        struct address_space *mapping;
        int err, ro = 0;
        /*
@@ -555,7 +556,19 @@ again:
        }
 #endif
-        lock_page(page_head);
+        /*
+         * The treatment of mapping from this point on is critical. The page
+         * lock protects many things but in this context the page lock
+         * stabilizes mapping, prevents inode freeing in the shared
+         * file-backed region case and guards against movement to swap cache.
+         *
+         * Strictly speaking the page lock is not needed in all cases being
+         * considered here and page lock forces unnecessarily serialization
+         * From this point on, mapping will be re-verified if necessary and
+         * page lock will be acquired only if it is unavoidable
+         */
+        mapping = READ_ONCE(page_head->mapping);
        /*
         * If page_head->mapping is NULL, then it cannot be a PageAnon
@@ -572,18 +585,31 @@ again:
         * shmem_writepage move it from filecache to swapcache beneath us:
         * an unlikely race, but we do need to retry for page_head->mapping.
         */
-        if (!page_head->mapping) {
+        if (unlikely(!mapping)) {
-                int shmem_swizzled = PageSwapCache(page_head);
+                int shmem_swizzled;
+                /*
+                 * Page lock is required to identify which special case above
+                 * applies. If this is really a shmem page then the page lock
+                 * will prevent unexpected transitions.
+                 */
+                lock_page(page);
+                shmem_swizzled = PageSwapCache(page) || page->mapping;
                unlock_page(page_head);
                put_page(page_head);
                if (shmem_swizzled)
                        goto again;
                return -EFAULT;
        }
        /*
         * Private mappings are handled in a simple way.
         *
+         * If the futex key is stored on an anonymous page, then the associated
+         * object is the mm which is implicitly pinned by the calling process.
+         *
         * NOTE: When userspace waits on a MAP_SHARED mapping, even if
         * it's a read-only handle, it's expected that futexes attach to
         * the object not the particular process.
@@ -601,16 +627,75 @@ again:
                key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */
                key->private.mm = mm;
                key->private.address = address;
+                get_futex_key_refs(key); /* implies smp_mb(); (B) */
        } else {
+                struct inode *inode;
+                /*
+                 * The associated futex object in this case is the inode and
+                 * the page->mapping must be traversed. Ordinarily this should
+                 * be stabilised under page lock but it's not strictly
+                 * necessary in this case as we just want to pin the inode, not
+                 * update the radix tree or anything like that.
+                 *
+                 * The RCU read lock is taken as the inode is finally freed
+                 * under RCU. If the mapping still matches expectations then the
+                 * mapping->host can be safely accessed as being a valid inode.
+                 */
+                rcu_read_lock();
+                if (READ_ONCE(page_head->mapping) != mapping) {
+                        rcu_read_unlock();
+                        put_page(page_head);
+                        goto again;
+                }
+                inode = READ_ONCE(mapping->host);
+                if (!inode) {
+                        rcu_read_unlock();
+                        put_page(page_head);
+                        goto again;
+                }
+                /*
+                 * Take a reference unless it is about to be freed. Previously
+                 * this reference was taken by ihold under the page lock
+                 * pinning the inode in place so i_lock was unnecessary. The
+                 * only way for this check to fail is if the inode was
+                 * truncated in parallel which is almost certainly an
+                 * application bug. In such a case, just retry.
+                 *
+                 * We are not calling into get_futex_key_refs() in file-backed
+                 * cases, therefore a successful atomic_inc return below will
+                 * guarantee that get_futex_key() will still imply smp_mb(); (B).
+                 */
+                if (!atomic_inc_not_zero(&inode->i_count)) {
+                        rcu_read_unlock();
+                        put_page(page_head);
+                        goto again;
+                }
+                /* Should be impossible but lets be paranoid for now */
+                if (WARN_ON_ONCE(inode->i_mapping != mapping)) {
+                        err = -EFAULT;
+                        rcu_read_unlock();
+                        iput(inode);
+                        goto out;
+                }
                key->both.offset |= FUT_OFF_INODE; /* inode-based key */
-                key->shared.inode = page_head->mapping->host;
+                key->shared.inode = inode;
                key->shared.pgoff = basepage_index(page);
+                rcu_read_unlock();
        }
-        get_futex_key_refs(key); /* implies MB (B) */
 out:
-        unlock_page(page_head);
        put_page(page_head);
        return err;
 }
@@ -1368,6 +1453,45 @@ out:
        return ret;
 }
+static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
+{
+        unsigned int op =         (encoded_op & 0x70000000) >> 28;
+        unsigned int cmp =        (encoded_op & 0x0f000000) >> 24;
+        int oparg = sign_extend32((encoded_op & 0x00fff000) >> 12, 11);
+        int cmparg = sign_extend32(encoded_op & 0x00000fff, 11);
+        int oldval, ret;
+        if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
+                if (oparg < 0 || oparg > 31)
+                        return -EINVAL;
+                oparg = 1 << oparg;
+        }
+        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+                return -EFAULT;
+        ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
+        if (ret)
+                return ret;
+        switch (cmp) {
+        case FUTEX_OP_CMP_EQ:
+                return oldval == cmparg;
+        case FUTEX_OP_CMP_NE:
+                return oldval != cmparg;
+        case FUTEX_OP_CMP_LT:
+                return oldval < cmparg;
+        case FUTEX_OP_CMP_GE:
+                return oldval >= cmparg;
+        case FUTEX_OP_CMP_LE:
+                return oldval <= cmparg;
+        case FUTEX_OP_CMP_GT:
+                return oldval > cmparg;
+        default:
+                return -ENOSYS;
+        }
+}
 /*
 * Wake up all waiters hashed on the physical page that is mapped
 * to this virtual address:
diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
index a079ed14f230..0df2b44dac7c 100644
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -836,7 +836,7 @@ irq_thread_check_affinity(struct irq_desc *desc, struct irqaction *action)
         * This code is triggered unconditionally. Check the affinity
         * mask pointer. For CPU_MASK_OFFSTACK=n this is optimized out.
         */
-        if (desc->irq_common_data.affinity)
+        if (cpumask_available(desc->irq_common_data.affinity))
                cpumask_copy(mask, desc->irq_common_data.affinity);
        else
                valid = false;
@@ -1012,6 +1012,13 @@ static int irq_setup_forced_threading(struct irqaction *new)
        if (new->flags & (IRQF_NO_THREAD | IRQF_PERCPU | IRQF_ONESHOT))
                return 0;
+        /*
+         * No further action required for interrupts which are requested as
+         * threaded interrupts already
+         */
+        if (new->handler == irq_default_primary_handler)
+                return 0;
        new->flags |= IRQF_ONESHOT;
        /*
@@ -1019,7 +1026,7 @@ static int irq_setup_forced_threading(struct irqaction *new)
         * thread handler. We force thread them as well by creating a
         * secondary action.
         */
-        if (new->handler != irq_default_primary_handler && new->thread_fn) {
+        if (new->handler && new->thread_fn) {
                /* Allocate the secondary action */
                new->secondary = kzalloc(sizeof(struct irqaction), GFP_KERNEL);
                if (!new->secondary)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 695763516908..bbe9dd0886bd 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -125,7 +125,7 @@ static void *alloc_insn_page(void)
        return module_alloc(PAGE_SIZE);
 }
-static void free_insn_page(void *page)
+void __weak free_insn_page(void *page)
 {
        module_memfree(page);
 }
diff --git a/kernel/locking/qspinlock.c b/kernel/locking/qspinlock.c
index 8173bc7fec92..3b40c8809e52 100644
--- a/kernel/locking/qspinlock.c
+++ b/kernel/locking/qspinlock.c
@@ -423,6 +423,14 @@ queue:
        tail = encode_tail(smp_processor_id(), idx);
        node += idx;
+        /*
+         * Ensure that we increment the head node->count before initialising
+         * the actual node. If the compiler is kind enough to reorder these
+         * stores, then an IRQ could overwrite our assignments.
+         */
+        barrier();
        node->locked = 0;
        node->next = NULL;
        pv_init_node(node);
diff --git a/kernel/module.c b/kernel/module.c
index 0a56098d3738..aa81f41f2b19 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2869,6 +2869,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
        return mod;
 }
+static void check_modinfo_retpoline(struct module *mod, struct load_info *info)
+{
+        if (retpoline_module_ok(get_modinfo(info, "retpoline")))
+                return;
+        pr_warn("%s: loading module not compiled with retpoline compiler.\n",
+                mod->name);
+}
 static int check_modinfo(struct module *mod, struct load_info *info, int flags)
 {
        const char *modmagic = get_modinfo(info, "vermagic");
@@ -2895,6 +2904,8 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
                add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
        }
+        check_modinfo_retpoline(mod, info);
        if (get_modinfo(info, "staging")) {
                add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
                pr_warn("%s: module is from the staging directory, the quality "
diff --git a/kernel/pid.c b/kernel/pid.c
index b17263be9082..5fe7cdb6d05f 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -322,8 +322,10 @@ struct pid *alloc_pid(struct pid_namespace *ns)
        }
        if (unlikely(is_child_reaper(pid))) {
-                if (pid_ns_prepare_proc(ns))
+                if (pid_ns_prepare_proc(ns)) {
+                        disable_pid_allocation(ns);
                        goto out_free;
+                }
        }
        get_pid_ns(ns);
diff --git a/kernel/power/power.h b/kernel/power/power.h
index efe1b3b17c88..9557977f58b2 100644
--- a/kernel/power/power.h
+++ b/kernel/power/power.h
@@ -94,9 +94,6 @@ extern int in_suspend;
 extern dev_t swsusp_resume_device;
 extern sector_t swsusp_resume_block;
-extern asmlinkage int swsusp_arch_suspend(void);
-extern asmlinkage int swsusp_arch_resume(void);
 extern int create_basic_memory_bitmaps(void);
 extern void free_basic_memory_bitmaps(void);
 extern int hibernate_preallocate_memory(void);
diff --git a/kernel/power/user.c b/kernel/power/user.c
index 526e8911460a..f83c1876b39c 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -184,6 +184,11 @@ static ssize_t snapshot_write(struct file *filp, const char __user *buf,
                res = PAGE_SIZE - pg_offp;
        }
+        if (!data_of(data->handle)) {
+                res = -EINVAL;
+                goto unlock;
+        }
        res = simple_write_to_buffer(data_of(data->handle), res, &pg_offp,
                        buf, count);
        if (res > 0)
diff --git a/kernel/printk/braille.c b/kernel/printk/braille.c
index d5760c42f042..61d41ca41844 100644
--- a/kernel/printk/braille.c
+++ b/kernel/printk/braille.c
@@ -2,12 +2,13 @@
 #include <linux/kernel.h>
 #include <linux/console.h>
+#include <linux/errno.h>
 #include <linux/string.h>
 #include "console_cmdline.h"
 #include "braille.h"
-char *_braille_console_setup(char **str, char **brl_options)
+int _braille_console_setup(char **str, char **brl_options)
 {
        if (!strncmp(*str, "brl,", 4)) {
                *brl_options = "";
@@ -15,14 +16,14 @@ char *_braille_console_setup(char **str, char **brl_options)
        } else if (!strncmp(*str, "brl=", 4)) {
                *brl_options = *str + 4;
                *str = strchr(*brl_options, ',');
-                if (!*str)
+                if (!*str) {
                        pr_err("need port name after brl=\n");
-                else
+                        return -EINVAL;
-                        *((*str)++) = 0;
+                }
-        } else
+                *((*str)++) = 0;
-                return NULL;
+        }
-        return *str;
+        return 0;
 }
 int
diff --git a/kernel/printk/braille.h b/kernel/printk/braille.h
index 769d771145c8..749a6756843a 100644
--- a/kernel/printk/braille.h
+++ b/kernel/printk/braille.h
@@ -9,7 +9,14 @@ braille_set_options(struct console_cmdline *c, char *brl_options)
        c->brl_options = brl_options;
 }
-char *
+/*
+ * Setup console according to braille options.
+ * Return -EINVAL on syntax error, 0 on success (or no braille option was
+ * actually given).
+ * Modifies str to point to the serial options
+ * Sets brl_options to the parsed braille options.
+ */
+int
 _braille_console_setup(char **str, char **brl_options);
 int
@@ -25,10 +32,10 @@ braille_set_options(struct console_cmdline *c, char *brl_options)
 {
 }
-static inline char *
+static inline int
 _braille_console_setup(char **str, char **brl_options)
 {
-        return NULL;
+        return 0;
 }
 static inline int
diff --git a/kernel/profile.c b/kernel/profile.c
index 99513e1160e5..9cd8e18e6f18 100644
--- a/kernel/profile.c
+++ b/kernel/profile.c
@@ -44,7 +44,7 @@ int prof_on __read_mostly;
 EXPORT_SYMBOL_GPL(prof_on);
 static cpumask_var_t prof_cpu_mask;
-#ifdef CONFIG_SMP
+#if defined(CONFIG_SMP) && defined(CONFIG_PROC_FS)
 static DEFINE_PER_CPU(struct profile_hit *[2], cpu_profile_hits);
 static DEFINE_PER_CPU(int, cpu_profile_flip);
 static DEFINE_MUTEX(profile_flip_mutex);
@@ -201,7 +201,7 @@ int profile_event_unregister(enum profile_type type, struct notifier_block *n)
 }
 EXPORT_SYMBOL_GPL(profile_event_unregister);
-#ifdef CONFIG_SMP
+#if defined(CONFIG_SMP) && defined(CONFIG_PROC_FS)
 /*
 * Each cpu has a pair of open-addressed hashtables for pending
 * profile hits. read_profile() IPI's all cpus to request them
diff --git a/kernel/relay.c b/kernel/relay.c
index 0b4570cfacae..f6d5f08bdfaa 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan)
 {
        struct rchan_buf *buf;
-        if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
+        if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
                return NULL;
        buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
diff --git a/kernel/resource.c b/kernel/resource.c
index a4a94e700fb9..41718cd8cab5 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -611,7 +611,8 @@ static int __find_resource(struct resource *root, struct resource *old,
                        alloc.start = constraint->alignf(constraint->alignf_data, &avail,
                                        size, constraint->align);
                        alloc.end = alloc.start + size - 1;
-                        if (resource_contains(&avail, &alloc)) {
+                        if (alloc.start <= alloc.end &&
+                            resource_contains(&avail, &alloc)) {
                                new->start = alloc.start;
                                new->end = alloc.end;
                                return 0;
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 9d6b3d869592..65ed3501c2ca 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -601,7 +601,8 @@ void resched_cpu(int cpu)
        unsigned long flags;
        raw_spin_lock_irqsave(&rq->lock, flags);
-        resched_curr(rq);
+        if (cpu_online(cpu) || cpu == smp_processor_id())
+                resched_curr(rq);
        raw_spin_unlock_irqrestore(&rq->lock, flags);
 }
@@ -2109,6 +2110,7 @@ void __dl_clear_params(struct task_struct *p)
        dl_se->dl_period = 0;
        dl_se->flags = 0;
        dl_se->dl_bw = 0;
+        dl_se->dl_density = 0;
        dl_se->dl_throttled = 0;
        dl_se->dl_new = 1;
@@ -3647,6 +3649,7 @@ __setparam_dl(struct task_struct *p, const struct sched_attr *attr)
        dl_se->dl_period = attr->sched_period ?: dl_se->dl_deadline;
        dl_se->flags = attr->sched_flags;
        dl_se->dl_bw = to_ratio(dl_se->dl_period, dl_se->dl_runtime);
+        dl_se->dl_density = to_ratio(dl_se->dl_deadline, dl_se->dl_runtime);
        /*
         * Changing the parameters of a task is 'tricky' and we're not doing
@@ -5894,6 +5897,19 @@ static void rq_attach_root(struct rq *rq, struct root_domain *rd)
                call_rcu_sched(&old_rd->rcu, free_rootdomain);
 }
+void sched_get_rd(struct root_domain *rd)
+{
+        atomic_inc(&rd->refcount);
+}
+void sched_put_rd(struct root_domain *rd)
+{
+        if (!atomic_dec_and_test(&rd->refcount))
+                return;
+        call_rcu_sched(&rd->rcu, free_rootdomain);
+}
 static int init_rootdomain(struct root_domain *rd)
 {
        memset(rd, 0, sizeof(*rd));
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 6be2afd9bfd6..e12b0a4df891 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -480,13 +480,84 @@ static bool dl_entity_overflow(struct sched_dl_entity *dl_se,
 }
 /*
- * When a -deadline entity is queued back on the runqueue, its runtime and
+ * Revised wakeup rule [1]: For self-suspending tasks, rather then
- * deadline might need updating.
+ * re-initializing task's runtime and deadline, the revised wakeup
+ * rule adjusts the task's runtime to avoid the task to overrun its
+ * density.
 *
- * The policy here is that we update the deadline of the entity only if:
+ * Reasoning: a task may overrun the density if:
- *  - the current deadline is in the past,
+ *    runtime / (deadline - t) > dl_runtime / dl_deadline
- *  - using the remaining runtime with the current deadline would make
+ *
- *    the entity exceed its bandwidth.
+ * Therefore, runtime can be adjusted to:
+ *     runtime = (dl_runtime / dl_deadline) * (deadline - t)
+ *
+ * In such way that runtime will be equal to the maximum density
+ * the task can use without breaking any rule.
+ *
+ * [1] Luca Abeni, Giuseppe Lipari, and Juri Lelli. 2015. Constant
+ * bandwidth server revisited. SIGBED Rev. 11, 4 (January 2015), 19-24.
+ */
+static void
+update_dl_revised_wakeup(struct sched_dl_entity *dl_se, struct rq *rq)
+{
+        u64 laxity = dl_se->deadline - rq_clock(rq);
+        /*
+         * If the task has deadline < period, and the deadline is in the past,
+         * it should already be throttled before this check.
+         *
+         * See update_dl_entity() comments for further details.
+         */
+        WARN_ON(dl_time_before(dl_se->deadline, rq_clock(rq)));
+        dl_se->runtime = (dl_se->dl_density * laxity) >> 20;
+}
+/*
+ * Regarding the deadline, a task with implicit deadline has a relative
+ * deadline == relative period. A task with constrained deadline has a
+ * relative deadline <= relative period.
+ *
+ * We support constrained deadline tasks. However, there are some restrictions
+ * applied only for tasks which do not have an implicit deadline. See
+ * update_dl_entity() to know more about such restrictions.
+ *
+ * The dl_is_implicit() returns true if the task has an implicit deadline.
+ */
+static inline bool dl_is_implicit(struct sched_dl_entity *dl_se)
+{
+        return dl_se->dl_deadline == dl_se->dl_period;
+}
+/*
+ * When a deadline entity is placed in the runqueue, its runtime and deadline
+ * might need to be updated. This is done by a CBS wake up rule. There are two
+ * different rules: 1) the original CBS; and 2) the Revisited CBS.
+ *
+ * When the task is starting a new period, the Original CBS is used. In this
+ * case, the runtime is replenished and a new absolute deadline is set.
+ *
+ * When a task is queued before the begin of the next period, using the
+ * remaining runtime and deadline could make the entity to overflow, see
+ * dl_entity_overflow() to find more about runtime overflow. When such case
+ * is detected, the runtime and deadline need to be updated.
+ *
+ * If the task has an implicit deadline, i.e., deadline == period, the Original
+ * CBS is applied. the runtime is replenished and a new absolute deadline is
+ * set, as in the previous cases.
+ *
+ * However, the Original CBS does not work properly for tasks with
+ * deadline < period, which are said to have a constrained deadline. By
+ * applying the Original CBS, a constrained deadline task would be able to run
+ * runtime/deadline in a period. With deadline < period, the task would
+ * overrun the runtime/period allowed bandwidth, breaking the admission test.
+ *
+ * In order to prevent this misbehave, the Revisited CBS is used for
+ * constrained deadline tasks when a runtime overflow is detected. In the
+ * Revisited CBS, rather than replenishing & setting a new absolute deadline,
+ * the remaining runtime of the task is reduced to avoid runtime overflow.
+ * Please refer to the comments update_dl_revised_wakeup() function to find
+ * more about the Revised CBS rule.
 */
 static void update_dl_entity(struct sched_dl_entity *dl_se,
                             struct sched_dl_entity *pi_se)
@@ -505,6 +576,14 @@ static void update_dl_entity(struct sched_dl_entity *dl_se,
        if (dl_time_before(dl_se->deadline, rq_clock(rq)) ||
            dl_entity_overflow(dl_se, pi_se, rq_clock(rq))) {
+                if (unlikely(!dl_is_implicit(dl_se) &&
+                             !dl_time_before(dl_se->deadline, rq_clock(rq)) &&
+                             !dl_se->dl_boosted)){
+                        update_dl_revised_wakeup(dl_se, rq);
+                        return;
+                }
                dl_se->deadline = rq_clock(rq) + pi_se->dl_deadline;
                dl_se->runtime = pi_se->dl_runtime;
        }
@@ -991,11 +1070,6 @@ static void dequeue_dl_entity(struct sched_dl_entity *dl_se)
        __dequeue_dl_entity(dl_se);
 }
-static inline bool dl_is_constrained(struct sched_dl_entity *dl_se)
-{
-        return dl_se->dl_deadline < dl_se->dl_period;
-}
 static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags)
 {
        struct task_struct *pi_task = rt_mutex_get_top_task(p);
@@ -1027,7 +1101,7 @@ static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags)
         * If that is the case, the task will be throttled and
         * the replenishment timer will be set to the next period.
         */
-        if (!p->dl.dl_throttled && dl_is_constrained(&p->dl))
+        if (!p->dl.dl_throttled && !dl_is_implicit(&p->dl))
                dl_check_constrained_dl(&p->dl);
        /*
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 812069b66f47..3b136fb4422c 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -2223,7 +2223,8 @@ void task_numa_work(struct callback_head *work)
                return;
-        down_read(&mm->mmap_sem);
+        if (!down_read_trylock(&mm->mmap_sem))
+                return;
        vma = find_vma(mm, start);
        if (!vma) {
                reset_ptenuma_scan(p);
diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
index 95fefb364dab..801b4ec40702 100644
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -822,6 +822,8 @@ static int do_sched_rt_period_timer(struct rt_bandwidth *rt_b, int overrun)
                struct rq *rq = rq_of_rt_rq(rt_rq);
                raw_spin_lock(&rq->lock);
+                update_rq_clock(rq);
                if (rt_rq->rt_time) {
                        u64 runtime;
@@ -1833,9 +1835,8 @@ static void push_rt_tasks(struct rq *rq)
 * the rt_loop_next will cause the iterator to perform another scan.
 *
 */
-static int rto_next_cpu(struct rq *rq)
+static int rto_next_cpu(struct root_domain *rd)
 {
-        struct root_domain *rd = rq->rd;
        int next;
        int cpu;
@@ -1911,19 +1912,24 @@ static void tell_cpu_to_push(struct rq *rq)
         * Otherwise it is finishing up and an ipi needs to be sent.
         */
        if (rq->rd->rto_cpu < 0)
-                cpu = rto_next_cpu(rq);
+                cpu = rto_next_cpu(rq->rd);
        raw_spin_unlock(&rq->rd->rto_lock);
        rto_start_unlock(&rq->rd->rto_loop_start);
-        if (cpu >= 0)
+        if (cpu >= 0) {
+                /* Make sure the rd does not get freed while pushing */
+                sched_get_rd(rq->rd);
                irq_work_queue_on(&rq->rd->rto_push_work, cpu);
+        }
 }
 /* Called from hardirq context */
 void rto_push_irq_work_func(struct irq_work *work)
 {
+        struct root_domain *rd =
+                container_of(work, struct root_domain, rto_push_work);
        struct rq *rq;
        int cpu;
@@ -1939,18 +1945,20 @@ void rto_push_irq_work_func(struct irq_work *work)
                raw_spin_unlock(&rq->lock);
        }
-        raw_spin_lock(&rq->rd->rto_lock);
+        raw_spin_lock(&rd->rto_lock);
        /* Pass the IPI to the next rt overloaded queue */
-        cpu = rto_next_cpu(rq);
+        cpu = rto_next_cpu(rd);
-        raw_spin_unlock(&rq->rd->rto_lock);
+        raw_spin_unlock(&rd->rto_lock);
-        if (cpu < 0)
+        if (cpu < 0) {
+                sched_put_rd(rd);
                return;
+        }
        /* Try the next RT overloaded CPU */
-        irq_work_queue_on(&rq->rd->rto_push_work, cpu);
+        irq_work_queue_on(&rd->rto_push_work, cpu);
 }
 #endif /* HAVE_RT_PUSH_IPI */
@@ -2138,7 +2146,7 @@ static void switched_to_rt(struct rq *rq, struct task_struct *p)
                if (p->nr_cpus_allowed > 1 && rq->rt.overloaded)
                        queue_push_tasks(rq);
 #endif /* CONFIG_SMP */
-                if (p->prio < rq->curr->prio)
+                if (p->prio < rq->curr->prio && cpu_online(cpu_of(rq)))
                        resched_curr(rq);
        }
 }
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
index 448a8266ceea..0c9ebd82a684 100644
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -553,6 +553,8 @@ struct root_domain {
 };
 extern struct root_domain def_root_domain;
+extern void sched_get_rd(struct root_domain *rd);
+extern void sched_put_rd(struct root_domain *rd);
 #ifdef HAVE_RT_PUSH_IPI
 extern void rto_push_irq_work_func(struct irq_work *work);
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index efd384f3f852..9a9203b15cde 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -16,6 +16,8 @@
 #include <linux/atomic.h>
 #include <linux/audit.h>
 #include <linux/compat.h>
+#include <linux/nospec.h>
+#include <linux/prctl.h>
 #include <linux/sched.h>
 #include <linux/seccomp.h>
 #include <linux/slab.h>
@@ -214,8 +216,11 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode)
        return true;
 }
+void __weak arch_seccomp_spec_mitigate(struct task_struct *task) { }
 static inline void seccomp_assign_mode(struct task_struct *task,
-                                       unsigned long seccomp_mode)
+                                       unsigned long seccomp_mode,
+                                       unsigned long flags)
 {
        assert_spin_locked(&task->sighand->siglock);
@@ -225,6 +230,9 @@ static inline void seccomp_assign_mode(struct task_struct *task,
         * filter) is set.
         */
        smp_mb__before_atomic();
+        /* Assume default seccomp processes want spec flaw mitigation. */
+        if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
+                arch_seccomp_spec_mitigate(task);
        set_tsk_thread_flag(task, TIF_SECCOMP);
 }
@@ -292,7 +300,7 @@ static inline pid_t seccomp_can_sync_threads(void)
 * without dropping the locks.
 *
 */
-static inline void seccomp_sync_threads(void)
+static inline void seccomp_sync_threads(unsigned long flags)
 {
        struct task_struct *thread, *caller;
@@ -333,7 +341,8 @@ static inline void seccomp_sync_threads(void)
                 * allow one thread to transition the other.
                 */
                if (thread->seccomp.mode == SECCOMP_MODE_DISABLED)
-                        seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
+                        seccomp_assign_mode(thread, SECCOMP_MODE_FILTER,
+                                            flags);
        }
 }
@@ -452,7 +461,7 @@ static long seccomp_attach_filter(unsigned int flags,
        /* Now that the new filter is in place, synchronize to all threads. */
        if (flags & SECCOMP_FILTER_FLAG_TSYNC)
-                seccomp_sync_threads();
+                seccomp_sync_threads(flags);
        return 0;
 }
@@ -747,7 +756,7 @@ static long seccomp_set_mode_strict(void)
 #ifdef TIF_NOTSC
        disable_TSC();
 #endif
-        seccomp_assign_mode(current, seccomp_mode);
+        seccomp_assign_mode(current, seccomp_mode, 0);
        ret = 0;
 out:
@@ -805,7 +814,7 @@ static long seccomp_set_mode_filter(unsigned int flags,
        /* Do not free the successfully attached filter. */
        prepared = NULL;
-        seccomp_assign_mode(current, seccomp_mode);
+        seccomp_assign_mode(current, seccomp_mode, flags);
 out:
        spin_unlock_irq(&current->sighand->siglock);
        if (flags & SECCOMP_FILTER_FLAG_TSYNC)
diff --git a/kernel/signal.c b/kernel/signal.c
index 4a548c6a4118..8bfbc47f0a23 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1392,6 +1392,10 @@ static int kill_something_info(int sig, struct siginfo *info, pid_t pid)
                return ret;
        }
+        /* -INT_MIN is undefined.  Exclude this case to avoid a UBSAN warning */
+        if (pid == INT_MIN)
+                return -ESRCH;
        read_lock(&tasklist_lock);
        if (pid != -1) {
                ret = __kill_pgrp_info(sig, info,
@@ -2495,6 +2499,13 @@ void __set_current_blocked(const sigset_t *newset)
 {
        struct task_struct *tsk = current;
+        /*
+         * In case the signal mask hasn't changed, there is nothing we need
+         * to do. The current->blocked shouldn't be modified by other task.
+         */
+        if (sigequalsets(&tsk->blocked, newset))
+                return;
        spin_lock_irq(&tsk->sighand->siglock);
        __set_task_blocked(tsk, newset);
        spin_unlock_irq(&tsk->sighand->siglock);
diff --git a/kernel/sys.c b/kernel/sys.c
index 78947de6f969..f718742e55e6 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -53,6 +53,8 @@
 #include <linux/uidgid.h>
 #include <linux/cred.h>
+#include <linux/nospec.h>
 #include <linux/kmsg_dump.h>
 /* Move somewhere else to avoid recompiling? */
 #include <generated/utsrelease.h>
@@ -1311,6 +1313,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
        if (resource >= RLIM_NLIMITS)
                return -EINVAL;
+        resource = array_index_nospec(resource, RLIM_NLIMITS);
        task_lock(current->group_leader);
        x = current->signal->rlim[resource];
        task_unlock(current->group_leader);
@@ -2072,6 +2075,17 @@ static int prctl_get_tid_address(struct task_struct *me, int __user **tid_addr)
 }
 #endif
+int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which)
+{
+        return -EINVAL;
+}
+int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which,
+                                    unsigned long ctrl)
+{
+        return -EINVAL;
+}
 SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
                unsigned long, arg4, unsigned long, arg5)
 {
@@ -2266,6 +2280,16 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
        case PR_GET_FP_MODE:
                error = GET_FP_MODE(me);
                break;
+        case PR_GET_SPECULATION_CTRL:
+                if (arg3 || arg4 || arg5)
+                        return -EINVAL;
+                error = arch_prctl_spec_ctrl_get(me, arg2);
+                break;
+        case PR_SET_SPECULATION_CTRL:
+                if (arg4 || arg5)
+                        return -EINVAL;
+                error = arch_prctl_spec_ctrl_set(me, arg2, arg3);
+                break;
        default:
                error = -EINVAL;
                break;
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 17f7bcff1e02..8c4e27cbfe7f 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -312,7 +312,7 @@ EXPORT_SYMBOL_GPL(__ktime_divns);
 */
 ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs)
 {
-        ktime_t res = ktime_add(lhs, rhs);
+        ktime_t res = ktime_add_unsafe(lhs, rhs);
        /*
         * We use KTIME_SEC_MAX here, the maximum timeout which we can
@@ -669,7 +669,9 @@ static void hrtimer_reprogram(struct hrtimer *timer,
 static inline void hrtimer_init_hres(struct hrtimer_cpu_base *base)
 {
        base->expires_next.tv64 = KTIME_MAX;
+        base->hang_detected = 0;
        base->hres_active = 0;
+        base->next_timer = NULL;
 }
 /*
@@ -1137,7 +1139,12 @@ static void __hrtimer_init(struct hrtimer *timer, clockid_t clock_id,
        cpu_base = raw_cpu_ptr(&hrtimer_bases);
-        if (clock_id == CLOCK_REALTIME && mode != HRTIMER_MODE_ABS)
+        /*
+         * POSIX magic: Relative CLOCK_REALTIME timers are not affected by
+         * clock modifications, so they needs to become CLOCK_MONOTONIC to
+         * ensure POSIX compliance.
+         */
+        if (clock_id == CLOCK_REALTIME && mode & HRTIMER_MODE_REL)
                clock_id = CLOCK_MONOTONIC;
        base = hrtimer_clockid_to_base(clock_id);
@@ -1615,6 +1622,7 @@ static void init_hrtimers_cpu(int cpu)
                timerqueue_init_head(&cpu_base->clock_base[i].active);
        }
+        cpu_base->active_bases = 0;
        cpu_base->cpu = cpu;
        hrtimer_init_hres(cpu_base);
 }
diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c
index 9cff0ab82b63..e24008c098c6 100644
--- a/kernel/time/posix-clock.c
+++ b/kernel/time/posix-clock.c
@@ -300,14 +300,17 @@ out:
 static int pc_clock_gettime(clockid_t id, struct timespec *ts)
 {
        struct posix_clock_desc cd;
+        struct timespec64 ts64;
        int err;
        err = get_clock_desc(id, &cd);
        if (err)
                return err;
-        if (cd.clk->ops.clock_gettime)
+        if (cd.clk->ops.clock_gettime) {
-                err = cd.clk->ops.clock_gettime(cd.clk, ts);
+                err = cd.clk->ops.clock_gettime(cd.clk, &ts64);
+                *ts = timespec64_to_timespec(ts64);
+        }
        else
                err = -EOPNOTSUPP;
@@ -319,14 +322,17 @@ static int pc_clock_gettime(clockid_t id, struct timespec *ts)
 static int pc_clock_getres(clockid_t id, struct timespec *ts)
 {
        struct posix_clock_desc cd;
+        struct timespec64 ts64;
        int err;
        err = get_clock_desc(id, &cd);
        if (err)
                return err;
-        if (cd.clk->ops.clock_getres)
+        if (cd.clk->ops.clock_getres) {
-                err = cd.clk->ops.clock_getres(cd.clk, ts);
+                err = cd.clk->ops.clock_getres(cd.clk, &ts64);
+                *ts = timespec64_to_timespec(ts64);
+        }
        else
                err = -EOPNOTSUPP;
@@ -337,6 +343,7 @@ static int pc_clock_getres(clockid_t id, struct timespec *ts)
 static int pc_clock_settime(clockid_t id, const struct timespec *ts)
 {
+        struct timespec64 ts64 = timespec_to_timespec64(*ts);
        struct posix_clock_desc cd;
        int err;
@@ -350,7 +357,7 @@ static int pc_clock_settime(clockid_t id, const struct timespec *ts)
        }
        if (cd.clk->ops.clock_settime)
-                err = cd.clk->ops.clock_settime(cd.clk, ts);
+                err = cd.clk->ops.clock_settime(cd.clk, &ts64);
        else
                err = -EOPNOTSUPP;
 out:
@@ -403,29 +410,36 @@ static void pc_timer_gettime(struct k_itimer *kit, struct itimerspec *ts)
 {
        clockid_t id = kit->it_clock;
        struct posix_clock_desc cd;
+        struct itimerspec64 ts64;
        if (get_clock_desc(id, &cd))
                return;
-        if (cd.clk->ops.timer_gettime)
+        if (cd.clk->ops.timer_gettime) {
-                cd.clk->ops.timer_gettime(cd.clk, kit, ts);
+                cd.clk->ops.timer_gettime(cd.clk, kit, &ts64);
+                *ts = itimerspec64_to_itimerspec(&ts64);
+        }
        put_clock_desc(&cd);
 }
 static int pc_timer_settime(struct k_itimer *kit, int flags,
                            struct itimerspec *ts, struct itimerspec *old)
 {
+        struct itimerspec64 ts64 = itimerspec_to_itimerspec64(ts);
        clockid_t id = kit->it_clock;
        struct posix_clock_desc cd;
+        struct itimerspec64 old64;
        int err;
        err = get_clock_desc(id, &cd);
        if (err)
                return err;
-        if (cd.clk->ops.timer_settime)
+        if (cd.clk->ops.timer_settime) {
-                err = cd.clk->ops.timer_settime(cd.clk, kit, flags, ts, old);
+                err = cd.clk->ops.timer_settime(cd.clk, kit, flags, &ts64, &old64);
+                if (old)
+                        *old = itimerspec64_to_itimerspec(&old64);
+        }
        else
                err = -EOPNOTSUPP;
diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index f2826c35e918..fc7c37ad90a0 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -507,17 +507,22 @@ static struct pid *good_sigevent(sigevent_t * event)
 {
        struct task_struct *rtn = current->group_leader;
-        if ((event->sigev_notify & SIGEV_THREAD_ID ) &&
+        switch (event->sigev_notify) {
-                (!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) ||
+        case SIGEV_SIGNAL | SIGEV_THREAD_ID:
-                 !same_thread_group(rtn, current) ||
+                rtn = find_task_by_vpid(event->sigev_notify_thread_id);
-                 (event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_SIGNAL))
+                if (!rtn || !same_thread_group(rtn, current))
+                        return NULL;
+                /* FALLTHRU */
+        case SIGEV_SIGNAL:
+        case SIGEV_THREAD:
+                if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX)
+                        return NULL;
+                /* FALLTHRU */
+        case SIGEV_NONE:
+                return task_pid(rtn);
+        default:
                return NULL;
+        }
-        if (((event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) &&
-            ((event->sigev_signo <= 0) || (event->sigev_signo > SIGRTMAX)))
-                return NULL;
-        return task_pid(rtn);
 }
 void posix_timers_register_clock(const clockid_t clock_id,
@@ -745,8 +750,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting)
        /* interval timer ? */
        if (iv.tv64)
                cur_setting->it_interval = ktime_to_timespec(iv);
-        else if (!hrtimer_active(timer) &&
+        else if (!hrtimer_active(timer) && timr->it_sigev_notify != SIGEV_NONE)
-                 (timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE)
                return;
        now = timer->base->get_time();
@@ -757,7 +761,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting)
         * expiry is > now.
         */
        if (iv.tv64 && (timr->it_requeue_pending & REQUEUE_PENDING ||
-            (timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE))
+                        timr->it_sigev_notify == SIGEV_NONE))
                timr->it_overrun += (unsigned int) hrtimer_forward(timer, now, iv);
        remaining = __hrtimer_expires_remaining_adjusted(timer, now);
@@ -767,7 +771,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting)
                 * A single shot SIGEV_NONE timer must return 0, when
                 * it is expired !
                 */
-                if ((timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE)
+                if (timr->it_sigev_notify != SIGEV_NONE)
                        cur_setting->it_value.tv_nsec = 1;
        } else
                cur_setting->it_value = ktime_to_timespec(remaining);
@@ -865,7 +869,7 @@ common_timer_set(struct k_itimer *timr, int flags,
        timr->it.real.interval = timespec_to_ktime(new_setting->it_interval);
        /* SIGEV_NONE timers are not queued ! See common_timer_get */
-        if (((timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE)) {
+        if (timr->it_sigev_notify == SIGEV_NONE) {
                /* Setup correct expiry time for relative timers */
                if (mode == HRTIMER_MODE_REL) {
                        hrtimer_add_expires(timer, timer->base->get_time());
diff --git a/kernel/time/sched_clock.c b/kernel/time/sched_clock.c
index a26036d37a38..382b159d8592 100644
--- a/kernel/time/sched_clock.c
+++ b/kernel/time/sched_clock.c
@@ -205,6 +205,11 @@ sched_clock_register(u64 (*read)(void), int bits, unsigned long rate)
        update_clock_read_data(&rd);
+        if (sched_clock_timer.function != NULL) {
+                /* update timeout for clock wrap */
+                hrtimer_start(&sched_clock_timer, cd.wrap_kt, HRTIMER_MODE_REL);
+        }
        r = rate;
        if (r >= 4000000) {
                r /= 1000000;
diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
index d2a20e83ebae..22d7454b387b 100644
--- a/kernel/time/tick-broadcast.c
+++ b/kernel/time/tick-broadcast.c
@@ -610,6 +610,14 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev)
        now = ktime_get();
        /* Find all expired events */
        for_each_cpu(cpu, tick_broadcast_oneshot_mask) {
+                /*
+                 * Required for !SMP because for_each_cpu() reports
+                 * unconditionally CPU0 as set on UP kernels.
+                 */
+                if (!IS_ENABLED(CONFIG_SMP) &&
+                    cpumask_empty(tick_broadcast_oneshot_mask))
+                        break;
                td = &per_cpu(tick_cpu_device, cpu);
                if (td->evtdev->next_event.tv64 <= now.tv64) {
                        cpumask_set_cpu(cpu, tmpmask);
diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
index e5d228f7224c..5ad2e852e9f6 100644
--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -570,7 +570,7 @@ static void tick_nohz_restart(struct tick_sched *ts, ktime_t now)
 static inline bool local_timer_softirq_pending(void)
 {
-        return local_softirq_pending() & TIMER_SOFTIRQ;
+        return local_softirq_pending() & BIT(TIMER_SOFTIRQ);
 }
 static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts,
diff --git a/kernel/time/time.c b/kernel/time/time.c
index 86751c68e08d..de70ac1f84d0 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -28,6 +28,7 @@
 */
 #include <linux/export.h>
+#include <linux/kernel.h>
 #include <linux/timex.h>
 #include <linux/capability.h>
 #include <linux/timekeeper_internal.h>
@@ -258,9 +259,10 @@ unsigned int jiffies_to_msecs(const unsigned long j)
        return (j + (HZ / MSEC_PER_SEC) - 1)/(HZ / MSEC_PER_SEC);
 #else
 # if BITS_PER_LONG == 32
-        return (HZ_TO_MSEC_MUL32 * j) >> HZ_TO_MSEC_SHR32;
+        return (HZ_TO_MSEC_MUL32 * j + (1ULL << HZ_TO_MSEC_SHR32) - 1) >>
+               HZ_TO_MSEC_SHR32;
 # else
-        return (j * HZ_TO_MSEC_NUM) / HZ_TO_MSEC_DEN;
+        return DIV_ROUND_UP(j * HZ_TO_MSEC_NUM, HZ_TO_MSEC_DEN);
 # endif
 #endif
 }
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index 6e4866834d26..fed86b2dfc89 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -277,8 +277,7 @@ static void tk_setup_internals(struct timekeeper *tk, struct clocksource *clock)
        /* Go back from cycles -> shifted ns */
        tk->xtime_interval = (u64) interval * clock->mult;
        tk->xtime_remainder = ntpinterval - tk->xtime_interval;
-        tk->raw_interval =
+        tk->raw_interval = interval * clock->mult;
-                ((u64) interval * clock->mult) >> clock->shift;
         /* if changing clocks, convert xtime_nsec shift units */
        if (old_clock) {
@@ -1767,7 +1766,7 @@ static cycle_t logarithmic_accumulation(struct timekeeper *tk, cycle_t offset,
                                                unsigned int *clock_set)
 {
        cycle_t interval = tk->cycle_interval << shift;
-        u64 raw_nsecs;
+        u64 snsec_per_sec;
        /* If the offset is smaller than a shifted interval, do nothing */
        if (offset < interval)
@@ -1782,14 +1781,15 @@ static cycle_t logarithmic_accumulation(struct timekeeper *tk, cycle_t offset,
        *clock_set |= accumulate_nsecs_to_secs(tk);
        /* Accumulate raw time */
-        raw_nsecs = (u64)tk->raw_interval << shift;
+        tk->tkr_raw.xtime_nsec += (u64)tk->raw_time.tv_nsec << tk->tkr_raw.shift;
-        raw_nsecs += tk->raw_time.tv_nsec;
+        tk->tkr_raw.xtime_nsec += tk->raw_interval << shift;
-        if (raw_nsecs >= NSEC_PER_SEC) {
+        snsec_per_sec = (u64)NSEC_PER_SEC << tk->tkr_raw.shift;
-                u64 raw_secs = raw_nsecs;
+        while (tk->tkr_raw.xtime_nsec >= snsec_per_sec) {
-                raw_nsecs = do_div(raw_secs, NSEC_PER_SEC);
+                tk->tkr_raw.xtime_nsec -= snsec_per_sec;
-                tk->raw_time.tv_sec += raw_secs;
+                tk->raw_time.tv_sec++;
        }
-        tk->raw_time.tv_nsec = raw_nsecs;
+        tk->raw_time.tv_nsec = tk->tkr_raw.xtime_nsec >> tk->tkr_raw.shift;
+        tk->tkr_raw.xtime_nsec -= (u64)tk->raw_time.tv_nsec << tk->tkr_raw.shift;
        /* Accumulate error between NTP and clock interval */
        tk->ntp_error += tk->ntp_tick << shift;
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index 125407144c01..3d7588a2e97c 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -764,8 +764,15 @@ static struct tvec_base *lock_timer_base(struct timer_list *timer,
        __acquires(timer->base->lock)
 {
        for (;;) {
-                u32 tf = timer->flags;
                struct tvec_base *base;
+                u32 tf;
+                /*
+                 * We need to use READ_ONCE() here, otherwise the compiler
+                 * might re-read @tf between the check for TIMER_MIGRATING
+                 * and spin_lock().
+                 */
+                tf = READ_ONCE(timer->flags);
                if (!(tf & TIMER_MIGRATING)) {
                        base = per_cpu_ptr(&tvec_bases, tf & TIMER_CPUMASK);
diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
index ba7d8b288bb3..ef4f16e81283 100644
--- a/kernel/time/timer_list.c
+++ b/kernel/time/timer_list.c
@@ -16,6 +16,7 @@
 #include <linux/sched.h>
 #include <linux/seq_file.h>
 #include <linux/kallsyms.h>
+#include <linux/nmi.h>
 #include <asm/uaccess.h>
@@ -96,6 +97,9 @@ print_active_timers(struct seq_file *m, struct hrtimer_clock_base *base,
 next_one:
        i = 0;
+        touch_nmi_watchdog();
        raw_spin_lock_irqsave(&base->cpu_base->lock, flags);
        curr = timerqueue_getnext(&base->active);
@@ -207,6 +211,8 @@ print_tickdevice(struct seq_file *m, struct tick_device *td, int cpu)
 {
        struct clock_event_device *dev = td->evtdev;
+        touch_nmi_watchdog();
        SEQ_printf(m, "Tick Device: mode:     %d\n", td->mode);
        if (cpu < 0)
                SEQ_printf(m, "Broadcast device\n");
diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index a990824c8604..7ab5eafea8b2 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -57,7 +57,8 @@ static struct tracer_flags blk_tracer_flags = {
 };
 /* Global reference count of probes */
-static atomic_t blk_probes_ref = ATOMIC_INIT(0);
+static DEFINE_MUTEX(blk_probe_mutex);
+static int blk_probes_ref;
 static void blk_register_tracepoints(void);
 static void blk_unregister_tracepoints(void);
@@ -300,11 +301,26 @@ static void blk_trace_free(struct blk_trace *bt)
        kfree(bt);
 }
+static void get_probe_ref(void)
+{
+        mutex_lock(&blk_probe_mutex);
+        if (++blk_probes_ref == 1)
+                blk_register_tracepoints();
+        mutex_unlock(&blk_probe_mutex);
+}
+static void put_probe_ref(void)
+{
+        mutex_lock(&blk_probe_mutex);
+        if (!--blk_probes_ref)
+                blk_unregister_tracepoints();
+        mutex_unlock(&blk_probe_mutex);
+}
 static void blk_trace_cleanup(struct blk_trace *bt)
 {
        blk_trace_free(bt);
-        if (atomic_dec_and_test(&blk_probes_ref))
+        put_probe_ref();
-                blk_unregister_tracepoints();
 }
 int blk_trace_remove(struct request_queue *q)
@@ -522,8 +538,7 @@ int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
        if (cmpxchg(&q->blk_trace, NULL, bt))
                goto err;
-        if (atomic_inc_return(&blk_probes_ref) == 1)
+        get_probe_ref();
-                blk_register_tracepoints();
        return 0;
 err:
@@ -1466,9 +1481,7 @@ static int blk_trace_remove_queue(struct request_queue *q)
        if (bt == NULL)
                return -EINVAL;
-        if (atomic_dec_and_test(&blk_probes_ref))
+        put_probe_ref();
-                blk_unregister_tracepoints();
        blk_trace_free(bt);
        return 0;
 }
@@ -1499,8 +1512,7 @@ static int blk_trace_setup_queue(struct request_queue *q,
        if (cmpxchg(&q->blk_trace, NULL, bt))
                goto free_bt;
-        if (atomic_inc_return(&blk_probes_ref) == 1)
+        get_probe_ref();
-                blk_register_tracepoints();
        return 0;
 free_bt:
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index fc0051fd672d..ac758a53fcea 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -3845,7 +3845,6 @@ __unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
                func_g.type = filter_parse_regex(glob, strlen(glob),
                                                 &func_g.search, &not);
                func_g.len = strlen(func_g.search);
-                func_g.search = glob;
                /* we do not support '!' for function probes */
                if (WARN_ON(not))
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index d9cd6191760b..fdaa88f38aec 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -3142,6 +3142,22 @@ int ring_buffer_record_is_on(struct ring_buffer *buffer)
 }
 /**
+ * ring_buffer_record_is_set_on - return true if the ring buffer is set writable
+ * @buffer: The ring buffer to see if write is set enabled
+ *
+ * Returns true if the ring buffer is set writable by ring_buffer_record_on().
+ * Note that this does NOT mean it is in a writable state.
+ *
+ * It may return true when the ring buffer has been disabled by
+ * ring_buffer_record_disable(), as that is a temporary disabling of
+ * the ring buffer.
+ */
+int ring_buffer_record_is_set_on(struct ring_buffer *buffer)
+{
+        return !(atomic_read(&buffer->record_disabled) & RB_BUFFER_OFF);
+}
+/**
 * ring_buffer_record_disable_cpu - stop all writes into the cpu_buffer
 * @buffer: The ring buffer to stop writes to.
 * @cpu: The CPU buffer to stop
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 8aef4e63ac57..1b980a8ef791 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1088,6 +1088,12 @@ update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
        arch_spin_lock(&tr->max_lock);
+        /* Inherit the recordable setting from trace_buffer */
+        if (ring_buffer_record_is_set_on(tr->trace_buffer.buffer))
+                ring_buffer_record_on(tr->max_buffer.buffer);
+        else
+                ring_buffer_record_off(tr->max_buffer.buffer);
        buf = tr->trace_buffer.buffer;
        tr->trace_buffer.buffer = tr->max_buffer.buffer;
        tr->max_buffer.buffer = buf;
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index f0e5408499b6..1ab2db6c127b 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -322,6 +322,9 @@ static int regex_match_full(char *str, struct regex *r, int len)
 static int regex_match_front(char *str, struct regex *r, int len)
 {
+        if (len < r->len)
+                return 0;
        if (strncmp(str, r->pattern, r->len) == 0)
                return 1;
        return 0;
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index 42a4009fd75a..b8a894adab2c 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -469,9 +469,10 @@ clear_event_triggers(struct trace_array *tr)
        struct trace_event_file *file;
        list_for_each_entry(file, &tr->events, list) {
-                struct event_trigger_data *data;
+                struct event_trigger_data *data, *n;
-                list_for_each_entry_rcu(data, &file->triggers, list) {
+                list_for_each_entry_safe(data, n, &file->triggers, list) {
                        trace_event_trigger_enable_disable(file, 0);
+                        list_del_rcu(&data->list);
                        if (data->ops->free)
                                data->ops->free(data->ops, data);
                }
@@ -662,6 +663,8 @@ event_trigger_callback(struct event_command *cmd_ops,
                goto out_free;
 out_reg:
+        /* Up the trigger_data count to make sure reg doesn't free it on failure */
+        event_trigger_init(trigger_ops, trigger_data);
        ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file);
        /*
         * The above returns on success the # of functions enabled,
@@ -669,11 +672,13 @@ event_trigger_callback(struct event_command *cmd_ops,
         * Consider no functions a failure too.
         */
        if (!ret) {
+                cmd_ops->unreg(glob, trigger_ops, trigger_data, file);
                ret = -ENOENT;
-                goto out_free;
+        } else if (ret > 0)
-        } else if (ret < 0)
+                ret = 0;
-                goto out_free;
-        ret = 0;
+        /* Down the counter of trigger_data or free it if not used anymore */
+        event_trigger_free(trigger_ops, trigger_data);
 out:
        return ret;
@@ -1226,6 +1231,9 @@ event_enable_trigger_func(struct event_command *cmd_ops,
                goto out;
        }
+        /* Up the trigger_data count to make sure nothing frees it on failure */
+        event_trigger_init(trigger_ops, trigger_data);
        if (trigger) {
                number = strsep(&trigger, ":");
@@ -1276,6 +1284,7 @@ event_enable_trigger_func(struct event_command *cmd_ops,
                goto out_disable;
        /* Just return zero, not the number of enabled functions */
        ret = 0;
+        event_trigger_free(trigger_ops, trigger_data);
 out:
        return ret;
@@ -1286,7 +1295,7 @@ event_enable_trigger_func(struct event_command *cmd_ops,
 out_free:
        if (cmd_ops->set_filter)
                cmd_ops->set_filter(NULL, trigger_data, NULL);
-        kfree(trigger_data);
+        event_trigger_free(trigger_ops, trigger_data);
        kfree(enable_data);
        goto out;
 }
diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index 7fd6f5a26143..e212ec4cfb4e 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -768,6 +768,7 @@ print_graph_entry_leaf(struct trace_iterator *iter,
        struct ftrace_graph_ret *graph_ret;
        struct ftrace_graph_ent *call;
        unsigned long long duration;
+        int cpu = iter->cpu;
        int i;
        graph_ret = &ret_entry->ret;
@@ -776,7 +777,6 @@ print_graph_entry_leaf(struct trace_iterator *iter,
        if (data) {
                struct fgraph_cpu_data *cpu_data;
-                int cpu = iter->cpu;
                cpu_data = per_cpu_ptr(data->cpu_data, cpu);
@@ -806,6 +806,9 @@ print_graph_entry_leaf(struct trace_iterator *iter,
        trace_seq_printf(s, "%ps();\n", (void *)call->func);
+        print_graph_irq(iter, graph_ret->func, TRACE_GRAPH_RET,
+                        cpu, iter->ent->pid, flags);
        return trace_handle_return(s);
 }
diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
index e9092a0247bf..f0ee722be520 100644
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -349,11 +349,10 @@ static struct trace_kprobe *find_trace_kprobe(const char *event,
 static int
 enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file)
 {
+        struct event_file_link *link = NULL;
        int ret = 0;
        if (file) {
-                struct event_file_link *link;
                link = kmalloc(sizeof(*link), GFP_KERNEL);
                if (!link) {
                        ret = -ENOMEM;
@@ -373,6 +372,18 @@ enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file)
                else
                        ret = enable_kprobe(&tk->rp.kp);
        }
+        if (ret) {
+                if (file) {
+                        /* Notice the if is true on not WARN() */
+                        if (!WARN_ON_ONCE(!link))
+                                list_del_rcu(&link->list);
+                        kfree(link);
+                        tk->tp.flags &= ~TP_FLAG_TRACE;
+                } else {
+                        tk->tp.flags &= ~TP_FLAG_PROFILE;
+                }
+        }
 out:
        return ret;
 }
@@ -599,7 +610,7 @@ static int create_trace_kprobe(int argc, char **argv)
        bool is_return = false, is_delete = false;
        char *symbol = NULL, *event = NULL, *group = NULL;
        char *arg;
-        unsigned long offset = 0;
+        long offset = 0;
        void *addr = NULL;
        char buf[MAX_EVENT_NAME_LEN];
@@ -667,7 +678,7 @@ static int create_trace_kprobe(int argc, char **argv)
                symbol = argv[1];
                /* TODO: support .init module functions */
                ret = traceprobe_split_symbol_offset(symbol, &offset);
-                if (ret) {
+                if (ret || offset < 0 || offset > UINT_MAX) {
                        pr_info("Failed to parse either an address or a symbol.\n");
                        return ret;
                }
diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
index 1769a81da8a7..741c00b90fdc 100644
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -293,7 +293,7 @@ static fetch_func_t get_fetch_size_function(const struct fetch_type *type,
 }
 /* Split symbol and offset. */
-int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset)
+int traceprobe_split_symbol_offset(char *symbol, long *offset)
 {
        char *tmp;
        int ret;
@@ -301,13 +301,11 @@ int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset)
        if (!offset)
                return -EINVAL;
-        tmp = strchr(symbol, '+');
+        tmp = strpbrk(symbol, "+-");
        if (tmp) {
-                /* skip sign because kstrtoul doesn't accept '+' */
+                ret = kstrtol(tmp, 0, offset);
-                ret = kstrtoul(tmp + 1, 0, offset);
                if (ret)
                        return ret;
                *tmp = '\0';
        } else
                *offset = 0;
diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h
index f6398db09114..0afe921df8c8 100644
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -335,7 +335,7 @@ extern int traceprobe_conflict_field_name(const char *name,
 extern void traceprobe_update_arg(struct probe_arg *arg);
 extern void traceprobe_free_probe_arg(struct probe_arg *arg);
-extern int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset);
+extern int traceprobe_split_symbol_offset(char *symbol, long *offset);
 extern ssize_t traceprobe_probes_write(struct file *file,
                const char __user *buffer, size_t count, loff_t *ppos,
diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
index d2f6d0be3503..68bb89ad9d28 100644
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs,
                return;
        ret = strncpy_from_user(dst, src, maxlen);
+        if (ret == maxlen)
+                dst[--ret] = '\0';
        if (ret < 0) {  /* Failed to fetch string */
                ((u8 *)get_rloc_data(dest))[0] = '\0';
diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c
index ecd536de603a..eda85bbf1c2e 100644
--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -202,7 +202,7 @@ static int tracepoint_add_func(struct tracepoint *tp,
                        lockdep_is_held(&tracepoints_mutex));
        old = func_add(&tp_funcs, func, prio);
        if (IS_ERR(old)) {
-                WARN_ON_ONCE(1);
+                WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
                return PTR_ERR(old);
        }
@@ -235,7 +235,7 @@ static int tracepoint_remove_func(struct tracepoint *tp,
                        lockdep_is_held(&tracepoints_mutex));
        old = func_remove(&tp_funcs, func);
        if (IS_ERR(old)) {
-                WARN_ON_ONCE(1);
+                WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
                return PTR_ERR(old);
        }
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 85555eb4d3cb..d8a2084b88db 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -4048,6 +4048,22 @@ void workqueue_set_max_active(struct workqueue_struct *wq, int max_active)
 EXPORT_SYMBOL_GPL(workqueue_set_max_active);
 /**
+ * current_work - retrieve %current task's work struct
+ *
+ * Determine if %current task is a workqueue worker and what it's working on.
+ * Useful to find out the context that the %current task is running in.
+ *
+ * Return: work struct if %current task is a workqueue worker, %NULL otherwise.
+ */
+struct work_struct *current_work(void)
+{
+        struct worker *worker = current_wq_worker();
+        return worker ? worker->current_work : NULL;
+}
+EXPORT_SYMBOL(current_work);
+/**
 * current_is_workqueue_rescuer - is %current workqueue rescuer?
 *
 * Determine whether %current is a workqueue rescuer.  Can be used from
@@ -5183,7 +5199,7 @@ int workqueue_sysfs_register(struct workqueue_struct *wq)
        ret = device_register(&wq_dev->dev);
        if (ret) {
-                kfree(wq_dev);
+                put_device(&wq_dev->dev);
                wq->wq_dev = NULL;
                return ret;
        }
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index b53b375e14bd..f0602beeba26 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -197,7 +197,7 @@ config ENABLE_MUST_CHECK
 config FRAME_WARN
        int "Warn for stack frames larger than (needs gcc 4.4)"
        range 0 8192
-        default 0 if KASAN
+        default 2048 if GCC_PLUGIN_LATENT_ENTROPY
        default 1024 if !64BIT
        default 2048 if 64BIT
        help
diff --git a/lib/Makefile b/lib/Makefile
index 7f1de26613d2..cb4f6aa95013 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -58,8 +58,6 @@ obj-$(CONFIG_HAS_IOMEM) += iomap_copy.o devres.o
 obj-$(CONFIG_CHECK_SIGNATURE) += check_signature.o
 obj-$(CONFIG_DEBUG_LOCKING_API_SELFTESTS) += locking-selftest.o
-GCOV_PROFILE_hweight.o := n
-CFLAGS_hweight.o = $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS))
 obj-$(CONFIG_GENERIC_HWEIGHT) += hweight.o
 obj-$(CONFIG_BTREE) += btree.o
diff --git a/lib/atomic64_test.c b/lib/atomic64_test.c
index 83c33a5bcffb..de67fea3cf46 100644
--- a/lib/atomic64_test.c
+++ b/lib/atomic64_test.c
@@ -16,6 +16,10 @@
 #include <linux/kernel.h>
 #include <linux/atomic.h>
+#ifdef CONFIG_X86
+#include <asm/cpufeature.h>     /* for boot_cpu_has below */
+#endif
 #define TEST(bit, op, c_op, val)                                \
 do {                                                            \
        atomic##bit##_set(&v, v0);                              \
diff --git a/lib/hweight.c b/lib/hweight.c
index 9a5c1f221558..43273a7d83cf 100644
--- a/lib/hweight.c
+++ b/lib/hweight.c
@@ -9,6 +9,7 @@
 * The Hamming Weight of a number is the total number of bits set in it.
 */
+#ifndef __HAVE_ARCH_SW_HWEIGHT
 unsigned int __sw_hweight32(unsigned int w)
 {
 #ifdef CONFIG_ARCH_HAS_FAST_MULTIPLIER
@@ -25,6 +26,7 @@ unsigned int __sw_hweight32(unsigned int w)
 #endif
 }
 EXPORT_SYMBOL(__sw_hweight32);
+#endif
 unsigned int __sw_hweight16(unsigned int w)
 {
@@ -43,6 +45,7 @@ unsigned int __sw_hweight8(unsigned int w)
 }
 EXPORT_SYMBOL(__sw_hweight8);
+#ifndef __HAVE_ARCH_SW_HWEIGHT
 unsigned long __sw_hweight64(__u64 w)
 {
 #if BITS_PER_LONG == 32
@@ -65,3 +68,4 @@ unsigned long __sw_hweight64(__u64 w)
 #endif
 }
 EXPORT_SYMBOL(__sw_hweight64);
+#endif
diff --git a/lib/ioremap.c b/lib/ioremap.c
index 86c8911b0e3a..b9462037868d 100644
--- a/lib/ioremap.c
+++ b/lib/ioremap.c
@@ -83,7 +83,8 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr,
                if (ioremap_pmd_enabled() &&
                    ((next - addr) == PMD_SIZE) &&
-                    IS_ALIGNED(phys_addr + addr, PMD_SIZE)) {
+                    IS_ALIGNED(phys_addr + addr, PMD_SIZE) &&
+                    pmd_free_pte_page(pmd, addr)) {
                        if (pmd_set_huge(pmd, phys_addr + addr, prot))
                                continue;
                }
@@ -109,7 +110,8 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr,
                if (ioremap_pud_enabled() &&
                    ((next - addr) == PUD_SIZE) &&
-                    IS_ALIGNED(phys_addr + addr, PUD_SIZE)) {
+                    IS_ALIGNED(phys_addr + addr, PUD_SIZE) &&
+                    pud_free_pmd_page(pud, addr)) {
                        if (pud_set_huge(pud, phys_addr + addr, prot))
                                continue;
                }
diff --git a/lib/kobject.c b/lib/kobject.c
index 7cbccd2b4c72..895edb63fba4 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -234,14 +234,12 @@ static int kobject_add_internal(struct kobject *kobj)
                /* be noisy on error issues */
                if (error == -EEXIST)
-                        WARN(1, "%s failed for %s with "
+                        pr_err("%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n",
-                             "-EEXIST, don't try to register things with "
+                               __func__, kobject_name(kobj));
-                             "the same name in the same directory.\n",
-                             __func__, kobject_name(kobj));
                else
-                        WARN(1, "%s failed for %s (error: %d parent: %s)\n",
+                        pr_err("%s failed for %s (error: %d parent: %s)\n",
-                             __func__, kobject_name(kobj), error,
+                               __func__, kobject_name(kobj), error,
-                             parent ? kobject_name(parent) : "'none'");
+                               parent ? kobject_name(parent) : "'none'");
        } else
                kobj->state_in_sysfs = 1;
diff --git a/lib/mpi/longlong.h b/lib/mpi/longlong.h
index b90e255c2a68..d2ecf0a09180 100644
--- a/lib/mpi/longlong.h
+++ b/lib/mpi/longlong.h
@@ -671,7 +671,23 @@ do {						\
        **************  MIPS/64  **************
        ***************************************/
 #if (defined(__mips) && __mips >= 3) && W_TYPE_SIZE == 64
-#if (__GNUC__ >= 5) || (__GNUC__ >= 4 && __GNUC_MINOR__ >= 4)
+#if defined(__mips_isa_rev) && __mips_isa_rev >= 6
+/*
+ * GCC ends up emitting a __multi3 intrinsic call for MIPS64r6 with the plain C
+ * code below, so we special case MIPS64r6 until the compiler can do better.
+ */
+#define umul_ppmm(w1, w0, u, v)                                         \
+do {                                                                    \
+        __asm__ ("dmulu %0,%1,%2"                                       \
+                 : "=d" ((UDItype)(w0))                                 \
+                 : "d" ((UDItype)(u)),                                  \
+                   "d" ((UDItype)(v)));                                 \
+        __asm__ ("dmuhu %0,%1,%2"                                       \
+                 : "=d" ((UDItype)(w1))                                 \
+                 : "d" ((UDItype)(u)),                                  \
+                   "d" ((UDItype)(v)));                                 \
+} while (0)
+#elif (__GNUC__ >= 5) || (__GNUC__ >= 4 && __GNUC_MINOR__ >= 4)
 #define umul_ppmm(w1, w0, u, v) \
 do {                                                                    \
        typedef unsigned int __ll_UTItype __attribute__((mode(TI)));    \
diff --git a/lib/oid_registry.c b/lib/oid_registry.c
index 318f382a010d..150e04d70303 100644
--- a/lib/oid_registry.c
+++ b/lib/oid_registry.c
@@ -116,7 +116,7 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
        int count;
        if (v >= end)
-                return -EBADMSG;
+                goto bad;
        n = *v++;
        ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
@@ -134,7 +134,7 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
                        num = n & 0x7f;
                        do {
                                if (v >= end)
-                                        return -EBADMSG;
+                                        goto bad;
                                n = *v++;
                                num <<= 7;
                                num |= n & 0x7f;
@@ -148,6 +148,10 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
        }
        return ret;
+bad:
+        snprintf(buffer, bufsize, "(bad)");
+        return -EBADMSG;
 }
 EXPORT_SYMBOL_GPL(sprint_oid);
diff --git a/lib/rhashtable.c b/lib/rhashtable.c
index 51282f579760..37ea94b636a3 100644
--- a/lib/rhashtable.c
+++ b/lib/rhashtable.c
@@ -670,8 +670,16 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_stop);
 static size_t rounded_hashtable_size(const struct rhashtable_params *params)
 {
-        return max(roundup_pow_of_two(params->nelem_hint * 4 / 3),
+        size_t retsize;
-                   (unsigned long)params->min_size);
+        if (params->nelem_hint)
+                retsize = max(roundup_pow_of_two(params->nelem_hint * 4 / 3),
+                              (unsigned long)params->min_size);
+        else
+                retsize = max(HASH_DEFAULT_SIZE,
+                              (unsigned long)params->min_size);
+        return retsize;
 }
 static u32 rhashtable_jhash2(const void *key, u32 length, u32 seed)
@@ -728,8 +736,6 @@ int rhashtable_init(struct rhashtable *ht,
        struct bucket_table *tbl;
        size_t size;
-        size = HASH_DEFAULT_SIZE;
        if ((!params->key_len && !params->obj_hashfn) ||
            (params->obj_hashfn && !params->obj_cmpfn))
                return -EINVAL;
@@ -756,8 +762,7 @@ int rhashtable_init(struct rhashtable *ht,
        ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE);
-        if (params->nelem_hint)
+        size = rounded_hashtable_size(&ht->p);
-                size = rounded_hashtable_size(&ht->p);
        /* The maximum (not average) chain length grows with the
         * size of the hash table, at a rate of (log N)/(log log N).
diff --git a/lib/test_bpf.c b/lib/test_bpf.c
index 7e26aea3e404..b1495f586f29 100644
--- a/lib/test_bpf.c
+++ b/lib/test_bpf.c
@@ -83,6 +83,7 @@ struct bpf_test {
                __u32 result;
        } test[MAX_SUBTESTS];
        int (*fill_helper)(struct bpf_test *self);
+        int expected_errcode; /* used when FLAG_EXPECTED_FAIL is set in the aux */
        __u8 frag_data[MAX_DATA];
 };
@@ -1780,7 +1781,9 @@ static struct bpf_test tests[] = {
                },
                CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
                { },
-                { }
+                { },
+                .fill_helper = NULL,
+                .expected_errcode = -EINVAL,
        },
        {
                "check: div_k_0",
@@ -1790,7 +1793,9 @@ static struct bpf_test tests[] = {
                },
                CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
                { },
-                { }
+                { },
+                .fill_helper = NULL,
+                .expected_errcode = -EINVAL,
        },
        {
                "check: unknown insn",
@@ -1801,7 +1806,9 @@ static struct bpf_test tests[] = {
                },
                CLASSIC | FLAG_EXPECTED_FAIL,
                { },
-                { }
+                { },
+                .fill_helper = NULL,
+                .expected_errcode = -EINVAL,
        },
        {
                "check: out of range spill/fill",
@@ -1811,7 +1818,9 @@ static struct bpf_test tests[] = {
                },
                CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
                { },
-                { }
+                { },
+                .fill_helper = NULL,
+                .expected_errcode = -EINVAL,
        },
        {
                "JUMPS + HOLES",
@@ -1903,6 +1912,8 @@ static struct bpf_test tests[] = {
                CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
                { },
                { },
+                .fill_helper = NULL,
+                .expected_errcode = -EINVAL,
        },
        {
                "check: LDX + RET X",
@@ -1913,6 +1924,8 @@ static struct bpf_test tests[] = {
                CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
                { },
                { },
+                .fill_helper = NULL,
+                .expected_errcode = -EINVAL,
        },
        {       /* Mainly checking JIT here. */
                "M[]: alt STX + LDX",
@@ -2087,6 +2100,8 @@ static struct bpf_test tests[] = {
                CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
                { },
                { },
+                .fill_helper = NULL,
+                .expected_errcode = -EINVAL,
        },
        {       /* Passes checker but fails during runtime. */
                "LD [SKF_AD_OFF-1]",
@@ -4462,6 +4477,7 @@ static struct bpf_test tests[] = {
                { },
                { },
                .fill_helper = bpf_fill_maxinsns4,
+                .expected_errcode = -EINVAL,
        },
        {       /* Mainly checking JIT here. */
                "BPF_MAXINSNS: Very long jump",
@@ -4517,10 +4533,15 @@ static struct bpf_test tests[] = {
        {
                "BPF_MAXINSNS: Jump, gap, jump, ...",
                { },
+#ifdef CONFIG_BPF_JIT_ALWAYS_ON
+                CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL,
+#else
                CLASSIC | FLAG_NO_DATA,
+#endif
                { },
                { { 0, 0xababcbac } },
                .fill_helper = bpf_fill_maxinsns11,
+                .expected_errcode = -ENOTSUPP,
        },
        {
                "BPF_MAXINSNS: ld_abs+get_processor_id",
@@ -5290,7 +5311,7 @@ static struct bpf_prog *generate_filter(int which, int *err)
                *err = bpf_prog_create(&fp, &fprog);
                if (tests[which].aux & FLAG_EXPECTED_FAIL) {
-                        if (*err == -EINVAL) {
+                        if (*err == tests[which].expected_errcode) {
                                pr_cont("PASS\n");
                                /* Verifier rejected filter as expected. */
                                *err = 0;
@@ -5304,9 +5325,8 @@ static struct bpf_prog *generate_filter(int which, int *err)
                                return NULL;
                        }
                }
-                /* We don't expect to fail. */
                if (*err) {
-                        pr_cont("FAIL to attach err=%d len=%d\n",
+                        pr_cont("FAIL to prog_create err=%d len=%d\n",
                                *err, fprog.len);
                        return NULL;
                }
@@ -5325,7 +5345,11 @@ static struct bpf_prog *generate_filter(int which, int *err)
                fp->type = BPF_PROG_TYPE_SOCKET_FILTER;
                memcpy(fp->insnsi, fptr, fp->len * sizeof(struct bpf_insn));
-                bpf_prog_select_runtime(fp);
+                *err = bpf_prog_select_runtime(fp);
+                if (*err) {
+                        pr_cont("FAIL to select_runtime err=%d\n", *err);
+                        return NULL;
+                }
                break;
        }
@@ -5511,8 +5535,8 @@ static __init int test_bpf(void)
                                pass_cnt++;
                                continue;
                        }
+                        err_cnt++;
-                        return err;
+                        continue;
                }
                pr_cont("jited:%u ", fp->jited);
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index f9cee8e1233c..646009db4198 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1345,9 +1345,6 @@ char *clock(char *buf, char *end, struct clk *clk, struct printf_spec spec,
                return string(buf, end, NULL, spec);
        switch (fmt[1]) {
-        case 'r':
-                return number(buf, end, clk_get_rate(clk), spec);
        case 'n':
        default:
 #ifdef CONFIG_COMMON_CLK
diff --git a/mm/Kconfig b/mm/Kconfig
index 97a4e06b15c0..5753f69b23f4 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -628,6 +628,7 @@ config DEFERRED_STRUCT_PAGE_INIT
        default n
        depends on ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT
        depends on MEMORY_HOTPLUG
+        depends on !NEED_PER_CPU_KM
        help
          Ordinarily all struct pages are initialised during early boot in a
          single thread. On very large machines this can take a considerable
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index a988d4ef39da..7f80b1a1bc34 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -922,7 +922,7 @@ static atomic_t nr_wb_congested[2];
 void clear_wb_congested(struct bdi_writeback_congested *congested, int sync)
 {
        wait_queue_head_t *wqh = &congestion_wqh[sync];
-        enum wb_state bit;
+        enum wb_congested_state bit;
        bit = sync ? WB_sync_congested : WB_async_congested;
        if (test_and_clear_bit(bit, &congested->state))
@@ -935,7 +935,7 @@ EXPORT_SYMBOL(clear_wb_congested);
 void set_wb_congested(struct bdi_writeback_congested *congested, int sync)
 {
-        enum wb_state bit;
+        enum wb_congested_state bit;
        bit = sync ? WB_sync_congested : WB_async_congested;
        if (!test_and_set_bit(bit, &congested->state))
diff --git a/mm/cma.c b/mm/cma.c
index 384c2cb51b56..488b6c62463b 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -54,7 +54,7 @@ unsigned long cma_get_size(const struct cma *cma)
 }
 static unsigned long cma_bitmap_aligned_mask(const struct cma *cma,
-                                             int align_order)
+                                             unsigned int align_order)
 {
        if (align_order <= cma->order_per_bit)
                return 0;
@@ -62,17 +62,14 @@ static unsigned long cma_bitmap_aligned_mask(const struct cma *cma,
 }
 /*
- * Find a PFN aligned to the specified order and return an offset represented in
+ * Find the offset of the base PFN from the specified align_order.
- * order_per_bits.
+ * The value returned is represented in order_per_bits.
 */
 static unsigned long cma_bitmap_aligned_offset(const struct cma *cma,
-                                               int align_order)
+                                               unsigned int align_order)
 {
-        if (align_order <= cma->order_per_bit)
+        return (cma->base_pfn & ((1UL << align_order) - 1))
-                return 0;
+                >> cma->order_per_bit;
-        return (ALIGN(cma->base_pfn, (1UL << align_order))
-                - cma->base_pfn) >> cma->order_per_bit;
 }
 static unsigned long cma_bitmap_pages_to_bits(const struct cma *cma,
diff --git a/mm/early_ioremap.c b/mm/early_ioremap.c
index 6d5717bd7197..57540de2b44c 100644
--- a/mm/early_ioremap.c
+++ b/mm/early_ioremap.c
@@ -103,7 +103,7 @@ __early_ioremap(resource_size_t phys_addr, unsigned long size, pgprot_t prot)
        enum fixed_addresses idx;
        int i, slot;
-        WARN_ON(system_state != SYSTEM_BOOTING);
+        WARN_ON(system_state >= SYSTEM_RUNNING);
        slot = -1;
        for (i = 0; i < FIX_BTMAPS_SLOTS; i++) {
diff --git a/mm/filemap.c b/mm/filemap.c
index 69f75c77c098..21e750b6e810 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -571,7 +571,7 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask)
        VM_BUG_ON_PAGE(!PageLocked(new), new);
        VM_BUG_ON_PAGE(new->mapping, new);
-        error = radix_tree_preload(gfp_mask & ~__GFP_HIGHMEM);
+        error = radix_tree_preload(gfp_mask & GFP_RECLAIM_MASK);
        if (!error) {
                struct address_space *mapping = old->mapping;
                void (*freepage)(struct page *);
@@ -630,7 +630,7 @@ static int __add_to_page_cache_locked(struct page *page,
                        return error;
        }
-        error = radix_tree_maybe_preload(gfp_mask & ~__GFP_HIGHMEM);
+        error = radix_tree_maybe_preload(gfp_mask & GFP_RECLAIM_MASK);
        if (error) {
                if (!huge)
                        mem_cgroup_cancel_charge(page, memcg);
@@ -1192,8 +1192,7 @@ no_page:
                if (fgp_flags & FGP_ACCESSED)
                        __SetPageReferenced(page);
-                err = add_to_page_cache_lru(page, mapping, offset,
+                err = add_to_page_cache_lru(page, mapping, offset, gfp_mask);
-                                gfp_mask & GFP_RECLAIM_MASK);
                if (unlikely(err)) {
                        page_cache_release(page);
                        page = NULL;
@@ -1582,6 +1581,15 @@ find_page:
                                        index, last_index - index);
                }
                if (!PageUptodate(page)) {
+                        /*
+                         * See comment in do_read_cache_page on why
+                         * wait_on_page_locked is used to avoid unnecessarily
+                         * serialisations and why it's safe.
+                         */
+                        wait_on_page_locked_killable(page);
+                        if (PageUptodate(page))
+                                goto page_ok;
                        if (inode->i_blkbits == PAGE_CACHE_SHIFT ||
                                        !mapping->a_ops->is_partially_uptodate)
                                goto page_not_up_to_date;
@@ -1827,19 +1835,18 @@ EXPORT_SYMBOL(generic_file_read_iter);
 * This adds the requested page to the page cache if it isn't already there,
 * and schedules an I/O to read in its contents from disk.
 */
-static int page_cache_read(struct file *file, pgoff_t offset)
+static int page_cache_read(struct file *file, pgoff_t offset, gfp_t gfp_mask)
 {
        struct address_space *mapping = file->f_mapping;
        struct page *page;
        int ret;
        do {
-                page = page_cache_alloc_cold(mapping);
+                page = __page_cache_alloc(gfp_mask|__GFP_COLD);
                if (!page)
                        return -ENOMEM;
-                ret = add_to_page_cache_lru(page, mapping, offset,
+                ret = add_to_page_cache_lru(page, mapping, offset, gfp_mask);
-                                mapping_gfp_constraint(mapping, GFP_KERNEL));
                if (ret == 0)
                        ret = mapping->a_ops->readpage(file, page);
                else if (ret == -EEXIST)
@@ -2020,7 +2027,7 @@ no_cached_page:
         * We're only likely to ever get here if MADV_RANDOM is in
         * effect.
         */
-        error = page_cache_read(file, offset);
+        error = page_cache_read(file, offset, vmf->gfp_mask);
        /*
         * The page we want has now been added to the page cache.
@@ -2217,7 +2224,7 @@ static struct page *wait_on_page_read(struct page *page)
        return page;
 }
-static struct page *__read_cache_page(struct address_space *mapping,
+static struct page *do_read_cache_page(struct address_space *mapping,
                                pgoff_t index,
                                int (*filler)(void *, struct page *),
                                void *data,
@@ -2239,53 +2246,74 @@ repeat:
                        /* Presumably ENOMEM for radix tree node */
                        return ERR_PTR(err);
                }
+filler:
                err = filler(data, page);
                if (err < 0) {
                        page_cache_release(page);
-                        page = ERR_PTR(err);
+                        return ERR_PTR(err);
-                } else {
-                        page = wait_on_page_read(page);
                }
-        }
-        return page;
-}
-static struct page *do_read_cache_page(struct address_space *mapping,
+                page = wait_on_page_read(page);
-                                pgoff_t index,
+                if (IS_ERR(page))
-                                int (*filler)(void *, struct page *),
+                        return page;
-                                void *data,
+                goto out;
-                                gfp_t gfp)
+        }
+        if (PageUptodate(page))
-{
+                goto out;
-        struct page *page;
-        int err;
-retry:
+        /*
-        page = __read_cache_page(mapping, index, filler, data, gfp);
+         * Page is not up to date and may be locked due one of the following
-        if (IS_ERR(page))
+         * case a: Page is being filled and the page lock is held
-                return page;
+         * case b: Read/write error clearing the page uptodate status
+         * case c: Truncation in progress (page locked)
+         * case d: Reclaim in progress
+         *
+         * Case a, the page will be up to date when the page is unlocked.
+         *    There is no need to serialise on the page lock here as the page
+         *    is pinned so the lock gives no additional protection. Even if the
+         *    the page is truncated, the data is still valid if PageUptodate as
+         *    it's a race vs truncate race.
+         * Case b, the page will not be up to date
+         * Case c, the page may be truncated but in itself, the data may still
+         *    be valid after IO completes as it's a read vs truncate race. The
+         *    operation must restart if the page is not uptodate on unlock but
+         *    otherwise serialising on page lock to stabilise the mapping gives
+         *    no additional guarantees to the caller as the page lock is
+         *    released before return.
+         * Case d, similar to truncation. If reclaim holds the page lock, it
+         *    will be a race with remove_mapping that determines if the mapping
+         *    is valid on unlock but otherwise the data is valid and there is
+         *    no need to serialise with page lock.
+         *
+         * As the page lock gives no additional guarantee, we optimistically
+         * wait on the page to be unlocked and check if it's up to date and
+         * use the page if it is. Otherwise, the page lock is required to
+         * distinguish between the different cases. The motivation is that we
+         * avoid spurious serialisations and wakeups when multiple processes
+         * wait on the same page for IO to complete.
+         */
+        wait_on_page_locked(page);
        if (PageUptodate(page))
                goto out;
+        /* Distinguish between all the cases under the safety of the lock */
        lock_page(page);
+        /* Case c or d, restart the operation */
        if (!page->mapping) {
                unlock_page(page);
                page_cache_release(page);
-                goto retry;
+                goto repeat;
        }
+        /* Someone else locked and filled the page in a very small window */
        if (PageUptodate(page)) {
                unlock_page(page);
                goto out;
        }
-        err = filler(data, page);
+        goto filler;
-        if (err < 0) {
-                page_cache_release(page);
-                return ERR_PTR(err);
-        } else {
-                page = wait_on_page_read(page);
-                if (IS_ERR(page))
-                        return page;
-        }
 out:
        mark_page_accessed(page);
        return page;
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 7294301d8495..a813b03021b7 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2038,6 +2038,7 @@ static void __init gather_bootmem_prealloc(void)
                 */
                if (hstate_is_gigantic(h))
                        adjust_managed_page_count(page, 1 << h->order);
+                cond_resched();
        }
 }
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index bc0a8d8b8f42..ba9adce1422a 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -548,5 +548,5 @@ static int __init kasan_memhotplug_init(void)
        return 0;
 }
-module_init(kasan_memhotplug_init);
+core_initcall(kasan_memhotplug_init);
 #endif
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index ae113cf8f3b9..b403bf406b41 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -1441,6 +1441,8 @@ static void kmemleak_scan(void)
                        if (page_count(page) == 0)
                                continue;
                        scan_block(page, page + 1, NULL);
+                        if (!(pfn % (MAX_SCAN_SIZE / sizeof(*page))))
+                                cond_resched();
                }
        }
        put_online_mems();
@@ -1569,8 +1571,7 @@ static void start_scan_thread(void)
 }
 /*
- * Stop the automatic memory scanning thread. This function must be called
+ * Stop the automatic memory scanning thread.
- * with the scan_mutex held.
 */
 static void stop_scan_thread(void)
 {
@@ -1833,12 +1834,15 @@ static void kmemleak_do_cleanup(struct work_struct *work)
 {
        stop_scan_thread();
+        mutex_lock(&scan_mutex);
        /*
-         * Once the scan thread has stopped, it is safe to no longer track
+         * Once it is made sure that kmemleak_scan has stopped, it is safe to no
-         * object freeing. Ordering of the scan thread stopping and the memory
+         * longer track object freeing. Ordering of the scan thread stopping and
-         * accesses below is guaranteed by the kthread_stop() function.
+         * the memory accesses below is guaranteed by the kthread_stop()
+         * function.
         */
        kmemleak_free_enabled = 0;
+        mutex_unlock(&scan_mutex);
        if (!kmemleak_found_leaks)
                __kmemleak_do_cleanup();
diff --git a/mm/ksm.c b/mm/ksm.c
index 2f028e6d0831..0b496edc704b 100644
--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -1494,8 +1494,22 @@ static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item)
        tree_rmap_item =
                unstable_tree_search_insert(rmap_item, page, &tree_page);
        if (tree_rmap_item) {
+                bool split;
                kpage = try_to_merge_two_pages(rmap_item, page,
                                                tree_rmap_item, tree_page);
+                /*
+                 * If both pages we tried to merge belong to the same compound
+                 * page, then we actually ended up increasing the reference
+                 * count of the same compound page twice, and split_huge_page
+                 * failed.
+                 * Here we set a flag if that happened, and we use it later to
+                 * try split_huge_page again. Since we call put_page right
+                 * afterwards, the reference count will be correct and
+                 * split_huge_page should succeed.
+                 */
+                split = PageTransCompound(page)
+                        && compound_head(page) == compound_head(tree_page);
                put_page(tree_page);
                if (kpage) {
                        /*
@@ -1520,6 +1534,20 @@ static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item)
                                break_cow(tree_rmap_item);
                                break_cow(rmap_item);
                        }
+                } else if (split) {
+                        /*
+                         * We are here if we tried to merge two pages and
+                         * failed because they both belonged to the same
+                         * compound page. We will split the page now, but no
+                         * merging will take place.
+                         * We do not want to add the cost of a full lock; if
+                         * the page is locked, it is better to skip it and
+                         * perhaps try again later.
+                         */
+                        if (!trylock_page(page))
+                                return;
+                        split_huge_page(page);
+                        unlock_page(page);
                }
        }
 }
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index e25b93a4267d..9a8e688724b1 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -996,7 +996,7 @@ static void invalidate_reclaim_iterators(struct mem_cgroup *dead_memcg)
        int nid, zid;
        int i;
-        while ((memcg = parent_mem_cgroup(memcg))) {
+        for (; memcg; memcg = parent_mem_cgroup(memcg)) {
                for_each_node(nid) {
                        for (zid = 0; zid < MAX_NR_ZONES; zid++) {
                                mz = &memcg->nodeinfo[nid]->zoneinfo[zid];
@@ -5576,7 +5576,7 @@ static void uncharge_list(struct list_head *page_list)
                next = page->lru.next;
                VM_BUG_ON_PAGE(PageLRU(page), page);
-                VM_BUG_ON_PAGE(page_count(page), page);
+                VM_BUG_ON_PAGE(!PageHWPoison(page) && page_count(page), page);
                if (!page->mem_cgroup)
                        continue;
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 091fe9b06663..92a647957f91 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -539,6 +539,13 @@ static int delete_from_lru_cache(struct page *p)
                 */
                ClearPageActive(p);
                ClearPageUnevictable(p);
+                /*
+                 * Poisoned page might never drop its ref count to 0 so we have
+                 * to uncharge it manually from its memcg.
+                 */
+                mem_cgroup_uncharge(p);
                /*
                 * drop the page count elevated by isolate_lru_page()
                 */
diff --git a/mm/memory.c b/mm/memory.c
index 9ac55172aa7b..d5bb1465d30c 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -72,7 +72,7 @@
 #include "internal.h"
-#ifdef LAST_CPUPID_NOT_IN_PAGE_FLAGS
+#if defined(LAST_CPUPID_NOT_IN_PAGE_FLAGS) && !defined(CONFIG_COMPILE_TEST)
 #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid.
 #endif
@@ -1605,8 +1605,29 @@ out:
 int vm_insert_pfn(struct vm_area_struct *vma, unsigned long addr,
                        unsigned long pfn)
 {
+        return vm_insert_pfn_prot(vma, addr, pfn, vma->vm_page_prot);
+}
+EXPORT_SYMBOL(vm_insert_pfn);
+/**
+ * vm_insert_pfn_prot - insert single pfn into user vma with specified pgprot
+ * @vma: user vma to map to
+ * @addr: target user address of this page
+ * @pfn: source kernel pfn
+ * @pgprot: pgprot flags for the inserted page
+ *
+ * This is exactly like vm_insert_pfn, except that it allows drivers to
+ * to override pgprot on a per-page basis.
+ *
+ * This only makes sense for IO mappings, and it makes no sense for
+ * cow mappings.  In general, using multiple vmas is preferable;
+ * vm_insert_pfn_prot should only be used if using multiple VMAs is
+ * impractical.
+ */
+int vm_insert_pfn_prot(struct vm_area_struct *vma, unsigned long addr,
+                        unsigned long pfn, pgprot_t pgprot)
+{
        int ret;
-        pgprot_t pgprot = vma->vm_page_prot;
        /*
         * Technically, architectures with pte_special can avoid all these
         * restrictions (same for remap_pfn_range).  However we would like
@@ -1624,19 +1645,29 @@ int vm_insert_pfn(struct vm_area_struct *vma, unsigned long addr,
        if (track_pfn_insert(vma, &pgprot, pfn))
                return -EINVAL;
+        if (!pfn_modify_allowed(pfn, pgprot))
+                return -EACCES;
        ret = insert_pfn(vma, addr, pfn, pgprot);
        return ret;
 }
-EXPORT_SYMBOL(vm_insert_pfn);
+EXPORT_SYMBOL(vm_insert_pfn_prot);
 int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
                        unsigned long pfn)
 {
+        pgprot_t pgprot = vma->vm_page_prot;
        BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
        if (addr < vma->vm_start || addr >= vma->vm_end)
                return -EFAULT;
+        if (track_pfn_insert(vma, &pgprot, pfn))
+                return -EINVAL;
+        if (!pfn_modify_allowed(pfn, pgprot))
+                return -EACCES;
        /*
         * If we don't have pte special, then we have to use the pfn_valid()
@@ -1649,9 +1680,9 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
                struct page *page;
                page = pfn_to_page(pfn);
-                return insert_page(vma, addr, page, vma->vm_page_prot);
+                return insert_page(vma, addr, page, pgprot);
        }
-        return insert_pfn(vma, addr, pfn, vma->vm_page_prot);
+        return insert_pfn(vma, addr, pfn, pgprot);
 }
 EXPORT_SYMBOL(vm_insert_mixed);
@@ -1666,6 +1697,7 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd,
 {
        pte_t *pte;
        spinlock_t *ptl;
+        int err = 0;
        pte = pte_alloc_map_lock(mm, pmd, addr, &ptl);
        if (!pte)
@@ -1673,12 +1705,16 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd,
        arch_enter_lazy_mmu_mode();
        do {
                BUG_ON(!pte_none(*pte));
+                if (!pfn_modify_allowed(pfn, prot)) {
+                        err = -EACCES;
+                        break;
+                }
                set_pte_at(mm, addr, pte, pte_mkspecial(pfn_pte(pfn, prot)));
                pfn++;
        } while (pte++, addr += PAGE_SIZE, addr != end);
        arch_leave_lazy_mmu_mode();
        pte_unmap_unlock(pte - 1, ptl);
-        return 0;
+        return err;
 }
 static inline int remap_pmd_range(struct mm_struct *mm, pud_t *pud,
@@ -1687,6 +1723,7 @@ static inline int remap_pmd_range(struct mm_struct *mm, pud_t *pud,
 {
        pmd_t *pmd;
        unsigned long next;
+        int err;
        pfn -= addr >> PAGE_SHIFT;
        pmd = pmd_alloc(mm, pud, addr);
@@ -1695,9 +1732,10 @@ static inline int remap_pmd_range(struct mm_struct *mm, pud_t *pud,
        VM_BUG_ON(pmd_trans_huge(*pmd));
        do {
                next = pmd_addr_end(addr, end);
-                if (remap_pte_range(mm, pmd, addr, next,
+                err = remap_pte_range(mm, pmd, addr, next,
-                                pfn + (addr >> PAGE_SHIFT), prot))
+                                pfn + (addr >> PAGE_SHIFT), prot);
-                        return -ENOMEM;
+                if (err)
+                        return err;
        } while (pmd++, addr = next, addr != end);
        return 0;
 }
@@ -1708,6 +1746,7 @@ static inline int remap_pud_range(struct mm_struct *mm, pgd_t *pgd,
 {
        pud_t *pud;
        unsigned long next;
+        int err;
        pfn -= addr >> PAGE_SHIFT;
        pud = pud_alloc(mm, pgd, addr);
@@ -1715,9 +1754,10 @@ static inline int remap_pud_range(struct mm_struct *mm, pgd_t *pgd,
                return -ENOMEM;
        do {
                next = pud_addr_end(addr, end);
-                if (remap_pmd_range(mm, pud, addr, next,
+                err = remap_pmd_range(mm, pud, addr, next,
-                                pfn + (addr >> PAGE_SHIFT), prot))
+                                pfn + (addr >> PAGE_SHIFT), prot);
-                        return -ENOMEM;
+                if (err)
+                        return err;
        } while (pud++, addr = next, addr != end);
        return 0;
 }
@@ -1990,6 +2030,20 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
                copy_user_highpage(dst, src, va, vma);
 }
+static gfp_t __get_fault_gfp_mask(struct vm_area_struct *vma)
+{
+        struct file *vm_file = vma->vm_file;
+        if (vm_file)
+                return mapping_gfp_mask(vm_file->f_mapping) | __GFP_FS | __GFP_IO;
+        /*
+         * Special mappings (e.g. VDSO) do not have any file so fake
+         * a default GFP_KERNEL for them.
+         */
+        return GFP_KERNEL;
+}
 /*
 * Notify the address space that the page is about to become writable so that
 * it can prohibit this or wait for the page to get into an appropriate state.
@@ -2005,6 +2059,7 @@ static int do_page_mkwrite(struct vm_area_struct *vma, struct page *page,
        vmf.virtual_address = (void __user *)(address & PAGE_MASK);
        vmf.pgoff = page->index;
        vmf.flags = FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE;
+        vmf.gfp_mask = __get_fault_gfp_mask(vma);
        vmf.page = page;
        vmf.cow_page = NULL;
@@ -2770,6 +2825,7 @@ static int __do_fault(struct vm_area_struct *vma, unsigned long address,
        vmf.pgoff = pgoff;
        vmf.flags = flags;
        vmf.page = NULL;
+        vmf.gfp_mask = __get_fault_gfp_mask(vma);
        vmf.cow_page = cow_page;
        ret = vma->vm_ops->fault(vma, &vmf);
@@ -2936,6 +2992,7 @@ static void do_fault_around(struct vm_area_struct *vma, unsigned long address,
        vmf.pgoff = pgoff;
        vmf.max_pgoff = max_pgoff;
        vmf.flags = flags;
+        vmf.gfp_mask = __get_fault_gfp_mask(vma);
        vma->vm_ops->map_pages(vma, &vmf);
 }
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index c947014d128a..b777590c3e13 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1232,6 +1232,7 @@ static int get_nodes(nodemask_t *nodes, const unsigned long __user *nmask,
                     unsigned long maxnode)
 {
        unsigned long k;
+        unsigned long t;
        unsigned long nlongs;
        unsigned long endmask;
@@ -1248,13 +1249,19 @@ static int get_nodes(nodemask_t *nodes, const unsigned long __user *nmask,
        else
                endmask = (1UL << (maxnode % BITS_PER_LONG)) - 1;
-        /* When the user specified more nodes than supported just check
+        /*
-           if the non supported part is all zero. */
+         * When the user specified more nodes than supported just check
+         * if the non supported part is all zero.
+         *
+         * If maxnode have more longs than MAX_NUMNODES, check
+         * the bits in that area first. And then go through to
+         * check the rest bits which equal or bigger than MAX_NUMNODES.
+         * Otherwise, just check bits [MAX_NUMNODES, maxnode).
+         */
        if (nlongs > BITS_TO_LONGS(MAX_NUMNODES)) {
                if (nlongs > PAGE_SIZE/sizeof(long))
                        return -EINVAL;
                for (k = BITS_TO_LONGS(MAX_NUMNODES); k < nlongs; k++) {
-                        unsigned long t;
                        if (get_user(t, nmask + k))
                                return -EFAULT;
                        if (k == nlongs - 1) {
@@ -1267,6 +1274,16 @@ static int get_nodes(nodemask_t *nodes, const unsigned long __user *nmask,
                endmask = ~0UL;
        }
+        if (maxnode > MAX_NUMNODES && MAX_NUMNODES % BITS_PER_LONG != 0) {
+                unsigned long valid_mask = endmask;
+                valid_mask &= ~((1UL << (MAX_NUMNODES % BITS_PER_LONG)) - 1);
+                if (get_user(t, nmask + nlongs - 1))
+                        return -EFAULT;
+                if (t & valid_mask)
+                        return -EINVAL;
+        }
        if (copy_from_user(nodes_addr(*nodes), nmask, nlongs*sizeof(unsigned long)))
                return -EFAULT;
        nodes_addr(*nodes)[nlongs-1] &= endmask;
@@ -1393,10 +1410,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
                goto out_put;
        }
-        if (!nodes_subset(*new, node_states[N_MEMORY])) {
+        task_nodes = cpuset_mems_allowed(current);
-                err = -EINVAL;
+        nodes_and(*new, *new, task_nodes);
+        if (nodes_empty(*new))
+                goto out_put;
+        nodes_and(*new, *new, node_states[N_MEMORY]);
+        if (nodes_empty(*new))
                goto out_put;
-        }
        err = security_task_movememory(task);
        if (err)
@@ -2121,6 +2142,9 @@ bool __mpol_equal(struct mempolicy *a, struct mempolicy *b)
        case MPOL_INTERLEAVE:
                return !!nodes_equal(a->v.nodes, b->v.nodes);
        case MPOL_PREFERRED:
+                /* a's ->flags is the same as b's */
+                if (a->flags & MPOL_F_LOCAL)
+                        return true;
                return a->v.preferred_node == b->v.preferred_node;
        default:
                BUG();
diff --git a/mm/mmap.c b/mm/mmap.c
index eaa460ddcaf9..39f5fbd07486 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1275,6 +1275,35 @@ static inline int mlock_future_check(struct mm_struct *mm,
        return 0;
 }
+static inline u64 file_mmap_size_max(struct file *file, struct inode *inode)
+{
+        if (S_ISREG(inode->i_mode))
+                return MAX_LFS_FILESIZE;
+        if (S_ISBLK(inode->i_mode))
+                return MAX_LFS_FILESIZE;
+        /* Special "we do even unsigned file positions" case */
+        if (file->f_mode & FMODE_UNSIGNED_OFFSET)
+                return 0;
+        /* Yes, random drivers might want more. But I'm tired of buggy drivers */
+        return ULONG_MAX;
+}
+static inline bool file_mmap_ok(struct file *file, struct inode *inode,
+                                unsigned long pgoff, unsigned long len)
+{
+        u64 maxsize = file_mmap_size_max(file, inode);
+        if (maxsize && len > maxsize)
+                return false;
+        maxsize -= len;
+        if (pgoff > maxsize >> PAGE_SHIFT)
+                return false;
+        return true;
+}
 /*
 * The caller must hold down_write(&current->mm->mmap_sem).
 */
@@ -1340,6 +1369,9 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
        if (file) {
                struct inode *inode = file_inode(file);
+                if (!file_mmap_ok(file, inode, pgoff, len))
+                        return -EOVERFLOW;
                switch (flags & MAP_TYPE) {
                case MAP_SHARED:
                        if ((prot&PROT_WRITE) && !(file->f_mode&FMODE_WRITE))
@@ -2188,7 +2220,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
                gap_addr = TASK_SIZE;
        next = vma->vm_next;
-        if (next && next->vm_start < gap_addr) {
+        if (next && next->vm_start < gap_addr &&
+                        (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
                if (!(next->vm_flags & VM_GROWSUP))
                        return -ENOMEM;
                /* Check that both stack segments have the same anon_vma? */
@@ -2273,7 +2306,8 @@ int expand_downwards(struct vm_area_struct *vma,
        if (gap_addr > address)
                return -ENOMEM;
        prev = vma->vm_prev;
-        if (prev && prev->vm_end > gap_addr) {
+        if (prev && prev->vm_end > gap_addr &&
+                        (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
                if (!(prev->vm_flags & VM_GROWSDOWN))
                        return -ENOMEM;
                /* Check that both stack segments have the same anon_vma? */
diff --git a/mm/mprotect.c b/mm/mprotect.c
index c0b4b2a49462..a277f3412a5d 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -255,6 +255,42 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
        return pages;
 }
+static int prot_none_pte_entry(pte_t *pte, unsigned long addr,
+                               unsigned long next, struct mm_walk *walk)
+{
+        return pfn_modify_allowed(pte_pfn(*pte), *(pgprot_t *)(walk->private)) ?
+                0 : -EACCES;
+}
+static int prot_none_hugetlb_entry(pte_t *pte, unsigned long hmask,
+                                   unsigned long addr, unsigned long next,
+                                   struct mm_walk *walk)
+{
+        return pfn_modify_allowed(pte_pfn(*pte), *(pgprot_t *)(walk->private)) ?
+                0 : -EACCES;
+}
+static int prot_none_test(unsigned long addr, unsigned long next,
+                          struct mm_walk *walk)
+{
+        return 0;
+}
+static int prot_none_walk(struct vm_area_struct *vma, unsigned long start,
+                           unsigned long end, unsigned long newflags)
+{
+        pgprot_t new_pgprot = vm_get_page_prot(newflags);
+        struct mm_walk prot_none_walk = {
+                .pte_entry = prot_none_pte_entry,
+                .hugetlb_entry = prot_none_hugetlb_entry,
+                .test_walk = prot_none_test,
+                .mm = current->mm,
+                .private = &new_pgprot,
+        };
+        return walk_page_range(start, end, &prot_none_walk);
+}
 int
 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
        unsigned long start, unsigned long end, unsigned long newflags)
@@ -273,6 +309,19 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
        }
        /*
+         * Do PROT_NONE PFN permission checks here when we can still
+         * bail out without undoing a lot of state. This is a rather
+         * uncommon case, so doesn't need to be very optimized.
+         */
+        if (arch_has_pfn_modify_check() &&
+            (vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) &&
+            (newflags & (VM_READ|VM_WRITE|VM_EXEC)) == 0) {
+                error = prot_none_walk(vma, start, end, newflags);
+                if (error)
+                        return error;
+        }
+        /*
         * If we make a private mapping writable we increase our commit;
         * but (without finer accounting) cannot reduce our commit if we
         * make it unwritable again. hugetlb mapping were accounted for
diff --git a/mm/page-writeback.c b/mm/page-writeback.c
index 71b0f525180a..8e80ea58c7e7 100644
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -2520,13 +2520,13 @@ void account_page_redirty(struct page *page)
        if (mapping && mapping_cap_account_dirty(mapping)) {
                struct inode *inode = mapping->host;
                struct bdi_writeback *wb;
-                bool locked;
+                struct wb_lock_cookie cookie = {};
-                wb = unlocked_inode_to_wb_begin(inode, &locked);
+                wb = unlocked_inode_to_wb_begin(inode, &cookie);
                current->nr_dirtied--;
                dec_zone_page_state(page, NR_DIRTIED);
                dec_wb_stat(wb, WB_DIRTIED);
-                unlocked_inode_to_wb_end(inode, locked);
+                unlocked_inode_to_wb_end(inode, &cookie);
        }
 }
 EXPORT_SYMBOL(account_page_redirty);
@@ -2632,15 +2632,15 @@ void cancel_dirty_page(struct page *page)
                struct inode *inode = mapping->host;
                struct bdi_writeback *wb;
                struct mem_cgroup *memcg;
-                bool locked;
+                struct wb_lock_cookie cookie = {};
                memcg = mem_cgroup_begin_page_stat(page);
-                wb = unlocked_inode_to_wb_begin(inode, &locked);
+                wb = unlocked_inode_to_wb_begin(inode, &cookie);
                if (TestClearPageDirty(page))
                        account_page_cleaned(page, mapping, memcg, wb);
-                unlocked_inode_to_wb_end(inode, locked);
+                unlocked_inode_to_wb_end(inode, &cookie);
                mem_cgroup_end_page_stat(memcg);
        } else {
                ClearPageDirty(page);
@@ -2673,7 +2673,7 @@ int clear_page_dirty_for_io(struct page *page)
                struct inode *inode = mapping->host;
                struct bdi_writeback *wb;
                struct mem_cgroup *memcg;
-                bool locked;
+                struct wb_lock_cookie cookie = {};
                /*
                 * Yes, Virginia, this is indeed insane.
@@ -2711,14 +2711,14 @@ int clear_page_dirty_for_io(struct page *page)
                 * exclusion.
                 */
                memcg = mem_cgroup_begin_page_stat(page);
-                wb = unlocked_inode_to_wb_begin(inode, &locked);
+                wb = unlocked_inode_to_wb_begin(inode, &cookie);
                if (TestClearPageDirty(page)) {
                        mem_cgroup_dec_page_stat(memcg, MEM_CGROUP_STAT_DIRTY);
                        dec_zone_page_state(page, NR_FILE_DIRTY);
                        dec_wb_stat(wb, WB_RECLAIMABLE);
                        ret = 1;
                }
-                unlocked_inode_to_wb_end(inode, locked);
+                unlocked_inode_to_wb_end(inode, &cookie);
                mem_cgroup_end_page_stat(memcg);
                return ret;
        }
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 417700241e52..bf2d9272b7ba 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2461,9 +2461,6 @@ static bool __zone_watermark_ok(struct zone *z, unsigned int order,
                if (!area->nr_free)
                        continue;
-                if (alloc_harder)
-                        return true;
                for (mt = 0; mt < MIGRATE_PCPTYPES; mt++) {
                        if (!list_empty(&area->free_list[mt]))
                                return true;
@@ -2475,6 +2472,9 @@ static bool __zone_watermark_ok(struct zone *z, unsigned int order,
                        return true;
                }
 #endif
+                if (alloc_harder &&
+                        !list_empty(&area->free_list[MIGRATE_HIGHATOMIC]))
+                        return true;
        }
        return false;
 }
@@ -3102,8 +3102,6 @@ retry:
                 * the allocation is high priority and these type of
                 * allocations are system rather than user orientated
                 */
-                ac->zonelist = node_zonelist(numa_node_id(), gfp_mask);
                page = __alloc_pages_high_priority(gfp_mask, order, ac);
                if (page) {
diff --git a/mm/percpu.c b/mm/percpu.c
index ef6353f0adbd..1c784df3bdfe 100644
--- a/mm/percpu.c
+++ b/mm/percpu.c
@@ -68,6 +68,7 @@
 #include <linux/vmalloc.h>
 #include <linux/workqueue.h>
 #include <linux/kmemleak.h>
+#include <linux/sched.h>
 #include <asm/cacheflush.h>
 #include <asm/sections.h>
diff --git a/mm/slab.c b/mm/slab.c
index 462938fc7cb9..78f082453481 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -3919,7 +3919,8 @@ next:
        next_reap_node();
 out:
        /* Set up the next iteration */
-        schedule_delayed_work(work, round_jiffies_relative(REAPTIMEOUT_AC));
+        schedule_delayed_work_on(smp_processor_id(), work,
+                                round_jiffies_relative(REAPTIMEOUT_AC));
 }
 #ifdef CONFIG_SLABINFO
diff --git a/mm/slub.c b/mm/slub.c
index d6fe997c0577..490825fd931a 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -689,7 +689,7 @@ void object_err(struct kmem_cache *s, struct page *page,
        print_trailer(s, page, object);
 }
-static void slab_err(struct kmem_cache *s, struct page *page,
+static __printf(3, 4) void slab_err(struct kmem_cache *s, struct page *page,
                        const char *fmt, ...)
 {
        va_list args;
diff --git a/mm/swapfile.c b/mm/swapfile.c
index c1a0f3dea8b5..8e25ff2b693a 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -2206,6 +2206,35 @@ static int claim_swapfile(struct swap_info_struct *p, struct inode *inode)
        return 0;
 }
+/*
+ * Find out how many pages are allowed for a single swap device. There
+ * are two limiting factors:
+ * 1) the number of bits for the swap offset in the swp_entry_t type, and
+ * 2) the number of bits in the swap pte, as defined by the different
+ * architectures.
+ *
+ * In order to find the largest possible bit mask, a swap entry with
+ * swap type 0 and swap offset ~0UL is created, encoded to a swap pte,
+ * decoded to a swp_entry_t again, and finally the swap offset is
+ * extracted.
+ *
+ * This will mask all the bits from the initial ~0UL mask that can't
+ * be encoded in either the swp_entry_t or the architecture definition
+ * of a swap pte.
+ */
+unsigned long generic_max_swapfile_size(void)
+{
+        return swp_offset(pte_to_swp_entry(
+                        swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1;
+}
+/* Can be overridden by an architecture for additional checks. */
+__weak unsigned long max_swapfile_size(void)
+{
+        return generic_max_swapfile_size();
+}
 static unsigned long read_swap_header(struct swap_info_struct *p,
                                        union swap_header *swap_header,
                                        struct inode *inode)
@@ -2241,23 +2270,12 @@ static unsigned long read_swap_header(struct swap_info_struct *p,
        p->cluster_next = 1;
        p->cluster_nr = 0;
-        /*
+        maxpages = max_swapfile_size();
-         * Find out how many pages are allowed for a single swap
-         * device. There are two limiting factors: 1) the number
-         * of bits for the swap offset in the swp_entry_t type, and
-         * 2) the number of bits in the swap pte as defined by the
-         * different architectures. In order to find the
-         * largest possible bit mask, a swap entry with swap type 0
-         * and swap offset ~0UL is created, encoded to a swap pte,
-         * decoded to a swp_entry_t again, and finally the swap
-         * offset is extracted. This will mask all the bits from
-         * the initial ~0UL mask that can't be encoded in either
-         * the swp_entry_t or the architecture definition of a
-         * swap pte.
-         */
-        maxpages = swp_offset(pte_to_swp_entry(
-                        swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1;
        last_page = swap_header->info.last_page;
+        if (!last_page) {
+                pr_warn("Empty swap-file\n");
+                return 0;
+        }
        if (last_page > maxpages) {
                pr_warn("Truncating oversized swap area, only using %luk out of %luk\n",
                        maxpages << (PAGE_SHIFT - 10),
diff --git a/mm/util.c b/mm/util.c
index d5259b62f8d7..5fae5b9c2885 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -80,6 +80,8 @@ EXPORT_SYMBOL(kstrdup_const);
 * @s: the string to duplicate
 * @max: read at most @max chars from @s
 * @gfp: the GFP mask used in the kmalloc() call when allocating memory
+ *
+ * Note: Use kmemdup_nul() instead if the size is known exactly.
 */
 char *kstrndup(const char *s, size_t max, gfp_t gfp)
 {
@@ -118,6 +120,28 @@ void *kmemdup(const void *src, size_t len, gfp_t gfp)
 EXPORT_SYMBOL(kmemdup);
 /**
+ * kmemdup_nul - Create a NUL-terminated string from unterminated data
+ * @s: The data to stringify
+ * @len: The size of the data
+ * @gfp: the GFP mask used in the kmalloc() call when allocating memory
+ */
+char *kmemdup_nul(const char *s, size_t len, gfp_t gfp)
+{
+        char *buf;
+        if (!s)
+                return NULL;
+        buf = kmalloc_track_caller(len + 1, gfp);
+        if (buf) {
+                memcpy(buf, s, len);
+                buf[len] = '\0';
+        }
+        return buf;
+}
+EXPORT_SYMBOL(kmemdup_nul);
+/**
 * memdup_user - duplicate memory region from user space
 *
 * @src: source address in user space
@@ -404,17 +428,25 @@ int get_cmdline(struct task_struct *task, char *buffer, int buflen)
        int res = 0;
        unsigned int len;
        struct mm_struct *mm = get_task_mm(task);
+        unsigned long arg_start, arg_end, env_start, env_end;
        if (!mm)
                goto out;
        if (!mm->arg_end)
                goto out_mm;    /* Shh! No looking before we're done */
-        len = mm->arg_end - mm->arg_start;
+        down_read(&mm->mmap_sem);
+        arg_start = mm->arg_start;
+        arg_end = mm->arg_end;
+        env_start = mm->env_start;
+        env_end = mm->env_end;
+        up_read(&mm->mmap_sem);
+        len = arg_end - arg_start;
        if (len > buflen)
                len = buflen;
-        res = access_process_vm(task, mm->arg_start, buffer, len, 0);
+        res = access_process_vm(task, arg_start, buffer, len, 0);
        /*
         * If the nul at the end of args has been overwritten, then
@@ -425,10 +457,10 @@ int get_cmdline(struct task_struct *task, char *buffer, int buflen)
                if (len < res) {
                        res = len;
                } else {
-                        len = mm->env_end - mm->env_start;
+                        len = env_end - env_start;
                        if (len > buflen - res)
                                len = buflen - res;
-                        res += access_process_vm(task, mm->env_start,
+                        res += access_process_vm(task, env_start,
                                                 buffer+res, len, 0);
                        res = strnlen(buffer, res);
                }
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 8e3c9c5a3042..de8e372ece04 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -1460,7 +1460,7 @@ static void __vunmap(const void *addr, int deallocate_pages)
                        addr))
                return;
-        area = remove_vm_area(addr);
+        area = find_vmap_area((unsigned long)addr)->vm;
        if (unlikely(!area)) {
                WARN(1, KERN_ERR "Trying to vfree() nonexistent vm area (%p)\n",
                                addr);
@@ -1470,6 +1470,7 @@ static void __vunmap(const void *addr, int deallocate_pages)
        debug_check_no_locks_freed(addr, get_vm_area_size(area));
        debug_check_no_obj_freed(addr, get_vm_area_size(area));
+        remove_vm_area(addr);
        if (deallocate_pages) {
                int i;
diff --git a/mm/vmscan.c b/mm/vmscan.c
index 440c2df9be82..76853088f66b 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -254,10 +254,13 @@ EXPORT_SYMBOL(register_shrinker);
 */
 void unregister_shrinker(struct shrinker *shrinker)
 {
+        if (!shrinker->nr_deferred)
+                return;
        down_write(&shrinker_rwsem);
        list_del(&shrinker->list);
        up_write(&shrinker_rwsem);
        kfree(shrinker->nr_deferred);
+        shrinker->nr_deferred = NULL;
 }
 EXPORT_SYMBOL(unregister_shrinker);
@@ -1309,6 +1312,7 @@ int __isolate_lru_page(struct page *page, isolate_mode_t mode)
                if (PageDirty(page)) {
                        struct address_space *mapping;
+                        bool migrate_dirty;
                        /* ISOLATE_CLEAN means only clean pages */
                        if (mode & ISOLATE_CLEAN)
@@ -1317,10 +1321,19 @@ int __isolate_lru_page(struct page *page, isolate_mode_t mode)
                        /*
                         * Only pages without mappings or that have a
                         * ->migratepage callback are possible to migrate
-                         * without blocking
+                         * without blocking. However, we can be racing with
+                         * truncation so it's necessary to lock the page
+                         * to stabilise the mapping as truncation holds
+                         * the page lock until after the page is removed
+                         * from the page cache.
                         */
+                        if (!trylock_page(page))
+                                return ret;
                        mapping = page_mapping(page);
-                        if (mapping && !mapping->a_ops->migratepage)
+                        migrate_dirty = !mapping || mapping->a_ops->migratepage;
+                        unlock_page(page);
+                        if (!migrate_dirty)
                                return ret;
                }
        }
@@ -2054,10 +2067,16 @@ static void get_scan_count(struct lruvec *lruvec, int swappiness,
        }
        /*
-         * There is enough inactive page cache, do not reclaim
+         * If there is enough inactive page cache, i.e. if the size of the
-         * anything from the anonymous working set right now.
+         * inactive list is greater than that of the active list *and* the
+         * inactive list actually has some pages to scan on this priority, we
+         * do not reclaim anything from the anonymous working set right now.
+         * Without the second condition we could end up never scanning an
+         * lruvec even if it has plenty of old anonymous pages unless the
+         * system is under heavy pressure.
         */
-        if (!inactive_file_is_low(lruvec)) {
+        if (!inactive_file_is_low(lruvec) &&
+            get_lru_size(lruvec, LRU_INACTIVE_FILE) >> sc->priority) {
                scan_balance = SCAN_FILE;
                goto out;
        }
@@ -3822,7 +3841,13 @@ int zone_reclaim(struct zone *zone, gfp_t gfp_mask, unsigned int order)
 */
 int page_evictable(struct page *page)
 {
-        return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page);
+        int ret;
+        /* Prevent address_space of inode and swap cache from being freed */
+        rcu_read_lock();
+        ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page);
+        rcu_read_unlock();
+        return ret;
 }
 #ifdef CONFIG_SHMEM
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index ca4dc9031073..ac9791dd4768 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -29,6 +29,7 @@
 #include <linux/net_tstamp.h>
 #include <linux/etherdevice.h>
 #include <linux/ethtool.h>
+#include <linux/phy.h>
 #include <net/arp.h>
 #include "vlan.h"
@@ -559,8 +560,7 @@ static int vlan_dev_init(struct net_device *dev)
                           NETIF_F_HIGHDMA | NETIF_F_SCTP_CSUM |
                           NETIF_F_ALL_FCOE;
-        dev->features |= real_dev->vlan_features | NETIF_F_LLTX |
+        dev->features |= dev->hw_features | NETIF_F_LLTX;
-                         NETIF_F_GSO_SOFTWARE;
        dev->gso_max_size = real_dev->gso_max_size;
        if (dev->features & NETIF_F_VLAN_FEATURES)
                netdev_warn(real_dev, "VLAN features are set incorrectly.  Q-in-Q configurations may not work correctly.\n");
@@ -655,8 +655,11 @@ static int vlan_ethtool_get_ts_info(struct net_device *dev,
 {
        const struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
        const struct ethtool_ops *ops = vlan->real_dev->ethtool_ops;
+        struct phy_device *phydev = vlan->real_dev->phydev;
-        if (ops->get_ts_info) {
+        if (phydev && phydev->drv && phydev->drv->ts_info) {
+                 return phydev->drv->ts_info(phydev, info);
+        } else if (ops->get_ts_info) {
                return ops->get_ts_info(vlan->real_dev, info);
        } else {
                info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
diff --git a/net/Kconfig b/net/Kconfig
index 127da94ae25e..129b9fcbf1d0 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -383,8 +383,15 @@ config LWTUNNEL
          weight tunnel endpoint. Tunnel encapsulation parameters are stored
          with light weight tunnel state associated with fib routes.
+config DST_CACHE
+        bool
+        default n
 endif   # if NET
 # Used by archs to tell that they support BPF_JIT
 config HAVE_BPF_JIT
        bool
+config HAVE_EBPF_JIT
+        bool
diff --git a/net/atm/lec.c b/net/atm/lec.c
index cd3b37989057..10e4066991b8 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };
 #include <linux/module.h>
 #include <linux/init.h>
+/* Hardening for Spectre-v1 */
+#include <linux/nospec.h>
 #include "lec.h"
 #include "lec_arpc.h"
 #include "resources.h"
@@ -697,8 +700,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg)
        bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc));
        if (bytes_left != 0)
                pr_info("copy from user failed for %d bytes\n", bytes_left);
-        if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF ||
+        if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF)
-            !dev_lec[ioc_data.dev_num])
+                return -EINVAL;
+        ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF);
+        if (!dev_lec[ioc_data.dev_num])
                return -EINVAL;
        vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL);
        if (!vpriv)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index f5d2fe5e31cc..c5208136e3fc 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1603,10 +1603,22 @@ int batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
                /* if yes, the client has roamed and we have
                 * to unclaim it.
                 */
-                batadv_handle_unclaim(bat_priv, primary_if,
+                if (batadv_has_timed_out(claim->lasttime, 100)) {
-                                      primary_if->net_dev->dev_addr,
+                        /* only unclaim if the last claim entry is
-                                      ethhdr->h_source, vid);
+                         * older than 100 ms to make sure we really
-                goto allow;
+                         * have a roaming client here.
+                         */
+                        batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Roaming client %pM detected. Unclaim it.\n",
+                                   ethhdr->h_source);
+                        batadv_handle_unclaim(bat_priv, primary_if,
+                                              primary_if->net_dev->dev_addr,
+                                              ethhdr->h_source, vid);
+                        goto allow;
+                } else {
+                        batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Race for claim %pM detected. Drop packet.\n",
+                                   ethhdr->h_source);
+                        goto handled;
+                }
        }
        /* check if it is a multicast/broadcast frame */
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 5f19133c5530..c2dff7c6e960 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -374,7 +374,7 @@ static void batadv_dbg_arp(struct batadv_priv *bat_priv, struct sk_buff *skb,
                   batadv_arp_hw_src(skb, hdr_size), &ip_src,
                   batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
-        if (hdr_size == 0)
+        if (hdr_size < sizeof(struct batadv_unicast_packet))
                return;
        unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index 700c96c82a15..5d2f9d4879b2 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -278,7 +278,8 @@ batadv_frag_merge_packets(struct hlist_head *chain)
        /* Move the existing MAC header to just before the payload. (Override
         * the fragment header.)
         */
-        skb_pull_rcsum(skb_out, hdr_size);
+        skb_pull(skb_out, hdr_size);
+        skb_out->ip_summed = CHECKSUM_NONE;
        memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN);
        skb_set_mac_header(skb_out, -ETH_HLEN);
        skb_reset_network_header(skb_out);
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index e6c8382c79ba..6abfba1e227f 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -798,6 +798,9 @@ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
        vid = batadv_get_vid(skb, 0);
+        if (is_multicast_ether_addr(ethhdr->h_dest))
+                goto out;
        orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
                                                 ethhdr->h_dest, vid);
        if (!orig_dst_node)
diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
index eb76386f8d4b..8aa2d65df86f 100644
--- a/net/batman-adv/multicast.c
+++ b/net/batman-adv/multicast.c
@@ -428,8 +428,8 @@ static struct batadv_orig_node *
 batadv_mcast_forw_tt_node_get(struct batadv_priv *bat_priv,
                              struct ethhdr *ethhdr)
 {
-        return batadv_transtable_search(bat_priv, ethhdr->h_source,
+        return batadv_transtable_search(bat_priv, NULL, ethhdr->h_dest,
-                                        ethhdr->h_dest, BATADV_NO_FLAGS);
+                                        BATADV_NO_FLAGS);
 }
 /**
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 720f1a5b81ac..9f1fe6169bef 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -430,13 +430,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
        /* skb->dev & skb->pkt_type are set here */
        skb->protocol = eth_type_trans(skb, soft_iface);
+        skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
-        /* should not be necessary anymore as we use skb_pull_rcsum()
-         * TODO: please verify this and remove this TODO
-         * -- Dec 21st 2009, Simon Wunderlich
-         */
-        /* skb->ip_summed = CHECKSUM_UNNECESSARY; */
        batadv_inc_counter(bat_priv, BATADV_CNT_RX);
        batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 24e9410923d0..80be0ee17ff3 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -708,7 +708,8 @@ done:
 }
 static void hci_req_add_le_create_conn(struct hci_request *req,
-                                       struct hci_conn *conn)
+                                       struct hci_conn *conn,
+                                       bdaddr_t *direct_rpa)
 {
        struct hci_cp_le_create_conn cp;
        struct hci_dev *hdev = conn->hdev;
@@ -716,11 +717,23 @@ static void hci_req_add_le_create_conn(struct hci_request *req,
        memset(&cp, 0, sizeof(cp));
-        /* Update random address, but set require_privacy to false so
+        /* If direct address was provided we use it instead of current
-         * that we never connect with an non-resolvable address.
+         * address.
         */
-        if (hci_update_random_address(req, false, &own_addr_type))
+        if (direct_rpa) {
-                return;
+                if (bacmp(&req->hdev->random_addr, direct_rpa))
+                        hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
+                                                                direct_rpa);
+                /* direct address is always RPA */
+                own_addr_type = ADDR_LE_DEV_RANDOM;
+        } else {
+                /* Update random address, but set require_privacy to false so
+                 * that we never connect with an non-resolvable address.
+                 */
+                if (hci_update_random_address(req, false, &own_addr_type))
+                        return;
+        }
        /* Set window to be the same value as the interval to enable
         * continuous scanning.
@@ -782,7 +795,7 @@ static void hci_req_directed_advertising(struct hci_request *req,
 struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
                                u8 dst_type, u8 sec_level, u16 conn_timeout,
-                                u8 role)
+                                u8 role, bdaddr_t *direct_rpa)
 {
        struct hci_conn_params *params;
        struct hci_conn *conn, *conn_unfinished;
@@ -913,7 +926,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
                hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
        }
-        hci_req_add_le_create_conn(&req, conn);
+        hci_req_add_le_create_conn(&req, conn, direct_rpa);
 create_conn:
        err = hci_req_run(&req, create_le_conn_complete);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 62edbf1b114e..5d0b1358c754 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -716,6 +716,7 @@ static void hci_set_event_mask_page_2(struct hci_request *req)
 {
        struct hci_dev *hdev = req->hdev;
        u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+        bool changed = false;
        /* If Connectionless Slave Broadcast master role is supported
         * enable all necessary events for it.
@@ -725,6 +726,7 @@ static void hci_set_event_mask_page_2(struct hci_request *req)
                events[1] |= 0x80;      /* Synchronization Train Complete */
                events[2] |= 0x10;      /* Slave Page Response Timeout */
                events[2] |= 0x20;      /* CSB Channel Map Change */
+                changed = true;
        }
        /* If Connectionless Slave Broadcast slave role is supported
@@ -735,13 +737,24 @@ static void hci_set_event_mask_page_2(struct hci_request *req)
                events[2] |= 0x02;      /* CSB Receive */
                events[2] |= 0x04;      /* CSB Timeout */
                events[2] |= 0x08;      /* Truncated Page Complete */
+                changed = true;
        }
        /* Enable Authenticated Payload Timeout Expired event if supported */
-        if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
+        if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) {
                events[2] |= 0x80;
+                changed = true;
+        }
-        hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
+        /* Some Broadcom based controllers indicate support for Set Event
+         * Mask Page 2 command, but then actually do not support it. Since
+         * the default value is all bits set to zero, the command is only
+         * required if the event mask has to be changed. In case no change
+         * to the event mask is needed, skip this command.
+         */
+        if (changed)
+                hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2,
+                            sizeof(events), events);
 }
 static void hci_init3_req(struct hci_request *req, unsigned long opt)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index d57c11c1c6b5..d40d32a2c12d 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4632,7 +4632,8 @@ static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
 /* This function requires the caller holds hdev->lock */
 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
                                              bdaddr_t *addr,
-                                              u8 addr_type, u8 adv_type)
+                                              u8 addr_type, u8 adv_type,
+                                              bdaddr_t *direct_rpa)
 {
        struct hci_conn *conn;
        struct hci_conn_params *params;
@@ -4683,7 +4684,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
        }
        conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
-                              HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
+                              HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
+                              direct_rpa);
        if (!IS_ERR(conn)) {
                /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
                 * by higher layer that tried to connect, if no then
@@ -4780,8 +4782,13 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
                bdaddr_type = irk->addr_type;
        }
-        /* Check if we have been requested to connect to this device */
+        /* Check if we have been requested to connect to this device.
-        conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
+         *
+         * direct_addr is set only for directed advertising reports (it is NULL
+         * for advertising reports) and is already verified to be RPA above.
+         */
+        conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
+                                                                direct_addr);
        if (conn && type == LE_ADV_IND) {
                /* Store report for later inclusion by
                 * mgmt_device_connected
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 1fc076420d1e..1811f8e7ddf4 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_session *session)
                del_timer(&session->timer);
 }
-static void hidp_process_report(struct hidp_session *session,
+static void hidp_process_report(struct hidp_session *session, int type,
-                                int type, const u8 *data, int len, int intr)
+                                const u8 *data, unsigned int len, int intr)
 {
        if (len > HID_MAX_BUFFER_SIZE)
                len = HID_MAX_BUFFER_SIZE;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 906f88550cd8..0dc27d2e8f18 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2251,8 +2251,14 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        else
                sec_level = authreq_to_seclevel(auth);
-        if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
+        if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
+                /* If link is already encrypted with sufficient security we
+                 * still need refresh encryption as per Core Spec 5.0 Vol 3,
+                 * Part H 2.4.6
+                 */
+                smp_ltk_encrypt(conn, hcon->sec_level);
                return 0;
+        }
        if (sec_level > hcon->pending_sec_level)
                hcon->pending_sec_level = sec_level;
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index ec02f5869a78..3400b1e47668 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -456,8 +456,8 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
        if (dev->netdev_ops->ndo_start_xmit == br_dev_xmit)
                return -ELOOP;
-        /* Device is already being bridged */
+        /* Device has master upper dev */
-        if (br_port_exists(dev))
+        if (netdev_master_upper_dev_get(dev))
                return -EBUSY;
        /* No bridging devices that dislike that (e.g. wireless) */
diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
index efe415ad842a..83bb695f9645 100644
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -229,6 +229,9 @@ static ssize_t brport_show(struct kobject *kobj,
        struct brport_attribute *brport_attr = to_brport_attr(attr);
        struct net_bridge_port *p = to_brport(kobj);
+        if (!brport_attr->show)
+                return -EINVAL;
        return brport_attr->show(p, buf);
 }
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 9024283d2bca..9adf16258cab 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,18 +172,69 @@ ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
        return true;
 }
+static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
+{
+        return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
+}
+static bool wormhash_offset_invalid(int off, unsigned int len)
+{
+        if (off == 0) /* not present */
+                return false;
+        if (off < (int)sizeof(struct ebt_among_info) ||
+            off % __alignof__(struct ebt_mac_wormhash))
+                return true;
+        off += sizeof(struct ebt_mac_wormhash);
+        return off > len;
+}
+static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int b)
+{
+        if (a == 0)
+                a = sizeof(struct ebt_among_info);
+        return ebt_mac_wormhash_size(wh) + a == b;
+}
 static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_among_info *info = par->matchinfo;
        const struct ebt_entry_match *em =
                container_of(par->matchinfo, const struct ebt_entry_match, data);
-        int expected_length = sizeof(struct ebt_among_info);
+        unsigned int expected_length = sizeof(struct ebt_among_info);
        const struct ebt_mac_wormhash *wh_dst, *wh_src;
        int err;
+        if (expected_length > em->match_size)
+                return -EINVAL;
+        if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
+            wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
+                return -EINVAL;
        wh_dst = ebt_among_wh_dst(info);
-        wh_src = ebt_among_wh_src(info);
+        if (poolsize_invalid(wh_dst))
+                return -EINVAL;
        expected_length += ebt_mac_wormhash_size(wh_dst);
+        if (expected_length > em->match_size)
+                return -EINVAL;
+        wh_src = ebt_among_wh_src(info);
+        if (poolsize_invalid(wh_src))
+                return -EINVAL;
+        if (info->wh_src_ofs < info->wh_dst_ofs) {
+                if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, info->wh_dst_ofs))
+                        return -EINVAL;
+        } else {
+                if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, info->wh_src_ofs))
+                        return -EINVAL;
+        }
        expected_length += ebt_mac_wormhash_size(wh_src);
        if (em->match_size != EBT_ALIGN(expected_length)) {
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index f46ca417bf2d..8b8a43fda6ca 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -404,6 +404,12 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
        watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
        if (IS_ERR(watcher))
                return PTR_ERR(watcher);
+        if (watcher->family != NFPROTO_BRIDGE) {
+                module_put(watcher->me);
+                return -ENOENT;
+        }
        w->u.watcher = watcher;
        par->target   = watcher;
@@ -701,6 +707,8 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
        }
        i = 0;
+        memset(&mtpar, 0, sizeof(mtpar));
+        memset(&tgpar, 0, sizeof(tgpar));
        mtpar.net       = tgpar.net       = net;
        mtpar.table     = tgpar.table     = name;
        mtpar.entryinfo = tgpar.entryinfo = e;
@@ -722,6 +730,13 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
                goto cleanup_watchers;
        }
+        /* Reject UNSPEC, xtables verdicts/return values are incompatible */
+        if (target->family != NFPROTO_BRIDGE) {
+                module_put(target->me);
+                ret = -ENOENT;
+                goto cleanup_watchers;
+        }
        t->u.target = target;
        if (t->u.target == &ebt_standard_target) {
                if (gap < sizeof(struct ebt_standard_target)) {
@@ -1614,7 +1629,8 @@ static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
        int off = ebt_compat_match_offset(match, m->match_size);
        compat_uint_t msize = m->match_size - off;
-        BUG_ON(off >= m->match_size);
+        if (WARN_ON(off >= m->match_size))
+                return -EINVAL;
        if (copy_to_user(cm->u.name, match->name,
            strlen(match->name) + 1) || put_user(msize, &cm->match_size))
@@ -1641,7 +1657,8 @@ static int compat_target_to_user(struct ebt_entry_target *t,
        int off = xt_compat_target_offset(target);
        compat_uint_t tsize = t->target_size - off;
-        BUG_ON(off >= t->target_size);
+        if (WARN_ON(off >= t->target_size))
+                return -EINVAL;
        if (copy_to_user(cm->u.name, target->name,
            strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
@@ -1869,7 +1886,8 @@ static int ebt_buf_add(struct ebt_entries_buf_state *state,
        if (state->buf_kern_start == NULL)
                goto count_only;
-        BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
+        if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
+                return -EINVAL;
        memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
@@ -1882,7 +1900,8 @@ static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
 {
        char *b = state->buf_kern_start;
-        BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
+        if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
+                return -EINVAL;
        if (b != NULL && sz > 0)
                memset(b + state->buf_kern_offset, 0, sz);
@@ -1908,7 +1927,8 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
        int off, pad = 0;
        unsigned int size_kern, match_size = mwt->match_size;
-        strlcpy(name, mwt->u.name, sizeof(name));
+        if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
+                return -EINVAL;
        if (state->buf_kern_start)
                dst = state->buf_kern_start + state->buf_kern_offset;
@@ -1959,8 +1979,10 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
        pad = XT_ALIGN(size_kern) - size_kern;
        if (pad > 0 && dst) {
-                BUG_ON(state->buf_kern_len <= pad);
+                if (WARN_ON(state->buf_kern_len <= pad))
-                BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
+                        return -EINVAL;
+                if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
+                        return -EINVAL;
                memset(dst + size_kern, 0, pad);
        }
        return off + match_size;
@@ -2011,7 +2033,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
                if (ret < 0)
                        return ret;
-                BUG_ON(ret < match32->match_size);
+                if (WARN_ON(ret < match32->match_size))
+                        return -EINVAL;
                growth += ret - match32->match_size;
                growth += ebt_compat_entry_padsize();
@@ -2021,7 +2044,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
                if (match_kern)
                        match_kern->match_size = ret;
-                WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+                if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+                        return -EINVAL;
                match32 = (struct compat_ebt_entry_mwt *) buf;
        }
@@ -2078,6 +2103,19 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
         *
         * offsets are relative to beginning of struct ebt_entry (i.e., 0).
         */
+        for (i = 0; i < 4 ; ++i) {
+                if (offsets[i] > *total)
+                        return -EINVAL;
+                if (i < 3 && offsets[i] == *total)
+                        return -EINVAL;
+                if (i == 0)
+                        continue;
+                if (offsets[i-1] > offsets[i])
+                        return -EINVAL;
+        }
        for (i = 0, j = 1 ; j < 4 ; j++, i++) {
                struct compat_ebt_entry_mwt *match32;
                unsigned int size;
@@ -2110,7 +2148,8 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
        startoff = state->buf_user_offset - startoff;
-        BUG_ON(*total < startoff);
+        if (WARN_ON(*total < startoff))
+                return -EINVAL;
        *total -= startoff;
        return 0;
 }
@@ -2238,7 +2277,8 @@ static int compat_do_replace(struct net *net, void __user *user,
        state.buf_kern_len = size64;
        ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
-        BUG_ON(ret < 0);        /* parses same data again */
+        if (WARN_ON(ret < 0))
+                goto out_unlock;
        vfree(entries_tmp);
        tmp.entries_size = size64;
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 928f58064098..c866e761651a 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -722,13 +722,12 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev,
        if (unlikely(!net_eq(dev_net(dev), &init_net)))
                goto drop;
-        if (WARN_ONCE(dev->type != ARPHRD_CAN ||
+        if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU ||
-                      skb->len != CAN_MTU ||
+                     cfd->len > CAN_MAX_DLEN)) {
-                      cfd->len > CAN_MAX_DLEN,
+                pr_warn_once("PF_CAN: dropped non conform CAN skbuf: dev type %d, len %d, datalen %d\n",
-                      "PF_CAN: dropped non conform CAN skbuf: "
+                             dev->type, skb->len, cfd->len);
-                      "dev type %d, len %d, datalen %d\n",
-                      dev->type, skb->len, cfd->len))
                goto drop;
+        }
        can_receive(skb, dev);
        return NET_RX_SUCCESS;
@@ -746,13 +745,12 @@ static int canfd_rcv(struct sk_buff *skb, struct net_device *dev,
        if (unlikely(!net_eq(dev_net(dev), &init_net)))
                goto drop;
-        if (WARN_ONCE(dev->type != ARPHRD_CAN ||
+        if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU ||
-                      skb->len != CANFD_MTU ||
+                     cfd->len > CANFD_MAX_DLEN)) {
-                      cfd->len > CANFD_MAX_DLEN,
+                pr_warn_once("PF_CAN: dropped non conform CAN FD skbuf: dev type %d, len %d, datalen %d\n",
-                      "PF_CAN: dropped non conform CAN FD skbuf: "
+                             dev->type, skb->len, cfd->len);
-                      "dev type %d, len %d, datalen %d\n",
-                      dev->type, skb->len, cfd->len))
                goto drop;
+        }
        can_receive(skb, dev);
        return NET_RX_SUCCESS;
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index a6b2f2138c9d..ad3c9e96a275 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2531,6 +2531,11 @@ static int try_write(struct ceph_connection *con)
        int ret = 1;
        dout("try_write start %p state %lu\n", con, con->state);
+        if (con->state != CON_STATE_PREOPEN &&
+            con->state != CON_STATE_CONNECTING &&
+            con->state != CON_STATE_NEGOTIATING &&
+            con->state != CON_STATE_OPEN)
+                return 0;
 more:
        dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes);
@@ -2556,6 +2561,8 @@ more:
        }
 more_kvec:
+        BUG_ON(!con->sock);
        /* kvec data queued? */
        if (con->out_kvec_left) {
                ret = write_partial_kvec(con);
diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index bc95e48d5cfb..378c9ed00d40 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -295,6 +295,7 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
                u32 yes;
                struct crush_rule *r;
+                err = -EINVAL;
                ceph_decode_32_safe(p, end, yes, bad);
                if (!yes) {
                        dout("crush_decode NO rule %d off %x %p to %p\n",
diff --git a/net/compat.c b/net/compat.c
index 0ccf3ecf6bbb..17e97b106458 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -358,7 +358,8 @@ static int compat_sock_setsockopt(struct socket *sock, int level, int optname,
        if (optname == SO_ATTACH_FILTER)
                return do_set_attach_filter(sock, level, optname,
                                            optval, optlen);
-        if (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO)
+        if (!COMPAT_USE_64BIT_TIME &&
+            (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO))
                return do_set_sock_timeout(sock, level, optname, optval, optlen);
        return sock_setsockopt(sock, level, optname, optval, optlen);
@@ -423,7 +424,8 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
 static int compat_sock_getsockopt(struct socket *sock, int level, int optname,
                                char __user *optval, int __user *optlen)
 {
-        if (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO)
+        if (!COMPAT_USE_64BIT_TIME &&
+            (optname == SO_RCVTIMEO || optname == SO_SNDTIMEO))
                return do_get_sock_timeout(sock, level, optname, optval, optlen);
        return sock_getsockopt(sock, level, optname, optval, optlen);
 }
diff --git a/net/core/Makefile b/net/core/Makefile
index 086b01fbe1bd..0d8ad4d0261b 100644
--- a/net/core/Makefile
+++ b/net/core/Makefile
@@ -24,3 +24,4 @@ obj-$(CONFIG_NET_PTP_CLASSIFY) += ptp_classifier.o
 obj-$(CONFIG_CGROUP_NET_PRIO) += netprio_cgroup.o
 obj-$(CONFIG_CGROUP_NET_CLASSID) += netclassid_cgroup.o
 obj-$(CONFIG_LWTUNNEL) += lwtunnel.o
+obj-$(CONFIG_DST_CACHE) += dst_cache.o
diff --git a/net/core/dev.c b/net/core/dev.c
index 3b67c1e5756f..3bcbf931a910 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -989,7 +989,7 @@ bool dev_valid_name(const char *name)
 {
        if (*name == '\0')
                return false;
-        if (strlen(name) >= IFNAMSIZ)
+        if (strnlen(name, IFNAMSIZ) == IFNAMSIZ)
                return false;
        if (!strcmp(name, ".") || !strcmp(name, ".."))
                return false;
@@ -2183,8 +2183,11 @@ EXPORT_SYMBOL(netif_set_xps_queue);
 */
 int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
 {
+        bool disabling;
        int rc;
+        disabling = txq < dev->real_num_tx_queues;
        if (txq < 1 || txq > dev->num_tx_queues)
                return -EINVAL;
@@ -2200,15 +2203,19 @@ int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
                if (dev->num_tc)
                        netif_setup_tc(dev, txq);
-                if (txq < dev->real_num_tx_queues) {
+                dev->real_num_tx_queues = txq;
+                if (disabling) {
+                        synchronize_net();
                        qdisc_reset_all_tx_gt(dev, txq);
 #ifdef CONFIG_XPS
                        netif_reset_xps_queues_gt(dev, txq);
 #endif
                }
+        } else {
+                dev->real_num_tx_queues = txq;
        }
-        dev->real_num_tx_queues = txq;
        return 0;
 }
 EXPORT_SYMBOL(netif_set_real_num_tx_queues);
@@ -2508,7 +2515,7 @@ __be16 skb_network_protocol(struct sk_buff *skb, int *depth)
                if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
                        return 0;
-                eth = (struct ethhdr *)skb_mac_header(skb);
+                eth = (struct ethhdr *)skb->data;
                type = eth->h_proto;
        }
@@ -2598,7 +2605,7 @@ struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
        segs = skb_mac_gso_segment(skb, features);
-        if (unlikely(skb_needs_check(skb, tx_path)))
+        if (unlikely(skb_needs_check(skb, tx_path) && !IS_ERR(segs)))
                skb_warn_bad_offload(skb);
        return segs;
@@ -2699,7 +2706,7 @@ netdev_features_t passthru_features_check(struct sk_buff *skb,
 }
 EXPORT_SYMBOL(passthru_features_check);
-static netdev_features_t dflt_features_check(const struct sk_buff *skb,
+static netdev_features_t dflt_features_check(struct sk_buff *skb,
                                             struct net_device *dev,
                                             netdev_features_t features)
 {
@@ -2889,10 +2896,21 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
                hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
                /* + transport layer */
-                if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))
+                if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) {
-                        hdr_len += tcp_hdrlen(skb);
+                        const struct tcphdr *th;
-                else
+                        struct tcphdr _tcphdr;
-                        hdr_len += sizeof(struct udphdr);
+                        th = skb_header_pointer(skb, skb_transport_offset(skb),
+                                                sizeof(_tcphdr), &_tcphdr);
+                        if (likely(th))
+                                hdr_len += __tcp_hdrlen(th);
+                } else {
+                        struct udphdr _udphdr;
+                        if (skb_header_pointer(skb, skb_transport_offset(skb),
+                                               sizeof(_udphdr), &_udphdr))
+                                hdr_len += sizeof(struct udphdr);
+                }
                if (shinfo->gso_type & SKB_GSO_DODGY)
                        gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
index c0548d268e1a..e3e6a3e2ca22 100644
--- a/net/core/dev_addr_lists.c
+++ b/net/core/dev_addr_lists.c
@@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list,
                return -EINVAL;
        list_for_each_entry(ha, &list->list, list) {
-                if (!memcmp(ha->addr, addr, addr_len) &&
+                if (ha->type == addr_type &&
-                    ha->type == addr_type) {
+                    !memcmp(ha->addr, addr, addr_len)) {
                        if (global) {
                                /* check if addr is already used as global */
                                if (ha->global_use)
diff --git a/net/core/dst_cache.c b/net/core/dst_cache.c
new file mode 100644
index 000000000000..554d36449231
--- /dev/null
+++ b/net/core/dst_cache.c
@@ -0,0 +1,168 @@
+/*
+ * net/core/dst_cache.c - dst entry cache
+ *
+ * Copyright (c) 2016 Paolo Abeni <pabeni@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+#include <linux/kernel.h>
+#include <linux/percpu.h>
+#include <net/dst_cache.h>
+#include <net/route.h>
+#if IS_ENABLED(CONFIG_IPV6)
+#include <net/ip6_fib.h>
+#endif
+#include <uapi/linux/in.h>
+struct dst_cache_pcpu {
+        unsigned long refresh_ts;
+        struct dst_entry *dst;
+        u32 cookie;
+        union {
+                struct in_addr in_saddr;
+                struct in6_addr in6_saddr;
+        };
+};
+static void dst_cache_per_cpu_dst_set(struct dst_cache_pcpu *dst_cache,
+                                      struct dst_entry *dst, u32 cookie)
+{
+        dst_release(dst_cache->dst);
+        if (dst)
+                dst_hold(dst);
+        dst_cache->cookie = cookie;
+        dst_cache->dst = dst;
+}
+static struct dst_entry *dst_cache_per_cpu_get(struct dst_cache *dst_cache,
+                                               struct dst_cache_pcpu *idst)
+{
+        struct dst_entry *dst;
+        dst = idst->dst;
+        if (!dst)
+                goto fail;
+        /* the cache already hold a dst reference; it can't go away */
+        dst_hold(dst);
+        if (unlikely(!time_after(idst->refresh_ts, dst_cache->reset_ts) ||
+                     (dst->obsolete && !dst->ops->check(dst, idst->cookie)))) {
+                dst_cache_per_cpu_dst_set(idst, NULL, 0);
+                dst_release(dst);
+                goto fail;
+        }
+        return dst;
+fail:
+        idst->refresh_ts = jiffies;
+        return NULL;
+}
+struct dst_entry *dst_cache_get(struct dst_cache *dst_cache)
+{
+        if (!dst_cache->cache)
+                return NULL;
+        return dst_cache_per_cpu_get(dst_cache, this_cpu_ptr(dst_cache->cache));
+}
+EXPORT_SYMBOL_GPL(dst_cache_get);
+struct rtable *dst_cache_get_ip4(struct dst_cache *dst_cache, __be32 *saddr)
+{
+        struct dst_cache_pcpu *idst;
+        struct dst_entry *dst;
+        if (!dst_cache->cache)
+                return NULL;
+        idst = this_cpu_ptr(dst_cache->cache);
+        dst = dst_cache_per_cpu_get(dst_cache, idst);
+        if (!dst)
+                return NULL;
+        *saddr = idst->in_saddr.s_addr;
+        return container_of(dst, struct rtable, dst);
+}
+EXPORT_SYMBOL_GPL(dst_cache_get_ip4);
+void dst_cache_set_ip4(struct dst_cache *dst_cache, struct dst_entry *dst,
+                       __be32 saddr)
+{
+        struct dst_cache_pcpu *idst;
+        if (!dst_cache->cache)
+                return;
+        idst = this_cpu_ptr(dst_cache->cache);
+        dst_cache_per_cpu_dst_set(idst, dst, 0);
+        idst->in_saddr.s_addr = saddr;
+}
+EXPORT_SYMBOL_GPL(dst_cache_set_ip4);
+#if IS_ENABLED(CONFIG_IPV6)
+void dst_cache_set_ip6(struct dst_cache *dst_cache, struct dst_entry *dst,
+                       const struct in6_addr *addr)
+{
+        struct dst_cache_pcpu *idst;
+        if (!dst_cache->cache)
+                return;
+        idst = this_cpu_ptr(dst_cache->cache);
+        dst_cache_per_cpu_dst_set(this_cpu_ptr(dst_cache->cache), dst,
+                                  rt6_get_cookie((struct rt6_info *)dst));
+        idst->in6_saddr = *addr;
+}
+EXPORT_SYMBOL_GPL(dst_cache_set_ip6);
+struct dst_entry *dst_cache_get_ip6(struct dst_cache *dst_cache,
+                                    struct in6_addr *saddr)
+{
+        struct dst_cache_pcpu *idst;
+        struct dst_entry *dst;
+        if (!dst_cache->cache)
+                return NULL;
+        idst = this_cpu_ptr(dst_cache->cache);
+        dst = dst_cache_per_cpu_get(dst_cache, idst);
+        if (!dst)
+                return NULL;
+        *saddr = idst->in6_saddr;
+        return dst;
+}
+EXPORT_SYMBOL_GPL(dst_cache_get_ip6);
+#endif
+int dst_cache_init(struct dst_cache *dst_cache, gfp_t gfp)
+{
+        dst_cache->cache = alloc_percpu_gfp(struct dst_cache_pcpu,
+                                            gfp | __GFP_ZERO);
+        if (!dst_cache->cache)
+                return -ENOMEM;
+        dst_cache_reset(dst_cache);
+        return 0;
+}
+EXPORT_SYMBOL_GPL(dst_cache_init);
+void dst_cache_destroy(struct dst_cache *dst_cache)
+{
+        int i;
+        if (!dst_cache->cache)
+                return;
+        for_each_possible_cpu(i)
+                dst_release(per_cpu_ptr(dst_cache->cache, i)->dst);
+        free_percpu(dst_cache->cache);
+}
+EXPORT_SYMBOL_GPL(dst_cache_destroy);
diff --git a/net/core/filter.c b/net/core/filter.c
index e94355452166..1a9ded6af138 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -430,6 +430,10 @@ do_pass:
                            convert_bpf_extensions(fp, &insn))
                                break;
+                        if (fp->code == (BPF_ALU | BPF_DIV | BPF_X) ||
+                            fp->code == (BPF_ALU | BPF_MOD | BPF_X))
+                                *insn++ = BPF_MOV32_REG(BPF_REG_X, BPF_REG_X);
                        *insn = BPF_RAW_INSN(fp->code, BPF_REG_A, BPF_REG_X, 0, fp->k);
                        break;
@@ -984,7 +988,9 @@ static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp)
                 */
                goto out_err_free;
-        bpf_prog_select_runtime(fp);
+        err = bpf_prog_select_runtime(fp);
+        if (err)
+                goto out_err_free;
        kfree(old_prog);
        return fp;
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index ee9082792530..4d14908afaec 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -492,8 +492,8 @@ ip_proto_again:
 out_good:
        ret = true;
-        key_control->thoff = (u16)nhoff;
 out:
+        key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
        key_basic->n_proto = proto;
        key_basic->ip_proto = ip_proto;
@@ -501,7 +501,6 @@ out:
 out_bad:
        ret = false;
-        key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
        goto out;
 }
 EXPORT_SYMBOL(__skb_flow_dissect);
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index ae92131c4f89..f60b93627876 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -54,7 +54,8 @@ do {						\
 static void neigh_timer_handler(unsigned long arg);
 static void __neigh_notify(struct neighbour *n, int type, int flags);
 static void neigh_update_notify(struct neighbour *neigh);
-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev);
+static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
+                                    struct net_device *dev);
 #ifdef CONFIG_PROC_FS
 static const struct file_operations neigh_stat_seq_fops;
@@ -254,8 +255,7 @@ int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
 {
        write_lock_bh(&tbl->lock);
        neigh_flush_dev(tbl, dev);
-        pneigh_ifdown(tbl, dev);
+        pneigh_ifdown_and_unlock(tbl, dev);
-        write_unlock_bh(&tbl->lock);
        del_timer_sync(&tbl->proxy_timer);
        pneigh_queue_purge(&tbl->proxy_queue);
@@ -496,7 +496,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
        if (atomic_read(&tbl->entries) > (1 << nht->hash_shift))
                nht = neigh_hash_grow(tbl, nht->hash_shift + 1);
-        hash_val = tbl->hash(pkey, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
+        hash_val = tbl->hash(n->primary_key, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
        if (n->parms->dead) {
                rc = ERR_PTR(-EINVAL);
@@ -508,7 +508,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
             n1 != NULL;
             n1 = rcu_dereference_protected(n1->next,
                        lockdep_is_held(&tbl->lock))) {
-                if (dev == n1->dev && !memcmp(n1->primary_key, pkey, key_len)) {
+                if (dev == n1->dev && !memcmp(n1->primary_key, n->primary_key, key_len)) {
                        if (want_ref)
                                neigh_hold(n1);
                        rc = n1;
@@ -645,9 +645,10 @@ int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey,
        return -ENOENT;
 }
-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
+static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
+                                    struct net_device *dev)
 {
-        struct pneigh_entry *n, **np;
+        struct pneigh_entry *n, **np, *freelist = NULL;
        u32 h;
        for (h = 0; h <= PNEIGH_HASHMASK; h++) {
@@ -655,16 +656,23 @@ static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
                while ((n = *np) != NULL) {
                        if (!dev || n->dev == dev) {
                                *np = n->next;
-                                if (tbl->pdestructor)
+                                n->next = freelist;
-                                        tbl->pdestructor(n);
+                                freelist = n;
-                                if (n->dev)
-                                        dev_put(n->dev);
-                                kfree(n);
                                continue;
                        }
                        np = &n->next;
                }
        }
+        write_unlock_bh(&tbl->lock);
+        while ((n = freelist)) {
+                freelist = n->next;
+                n->next = NULL;
+                if (tbl->pdestructor)
+                        tbl->pdestructor(n);
+                if (n->dev)
+                        dev_put(n->dev);
+                kfree(n);
+        }
        return -ENOENT;
 }
@@ -1132,10 +1140,6 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                lladdr = neigh->ha;
        }
-        if (new & NUD_CONNECTED)
-                neigh->confirmed = jiffies;
-        neigh->updated = jiffies;
        /* If entry was valid and address is not changed,
           do not change entry state, if new one is STALE.
         */
@@ -1159,6 +1163,16 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                }
        }
+        /* Update timestamps only once we know we will make a change to the
+         * neighbour entry. Otherwise we risk to move the locktime window with
+         * noop updates and ignore relevant ARP updates.
+         */
+        if (new != old || lladdr != neigh->ha) {
+                if (new & NUD_CONNECTED)
+                        neigh->confirmed = jiffies;
+                neigh->updated = jiffies;
+        }
        if (new != old) {
                neigh_del_timer(neigh);
                if (new & NUD_PROBE)
@@ -2274,12 +2288,16 @@ static int neigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
        err = nlmsg_parse(nlh, sizeof(struct ndmsg), tb, NDA_MAX, NULL);
        if (!err) {
-                if (tb[NDA_IFINDEX])
+                if (tb[NDA_IFINDEX]) {
+                        if (nla_len(tb[NDA_IFINDEX]) != sizeof(u32))
+                                return -EINVAL;
                        filter_idx = nla_get_u32(tb[NDA_IFINDEX]);
+                }
-                if (tb[NDA_MASTER])
+                if (tb[NDA_MASTER]) {
+                        if (nla_len(tb[NDA_MASTER]) != sizeof(u32))
+                                return -EINVAL;
                        filter_master_idx = nla_get_u32(tb[NDA_MASTER]);
+                }
                if (filter_idx || filter_master_idx)
                        flags |= NLM_F_DUMP_FILTERED;
        }
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index b5c351d2830b..ccd20669ac00 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -310,6 +310,25 @@ out_undo:
        goto out;
 }
+static int __net_init net_defaults_init_net(struct net *net)
+{
+        net->core.sysctl_somaxconn = SOMAXCONN;
+        return 0;
+}
+static struct pernet_operations net_defaults_ops = {
+        .init = net_defaults_init_net,
+};
+static __init int net_defaults_init(void)
+{
+        if (register_pernet_subsys(&net_defaults_ops))
+                panic("Cannot initialize net default settings");
+        return 0;
+}
+core_initcall(net_defaults_init);
 #ifdef CONFIG_NET_NS
 static struct kmem_cache *net_cachep;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 5b3d611d8b5f..96c9c0f0905a 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1691,6 +1691,10 @@ static int do_setlink(const struct sk_buff *skb,
        const struct net_device_ops *ops = dev->netdev_ops;
        int err;
+        err = validate_linkmsg(dev, tb);
+        if (err < 0)
+                return err;
        if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) {
                struct net *net = rtnl_link_get_net(dev_net(dev), tb);
                if (IS_ERR(net)) {
@@ -1982,10 +1986,6 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh)
                goto errout;
        }
-        err = validate_linkmsg(dev, tb);
-        if (err < 0)
-                goto errout;
        err = do_setlink(skb, dev, ifm, tb, ifname, 0);
 errout:
        return err;
@@ -2087,9 +2087,12 @@ int rtnl_configure_link(struct net_device *dev, const struct ifinfomsg *ifm)
                        return err;
        }
-        dev->rtnl_link_state = RTNL_LINK_INITIALIZED;
+        if (dev->rtnl_link_state == RTNL_LINK_INITIALIZED) {
+                __dev_notify_flags(dev, old_flags, 0U);
-        __dev_notify_flags(dev, old_flags, ~0U);
+        } else {
+                dev->rtnl_link_state = RTNL_LINK_INITIALIZED;
+                __dev_notify_flags(dev, old_flags, ~0U);
+        }
        return 0;
 }
 EXPORT_SYMBOL(rtnl_configure_link);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 86b619501350..55be076706e5 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -827,6 +827,8 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
        n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
        n->cloned = 1;
        n->nohdr = 0;
+        n->peeked = 0;
+        C(pfmemalloc);
        n->destructor = NULL;
        C(tail);
        C(end);
@@ -2551,7 +2553,8 @@ void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len)
 {
        int pos = skb_headlen(skb);
-        skb_shinfo(skb1)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
+        skb_shinfo(skb1)->tx_flags |= skb_shinfo(skb)->tx_flags &
+                                      SKBTX_SHARED_FRAG;
        if (len < pos)  /* Split line is inside header. */
                skb_split_inside_header(skb, skb1, len, pos);
        else            /* Second chunk has no header, nothing to copy. */
@@ -3115,8 +3118,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
                skb_copy_from_linear_data_offset(head_skb, offset,
                                                 skb_put(nskb, hsize), hsize);
-                skb_shinfo(nskb)->tx_flags = skb_shinfo(head_skb)->tx_flags &
+                skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
-                        SKBTX_SHARED_FRAG;
+                                              SKBTX_SHARED_FRAG;
                while (pos < offset + len) {
                        if (i >= nfrags) {
@@ -3329,24 +3332,18 @@ void __init skb_init(void)
                                                NULL);
 }
-/**
- *      skb_to_sgvec - Fill a scatter-gather list from a socket buffer
- *      @skb: Socket buffer containing the buffers to be mapped
- *      @sg: The scatter-gather list to map into
- *      @offset: The offset into the buffer's contents to start mapping
- *      @len: Length of buffer space to be mapped
- *
- *      Fill the specified scatter-gather list with mappings/pointers into a
- *      region of the buffer space attached to a socket buffer.
- */
 static int
-__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
+__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len,
+               unsigned int recursion_level)
 {
        int start = skb_headlen(skb);
        int i, copy = start - offset;
        struct sk_buff *frag_iter;
        int elt = 0;
+        if (unlikely(recursion_level >= 24))
+                return -EMSGSIZE;
        if (copy > 0) {
                if (copy > len)
                        copy = len;
@@ -3365,6 +3362,8 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
                end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
                if ((copy = end - offset) > 0) {
                        skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
+                        if (unlikely(elt && sg_is_last(&sg[elt - 1])))
+                                return -EMSGSIZE;
                        if (copy > len)
                                copy = len;
@@ -3379,16 +3378,22 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
        }
        skb_walk_frags(skb, frag_iter) {
-                int end;
+                int end, ret;
                WARN_ON(start > offset + len);
                end = start + frag_iter->len;
                if ((copy = end - offset) > 0) {
+                        if (unlikely(elt && sg_is_last(&sg[elt - 1])))
+                                return -EMSGSIZE;
                        if (copy > len)
                                copy = len;
-                        elt += __skb_to_sgvec(frag_iter, sg+elt, offset - start,
+                        ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start,
-                                              copy);
+                                              copy, recursion_level + 1);
+                        if (unlikely(ret < 0))
+                                return ret;
+                        elt += ret;
                        if ((len -= copy) == 0)
                                return elt;
                        offset += copy;
@@ -3399,6 +3404,31 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
        return elt;
 }
+/**
+ *      skb_to_sgvec - Fill a scatter-gather list from a socket buffer
+ *      @skb: Socket buffer containing the buffers to be mapped
+ *      @sg: The scatter-gather list to map into
+ *      @offset: The offset into the buffer's contents to start mapping
+ *      @len: Length of buffer space to be mapped
+ *
+ *      Fill the specified scatter-gather list with mappings/pointers into a
+ *      region of the buffer space attached to a socket buffer. Returns either
+ *      the number of scatterlist items used, or -EMSGSIZE if the contents
+ *      could not fit.
+ */
+int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
+{
+        int nsg = __skb_to_sgvec(skb, sg, offset, len, 0);
+        if (nsg <= 0)
+                return nsg;
+        sg_mark_end(&sg[nsg - 1]);
+        return nsg;
+}
+EXPORT_SYMBOL_GPL(skb_to_sgvec);
 /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given
 * sglist without mark the sg which contain last skb data as the end.
 * So the caller can mannipulate sg list as will when padding new data after
@@ -3421,19 +3451,11 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
                        int offset, int len)
 {
-        return __skb_to_sgvec(skb, sg, offset, len);
+        return __skb_to_sgvec(skb, sg, offset, len, 0);
 }
 EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark);
-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
-{
-        int nsg = __skb_to_sgvec(skb, sg, offset, len);
-        sg_mark_end(&sg[nsg - 1]);
-        return nsg;
-}
-EXPORT_SYMBOL_GPL(skb_to_sgvec);
 /**
 *      skb_cow_data - Check that a socket buffer's data buffers are writable
@@ -3571,7 +3593,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
        skb_queue_tail(&sk->sk_error_queue, skb);
        if (!sock_flag(sk, SOCK_DEAD))
-                sk->sk_data_ready(sk);
+                sk->sk_error_report(sk);
        return 0;
 }
 EXPORT_SYMBOL(sock_queue_err_skb);
@@ -3715,7 +3737,8 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
                return;
        if (tsonly) {
-                skb_shinfo(skb)->tx_flags = skb_shinfo(orig_skb)->tx_flags;
+                skb_shinfo(skb)->tx_flags |= skb_shinfo(orig_skb)->tx_flags &
+                                             SKBTX_ANY_TSTAMP;
                skb_shinfo(skb)->tskey = skb_shinfo(orig_skb)->tskey;
        }
@@ -4273,13 +4296,18 @@ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
 static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
 {
+        int mac_len;
        if (skb_cow(skb, skb_headroom(skb)) < 0) {
                kfree_skb(skb);
                return NULL;
        }
-        memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
+        mac_len = skb->data - skb_mac_header(skb);
-                2 * ETH_ALEN);
+        if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
+                memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
+                        mac_len - VLAN_HLEN - ETH_TLEN);
+        }
        skb->mac_header += VLAN_HLEN;
        return skb;
 }
diff --git a/net/core/sock.c b/net/core/sock.c
index cd12cb6fe366..4238835a0e4e 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1474,7 +1474,7 @@ void sk_destruct(struct sock *sk)
 static void __sk_free(struct sock *sk)
 {
-        if (unlikely(sock_diag_has_destroy_listeners(sk) && sk->sk_net_refcnt))
+        if (unlikely(sk->sk_net_refcnt && sock_diag_has_destroy_listeners(sk)))
                sock_diag_broadcast_destroy(sk);
        else
                sk_destruct(sk);
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index f5ef2115871f..32898247d8bf 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -292,7 +292,13 @@ static struct ctl_table net_core_table[] = {
                .data           = &bpf_jit_enable,
                .maxlen         = sizeof(int),
                .mode           = 0644,
+#ifndef CONFIG_BPF_JIT_ALWAYS_ON
                .proc_handler   = proc_dointvec
+#else
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &one,
+                .extra2         = &one,
+#endif
        },
 #endif
        {
@@ -423,8 +429,6 @@ static __net_init int sysctl_core_net_init(struct net *net)
 {
        struct ctl_table *tbl;
-        net->core.sysctl_somaxconn = SOMAXCONN;
        tbl = netns_core_table;
        if (!net_eq(net, &init_net)) {
                tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL);
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
index 5e3a7302f774..86a2ed0fb219 100644
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -126,6 +126,16 @@ static void ccid2_change_l_seq_window(struct sock *sk, u64 val)
                                                  DCCPF_SEQ_WMAX));
 }
+static void dccp_tasklet_schedule(struct sock *sk)
+{
+        struct tasklet_struct *t = &dccp_sk(sk)->dccps_xmitlet;
+        if (!test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
+                sock_hold(sk);
+                __tasklet_schedule(t);
+        }
+}
 static void ccid2_hc_tx_rto_expire(unsigned long data)
 {
        struct sock *sk = (struct sock *)data;
@@ -140,6 +150,9 @@ static void ccid2_hc_tx_rto_expire(unsigned long data)
        ccid2_pr_debug("RTO_EXPIRE\n");
+        if (sk->sk_state == DCCP_CLOSED)
+                goto out;
        /* back-off timer */
        hc->tx_rto <<= 1;
        if (hc->tx_rto > DCCP_RTO_MAX)
@@ -163,7 +176,7 @@ static void ccid2_hc_tx_rto_expire(unsigned long data)
        /* if we were blocked before, we may now send cwnd=1 packet */
        if (sender_was_blocked)
-                tasklet_schedule(&dccp_sk(sk)->dccps_xmitlet);
+                dccp_tasklet_schedule(sk);
        /* restart backed-off timer */
        sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
 out:
@@ -703,7 +716,7 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
 done:
        /* check if incoming Acks allow pending packets to be sent */
        if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
-                tasklet_schedule(&dccp_sk(sk)->dccps_xmitlet);
+                dccp_tasklet_schedule(sk);
        dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks);
 }
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index 119c04317d48..03fcf3ee1534 100644
--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -599,7 +599,7 @@ static void ccid3_hc_rx_send_feedback(struct sock *sk,
 {
        struct ccid3_hc_rx_sock *hc = ccid3_hc_rx_sk(sk);
        struct dccp_sock *dp = dccp_sk(sk);
-        ktime_t now = ktime_get_real();
+        ktime_t now = ktime_get();
        s64 delta = 0;
        switch (fbtype) {
@@ -624,15 +624,14 @@ static void ccid3_hc_rx_send_feedback(struct sock *sk,
        case CCID3_FBACK_PERIODIC:
                delta = ktime_us_delta(now, hc->rx_tstamp_last_feedback);
                if (delta <= 0)
-                        DCCP_BUG("delta (%ld) <= 0", (long)delta);
+                        delta = 1;
-                else
+                hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta);
-                        hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta);
                break;
        default:
                return;
        }
-        ccid3_pr_debug("Interval %ldusec, X_recv=%u, 1/p=%u\n", (long)delta,
+        ccid3_pr_debug("Interval %lldusec, X_recv=%u, 1/p=%u\n", delta,
                       hc->rx_x_recv, hc->rx_pinv);
        hc->rx_tstamp_last_feedback = now;
@@ -679,7 +678,8 @@ static int ccid3_hc_rx_insert_options(struct sock *sk, struct sk_buff *skb)
 static u32 ccid3_first_li(struct sock *sk)
 {
        struct ccid3_hc_rx_sock *hc = ccid3_hc_rx_sk(sk);
-        u32 x_recv, p, delta;
+        u32 x_recv, p;
+        s64 delta;
        u64 fval;
        if (hc->rx_rtt == 0) {
@@ -687,7 +687,9 @@ static u32 ccid3_first_li(struct sock *sk)
                hc->rx_rtt = DCCP_FALLBACK_RTT;
        }
-        delta  = ktime_to_us(net_timedelta(hc->rx_tstamp_last_feedback));
+        delta = ktime_us_delta(ktime_get(), hc->rx_tstamp_last_feedback);
+        if (delta <= 0)
+                delta = 1;
        x_recv = scaled_div32(hc->rx_bytes_recv, delta);
        if (x_recv == 0) {              /* would also trigger divide-by-zero */
                DCCP_WARN("X_recv==0\n");
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 6eb2bbf9873b..45fd82e61e79 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -618,6 +618,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
        ireq = inet_rsk(req);
        sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr);
        sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr);
+        ireq->ir_mark = inet_request_mark(sk, skb);
        ireq->ireq_family = AF_INET;
        ireq->ir_iif = sk->sk_bound_dev_if;
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 09a9ab65f4e1..0bf41faeffc4 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -345,6 +345,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
        ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
        ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
        ireq->ireq_family = AF_INET6;
+        ireq->ir_mark = inet_request_mark(sk, skb);
        if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
            np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index b68168fcc06a..936dab12f99f 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
 {
        struct inet_connection_sock *icsk = inet_csk(sk);
        struct inet_sock *inet = inet_sk(sk);
+        struct dccp_sock *dp = dccp_sk(sk);
        int err = 0;
        const int old_state = sk->sk_state;
@@ -278,6 +279,8 @@ int dccp_disconnect(struct sock *sk, int flags)
                sk->sk_err = ECONNRESET;
        dccp_clear_xmit_timers(sk);
+        ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
+        dp->dccps_hc_rx_ccid = NULL;
        __skb_queue_purge(&sk->sk_receive_queue);
        __skb_queue_purge(&sk->sk_write_queue);
@@ -784,6 +787,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
        if (skb == NULL)
                goto out_release;
+        if (sk->sk_state == DCCP_CLOSED) {
+                rc = -ENOTCONN;
+                goto out_discard;
+        }
        skb_reserve(skb, sk->sk_prot->max_header);
        rc = memcpy_from_msg(skb_put(skb, len), msg, len);
        if (rc != 0)
diff --git a/net/dccp/timer.c b/net/dccp/timer.c
index 3ef7acef3ce8..aa7c7dad7f96 100644
--- a/net/dccp/timer.c
+++ b/net/dccp/timer.c
@@ -230,12 +230,12 @@ static void dccp_write_xmitlet(unsigned long data)
        else
                dccp_write_xmit(sk);
        bh_unlock_sock(sk);
+        sock_put(sk);
 }
 static void dccp_write_xmit_timer(unsigned long data)
 {
        dccp_write_xmitlet(data);
-        sock_put((struct sock *)data);
 }
 void dccp_init_xmit_timers(struct sock *sk)
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 13d6b1a6e0fc..9d8fcdefefc0 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -1337,6 +1337,12 @@ static int dn_setsockopt(struct socket *sock, int level, int optname, char __use
        lock_sock(sk);
        err = __dn_setsockopt(sock, level, optname, optval, optlen, 0);
        release_sock(sk);
+#ifdef CONFIG_NETFILTER
+        /* we need to exclude all possible ENOPROTOOPTs except default case */
+        if (err == -ENOPROTOOPT && optname != DSO_LINKINFO &&
+            optname != DSO_STREAM && optname != DSO_SEQPACKET)
+                err = nf_setsockopt(sk, PF_DECnet, optname, optval, optlen);
+#endif
        return err;
 }
@@ -1444,15 +1450,6 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us
                dn_nsp_send_disc(sk, 0x38, 0, sk->sk_allocation);
                break;
-        default:
-#ifdef CONFIG_NETFILTER
-                return nf_setsockopt(sk, PF_DECnet, optname, optval, optlen);
-#endif
-        case DSO_LINKINFO:
-        case DSO_STREAM:
-        case DSO_SEQPACKET:
-                return -ENOPROTOOPT;
        case DSO_MAXWINDOW:
                if (optlen != sizeof(unsigned long))
                        return -EINVAL;
@@ -1500,6 +1497,12 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us
                        return -EINVAL;
                scp->info_loc = u.info;
                break;
+        case DSO_LINKINFO:
+        case DSO_STREAM:
+        case DSO_SEQPACKET:
+        default:
+                return -ENOPROTOOPT;
        }
        return 0;
@@ -1513,6 +1516,20 @@ static int dn_getsockopt(struct socket *sock, int level, int optname, char __use
        lock_sock(sk);
        err = __dn_getsockopt(sock, level, optname, optval, optlen, 0);
        release_sock(sk);
+#ifdef CONFIG_NETFILTER
+        if (err == -ENOPROTOOPT && optname != DSO_STREAM &&
+            optname != DSO_SEQPACKET && optname != DSO_CONACCEPT &&
+            optname != DSO_CONREJECT) {
+                int len;
+                if (get_user(len, optlen))
+                        return -EFAULT;
+                err = nf_getsockopt(sk, PF_DECnet, optname, optval, &len);
+                if (err >= 0)
+                        err = put_user(len, optlen);
+        }
+#endif
        return err;
 }
@@ -1578,26 +1595,6 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
                r_data = &link;
                break;
-        default:
-#ifdef CONFIG_NETFILTER
-        {
-                int ret, len;
-                if (get_user(len, optlen))
-                        return -EFAULT;
-                ret = nf_getsockopt(sk, PF_DECnet, optname, optval, &len);
-                if (ret >= 0)
-                        ret = put_user(len, optlen);
-                return ret;
-        }
-#endif
-        case DSO_STREAM:
-        case DSO_SEQPACKET:
-        case DSO_CONACCEPT:
-        case DSO_CONREJECT:
-                return -ENOPROTOOPT;
        case DSO_MAXWINDOW:
                if (r_len > sizeof(unsigned long))
                        r_len = sizeof(unsigned long);
@@ -1629,6 +1626,13 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
                        r_len = sizeof(unsigned char);
                r_data = &scp->info_rem;
                break;
+        case DSO_STREAM:
+        case DSO_SEQPACKET:
+        case DSO_CONACCEPT:
+        case DSO_CONREJECT:
+        default:
+                return -ENOPROTOOPT;
        }
        if (r_data) {
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index 6abc5012200b..1689c7bdf1c9 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -25,6 +25,7 @@
 #include <linux/moduleparam.h>
 #include <linux/slab.h>
 #include <linux/string.h>
+#include <linux/ratelimit.h>
 #include <linux/kernel.h>
 #include <linux/keyctl.h>
 #include <linux/err.h>
@@ -86,35 +87,39 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
                opt++;
                kdebug("options: '%s'", opt);
                do {
+                        int opt_len, opt_nlen;
                        const char *eq;
-                        int opt_len, opt_nlen, opt_vlen, tmp;
+                        char optval[128];
                        next_opt = memchr(opt, '#', end - opt) ?: end;
                        opt_len = next_opt - opt;
-                        if (!opt_len) {
+                        if (opt_len <= 0 || opt_len > sizeof(optval)) {
-                                printk(KERN_WARNING
+                                pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
-                                       "Empty option to dns_resolver key\n");
+                                                    opt_len);
                                return -EINVAL;
                        }
-                        eq = memchr(opt, '=', opt_len) ?: end;
+                        eq = memchr(opt, '=', opt_len);
-                        opt_nlen = eq - opt;
+                        if (eq) {
-                        eq++;
+                                opt_nlen = eq - opt;
-                        opt_vlen = next_opt - eq; /* will be -1 if no value */
+                                eq++;
+                                memcpy(optval, eq, next_opt - eq);
+                                optval[next_opt - eq] = '\0';
+                        } else {
+                                opt_nlen = opt_len;
+                                optval[0] = '\0';
+                        }
-                        tmp = opt_vlen >= 0 ? opt_vlen : 0;
+                        kdebug("option '%*.*s' val '%s'",
-                        kdebug("option '%*.*s' val '%*.*s'",
+                               opt_nlen, opt_nlen, opt, optval);
-                               opt_nlen, opt_nlen, opt, tmp, tmp, eq);
                        /* see if it's an error number representing a DNS error
                         * that's to be recorded as the result in this key */
                        if (opt_nlen == sizeof(DNS_ERRORNO_OPTION) - 1 &&
                            memcmp(opt, DNS_ERRORNO_OPTION, opt_nlen) == 0) {
                                kdebug("dns error number option");
-                                if (opt_vlen <= 0)
-                                        goto bad_option_value;
-                                ret = kstrtoul(eq, 10, &derrno);
+                                ret = kstrtoul(optval, 10, &derrno);
                                if (ret < 0)
                                        goto bad_option_value;
@@ -127,10 +132,8 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
                        }
                bad_option_value:
-                        printk(KERN_WARNING
+                        pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n",
-                               "Option '%*.*s' to dns_resolver key:"
+                                            opt_nlen, opt_nlen, opt);
-                               " bad/missing value\n",
-                               opt_nlen, opt_nlen, opt);
                        return -EINVAL;
                } while (opt = next_opt + 1, opt < end);
        }
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 554c2a961ad5..48b28a7ecc7a 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -1099,6 +1099,9 @@ int dsa_slave_suspend(struct net_device *slave_dev)
 {
        struct dsa_slave_priv *p = netdev_priv(slave_dev);
+        if (!netif_running(slave_dev))
+                return 0;
        netif_device_detach(slave_dev);
        if (p->phy) {
@@ -1116,6 +1119,9 @@ int dsa_slave_resume(struct net_device *slave_dev)
 {
        struct dsa_slave_priv *p = netdev_priv(slave_dev);
+        if (!netif_running(slave_dev))
+                return 0;
        netif_device_attach(slave_dev);
        if (p->phy) {
diff --git a/net/ieee802154/6lowpan/core.c b/net/ieee802154/6lowpan/core.c
index 20c49c724ba0..e8b279443d37 100644
--- a/net/ieee802154/6lowpan/core.c
+++ b/net/ieee802154/6lowpan/core.c
@@ -206,9 +206,13 @@ static inline void lowpan_netlink_fini(void)
 static int lowpan_device_event(struct notifier_block *unused,
                               unsigned long event, void *ptr)
 {
-        struct net_device *wdev = netdev_notifier_info_to_dev(ptr);
+        struct net_device *ndev = netdev_notifier_info_to_dev(ptr);
+        struct wpan_dev *wpan_dev;
-        if (wdev->type != ARPHRD_IEEE802154)
+        if (ndev->type != ARPHRD_IEEE802154)
+                return NOTIFY_DONE;
+        wpan_dev = ndev->ieee802154_ptr;
+        if (!wpan_dev)
                goto out;
        switch (event) {
@@ -217,8 +221,8 @@ static int lowpan_device_event(struct notifier_block *unused,
                 * also delete possible lowpan interfaces which belongs
                 * to the wpan interface.
                 */
-                if (wdev->ieee802154_ptr->lowpan_dev)
+                if (wpan_dev->lowpan_dev)
-                        lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL);
+                        lowpan_dellink(wpan_dev->lowpan_dev, NULL);
                break;
        default:
                break;
diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index a548be247e15..47b397264f24 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -302,12 +302,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
        skb->sk  = sk;
        skb->protocol = htons(ETH_P_IEEE802154);
-        dev_put(dev);
        err = dev_queue_xmit(skb);
        if (err > 0)
                err = net_xmit_errno(err);
+        dev_put(dev);
        return err ?: size;
 out_skb:
@@ -689,12 +689,12 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
        skb->sk  = sk;
        skb->protocol = htons(ETH_P_IEEE802154);
-        dev_put(dev);
        err = dev_queue_xmit(skb);
        if (err > 0)
                err = net_xmit_errno(err);
+        dev_put(dev);
        return err ?: size;
 out_skb:
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 416dfa004cfb..09d6c4a6b53d 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -186,6 +186,7 @@ config NET_IPGRE_DEMUX
 config NET_IP_TUNNEL
        tristate
+        select DST_CACHE
        default n
 config NET_IPGRE
@@ -353,6 +354,7 @@ config INET_ESP
        select CRYPTO_CBC
        select CRYPTO_SHA1
        select CRYPTO_DES
+        select CRYPTO_ECHAINIV
        ---help---
          Support for IPsec ESP.
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index 22377c8ff14b..e8f862358518 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -220,7 +220,9 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
        ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
        sg_init_table(sg, nfrags + sglists);
-        skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+        err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+        if (unlikely(err < 0))
+                goto out_free;
        if (x->props.flags & XFRM_STATE_ESN) {
                /* Attach seqhi sg right after packet payload */
@@ -393,7 +395,9 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
        skb_push(skb, ihl);
        sg_init_table(sg, nfrags + sglists);
-        skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+        err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+        if (unlikely(err < 0))
+                goto out_free;
        if (x->props.flags & XFRM_STATE_ESN) {
                /* Attach seqhi sg right after packet payload */
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 711b4dfa17c3..bfa79831873f 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -223,11 +223,16 @@ static bool arp_key_eq(const struct neighbour *neigh, const void *pkey)
 static int arp_constructor(struct neighbour *neigh)
 {
-        __be32 addr = *(__be32 *)neigh->primary_key;
+        __be32 addr;
        struct net_device *dev = neigh->dev;
        struct in_device *in_dev;
        struct neigh_parms *parms;
+        u32 inaddr_any = INADDR_ANY;
+        if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
+                memcpy(neigh->primary_key, &inaddr_any, arp_tbl.key_len);
+        addr = *(__be32 *)neigh->primary_key;
        rcu_read_lock();
        in_dev = __in_dev_get_rcu(dev);
        if (!in_dev) {
@@ -432,7 +437,7 @@ static int arp_filter(__be32 sip, __be32 tip, struct net_device *dev)
        /*unsigned long now; */
        struct net *net = dev_net(dev);
-        rt = ip_route_output(net, sip, tip, 0, 0);
+        rt = ip_route_output(net, sip, tip, 0, l3mdev_master_ifindex_rcu(dev));
        if (IS_ERR(rt))
                return 1;
        if (rt->dst.dev != dev) {
@@ -653,6 +658,7 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
        unsigned char *arp_ptr;
        struct rtable *rt;
        unsigned char *sha;
+        unsigned char *tha = NULL;
        __be32 sip, tip;
        u16 dev_type = dev->type;
        int addr_type;
@@ -724,6 +730,7 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
                break;
 #endif
        default:
+                tha = arp_ptr;
                arp_ptr += dev->addr_len;
        }
        memcpy(&tip, arp_ptr, 4);
@@ -834,8 +841,18 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
                   It is possible, that this option should be enabled for some
                   devices (strip is candidate)
                 */
-                is_garp = arp->ar_op == htons(ARPOP_REQUEST) && tip == sip &&
+                is_garp = tip == sip && addr_type == RTN_UNICAST;
-                          addr_type == RTN_UNICAST;
+                /* Unsolicited ARP _replies_ also require target hwaddr to be
+                 * the same as source.
+                 */
+                if (is_garp && arp->ar_op == htons(ARPOP_REPLY))
+                        is_garp =
+                                /* IPv4 over IEEE 1394 doesn't provide target
+                                 * hardware address field in its ARP payload.
+                                 */
+                                tha &&
+                                !memcmp(tha, sha, dev->addr_len);
                if (!n &&
                    ((arp->ar_op == htons(ARPOP_REPLY)  &&
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 20fb25e3027b..3d8021d55336 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -268,10 +268,11 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
        esph->spi = x->id.spi;
        sg_init_table(sg, nfrags);
-        skb_to_sgvec(skb, sg,
+        err = skb_to_sgvec(skb, sg,
-                     (unsigned char *)esph - skb->data,
+                           (unsigned char *)esph - skb->data,
-                     assoclen + ivlen + clen + alen);
+                           assoclen + ivlen + clen + alen);
+        if (unlikely(err < 0))
+                goto error;
        aead_request_set_crypt(req, sg, sg, ivlen + clen, iv);
        aead_request_set_ad(req, assoclen);
@@ -481,7 +482,9 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
        }
        sg_init_table(sg, nfrags);
-        skb_to_sgvec(skb, sg, 0, skb->len);
+        err = skb_to_sgvec(skb, sg, 0, skb->len);
+        if (unlikely(err < 0))
+                goto out;
        aead_request_set_crypt(req, sg, sg, elen + ivlen, iv);
        aead_request_set_ad(req, assoclen);
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index c9e68ff48a72..015c33712803 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -289,18 +289,19 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb)
                return ip_hdr(skb)->daddr;
        in_dev = __in_dev_get_rcu(dev);
-        BUG_ON(!in_dev);
        net = dev_net(dev);
        scope = RT_SCOPE_UNIVERSE;
        if (!ipv4_is_zeronet(ip_hdr(skb)->saddr)) {
+                bool vmark = in_dev && IN_DEV_SRC_VMARK(in_dev);
                struct flowi4 fl4 = {
                        .flowi4_iif = LOOPBACK_IFINDEX,
+                        .flowi4_oif = l3mdev_master_ifindex_rcu(dev),
                        .daddr = ip_hdr(skb)->saddr,
                        .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
                        .flowi4_scope = scope,
-                        .flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0,
+                        .flowi4_mark = vmark ? skb->mark : 0,
                };
                if (!fib_lookup(net, &fl4, &res, 0))
                        return FIB_RES_PREFSRC(net, res);
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 313e3c11a15a..03ebff3950d8 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -640,6 +640,11 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi)
                                            fi->fib_nh, cfg))
                            return 1;
                }
+#ifdef CONFIG_IP_ROUTE_CLASSID
+                if (cfg->fc_flow &&
+                    cfg->fc_flow != fi->fib_nh->nh_tclassid)
+                        return 1;
+#endif
                if ((!cfg->fc_oif || cfg->fc_oif == fi->fib_nh->nh_oif) &&
                    (!cfg->fc_gw  || cfg->fc_gw == fi->fib_nh->nh_gw))
                        return 0;
@@ -974,6 +979,8 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg)
                        if (val == TCP_CA_UNSPEC)
                                return -EINVAL;
                } else {
+                        if (nla_len(nla) != sizeof(u32))
+                                return -EINVAL;
                        val = nla_get_u32(nla);
                }
                if (type == RTAX_ADVMSS && val > 65535 - 40)
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index b60106d34346..c67efa3e79dd 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -338,7 +338,7 @@ static __be32 igmpv3_get_srcaddr(struct net_device *dev,
                return htonl(INADDR_ANY);
        for_ifa(in_dev) {
-                if (inet_ifa_match(fl4->saddr, ifa))
+                if (fl4->saddr == ifa->ifa_local)
                        return fl4->saddr;
        } endfor_ifa(in_dev);
@@ -392,7 +392,11 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
        pip->frag_off = htons(IP_DF);
        pip->ttl      = 1;
        pip->daddr    = fl4.daddr;
+        rcu_read_lock();
        pip->saddr    = igmpv3_get_srcaddr(dev, &fl4);
+        rcu_read_unlock();
        pip->protocol = IPPROTO_IGMP;
        pip->tot_len  = 0;      /* filled in later */
        ip_select_ident(net, skb, NULL);
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index c5fb2f694ed0..b2001b20e029 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -119,6 +119,9 @@ out:
 static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
 {
+        if (!hlist_unhashed(&q->list_evictor))
+                return false;
        return q->net->low_thresh == 0 ||
               frag_mem_limit(q->net) >= q->net->low_thresh;
 }
@@ -361,11 +364,6 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf,
 {
        struct inet_frag_queue *q;
-        if (frag_mem_limit(nf) > nf->high_thresh) {
-                inet_frag_schedule_worker(f);
-                return NULL;
-        }
        q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
        if (!q)
                return NULL;
@@ -402,6 +400,11 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
        struct inet_frag_queue *q;
        int depth = 0;
+        if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+                inet_frag_schedule_worker(f);
+                return NULL;
+        }
        if (frag_mem_limit(nf) > nf->low_thresh)
                inet_frag_schedule_worker(f);
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index c67f9bd7699c..d8316869947a 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -182,6 +182,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk,
                tw->tw_dport        = inet->inet_dport;
                tw->tw_family       = sk->sk_family;
                tw->tw_reuse        = sk->sk_reuse;
+                tw->tw_reuseport    = sk->sk_reuseport;
                tw->tw_hash         = sk->sk_hash;
                tw->tw_ipv6only     = 0;
                tw->tw_transparent  = inet->transparent;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 09c73dd541c5..c11bb6d2d00a 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -480,6 +480,8 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        to->dev = from->dev;
        to->mark = from->mark;
+        skb_copy_hash(to, from);
        /* Copy the flags to each fragment. */
        IPCB(to)->flags = IPCB(from)->flags;
@@ -1062,7 +1064,8 @@ alloc_new_skb:
                if (copy > length)
                        copy = length;
-                if (!(rt->dst.dev->features&NETIF_F_SG)) {
+                if (!(rt->dst.dev->features&NETIF_F_SG) &&
+                    skb_tailroom(skb) >= copy) {
                        unsigned int off;
                        off = skb->len;
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 097a1243c16c..88426a6a7a85 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -135,15 +135,18 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
 {
        struct sockaddr_in sin;
        const struct iphdr *iph = ip_hdr(skb);
-        __be16 *ports = (__be16 *)skb_transport_header(skb);
+        __be16 *ports;
+        int end;
-        if (skb_transport_offset(skb) + 4 > skb->len)
+        end = skb_transport_offset(skb) + 4;
+        if (end > 0 && !pskb_may_pull(skb, end))
                return;
        /* All current transport protocols have the port numbers in the
         * first four bytes of the transport header and this function is
         * written with this assumption in mind.
         */
+        ports = (__be16 *)skb_transport_header(skb);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = iph->daddr;
@@ -241,7 +244,8 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc,
                        src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg);
                        if (!ipv6_addr_v4mapped(&src_info->ipi6_addr))
                                return -EINVAL;
-                        ipc->oif = src_info->ipi6_ifindex;
+                        if (src_info->ipi6_ifindex)
+                                ipc->oif = src_info->ipi6_ifindex;
                        ipc->addr = src_info->ipi6_addr.s6_addr32[3];
                        continue;
                }
@@ -264,7 +268,8 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc,
                        if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo)))
                                return -EINVAL;
                        info = (struct in_pktinfo *)CMSG_DATA(cmsg);
-                        ipc->oif = info->ipi_ifindex;
+                        if (info->ipi_ifindex)
+                                ipc->oif = info->ipi_ifindex;
                        ipc->addr = info->ipi_spec_dst.s_addr;
                        break;
                }
@@ -491,8 +496,6 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
        int err;
        int copied;
-        WARN_ON_ONCE(sk->sk_family == AF_INET6);
        err = -EAGAIN;
        skb = sock_dequeue_err_skb(sk);
        if (!skb)
@@ -1221,11 +1224,8 @@ int ip_setsockopt(struct sock *sk, int level,
        if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
                        optname != IP_IPSEC_POLICY &&
                        optname != IP_XFRM_POLICY &&
-                        !ip_mroute_opt(optname)) {
+                        !ip_mroute_opt(optname))
-                lock_sock(sk);
                err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
-                release_sock(sk);
-        }
 #endif
        return err;
 }
@@ -1250,12 +1250,9 @@ int compat_ip_setsockopt(struct sock *sk, int level, int optname,
        if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
                        optname != IP_IPSEC_POLICY &&
                        optname != IP_XFRM_POLICY &&
-                        !ip_mroute_opt(optname)) {
+                        !ip_mroute_opt(optname))
-                lock_sock(sk);
+                err = compat_nf_setsockopt(sk, PF_INET, optname, optval,
-                err = compat_nf_setsockopt(sk, PF_INET, optname,
+                                           optlen);
-                                           optval, optlen);
-                release_sock(sk);
-        }
 #endif
        return err;
 }
@@ -1533,10 +1530,7 @@ int ip_getsockopt(struct sock *sk, int level,
                if (get_user(len, optlen))
                        return -EFAULT;
-                lock_sock(sk);
+                err = nf_getsockopt(sk, PF_INET, optname, optval, &len);
-                err = nf_getsockopt(sk, PF_INET, optname, optval,
-                                &len);
-                release_sock(sk);
                if (err >= 0)
                        err = put_user(len, optlen);
                return err;
@@ -1568,9 +1562,7 @@ int compat_ip_getsockopt(struct sock *sk, int level, int optname,
                if (get_user(len, optlen))
                        return -EFAULT;
-                lock_sock(sk);
                err = compat_nf_getsockopt(sk, PF_INET, optname, optval, &len);
-                release_sock(sk);
                if (err >= 0)
                        err = put_user(len, optlen);
                return err;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index c18245e05d26..3d62feb65932 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -69,61 +69,6 @@ static unsigned int ip_tunnel_hash(__be32 key, __be32 remote)
                         IP_TNL_HASH_BITS);
 }
-static void __tunnel_dst_set(struct ip_tunnel_dst *idst,
-                             struct dst_entry *dst, __be32 saddr)
-{
-        struct dst_entry *old_dst;
-        dst_clone(dst);
-        old_dst = xchg((__force struct dst_entry **)&idst->dst, dst);
-        dst_release(old_dst);
-        idst->saddr = saddr;
-}
-static noinline void tunnel_dst_set(struct ip_tunnel *t,
-                           struct dst_entry *dst, __be32 saddr)
-{
-        __tunnel_dst_set(raw_cpu_ptr(t->dst_cache), dst, saddr);
-}
-static void tunnel_dst_reset(struct ip_tunnel *t)
-{
-        tunnel_dst_set(t, NULL, 0);
-}
-void ip_tunnel_dst_reset_all(struct ip_tunnel *t)
-{
-        int i;
-        for_each_possible_cpu(i)
-                __tunnel_dst_set(per_cpu_ptr(t->dst_cache, i), NULL, 0);
-}
-EXPORT_SYMBOL(ip_tunnel_dst_reset_all);
-static struct rtable *tunnel_rtable_get(struct ip_tunnel *t,
-                                        u32 cookie, __be32 *saddr)
-{
-        struct ip_tunnel_dst *idst;
-        struct dst_entry *dst;
-        rcu_read_lock();
-        idst = raw_cpu_ptr(t->dst_cache);
-        dst = rcu_dereference(idst->dst);
-        if (dst && !atomic_inc_not_zero(&dst->__refcnt))
-                dst = NULL;
-        if (dst) {
-                if (!dst->obsolete || dst->ops->check(dst, cookie)) {
-                        *saddr = idst->saddr;
-                } else {
-                        tunnel_dst_reset(t);
-                        dst_release(dst);
-                        dst = NULL;
-                }
-        }
-        rcu_read_unlock();
-        return (struct rtable *)dst;
-}
 static bool ip_tunnel_key_match(const struct ip_tunnel_parm *p,
                                __be16 flags, __be32 key)
 {
@@ -308,13 +253,14 @@ static struct net_device *__ip_tunnel_create(struct net *net,
        struct net_device *dev;
        char name[IFNAMSIZ];
-        if (parms->name[0])
+        err = -E2BIG;
+        if (parms->name[0]) {
+                if (!dev_valid_name(parms->name))
+                        goto failed;
                strlcpy(name, parms->name, IFNAMSIZ);
-        else {
+        } else {
-                if (strlen(ops->kind) > (IFNAMSIZ - 3)) {
+                if (strlen(ops->kind) > (IFNAMSIZ - 3))
-                        err = -E2BIG;
                        goto failed;
-                }
                strlcpy(name, ops->kind, IFNAMSIZ);
                strncat(name, "%d", 2);
        }
@@ -382,11 +328,12 @@ static int ip_tunnel_bind_dev(struct net_device *dev)
                if (!IS_ERR(rt)) {
                        tdev = rt->dst.dev;
-                        tunnel_dst_set(tunnel, &rt->dst, fl4.saddr);
                        ip_rt_put(rt);
                }
                if (dev->type != ARPHRD_ETHER)
                        dev->flags |= IFF_POINTOPOINT;
+                dst_cache_reset(&tunnel->dst_cache);
        }
        if (!tdev && tunnel->parms.link)
@@ -733,7 +680,8 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
        if (ip_tunnel_encap(skb, tunnel, &protocol, &fl4) < 0)
                goto tx_error;
-        rt = connected ? tunnel_rtable_get(tunnel, 0, &fl4.saddr) : NULL;
+        rt = connected ? dst_cache_get_ip4(&tunnel->dst_cache, &fl4.saddr) :
+                         NULL;
        if (!rt) {
                rt = ip_route_output_key(tunnel->net, &fl4);
@@ -743,7 +691,8 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
                        goto tx_error;
                }
                if (connected)
-                        tunnel_dst_set(tunnel, &rt->dst, fl4.saddr);
+                        dst_cache_set_ip4(&tunnel->dst_cache, &rt->dst,
+                                          fl4.saddr);
        }
        if (rt->dst.dev == dev) {
@@ -841,7 +790,7 @@ static void ip_tunnel_update(struct ip_tunnel_net *itn,
                if (set_mtu)
                        dev->mtu = mtu;
        }
-        ip_tunnel_dst_reset_all(t);
+        dst_cache_reset(&t->dst_cache);
        netdev_state_change(dev);
 }
@@ -980,7 +929,7 @@ static void ip_tunnel_dev_free(struct net_device *dev)
        struct ip_tunnel *tunnel = netdev_priv(dev);
        gro_cells_destroy(&tunnel->gro_cells);
-        free_percpu(tunnel->dst_cache);
+        dst_cache_destroy(&tunnel->dst_cache);
        free_percpu(dev->tstats);
        free_netdev(dev);
 }
@@ -1174,15 +1123,15 @@ int ip_tunnel_init(struct net_device *dev)
        if (!dev->tstats)
                return -ENOMEM;
-        tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst);
+        err = dst_cache_init(&tunnel->dst_cache, GFP_KERNEL);
-        if (!tunnel->dst_cache) {
+        if (err) {
                free_percpu(dev->tstats);
-                return -ENOMEM;
+                return err;
        }
        err = gro_cells_init(&tunnel->gro_cells, dev);
        if (err) {
-                free_percpu(tunnel->dst_cache);
+                dst_cache_destroy(&tunnel->dst_cache);
                free_percpu(dev->tstats);
                return err;
        }
@@ -1212,7 +1161,7 @@ void ip_tunnel_uninit(struct net_device *dev)
        if (itn->fb_tunnel_dev != dev)
                ip_tunnel_del(itn, netdev_priv(dev));
-        ip_tunnel_dst_reset_all(tunnel);
+        dst_cache_reset(&tunnel->dst_cache);
 }
 EXPORT_SYMBOL_GPL(ip_tunnel_uninit);
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index a03f834f16d5..4b7c81f88abf 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -366,7 +366,6 @@ static int vti_tunnel_init(struct net_device *dev)
        memcpy(dev->dev_addr, &iph->saddr, 4);
        memcpy(dev->broadcast, &iph->daddr, 4);
-        dev->hard_header_len    = LL_MAX_HEADER + sizeof(struct iphdr);
        dev->mtu                = ETH_DATA_LEN;
        dev->flags              = IFF_NOARP;
        dev->addr_len           = 4;
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index 0bc7412d9e14..60f564db25a3 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -152,7 +152,11 @@ static char dhcp_client_identifier[253] __initdata;
 /* Persistent data: */
+#ifdef IPCONFIG_DYNAMIC
 static int ic_proto_used;                       /* Protocol used, if any */
+#else
+#define ic_proto_used 0
+#endif
 static __be32 ic_nameservers[CONF_NAMESERVERS_MAX]; /* DNS Server IP addresses */
 static u8 ic_domain[64];                /* DNS (not NIS) domain name */
@@ -786,6 +790,11 @@ static void __init ic_bootp_init_ext(u8 *e)
 */
 static inline void __init ic_bootp_init(void)
 {
+        /* Re-initialise all name servers to NONE, in case any were set via the
+         * "ip=" or "nfsaddrs=" kernel command line parameters: any IP addresses
+         * specified there will already have been decoded but are no longer
+         * needed
+         */
        ic_nameservers_predef();
        dev_add_pack(&bootp_packet_type);
@@ -1419,6 +1428,13 @@ static int __init ip_auto_config(void)
        int err;
        unsigned int i;
+        /* Initialise all name servers to NONE (but only if the "ip=" or
+         * "nfsaddrs=" kernel command line parameters weren't decoded, otherwise
+         * we'll overwrite the IP addresses specified there)
+         */
+        if (ic_set_manually == 0)
+                ic_nameservers_predef();
 #ifdef CONFIG_PROC_FS
        proc_create("pnp", S_IRUGO, init_net.proc_net, &pnp_seq_fops);
 #endif /* CONFIG_PROC_FS */
@@ -1636,6 +1652,7 @@ static int __init ip_auto_config_setup(char *addrs)
                return 1;
        }
+        /* Initialise all name servers to NONE */
        ic_nameservers_predef();
        /* Parse string for static IP assignment.  */
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c3776ff6749f..699f8a5457a3 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -23,7 +23,8 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
        struct rtable *rt;
        struct flowi4 fl4 = {};
        __be32 saddr = iph->saddr;
-        __u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
+        const struct sock *sk = skb_to_full_sk(skb);
+        __u8 flags = sk ? inet_sk_flowi_flags(sk) : 0;
        unsigned int hh_len;
        if (addr_type == RTN_UNSPEC)
@@ -39,7 +40,7 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
        fl4.daddr = iph->daddr;
        fl4.saddr = saddr;
        fl4.flowi4_tos = RT_TOS(iph->tos);
-        fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
+        fl4.flowi4_oif = sk ? sk->sk_bound_dev_if : 0;
        fl4.flowi4_mark = skb->mark;
        fl4.flowi4_flags = flags;
        rt = ip_route_output_key(net, &fl4);
@@ -58,7 +59,7 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
            xfrm_decode_session(skb, flowi4_to_flowi(&fl4), AF_INET) == 0) {
                struct dst_entry *dst = skb_dst(skb);
                skb_dst_set(skb, NULL);
-                dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), skb->sk, 0);
+                dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), sk, 0);
                if (IS_ERR(dst))
                        return PTR_ERR(dst);
                skb_dst_set(skb, dst);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 6e3e0e8b1ce3..f51b32ed353c 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -329,6 +329,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
                        }
                        if (table_base + v
                            != arpt_next_entry(e)) {
+                                if (unlikely(stackidx >= private->stacksize)) {
+                                        verdict = NF_DROP;
+                                        break;
+                                }
                                jumpstack[stackidx++] = e;
                        }
@@ -367,23 +371,12 @@ static inline bool unconditional(const struct arpt_entry *e)
               memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
 }
-static bool find_jump_target(const struct xt_table_info *t,
-                             const struct arpt_entry *target)
-{
-        struct arpt_entry *iter;
-        xt_entry_foreach(iter, t->entries, t->size) {
-                 if (iter == target)
-                        return true;
-        }
-        return false;
-}
 /* Figures out from what hook each rule can be called: returns 0 if
 * there are loops.  Puts hook bitmask in comefrom.
 */
 static int mark_source_chains(const struct xt_table_info *newinfo,
-                              unsigned int valid_hooks, void *entry0)
+                              unsigned int valid_hooks, void *entry0,
+                              unsigned int *offsets)
 {
        unsigned int hook;
@@ -472,10 +465,11 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
                                        /* This a jump; chase it. */
                                        duprintf("Jump rule %u -> %u\n",
                                                 pos, newpos);
+                                        if (!xt_find_jump_offset(offsets, newpos,
+                                                                 newinfo->number))
+                                                return 0;
                                        e = (struct arpt_entry *)
                                                (entry0 + newpos);
-                                        if (!find_jump_target(newinfo, e))
-                                                return 0;
                                } else {
                                        /* ... this is a fallthru */
                                        newpos = pos + e->next_offset;
@@ -517,14 +511,14 @@ static inline int check_target(struct arpt_entry *e, const char *name)
 }
 static inline int
-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
+find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
+                 struct xt_percpu_counter_alloc_state *alloc_state)
 {
        struct xt_entry_target *t;
        struct xt_target *target;
        int ret;
-        e->counters.pcnt = xt_percpu_counter_alloc();
+        if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
-        if (IS_ERR_VALUE(e->counters.pcnt))
                return -ENOMEM;
        t = arpt_get_target(e);
@@ -544,7 +538,7 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
 err:
        module_put(t->u.kernel.target->me);
 out:
-        xt_percpu_counter_free(e->counters.pcnt);
+        xt_percpu_counter_free(&e->counters);
        return ret;
 }
@@ -632,7 +626,7 @@ static inline void cleanup_entry(struct arpt_entry *e)
        if (par.target->destroy != NULL)
                par.target->destroy(&par);
        module_put(par.target->me);
-        xt_percpu_counter_free(e->counters.pcnt);
+        xt_percpu_counter_free(&e->counters);
 }
 /* Checks and translates the user-supplied table segment (held in
@@ -641,7 +635,9 @@ static inline void cleanup_entry(struct arpt_entry *e)
 static int translate_table(struct xt_table_info *newinfo, void *entry0,
                           const struct arpt_replace *repl)
 {
+        struct xt_percpu_counter_alloc_state alloc_state = { 0 };
        struct arpt_entry *iter;
+        unsigned int *offsets;
        unsigned int i;
        int ret = 0;
@@ -655,6 +651,9 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
        }
        duprintf("translate_table: size %u\n", newinfo->size);
+        offsets = xt_alloc_entry_offsets(newinfo->number);
+        if (!offsets)
+                return -ENOMEM;
        i = 0;
        /* Walk through entries, checking offsets. */
@@ -665,7 +664,9 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
                                                 repl->underflow,
                                                 repl->valid_hooks);
                if (ret != 0)
-                        break;
+                        goto out_free;
+                if (i < repl->num_entries)
+                        offsets[i] = (void *)iter - entry0;
                ++i;
                if (strcmp(arpt_get_target(iter)->u.user.name,
                    XT_ERROR_TARGET) == 0)
@@ -673,12 +674,13 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
        }
        duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
        if (ret != 0)
-                return ret;
+                goto out_free;
+        ret = -EINVAL;
        if (i != repl->num_entries) {
                duprintf("translate_table: %u not %u entries\n",
                         i, repl->num_entries);
-                return -EINVAL;
+                goto out_free;
        }
        /* Check hooks all assigned */
@@ -689,22 +691,26 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
                if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
                        duprintf("Invalid hook entry %u %u\n",
                                 i, repl->hook_entry[i]);
-                        return -EINVAL;
+                        goto out_free;
                }
                if (newinfo->underflow[i] == 0xFFFFFFFF) {
                        duprintf("Invalid underflow %u %u\n",
                                 i, repl->underflow[i]);
-                        return -EINVAL;
+                        goto out_free;
                }
        }
-        if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
+        if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
-                return -ELOOP;
+                ret = -ELOOP;
+                goto out_free;
+        }
+        kvfree(offsets);
        /* Finally, each sanity check must pass */
        i = 0;
        xt_entry_foreach(iter, entry0, newinfo->size) {
-                ret = find_check_entry(iter, repl->name, repl->size);
+                ret = find_check_entry(iter, repl->name, repl->size,
+                                       &alloc_state);
                if (ret != 0)
                        break;
                ++i;
@@ -720,6 +726,9 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
        }
        return ret;
+ out_free:
+        kvfree(offsets);
+        return ret;
 }
 static void get_counters(const struct xt_table_info *t,
@@ -1336,8 +1345,8 @@ static int translate_compat_table(struct xt_table_info **pinfo,
        newinfo->number = compatr->num_entries;
        for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
-                newinfo->hook_entry[i] = info->hook_entry[i];
+                newinfo->hook_entry[i] = compatr->hook_entry[i];
-                newinfo->underflow[i] = info->underflow[i];
+                newinfo->underflow[i] = compatr->underflow[i];
        }
        entry1 = newinfo->entries;
        pos = entry1;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index a399c5419622..9363c1a70f16 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -408,6 +408,10 @@ ipt_do_table(struct sk_buff *skb,
                        }
                        if (table_base + v != ipt_next_entry(e) &&
                            !(e->ip.flags & IPT_F_GOTO)) {
+                                if (unlikely(stackidx >= private->stacksize)) {
+                                        verdict = NF_DROP;
+                                        break;
+                                }
                                jumpstack[stackidx++] = e;
                                pr_debug("Pushed %p into pos %u\n",
                                         e, stackidx - 1);
@@ -443,23 +447,12 @@ ipt_do_table(struct sk_buff *skb,
 #endif
 }
-static bool find_jump_target(const struct xt_table_info *t,
-                             const struct ipt_entry *target)
-{
-        struct ipt_entry *iter;
-        xt_entry_foreach(iter, t->entries, t->size) {
-                 if (iter == target)
-                        return true;
-        }
-        return false;
-}
 /* Figures out from what hook each rule can be called: returns 0 if
   there are loops.  Puts hook bitmask in comefrom. */
 static int
 mark_source_chains(const struct xt_table_info *newinfo,
-                   unsigned int valid_hooks, void *entry0)
+                   unsigned int valid_hooks, void *entry0,
+                   unsigned int *offsets)
 {
        unsigned int hook;
@@ -552,10 +545,11 @@ mark_source_chains(const struct xt_table_info *newinfo,
                                        /* This a jump; chase it. */
                                        duprintf("Jump rule %u -> %u\n",
                                                 pos, newpos);
+                                        if (!xt_find_jump_offset(offsets, newpos,
+                                                                 newinfo->number))
+                                                return 0;
                                        e = (struct ipt_entry *)
                                                (entry0 + newpos);
-                                        if (!find_jump_target(newinfo, e))
-                                                return 0;
                                } else {
                                        /* ... this is a fallthru */
                                        newpos = pos + e->next_offset;
@@ -655,7 +649,8 @@ static int check_target(struct ipt_entry *e, struct net *net, const char *name)
 static int
 find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
-                 unsigned int size)
+                 unsigned int size,
+                 struct xt_percpu_counter_alloc_state *alloc_state)
 {
        struct xt_entry_target *t;
        struct xt_target *target;
@@ -664,11 +659,11 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
        struct xt_mtchk_param mtpar;
        struct xt_entry_match *ematch;
-        e->counters.pcnt = xt_percpu_counter_alloc();
+        if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
-        if (IS_ERR_VALUE(e->counters.pcnt))
                return -ENOMEM;
        j = 0;
+        memset(&mtpar, 0, sizeof(mtpar));
        mtpar.net       = net;
        mtpar.table     = name;
        mtpar.entryinfo = &e->ip;
@@ -705,7 +700,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
                cleanup_match(ematch, net);
        }
-        xt_percpu_counter_free(e->counters.pcnt);
+        xt_percpu_counter_free(&e->counters);
        return ret;
 }
@@ -801,7 +796,7 @@ cleanup_entry(struct ipt_entry *e, struct net *net)
        if (par.target->destroy != NULL)
                par.target->destroy(&par);
        module_put(par.target->me);
-        xt_percpu_counter_free(e->counters.pcnt);
+        xt_percpu_counter_free(&e->counters);
 }
 /* Checks and translates the user-supplied table segment (held in
@@ -810,7 +805,9 @@ static int
 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
                const struct ipt_replace *repl)
 {
+        struct xt_percpu_counter_alloc_state alloc_state = { 0 };
        struct ipt_entry *iter;
+        unsigned int *offsets;
        unsigned int i;
        int ret = 0;
@@ -824,6 +821,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
        }
        duprintf("translate_table: size %u\n", newinfo->size);
+        offsets = xt_alloc_entry_offsets(newinfo->number);
+        if (!offsets)
+                return -ENOMEM;
        i = 0;
        /* Walk through entries, checking offsets. */
        xt_entry_foreach(iter, entry0, newinfo->size) {
@@ -833,17 +833,20 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
                                                 repl->underflow,
                                                 repl->valid_hooks);
                if (ret != 0)
-                        return ret;
+                        goto out_free;
+                if (i < repl->num_entries)
+                        offsets[i] = (void *)iter - entry0;
                ++i;
                if (strcmp(ipt_get_target(iter)->u.user.name,
                    XT_ERROR_TARGET) == 0)
                        ++newinfo->stacksize;
        }
+        ret = -EINVAL;
        if (i != repl->num_entries) {
                duprintf("translate_table: %u not %u entries\n",
                         i, repl->num_entries);
-                return -EINVAL;
+                goto out_free;
        }
        /* Check hooks all assigned */
@@ -854,22 +857,26 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
                if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
                        duprintf("Invalid hook entry %u %u\n",
                                 i, repl->hook_entry[i]);
-                        return -EINVAL;
+                        goto out_free;
                }
                if (newinfo->underflow[i] == 0xFFFFFFFF) {
                        duprintf("Invalid underflow %u %u\n",
                                 i, repl->underflow[i]);
-                        return -EINVAL;
+                        goto out_free;
                }
        }
-        if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
+        if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
-                return -ELOOP;
+                ret = -ELOOP;
+                goto out_free;
+        }
+        kvfree(offsets);
        /* Finally, each sanity check must pass */
        i = 0;
        xt_entry_foreach(iter, entry0, newinfo->size) {
-                ret = find_check_entry(iter, net, repl->name, repl->size);
+                ret = find_check_entry(iter, net, repl->name, repl->size,
+                                       &alloc_state);
                if (ret != 0)
                        break;
                ++i;
@@ -885,6 +892,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
        }
        return ret;
+ out_free:
+        kvfree(offsets);
+        return ret;
 }
 static void
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 4a9e6db9df8d..16599bae11dd 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -365,7 +365,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
        struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
        const struct ipt_entry *e = par->entryinfo;
        struct clusterip_config *config;
-        int ret;
+        int ret, i;
        if (par->nft_compat) {
                pr_err("cannot use CLUSTERIP target from nftables compat\n");
@@ -384,8 +384,18 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
                pr_info("Please specify destination IP\n");
                return -EINVAL;
        }
+        if (cipinfo->num_local_nodes > ARRAY_SIZE(cipinfo->local_nodes)) {
-        /* FIXME: further sanity checks */
+                pr_info("bad num_local_nodes %u\n", cipinfo->num_local_nodes);
+                return -EINVAL;
+        }
+        for (i = 0; i < cipinfo->num_local_nodes; i++) {
+                if (cipinfo->local_nodes[i] - 1 >=
+                    sizeof(config->local_nodes) * 8) {
+                        pr_info("bad local_nodes[%d] %u\n",
+                                i, cipinfo->local_nodes[i]);
+                        return -EINVAL;
+                }
+        }
        config = clusterip_config_find_get(par->net, e->ip.dst.s_addr, 1);
        if (!config) {
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 6a20195a3a2a..3fe8c951f427 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -259,15 +259,19 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len)
        struct nf_conntrack_tuple tuple;
        memset(&tuple, 0, sizeof(tuple));
+        lock_sock(sk);
        tuple.src.u3.ip = inet->inet_rcv_saddr;
        tuple.src.u.tcp.port = inet->inet_sport;
        tuple.dst.u3.ip = inet->inet_daddr;
        tuple.dst.u.tcp.port = inet->inet_dport;
        tuple.src.l3num = PF_INET;
        tuple.dst.protonum = sk->sk_protocol;
+        release_sock(sk);
        /* We only do TCP and SCTP at the moment: is there a better way? */
-        if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) {
+        if (tuple.dst.protonum != IPPROTO_TCP &&
+            tuple.dst.protonum != IPPROTO_SCTP) {
                pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");
                return -ENOPROTOOPT;
        }
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index 574f7ebba0b6..ac8342dcb55e 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -252,16 +252,16 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
        if (set_h245_addr(skb, protoff, data, dataoff, taddr,
                          &ct->tuplehash[!dir].tuple.dst.u3,
                          htons((port & htons(1)) ? nated_port + 1 :
-                                                    nated_port)) == 0) {
+                                                    nated_port))) {
-                /* Save ports */
-                info->rtp_port[i][dir] = rtp_port;
-                info->rtp_port[i][!dir] = htons(nated_port);
-        } else {
                nf_ct_unexpect_related(rtp_exp);
                nf_ct_unexpect_related(rtcp_exp);
                return -1;
        }
+        /* Save ports */
+        info->rtp_port[i][dir] = rtp_port;
+        info->rtp_port[i][!dir] = htons(nated_port);
        /* Success */
        pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n",
                 &rtp_exp->tuple.src.u3.ip,
@@ -370,15 +370,15 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
        /* Modify signal */
        if (set_h225_addr(skb, protoff, data, dataoff, taddr,
                          &ct->tuplehash[!dir].tuple.dst.u3,
-                          htons(nated_port)) == 0) {
+                          htons(nated_port))) {
-                /* Save ports */
-                info->sig_port[dir] = port;
-                info->sig_port[!dir] = htons(nated_port);
-        } else {
                nf_ct_unexpect_related(exp);
                return -1;
        }
+        /* Save ports */
+        info->sig_port[dir] = port;
+        info->sig_port[!dir] = htons(nated_port);
        pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n",
                 &exp->tuple.src.u3.ip,
                 ntohs(exp->tuple.src.u.tcp.port),
@@ -462,24 +462,27 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
        /* Modify signal */
        if (set_h225_addr(skb, protoff, data, 0, &taddr[idx],
                          &ct->tuplehash[!dir].tuple.dst.u3,
-                          htons(nated_port)) == 0) {
+                          htons(nated_port))) {
-                /* Save ports */
-                info->sig_port[dir] = port;
-                info->sig_port[!dir] = htons(nated_port);
-                /* Fix for Gnomemeeting */
-                if (idx > 0 &&
-                    get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
-                    (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
-                        set_h225_addr(skb, protoff, data, 0, &taddr[0],
-                                      &ct->tuplehash[!dir].tuple.dst.u3,
-                                      info->sig_port[!dir]);
-                }
-        } else {
                nf_ct_unexpect_related(exp);
                return -1;
        }
+        /* Save ports */
+        info->sig_port[dir] = port;
+        info->sig_port[!dir] = htons(nated_port);
+        /* Fix for Gnomemeeting */
+        if (idx > 0 &&
+            get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
+            (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
+                if (set_h225_addr(skb, protoff, data, 0, &taddr[0],
+                                  &ct->tuplehash[!dir].tuple.dst.u3,
+                                  info->sig_port[!dir])) {
+                        nf_ct_unexpect_related(exp);
+                        return -1;
+                }
+        }
        /* Success */
        pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n",
                 &exp->tuple.src.u3.ip,
@@ -550,9 +553,9 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
        }
        /* Modify signal */
-        if (!set_h225_addr(skb, protoff, data, dataoff, taddr,
+        if (set_h225_addr(skb, protoff, data, dataoff, taddr,
-                           &ct->tuplehash[!dir].tuple.dst.u3,
+                          &ct->tuplehash[!dir].tuple.dst.u3,
-                           htons(nated_port)) == 0) {
+                          htons(nated_port))) {
                nf_ct_unexpect_related(exp);
                return -1;
        }
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index c747b2d9eb77..d4acf38b60fd 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -124,6 +124,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
        /* ip_route_me_harder expects skb->dst to be set */
        skb_dst_set_noref(nskb, skb_dst(oldskb));
+        nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);
        skb_reserve(nskb, LL_MAX_HEADER);
        niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
                                   ip4_dst_hoplimit(skb_dst(nskb)));
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 37a3b05d175c..82c878224bfc 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -777,8 +777,10 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
        ipc.addr = faddr = daddr;
        if (ipc.opt && ipc.opt->opt.srr) {
-                if (!daddr)
+                if (!daddr) {
-                        return -EINVAL;
+                        err = -EINVAL;
+                        goto out_free;
+                }
                faddr = ipc.opt->opt.faddr;
        }
        tos = get_rttos(&ipc, inet);
@@ -843,6 +845,7 @@ back_from_confirm:
 out:
        ip_rt_put(rt);
+out_free:
        if (free)
                kfree(ipc.opt);
        if (!err) {
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 52d718e3f077..3251dede1815 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -126,10 +126,13 @@ static int ip_rt_redirect_silence __read_mostly	= ((HZ / 50) << (9 + 1));
 static int ip_rt_error_cost __read_mostly       = HZ;
 static int ip_rt_error_burst __read_mostly      = 5 * HZ;
 static int ip_rt_mtu_expires __read_mostly      = 10 * 60 * HZ;
-static int ip_rt_min_pmtu __read_mostly         = 512 + 20 + 20;
+static u32 ip_rt_min_pmtu __read_mostly         = 512 + 20 + 20;
 static int ip_rt_min_advmss __read_mostly       = 256;
 static int ip_rt_gc_timeout __read_mostly       = RT_GC_TIMEOUT;
+static int ip_min_valid_pmtu __read_mostly      = IPV4_MIN_MTU;
 /*
 *      Interface to generic destination cache.
 */
@@ -609,6 +612,7 @@ static inline u32 fnhe_hashfun(__be32 daddr)
 static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe)
 {
        rt->rt_pmtu = fnhe->fnhe_pmtu;
+        rt->rt_mtu_locked = fnhe->fnhe_mtu_locked;
        rt->dst.expires = fnhe->fnhe_expires;
        if (fnhe->fnhe_gw) {
@@ -619,7 +623,7 @@ static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnh
 }
 static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
-                                  u32 pmtu, unsigned long expires)
+                                  u32 pmtu, bool lock, unsigned long expires)
 {
        struct fnhe_hash_bucket *hash;
        struct fib_nh_exception *fnhe;
@@ -656,8 +660,10 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
                        fnhe->fnhe_genid = genid;
                if (gw)
                        fnhe->fnhe_gw = gw;
-                if (pmtu)
+                if (pmtu) {
                        fnhe->fnhe_pmtu = pmtu;
+                        fnhe->fnhe_mtu_locked = lock;
+                }
                fnhe->fnhe_expires = max(1UL, expires);
                /* Update all cached dsts too */
                rt = rcu_dereference(fnhe->fnhe_rth_input);
@@ -681,6 +687,7 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
                fnhe->fnhe_daddr = daddr;
                fnhe->fnhe_gw = gw;
                fnhe->fnhe_pmtu = pmtu;
+                fnhe->fnhe_mtu_locked = lock;
                fnhe->fnhe_expires = expires;
                /* Exception created; mark the cached routes for the nexthop
@@ -762,7 +769,8 @@ static void __ip_do_redirect(struct rtable *rt, struct sk_buff *skb, struct flow
                                struct fib_nh *nh = &FIB_RES_NH(res);
                                update_or_create_fnhe(nh, fl4->daddr, new_gw,
-                                                0, jiffies + ip_rt_gc_timeout);
+                                                0, false,
+                                                jiffies + ip_rt_gc_timeout);
                        }
                        if (kill_route)
                                rt->dst.obsolete = DST_OBSOLETE_KILL;
@@ -974,15 +982,18 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
 {
        struct dst_entry *dst = &rt->dst;
        struct fib_result res;
+        bool lock = false;
-        if (dst_metric_locked(dst, RTAX_MTU))
+        if (ip_mtu_locked(dst))
                return;
        if (ipv4_mtu(dst) < mtu)
                return;
-        if (mtu < ip_rt_min_pmtu)
+        if (mtu < ip_rt_min_pmtu) {
+                lock = true;
                mtu = ip_rt_min_pmtu;
+        }
        if (rt->rt_pmtu == mtu &&
            time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2))
@@ -992,7 +1003,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
        if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) {
                struct fib_nh *nh = &FIB_RES_NH(res);
-                update_or_create_fnhe(nh, fl4->daddr, 0, mtu,
+                update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock,
                                      jiffies + ip_rt_mtu_expires);
        }
        rcu_read_unlock();
@@ -1247,7 +1258,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst)
        mtu = READ_ONCE(dst->dev->mtu);
-        if (unlikely(dst_metric_locked(dst, RTAX_MTU))) {
+        if (unlikely(ip_mtu_locked(dst))) {
                if (rt->rt_uses_gateway && mtu > 576)
                        mtu = 576;
        }
@@ -1470,6 +1481,7 @@ static struct rtable *rt_dst_alloc(struct net_device *dev,
                rt->rt_is_input = 0;
                rt->rt_iif = 0;
                rt->rt_pmtu = 0;
+                rt->rt_mtu_locked = 0;
                rt->rt_gateway = 0;
                rt->rt_uses_gateway = 0;
                rt->rt_table_id = 0;
@@ -2390,6 +2402,7 @@ struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_or
                rt->rt_is_input = ort->rt_is_input;
                rt->rt_iif = ort->rt_iif;
                rt->rt_pmtu = ort->rt_pmtu;
+                rt->rt_mtu_locked = ort->rt_mtu_locked;
                rt->rt_genid = rt_genid_ipv4(net);
                rt->rt_flags = ort->rt_flags;
@@ -2492,6 +2505,8 @@ static int rt_fill_info(struct net *net,  __be32 dst, __be32 src, u32 table_id,
        memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics));
        if (rt->rt_pmtu && expires)
                metrics[RTAX_MTU - 1] = rt->rt_pmtu;
+        if (rt->rt_mtu_locked && expires)
+                metrics[RTAX_LOCK - 1] |= BIT(RTAX_MTU);
        if (rtnetlink_put_metrics(skb, metrics) < 0)
                goto nla_put_failure;
@@ -2765,7 +2780,8 @@ static struct ctl_table ipv4_route_table[] = {
                .data           = &ip_rt_min_pmtu,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = proc_dointvec,
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &ip_min_valid_pmtu,
        },
        {
                .procname       = "min_adv_mss",
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 70fb352e317f..da90c74d12ef 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -141,8 +141,9 @@ static int ipv4_ping_group_range(struct ctl_table *table, int write,
        if (write && ret == 0) {
                low = make_kgid(user_ns, urange[0]);
                high = make_kgid(user_ns, urange[1]);
-                if (!gid_valid(low) || !gid_valid(high) ||
+                if (!gid_valid(low) || !gid_valid(high))
-                    (urange[1] < urange[0]) || gid_lt(high, low)) {
+                        return -EINVAL;
+                if (urange[1] < urange[0] || gid_lt(high, low)) {
                        low = make_kgid(&init_user_ns, 1);
                        high = make_kgid(&init_user_ns, 0);
                }
@@ -213,8 +214,9 @@ static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write,
 {
        struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
        struct tcp_fastopen_context *ctxt;
-        int ret;
        u32  user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */
+        __le32 key[4];
+        int ret, i;
        tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL);
        if (!tbl.data)
@@ -223,11 +225,14 @@ static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write,
        rcu_read_lock();
        ctxt = rcu_dereference(tcp_fastopen_ctx);
        if (ctxt)
-                memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH);
+                memcpy(key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH);
        else
-                memset(user_key, 0, sizeof(user_key));
+                memset(key, 0, sizeof(key));
        rcu_read_unlock();
+        for (i = 0; i < ARRAY_SIZE(key); i++)
+                user_key[i] = le32_to_cpu(key[i]);
        snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x",
                user_key[0], user_key[1], user_key[2], user_key[3]);
        ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
@@ -243,12 +248,16 @@ static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write,
                 * first invocation of tcp_fastopen_cookie_gen
                 */
                tcp_fastopen_init_key_once(false);
-                tcp_fastopen_reset_cipher(user_key, TCP_FASTOPEN_KEY_LENGTH);
+                for (i = 0; i < ARRAY_SIZE(user_key); i++)
+                        key[i] = cpu_to_le32(user_key[i]);
+                tcp_fastopen_reset_cipher(key, TCP_FASTOPEN_KEY_LENGTH);
        }
 bad_key:
        pr_debug("proc FO key set 0x%x-%x-%x-%x <- 0x%s: %u\n",
-               user_key[0], user_key[1], user_key[2], user_key[3],
+                 user_key[0], user_key[1], user_key[2], user_key[3],
               (char *)tbl.data, ret);
        kfree(tbl.data);
        return ret;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 5597120c8ffd..a0f0a7db946b 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1108,7 +1108,7 @@ int tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
        lock_sock(sk);
        flags = msg->msg_flags;
-        if (flags & MSG_FASTOPEN) {
+        if ((flags & MSG_FASTOPEN) && !tp->repair) {
                err = tcp_sendmsg_fastopen(sk, msg, &copied_syn, size);
                if (err == -EINPROGRESS && copied_syn > 0)
                        goto out;
@@ -2176,6 +2176,9 @@ adjudge_to_death:
                        tcp_send_active_reset(sk, GFP_ATOMIC);
                        NET_INC_STATS_BH(sock_net(sk),
                                        LINUX_MIB_TCPABORTONMEMORY);
+                } else if (!check_net(sock_net(sk))) {
+                        /* Not possible to send reset; just close */
+                        tcp_set_state(sk, TCP_CLOSE);
                }
        }
@@ -2273,6 +2276,12 @@ int tcp_disconnect(struct sock *sk, int flags)
        WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
+        if (sk->sk_frag.page) {
+                put_page(sk->sk_frag.page);
+                sk->sk_frag.page = NULL;
+                sk->sk_frag.offset = 0;
+        }
        sk->sk_error_report(sk);
        return err;
 }
@@ -2441,7 +2450,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
        case TCP_REPAIR_QUEUE:
                if (!tp->repair)
                        err = -EPERM;
-                else if (val < TCP_QUEUES_NR)
+                else if ((unsigned int)val < TCP_QUEUES_NR)
                        tp->repair_queue = val;
                else
                        err = -EINVAL;
@@ -2580,8 +2589,10 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
 #ifdef CONFIG_TCP_MD5SIG
        case TCP_MD5SIG:
-                /* Read the IP->Key mappings from userspace */
+                if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
-                err = tp->af_specific->md5_parse(sk, optval, optlen);
+                        err = tp->af_specific->md5_parse(sk, optval, optlen);
+                else
+                        err = -EINVAL;
                break;
 #endif
        case TCP_USER_TIMEOUT:
diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c
index 55d7da1d2ce9..6300edf90e60 100644
--- a/net/ipv4/tcp_dctcp.c
+++ b/net/ipv4/tcp_dctcp.c
@@ -131,23 +131,14 @@ static void dctcp_ce_state_0_to_1(struct sock *sk)
        struct dctcp *ca = inet_csk_ca(sk);
        struct tcp_sock *tp = tcp_sk(sk);
-        /* State has changed from CE=0 to CE=1 and delayed
+        if (!ca->ce_state) {
-         * ACK has not sent yet.
+                /* State has changed from CE=0 to CE=1, force an immediate
-         */
+                 * ACK to reflect the new CE state. If an ACK was delayed,
-        if (!ca->ce_state && ca->delayed_ack_reserved) {
+                 * send that first to reflect the prior CE state.
-                u32 tmp_rcv_nxt;
+                 */
+                if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER)
-                /* Save current rcv_nxt. */
+                        __tcp_send_ack(sk, ca->prior_rcv_nxt);
-                tmp_rcv_nxt = tp->rcv_nxt;
+                tcp_enter_quickack_mode(sk, 1);
-                /* Generate previous ack with CE=0. */
-                tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR;
-                tp->rcv_nxt = ca->prior_rcv_nxt;
-                tcp_send_ack(sk);
-                /* Recover current rcv_nxt. */
-                tp->rcv_nxt = tmp_rcv_nxt;
        }
        ca->prior_rcv_nxt = tp->rcv_nxt;
@@ -161,23 +152,14 @@ static void dctcp_ce_state_1_to_0(struct sock *sk)
        struct dctcp *ca = inet_csk_ca(sk);
        struct tcp_sock *tp = tcp_sk(sk);
-        /* State has changed from CE=1 to CE=0 and delayed
+        if (ca->ce_state) {
-         * ACK has not sent yet.
+                /* State has changed from CE=1 to CE=0, force an immediate
-         */
+                 * ACK to reflect the new CE state. If an ACK was delayed,
-        if (ca->ce_state && ca->delayed_ack_reserved) {
+                 * send that first to reflect the prior CE state.
-                u32 tmp_rcv_nxt;
+                 */
+                if (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_TIMER)
-                /* Save current rcv_nxt. */
+                        __tcp_send_ack(sk, ca->prior_rcv_nxt);
-                tmp_rcv_nxt = tp->rcv_nxt;
+                tcp_enter_quickack_mode(sk, 1);
-                /* Generate previous ack with CE=1. */
-                tp->ecn_flags |= TCP_ECN_DEMAND_CWR;
-                tp->rcv_nxt = ca->prior_rcv_nxt;
-                tcp_send_ack(sk);
-                /* Recover current rcv_nxt. */
-                tp->rcv_nxt = tmp_rcv_nxt;
        }
        ca->prior_rcv_nxt = tp->rcv_nxt;
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
index 2ab9bbb6faff..5ed6a89894fd 100644
--- a/net/ipv4/tcp_illinois.c
+++ b/net/ipv4/tcp_illinois.c
@@ -6,7 +6,7 @@
 * The algorithm is described in:
 * "TCP-Illinois: A Loss and Delay-Based Congestion Control Algorithm
 *  for High-Speed Networks"
- * http://www.ifp.illinois.edu/~srikant/Papers/liubassri06perf.pdf
+ * http://tamerbasar.csl.illinois.edu/LiuBasarSrikantPerfEvalArtJun2008.pdf
 *
 * Implemented from description in paper and ns-2 simulation.
 * Copyright (C) 2007 Stephen Hemminger <shemminger@linux-foundation.org>
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 71290fb7d500..9c4c6cd0316e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -117,6 +117,7 @@ int sysctl_tcp_invalid_ratelimit __read_mostly = HZ/2;
 #define FLAG_DSACKING_ACK       0x800 /* SACK blocks contained D-SACK info */
 #define FLAG_SACK_RENEGING      0x2000 /* snd_una advanced to a sacked seq */
 #define FLAG_UPDATE_TS_RECENT   0x4000 /* tcp_replace_ts_recent() */
+#define FLAG_NO_CHALLENGE_ACK   0x8000 /* do not call tcp_send_challenge_ack()  */
 #define FLAG_ACKED              (FLAG_DATA_ACKED|FLAG_SYN_ACKED)
 #define FLAG_NOT_DUP            (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED)
@@ -175,24 +176,27 @@ static void tcp_measure_rcv_mss(struct sock *sk, const struct sk_buff *skb)
        }
 }
-static void tcp_incr_quickack(struct sock *sk)
+static void tcp_incr_quickack(struct sock *sk, unsigned int max_quickacks)
 {
        struct inet_connection_sock *icsk = inet_csk(sk);
        unsigned int quickacks = tcp_sk(sk)->rcv_wnd / (2 * icsk->icsk_ack.rcv_mss);
        if (quickacks == 0)
                quickacks = 2;
+        quickacks = min(quickacks, max_quickacks);
        if (quickacks > icsk->icsk_ack.quick)
-                icsk->icsk_ack.quick = min(quickacks, TCP_MAX_QUICKACKS);
+                icsk->icsk_ack.quick = quickacks;
 }
-static void tcp_enter_quickack_mode(struct sock *sk)
+void tcp_enter_quickack_mode(struct sock *sk, unsigned int max_quickacks)
 {
        struct inet_connection_sock *icsk = inet_csk(sk);
-        tcp_incr_quickack(sk);
+        tcp_incr_quickack(sk, max_quickacks);
        icsk->icsk_ack.pingpong = 0;
        icsk->icsk_ack.ato = TCP_ATO_MIN;
 }
+EXPORT_SYMBOL(tcp_enter_quickack_mode);
 /* Send ACKs quickly, if "quick" count is not exhausted
 * and the session is not interactive.
@@ -224,8 +228,10 @@ static void tcp_ecn_withdraw_cwr(struct tcp_sock *tp)
        tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR;
 }
-static void __tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)
+static void __tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb)
 {
+        struct tcp_sock *tp = tcp_sk(sk);
        switch (TCP_SKB_CB(skb)->ip_dsfield & INET_ECN_MASK) {
        case INET_ECN_NOT_ECT:
                /* Funny extension: if ECT is not set on a segment,
@@ -233,31 +239,31 @@ static void __tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)
                 * it is probably a retransmit.
                 */
                if (tp->ecn_flags & TCP_ECN_SEEN)
-                        tcp_enter_quickack_mode((struct sock *)tp);
+                        tcp_enter_quickack_mode(sk, 2);
                break;
        case INET_ECN_CE:
-                if (tcp_ca_needs_ecn((struct sock *)tp))
+                if (tcp_ca_needs_ecn(sk))
-                        tcp_ca_event((struct sock *)tp, CA_EVENT_ECN_IS_CE);
+                        tcp_ca_event(sk, CA_EVENT_ECN_IS_CE);
                if (!(tp->ecn_flags & TCP_ECN_DEMAND_CWR)) {
                        /* Better not delay acks, sender can have a very low cwnd */
-                        tcp_enter_quickack_mode((struct sock *)tp);
+                        tcp_enter_quickack_mode(sk, 2);
                        tp->ecn_flags |= TCP_ECN_DEMAND_CWR;
                }
                tp->ecn_flags |= TCP_ECN_SEEN;
                break;
        default:
-                if (tcp_ca_needs_ecn((struct sock *)tp))
+                if (tcp_ca_needs_ecn(sk))
-                        tcp_ca_event((struct sock *)tp, CA_EVENT_ECN_NO_CE);
+                        tcp_ca_event(sk, CA_EVENT_ECN_NO_CE);
                tp->ecn_flags |= TCP_ECN_SEEN;
                break;
        }
 }
-static void tcp_ecn_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)
+static void tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb)
 {
-        if (tp->ecn_flags & TCP_ECN_OK)
+        if (tcp_sk(sk)->ecn_flags & TCP_ECN_OK)
-                __tcp_ecn_check_ce(tp, skb);
+                __tcp_ecn_check_ce(sk, skb);
 }
 static void tcp_ecn_rcv_synack(struct tcp_sock *tp, const struct tcphdr *th)
@@ -556,8 +562,8 @@ static inline void tcp_rcv_rtt_measure_ts(struct sock *sk,
 void tcp_rcv_space_adjust(struct sock *sk)
 {
        struct tcp_sock *tp = tcp_sk(sk);
+        u32 copied;
        int time;
-        int copied;
        time = tcp_time_stamp - tp->rcvq_space.time;
        if (time < (tp->rcv_rtt_est.rtt >> 3) || tp->rcv_rtt_est.rtt == 0)
@@ -579,12 +585,13 @@ void tcp_rcv_space_adjust(struct sock *sk)
        if (sysctl_tcp_moderate_rcvbuf &&
            !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) {
-                int rcvwin, rcvmem, rcvbuf;
+                int rcvmem, rcvbuf;
+                u64 rcvwin;
                /* minimal window to cope with packet losses, assuming
                 * steady state. Add some cushion because of small variations.
                 */
-                rcvwin = (copied << 1) + 16 * tp->advmss;
+                rcvwin = ((u64)copied << 1) + 16 * tp->advmss;
                /* If rate increased by 25%,
                 *      assume slow start, rcvwin = 3 * copied
@@ -604,12 +611,13 @@ void tcp_rcv_space_adjust(struct sock *sk)
                while (tcp_win_from_space(rcvmem) < tp->advmss)
                        rcvmem += 128;
-                rcvbuf = min(rcvwin / tp->advmss * rcvmem, sysctl_tcp_rmem[2]);
+                do_div(rcvwin, tp->advmss);
+                rcvbuf = min_t(u64, rcvwin * rcvmem, sysctl_tcp_rmem[2]);
                if (rcvbuf > sk->sk_rcvbuf) {
                        sk->sk_rcvbuf = rcvbuf;
                        /* Make the window clamp follow along.  */
-                        tp->window_clamp = rcvwin;
+                        tp->window_clamp = tcp_win_from_space(rcvbuf);
                }
        }
        tp->rcvq_space.space = copied;
@@ -647,7 +655,7 @@ static void tcp_event_data_recv(struct sock *sk, struct sk_buff *skb)
                /* The _first_ data packet received, initialize
                 * delayed ACK engine.
                 */
-                tcp_incr_quickack(sk);
+                tcp_incr_quickack(sk, TCP_MAX_QUICKACKS);
                icsk->icsk_ack.ato = TCP_ATO_MIN;
        } else {
                int m = now - icsk->icsk_ack.lrcvtime;
@@ -663,13 +671,13 @@ static void tcp_event_data_recv(struct sock *sk, struct sk_buff *skb)
                        /* Too long gap. Apparently sender failed to
                         * restart window, so that we send ACKs quickly.
                         */
-                        tcp_incr_quickack(sk);
+                        tcp_incr_quickack(sk, TCP_MAX_QUICKACKS);
                        sk_mem_reclaim(sk);
                }
        }
        icsk->icsk_ack.lrcvtime = now;
-        tcp_ecn_check_ce(tp, skb);
+        tcp_ecn_check_ce(sk, skb);
        if (skb->len >= 128)
                tcp_grow_window(sk, skb);
@@ -3215,6 +3223,15 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
                if (tcp_is_reno(tp)) {
                        tcp_remove_reno_sacks(sk, pkts_acked);
+                        /* If any of the cumulatively ACKed segments was
+                         * retransmitted, non-SACK case cannot confirm that
+                         * progress was due to original transmission due to
+                         * lack of TCPCB_SACKED_ACKED bits even if some of
+                         * the packets may have been never retransmitted.
+                         */
+                        if (flag & FLAG_RETRANS_DATA_ACKED)
+                                flag &= ~FLAG_ORIG_SACK_ACKED;
                } else {
                        int delta;
@@ -3543,7 +3560,8 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
        if (before(ack, prior_snd_una)) {
                /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */
                if (before(ack, prior_snd_una - tp->max_window)) {
-                        tcp_send_challenge_ack(sk, skb);
+                        if (!(flag & FLAG_NO_CHALLENGE_ACK))
+                                tcp_send_challenge_ack(sk, skb);
                        return -1;
                }
                goto old_ack;
@@ -3867,11 +3885,8 @@ const u8 *tcp_parse_md5sig_option(const struct tcphdr *th)
        int length = (th->doff << 2) - sizeof(*th);
        const u8 *ptr = (const u8 *)(th + 1);
-        /* If the TCP option is too short, we can short cut */
+        /* If not enough data remaining, we can short cut */
-        if (length < TCPOLEN_MD5SIG)
+        while (length >= TCPOLEN_MD5SIG) {
-                return NULL;
-        while (length > 0) {
                int opcode = *ptr++;
                int opsize;
@@ -4125,7 +4140,7 @@ static void tcp_send_dupack(struct sock *sk, const struct sk_buff *skb)
        if (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq &&
            before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOST);
-                tcp_enter_quickack_mode(sk);
+                tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS);
                if (tcp_is_sack(tp) && sysctl_tcp_dsack) {
                        u32 end_seq = TCP_SKB_CB(skb)->end_seq;
@@ -4353,7 +4368,7 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
        struct sk_buff *skb1;
        u32 seq, end_seq;
-        tcp_ecn_check_ce(tp, skb);
+        tcp_ecn_check_ce(sk, skb);
        if (unlikely(tcp_try_rmem_schedule(sk, skb, skb->truesize))) {
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPOFODROP);
@@ -4627,7 +4642,7 @@ queue_and_out:
                tcp_dsack_set(sk, TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq);
 out_of_window:
-                tcp_enter_quickack_mode(sk);
+                tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS);
                inet_csk_schedule_ack(sk);
 drop:
                __kfree_skb(skb);
@@ -4638,8 +4653,6 @@ drop:
        if (!before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt + tcp_receive_window(tp)))
                goto out_of_window;
-        tcp_enter_quickack_mode(sk);
        if (before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
                /* Partial packet, seq < rcv_next < end_seq */
                SOCK_DEBUG(sk, "partial packet: rcv_next %X seq %X - %X\n",
@@ -4778,6 +4791,7 @@ restart:
 static void tcp_collapse_ofo_queue(struct sock *sk)
 {
        struct tcp_sock *tp = tcp_sk(sk);
+        u32 range_truesize, sum_tiny = 0;
        struct sk_buff *skb = skb_peek(&tp->out_of_order_queue);
        struct sk_buff *head;
        u32 start, end;
@@ -4787,6 +4801,7 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
        start = TCP_SKB_CB(skb)->seq;
        end = TCP_SKB_CB(skb)->end_seq;
+        range_truesize = skb->truesize;
        head = skb;
        for (;;) {
@@ -4801,15 +4816,26 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
                if (!skb ||
                    after(TCP_SKB_CB(skb)->seq, end) ||
                    before(TCP_SKB_CB(skb)->end_seq, start)) {
-                        tcp_collapse(sk, &tp->out_of_order_queue,
+                        /* Do not attempt collapsing tiny skbs */
-                                     head, skb, start, end);
+                        if (range_truesize != head->truesize ||
+                            end - start >= SKB_WITH_OVERHEAD(SK_MEM_QUANTUM)) {
+                                tcp_collapse(sk, &tp->out_of_order_queue,
+                                             head, skb, start, end);
+                        } else {
+                                sum_tiny += range_truesize;
+                                if (sum_tiny > sk->sk_rcvbuf >> 3)
+                                        return;
+                        }
                        head = skb;
                        if (!skb)
                                break;
                        /* Start new segment */
                        start = TCP_SKB_CB(skb)->seq;
                        end = TCP_SKB_CB(skb)->end_seq;
+                        range_truesize = skb->truesize;
                } else {
+                        range_truesize += skb->truesize;
                        if (before(TCP_SKB_CB(skb)->seq, start))
                                start = TCP_SKB_CB(skb)->seq;
                        if (after(TCP_SKB_CB(skb)->end_seq, end))
@@ -4864,6 +4890,9 @@ static int tcp_prune_queue(struct sock *sk)
        else if (tcp_under_memory_pressure(sk))
                tp->rcv_ssthresh = min(tp->rcv_ssthresh, 4U * tp->advmss);
+        if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf)
+                return 0;
        tcp_collapse_ofo_queue(sk);
        if (!skb_queue_empty(&sk->sk_receive_queue))
                tcp_collapse(sk, &sk->sk_receive_queue,
@@ -5464,10 +5493,6 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb)
        else
                tp->pred_flags = 0;
-        if (!sock_flag(sk, SOCK_DEAD)) {
-                sk->sk_state_change(sk);
-                sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);
-        }
 }
 static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
@@ -5531,6 +5556,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
        struct tcp_sock *tp = tcp_sk(sk);
        struct tcp_fastopen_cookie foc = { .len = -1 };
        int saved_clamp = tp->rx_opt.mss_clamp;
+        bool fastopen_fail;
        tcp_parse_options(skb, &tp->rx_opt, 0, &foc);
        if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr)
@@ -5633,10 +5659,15 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
                tcp_finish_connect(sk, skb);
-                if ((tp->syn_fastopen || tp->syn_data) &&
+                fastopen_fail = (tp->syn_fastopen || tp->syn_data) &&
-                    tcp_rcv_fastopen_synack(sk, skb, &foc))
+                                tcp_rcv_fastopen_synack(sk, skb, &foc);
-                        return -1;
+                if (!sock_flag(sk, SOCK_DEAD)) {
+                        sk->sk_state_change(sk);
+                        sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);
+                }
+                if (fastopen_fail)
+                        return -1;
                if (sk->sk_write_pending ||
                    icsk->icsk_accept_queue.rskq_defer_accept ||
                    icsk->icsk_ack.pingpong) {
@@ -5648,7 +5679,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
                         * to stand against the temptation 8)     --ANK
                         */
                        inet_csk_schedule_ack(sk);
-                        tcp_enter_quickack_mode(sk);
+                        tcp_enter_quickack_mode(sk, TCP_MAX_QUICKACKS);
                        inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK,
                                                  TCP_DELACK_MAX, TCP_RTO_MAX);
@@ -5830,13 +5861,17 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
        /* step 5: check the ACK field */
        acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH |
-                                      FLAG_UPDATE_TS_RECENT) > 0;
+                                      FLAG_UPDATE_TS_RECENT |
+                                      FLAG_NO_CHALLENGE_ACK) > 0;
+        if (!acceptable) {
+                if (sk->sk_state == TCP_SYN_RECV)
+                        return 1;       /* send one RST */
+                tcp_send_challenge_ack(sk, skb);
+                goto discard;
+        }
        switch (sk->sk_state) {
        case TCP_SYN_RECV:
-                if (!acceptable)
-                        return 1;
                if (!tp->srtt_us)
                        tcp_synack_rtt_meas(sk, req);
@@ -5905,14 +5940,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
                 * our SYNACK so stop the SYNACK timer.
                 */
                if (req) {
-                        /* Return RST if ack_seq is invalid.
-                         * Note that RFC793 only says to generate a
-                         * DUPACK for it but for TCP Fast Open it seems
-                         * better to treat this case like TCP_SYN_RECV
-                         * above.
-                         */
-                        if (!acceptable)
-                                return 1;
                        /* We no longer need the request sock. */
                        reqsk_fastopen_remove(sk, req, false);
                        tcp_rearm_rto(sk);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 61c93a93f228..eeda67c3dd11 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1627,6 +1627,10 @@ process:
                        reqsk_put(req);
                        goto discard_it;
                }
+                if (tcp_checksum_complete(skb)) {
+                        reqsk_put(req);
+                        goto csum_error;
+                }
                if (unlikely(sk->sk_state != TCP_LISTEN)) {
                        inet_csk_reqsk_queue_drop_and_put(sk, req);
                        goto lookup;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 39c2919fe0d3..6fa749ce231f 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -177,8 +177,13 @@ static void tcp_event_data_sent(struct tcp_sock *tp,
 }
 /* Account for an ACK we sent. */
-static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts)
+static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts,
+                                      u32 rcv_nxt)
 {
+        struct tcp_sock *tp = tcp_sk(sk);
+        if (unlikely(rcv_nxt != tp->rcv_nxt))
+                return;  /* Special ACK sent by DCTCP to reflect ECN */
        tcp_dec_quickack_mode(sk, pkts);
        inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK);
 }
@@ -901,8 +906,8 @@ out:
 * We are working here with either a clone of the original
 * SKB, or a fresh unique copy made by the retransmit engine.
 */
-static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
+static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
-                            gfp_t gfp_mask)
+                              int clone_it, gfp_t gfp_mask, u32 rcv_nxt)
 {
        const struct inet_connection_sock *icsk = inet_csk(sk);
        struct inet_sock *inet;
@@ -962,7 +967,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
        th->source              = inet->inet_sport;
        th->dest                = inet->inet_dport;
        th->seq                 = htonl(tcb->seq);
-        th->ack_seq             = htonl(tp->rcv_nxt);
+        th->ack_seq             = htonl(rcv_nxt);
        *(((__be16 *)th) + 6)   = htons(((tcp_header_size >> 2) << 12) |
                                        tcb->tcp_flags);
@@ -1005,7 +1010,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
        icsk->icsk_af_ops->send_check(sk, skb);
        if (likely(tcb->tcp_flags & TCPHDR_ACK))
-                tcp_event_ack_sent(sk, tcp_skb_pcount(skb));
+                tcp_event_ack_sent(sk, tcp_skb_pcount(skb), rcv_nxt);
        if (skb->len != tcp_header_size)
                tcp_event_data_sent(tp, sk);
@@ -1036,6 +1041,13 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
        return net_xmit_eval(err);
 }
+static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
+                            gfp_t gfp_mask)
+{
+        return __tcp_transmit_skb(sk, skb, clone_it, gfp_mask,
+                                  tcp_sk(sk)->rcv_nxt);
+}
 /* This routine just queues the buffer for sending.
 *
 * NOTE: probe0 timer is not checked, do not forget tcp_push_pending_frames,
@@ -2587,8 +2599,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
                return -EBUSY;
        if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) {
-                if (before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))
+                if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) {
-                        BUG();
+                        WARN_ON_ONCE(1);
+                        return -EINVAL;
+                }
                if (tcp_trim_head(sk, skb, tp->snd_una - TCP_SKB_CB(skb)->seq))
                        return -ENOMEM;
        }
@@ -3117,6 +3131,7 @@ static void tcp_connect_init(struct sock *sk)
        sock_reset_flag(sk, SOCK_DONE);
        tp->snd_wnd = 0;
        tcp_init_wl(tp, 0);
+        tcp_write_queue_purge(sk);
        tp->snd_una = tp->write_seq;
        tp->snd_sml = tp->write_seq;
        tp->snd_up = tp->write_seq;
@@ -3351,7 +3366,7 @@ void tcp_send_delayed_ack(struct sock *sk)
 }
 /* This routine sends an ack and also updates the window. */
-void tcp_send_ack(struct sock *sk)
+void __tcp_send_ack(struct sock *sk, u32 rcv_nxt)
 {
        struct sk_buff *buff;
@@ -3388,9 +3403,14 @@ void tcp_send_ack(struct sock *sk)
        /* Send it off, this clears delayed acks for us. */
        skb_mstamp_get(&buff->skb_mstamp);
-        tcp_transmit_skb(sk, buff, 0, sk_gfp_atomic(sk, GFP_ATOMIC));
+        __tcp_transmit_skb(sk, buff, 0, sk_gfp_atomic(sk, GFP_ATOMIC), rcv_nxt);
+}
+EXPORT_SYMBOL_GPL(__tcp_send_ack);
+void tcp_send_ack(struct sock *sk)
+{
+        __tcp_send_ack(sk, tcp_sk(sk)->rcv_nxt);
 }
-EXPORT_SYMBOL_GPL(tcp_send_ack);
 /* This routine sends a packet with an out of date sequence
 * number. It assumes the other end will try to ack it.
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 1ec12a4f327e..35f638cfc675 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -46,11 +46,19 @@ static void tcp_write_err(struct sock *sk)
 * to prevent DoS attacks. It is called when a retransmission timeout
 * or zero probe timeout occurs on orphaned socket.
 *
+ * Also close if our net namespace is exiting; in that case there is no
+ * hope of ever communicating again since all netns interfaces are already
+ * down (or about to be down), and we need to release our dst references,
+ * which have been moved to the netns loopback interface, so the namespace
+ * can finish exiting.  This condition is only possible if we are a kernel
+ * socket, as those do not hold references to the namespace.
+ *
 * Criteria is still not confirmed experimentally and may change.
 * We kill the socket, if:
 * 1. If number of orphaned sockets exceeds an administratively configured
 *    limit.
 * 2. If we have strong memory pressure.
+ * 3. If our net namespace is exiting.
 */
 static int tcp_out_of_resources(struct sock *sk, bool do_reset)
 {
@@ -79,6 +87,13 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset)
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONMEMORY);
                return 1;
        }
+        if (!check_net(sock_net(sk))) {
+                /* Not possible to send reset; just close */
+                tcp_done(sk);
+                return 1;
+        }
        return 0;
 }
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 301e60829c7e..6f929689fd03 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -991,8 +991,10 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
        ipc.addr = faddr = daddr;
        if (ipc.opt && ipc.opt->opt.srr) {
-                if (!daddr)
+                if (!daddr) {
-                        return -EINVAL;
+                        err = -EINVAL;
+                        goto out_free;
+                }
                faddr = ipc.opt->opt.faddr;
                connected = 0;
        }
@@ -1105,6 +1107,7 @@ do_append_data:
 out:
        ip_rt_put(rt);
+out_free:
        if (free)
                kfree(ipc.opt);
        if (!err)
@@ -1744,6 +1747,11 @@ static inline int udp4_csum_init(struct sk_buff *skb, struct udphdr *uh,
                err = udplite_checksum_init(skb, uh);
                if (err)
                        return err;
+                if (UDP_SKB_CB(skb)->partial_cov) {
+                        skb->csum = inet_compute_pseudo(skb, proto);
+                        return 0;
+                }
        }
        return skb_checksum_init_zero_check(skb, proto, uh->check,
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 7b0edb37a115..fddae0164b91 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -97,6 +97,7 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
        xdst->u.rt.rt_gateway = rt->rt_gateway;
        xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway;
        xdst->u.rt.rt_pmtu = rt->rt_pmtu;
+        xdst->u.rt.rt_mtu_locked = rt->rt_mtu_locked;
        xdst->u.rt.rt_table_id = rt->rt_table_id;
        INIT_LIST_HEAD(&xdst->u.rt.rt_uncached);
diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
index 983bb999738c..0f50248bad17 100644
--- a/net/ipv6/Kconfig
+++ b/net/ipv6/Kconfig
@@ -69,6 +69,7 @@ config INET6_ESP
        select CRYPTO_CBC
        select CRYPTO_SHA1
        select CRYPTO_DES
+        select CRYPTO_ECHAINIV
        ---help---
          Support for IPsec ESP.
@@ -205,6 +206,7 @@ config IPV6_NDISC_NODETYPE
 config IPV6_TUNNEL
        tristate "IPv6: IP-in-IPv6 tunnel (RFC2473)"
        select INET6_TUNNEL
+        select DST_CACHE
        ---help---
          Support for IPv6-in-IPv6 and IPv4-in-IPv6 tunnels described in
          RFC 2473.
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 92174881844d..0613be57513e 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -957,7 +957,10 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr,
        INIT_HLIST_NODE(&ifa->addr_lst);
        ifa->scope = scope;
        ifa->prefix_len = pfxlen;
-        ifa->flags = flags | IFA_F_TENTATIVE;
+        ifa->flags = flags;
+        /* No need to add the TENTATIVE flag for addresses with NODAD */
+        if (!(flags & IFA_F_NODAD))
+                ifa->flags |= IFA_F_TENTATIVE;
        ifa->valid_lft = valid_lft;
        ifa->prefered_lft = prefered_lft;
        ifa->cstamp = ifa->tstamp = jiffies;
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 0630a4d5daaa..0edc44cb254e 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -423,7 +423,9 @@ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
        ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
        sg_init_table(sg, nfrags + sglists);
-        skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+        err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+        if (unlikely(err < 0))
+                goto out_free;
        if (x->props.flags & XFRM_STATE_ESN) {
                /* Attach seqhi sg right after packet payload */
@@ -603,7 +605,9 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
        ip6h->hop_limit   = 0;
        sg_init_table(sg, nfrags + sglists);
-        skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+        err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+        if (unlikely(err < 0))
+                goto out_free;
        if (x->props.flags & XFRM_STATE_ESN) {
                /* Attach seqhi sg right after packet payload */
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index cae37bfd12ab..9f6e57ded338 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -657,13 +657,16 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
        }
        if (np->rxopt.bits.rxorigdstaddr) {
                struct sockaddr_in6 sin6;
-                __be16 *ports = (__be16 *) skb_transport_header(skb);
+                __be16 *ports;
+                int end;
-                if (skb_transport_offset(skb) + 4 <= skb->len) {
+                end = skb_transport_offset(skb) + 4;
+                if (end <= 0 || pskb_may_pull(skb, end)) {
                        /* All current transport protocols have the port numbers in the
                         * first four bytes of the transport header and this function is
                         * written with this assumption in mind.
                         */
+                        ports = (__be16 *)skb_transport_header(skb);
                        sin6.sin6_family = AF_INET6;
                        sin6.sin6_addr = ipv6_hdr(skb)->daddr;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 111ba55fd512..6a924be66e37 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -248,9 +248,11 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
        esph->spi = x->id.spi;
        sg_init_table(sg, nfrags);
-        skb_to_sgvec(skb, sg,
+        err = skb_to_sgvec(skb, sg,
-                     (unsigned char *)esph - skb->data,
+                           (unsigned char *)esph - skb->data,
-                     assoclen + ivlen + clen + alen);
+                           assoclen + ivlen + clen + alen);
+        if (unlikely(err < 0))
+                goto error;
        aead_request_set_crypt(req, sg, sg, ivlen + clen, iv);
        aead_request_set_ad(req, assoclen);
@@ -423,7 +425,9 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
        }
        sg_init_table(sg, nfrags);
-        skb_to_sgvec(skb, sg, 0, skb->len);
+        ret = skb_to_sgvec(skb, sg, 0, skb->len);
+        if (unlikely(ret < 0))
+                goto out;
        aead_request_set_crypt(req, sg, sg, elen + ivlen, iv);
        aead_request_set_ad(req, assoclen);
diff --git a/net/ipv6/ip6_checksum.c b/net/ipv6/ip6_checksum.c
index 9a4d7322fb22..391a8fedb27e 100644
--- a/net/ipv6/ip6_checksum.c
+++ b/net/ipv6/ip6_checksum.c
@@ -73,6 +73,11 @@ int udp6_csum_init(struct sk_buff *skb, struct udphdr *uh, int proto)
                err = udplite_checksum_init(skb, uh);
                if (err)
                        return err;
+                if (UDP_SKB_CB(skb)->partial_cov) {
+                        skb->csum = ip6_compute_pseudo(skb, proto);
+                        return 0;
+                }
        }
        /* To support RFC 6936 (allow zero checksum in UDP/IPV6 for tunnels)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index c878cbf65485..b25f4ad28b03 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -320,11 +320,13 @@ static struct ip6_tnl *ip6gre_tunnel_locate(struct net *net,
        if (t || !create)
                return t;
-        if (parms->name[0])
+        if (parms->name[0]) {
+                if (!dev_valid_name(parms->name))
+                        return NULL;
                strlcpy(name, parms->name, IFNAMSIZ);
-        else
+        } else {
                strcpy(name, "ip6gre%d");
+        }
        dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
                           ip6gre_tunnel_setup);
        if (!dev)
@@ -362,7 +364,7 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
        struct ip6gre_net *ign = net_generic(t->net, ip6gre_net_id);
        ip6gre_tunnel_unlink(ign, t);
-        ip6_tnl_dst_reset(t);
+        dst_cache_reset(&t->dst_cache);
        dev_put(dev);
 }
@@ -640,7 +642,7 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb,
        }
        if (!fl6->flowi6_mark)
-                dst = ip6_tnl_dst_get(tunnel);
+                dst = dst_cache_get(&tunnel->dst_cache);
        if (!dst) {
                dst = ip6_route_output(net, NULL, fl6);
@@ -709,7 +711,7 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb,
        }
        if (!fl6->flowi6_mark && ndst)
-                ip6_tnl_dst_set(tunnel, ndst);
+                dst_cache_set_ip6(&tunnel->dst_cache, ndst, &fl6->saddr);
        skb_dst_set(skb, dst);
        proto = NEXTHDR_GRE;
@@ -1017,7 +1019,7 @@ static int ip6gre_tnl_change(struct ip6_tnl *t,
        t->parms.o_key = p->o_key;
        t->parms.i_flags = p->i_flags;
        t->parms.o_flags = p->o_flags;
-        ip6_tnl_dst_reset(t);
+        dst_cache_reset(&t->dst_cache);
        ip6gre_tnl_link_config(t, set_mtu);
        return 0;
 }
@@ -1228,7 +1230,7 @@ static void ip6gre_dev_free(struct net_device *dev)
 {
        struct ip6_tnl *t = netdev_priv(dev);
-        ip6_tnl_dst_destroy(t);
+        dst_cache_destroy(&t->dst_cache);
        free_percpu(dev->tstats);
        free_netdev(dev);
 }
@@ -1266,7 +1268,7 @@ static int ip6gre_tunnel_init_common(struct net_device *dev)
        if (!dev->tstats)
                return -ENOMEM;
-        ret = ip6_tnl_dst_init(tunnel);
+        ret = dst_cache_init(&tunnel->dst_cache, GFP_KERNEL);
        if (ret) {
                free_percpu(dev->tstats);
                dev->tstats = NULL;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index b809958f7388..0feede45bd28 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -148,7 +148,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
                            !(IP6CB(skb)->flags & IP6SKB_REROUTED));
 }
-static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
+bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
 {
        if (!np->autoflowlabel_set)
                return ip6_default_np_autolabel(net);
@@ -340,6 +340,10 @@ static int ip6_forward_proxy_check(struct sk_buff *skb)
 static inline int ip6_forward_finish(struct net *net, struct sock *sk,
                                     struct sk_buff *skb)
 {
+        struct dst_entry *dst = skb_dst(skb);
+        IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
+        IP6_ADD_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
        skb_sender_cpu_clear(skb);
        return dst_output(net, sk, skb);
 }
@@ -534,8 +538,6 @@ int ip6_forward(struct sk_buff *skb)
        hdr->hop_limit--;
-        IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
-        IP6_ADD_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
        return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD,
                       net, NULL, skb, skb->dev, dst->dev,
                       ip6_forward_finish);
@@ -557,6 +559,8 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        to->dev = from->dev;
        to->mark = from->mark;
+        skb_copy_hash(to, from);
 #ifdef CONFIG_NET_SCHED
        to->tc_index = from->tc_index;
 #endif
@@ -1246,14 +1250,16 @@ static int ip6_setup_cork(struct sock *sk, struct inet_cork_full *cork,
        v6_cork->tclass = tclass;
        if (rt->dst.flags & DST_XFRM_TUNNEL)
                mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
-                      rt->dst.dev->mtu : dst_mtu(&rt->dst);
+                      READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst);
        else
                mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
-                      rt->dst.dev->mtu : dst_mtu(rt->dst.path);
+                      READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path);
        if (np->frag_size < mtu) {
                if (np->frag_size)
                        mtu = np->frag_size;
        }
+        if (mtu < IPV6_MIN_MTU)
+                return -EINVAL;
        cork->base.fragsize = mtu;
        if (dst_allfrag(rt->dst.path))
                cork->base.flags |= IPCORK_ALLFRAG;
@@ -1274,7 +1280,7 @@ static int __ip6_append_data(struct sock *sk,
                             unsigned int flags, int dontfrag)
 {
        struct sk_buff *skb, *skb_prev = NULL;
-        unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu;
+        unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, pmtu;
        int exthdrlen = 0;
        int dst_exthdrlen = 0;
        int hh_len;
@@ -1310,6 +1316,12 @@ static int __ip6_append_data(struct sock *sk,
                      sizeof(struct frag_hdr) : 0) +
                     rt->rt6i_nfheader_len;
+        /* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
+         * the first fragment
+         */
+        if (headersize + transhdrlen > mtu)
+                goto emsgsize;
        if (cork->length + length > mtu - headersize && dontfrag &&
            (sk->sk_protocol == IPPROTO_UDP ||
             sk->sk_protocol == IPPROTO_RAW)) {
@@ -1325,9 +1337,8 @@ static int __ip6_append_data(struct sock *sk,
        if (cork->length + length > maxnonfragsize - headersize) {
 emsgsize:
-                ipv6_local_error(sk, EMSGSIZE, fl6,
+                pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
-                                 mtu - headersize +
+                ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
-                                 sizeof(struct ipv6hdr));
                return -EMSGSIZE;
        }
@@ -1520,7 +1531,8 @@ alloc_new_skb:
                if (copy > length)
                        copy = length;
-                if (!(rt->dst.dev->features&NETIF_F_SG)) {
+                if (!(rt->dst.dev->features&NETIF_F_SG) &&
+                    skb_tailroom(skb) >= copy) {
                        unsigned int off;
                        off = skb->len;
@@ -1783,6 +1795,7 @@ struct sk_buff *ip6_make_skb(struct sock *sk,
        cork.base.flags = 0;
        cork.base.addr = 0;
        cork.base.opt = NULL;
+        cork.base.dst = NULL;
        v6_cork.opt = NULL;
        err = ip6_setup_cork(sk, &cork, &v6_cork, hlimit, tclass, opt, rt, fl6);
        if (err) {
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index a7170a23ab0b..e8f21dd520b2 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -122,97 +122,6 @@ static struct net_device_stats *ip6_get_stats(struct net_device *dev)
        return &dev->stats;
 }
-/*
- * Locking : hash tables are protected by RCU and RTNL
- */
-static void ip6_tnl_per_cpu_dst_set(struct ip6_tnl_dst *idst,
-                                    struct dst_entry *dst)
-{
-        write_seqlock_bh(&idst->lock);
-        dst_release(rcu_dereference_protected(
-                            idst->dst,
-                            lockdep_is_held(&idst->lock.lock)));
-        if (dst) {
-                dst_hold(dst);
-                idst->cookie = rt6_get_cookie((struct rt6_info *)dst);
-        } else {
-                idst->cookie = 0;
-        }
-        rcu_assign_pointer(idst->dst, dst);
-        write_sequnlock_bh(&idst->lock);
-}
-struct dst_entry *ip6_tnl_dst_get(struct ip6_tnl *t)
-{
-        struct ip6_tnl_dst *idst;
-        struct dst_entry *dst;
-        unsigned int seq;
-        u32 cookie;
-        idst = raw_cpu_ptr(t->dst_cache);
-        rcu_read_lock();
-        do {
-                seq = read_seqbegin(&idst->lock);
-                dst = rcu_dereference(idst->dst);
-                cookie = idst->cookie;
-        } while (read_seqretry(&idst->lock, seq));
-        if (dst && !atomic_inc_not_zero(&dst->__refcnt))
-                dst = NULL;
-        rcu_read_unlock();
-        if (dst && dst->obsolete && !dst->ops->check(dst, cookie)) {
-                ip6_tnl_per_cpu_dst_set(idst, NULL);
-                dst_release(dst);
-                dst = NULL;
-        }
-        return dst;
-}
-EXPORT_SYMBOL_GPL(ip6_tnl_dst_get);
-void ip6_tnl_dst_reset(struct ip6_tnl *t)
-{
-        int i;
-        for_each_possible_cpu(i)
-                ip6_tnl_per_cpu_dst_set(per_cpu_ptr(t->dst_cache, i), NULL);
-}
-EXPORT_SYMBOL_GPL(ip6_tnl_dst_reset);
-void ip6_tnl_dst_set(struct ip6_tnl *t, struct dst_entry *dst)
-{
-        ip6_tnl_per_cpu_dst_set(raw_cpu_ptr(t->dst_cache), dst);
-}
-EXPORT_SYMBOL_GPL(ip6_tnl_dst_set);
-void ip6_tnl_dst_destroy(struct ip6_tnl *t)
-{
-        if (!t->dst_cache)
-                return;
-        ip6_tnl_dst_reset(t);
-        free_percpu(t->dst_cache);
-}
-EXPORT_SYMBOL_GPL(ip6_tnl_dst_destroy);
-int ip6_tnl_dst_init(struct ip6_tnl *t)
-{
-        int i;
-        t->dst_cache = alloc_percpu(struct ip6_tnl_dst);
-        if (!t->dst_cache)
-                return -ENOMEM;
-        for_each_possible_cpu(i)
-                seqlock_init(&per_cpu_ptr(t->dst_cache, i)->lock);
-        return 0;
-}
-EXPORT_SYMBOL_GPL(ip6_tnl_dst_init);
 /**
 * ip6_tnl_lookup - fetch tunnel matching the end-point addresses
 *   @remote: the address of the tunnel exit-point
@@ -331,7 +240,7 @@ static void ip6_dev_free(struct net_device *dev)
 {
        struct ip6_tnl *t = netdev_priv(dev);
-        ip6_tnl_dst_destroy(t);
+        dst_cache_destroy(&t->dst_cache);
        free_percpu(dev->tstats);
        free_netdev(dev);
 }
@@ -377,13 +286,16 @@ static struct ip6_tnl *ip6_tnl_create(struct net *net, struct __ip6_tnl_parm *p)
        struct net_device *dev;
        struct ip6_tnl *t;
        char name[IFNAMSIZ];
-        int err = -ENOMEM;
+        int err = -E2BIG;
-        if (p->name[0])
+        if (p->name[0]) {
+                if (!dev_valid_name(p->name))
+                        goto failed;
                strlcpy(name, p->name, IFNAMSIZ);
-        else
+        } else {
                sprintf(name, "ip6tnl%%d");
+        }
+        err = -ENOMEM;
        dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
                           ip6_tnl_dev_setup);
        if (!dev)
@@ -464,7 +376,7 @@ ip6_tnl_dev_uninit(struct net_device *dev)
                RCU_INIT_POINTER(ip6n->tnls_wc[0], NULL);
        else
                ip6_tnl_unlink(ip6n, t);
-        ip6_tnl_dst_reset(t);
+        dst_cache_reset(&t->dst_cache);
        dev_put(dev);
 }
@@ -1053,7 +965,6 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
        struct ipv6_tel_txoption opt;
        struct dst_entry *dst = NULL, *ndst = NULL;
        struct net_device *tdev;
-        bool use_cache = false;
        int mtu;
        unsigned int max_headroom = sizeof(struct ipv6hdr);
        u8 proto;
@@ -1061,39 +972,28 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
        /* NBMA tunnel */
        if (ipv6_addr_any(&t->parms.raddr)) {
-                if (skb->protocol == htons(ETH_P_IPV6)) {
+                struct in6_addr *addr6;
-                        struct in6_addr *addr6;
+                struct neighbour *neigh;
-                        struct neighbour *neigh;
+                int addr_type;
-                        int addr_type;
-                        if (!skb_dst(skb))
+                if (!skb_dst(skb))
-                                goto tx_err_link_failure;
+                        goto tx_err_link_failure;
-                        neigh = dst_neigh_lookup(skb_dst(skb),
-                                                 &ipv6_hdr(skb)->daddr);
-                        if (!neigh)
-                                goto tx_err_link_failure;
-                        addr6 = (struct in6_addr *)&neigh->primary_key;
+                neigh = dst_neigh_lookup(skb_dst(skb),
-                        addr_type = ipv6_addr_type(addr6);
+                                         &ipv6_hdr(skb)->daddr);
+                if (!neigh)
+                        goto tx_err_link_failure;
-                        if (addr_type == IPV6_ADDR_ANY)
+                addr6 = (struct in6_addr *)&neigh->primary_key;
-                                addr6 = &ipv6_hdr(skb)->daddr;
+                addr_type = ipv6_addr_type(addr6);
-                        memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
+                if (addr_type == IPV6_ADDR_ANY)
-                        neigh_release(neigh);
+                        addr6 = &ipv6_hdr(skb)->daddr;
-                }
-        } else if (t->parms.proto != 0 && !(t->parms.flags &
-                                            (IP6_TNL_F_USE_ORIG_TCLASS |
-                                             IP6_TNL_F_USE_ORIG_FWMARK))) {
-                /* enable the cache only if neither the outer protocol nor the
-                 * routing decision depends on the current inner header value
-                 */
-                use_cache = true;
-        }
-        if (use_cache)
+                memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
-                dst = ip6_tnl_dst_get(t);
+                neigh_release(neigh);
+        } else if (!fl6->flowi6_mark)
+                dst = dst_cache_get(&t->dst_cache);
        if (!ip6_tnl_xmit_ctl(t, &fl6->saddr, &fl6->daddr))
                goto tx_err_link_failure;
@@ -1156,8 +1056,8 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
                skb = new_skb;
        }
-        if (use_cache && ndst)
+        if (!fl6->flowi6_mark && ndst)
-                ip6_tnl_dst_set(t, ndst);
+                dst_cache_set_ip6(&t->dst_cache, ndst, &fl6->saddr);
        skb_dst_set(skb, dst);
        skb->transport_header = skb->network_header;
@@ -1392,7 +1292,7 @@ ip6_tnl_change(struct ip6_tnl *t, const struct __ip6_tnl_parm *p)
        t->parms.flowinfo = p->flowinfo;
        t->parms.link = p->link;
        t->parms.proto = p->proto;
-        ip6_tnl_dst_reset(t);
+        dst_cache_reset(&t->dst_cache);
        ip6_tnl_link_config(t);
        return 0;
 }
@@ -1663,7 +1563,7 @@ ip6_tnl_dev_init_gen(struct net_device *dev)
        if (!dev->tstats)
                return -ENOMEM;
-        ret = ip6_tnl_dst_init(t);
+        ret = dst_cache_init(&t->dst_cache, GFP_KERNEL);
        if (ret) {
                free_percpu(dev->tstats);
                dev->tstats = NULL;
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 24dfc2de0165..40bb7a5e6d47 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -212,10 +212,13 @@ static struct ip6_tnl *vti6_tnl_create(struct net *net, struct __ip6_tnl_parm *p
        char name[IFNAMSIZ];
        int err;
-        if (p->name[0])
+        if (p->name[0]) {
+                if (!dev_valid_name(p->name))
+                        goto failed;
                strlcpy(name, p->name, IFNAMSIZ);
-        else
+        } else {
                sprintf(name, "ip6_vti%%d");
+        }
        dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup);
        if (!dev)
@@ -645,7 +648,7 @@ vti6_tnl_change(struct ip6_tnl *t, const struct __ip6_tnl_parm *p)
        t->parms.i_key = p->i_key;
        t->parms.o_key = p->o_key;
        t->parms.proto = p->proto;
-        ip6_tnl_dst_reset(t);
+        dst_cache_reset(&t->dst_cache);
        vti6_link_config(t);
        return 0;
 }
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 8361d73ab653..9b92960f024d 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -495,6 +495,7 @@ static void *ipmr_mfc_seq_start(struct seq_file *seq, loff_t *pos)
                return ERR_PTR(-ENOENT);
        it->mrt = mrt;
+        it->cache = NULL;
        return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1)
                : SEQ_START_TOKEN;
 }
@@ -1786,7 +1787,8 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                ret = 0;
                if (!ip6mr_new_table(net, v))
                        ret = -ENOMEM;
-                raw6_sk(sk)->ip6mr_table = v;
+                else
+                        raw6_sk(sk)->ip6mr_table = v;
                rtnl_unlock();
                return ret;
        }
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 435e26210587..8d11a034ca3f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -905,12 +905,8 @@ int ipv6_setsockopt(struct sock *sk, int level, int optname,
 #ifdef CONFIG_NETFILTER
        /* we need to exclude all possible ENOPROTOOPTs except default case */
        if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
-                        optname != IPV6_XFRM_POLICY) {
+                        optname != IPV6_XFRM_POLICY)
-                lock_sock(sk);
+                err = nf_setsockopt(sk, PF_INET6, optname, optval, optlen);
-                err = nf_setsockopt(sk, PF_INET6, optname, optval,
-                                optlen);
-                release_sock(sk);
-        }
 #endif
        return err;
 }
@@ -940,12 +936,9 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
 #ifdef CONFIG_NETFILTER
        /* we need to exclude all possible ENOPROTOOPTs except default case */
        if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
-            optname != IPV6_XFRM_POLICY) {
+            optname != IPV6_XFRM_POLICY)
-                lock_sock(sk);
+                err = compat_nf_setsockopt(sk, PF_INET6, optname, optval,
-                err = compat_nf_setsockopt(sk, PF_INET6, optname,
+                                           optlen);
-                                           optval, optlen);
-                release_sock(sk);
-        }
 #endif
        return err;
 }
@@ -1313,7 +1306,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
                break;
        case IPV6_AUTOFLOWLABEL:
-                val = np->autoflowlabel;
+                val = ip6_autoflowlabel(sock_net(sk), np);
                break;
        default:
@@ -1347,10 +1340,7 @@ int ipv6_getsockopt(struct sock *sk, int level, int optname,
                if (get_user(len, optlen))
                        return -EFAULT;
-                lock_sock(sk);
+                err = nf_getsockopt(sk, PF_INET6, optname, optval, &len);
-                err = nf_getsockopt(sk, PF_INET6, optname, optval,
-                                &len);
-                release_sock(sk);
                if (err >= 0)
                        err = put_user(len, optlen);
        }
@@ -1389,10 +1379,7 @@ int compat_ipv6_getsockopt(struct sock *sk, int level, int optname,
                if (get_user(len, optlen))
                        return -EFAULT;
-                lock_sock(sk);
+                err = compat_nf_getsockopt(sk, PF_INET6, optname, optval, &len);
-                err = compat_nf_getsockopt(sk, PF_INET6,
-                                           optname, optval, &len);
-                release_sock(sk);
                if (err >= 0)
                        err = put_user(len, optlen);
        }
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 84afb9a77278..3db8d7d1a986 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1478,7 +1478,8 @@ static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
        *(opt++) = (rd_len >> 3);
        opt += 6;
-        memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
+        skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
+                      rd_len - 8);
 }
 void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
@@ -1686,6 +1687,8 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event,
        case NETDEV_CHANGEADDR:
                neigh_changeaddr(&nd_tbl, dev);
                fib6_run_gc(0, net, false);
+                /* fallthrough */
+        case NETDEV_UP:
                idev = in6_dev_get(dev);
                if (!idev)
                        break;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 22f39e00bef3..6cb9e35d23ac 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -425,6 +425,10 @@ ip6t_do_table(struct sk_buff *skb,
                        }
                        if (table_base + v != ip6t_next_entry(e) &&
                            !(e->ipv6.flags & IP6T_F_GOTO)) {
+                                if (unlikely(stackidx >= private->stacksize)) {
+                                        verdict = NF_DROP;
+                                        break;
+                                }
                                jumpstack[stackidx++] = e;
                        }
@@ -455,23 +459,12 @@ ip6t_do_table(struct sk_buff *skb,
 #endif
 }
-static bool find_jump_target(const struct xt_table_info *t,
-                             const struct ip6t_entry *target)
-{
-        struct ip6t_entry *iter;
-        xt_entry_foreach(iter, t->entries, t->size) {
-                 if (iter == target)
-                        return true;
-        }
-        return false;
-}
 /* Figures out from what hook each rule can be called: returns 0 if
   there are loops.  Puts hook bitmask in comefrom. */
 static int
 mark_source_chains(const struct xt_table_info *newinfo,
-                   unsigned int valid_hooks, void *entry0)
+                   unsigned int valid_hooks, void *entry0,
+                   unsigned int *offsets)
 {
        unsigned int hook;
@@ -564,10 +557,11 @@ mark_source_chains(const struct xt_table_info *newinfo,
                                        /* This a jump; chase it. */
                                        duprintf("Jump rule %u -> %u\n",
                                                 pos, newpos);
+                                        if (!xt_find_jump_offset(offsets, newpos,
+                                                                 newinfo->number))
+                                                return 0;
                                        e = (struct ip6t_entry *)
                                                (entry0 + newpos);
-                                        if (!find_jump_target(newinfo, e))
-                                                return 0;
                                } else {
                                        /* ... this is a fallthru */
                                        newpos = pos + e->next_offset;
@@ -668,7 +662,8 @@ static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
 static int
 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
-                 unsigned int size)
+                 unsigned int size,
+                 struct xt_percpu_counter_alloc_state *alloc_state)
 {
        struct xt_entry_target *t;
        struct xt_target *target;
@@ -677,11 +672,11 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
        struct xt_mtchk_param mtpar;
        struct xt_entry_match *ematch;
-        e->counters.pcnt = xt_percpu_counter_alloc();
+        if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
-        if (IS_ERR_VALUE(e->counters.pcnt))
                return -ENOMEM;
        j = 0;
+        memset(&mtpar, 0, sizeof(mtpar));
        mtpar.net       = net;
        mtpar.table     = name;
        mtpar.entryinfo = &e->ipv6;
@@ -717,7 +712,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
                cleanup_match(ematch, net);
        }
-        xt_percpu_counter_free(e->counters.pcnt);
+        xt_percpu_counter_free(&e->counters);
        return ret;
 }
@@ -812,8 +807,7 @@ static void cleanup_entry(struct ip6t_entry *e, struct net *net)
        if (par.target->destroy != NULL)
                par.target->destroy(&par);
        module_put(par.target->me);
+        xt_percpu_counter_free(&e->counters);
-        xt_percpu_counter_free(e->counters.pcnt);
 }
 /* Checks and translates the user-supplied table segment (held in
@@ -822,7 +816,9 @@ static int
 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
                const struct ip6t_replace *repl)
 {
+        struct xt_percpu_counter_alloc_state alloc_state = { 0 };
        struct ip6t_entry *iter;
+        unsigned int *offsets;
        unsigned int i;
        int ret = 0;
@@ -836,6 +832,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
        }
        duprintf("translate_table: size %u\n", newinfo->size);
+        offsets = xt_alloc_entry_offsets(newinfo->number);
+        if (!offsets)
+                return -ENOMEM;
        i = 0;
        /* Walk through entries, checking offsets. */
        xt_entry_foreach(iter, entry0, newinfo->size) {
@@ -845,17 +844,20 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
                                                 repl->underflow,
                                                 repl->valid_hooks);
                if (ret != 0)
-                        return ret;
+                        goto out_free;
+                if (i < repl->num_entries)
+                        offsets[i] = (void *)iter - entry0;
                ++i;
                if (strcmp(ip6t_get_target(iter)->u.user.name,
                    XT_ERROR_TARGET) == 0)
                        ++newinfo->stacksize;
        }
+        ret = -EINVAL;
        if (i != repl->num_entries) {
                duprintf("translate_table: %u not %u entries\n",
                         i, repl->num_entries);
-                return -EINVAL;
+                goto out_free;
        }
        /* Check hooks all assigned */
@@ -866,22 +868,26 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
                if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
                        duprintf("Invalid hook entry %u %u\n",
                                 i, repl->hook_entry[i]);
-                        return -EINVAL;
+                        goto out_free;
                }
                if (newinfo->underflow[i] == 0xFFFFFFFF) {
                        duprintf("Invalid underflow %u %u\n",
                                 i, repl->underflow[i]);
-                        return -EINVAL;
+                        goto out_free;
                }
        }
-        if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
+        if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
-                return -ELOOP;
+                ret = -ELOOP;
+                goto out_free;
+        }
+        kvfree(offsets);
        /* Finally, each sanity check must pass */
        i = 0;
        xt_entry_foreach(iter, entry0, newinfo->size) {
-                ret = find_check_entry(iter, net, repl->name, repl->size);
+                ret = find_check_entry(iter, net, repl->name, repl->size,
+                                       &alloc_state);
                if (ret != 0)
                        break;
                ++i;
@@ -897,6 +903,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
        }
        return ret;
+ out_free:
+        kvfree(offsets);
+        return ret;
 }
 static void
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 1aa5848764a7..aa051d9d4a96 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -226,20 +226,27 @@ static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
 static int
 ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len)
 {
-        const struct inet_sock *inet = inet_sk(sk);
+        struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
        const struct ipv6_pinfo *inet6 = inet6_sk(sk);
+        const struct inet_sock *inet = inet_sk(sk);
        const struct nf_conntrack_tuple_hash *h;
        struct sockaddr_in6 sin6;
-        struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
        struct nf_conn *ct;
+        __be32 flow_label;
+        int bound_dev_if;
+        lock_sock(sk);
        tuple.src.u3.in6 = sk->sk_v6_rcv_saddr;
        tuple.src.u.tcp.port = inet->inet_sport;
        tuple.dst.u3.in6 = sk->sk_v6_daddr;
        tuple.dst.u.tcp.port = inet->inet_dport;
        tuple.dst.protonum = sk->sk_protocol;
+        bound_dev_if = sk->sk_bound_dev_if;
+        flow_label = inet6->flow_label;
+        release_sock(sk);
-        if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP)
+        if (tuple.dst.protonum != IPPROTO_TCP &&
+            tuple.dst.protonum != IPPROTO_SCTP)
                return -ENOPROTOOPT;
        if (*len < 0 || (unsigned int) *len < sizeof(sin6))
@@ -257,14 +264,13 @@ ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len)
        sin6.sin6_family = AF_INET6;
        sin6.sin6_port = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.tcp.port;
-        sin6.sin6_flowinfo = inet6->flow_label & IPV6_FLOWINFO_MASK;
+        sin6.sin6_flowinfo = flow_label & IPV6_FLOWINFO_MASK;
        memcpy(&sin6.sin6_addr,
                &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.in6,
                                        sizeof(sin6.sin6_addr));
        nf_ct_put(ct);
-        sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr,
+        sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr, bound_dev_if);
-                                                 sk->sk_bound_dev_if);
        return copy_to_user(user, &sin6, sizeof(sin6)) ? -EFAULT : 0;
 }
diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c
index 6989c70ae29f..4a84b5ad9ecb 100644
--- a/net/ipv6/netfilter/nf_dup_ipv6.c
+++ b/net/ipv6/netfilter/nf_dup_ipv6.c
@@ -33,6 +33,7 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb,
        fl6.daddr = *gw;
        fl6.flowlabel = (__force __be32)(((iph->flow_lbl[0] & 0xF) << 16) |
                        (iph->flow_lbl[1] << 8) | iph->flow_lbl[2]);
+        fl6.flowi6_flags = FLOWI_FLAG_KNOWN_NH;
        dst = ip6_route_output(net, NULL, &fl6);
        if (dst->error) {
                dst_release(dst);
diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index 238e70c3f7b7..7b9c2cabd495 100644
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb,
            !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
                                target, maniptype))
                return false;
+        /* must reload, offset might have changed */
+        ipv6h = (void *)skb->data + iphdroff;
 manip_addr:
        if (maniptype == NF_NAT_MANIP_SRC)
                ipv6h->saddr = target->src.u3.in6;
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index e0f922b777e3..7117e5bef412 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -157,6 +157,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
        fl6.daddr = oip6h->saddr;
        fl6.fl6_sport = otcph->dest;
        fl6.fl6_dport = otcph->source;
+        fl6.flowi6_mark = IP6_REPLY_MARK(net, oldskb->mark);
        security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6));
        dst = ip6_route_output(net, NULL, &fl6);
        if (dst == NULL || dst->error) {
@@ -180,6 +181,8 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
        skb_dst_set(nskb, dst);
+        nskb->mark = fl6.flowi6_mark;
        skb_reserve(nskb, hh_len + dst->header_len);
        ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
                                    ip6_dst_hoplimit(dst));
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 7336a7311038..2f6d8f57fdd4 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -851,6 +851,9 @@ static struct rt6_info *ip6_pol_route_lookup(struct net *net,
        struct fib6_node *fn;
        struct rt6_info *rt;
+        if (fl6->flowi6_flags & FLOWI_FLAG_SKIP_NH_OIF)
+                flags &= ~RT6_LOOKUP_F_IFACE;
        read_lock_bh(&table->tb6_lock);
        fn = fib6_lookup(&table->tb6_root, &fl6->daddr, &fl6->saddr);
 restart:
@@ -1614,6 +1617,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
        }
        rt->dst.flags |= DST_HOST;
+        rt->dst.input = ip6_input;
        rt->dst.output  = ip6_output;
        atomic_set(&rt->dst.__refcnt, 1);
        rt->rt6i_gateway  = fl6->daddr;
@@ -2707,6 +2711,7 @@ void rt6_mtu_change(struct net_device *dev, unsigned int mtu)
 static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
        [RTA_GATEWAY]           = { .len = sizeof(struct in6_addr) },
+        [RTA_PREFSRC]           = { .len = sizeof(struct in6_addr) },
        [RTA_OIF]               = { .type = NLA_U32 },
        [RTA_IIF]               = { .type = NLA_U32 },
        [RTA_PRIORITY]          = { .type = NLA_U32 },
@@ -2715,6 +2720,7 @@ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
        [RTA_PREF]              = { .type = NLA_U8 },
        [RTA_ENCAP_TYPE]        = { .type = NLA_U16 },
        [RTA_ENCAP]             = { .type = NLA_NESTED },
+        [RTA_TABLE]             = { .type = NLA_U32 },
 };
 static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index b7ea5eaa4fd1..11282ffca567 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -176,7 +176,7 @@ static void ipip6_tunnel_clone_6rd(struct net_device *dev, struct sit_net *sitn)
 #ifdef CONFIG_IPV6_SIT_6RD
        struct ip_tunnel *t = netdev_priv(dev);
-        if (t->dev == sitn->fb_tunnel_dev) {
+        if (dev == sitn->fb_tunnel_dev) {
                ipv6_addr_set(&t->ip6rd.prefix, htonl(0x20020000), 0, 0, 0);
                t->ip6rd.relay_prefix = 0;
                t->ip6rd.prefixlen = 16;
@@ -244,11 +244,13 @@ static struct ip_tunnel *ipip6_tunnel_locate(struct net *net,
        if (!create)
                goto failed;
-        if (parms->name[0])
+        if (parms->name[0]) {
+                if (!dev_valid_name(parms->name))
+                        goto failed;
                strlcpy(name, parms->name, IFNAMSIZ);
-        else
+        } else {
                strcpy(name, "sit%d");
+        }
        dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
                           ipip6_tunnel_setup);
        if (!dev)
@@ -475,7 +477,7 @@ static void ipip6_tunnel_uninit(struct net_device *dev)
                ipip6_tunnel_unlink(sitn, tunnel);
                ipip6_tunnel_del_prl(tunnel, NULL);
        }
-        ip_tunnel_dst_reset_all(tunnel);
+        dst_cache_reset(&tunnel->dst_cache);
        dev_put(dev);
 }
@@ -1098,7 +1100,7 @@ static void ipip6_tunnel_update(struct ip_tunnel *t, struct ip_tunnel_parm *p)
                t->parms.link = p->link;
                ipip6_tunnel_bind_dev(t->dev);
        }
-        ip_tunnel_dst_reset_all(t);
+        dst_cache_reset(&t->dst_cache);
        netdev_state_change(t->dev);
 }
@@ -1129,7 +1131,7 @@ static int ipip6_tunnel_update_6rd(struct ip_tunnel *t,
        t->ip6rd.relay_prefix = relay_prefix;
        t->ip6rd.prefixlen = ip6rd->prefixlen;
        t->ip6rd.relay_prefixlen = ip6rd->relay_prefixlen;
-        ip_tunnel_dst_reset_all(t);
+        dst_cache_reset(&t->dst_cache);
        netdev_state_change(t->dev);
        return 0;
 }
@@ -1283,7 +1285,7 @@ ipip6_tunnel_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                        err = ipip6_tunnel_add_prl(t, &prl, cmd == SIOCCHGPRL);
                        break;
                }
-                ip_tunnel_dst_reset_all(t);
+                dst_cache_reset(&t->dst_cache);
                netdev_state_change(dev);
                break;
@@ -1344,7 +1346,7 @@ static void ipip6_dev_free(struct net_device *dev)
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
-        free_percpu(tunnel->dst_cache);
+        dst_cache_destroy(&tunnel->dst_cache);
        free_percpu(dev->tstats);
        free_netdev(dev);
 }
@@ -1377,6 +1379,7 @@ static void ipip6_tunnel_setup(struct net_device *dev)
 static int ipip6_tunnel_init(struct net_device *dev)
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
+        int err;
        tunnel->dev = dev;
        tunnel->net = dev_net(dev);
@@ -1387,11 +1390,11 @@ static int ipip6_tunnel_init(struct net_device *dev)
        if (!dev->tstats)
                return -ENOMEM;
-        tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst);
+        err = dst_cache_init(&tunnel->dst_cache, GFP_KERNEL);
-        if (!tunnel->dst_cache) {
+        if (err) {
                free_percpu(dev->tstats);
                dev->tstats = NULL;
-                return -ENOMEM;
+                return err;
        }
        return 0;
@@ -1570,6 +1573,13 @@ static int ipip6_newlink(struct net *src_net, struct net_device *dev,
        if (err < 0)
                return err;
+        if (tb[IFLA_MTU]) {
+                u32 mtu = nla_get_u32(tb[IFLA_MTU]);
+                if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len)
+                        dev->mtu = mtu;
+        }
 #ifdef CONFIG_IPV6_SIT_6RD
        if (ipip6_netlink_6rd_parms(data, &ip6rd))
                err = ipip6_tunnel_update_6rd(nt, &ip6rd);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 74cbcc4b399c..90abe88e1b40 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1415,6 +1415,10 @@ process:
                        reqsk_put(req);
                        goto discard_it;
                }
+                if (tcp_checksum_complete(skb)) {
+                        reqsk_put(req);
+                        goto csum_error;
+                }
                if (unlikely(sk->sk_state != TCP_LISTEN)) {
                        inet_csk_reqsk_queue_drop_and_put(sk, req);
                        goto lookup;
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index c074771a10f7..1ca0c2f3d92b 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -121,7 +121,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
        struct flowi6 *fl6 = &fl->u.ip6;
        int onlyproto = 0;
        const struct ipv6hdr *hdr = ipv6_hdr(skb);
-        u16 offset = sizeof(*hdr);
+        u32 offset = sizeof(*hdr);
        struct ipv6_opt_hdr *exthdr;
        const unsigned char *nh = skb_network_header(skb);
        u16 nhoff = IP6CB(skb)->nhoff;
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 20ab7b2ec463..aeffb65181f5 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -2381,9 +2381,11 @@ static int afiucv_iucv_init(void)
        af_iucv_dev->driver = &af_iucv_driver;
        err = device_register(af_iucv_dev);
        if (err)
-                goto out_driver;
+                goto out_iucv_dev;
        return 0;
+out_iucv_dev:
+        put_device(af_iucv_dev);
 out_driver:
        driver_unregister(&af_iucv_driver);
 out_iucv:
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 6482b001f19a..3ba903ff2bb0 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -437,6 +437,24 @@ static int verify_address_len(const void *p)
        return 0;
 }
+static inline int sadb_key_len(const struct sadb_key *key)
+{
+        int key_bytes = DIV_ROUND_UP(key->sadb_key_bits, 8);
+        return DIV_ROUND_UP(sizeof(struct sadb_key) + key_bytes,
+                            sizeof(uint64_t));
+}
+static int verify_key_len(const void *p)
+{
+        const struct sadb_key *key = p;
+        if (sadb_key_len(key) > key->sadb_key_len)
+                return -EINVAL;
+        return 0;
+}
 static inline int pfkey_sec_ctx_len(const struct sadb_x_sec_ctx *sec_ctx)
 {
        return DIV_ROUND_UP(sizeof(struct sadb_x_sec_ctx) +
@@ -533,16 +551,25 @@ static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void *
                                return -EINVAL;
                        if (ext_hdrs[ext_type-1] != NULL)
                                return -EINVAL;
-                        if (ext_type == SADB_EXT_ADDRESS_SRC ||
+                        switch (ext_type) {
-                            ext_type == SADB_EXT_ADDRESS_DST ||
+                        case SADB_EXT_ADDRESS_SRC:
-                            ext_type == SADB_EXT_ADDRESS_PROXY ||
+                        case SADB_EXT_ADDRESS_DST:
-                            ext_type == SADB_X_EXT_NAT_T_OA) {
+                        case SADB_EXT_ADDRESS_PROXY:
+                        case SADB_X_EXT_NAT_T_OA:
                                if (verify_address_len(p))
                                        return -EINVAL;
-                        }
+                                break;
-                        if (ext_type == SADB_X_EXT_SEC_CTX) {
+                        case SADB_X_EXT_SEC_CTX:
                                if (verify_sec_ctx_len(p))
                                        return -EINVAL;
+                                break;
+                        case SADB_EXT_KEY_AUTH:
+                        case SADB_EXT_KEY_ENCRYPT:
+                                if (verify_key_len(p))
+                                        return -EINVAL;
+                                break;
+                        default:
+                                break;
                        }
                        ext_hdrs[ext_type-1] = (void *) p;
                }
@@ -1111,14 +1138,12 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
        key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
        if (key != NULL &&
            sa->sadb_sa_auth != SADB_X_AALG_NULL &&
-            ((key->sadb_key_bits+7) / 8 == 0 ||
+            key->sadb_key_bits == 0)
-             (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
                return ERR_PTR(-EINVAL);
        key = ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];
        if (key != NULL &&
            sa->sadb_sa_encrypt != SADB_EALG_NULL &&
-            ((key->sadb_key_bits+7) / 8 == 0 ||
+            key->sadb_key_bits == 0)
-             (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
                return ERR_PTR(-EINVAL);
        x = xfrm_state_alloc(net);
@@ -3305,7 +3330,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
                p += pol->sadb_x_policy_len*8;
                sec_ctx = (struct sadb_x_sec_ctx *)p;
                if (len < pol->sadb_x_policy_len*8 +
-                    sec_ctx->sadb_x_sec_len) {
+                    sec_ctx->sadb_x_sec_len*8) {
                        *dir = -EINVAL;
                        goto out;
                }
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index ec8f6a6485e3..92df832a1896 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1518,9 +1518,14 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
                encap = cfg->encap;
        /* Quick sanity checks */
+        err = -EPROTONOSUPPORT;
+        if (sk->sk_type != SOCK_DGRAM) {
+                pr_debug("tunl %hu: fd %d wrong socket type\n",
+                         tunnel_id, fd);
+                goto err;
+        }
        switch (encap) {
        case L2TP_ENCAPTYPE_UDP:
-                err = -EPROTONOSUPPORT;
                if (sk->sk_protocol != IPPROTO_UDP) {
                        pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
                               tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
@@ -1528,7 +1533,6 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
                }
                break;
        case L2TP_ENCAPTYPE_IP:
-                err = -EPROTONOSUPPORT;
                if (sk->sk_protocol != IPPROTO_L2TP) {
                        pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
                               tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 67f2e72723b2..2764c4bd072c 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -606,6 +606,13 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
        lock_sock(sk);
        error = -EINVAL;
+        if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) &&
+            sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) &&
+            sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) &&
+            sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6))
+                goto end;
        if (sp->sa_protocol != PX_PROTO_OL2TP)
                goto end;
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index bb8edb9ef506..83e8a295c806 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -197,9 +197,19 @@ static int llc_ui_release(struct socket *sock)
                llc->laddr.lsap, llc->daddr.lsap);
        if (!llc_send_disc(sk))
                llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
-        if (!sock_flag(sk, SOCK_ZAPPED))
+        if (!sock_flag(sk, SOCK_ZAPPED)) {
+                struct llc_sap *sap = llc->sap;
+                /* Hold this for release_sock(), so that llc_backlog_rcv()
+                 * could still use it.
+                 */
+                llc_sap_hold(sap);
                llc_sap_remove_socket(llc->sap, sk);
-        release_sock(sk);
+                release_sock(sk);
+                llc_sap_put(sap);
+        } else {
+                release_sock(sk);
+        }
        if (llc->dev)
                dev_put(llc->dev);
        sock_put(sk);
@@ -309,6 +319,8 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
        int rc = -EINVAL;
        dprintk("%s: binding %02X\n", __func__, addr->sllc_sap);
+        lock_sock(sk);
        if (unlikely(!sock_flag(sk, SOCK_ZAPPED) || addrlen != sizeof(*addr)))
                goto out;
        rc = -EAFNOSUPPORT;
@@ -380,6 +392,7 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
 out_put:
        llc_sap_put(sap);
 out:
+        release_sock(sk);
        return rc;
 }
@@ -913,6 +926,9 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
        if (size > llc->dev->mtu)
                size = llc->dev->mtu;
        copied = size - hdrlen;
+        rc = -EINVAL;
+        if (copied < 0)
+                goto release;
        release_sock(sk);
        skb = sock_alloc_send_skb(sk, size, noblock, &rc);
        lock_sock(sk);
diff --git a/net/llc/llc_c_ac.c b/net/llc/llc_c_ac.c
index ea225bd2672c..4b60f68cb492 100644
--- a/net/llc/llc_c_ac.c
+++ b/net/llc/llc_c_ac.c
@@ -389,7 +389,7 @@ static int llc_conn_ac_send_i_cmd_p_set_0(struct sock *sk, struct sk_buff *skb)
        llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR);
        rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
        if (likely(!rc)) {
-                llc_conn_send_pdu(sk, skb);
+                rc = llc_conn_send_pdu(sk, skb);
                llc_conn_ac_inc_vs_by_1(sk, skb);
        }
        return rc;
@@ -916,7 +916,7 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk,
        llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR);
        rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
        if (likely(!rc)) {
-                llc_conn_send_pdu(sk, skb);
+                rc = llc_conn_send_pdu(sk, skb);
                llc_conn_ac_inc_vs_by_1(sk, skb);
        }
        return rc;
@@ -935,14 +935,17 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk,
 int llc_conn_ac_send_i_as_ack(struct sock *sk, struct sk_buff *skb)
 {
        struct llc_sock *llc = llc_sk(sk);
+        int ret;
        if (llc->ack_must_be_send) {
-                llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb);
+                ret = llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb);
                llc->ack_must_be_send = 0 ;
                llc->ack_pf = 0;
-        } else
+        } else {
-                llc_conn_ac_send_i_cmd_p_set_0(sk, skb);
+                ret = llc_conn_ac_send_i_cmd_p_set_0(sk, skb);
-        return 0;
+        }
+        return ret;
 }
 /**
@@ -1096,14 +1099,7 @@ int llc_conn_ac_inc_tx_win_size(struct sock *sk, struct sk_buff *skb)
 int llc_conn_ac_stop_all_timers(struct sock *sk, struct sk_buff *skb)
 {
-        struct llc_sock *llc = llc_sk(sk);
+        llc_sk_stop_all_timers(sk, false);
-        del_timer(&llc->pf_cycle_timer.timer);
-        del_timer(&llc->ack_timer.timer);
-        del_timer(&llc->rej_sent_timer.timer);
-        del_timer(&llc->busy_state_timer.timer);
-        llc->ack_must_be_send = 0;
-        llc->ack_pf = 0;
        return 0;
 }
diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 8bc5a1bd2d45..79c346fd859b 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -30,7 +30,7 @@
 #endif
 static int llc_find_offset(int state, int ev_type);
-static void llc_conn_send_pdus(struct sock *sk);
+static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb);
 static int llc_conn_service(struct sock *sk, struct sk_buff *skb);
 static int llc_exec_conn_trans_actions(struct sock *sk,
                                       struct llc_conn_state_trans *trans,
@@ -193,11 +193,11 @@ out_skb_put:
        return rc;
 }
-void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
+int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
 {
        /* queue PDU to send to MAC layer */
        skb_queue_tail(&sk->sk_write_queue, skb);
-        llc_conn_send_pdus(sk);
+        return llc_conn_send_pdus(sk, skb);
 }
 /**
@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit)
        if (howmany_resend > 0)
                llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
        /* any PDUs to re-send are queued up; start sending to MAC */
-        llc_conn_send_pdus(sk);
+        llc_conn_send_pdus(sk, NULL);
 out:;
 }
@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit)
        if (howmany_resend > 0)
                llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
        /* any PDUs to re-send are queued up; start sending to MAC */
-        llc_conn_send_pdus(sk);
+        llc_conn_send_pdus(sk, NULL);
 out:;
 }
@@ -340,12 +340,16 @@ out:
 /**
 *      llc_conn_send_pdus - Sends queued PDUs
 *      @sk: active connection
+ *      @hold_skb: the skb held by caller, or NULL if does not care
 *
- *      Sends queued pdus to MAC layer for transmission.
+ *      Sends queued pdus to MAC layer for transmission. When @hold_skb is
+ *      NULL, always return 0. Otherwise, return 0 if @hold_skb is sent
+ *      successfully, or 1 for failure.
 */
-static void llc_conn_send_pdus(struct sock *sk)
+static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb)
 {
        struct sk_buff *skb;
+        int ret = 0;
        while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) {
                struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb);
@@ -357,10 +361,20 @@ static void llc_conn_send_pdus(struct sock *sk)
                        skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb);
                        if (!skb2)
                                break;
-                        skb = skb2;
+                        dev_queue_xmit(skb2);
+                } else {
+                        bool is_target = skb == hold_skb;
+                        int rc;
+                        if (is_target)
+                                skb_get(skb);
+                        rc = dev_queue_xmit(skb);
+                        if (is_target)
+                                ret = rc;
                }
-                dev_queue_xmit(skb);
        }
+        return ret;
 }
 /**
@@ -951,6 +965,26 @@ out:
        return sk;
 }
+void llc_sk_stop_all_timers(struct sock *sk, bool sync)
+{
+        struct llc_sock *llc = llc_sk(sk);
+        if (sync) {
+                del_timer_sync(&llc->pf_cycle_timer.timer);
+                del_timer_sync(&llc->ack_timer.timer);
+                del_timer_sync(&llc->rej_sent_timer.timer);
+                del_timer_sync(&llc->busy_state_timer.timer);
+        } else {
+                del_timer(&llc->pf_cycle_timer.timer);
+                del_timer(&llc->ack_timer.timer);
+                del_timer(&llc->rej_sent_timer.timer);
+                del_timer(&llc->busy_state_timer.timer);
+        }
+        llc->ack_must_be_send = 0;
+        llc->ack_pf = 0;
+}
 /**
 *      llc_sk_free - Frees a LLC socket
 *      @sk - socket to free
@@ -963,7 +997,7 @@ void llc_sk_free(struct sock *sk)
        llc->state = LLC_CONN_OUT_OF_SVC;
        /* Stop all (possibly) running timers */
-        llc_conn_ac_stop_all_timers(sk, NULL);
+        llc_sk_stop_all_timers(sk, true);
 #ifdef DEBUG_LLC_CONN_ALLOC
        printk(KERN_INFO "%s: unackq=%d, txq=%d\n", __func__,
                skb_queue_len(&llc->pdu_unack_q),
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index cb6439fd62dd..b55ce0dfb742 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2943,7 +2943,7 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
        }
        if (beacon->probe_resp_len) {
                new_beacon->probe_resp_len = beacon->probe_resp_len;
-                beacon->probe_resp = pos;
+                new_beacon->probe_resp = pos;
                memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
                pos += beacon->probe_resp_len;
        }
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index bcb0a1b64556..58588a610b05 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1441,7 +1441,7 @@ static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata,
                break;
        case NL80211_IFTYPE_UNSPECIFIED:
        case NUM_NL80211_IFTYPES:
-                BUG();
+                WARN_ON(1);
                break;
        }
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index c6be0b4f4058..e68a409fc351 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -776,7 +776,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
        struct mesh_path *mpath;
        u8 ttl, flags, hopcount;
        const u8 *orig_addr;
-        u32 orig_sn, metric, metric_txsta, interval;
+        u32 orig_sn, new_metric, orig_metric, last_hop_metric, interval;
        bool root_is_gate;
        ttl = rann->rann_ttl;
@@ -787,7 +787,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
        interval = le32_to_cpu(rann->rann_interval);
        hopcount = rann->rann_hopcount;
        hopcount++;
-        metric = le32_to_cpu(rann->rann_metric);
+        orig_metric = le32_to_cpu(rann->rann_metric);
        /*  Ignore our own RANNs */
        if (ether_addr_equal(orig_addr, sdata->vif.addr))
@@ -804,7 +804,10 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
                return;
        }
-        metric_txsta = airtime_link_metric_get(local, sta);
+        last_hop_metric = airtime_link_metric_get(local, sta);
+        new_metric = orig_metric + last_hop_metric;
+        if (new_metric < orig_metric)
+                new_metric = MAX_METRIC;
        mpath = mesh_path_lookup(sdata, orig_addr);
        if (!mpath) {
@@ -817,7 +820,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
        }
        if (!(SN_LT(mpath->sn, orig_sn)) &&
-            !(mpath->sn == orig_sn && metric < mpath->rann_metric)) {
+            !(mpath->sn == orig_sn && new_metric < mpath->rann_metric)) {
                rcu_read_unlock();
                return;
        }
@@ -835,7 +838,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
        }
        mpath->sn = orig_sn;
-        mpath->rann_metric = metric + metric_txsta;
+        mpath->rann_metric = new_metric;
        mpath->is_root = true;
        /* Recording RANNs sender address to send individually
         * addressed PREQs destined for root mesh STA */
@@ -855,7 +858,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
                mesh_path_sel_frame_tx(MPATH_RANN, flags, orig_addr,
                                       orig_sn, 0, NULL, 0, broadcast_addr,
                                       hopcount, ttl, interval,
-                                       metric + metric_txsta, 0, sdata);
+                                       new_metric, 0, sdata);
        }
        rcu_read_unlock();
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 23095d5e0199..005cd8796505 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -4326,6 +4326,10 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
        if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data))
                return -EINVAL;
+        /* If a reconfig is happening, bail out */
+        if (local->in_reconfig)
+                return -EBUSY;
        if (assoc) {
                rcu_read_lock();
                have_sta = sta_info_get(sdata, cbss->bssid);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 3bcabc2ba4a6..f8406c37fc1d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3367,6 +3367,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
                }
                return true;
        case NL80211_IFTYPE_MESH_POINT:
+                if (ether_addr_equal(sdata->vif.addr, hdr->addr2))
+                        return false;
                if (multicast)
                        return true;
                return ether_addr_equal(sdata->vif.addr, hdr->addr1);
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 5bad05e9af90..45fb1abdb265 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -194,6 +194,7 @@ static void ieee80211_frame_acked(struct sta_info *sta, struct sk_buff *skb)
        }
        if (ieee80211_is_action(mgmt->frame_control) &&
+            !ieee80211_has_protected(mgmt->frame_control) &&
            mgmt->u.action.category == WLAN_CATEGORY_HT &&
            mgmt->u.action.u.ht_smps.action == WLAN_HT_ACTION_SMPS &&
            ieee80211_sdata_running(sdata)) {
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 33344f5a66a8..ec26a84b00e2 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2663,8 +2663,9 @@ u64 ieee80211_calculate_rx_timestamp(struct ieee80211_local *local,
        rate = cfg80211_calculate_bitrate(&ri);
        if (WARN_ONCE(!rate,
-                      "Invalid bitrate: flags=0x%x, idx=%d, vht_nss=%d\n",
+                      "Invalid bitrate: flags=0x%llx, idx=%d, vht_nss=%d\n",
-                      status->flag, status->rate_idx, status->vht_nss))
+                      (unsigned long long)status->flag, status->rate_idx,
+                      status->vht_nss))
                return 0;
        /* rewind from end of MPDU */
diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c
index efa3f48f1ec5..73e8f347802e 100644
--- a/net/mac80211/wep.c
+++ b/net/mac80211/wep.c
@@ -293,7 +293,8 @@ ieee80211_crypto_wep_decrypt(struct ieee80211_rx_data *rx)
                        return RX_DROP_UNUSABLE;
                ieee80211_wep_remove_iv(rx->local, rx->skb, rx->key);
                /* remove ICV */
-                if (pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN))
+                if (!(status->flag & RX_FLAG_ICV_STRIPPED) &&
+                    pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN))
                        return RX_DROP_UNUSABLE;
        }
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index e19ea1c53afa..cb439e06919f 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -298,7 +298,8 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
                return RX_DROP_UNUSABLE;
        /* Trim ICV */
-        skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN);
+        if (!(status->flag & RX_FLAG_ICV_STRIPPED))
+                skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN);
        /* Remove IV */
        memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen);
@@ -508,25 +509,31 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
            !ieee80211_is_robust_mgmt_frame(skb))
                return RX_CONTINUE;
-        data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
-        if (!rx->sta || data_len < 0)
-                return RX_DROP_UNUSABLE;
        if (status->flag & RX_FLAG_DECRYPTED) {
                if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN))
                        return RX_DROP_UNUSABLE;
+                if (status->flag & RX_FLAG_MIC_STRIPPED)
+                        mic_len = 0;
        } else {
                if (skb_linearize(rx->skb))
                        return RX_DROP_UNUSABLE;
        }
+        data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
+        if (!rx->sta || data_len < 0)
+                return RX_DROP_UNUSABLE;
        if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
+                int res;
                ccmp_hdr2pn(pn, skb->data + hdrlen);
                queue = rx->security_idx;
-                if (memcmp(pn, key->u.ccmp.rx_pn[queue],
+                res = memcmp(pn, key->u.ccmp.rx_pn[queue],
-                           IEEE80211_CCMP_PN_LEN) <= 0) {
+                             IEEE80211_CCMP_PN_LEN);
+                if (res < 0 ||
+                    (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
                        key->u.ccmp.replays++;
                        return RX_DROP_UNUSABLE;
                }
@@ -724,8 +731,7 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
        struct sk_buff *skb = rx->skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        u8 pn[IEEE80211_GCMP_PN_LEN];
-        int data_len;
+        int data_len, queue, mic_len = IEEE80211_GCMP_MIC_LEN;
-        int queue;
        hdrlen = ieee80211_hdrlen(hdr->frame_control);
@@ -733,26 +739,31 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
            !ieee80211_is_robust_mgmt_frame(skb))
                return RX_CONTINUE;
-        data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN -
-                   IEEE80211_GCMP_MIC_LEN;
-        if (!rx->sta || data_len < 0)
-                return RX_DROP_UNUSABLE;
        if (status->flag & RX_FLAG_DECRYPTED) {
                if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_GCMP_HDR_LEN))
                        return RX_DROP_UNUSABLE;
+                if (status->flag & RX_FLAG_MIC_STRIPPED)
+                        mic_len = 0;
        } else {
                if (skb_linearize(rx->skb))
                        return RX_DROP_UNUSABLE;
        }
+        data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
+        if (!rx->sta || data_len < 0)
+                return RX_DROP_UNUSABLE;
        if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
+                int res;
                gcmp_hdr2pn(pn, skb->data + hdrlen);
                queue = rx->security_idx;
-                if (memcmp(pn, key->u.gcmp.rx_pn[queue],
+                res = memcmp(pn, key->u.gcmp.rx_pn[queue],
-                           IEEE80211_GCMP_PN_LEN) <= 0) {
+                             IEEE80211_GCMP_PN_LEN);
+                if (res < 0 ||
+                    (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
                        key->u.gcmp.replays++;
                        return RX_DROP_UNUSABLE;
                }
@@ -776,7 +787,7 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
        }
        /* Remove GCMP header and MIC */
-        if (pskb_trim(skb, skb->len - IEEE80211_GCMP_MIC_LEN))
+        if (pskb_trim(skb, skb->len - mic_len))
                return RX_DROP_UNUSABLE;
        memmove(skb->data + IEEE80211_GCMP_HDR_LEN, skb->data, hdrlen);
        skb_pull(skb, IEEE80211_GCMP_HDR_LEN);
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 52cfc4478511..c2ce7dec5198 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -7,6 +7,7 @@
 #include <linux/if_arp.h>
 #include <linux/ipv6.h>
 #include <linux/mpls.h>
+#include <linux/nospec.h>
 #include <linux/vmalloc.h>
 #include <net/ip.h>
 #include <net/dst.h>
@@ -714,6 +715,22 @@ errout:
        return err;
 }
+static bool mpls_label_ok(struct net *net, unsigned int *index)
+{
+        bool is_ok = true;
+        /* Reserved labels may not be set */
+        if (*index < MPLS_LABEL_FIRST_UNRESERVED)
+                is_ok = false;
+        /* The full 20 bit range may not be supported. */
+        if (is_ok && *index >= net->mpls.platform_labels)
+                is_ok = false;
+        *index = array_index_nospec(*index, net->mpls.platform_labels);
+        return is_ok;
+}
 static int mpls_route_add(struct mpls_route_config *cfg)
 {
        struct mpls_route __rcu **platform_label;
@@ -732,12 +749,7 @@ static int mpls_route_add(struct mpls_route_config *cfg)
                index = find_free_label(net);
        }
-        /* Reserved labels may not be set */
+        if (!mpls_label_ok(net, &index))
-        if (index < MPLS_LABEL_FIRST_UNRESERVED)
-                goto errout;
-        /* The full 20 bit range may not be supported. */
-        if (index >= net->mpls.platform_labels)
                goto errout;
        /* Append makes no sense with mpls */
@@ -798,12 +810,7 @@ static int mpls_route_del(struct mpls_route_config *cfg)
        index = cfg->rc_label;
-        /* Reserved labels may not be removed */
+        if (!mpls_label_ok(net, &index))
-        if (index < MPLS_LABEL_FIRST_UNRESERVED)
-                goto errout;
-        /* The full 20 bit range may not be supported */
-        if (index >= net->mpls.platform_labels)
                goto errout;
        mpls_route_update(net, index, NULL, &cfg->rc_nlinfo);
@@ -1162,10 +1169,9 @@ static int rtm_to_route_config(struct sk_buff *skb,  struct nlmsghdr *nlh,
                                           &cfg->rc_label))
                                goto errout;
-                        /* Reserved labels may not be set */
+                        if (!mpls_label_ok(cfg->rc_nlinfo.nl_net,
-                        if (cfg->rc_label < MPLS_LABEL_FIRST_UNRESERVED)
+                                           &cfg->rc_label))
                                goto errout;
                        break;
                }
                case RTA_VIA:
diff --git a/net/netfilter/ipvs/ip_vs_app.c b/net/netfilter/ipvs/ip_vs_app.c
index 0328f7250693..299edc6add5a 100644
--- a/net/netfilter/ipvs/ip_vs_app.c
+++ b/net/netfilter/ipvs/ip_vs_app.c
@@ -605,17 +605,13 @@ static const struct file_operations ip_vs_app_fops = {
 int __net_init ip_vs_app_net_init(struct netns_ipvs *ipvs)
 {
-        struct net *net = ipvs->net;
        INIT_LIST_HEAD(&ipvs->app_list);
-        proc_create("ip_vs_app", 0, net->proc_net, &ip_vs_app_fops);
+        proc_create("ip_vs_app", 0, ipvs->net->proc_net, &ip_vs_app_fops);
        return 0;
 }
 void __net_exit ip_vs_app_net_cleanup(struct netns_ipvs *ipvs)
 {
-        struct net *net = ipvs->net;
        unregister_ip_vs_app(ipvs, NULL /* all */);
-        remove_proc_entry("ip_vs_app", net->proc_net);
+        remove_proc_entry("ip_vs_app", ipvs->net->proc_net);
 }
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 2c937c16dc27..3167ec76903a 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2349,14 +2349,12 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
                        struct ipvs_sync_daemon_cfg cfg;
                        memset(&cfg, 0, sizeof(cfg));
-                        strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+                        ret = -EINVAL;
-                                sizeof(cfg.mcast_ifn));
+                        if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
+                                    sizeof(cfg.mcast_ifn)) <= 0)
+                                goto out_dec;
                        cfg.syncid = dm->syncid;
-                        rtnl_lock();
-                        mutex_lock(&ipvs->sync_mutex);
                        ret = start_sync_thread(ipvs, &cfg, dm->state);
-                        mutex_unlock(&ipvs->sync_mutex);
-                        rtnl_unlock();
                } else {
                        mutex_lock(&ipvs->sync_mutex);
                        ret = stop_sync_thread(ipvs, dm->state);
@@ -2392,12 +2390,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
                }
        }
+        if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) &&
+            strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) ==
+            IP_VS_SCHEDNAME_MAXLEN) {
+                ret = -EINVAL;
+                goto out_unlock;
+        }
        /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
        if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
            usvc.protocol != IPPROTO_SCTP) {
-                pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
+                pr_err("set_ctl: invalid protocol: %d %pI4:%d\n",
                       usvc.protocol, &usvc.addr.ip,
-                       ntohs(usvc.port), usvc.sched_name);
+                       ntohs(usvc.port));
                ret = -EFAULT;
                goto out_unlock;
        }
@@ -2826,7 +2831,7 @@ static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
 static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
        [IPVS_DAEMON_ATTR_STATE]        = { .type = NLA_U32 },
        [IPVS_DAEMON_ATTR_MCAST_IFN]    = { .type = NLA_NUL_STRING,
-                                            .len = IP_VS_IFNAME_MAXLEN },
+                                            .len = IP_VS_IFNAME_MAXLEN - 1 },
        [IPVS_DAEMON_ATTR_SYNC_ID]      = { .type = NLA_U32 },
        [IPVS_DAEMON_ATTR_SYNC_MAXLEN]  = { .type = NLA_U16 },
        [IPVS_DAEMON_ATTR_MCAST_GROUP]  = { .type = NLA_U32 },
@@ -2844,7 +2849,7 @@ static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
        [IPVS_SVC_ATTR_PORT]            = { .type = NLA_U16 },
        [IPVS_SVC_ATTR_FWMARK]          = { .type = NLA_U32 },
        [IPVS_SVC_ATTR_SCHED_NAME]      = { .type = NLA_NUL_STRING,
-                                            .len = IP_VS_SCHEDNAME_MAXLEN },
+                                            .len = IP_VS_SCHEDNAME_MAXLEN - 1 },
        [IPVS_SVC_ATTR_PE_NAME]         = { .type = NLA_NUL_STRING,
                                            .len = IP_VS_PENAME_MAXLEN },
        [IPVS_SVC_ATTR_FLAGS]           = { .type = NLA_BINARY,
@@ -3435,12 +3440,8 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs)
        if (ipvs->mixed_address_family_dests > 0)
                return -EINVAL;
-        rtnl_lock();
-        mutex_lock(&ipvs->sync_mutex);
        ret = start_sync_thread(ipvs, &c,
                                nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
-        mutex_unlock(&ipvs->sync_mutex);
-        rtnl_unlock();
        return ret;
 }
@@ -3951,7 +3952,6 @@ static struct notifier_block ip_vs_dst_notifier = {
 int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
 {
-        struct net *net = ipvs->net;
        int i, idx;
        /* Initialize rs_table */
@@ -3978,9 +3978,9 @@ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
        spin_lock_init(&ipvs->tot_stats.lock);
-        proc_create("ip_vs", 0, net->proc_net, &ip_vs_info_fops);
+        proc_create("ip_vs", 0, ipvs->net->proc_net, &ip_vs_info_fops);
-        proc_create("ip_vs_stats", 0, net->proc_net, &ip_vs_stats_fops);
+        proc_create("ip_vs_stats", 0, ipvs->net->proc_net, &ip_vs_stats_fops);
-        proc_create("ip_vs_stats_percpu", 0, net->proc_net,
+        proc_create("ip_vs_stats_percpu", 0, ipvs->net->proc_net,
                    &ip_vs_stats_percpu_fops);
        if (ip_vs_control_net_init_sysctl(ipvs))
@@ -3995,13 +3995,11 @@ err:
 void __net_exit ip_vs_control_net_cleanup(struct netns_ipvs *ipvs)
 {
-        struct net *net = ipvs->net;
        ip_vs_trash_cleanup(ipvs);
        ip_vs_control_net_cleanup_sysctl(ipvs);
-        remove_proc_entry("ip_vs_stats_percpu", net->proc_net);
+        remove_proc_entry("ip_vs_stats_percpu", ipvs->net->proc_net);
-        remove_proc_entry("ip_vs_stats", net->proc_net);
+        remove_proc_entry("ip_vs_stats", ipvs->net->proc_net);
-        remove_proc_entry("ip_vs", net->proc_net);
+        remove_proc_entry("ip_vs", ipvs->net->proc_net);
        free_percpu(ipvs->tot_stats.cpustats);
 }
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index 1b07578bedf3..cec7234b7a1d 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -48,6 +48,7 @@
 #include <linux/kthread.h>
 #include <linux/wait.h>
 #include <linux/kernel.h>
+#include <linux/sched.h>
 #include <asm/unaligned.h>              /* Used for ntoh_seq and hton_seq */
@@ -1356,15 +1357,9 @@ static void set_mcast_pmtudisc(struct sock *sk, int val)
 /*
 *      Specifiy default interface for outgoing multicasts
 */
-static int set_mcast_if(struct sock *sk, char *ifname)
+static int set_mcast_if(struct sock *sk, struct net_device *dev)
 {
-        struct net_device *dev;
        struct inet_sock *inet = inet_sk(sk);
-        struct net *net = sock_net(sk);
-        dev = __dev_get_by_name(net, ifname);
-        if (!dev)
-                return -ENODEV;
        if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
                return -EINVAL;
@@ -1392,19 +1387,14 @@ static int set_mcast_if(struct sock *sk, char *ifname)
 *      in the in_addr structure passed in as a parameter.
 */
 static int
-join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
+join_mcast_group(struct sock *sk, struct in_addr *addr, struct net_device *dev)
 {
-        struct net *net = sock_net(sk);
        struct ip_mreqn mreq;
-        struct net_device *dev;
        int ret;
        memset(&mreq, 0, sizeof(mreq));
        memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr));
-        dev = __dev_get_by_name(net, ifname);
-        if (!dev)
-                return -ENODEV;
        if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
                return -EINVAL;
@@ -1419,15 +1409,10 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
 #ifdef CONFIG_IP_VS_IPV6
 static int join_mcast_group6(struct sock *sk, struct in6_addr *addr,
-                             char *ifname)
+                             struct net_device *dev)
 {
-        struct net *net = sock_net(sk);
-        struct net_device *dev;
        int ret;
-        dev = __dev_get_by_name(net, ifname);
-        if (!dev)
-                return -ENODEV;
        if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
                return -EINVAL;
@@ -1439,24 +1424,18 @@ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr,
 }
 #endif
-static int bind_mcastif_addr(struct socket *sock, char *ifname)
+static int bind_mcastif_addr(struct socket *sock, struct net_device *dev)
 {
-        struct net *net = sock_net(sock->sk);
-        struct net_device *dev;
        __be32 addr;
        struct sockaddr_in sin;
-        dev = __dev_get_by_name(net, ifname);
-        if (!dev)
-                return -ENODEV;
        addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE);
        if (!addr)
                pr_err("You probably need to specify IP address on "
                       "multicast interface.\n");
        IP_VS_DBG(7, "binding socket with (%s) %pI4\n",
-                  ifname, &addr);
+                  dev->name, &addr);
        /* Now bind the socket with the address of multicast interface */
        sin.sin_family       = AF_INET;
@@ -1489,7 +1468,8 @@ static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen,
 /*
 *      Set up sending multicast socket over UDP
 */
-static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+static int make_send_sock(struct netns_ipvs *ipvs, int id,
+                          struct net_device *dev, struct socket **sock_ret)
 {
        /* multicast addr */
        union ipvs_sockaddr mcast_addr;
@@ -1501,9 +1481,10 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
                                  IPPROTO_UDP, &sock);
        if (result < 0) {
                pr_err("Error during creation of socket; terminating\n");
-                return ERR_PTR(result);
+                goto error;
        }
-        result = set_mcast_if(sock->sk, ipvs->mcfg.mcast_ifn);
+        *sock_ret = sock;
+        result = set_mcast_if(sock->sk, dev);
        if (result < 0) {
                pr_err("Error setting outbound mcast interface\n");
                goto error;
@@ -1518,7 +1499,7 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
                set_sock_size(sock->sk, 1, result);
        if (AF_INET == ipvs->mcfg.mcast_af)
-                result = bind_mcastif_addr(sock, ipvs->mcfg.mcast_ifn);
+                result = bind_mcastif_addr(sock, dev);
        else
                result = 0;
        if (result < 0) {
@@ -1534,19 +1515,18 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
                goto error;
        }
-        return sock;
+        return 0;
 error:
-        sock_release(sock);
+        return result;
-        return ERR_PTR(result);
 }
 /*
 *      Set up receiving multicast socket over UDP
 */
-static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+static int make_receive_sock(struct netns_ipvs *ipvs, int id,
-                                        int ifindex)
+                             struct net_device *dev, struct socket **sock_ret)
 {
        /* multicast addr */
        union ipvs_sockaddr mcast_addr;
@@ -1558,8 +1538,9 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
                                  IPPROTO_UDP, &sock);
        if (result < 0) {
                pr_err("Error during creation of socket; terminating\n");
-                return ERR_PTR(result);
+                goto error;
        }
+        *sock_ret = sock;
        /* it is equivalent to the REUSEADDR option in user-space */
        sock->sk->sk_reuse = SK_CAN_REUSE;
        result = sysctl_sync_sock_size(ipvs);
@@ -1567,7 +1548,7 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
                set_sock_size(sock->sk, 0, result);
        get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id);
-        sock->sk->sk_bound_dev_if = ifindex;
+        sock->sk->sk_bound_dev_if = dev->ifindex;
        result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen);
        if (result < 0) {
                pr_err("Error binding to the multicast addr\n");
@@ -1578,21 +1559,20 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
 #ifdef CONFIG_IP_VS_IPV6
        if (ipvs->bcfg.mcast_af == AF_INET6)
                result = join_mcast_group6(sock->sk, &mcast_addr.in6.sin6_addr,
-                                           ipvs->bcfg.mcast_ifn);
+                                           dev);
        else
 #endif
                result = join_mcast_group(sock->sk, &mcast_addr.in.sin_addr,
-                                          ipvs->bcfg.mcast_ifn);
+                                          dev);
        if (result < 0) {
                pr_err("Error joining to the multicast group\n");
                goto error;
        }
-        return sock;
+        return 0;
 error:
-        sock_release(sock);
+        return result;
-        return ERR_PTR(result);
 }
@@ -1777,13 +1757,12 @@ static int sync_thread_backup(void *data)
 int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
                      int state)
 {
-        struct ip_vs_sync_thread_data *tinfo;
+        struct ip_vs_sync_thread_data *tinfo = NULL;
        struct task_struct **array = NULL, *task;
-        struct socket *sock;
        struct net_device *dev;
        char *name;
        int (*threadfn)(void *data);
-        int id, count, hlen;
+        int id = 0, count, hlen;
        int result = -ENOMEM;
        u16 mtu, min_mtu;
@@ -1791,6 +1770,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
        IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %Zd bytes\n",
                  sizeof(struct ip_vs_sync_conn_v0));
+        /* Do not hold one mutex and then to block on another */
+        for (;;) {
+                rtnl_lock();
+                if (mutex_trylock(&ipvs->sync_mutex))
+                        break;
+                rtnl_unlock();
+                mutex_lock(&ipvs->sync_mutex);
+                if (rtnl_trylock())
+                        break;
+                mutex_unlock(&ipvs->sync_mutex);
+        }
        if (!ipvs->sync_state) {
                count = clamp(sysctl_sync_ports(ipvs), 1, IPVS_SYNC_PORTS_MAX);
                ipvs->threads_mask = count - 1;
@@ -1809,7 +1800,8 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
        dev = __dev_get_by_name(ipvs->net, c->mcast_ifn);
        if (!dev) {
                pr_err("Unknown mcast interface: %s\n", c->mcast_ifn);
-                return -ENODEV;
+                result = -ENODEV;
+                goto out_early;
        }
        hlen = (AF_INET6 == c->mcast_af) ?
               sizeof(struct ipv6hdr) + sizeof(struct udphdr) :
@@ -1826,26 +1818,30 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
                c->sync_maxlen = mtu - hlen;
        if (state == IP_VS_STATE_MASTER) {
+                result = -EEXIST;
                if (ipvs->ms)
-                        return -EEXIST;
+                        goto out_early;
                ipvs->mcfg = *c;
                name = "ipvs-m:%d:%d";
                threadfn = sync_thread_master;
        } else if (state == IP_VS_STATE_BACKUP) {
+                result = -EEXIST;
                if (ipvs->backup_threads)
-                        return -EEXIST;
+                        goto out_early;
                ipvs->bcfg = *c;
                name = "ipvs-b:%d:%d";
                threadfn = sync_thread_backup;
        } else {
-                return -EINVAL;
+                result = -EINVAL;
+                goto out_early;
        }
        if (state == IP_VS_STATE_MASTER) {
                struct ipvs_master_sync_state *ms;
+                result = -ENOMEM;
                ipvs->ms = kzalloc(count * sizeof(ipvs->ms[0]), GFP_KERNEL);
                if (!ipvs->ms)
                        goto out;
@@ -1861,39 +1857,38 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
        } else {
                array = kzalloc(count * sizeof(struct task_struct *),
                                GFP_KERNEL);
+                result = -ENOMEM;
                if (!array)
                        goto out;
        }
-        tinfo = NULL;
        for (id = 0; id < count; id++) {
-                if (state == IP_VS_STATE_MASTER)
+                result = -ENOMEM;
-                        sock = make_send_sock(ipvs, id);
-                else
-                        sock = make_receive_sock(ipvs, id, dev->ifindex);
-                if (IS_ERR(sock)) {
-                        result = PTR_ERR(sock);
-                        goto outtinfo;
-                }
                tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL);
                if (!tinfo)
-                        goto outsocket;
+                        goto out;
                tinfo->ipvs = ipvs;
-                tinfo->sock = sock;
+                tinfo->sock = NULL;
                if (state == IP_VS_STATE_BACKUP) {
                        tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen,
                                             GFP_KERNEL);
                        if (!tinfo->buf)
-                                goto outtinfo;
+                                goto out;
                } else {
                        tinfo->buf = NULL;
                }
                tinfo->id = id;
+                if (state == IP_VS_STATE_MASTER)
+                        result = make_send_sock(ipvs, id, dev, &tinfo->sock);
+                else
+                        result = make_receive_sock(ipvs, id, dev, &tinfo->sock);
+                if (result < 0)
+                        goto out;
                task = kthread_run(threadfn, tinfo, name, ipvs->gen, id);
                if (IS_ERR(task)) {
                        result = PTR_ERR(task);
-                        goto outtinfo;
+                        goto out;
                }
                tinfo = NULL;
                if (state == IP_VS_STATE_MASTER)
@@ -1910,20 +1905,20 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
        ipvs->sync_state |= state;
        spin_unlock_bh(&ipvs->sync_buff_lock);
+        mutex_unlock(&ipvs->sync_mutex);
+        rtnl_unlock();
        /* increase the module use count */
        ip_vs_use_count_inc();
        return 0;
-outsocket:
+out:
-        sock_release(sock);
+        /* We do not need RTNL lock anymore, release it here so that
+         * sock_release below and in the kthreads can use rtnl_lock
-outtinfo:
+         * to leave the mcast group.
-        if (tinfo) {
+         */
-                sock_release(tinfo->sock);
+        rtnl_unlock();
-                kfree(tinfo->buf);
-                kfree(tinfo);
-        }
        count = id;
        while (count-- > 0) {
                if (state == IP_VS_STATE_MASTER)
@@ -1931,13 +1926,23 @@ outtinfo:
                else
                        kthread_stop(array[count]);
        }
-        kfree(array);
-out:
        if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) {
                kfree(ipvs->ms);
                ipvs->ms = NULL;
        }
+        mutex_unlock(&ipvs->sync_mutex);
+        if (tinfo) {
+                if (tinfo->sock)
+                        sock_release(tinfo->sock);
+                kfree(tinfo->buf);
+                kfree(tinfo);
+        }
+        kfree(array);
+        return result;
+out_early:
+        mutex_unlock(&ipvs->sync_mutex);
+        rtnl_unlock();
        return result;
 }
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 86a3c6f0c871..5f747089024f 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -719,6 +719,7 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
         * least once for the stats anyway.
         */
        rcu_read_lock_bh();
+ begin:
        hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) {
                ct = nf_ct_tuplehash_to_ctrack(h);
                if (ct != ignored_conntrack &&
@@ -730,6 +731,12 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
                }
                NF_CT_STAT_INC(net, searched);
        }
+        if (get_nulls_value(n) != hash) {
+                NF_CT_STAT_INC(net, search_restart);
+                goto begin;
+        }
        rcu_read_unlock_bh();
        return 0;
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 7f16d19d6198..a91f8bd51d05 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -560,7 +560,7 @@ static int exp_seq_show(struct seq_file *s, void *v)
        helper = rcu_dereference(nfct_help(expect->master)->helper);
        if (helper) {
                seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
-                if (helper->expect_policy[expect->class].name)
+                if (helper->expect_policy[expect->class].name[0])
                        seq_printf(s, "/%s",
                                   helper->expect_policy[expect->class].name);
        }
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 660939df7c94..c68e020427ab 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -887,8 +887,13 @@ restart:
        }
 out:
        local_bh_enable();
-        if (last)
+        if (last) {
+                /* nf ct hash resize happened, now clear the leftover. */
+                if ((struct nf_conn *)cb->args[1] == last)
+                        cb->args[1] = 0;
                nf_ct_put(last);
+        }
        return skb->len;
 }
@@ -999,9 +1004,8 @@ static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
 static int
 ctnetlink_parse_tuple(const struct nlattr * const cda[],
-                      struct nf_conntrack_tuple *tuple,
+                      struct nf_conntrack_tuple *tuple, u32 type,
-                      enum ctattr_type type, u_int8_t l3num,
+                      u_int8_t l3num, struct nf_conntrack_zone *zone)
-                      struct nf_conntrack_zone *zone)
 {
        struct nlattr *tb[CTA_TUPLE_MAX+1];
        int err;
@@ -2416,7 +2420,7 @@ static struct nfnl_ct_hook ctnetlink_glue_hook = {
 static inline int
 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
                         const struct nf_conntrack_tuple *tuple,
-                         enum ctattr_expect type)
+                         u32 type)
 {
        struct nlattr *nest_parms;
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 885b4aba3695..1665c2159e4b 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1434,9 +1434,12 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
                handler = &sip_handlers[i];
                if (handler->request == NULL)
                        continue;
-                if (*datalen < handler->len ||
+                if (*datalen < handler->len + 2 ||
                    strncasecmp(*dptr, handler->method, handler->len))
                        continue;
+                if ((*dptr)[handler->len] != ' ' ||
+                    !isalpha((*dptr)[handler->len+1]))
+                        continue;
                if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
                                      &matchoff, &matchlen) <= 0) {
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 2c89f90cd7bc..f94a2e1172f0 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -422,14 +422,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
                rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
                mutex_unlock(&nf_log_mutex);
        } else {
+                struct ctl_table tmp = *table;
+                tmp.data = buf;
                mutex_lock(&nf_log_mutex);
                logger = nft_log_dereference(net->nf.nf_loggers[tindex]);
                if (!logger)
-                        table->data = "NONE";
+                        strlcpy(buf, "NONE", sizeof(buf));
                else
-                        table->data = logger->name;
+                        strlcpy(buf, logger->name, sizeof(buf));
-                r = proc_dostring(table, write, buffer, lenp, ppos);
                mutex_unlock(&nf_log_mutex);
+                r = proc_dostring(&tmp, write, buffer, lenp, ppos);
        }
        return r;
diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
index fbce552a796e..7d7466dbf663 100644
--- a/net/netfilter/nf_nat_proto_common.c
+++ b/net/netfilter/nf_nat_proto_common.c
@@ -41,7 +41,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
                                 const struct nf_conn *ct,
                                 u16 *rover)
 {
-        unsigned int range_size, min, i;
+        unsigned int range_size, min, max, i;
        __be16 *portptr;
        u_int16_t off;
@@ -71,7 +71,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
                }
        } else {
                min = ntohs(range->min_proto.all);
-                range_size = ntohs(range->max_proto.all) - min + 1;
+                max = ntohs(range->max_proto.all);
+                if (unlikely(max < min))
+                        swap(max, min);
+                range_size = max - min + 1;
        }
        if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 5baa8e24e6ac..b19ad20a705c 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -26,23 +26,21 @@
 * Once the queue is registered it must reinject all packets it
 * receives, no matter what.
 */
-static const struct nf_queue_handler __rcu *queue_handler __read_mostly;
 /* return EBUSY when somebody else is registered, return EEXIST if the
 * same handler is registered, return 0 in case of success. */
-void nf_register_queue_handler(const struct nf_queue_handler *qh)
+void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh)
 {
        /* should never happen, we only have one queueing backend in kernel */
-        WARN_ON(rcu_access_pointer(queue_handler));
+        WARN_ON(rcu_access_pointer(net->nf.queue_handler));
-        rcu_assign_pointer(queue_handler, qh);
+        rcu_assign_pointer(net->nf.queue_handler, qh);
 }
 EXPORT_SYMBOL(nf_register_queue_handler);
 /* The caller must flush their queue before this */
-void nf_unregister_queue_handler(void)
+void nf_unregister_queue_handler(struct net *net)
 {
-        RCU_INIT_POINTER(queue_handler, NULL);
+        RCU_INIT_POINTER(net->nf.queue_handler, NULL);
-        synchronize_rcu();
 }
 EXPORT_SYMBOL(nf_unregister_queue_handler);
@@ -103,7 +101,7 @@ void nf_queue_nf_hook_drop(struct net *net, struct nf_hook_ops *ops)
        const struct nf_queue_handler *qh;
        rcu_read_lock();
-        qh = rcu_dereference(queue_handler);
+        qh = rcu_dereference(net->nf.queue_handler);
        if (qh)
                qh->nf_hook_drop(net, ops);
        rcu_read_unlock();
@@ -122,9 +120,10 @@ int nf_queue(struct sk_buff *skb,
        struct nf_queue_entry *entry = NULL;
        const struct nf_afinfo *afinfo;
        const struct nf_queue_handler *qh;
+        struct net *net = state->net;
        /* QUEUE == DROP if no one is waiting, to be safe. */
-        qh = rcu_dereference(queue_handler);
+        qh = rcu_dereference(net->nf.queue_handler);
        if (!qh) {
                status = -ESRCH;
                goto err;
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index f3695a497408..99bc2f87a974 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -167,7 +167,8 @@ next_rule:
        switch (regs.verdict.code) {
        case NFT_JUMP:
-                BUG_ON(stackptr >= NFT_JUMP_STACK_SIZE);
+                if (WARN_ON_ONCE(stackptr >= NFT_JUMP_STACK_SIZE))
+                        return NF_DROP;
                jumpstack[stackptr].chain = chain;
                jumpstack[stackptr].rule  = rule;
                jumpstack[stackptr].rulenum = rulenum;
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 8d34a488efc0..ac143ae4f7b6 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -17,6 +17,7 @@
 #include <linux/types.h>
 #include <linux/list.h>
 #include <linux/errno.h>
+#include <linux/capability.h>
 #include <net/netlink.h>
 #include <net/sock.h>
@@ -392,6 +393,9 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb,
        struct nfnl_cthelper *nlcth;
        int ret = 0;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
                return -EINVAL;
@@ -595,6 +599,9 @@ nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb,
        struct nfnl_cthelper *nlcth;
        bool tuple_set = false;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (nlh->nlmsg_flags & NLM_F_DUMP) {
                struct netlink_dump_control c = {
                        .dump = nfnl_cthelper_dump_table,
@@ -661,6 +668,9 @@ nfnl_cthelper_del(struct sock *nfnl, struct sk_buff *skb,
        struct nfnl_cthelper *nlcth, *n;
        int j = 0, ret;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (tb[NFCTH_NAME])
                helper_name = nla_data(tb[NFCTH_NAME]);
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index f6837f9b6d6c..54cde78c2718 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -501,7 +501,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
        if (entskb->tstamp.tv64) {
                struct nfqnl_msg_packet_timestamp ts;
-                struct timespec64 kts = ktime_to_timespec64(skb->tstamp);
+                struct timespec64 kts = ktime_to_timespec64(entskb->tstamp);
                ts.sec = cpu_to_be64(kts.tv_sec);
                ts.usec = cpu_to_be64(kts.tv_nsec / NSEC_PER_USEC);
@@ -1053,10 +1053,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
        struct net *net = sock_net(ctnl);
        struct nfnl_queue_net *q = nfnl_queue_pernet(net);
-        queue = instance_lookup(q, queue_num);
+        queue = verdict_instance_lookup(q, queue_num,
-        if (!queue)
+                                        NETLINK_CB(skb).portid);
-                queue = verdict_instance_lookup(q, queue_num,
-                                                NETLINK_CB(skb).portid);
        if (IS_ERR(queue))
                return PTR_ERR(queue);
@@ -1108,6 +1106,9 @@ nfqnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
 static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = {
        [NFQA_CFG_CMD]          = { .len = sizeof(struct nfqnl_msg_config_cmd) },
        [NFQA_CFG_PARAMS]       = { .len = sizeof(struct nfqnl_msg_config_params) },
+        [NFQA_CFG_QUEUE_MAXLEN] = { .type = NLA_U32 },
+        [NFQA_CFG_MASK]         = { .type = NLA_U32 },
+        [NFQA_CFG_FLAGS]        = { .type = NLA_U32 },
 };
 static const struct nf_queue_handler nfqh = {
@@ -1384,21 +1385,29 @@ static int __net_init nfnl_queue_net_init(struct net *net)
                         net->nf.proc_netfilter, &nfqnl_file_ops))
                return -ENOMEM;
 #endif
+        nf_register_queue_handler(net, &nfqh);
        return 0;
 }
 static void __net_exit nfnl_queue_net_exit(struct net *net)
 {
+        nf_unregister_queue_handler(net);
 #ifdef CONFIG_PROC_FS
        remove_proc_entry("nfnetlink_queue", net->nf.proc_netfilter);
 #endif
 }
+static void nfnl_queue_net_exit_batch(struct list_head *net_exit_list)
+{
+        synchronize_rcu();
+}
 static struct pernet_operations nfnl_queue_net_ops = {
-        .init   = nfnl_queue_net_init,
+        .init           = nfnl_queue_net_init,
-        .exit   = nfnl_queue_net_exit,
+        .exit           = nfnl_queue_net_exit,
-        .id     = &nfnl_queue_net_id,
+        .exit_batch     = nfnl_queue_net_exit_batch,
-        .size   = sizeof(struct nfnl_queue_net),
+        .id             = &nfnl_queue_net_id,
+        .size           = sizeof(struct nfnl_queue_net),
 };
 static int __init nfnetlink_queue_init(void)
@@ -1419,7 +1428,6 @@ static int __init nfnetlink_queue_init(void)
        }
        register_netdevice_notifier(&nfqnl_dev_notifier);
-        nf_register_queue_handler(&nfqh);
        return status;
 cleanup_netlink_notifier:
@@ -1431,7 +1439,6 @@ out:
 static void __exit nfnetlink_queue_fini(void)
 {
-        nf_unregister_queue_handler();
        unregister_netdevice_notifier(&nfqnl_dev_notifier);
        nfnetlink_subsys_unregister(&nfqnl_subsys);
        netlink_unregister_notifier(&nfqnl_rtnl_notifier);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 2fc6ca9d1286..1f3c305df45d 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -38,7 +38,7 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
-#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
+#define XT_PCPU_BLOCK_SIZE 4096
 struct compat_delta {
        unsigned int offset; /* offset in kernel */
@@ -208,6 +208,9 @@ xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
 {
        struct xt_match *match;
+        if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+                return ERR_PTR(-EINVAL);
        match = xt_find_match(nfproto, name, revision);
        if (IS_ERR(match)) {
                request_module("%st_%s", xt_prefix[nfproto], name);
@@ -250,6 +253,9 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
 {
        struct xt_target *target;
+        if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+                return ERR_PTR(-EINVAL);
        target = xt_find_target(af, name, revision);
        if (IS_ERR(target)) {
                request_module("%st_%s", xt_prefix[af], name);
@@ -360,6 +366,36 @@ textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
        return buf;
 }
+/**
+ * xt_check_proc_name - check that name is suitable for /proc file creation
+ *
+ * @name: file name candidate
+ * @size: length of buffer
+ *
+ * some x_tables modules wish to create a file in /proc.
+ * This function makes sure that the name is suitable for this
+ * purpose, it checks that name is NUL terminated and isn't a 'special'
+ * name, like "..".
+ *
+ * returns negative number on error or 0 if name is useable.
+ */
+int xt_check_proc_name(const char *name, unsigned int size)
+{
+        if (name[0] == '\0')
+                return -EINVAL;
+        if (strnlen(name, size) == size)
+                return -ENAMETOOLONG;
+        if (strcmp(name, ".") == 0 ||
+            strcmp(name, "..") == 0 ||
+            strchr(name, '/'))
+                return -EINVAL;
+        return 0;
+}
+EXPORT_SYMBOL(xt_check_proc_name);
 int xt_check_match(struct xt_mtchk_param *par,
                   unsigned int size, u_int8_t proto, bool inv_proto)
 {
@@ -701,6 +737,56 @@ int xt_check_entry_offsets(const void *base,
 }
 EXPORT_SYMBOL(xt_check_entry_offsets);
+/**
+ * xt_alloc_entry_offsets - allocate array to store rule head offsets
+ *
+ * @size: number of entries
+ *
+ * Return: NULL or kmalloc'd or vmalloc'd array
+ */
+unsigned int *xt_alloc_entry_offsets(unsigned int size)
+{
+        unsigned int *off;
+        off = kcalloc(size, sizeof(unsigned int), GFP_KERNEL | __GFP_NOWARN);
+        if (off)
+                return off;
+        if (size < (SIZE_MAX / sizeof(unsigned int)))
+                off = vmalloc(size * sizeof(unsigned int));
+        return off;
+}
+EXPORT_SYMBOL(xt_alloc_entry_offsets);
+/**
+ * xt_find_jump_offset - check if target is a valid jump offset
+ *
+ * @offsets: array containing all valid rule start offsets of a rule blob
+ * @target: the jump target to search for
+ * @size: entries in @offset
+ */
+bool xt_find_jump_offset(const unsigned int *offsets,
+                         unsigned int target, unsigned int size)
+{
+        int m, low = 0, hi = size;
+        while (hi > low) {
+                m = (low + hi) / 2u;
+                if (offsets[m] > target)
+                        hi = m;
+                else if (offsets[m] < target)
+                        low = m + 1;
+                else
+                        return true;
+        }
+        return false;
+}
+EXPORT_SYMBOL(xt_find_jump_offset);
 int xt_check_target(struct xt_tgchk_param *par,
                    unsigned int size, u_int8_t proto, bool inv_proto)
 {
@@ -904,7 +990,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
                return NULL;
        /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
-        if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
+        if ((size >> PAGE_SHIFT) + 2 > totalram_pages)
                return NULL;
        if (sz <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
@@ -1538,6 +1624,59 @@ void xt_proto_fini(struct net *net, u_int8_t af)
 }
 EXPORT_SYMBOL_GPL(xt_proto_fini);
+/**
+ * xt_percpu_counter_alloc - allocate x_tables rule counter
+ *
+ * @state: pointer to xt_percpu allocation state
+ * @counter: pointer to counter struct inside the ip(6)/arpt_entry struct
+ *
+ * On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then
+ * contain the address of the real (percpu) counter.
+ *
+ * Rule evaluation needs to use xt_get_this_cpu_counter() helper
+ * to fetch the real percpu counter.
+ *
+ * To speed up allocation and improve data locality, a 4kb block is
+ * allocated.
+ *
+ * xt_percpu_counter_alloc_state contains the base address of the
+ * allocated page and the current sub-offset.
+ *
+ * returns false on error.
+ */
+bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
+                             struct xt_counters *counter)
+{
+        BUILD_BUG_ON(XT_PCPU_BLOCK_SIZE < (sizeof(*counter) * 2));
+        if (nr_cpu_ids <= 1)
+                return true;
+        if (!state->mem) {
+                state->mem = __alloc_percpu(XT_PCPU_BLOCK_SIZE,
+                                            XT_PCPU_BLOCK_SIZE);
+                if (!state->mem)
+                        return false;
+        }
+        counter->pcnt = (__force unsigned long)(state->mem + state->off);
+        state->off += sizeof(*counter);
+        if (state->off > (XT_PCPU_BLOCK_SIZE - sizeof(*counter))) {
+                state->mem = NULL;
+                state->off = 0;
+        }
+        return true;
+}
+EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc);
+void xt_percpu_counter_free(struct xt_counters *counters)
+{
+        unsigned long pcnt = counters->pcnt;
+        if (nr_cpu_ids > 1 && (pcnt & (XT_PCPU_BLOCK_SIZE - 1)) == 0)
+                free_percpu((void __percpu *)pcnt);
+}
+EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
 static int __net_init xt_net_init(struct net *net)
 {
        int i;
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index e7ac07e53b59..febcfac7e3df 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -168,8 +168,10 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
                goto err_put_timeout;
        }
        timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
-        if (timeout_ext == NULL)
+        if (!timeout_ext) {
                ret = -ENOMEM;
+                goto err_put_timeout;
+        }
        rcu_read_unlock();
        return ret;
@@ -201,6 +203,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
                          struct xt_ct_target_info_v1 *info)
 {
        struct nf_conntrack_zone zone;
+        struct nf_conn_help *help;
        struct nf_conn *ct;
        int ret = -EOPNOTSUPP;
@@ -249,7 +252,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
        if (info->timeout[0]) {
                ret = xt_ct_set_timeout(ct, par, info->timeout);
                if (ret < 0)
-                        goto err3;
+                        goto err4;
        }
        __set_bit(IPS_CONFIRMED_BIT, &ct->status);
        nf_conntrack_get(&ct->ct_general);
@@ -257,6 +260,10 @@ out:
        info->ct = ct;
        return 0;
+err4:
+        help = nfct_help(ct);
+        if (help)
+                module_put(help->helper->me);
 err3:
        nf_ct_tmpl_free(ct);
 err2:
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 29d2c31f406c..1718f536689f 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -147,11 +147,11 @@ static int idletimer_tg_create(struct idletimer_tg_info *info)
                    (unsigned long) info->timer);
        info->timer->refcnt = 1;
+        INIT_WORK(&info->timer->work, idletimer_tg_work);
        mod_timer(&info->timer->timer,
                  msecs_to_jiffies(info->timeout * 1000) + jiffies);
-        INIT_WORK(&info->timer->work, idletimer_tg_work);
        return 0;
 out_free_attr:
@@ -192,7 +192,10 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par)
                pr_debug("timeout value is zero\n");
                return -EINVAL;
        }
+        if (info->timeout >= INT_MAX / 1000) {
+                pr_debug("timeout value is too big\n");
+                return -EINVAL;
+        }
        if (info->label[0] == '\0' ||
            strnlen(info->label,
                    MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) {
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 3ba31c194cce..0858fe17e14a 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -141,10 +141,11 @@ static int led_tg_check(const struct xt_tgchk_param *par)
                goto exit_alloc;
        }
-        /* See if we need to set up a timer */
+        /* Since the letinternal timer can be shared between multiple targets,
-        if (ledinfo->delay > 0)
+         * always set it up, even if the current target does not need it
-                setup_timer(&ledinternal->timer, led_timeout_callback,
+         */
-                            (unsigned long)ledinternal);
+        setup_timer(&ledinternal->timer, led_timeout_callback,
+                    (unsigned long)ledinternal);
        list_add_tail(&ledinternal->list, &xt_led_triggers);
@@ -181,8 +182,7 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
        list_del(&ledinternal->list);
-        if (ledinfo->delay > 0)
+        del_timer_sync(&ledinternal->timer);
-                del_timer_sync(&ledinternal->timer);
        led_trigger_unregister(&ledinternal->netfilter_led_trigger);
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 604df6fae6fc..0be96f8475f7 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -40,23 +40,31 @@ static void xt_rateest_hash_insert(struct xt_rateest *est)
        hlist_add_head(&est->list, &rateest_hash[h]);
 }
-struct xt_rateest *xt_rateest_lookup(const char *name)
+static struct xt_rateest *__xt_rateest_lookup(const char *name)
 {
        struct xt_rateest *est;
        unsigned int h;
        h = xt_rateest_hash(name);
-        mutex_lock(&xt_rateest_mutex);
        hlist_for_each_entry(est, &rateest_hash[h], list) {
                if (strcmp(est->name, name) == 0) {
                        est->refcnt++;
-                        mutex_unlock(&xt_rateest_mutex);
                        return est;
                }
        }
-        mutex_unlock(&xt_rateest_mutex);
        return NULL;
 }
+struct xt_rateest *xt_rateest_lookup(const char *name)
+{
+        struct xt_rateest *est;
+        mutex_lock(&xt_rateest_mutex);
+        est = __xt_rateest_lookup(name);
+        mutex_unlock(&xt_rateest_mutex);
+        return est;
+}
 EXPORT_SYMBOL_GPL(xt_rateest_lookup);
 void xt_rateest_put(struct xt_rateest *est)
@@ -104,8 +112,10 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
                rnd_inited = true;
        }
-        est = xt_rateest_lookup(info->name);
+        mutex_lock(&xt_rateest_mutex);
+        est = __xt_rateest_lookup(info->name);
        if (est) {
+                mutex_unlock(&xt_rateest_mutex);
                /*
                 * If estimator parameters are specified, they must match the
                 * existing estimator.
@@ -143,11 +153,13 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
        info->est = est;
        xt_rateest_hash_insert(est);
+        mutex_unlock(&xt_rateest_mutex);
        return 0;
 err2:
        kfree(est);
 err1:
+        mutex_unlock(&xt_rateest_mutex);
        return ret;
 }
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 178696852bde..7381be0cdcdf 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -668,8 +668,9 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
        if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
                return -EINVAL;
-        if (info->name[sizeof(info->name)-1] != '\0')
+        ret = xt_check_proc_name(info->name, sizeof(info->name));
-                return -EINVAL;
+        if (ret)
+                return ret;
        if (par->family == NFPROTO_IPV4) {
                if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
                        return -EINVAL;
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index df8801e02a32..7eae0d0af89a 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -19,6 +19,7 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
+#include <linux/capability.h>
 #include <linux/if.h>
 #include <linux/inetdevice.h>
 #include <linux/ip.h>
@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
        struct xt_osf_finger *kf = NULL, *sf;
        int err = 0;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (!osf_attrs[OSF_ATTR_FINGER])
                return -EINVAL;
@@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb,
        struct xt_osf_finger *sf;
        int err = -ENOENT;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (!osf_attrs[OSF_ATTR_FINGER])
                return -EINVAL;
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index d725a27743a1..cd53b861a15c 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -364,9 +364,9 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
                        info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
                return -EINVAL;
        }
-        if (info->name[0] == '\0' ||
+        ret = xt_check_proc_name(info->name, sizeof(info->name));
-            strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
+        if (ret)
-                return -EINVAL;
+                return ret;
        if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot)
                nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1;
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index b0380927f05f..3f33ec44bd28 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1469,6 +1469,16 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb,
                iface = rcu_dereference(netlbl_unlhsh_def);
        if (iface == NULL || !iface->valid)
                goto unlabel_getattr_nolabel;
+#if IS_ENABLED(CONFIG_IPV6)
+        /* When resolving a fallback label, check the sk_buff version as
+         * it is possible (e.g. SCTP) to have family = PF_INET6 while
+         * receiving ip_hdr(skb)->version = 4.
+         */
+        if (family == PF_INET6 && ip_hdr(skb)->version == 4)
+                family = PF_INET;
+#endif /* IPv6 */
        switch (family) {
        case PF_INET: {
                struct iphdr *hdr4;
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 48e1608414e6..bf292010760a 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -62,6 +62,7 @@
 #include <asm/cacheflush.h>
 #include <linux/hash.h>
 #include <linux/genetlink.h>
+#include <linux/nospec.h>
 #include <net/net_namespace.h>
 #include <net/sock.h>
@@ -654,6 +655,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol,
        if (protocol < 0 || protocol >= MAX_LINKS)
                return -EPROTONOSUPPORT;
+        protocol = array_index_nospec(protocol, MAX_LINKS);
        netlink_lock_table();
 #ifdef CONFIG_MODULES
@@ -984,6 +986,11 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
                        return err;
        }
+        if (nlk->ngroups == 0)
+                groups = 0;
+        else if (nlk->ngroups < 8*sizeof(groups))
+                groups &= (1UL << nlk->ngroups) - 1;
        bound = nlk->bound;
        if (bound) {
                /* Ensure nlk->portid is up-to-date. */
@@ -1054,6 +1061,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
        if (addr->sa_family != AF_NETLINK)
                return -EINVAL;
+        if (alen < sizeof(struct sockaddr_nl))
+                return -EINVAL;
        if ((nladdr->nl_groups || nladdr->nl_pid) &&
            !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
                return -EPERM;
@@ -1792,6 +1802,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
        if (msg->msg_namelen) {
                err = -EINVAL;
+                if (msg->msg_namelen < sizeof(struct sockaddr_nl))
+                        goto out;
                if (addr->nl_family != AF_NETLINK)
                        goto out;
                dst_portid = addr->nl_pid;
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 8e63662c6fb0..d681dbaf00c1 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1118,6 +1118,7 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
 {
        struct sk_buff *tmp;
        struct net *net, *prev = NULL;
+        bool delivered = false;
        int err;
        for_each_net_rcu(net) {
@@ -1129,14 +1130,21 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
                        }
                        err = nlmsg_multicast(prev->genl_sock, tmp,
                                              portid, group, flags);
-                        if (err)
+                        if (!err)
+                                delivered = true;
+                        else if (err != -ESRCH)
                                goto error;
                }
                prev = net;
        }
-        return nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
+        err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
+        if (!err)
+                delivered = true;
+        else if (err != -ESRCH)
+                return err;
+        return delivered ? 0 : -ESRCH;
 error:
        kfree_skb(skb);
        return err;
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 3621a902cb6e..04f060488686 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
        pr_debug("uri: %s, len: %zu\n", uri, uri_len);
+        /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */
+        if (WARN_ON_ONCE(uri_len > U8_MAX - 4))
+                return NULL;
        sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL);
        if (sdreq == NULL)
                return NULL;
@@ -750,11 +754,14 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
                pr_debug("Fragment %zd bytes remaining %zd",
                         frag_len, remaining_len);
-                pdu = nfc_alloc_send_skb(sock->dev, &sock->sk, MSG_DONTWAIT,
+                pdu = nfc_alloc_send_skb(sock->dev, &sock->sk, 0,
                                         frag_len + LLCP_HEADER_SIZE, &err);
                if (pdu == NULL) {
-                        pr_err("Could not allocate PDU\n");
+                        pr_err("Could not allocate PDU (error=%d)\n", err);
-                        continue;
+                        len -= remaining_len;
+                        if (len == 0)
+                                len = err;
+                        break;
                }
                pdu = llcp_add_header(pdu, dsap, ssap, LLCP_PDU_UI);
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index 12dfb457275d..32cb0c87e852 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -68,7 +68,8 @@ static const struct nla_policy nfc_genl_policy[NFC_ATTR_MAX + 1] = {
 };
 static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = {
-        [NFC_SDP_ATTR_URI] = { .type = NLA_STRING },
+        [NFC_SDP_ATTR_URI] = { .type = NLA_STRING,
+                               .len = U8_MAX - 4 },
        [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 },
 };
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 6a2507f24b0f..1829adb23505 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -361,10 +361,38 @@ ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone,
                   u16 proto, const struct sk_buff *skb)
 {
        struct nf_conntrack_tuple tuple;
+        struct nf_conntrack_expect *exp;
        if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple))
                return NULL;
-        return __nf_ct_expect_find(net, zone, &tuple);
+        exp = __nf_ct_expect_find(net, zone, &tuple);
+        if (exp) {
+                struct nf_conntrack_tuple_hash *h;
+                /* Delete existing conntrack entry, if it clashes with the
+                 * expectation.  This can happen since conntrack ALGs do not
+                 * check for clashes between (new) expectations and existing
+                 * conntrack entries.  nf_conntrack_in() will check the
+                 * expectations only if a conntrack entry can not be found,
+                 * which can lead to OVS finding the expectation (here) in the
+                 * init direction, but which will not be removed by the
+                 * nf_conntrack_in() call, if a matching conntrack entry is
+                 * found instead.  In this case all init direction packets
+                 * would be reported as new related packets, while reply
+                 * direction packets would be reported as un-related
+                 * established packets.
+                 */
+                h = nf_conntrack_find_get(net, zone, &tuple);
+                if (h) {
+                        struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
+                        nf_ct_delete(ct, 0, 0);
+                        nf_conntrack_put(&ct->ct_general);
+                }
+        }
+        return exp;
 }
 /* Determine whether skb->nfct is equal to the result of conntrack lookup. */
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index d26b28def310..624c4719e404 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -1141,13 +1141,10 @@ static void nlattr_set(struct nlattr *attr, u8 val,
        /* The nlattr stream should already have been validated */
        nla_for_each_nested(nla, attr, rem) {
-                if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) {
+                if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED)
-                        if (tbl[nla_type(nla)].next)
+                        nlattr_set(nla, val, tbl[nla_type(nla)].next ? : tbl);
-                                tbl = tbl[nla_type(nla)].next;
+                else
-                        nlattr_set(nla, val, tbl);
-                } else {
                        memset(nla_data(nla), val, nla_len(nla));
-                }
                if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE)
                        *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK;
@@ -1672,14 +1669,11 @@ int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb)
 #define MAX_ACTIONS_BUFSIZE     (32 * 1024)
-static struct sw_flow_actions *nla_alloc_flow_actions(int size, bool log)
+static struct sw_flow_actions *nla_alloc_flow_actions(int size)
 {
        struct sw_flow_actions *sfa;
-        if (size > MAX_ACTIONS_BUFSIZE) {
+        WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);
-                OVS_NLERR(log, "Flow action size %u bytes exceeds max", size);
-                return ERR_PTR(-EINVAL);
-        }
        sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL);
        if (!sfa)
@@ -1752,12 +1746,15 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
        new_acts_size = ksize(*sfa) * 2;
        if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
-                if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size)
+                if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
+                        OVS_NLERR(log, "Flow action size exceeds max %u",
+                                  MAX_ACTIONS_BUFSIZE);
                        return ERR_PTR(-EMSGSIZE);
+                }
                new_acts_size = MAX_ACTIONS_BUFSIZE;
        }
-        acts = nla_alloc_flow_actions(new_acts_size, log);
+        acts = nla_alloc_flow_actions(new_acts_size);
        if (IS_ERR(acts))
                return (void *)acts;
@@ -2369,7 +2366,7 @@ int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
 {
        int err;
-        *sfa = nla_alloc_flow_actions(nla_len(attr), log);
+        *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE));
        if (IS_ERR(*sfa))
                return PTR_ERR(*sfa);
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 92ca3e106c2b..3a63f33698d3 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -332,11 +332,11 @@ static void packet_pick_tx_queue(struct net_device *dev, struct sk_buff *skb)
        skb_set_queue_mapping(skb, queue_index);
 }
-/* register_prot_hook must be invoked with the po->bind_lock held,
+/* __register_prot_hook must be invoked through register_prot_hook
 * or from a context in which asynchronous accesses to the packet
 * socket is not possible (packet_create()).
 */
-static void register_prot_hook(struct sock *sk)
+static void __register_prot_hook(struct sock *sk)
 {
        struct packet_sock *po = pkt_sk(sk);
@@ -351,8 +351,13 @@ static void register_prot_hook(struct sock *sk)
        }
 }
-/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock
+static void register_prot_hook(struct sock *sk)
- * held.   If the sync parameter is true, we will temporarily drop
+{
+        lockdep_assert_held_once(&pkt_sk(sk)->bind_lock);
+        __register_prot_hook(sk);
+}
+/* If the sync parameter is true, we will temporarily drop
 * the po->bind_lock and do a synchronize_net to make sure no
 * asynchronous packet processing paths still refer to the elements
 * of po->prot_hook.  If the sync parameter is false, it is the
@@ -362,6 +367,8 @@ static void __unregister_prot_hook(struct sock *sk, bool sync)
 {
        struct packet_sock *po = pkt_sk(sk);
+        lockdep_assert_held_once(&po->bind_lock);
        po->running = 0;
        if (po->fanout)
@@ -2764,13 +2771,15 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
        if (skb == NULL)
                goto out_unlock;
-        skb_set_network_header(skb, reserve);
+        skb_reset_network_header(skb);
        err = -EINVAL;
        if (sock->type == SOCK_DGRAM) {
                offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);
                if (unlikely(offset < 0))
                        goto out_free;
+        } else if (reserve) {
+                skb_reserve(skb, -reserve);
        }
        /* Returns -EFAULT on error */
@@ -2892,6 +2901,7 @@ static int packet_release(struct socket *sock)
        packet_flush_mclist(sk);
+        lock_sock(sk);
        if (po->rx_ring.pg_vec) {
                memset(&req_u, 0, sizeof(req_u));
                packet_set_ring(sk, &req_u, 1, 0);
@@ -2901,6 +2911,7 @@ static int packet_release(struct socket *sock)
                memset(&req_u, 0, sizeof(req_u));
                packet_set_ring(sk, &req_u, 1, 1);
        }
+        release_sock(sk);
        f = fanout_release(sk);
@@ -3134,7 +3145,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
        if (proto) {
                po->prot_hook.type = proto;
-                register_prot_hook(sk);
+                __register_prot_hook(sk);
        }
        mutex_lock(&net->packet.sklist_lock);
@@ -3570,6 +3581,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
                union tpacket_req_u req_u;
                int len;
+                lock_sock(sk);
                switch (po->tp_version) {
                case TPACKET_V1:
                case TPACKET_V2:
@@ -3580,14 +3592,21 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
                        len = sizeof(req_u.req3);
                        break;
                }
-                if (optlen < len)
+                if (optlen < len) {
-                        return -EINVAL;
+                        ret = -EINVAL;
-                if (pkt_sk(sk)->has_vnet_hdr)
+                } else {
-                        return -EINVAL;
+                        if (pkt_sk(sk)->has_vnet_hdr) {
-                if (copy_from_user(&req_u.req, optval, len))
+                                ret = -EINVAL;
-                        return -EFAULT;
+                        } else {
-                return packet_set_ring(sk, &req_u, 0,
+                                if (copy_from_user(&req_u.req, optval, len))
-                        optname == PACKET_TX_RING);
+                                        ret = -EFAULT;
+                                else
+                                        ret = packet_set_ring(sk, &req_u, 0,
+                                                              optname == PACKET_TX_RING);
+                        }
+                }
+                release_sock(sk);
+                return ret;
        }
        case PACKET_COPY_THRESH:
        {
@@ -3653,12 +3672,18 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
                if (optlen != sizeof(val))
                        return -EINVAL;
-                if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-                        return -EBUSY;
                if (copy_from_user(&val, optval, sizeof(val)))
                        return -EFAULT;
-                po->tp_loss = !!val;
-                return 0;
+                lock_sock(sk);
+                if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+                        ret = -EBUSY;
+                } else {
+                        po->tp_loss = !!val;
+                        ret = 0;
+                }
+                release_sock(sk);
+                return ret;
        }
        case PACKET_AUXDATA:
        {
@@ -3669,7 +3694,9 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
                if (copy_from_user(&val, optval, sizeof(val)))
                        return -EFAULT;
+                lock_sock(sk);
                po->auxdata = !!val;
+                release_sock(sk);
                return 0;
        }
        case PACKET_ORIGDEV:
@@ -3681,7 +3708,9 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
                if (copy_from_user(&val, optval, sizeof(val)))
                        return -EFAULT;
+                lock_sock(sk);
                po->origdev = !!val;
+                release_sock(sk);
                return 0;
        }
        case PACKET_VNET_HDR:
@@ -3690,15 +3719,20 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
                if (sock->type != SOCK_RAW)
                        return -EINVAL;
-                if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-                        return -EBUSY;
                if (optlen < sizeof(val))
                        return -EINVAL;
                if (copy_from_user(&val, optval, sizeof(val)))
                        return -EFAULT;
-                po->has_vnet_hdr = !!val;
+                lock_sock(sk);
-                return 0;
+                if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+                        ret = -EBUSY;
+                } else {
+                        po->has_vnet_hdr = !!val;
+                        ret = 0;
+                }
+                release_sock(sk);
+                return ret;
        }
        case PACKET_TIMESTAMP:
        {
@@ -3736,11 +3770,17 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
                if (optlen != sizeof(val))
                        return -EINVAL;
-                if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-                        return -EBUSY;
                if (copy_from_user(&val, optval, sizeof(val)))
                        return -EFAULT;
-                po->tp_tx_has_off = !!val;
+                lock_sock(sk);
+                if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+                        ret = -EBUSY;
+                } else {
+                        po->tp_tx_has_off = !!val;
+                        ret = 0;
+                }
+                release_sock(sk);
                return 0;
        }
        case PACKET_QDISC_BYPASS:
@@ -4116,7 +4156,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
        /* Added to avoid minimal code churn */
        struct tpacket_req *req = &req_u->req;
-        lock_sock(sk);
        /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
        if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
                WARN(1, "Tx-ring is not supported.\n");
@@ -4159,7 +4198,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                        goto out;
                if (po->tp_version >= TPACKET_V3 &&
                    req->tp_block_size <=
-                          BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+                    BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
                        goto out;
                if (unlikely(req->tp_frame_size < po->tp_hdrlen +
                                        po->tp_reserve))
@@ -4252,7 +4291,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
        if (pg_vec)
                free_pg_vec(pg_vec, order, req->tp_block_nr);
 out:
-        release_sock(sk);
        return err;
 }
diff --git a/net/packet/internal.h b/net/packet/internal.h
index d55bfc34d6b3..1309e2a7baad 100644
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -109,10 +109,12 @@ struct packet_sock {
        int                     copy_thresh;
        spinlock_t              bind_lock;
        struct mutex            pg_vec_lock;
-        unsigned int            running:1,      /* prot_hook is attached*/
+        unsigned int            running;        /* bind_lock must be held */
-                                auxdata:1,
+        unsigned int            auxdata:1,      /* writer must hold sock lock */
                                origdev:1,
-                                has_vnet_hdr:1;
+                                has_vnet_hdr:1,
+                                tp_loss:1,
+                                tp_tx_has_off:1;
        int                     pressure;
        int                     ifindex;        /* bound device         */
        __be16                  num;
@@ -122,8 +124,6 @@ struct packet_sock {
        enum tpacket_versions   tp_version;
        unsigned int            tp_hdrlen;
        unsigned int            tp_reserve;
-        unsigned int            tp_loss:1;
-        unsigned int            tp_tx_has_off:1;
        unsigned int            tp_tstamp;
        struct net_device __rcu *cached_dev;
        int                     (*xmit)(struct sk_buff *skb);
diff --git a/net/rds/bind.c b/net/rds/bind.c
index b22ea956522b..e29b47193645 100644
--- a/net/rds/bind.c
+++ b/net/rds/bind.c
@@ -108,6 +108,7 @@ static int rds_add_bound(struct rds_sock *rs, __be32 addr, __be16 *port)
                          rs, &addr, (int)ntohs(*port));
                        break;
                } else {
+                        rs->rs_bound_addr = 0;
                        rds_sock_put(rs);
                        ret = -ENOMEM;
                        break;
diff --git a/net/rds/ib.c b/net/rds/ib.c
index f222885ac0c7..ed51ccc84b3a 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -336,7 +336,8 @@ static int rds_ib_laddr_check(struct net *net, __be32 addr)
        /* Create a CMA ID and try to bind it. This catches both
         * IB and iWARP capable NICs.
         */
-        cm_id = rdma_create_id(&init_net, NULL, NULL, RDMA_PS_TCP, IB_QPT_RC);
+        cm_id = rdma_create_id(&init_net, rds_rdma_cm_event_handler,
+                               NULL, RDMA_PS_TCP, IB_QPT_RC);
        if (IS_ERR(cm_id))
                return PTR_ERR(cm_id);
diff --git a/net/rds/loop.c b/net/rds/loop.c
index 6b12b68541ae..05cab8c5a379 100644
--- a/net/rds/loop.c
+++ b/net/rds/loop.c
@@ -191,4 +191,5 @@ struct rds_transport rds_loop_transport = {
        .inc_copy_to_user       = rds_message_inc_copy_to_user,
        .inc_free               = rds_loop_inc_free,
        .t_name                 = "loopback",
+        .t_type                 = RDS_TRANS_LOOP,
 };
diff --git a/net/rds/rds.h b/net/rds/rds.h
index 4588860f4c3b..254f1345cf7e 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -401,6 +401,11 @@ struct rds_notifier {
        int                     n_status;
 };
+/* Available as part of RDS core, so doesn't need to participate
+ * in get_preferred transport etc
+ */
+#define RDS_TRANS_LOOP  3
 /**
 * struct rds_transport -  transport specific behavioural hooks
 *
diff --git a/net/rds/recv.c b/net/rds/recv.c
index 0514af3ab378..6275de19689c 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -76,6 +76,11 @@ static void rds_recv_rcvbuf_delta(struct rds_sock *rs, struct sock *sk,
                return;
        rs->rs_rcv_bytes += delta;
+        /* loop transport doesn't send/recv congestion updates */
+        if (rs->rs_transport->t_type == RDS_TRANS_LOOP)
+                return;
        now_congested = rs->rs_rcv_bytes > rds_sk_rcvbuf(rs);
        rdsdebug("rs %p (%pI4:%u) recv bytes %d buf %d "
diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
index 93127220cb54..e6e249cc651c 100644
--- a/net/rfkill/rfkill-gpio.c
+++ b/net/rfkill/rfkill-gpio.c
@@ -140,13 +140,18 @@ static int rfkill_gpio_probe(struct platform_device *pdev)
        ret = rfkill_register(rfkill->rfkill_dev);
        if (ret < 0)
-                return ret;
+                goto err_destroy;
        platform_set_drvdata(pdev, rfkill);
        dev_info(&pdev->dev, "%s device registered.\n", rfkill->name);
        return 0;
+err_destroy:
+        rfkill_destroy(rfkill->rfkill_dev);
+        return ret;
 }
 static int rfkill_gpio_remove(struct platform_device *pdev)
diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
index d7a9ab5a9d9c..6c65fb229e50 100644
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -209,7 +209,7 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
        struct sk_buff *trailer;
        unsigned int len;
        u16 check;
-        int nsg;
+        int nsg, err;
        sp = rxrpc_skb(skb);
@@ -240,7 +240,9 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
        len &= ~(call->conn->size_align - 1);
        sg_init_table(sg, nsg);
-        skb_to_sgvec(skb, sg, 0, len);
+        err = skb_to_sgvec(skb, sg, 0, len);
+        if (unlikely(err < 0))
+                return err;
        crypto_blkcipher_encrypt_iv(&desc, sg, sg, len);
        _leave(" = 0");
@@ -336,7 +338,7 @@ static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
        struct sk_buff *trailer;
        u32 data_size, buf;
        u16 check;
-        int nsg;
+        int nsg, ret;
        _enter("");
@@ -348,7 +350,9 @@ static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
                goto nomem;
        sg_init_table(sg, nsg);
-        skb_to_sgvec(skb, sg, 0, 8);
+        ret = skb_to_sgvec(skb, sg, 0, 8);
+        if (unlikely(ret < 0))
+                return ret;
        /* start the decryption afresh */
        memset(&iv, 0, sizeof(iv));
@@ -411,7 +415,7 @@ static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
        struct sk_buff *trailer;
        u32 data_size, buf;
        u16 check;
-        int nsg;
+        int nsg, ret;
        _enter(",{%d}", skb->len);
@@ -430,7 +434,12 @@ static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
        }
        sg_init_table(sg, nsg);
-        skb_to_sgvec(skb, sg, 0, skb->len);
+        ret = skb_to_sgvec(skb, sg, 0, skb->len);
+        if (unlikely(ret < 0)) {
+                if (sg != _sg)
+                        kfree(sg);
+                return ret;
+        }
        /* decrypt from the session key */
        token = call->conn->key->payload.data[0];
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 694a06f1e0d5..f44fea22d69c 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -101,8 +101,10 @@ static int tcf_dump_walker(struct sk_buff *skb, struct netlink_callback *cb,
                        a->order = n_i;
                        nest = nla_nest_start(skb, a->order);
-                        if (nest == NULL)
+                        if (nest == NULL) {
+                                index--;
                                goto nla_put_failure;
+                        }
                        err = tcf_action_dump_1(skb, a, 0, 0);
                        if (err < 0) {
                                index--;
diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
index 0bc6f912f870..bd155e59be1c 100644
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -249,10 +249,14 @@ static int tcf_bpf_init_from_efd(struct nlattr **tb, struct tcf_bpf_cfg *cfg)
 static void tcf_bpf_cfg_cleanup(const struct tcf_bpf_cfg *cfg)
 {
-        if (cfg->is_ebpf)
+        struct bpf_prog *filter = cfg->filter;
-                bpf_prog_put(cfg->filter);
-        else
+        if (filter) {
-                bpf_prog_destroy(cfg->filter);
+                if (cfg->is_ebpf)
+                        bpf_prog_put(filter);
+                else
+                        bpf_prog_destroy(filter);
+        }
        kfree(cfg->bpf_ops);
        kfree(cfg->bpf_name);
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
index eeb3eb3ea9eb..024d6cf342c5 100644
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -175,6 +175,9 @@ static int tcf_csum_ipv4_tcp(struct sk_buff *skb,
        struct tcphdr *tcph;
        const struct iphdr *iph;
+        if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4)
+                return 1;
        tcph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*tcph));
        if (tcph == NULL)
                return 0;
@@ -196,6 +199,9 @@ static int tcf_csum_ipv6_tcp(struct sk_buff *skb,
        struct tcphdr *tcph;
        const struct ipv6hdr *ip6h;
+        if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6)
+                return 1;
        tcph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*tcph));
        if (tcph == NULL)
                return 0;
@@ -219,6 +225,9 @@ static int tcf_csum_ipv4_udp(struct sk_buff *skb,
        const struct iphdr *iph;
        u16 ul;
+        if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
+                return 1;
        /*
         * Support both UDP and UDPLITE checksum algorithms, Don't use
         * udph->len to get the real length without any protocol check,
@@ -272,6 +281,9 @@ static int tcf_csum_ipv6_udp(struct sk_buff *skb,
        const struct ipv6hdr *ip6h;
        u16 ul;
+        if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
+                return 1;
        /*
         * Support both UDP and UDPLITE checksum algorithms, Don't use
         * udph->len to get the real length without any protocol check,
diff --git a/net/sched/sch_blackhole.c b/net/sched/sch_blackhole.c
index 3fee70d9814f..562edd50fa94 100644
--- a/net/sched/sch_blackhole.c
+++ b/net/sched/sch_blackhole.c
@@ -20,7 +20,7 @@
 static int blackhole_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
        qdisc_drop(skb, sch);
-        return NET_XMIT_SUCCESS;
+        return NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
 }
 static struct sk_buff *blackhole_dequeue(struct Qdisc *sch)
diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
index 0a08c860eee4..e8dcf94a23c8 100644
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -438,6 +438,9 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt)
        ctl = nla_data(tb[TCA_CHOKE_PARMS]);
+        if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
+                return -EINVAL;
        if (ctl->limit > CHOKE_MAX_QUEUE)
                return -EINVAL;
diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
index 3c6a47d66a04..117ed90c5f21 100644
--- a/net/sched/sch_fq.c
+++ b/net/sched/sch_fq.c
@@ -126,6 +126,28 @@ static bool fq_flow_is_detached(const struct fq_flow *f)
        return f->next == &detached;
 }
+static bool fq_flow_is_throttled(const struct fq_flow *f)
+{
+        return f->next == &throttled;
+}
+static void fq_flow_add_tail(struct fq_flow_head *head, struct fq_flow *flow)
+{
+        if (head->first)
+                head->last->next = flow;
+        else
+                head->first = flow;
+        head->last = flow;
+        flow->next = NULL;
+}
+static void fq_flow_unset_throttled(struct fq_sched_data *q, struct fq_flow *f)
+{
+        rb_erase(&f->rate_node, &q->delayed);
+        q->throttled_flows--;
+        fq_flow_add_tail(&q->old_flows, f);
+}
 static void fq_flow_set_throttled(struct fq_sched_data *q, struct fq_flow *f)
 {
        struct rb_node **p = &q->delayed.rb_node, *parent = NULL;
@@ -153,15 +175,6 @@ static void fq_flow_set_throttled(struct fq_sched_data *q, struct fq_flow *f)
 static struct kmem_cache *fq_flow_cachep __read_mostly;
-static void fq_flow_add_tail(struct fq_flow_head *head, struct fq_flow *flow)
-{
-        if (head->first)
-                head->last->next = flow;
-        else
-                head->first = flow;
-        head->last = flow;
-        flow->next = NULL;
-}
 /* limit number of collected flows per round */
 #define FQ_GC_MAX 8
@@ -265,6 +278,8 @@ static struct fq_flow *fq_classify(struct sk_buff *skb, struct fq_sched_data *q)
                                     f->socket_hash != sk->sk_hash)) {
                                f->credit = q->initial_quantum;
                                f->socket_hash = sk->sk_hash;
+                                if (fq_flow_is_throttled(f))
+                                        fq_flow_unset_throttled(q, f);
                                f->time_next_packet = 0ULL;
                        }
                        return f;
@@ -419,9 +434,7 @@ static void fq_check_throttled(struct fq_sched_data *q, u64 now)
                        q->time_next_delayed_flow = f->time_next_packet;
                        break;
                }
-                rb_erase(p, &q->delayed);
+                fq_flow_unset_throttled(q, f);
-                q->throttled_flows--;
-                fq_flow_add_tail(&q->old_flows, f);
        }
 }
diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
index 80105109f756..f9e8deeeac96 100644
--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -389,6 +389,9 @@ static inline int gred_change_vq(struct Qdisc *sch, int dp,
        struct gred_sched *table = qdisc_priv(sch);
        struct gred_sched_data *q = table->tab[dp];
+        if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
+                return -EINVAL;
        if (!q) {
                table->tab[dp] = q = *prealloc;
                *prealloc = NULL;
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index 8c0508c0e287..0505b8408c8b 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -199,6 +199,8 @@ static int red_change(struct Qdisc *sch, struct nlattr *opt)
        max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0;
        ctl = nla_data(tb[TCA_RED_PARMS]);
+        if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
+                return -EINVAL;
        if (ctl->limit > 0) {
                child = fifo_create_dflt(sch, &bfifo_qdisc_ops, ctl->limit);
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 3f2c3eed04da..8b8c084b32cd 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -633,6 +633,9 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
        if (ctl->divisor &&
            (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
                return -EINVAL;
+        if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+                                        ctl_v1->Wlog))
+                return -EINVAL;
        if (ctl_v1 && ctl_v1->qth_min) {
                p = kmalloc(sizeof(*p), GFP_KERNEL);
                if (!p)
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 559afd0ee7de..a40b8b0ef0d5 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1000,9 +1000,10 @@ static void sctp_assoc_bh_rcv(struct work_struct *work)
        struct sctp_endpoint *ep;
        struct sctp_chunk *chunk;
        struct sctp_inq *inqueue;
-        int state;
        sctp_subtype_t subtype;
+        int first_time = 1;     /* is this the first time through the loop */
        int error = 0;
+        int state;
        /* The association should be held so we should be safe. */
        ep = asoc->ep;
@@ -1013,6 +1014,30 @@ static void sctp_assoc_bh_rcv(struct work_struct *work)
                state = asoc->state;
                subtype = SCTP_ST_CHUNK(chunk->chunk_hdr->type);
+                /* If the first chunk in the packet is AUTH, do special
+                 * processing specified in Section 6.3 of SCTP-AUTH spec
+                 */
+                if (first_time && subtype.chunk == SCTP_CID_AUTH) {
+                        struct sctp_chunkhdr *next_hdr;
+                        next_hdr = sctp_inq_peek(inqueue);
+                        if (!next_hdr)
+                                goto normal;
+                        /* If the next chunk is COOKIE-ECHO, skip the AUTH
+                         * chunk while saving a pointer to it so we can do
+                         * Authentication later (during cookie-echo
+                         * processing).
+                         */
+                        if (next_hdr->type == SCTP_CID_COOKIE_ECHO) {
+                                chunk->auth_chunk = skb_clone(chunk->skb,
+                                                              GFP_ATOMIC);
+                                chunk->auth = 1;
+                                continue;
+                        }
+                }
+normal:
                /* SCTP-AUTH, Section 6.3:
                 *    The receiver has a list of chunk types which it expects
                 *    to be received only after an AUTH-chunk.  This list has
@@ -1051,6 +1076,9 @@ static void sctp_assoc_bh_rcv(struct work_struct *work)
                /* If there is an error on chunk, discard this packet. */
                if (error && chunk)
                        chunk->pdiscard = 1;
+                if (first_time)
+                        first_time = 0;
        }
        sctp_association_put(asoc);
 }
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 7e8a16c77039..8d9b7ad25b65 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -178,7 +178,7 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
        skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
        chunk->subh.v = NULL; /* Subheader is no longer valid.  */
-        if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
+        if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <=
            skb_tail_pointer(chunk->skb)) {
                /* This is not a singleton */
                chunk->singleton = 0;
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 8a61ccc37e12..5ca8309ea7b1 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -323,8 +323,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
                final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
                bdst = ip6_dst_lookup_flow(sk, fl6, final_p);
-                if (!IS_ERR(bdst) &&
+                if (IS_ERR(bdst))
-                    ipv6_chk_addr(dev_net(bdst->dev),
+                        continue;
+                if (ipv6_chk_addr(dev_net(bdst->dev),
                                  &laddr->a.v6.sin6_addr, bdst->dev, 1)) {
                        if (!IS_ERR_OR_NULL(dst))
                                dst_release(dst);
@@ -333,8 +335,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
                }
                bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
-                if (matchlen > bmatchlen)
+                if (matchlen > bmatchlen) {
+                        dst_release(bdst);
                        continue;
+                }
                if (!IS_ERR_OR_NULL(dst))
                        dst_release(dst);
@@ -515,46 +519,49 @@ static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr,
        addr->v6.sin6_scope_id = 0;
 }
-/* Compare addresses exactly.
+static int __sctp_v6_cmp_addr(const union sctp_addr *addr1,
- * v4-mapped-v6 is also in consideration.
+                              const union sctp_addr *addr2)
- */
-static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
-                            const union sctp_addr *addr2)
 {
        if (addr1->sa.sa_family != addr2->sa.sa_family) {
                if (addr1->sa.sa_family == AF_INET &&
                    addr2->sa.sa_family == AF_INET6 &&
-                    ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) {
+                    ipv6_addr_v4mapped(&addr2->v6.sin6_addr) &&
-                        if (addr2->v6.sin6_port == addr1->v4.sin_port &&
+                    addr2->v6.sin6_addr.s6_addr32[3] ==
-                            addr2->v6.sin6_addr.s6_addr32[3] ==
+                    addr1->v4.sin_addr.s_addr)
-                            addr1->v4.sin_addr.s_addr)
+                        return 1;
-                                return 1;
-                }
                if (addr2->sa.sa_family == AF_INET &&
                    addr1->sa.sa_family == AF_INET6 &&
-                    ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) {
+                    ipv6_addr_v4mapped(&addr1->v6.sin6_addr) &&
-                        if (addr1->v6.sin6_port == addr2->v4.sin_port &&
+                    addr1->v6.sin6_addr.s6_addr32[3] ==
-                            addr1->v6.sin6_addr.s6_addr32[3] ==
+                    addr2->v4.sin_addr.s_addr)
-                            addr2->v4.sin_addr.s_addr)
+                        return 1;
-                                return 1;
-                }
                return 0;
        }
-        if (addr1->v6.sin6_port != addr2->v6.sin6_port)
-                return 0;
        if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr))
                return 0;
        /* If this is a linklocal address, compare the scope_id. */
-        if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
+        if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) &&
-                if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
+            addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
-                    (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) {
+            addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)
-                        return 0;
+                return 0;
-                }
-        }
        return 1;
 }
+/* Compare addresses exactly.
+ * v4-mapped-v6 is also in consideration.
+ */
+static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
+                            const union sctp_addr *addr2)
+{
+        return __sctp_v6_cmp_addr(addr1, addr2) &&
+               addr1->v6.sin6_port == addr2->v6.sin6_port;
+}
 /* Initialize addr struct to INADDR_ANY. */
 static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port)
 {
@@ -719,8 +726,10 @@ static int sctp_v6_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr)
                        sctp_v6_map_v4(addr);
        }
-        if (addr->sa.sa_family == AF_INET)
+        if (addr->sa.sa_family == AF_INET) {
+                memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
                return sizeof(struct sockaddr_in);
+        }
        return sizeof(struct sockaddr_in6);
 }
@@ -837,8 +846,8 @@ static int sctp_inet6_cmp_addr(const union sctp_addr *addr1,
                               const union sctp_addr *addr2,
                               struct sctp_sock *opt)
 {
-        struct sctp_af *af1, *af2;
        struct sock *sk = sctp_opt2sk(opt);
+        struct sctp_af *af1, *af2;
        af1 = sctp_get_af_specific(addr1->sa.sa_family);
        af2 = sctp_get_af_specific(addr2->sa.sa_family);
@@ -854,10 +863,10 @@ static int sctp_inet6_cmp_addr(const union sctp_addr *addr1,
        if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2))
                return 1;
-        if (addr1->sa.sa_family != addr2->sa.sa_family)
+        if (addr1->sa.sa_family == AF_INET && addr2->sa.sa_family == AF_INET)
-                return 0;
+                return addr1->v4.sin_addr.s_addr == addr2->v4.sin_addr.s_addr;
-        return af1->cmp_addr(addr1, addr2);
+        return __sctp_v6_cmp_addr(addr1, addr2);
 }
 /* Verify that the provided sockaddr looks bindable.   Common verification,
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 8b4ff315695e..dc030efa4447 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -508,22 +508,20 @@ static void sctp_v4_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
                if (IS_ERR(rt))
                        continue;
-                if (!dst)
-                        dst = &rt->dst;
                /* Ensure the src address belongs to the output
                 * interface.
                 */
                odev = __ip_dev_find(sock_net(sk), laddr->a.v4.sin_addr.s_addr,
                                     false);
                if (!odev || odev->ifindex != fl4->flowi4_oif) {
-                        if (&rt->dst != dst)
+                        if (!dst)
+                                dst = &rt->dst;
+                        else
                                dst_release(&rt->dst);
                        continue;
                }
-                if (dst != &rt->dst)
+                dst_release(dst);
-                        dst_release(dst);
                dst = &rt->dst;
                break;
        }
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 5d6a03fad378..509e9426a056 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1367,10 +1367,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
        sctp_chunkhdr_t *chunk_hdr;
        struct sk_buff *skb;
        struct sock *sk;
+        int chunklen;
+        chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen);
+        if (chunklen > SCTP_MAX_CHUNK_LEN)
+                goto nodata;
        /* No need to allocate LL here, as this is only a chunk. */
-        skb = alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen),
+        skb = alloc_skb(chunklen, GFP_ATOMIC);
-                        GFP_ATOMIC);
        if (!skb)
                goto nodata;
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 29c7c43de108..df9ac3746c1b 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -144,10 +144,8 @@ static sctp_disposition_t sctp_sf_violation_chunk(
                                     void *arg,
                                     sctp_cmd_seq_t *commands);
-static sctp_ierror_t sctp_sf_authenticate(struct net *net,
+static sctp_ierror_t sctp_sf_authenticate(
-                                    const struct sctp_endpoint *ep,
                                    const struct sctp_association *asoc,
-                                    const sctp_subtype_t type,
                                    struct sctp_chunk *chunk);
 static sctp_disposition_t __sctp_sf_do_9_1_abort(struct net *net,
@@ -615,6 +613,38 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
        return SCTP_DISPOSITION_CONSUME;
 }
+static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
+                                   const struct sctp_association *asoc)
+{
+        struct sctp_chunk auth;
+        if (!chunk->auth_chunk)
+                return true;
+        /* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
+         * is supposed to be authenticated and we have to do delayed
+         * authentication.  We've just recreated the association using
+         * the information in the cookie and now it's much easier to
+         * do the authentication.
+         */
+        /* Make sure that we and the peer are AUTH capable */
+        if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
+                return false;
+        /* set-up our fake chunk so that we can process it */
+        auth.skb = chunk->auth_chunk;
+        auth.asoc = chunk->asoc;
+        auth.sctp_hdr = chunk->sctp_hdr;
+        auth.chunk_hdr = (struct sctp_chunkhdr *)
+                                skb_push(chunk->auth_chunk,
+                                         sizeof(struct sctp_chunkhdr));
+        skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
+        auth.transport = chunk->transport;
+        return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
+}
 /*
 * Respond to a normal COOKIE ECHO chunk.
 * We are the side that is being asked for an association.
@@ -751,36 +781,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
        if (error)
                goto nomem_init;
-        /* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
+        if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
-         * is supposed to be authenticated and we have to do delayed
+                sctp_association_free(new_asoc);
-         * authentication.  We've just recreated the association using
+                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-         * the information in the cookie and now it's much easier to
-         * do the authentication.
-         */
-        if (chunk->auth_chunk) {
-                struct sctp_chunk auth;
-                sctp_ierror_t ret;
-                /* Make sure that we and the peer are AUTH capable */
-                if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
-                        sctp_association_free(new_asoc);
-                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-                }
-                /* set-up our fake chunk so that we can process it */
-                auth.skb = chunk->auth_chunk;
-                auth.asoc = chunk->asoc;
-                auth.sctp_hdr = chunk->sctp_hdr;
-                auth.chunk_hdr = (sctp_chunkhdr_t *)skb_push(chunk->auth_chunk,
-                                            sizeof(sctp_chunkhdr_t));
-                skb_pull(chunk->auth_chunk, sizeof(sctp_chunkhdr_t));
-                auth.transport = chunk->transport;
-                ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth);
-                if (ret != SCTP_IERROR_NO_ERROR) {
-                        sctp_association_free(new_asoc);
-                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-                }
        }
        repl = sctp_make_cookie_ack(new_asoc, chunk);
@@ -1717,13 +1720,15 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net,
                               GFP_ATOMIC))
                goto nomem;
+        if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
+                return SCTP_DISPOSITION_DISCARD;
        /* Make sure no new addresses are being added during the
         * restart.  Though this is a pretty complicated attack
         * since you'd have to get inside the cookie.
         */
-        if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
+        if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
                return SCTP_DISPOSITION_CONSUME;
-        }
        /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
         * the peer has restarted (Action A), it MUST NOT setup a new
@@ -1828,6 +1833,9 @@ static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net,
                               GFP_ATOMIC))
                goto nomem;
+        if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
+                return SCTP_DISPOSITION_DISCARD;
        /* Update the content of current association.  */
        sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
@@ -1920,6 +1928,9 @@ static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net,
         * a COOKIE ACK.
         */
+        if (!sctp_auth_chunk_verify(net, chunk, asoc))
+                return SCTP_DISPOSITION_DISCARD;
        /* Don't accidentally move back into established state. */
        if (asoc->state < SCTP_STATE_ESTABLISHED) {
                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
@@ -1959,7 +1970,7 @@ static sctp_disposition_t sctp_sf_do_dupcook_d(struct net *net,
                }
        }
-        repl = sctp_make_cookie_ack(new_asoc, chunk);
+        repl = sctp_make_cookie_ack(asoc, chunk);
        if (!repl)
                goto nomem;
@@ -3985,10 +3996,8 @@ gen_shutdown:
 *
 * The return value is the disposition of the chunk.
 */
-static sctp_ierror_t sctp_sf_authenticate(struct net *net,
+static sctp_ierror_t sctp_sf_authenticate(
-                                    const struct sctp_endpoint *ep,
                                    const struct sctp_association *asoc,
-                                    const sctp_subtype_t type,
                                    struct sctp_chunk *chunk)
 {
        struct sctp_authhdr *auth_hdr;
@@ -4087,7 +4096,7 @@ sctp_disposition_t sctp_sf_eat_auth(struct net *net,
                                                  commands);
        auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
-        error = sctp_sf_authenticate(net, ep, asoc, type, chunk);
+        error = sctp_sf_authenticate(asoc, chunk);
        switch (error) {
        case SCTP_IERROR_AUTH_BAD_HMAC:
                /* Generate the ERROR chunk and discard the rest
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index a870d27ca778..13c7f42b7040 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -83,7 +83,7 @@
 static int sctp_writeable(struct sock *sk);
 static void sctp_wfree(struct sk_buff *skb);
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
-                                size_t msg_len, struct sock **orig_sk);
+                                size_t msg_len);
 static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
 static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
 static int sctp_wait_for_accept(struct sock *sk, long timeo);
@@ -332,14 +332,15 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt,
        if (len < sizeof (struct sockaddr))
                return NULL;
-        /* V4 mapped address are really of AF_INET family */
+        if (!opt->pf->af_supported(addr->sa.sa_family, opt))
-        if (addr->sa.sa_family == AF_INET6 &&
+                return NULL;
-            ipv6_addr_v4mapped(&addr->v6.sin6_addr)) {
-                if (!opt->pf->af_supported(AF_INET, opt))
+        if (addr->sa.sa_family == AF_INET6) {
+                if (len < SIN6_LEN_RFC2133)
                        return NULL;
-        } else {
+                /* V4 mapped address are really of AF_INET family */
-                /* Does this PF support this AF? */
+                if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
-                if (!opt->pf->af_supported(addr->sa.sa_family, opt))
+                    !opt->pf->af_supported(AF_INET, opt))
                        return NULL;
        }
@@ -1520,7 +1521,7 @@ static void sctp_close(struct sock *sk, long timeout)
        pr_debug("%s: sk:%p, timeout:%ld\n", __func__, sk, timeout);
-        lock_sock(sk);
+        lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
        sk->sk_shutdown = SHUTDOWN_MASK;
        sk->sk_state = SCTP_SS_CLOSING;
@@ -1571,7 +1572,7 @@ static void sctp_close(struct sock *sk, long timeout)
         * held and that should be grabbed before socket lock.
         */
        spin_lock_bh(&net->sctp.addr_wq_lock);
-        bh_lock_sock(sk);
+        bh_lock_sock_nested(sk);
        /* Hold the sock, since sk_common_release() will put sock_put()
         * and we have just a little more cleanup.
@@ -1954,7 +1955,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
        timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
        if (!sctp_wspace(asoc)) {
                /* sk can be changed by peel off when waiting for buf. */
-                err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
+                err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
                if (err) {
                        if (err == -ESRCH) {
                                /* asoc is already dead. */
@@ -4447,7 +4448,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
        len = sizeof(int);
        if (put_user(len, optlen))
                return -EFAULT;
-        if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int)))
+        if (copy_to_user(optval, &sctp_sk(sk)->autoclose, len))
                return -EFAULT;
        return 0;
 }
@@ -5024,6 +5025,9 @@ copy_getaddrs:
                err = -EFAULT;
                goto out;
        }
+        /* XXX: We should have accounted for sizeof(struct sctp_getaddrs) too,
+         * but we can't change it anymore.
+         */
        if (put_user(bytes_copied, optlen))
                err = -EFAULT;
 out:
@@ -5460,7 +5464,7 @@ static int sctp_getsockopt_maxseg(struct sock *sk, int len,
                params.assoc_id = 0;
        } else if (len >= sizeof(struct sctp_assoc_value)) {
                len = sizeof(struct sctp_assoc_value);
-                if (copy_from_user(&params, optval, sizeof(params)))
+                if (copy_from_user(&params, optval, len))
                        return -EFAULT;
        } else
                return -EINVAL;
@@ -5629,7 +5633,9 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
        if (len < sizeof(struct sctp_authkeyid))
                return -EINVAL;
-        if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
+        len = sizeof(struct sctp_authkeyid);
+        if (copy_from_user(&val, optval, len))
                return -EFAULT;
        asoc = sctp_id2assoc(sk, val.scact_assoc_id);
@@ -5641,7 +5647,6 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
        else
                val.scact_keynumber = ep->active_key_id;
-        len = sizeof(struct sctp_authkeyid);
        if (put_user(len, optlen))
                return -EFAULT;
        if (copy_to_user(optval, &val, len))
@@ -5667,7 +5672,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
        if (len < sizeof(struct sctp_authchunks))
                return -EINVAL;
-        if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+        if (copy_from_user(&val, optval, sizeof(val)))
                return -EFAULT;
        to = p->gauth_chunks;
@@ -5712,7 +5717,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
        if (len < sizeof(struct sctp_authchunks))
                return -EINVAL;
-        if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+        if (copy_from_user(&val, optval, sizeof(val)))
                return -EFAULT;
        to = p->gauth_chunks;
@@ -6976,12 +6981,12 @@ void sctp_sock_rfree(struct sk_buff *skb)
 /* Helper function to wait for space in the sndbuf.  */
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
-                                size_t msg_len, struct sock **orig_sk)
+                                size_t msg_len)
 {
        struct sock *sk = asoc->base.sk;
-        int err = 0;
        long current_timeo = *timeo_p;
        DEFINE_WAIT(wait);
+        int err = 0;
        pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc,
                 *timeo_p, msg_len);
@@ -7010,17 +7015,13 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
                release_sock(sk);
                current_timeo = schedule_timeout(current_timeo);
                lock_sock(sk);
-                if (sk != asoc->base.sk) {
+                if (sk != asoc->base.sk)
-                        release_sock(sk);
+                        goto do_error;
-                        sk = asoc->base.sk;
-                        lock_sock(sk);
-                }
                *timeo_p = current_timeo;
        }
 out:
-        *orig_sk = sk;
        finish_wait(&asoc->wait, &wait);
        /* Release the association's refcnt.  */
diff --git a/net/socket.c b/net/socket.c
index 2cf4f25f5c2b..0c544ae48eac 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -89,6 +89,7 @@
 #include <linux/magic.h>
 #include <linux/slab.h>
 #include <linux/xattr.h>
+#include <linux/nospec.h>
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
@@ -2324,6 +2325,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
        if (call < 1 || call > SYS_SENDMMSG)
                return -EINVAL;
+        call = array_index_nospec(call, SYS_SENDMMSG + 1);
        len = nargs[call];
        if (len > sizeof(a))
@@ -2534,6 +2536,15 @@ out_fs:
 core_initcall(sock_init);       /* early initcall */
+static int __init jit_init(void)
+{
+#ifdef CONFIG_BPF_JIT_ALWAYS_ON
+        bpf_jit_enable = 1;
+#endif
+        return 0;
+}
+pure_initcall(jit_init);
 #ifdef CONFIG_PROC_FS
 void socket_seq_show(struct seq_file *seq)
 {
diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
index d81186d34558..9103dd15511c 100644
--- a/net/sunrpc/rpc_pipe.c
+++ b/net/sunrpc/rpc_pipe.c
@@ -1375,6 +1375,7 @@ rpc_gssd_dummy_depopulate(struct dentry *pipe_dentry)
        struct dentry *clnt_dir = pipe_dentry->d_parent;
        struct dentry *gssd_dir = clnt_dir->d_parent;
+        dget(pipe_dentry);
        __rpc_rmpipe(d_inode(clnt_dir), pipe_dentry);
        __rpc_depopulate(clnt_dir, gssd_dummy_info_file, 0, 1);
        __rpc_depopulate(gssd_dir, gssd_dummy_clnt_dir, 0, 1);
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 27b6f55fa43a..c9c0976d3bbb 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -2360,9 +2360,15 @@ static void xs_tcp_setup_socket(struct work_struct *work)
        case -ECONNREFUSED:
        case -ECONNRESET:
        case -ENETUNREACH:
+        case -EHOSTUNREACH:
        case -EADDRINUSE:
        case -ENOBUFS:
-                /* retry with existing socket, after a delay */
+                /*
+                 * xs_tcp_force_close() wakes tasks with -EIO.
+                 * We need to wake them first to ensure the
+                 * correct error code.
+                 */
+                xprt_wake_pending_tasks(xprt, status);
                xs_tcp_force_close(xprt);
                goto out;
        }
diff --git a/net/tipc/net.c b/net/tipc/net.c
index 77bf9113c7a7..2763bd369b79 100644
--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -44,7 +44,8 @@
 static const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
        [TIPC_NLA_NET_UNSPEC]   = { .type = NLA_UNSPEC },
-        [TIPC_NLA_NET_ID]       = { .type = NLA_U32 }
+        [TIPC_NLA_NET_ID]       = { .type = NLA_U32 },
+        [TIPC_NLA_NET_ADDR]     = { .type = NLA_U32 },
 };
 /*
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 8f0bac7e03c4..a1e909ae0f78 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -94,6 +94,9 @@ static int cfg80211_dev_check_name(struct cfg80211_registered_device *rdev,
        ASSERT_RTNL();
+        if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN)
+                return -EINVAL;
        /* prohibit calling the thing phy%d when %d is not its number */
        sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken);
        if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {
@@ -390,6 +393,8 @@ struct wiphy *wiphy_new_nm(const struct cfg80211_ops *ops, int sizeof_priv,
                if (rv)
                        goto use_default_name;
        } else {
+                int rv;
 use_default_name:
                /* NOTE:  This is *probably* safe w/out holding rtnl because of
                 * the restrictions on phy names.  Probably this call could
@@ -397,7 +402,11 @@ use_default_name:
                 * phyX.  But, might should add some locking and check return
                 * value, and use a different name if this one exists?
                 */
-                dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
+                rv = dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
+                if (rv < 0) {
+                        kfree(rdev);
+                        return NULL;
+                }
        }
        INIT_LIST_HEAD(&rdev->wdev_list);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 7950506395a8..b0b58d1565c2 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -16,6 +16,7 @@
 #include <linux/nl80211.h>
 #include <linux/rtnetlink.h>
 #include <linux/netlink.h>
+#include <linux/nospec.h>
 #include <linux/etherdevice.h>
 #include <net/net_namespace.h>
 #include <net/genetlink.h>
@@ -1879,20 +1880,22 @@ static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
 static int parse_txq_params(struct nlattr *tb[],
                            struct ieee80211_txq_params *txq_params)
 {
+        u8 ac;
        if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
            !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
            !tb[NL80211_TXQ_ATTR_AIFS])
                return -EINVAL;
-        txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
+        ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
        txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
        txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
        txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
        txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
-        if (txq_params->ac >= NL80211_NUM_ACS)
+        if (ac >= NL80211_NUM_ACS)
                return -EINVAL;
+        txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
        return 0;
 }
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index a750f330b8dd..c6ab4da4b8e2 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1794,32 +1794,40 @@ void x25_kill_by_neigh(struct x25_neigh *nb)
 static int __init x25_init(void)
 {
-        int rc = proto_register(&x25_proto, 0);
+        int rc;
-        if (rc != 0)
+        rc = proto_register(&x25_proto, 0);
+        if (rc)
                goto out;
        rc = sock_register(&x25_family_ops);
-        if (rc != 0)
+        if (rc)
                goto out_proto;
        dev_add_pack(&x25_packet_type);
        rc = register_netdevice_notifier(&x25_dev_notifier);
-        if (rc != 0)
+        if (rc)
                goto out_sock;
-        pr_info("Linux Version 0.2\n");
+        rc = x25_register_sysctl();
+        if (rc)
+                goto out_dev;
-        x25_register_sysctl();
        rc = x25_proc_init();
-        if (rc != 0)
+        if (rc)
-                goto out_dev;
+                goto out_sysctl;
+        pr_info("Linux Version 0.2\n");
 out:
        return rc;
+out_sysctl:
+        x25_unregister_sysctl();
 out_dev:
        unregister_netdevice_notifier(&x25_dev_notifier);
 out_sock:
+        dev_remove_pack(&x25_packet_type);
        sock_unregister(AF_X25);
 out_proto:
        proto_unregister(&x25_proto);
diff --git a/net/x25/sysctl_net_x25.c b/net/x25/sysctl_net_x25.c
index 43239527a205..703d46aae7a2 100644
--- a/net/x25/sysctl_net_x25.c
+++ b/net/x25/sysctl_net_x25.c
@@ -73,9 +73,12 @@ static struct ctl_table x25_table[] = {
        { 0, },
 };
-void __init x25_register_sysctl(void)
+int __init x25_register_sysctl(void)
 {
        x25_table_header = register_net_sysctl(&init_net, "net/x25", x25_table);
+        if (!x25_table_header)
+                return -ENOMEM;
+        return 0;
 }
 void x25_unregister_sysctl(void)
diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index ccfdc7115a83..a00ec715aa46 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -283,7 +283,7 @@ static struct crypto_comp * __percpu *ipcomp_alloc_tfms(const char *alg_name)
                struct crypto_comp *tfm;
                /* This can be any valid CPU ID so we don't need locking. */
-                tfm = __this_cpu_read(*pos->tfms);
+                tfm = this_cpu_read(*pos->tfms);
                if (!strcmp(crypto_comp_name(tfm), alg_name)) {
                        pos->users++;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 22df3b51e905..f9a13b67df5e 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -626,6 +626,11 @@ static void xfrm_hash_rebuild(struct work_struct *work)
        /* re-insert all policies by order of creation */
        list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
+                if (policy->walk.dead ||
+                    xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
+                        /* skip socket policies */
+                        continue;
+                }
                newpos = NULL;
                chain = policy_hash_bysel(net, &policy->selector,
                                          policy->family,
@@ -1225,9 +1230,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
        read_lock_bh(&net->xfrm.xfrm_policy_lock);
        pol = rcu_dereference(sk->sk_policy[dir]);
        if (pol != NULL) {
-                bool match = xfrm_selector_match(&pol->selector, fl, family);
+                bool match;
                int err = 0;
+                if (pol->family != family) {
+                        pol = NULL;
+                        goto out;
+                }
+                match = xfrm_selector_match(&pol->selector, fl, family);
                if (match) {
                        if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
                                pol = NULL;
@@ -1307,7 +1318,7 @@ EXPORT_SYMBOL(xfrm_policy_delete);
 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
 {
-        struct net *net = xp_net(pol);
+        struct net *net = sock_net(sk);
        struct xfrm_policy *old_pol;
 #ifdef CONFIG_XFRM_SUB_POLICY
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 9895a8c56d8c..d6a11af0bab1 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1159,6 +1159,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig)
        if (orig->aead) {
                x->aead = xfrm_algo_aead_clone(orig->aead);
+                x->geniv = orig->geniv;
                if (!x->aead)
                        goto error;
        }
@@ -1208,6 +1209,8 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig)
        x->curlft.add_time = orig->curlft.add_time;
        x->km.state = orig->km.state;
        x->km.seq = orig->km.seq;
+        x->replay = orig->replay;
+        x->preplay = orig->preplay;
        return x;
@@ -1845,6 +1848,18 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
        struct xfrm_mgr *km;
        struct xfrm_policy *pol = NULL;
+#ifdef CONFIG_COMPAT
+        if (is_compat_task())
+                return -EOPNOTSUPP;
+#endif
+        if (!optval && !optlen) {
+                xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL);
+                xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL);
+                __sk_dst_reset(sk);
+                return 0;
+        }
        if (optlen <= 0 || optlen > PAGE_SIZE)
                return -EMSGSIZE;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 76944a4839a5..90270d7110a3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -121,22 +121,17 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
        struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
        struct xfrm_replay_state_esn *rs;
-        if (p->flags & XFRM_STATE_ESN) {
+        if (!rt)
-                if (!rt)
+                return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
-                        return -EINVAL;
-                rs = nla_data(rt);
-                if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
+        rs = nla_data(rt);
-                        return -EINVAL;
-                if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
+        if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
-                    nla_len(rt) != sizeof(*rs))
+                return -EINVAL;
-                        return -EINVAL;
-        }
-        if (!rt)
+        if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
-                return 0;
+            nla_len(rt) != sizeof(*rs))
+                return -EINVAL;
        /* As only ESP and AH support ESN feature. */
        if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
@@ -1376,11 +1371,14 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
 {
+        u16 prev_family;
        int i;
        if (nr > XFRM_MAX_DEPTH)
                return -EINVAL;
+        prev_family = family;
        for (i = 0; i < nr; i++) {
                /* We never validated the ut->family value, so many
                 * applications simply leave it at zero.  The check was
@@ -1392,6 +1390,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
                if (!ut[i].family)
                        ut[i].family = family;
+                if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&
+                    (ut[i].family != prev_family))
+                        return -EINVAL;
+                prev_family = ut[i].family;
                switch (ut[i].family) {
                case AF_INET:
                        break;
@@ -1402,6 +1406,21 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
                default:
                        return -EINVAL;
                }
+                switch (ut[i].id.proto) {
+                case IPPROTO_AH:
+                case IPPROTO_ESP:
+                case IPPROTO_COMP:
+#if IS_ENABLED(CONFIG_IPV6)
+                case IPPROTO_ROUTING:
+                case IPPROTO_DSTOPTS:
+#endif
+                case IPSEC_PROTO_ANY:
+                        break;
+                default:
+                        return -EINVAL;
+                }
        }
        return 0;
@@ -2461,7 +2480,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 #ifdef CONFIG_COMPAT
        if (is_compat_task())
-                return -ENOTSUPP;
+                return -EOPNOTSUPP;
 #endif
        type = nlh->nlmsg_type;
diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include
index 1db6d73c8dd2..31a981d6229d 100644
--- a/scripts/Kbuild.include
+++ b/scripts/Kbuild.include
@@ -7,6 +7,7 @@ quote   := "
 squote  := '
 empty   :=
 space   := $(empty) $(empty)
+pound   := \#
 ###
 # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o
@@ -236,11 +237,11 @@ endif
 # Replace >$< with >$$< to preserve $ when reloading the .cmd file
 # (needed for make)
-# Replace >#< with >\#< to avoid starting a comment in the .cmd file
+# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file
 # (needed for make)
 # Replace >'< with >'\''< to be able to enclose the whole string in '...'
 # (needed for the shell)
-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1)))))
+make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1)))))
 # Find any prerequisites that is newer than target or that does not exist.
 # PHONY targets skipped in both cases.
diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
index 37323b0df374..2624d4bf9a45 100644
--- a/scripts/Makefile.kasan
+++ b/scripts/Makefile.kasan
@@ -28,4 +28,7 @@ else
        CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)
    endif
 endif
+CFLAGS_KASAN_NOSANITIZE := -fno-builtin
 endif
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 79e86613712f..a2d0e6d32659 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -126,7 +126,7 @@ endif
 ifeq ($(CONFIG_KASAN),y)
 _c_flags += $(if $(patsubst n%,, \
                $(KASAN_SANITIZE_$(basetarget).o)$(KASAN_SANITIZE)y), \
-                $(CFLAGS_KASAN))
+                $(CFLAGS_KASAN), $(CFLAGS_KASAN_NOSANITIZE))
 endif
 # If building the kernel in a separate objtree expand all occurrences
@@ -270,11 +270,11 @@ cmd_dt_S_dtb=						\
        echo '\#include <asm-generic/vmlinux.lds.h>';   \
        echo '.section .dtb.init.rodata,"a"';           \
        echo '.balign STRUCT_ALIGNMENT';                \
-        echo '.global __dtb_$(*F)_begin';               \
+        echo '.global __dtb_$(subst -,_,$(*F))_begin';  \
-        echo '__dtb_$(*F)_begin:';                      \
+        echo '__dtb_$(subst -,_,$(*F))_begin:';         \
        echo '.incbin "$<" ';                           \
-        echo '__dtb_$(*F)_end:';                        \
+        echo '__dtb_$(subst -,_,$(*F))_end:';           \
-        echo '.global __dtb_$(*F)_end';                 \
+        echo '.global __dtb_$(subst -,_,$(*F))_end';    \
        echo '.balign STRUCT_ALIGNMENT';                \
 ) > $@
diff --git a/scripts/depmod.sh b/scripts/depmod.sh
index 122599b1c13b..ea1e96921e3b 100755
--- a/scripts/depmod.sh
+++ b/scripts/depmod.sh
@@ -10,10 +10,16 @@ DEPMOD=$1
 KERNELRELEASE=$2
 SYMBOL_PREFIX=$3
-if ! test -r System.map -a -x "$DEPMOD"; then
+if ! test -r System.map ; then
        exit 0
 fi
+if [ -z $(command -v $DEPMOD) ]; then
+        echo "'make modules_install' requires $DEPMOD. Please install it." >&2
+        echo "This is probably in the kmod package." >&2
+        exit 1
+fi
 # older versions of depmod don't support -P <symbol-prefix>
 # support was added in module-init-tools 3.13
 if test -n "$SYMBOL_PREFIX"; then
diff --git a/scripts/genksyms/parse.tab.c_shipped b/scripts/genksyms/parse.tab.c_shipped
index 99950b5afb0d..632f6d66982d 100644
--- a/scripts/genksyms/parse.tab.c_shipped
+++ b/scripts/genksyms/parse.tab.c_shipped
@@ -1,19 +1,19 @@
-/* A Bison parser, made by GNU Bison 2.7.  */
+/* A Bison parser, made by GNU Bison 3.0.4.  */
 /* Bison implementation for Yacc-like parsers in C
-   
-      Copyright (C) 1984, 1989-1990, 2000-2012 Free Software Foundation, Inc.
+   Copyright (C) 1984, 1989-1990, 2000-2015 Free Software Foundation, Inc.
-   
   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.
-   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
-   
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
@@ -26,7 +26,7 @@
   special exception, which will cause the skeleton and the resulting
   Bison output files to be licensed under the GNU General Public
   License without this special exception.
-   
   This special exception was added by the Free Software Foundation in
   version 2.2 of Bison.  */
@@ -44,7 +44,7 @@
 #define YYBISON 1
 /* Bison version.  */
-#define YYBISON_VERSION "2.7"
+#define YYBISON_VERSION "3.0.4"
 /* Skeleton name.  */
 #define YYSKELETON_NAME "yacc.c"
@@ -62,7 +62,7 @@
 /* Copy the first part of user declarations.  */
+#line 24 "parse.y" /* yacc.c:339  */
 #include <assert.h>
@@ -113,13 +113,13 @@ static void record_compound(struct string_list **keyw,
 }
+#line 117 "parse.tab.c" /* yacc.c:339  */
+# ifndef YY_NULLPTR
-# ifndef YY_NULL
 #  if defined __cplusplus && 201103L <= __cplusplus
-#   define YY_NULL nullptr
+#   define YY_NULLPTR nullptr
 #  else
-#   define YY_NULL 0
+#   define YY_NULLPTR 0
 #  endif
 # endif
@@ -131,8 +131,11 @@ static void record_compound(struct string_list **keyw,
 # define YYERROR_VERBOSE 0
 #endif
+/* In a future release of Bison, this section will be replaced
-/* Enabling traces.  */
+   by #include "parse.tab.h".  */
+#ifndef YY_YY_PARSE_TAB_H_INCLUDED
+# define YY_YY_PARSE_TAB_H_INCLUDED
+/* Debug traces.  */
 #ifndef YYDEBUG
 # define YYDEBUG 1
 #endif
@@ -140,86 +143,73 @@ static void record_compound(struct string_list **keyw,
 extern int yydebug;
 #endif
-/* Tokens.  */
+/* Token type.  */
 #ifndef YYTOKENTYPE
 # define YYTOKENTYPE
-   /* Put the tokens into the symbol table, so that GDB and other debuggers
+  enum yytokentype
-      know about them.  */
+  {
-   enum yytokentype {
+    ASM_KEYW = 258,
-     ASM_KEYW = 258,
+    ATTRIBUTE_KEYW = 259,
-     ATTRIBUTE_KEYW = 259,
+    AUTO_KEYW = 260,
-     AUTO_KEYW = 260,
+    BOOL_KEYW = 261,
-     BOOL_KEYW = 261,
+    CHAR_KEYW = 262,
-     CHAR_KEYW = 262,
+    CONST_KEYW = 263,
-     CONST_KEYW = 263,
+    DOUBLE_KEYW = 264,
-     DOUBLE_KEYW = 264,
+    ENUM_KEYW = 265,
-     ENUM_KEYW = 265,
+    EXTERN_KEYW = 266,
-     EXTERN_KEYW = 266,
+    EXTENSION_KEYW = 267,
-     EXTENSION_KEYW = 267,
+    FLOAT_KEYW = 268,
-     FLOAT_KEYW = 268,
+    INLINE_KEYW = 269,
-     INLINE_KEYW = 269,
+    INT_KEYW = 270,
-     INT_KEYW = 270,
+    LONG_KEYW = 271,
-     LONG_KEYW = 271,
+    REGISTER_KEYW = 272,
-     REGISTER_KEYW = 272,
+    RESTRICT_KEYW = 273,
-     RESTRICT_KEYW = 273,
+    SHORT_KEYW = 274,
-     SHORT_KEYW = 274,
+    SIGNED_KEYW = 275,
-     SIGNED_KEYW = 275,
+    STATIC_KEYW = 276,
-     STATIC_KEYW = 276,
+    STRUCT_KEYW = 277,
-     STRUCT_KEYW = 277,
+    TYPEDEF_KEYW = 278,
-     TYPEDEF_KEYW = 278,
+    UNION_KEYW = 279,
-     UNION_KEYW = 279,
+    UNSIGNED_KEYW = 280,
-     UNSIGNED_KEYW = 280,
+    VOID_KEYW = 281,
-     VOID_KEYW = 281,
+    VOLATILE_KEYW = 282,
-     VOLATILE_KEYW = 282,
+    TYPEOF_KEYW = 283,
-     TYPEOF_KEYW = 283,
+    EXPORT_SYMBOL_KEYW = 284,
-     EXPORT_SYMBOL_KEYW = 284,
+    ASM_PHRASE = 285,
-     ASM_PHRASE = 285,
+    ATTRIBUTE_PHRASE = 286,
-     ATTRIBUTE_PHRASE = 286,
+    TYPEOF_PHRASE = 287,
-     TYPEOF_PHRASE = 287,
+    BRACE_PHRASE = 288,
-     BRACE_PHRASE = 288,
+    BRACKET_PHRASE = 289,
-     BRACKET_PHRASE = 289,
+    EXPRESSION_PHRASE = 290,
-     EXPRESSION_PHRASE = 290,
+    CHAR = 291,
-     CHAR = 291,
+    DOTS = 292,
-     DOTS = 292,
+    IDENT = 293,
-     IDENT = 293,
+    INT = 294,
-     INT = 294,
+    REAL = 295,
-     REAL = 295,
+    STRING = 296,
-     STRING = 296,
+    TYPE = 297,
-     TYPE = 297,
+    OTHER = 298,
-     OTHER = 298,
+    FILENAME = 299
-     FILENAME = 299
+  };
-   };
 #endif
+/* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef int YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
-# define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
 #endif
 extern YYSTYPE yylval;
-#ifdef YYPARSE_PARAM
-#if defined __STDC__ || defined __cplusplus
-int yyparse (void *YYPARSE_PARAM);
-#else
-int yyparse ();
-#endif
-#else /* ! YYPARSE_PARAM */
-#if defined __STDC__ || defined __cplusplus
 int yyparse (void);
-#else
-int yyparse ();
-#endif
-#endif /* ! YYPARSE_PARAM */
+#endif /* !YY_YY_PARSE_TAB_H_INCLUDED  */
 /* Copy the second part of user declarations.  */
+#line 213 "parse.tab.c" /* yacc.c:358  */
 #ifdef short
 # undef short
@@ -233,11 +223,8 @@ typedef unsigned char yytype_uint8;
 #ifdef YYTYPE_INT8
 typedef YYTYPE_INT8 yytype_int8;
-#elif (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
-typedef signed char yytype_int8;
 #else
-typedef short int yytype_int8;
+typedef signed char yytype_int8;
 #endif
 #ifdef YYTYPE_UINT16
@@ -257,8 +244,7 @@ typedef short int yytype_int16;
 #  define YYSIZE_T __SIZE_TYPE__
 # elif defined size_t
 #  define YYSIZE_T size_t
-# elif ! defined YYSIZE_T && (defined __STDC__ || defined __C99__FUNC__ \
+# elif ! defined YYSIZE_T
-     || defined __cplusplus || defined _MSC_VER)
 #  include <stddef.h> /* INFRINGES ON USER NAME SPACE */
 #  define YYSIZE_T size_t
 # else
@@ -280,6 +266,33 @@ typedef short int yytype_int16;
 # endif
 #endif
+#ifndef YY_ATTRIBUTE
+# if (defined __GNUC__                                               \
+      && (2 < __GNUC__ || (__GNUC__ == 2 && 96 <= __GNUC_MINOR__)))  \
+     || defined __SUNPRO_C && 0x5110 <= __SUNPRO_C
+#  define YY_ATTRIBUTE(Spec) __attribute__(Spec)
+# else
+#  define YY_ATTRIBUTE(Spec) /* empty */
+# endif
+#endif
+#ifndef YY_ATTRIBUTE_PURE
+# define YY_ATTRIBUTE_PURE   YY_ATTRIBUTE ((__pure__))
+#endif
+#ifndef YY_ATTRIBUTE_UNUSED
+# define YY_ATTRIBUTE_UNUSED YY_ATTRIBUTE ((__unused__))
+#endif
+#if !defined _Noreturn \
+     && (!defined __STDC_VERSION__ || __STDC_VERSION__ < 201112)
+# if defined _MSC_VER && 1200 <= _MSC_VER
+#  define _Noreturn __declspec (noreturn)
+# else
+#  define _Noreturn YY_ATTRIBUTE ((__noreturn__))
+# endif
+#endif
 /* Suppress unused-variable warnings by "using" E.  */
 #if ! defined lint || defined __GNUC__
 # define YYUSE(E) ((void) (E))
@@ -287,24 +300,26 @@ typedef short int yytype_int16;
 # define YYUSE(E) /* empty */
 #endif
-/* Identity function, used to suppress warnings about constant conditions.  */
+#if defined __GNUC__ && 407 <= __GNUC__ * 100 + __GNUC_MINOR__
-#ifndef lint
+/* Suppress an incorrect diagnostic about yylval being uninitialized.  */
-# define YYID(N) (N)
+# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN \
-#else
+    _Pragma ("GCC diagnostic push") \
-#if (defined __STDC__ || defined __C99__FUNC__ \
+    _Pragma ("GCC diagnostic ignored \"-Wuninitialized\"")\
-     || defined __cplusplus || defined _MSC_VER)
+    _Pragma ("GCC diagnostic ignored \"-Wmaybe-uninitialized\"")
-static int
+# define YY_IGNORE_MAYBE_UNINITIALIZED_END \
-YYID (int yyi)
+    _Pragma ("GCC diagnostic pop")
 #else
-static int
+# define YY_INITIAL_VALUE(Value) Value
-YYID (yyi)
-    int yyi;
 #endif
-{
+#ifndef YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-  return yyi;
+# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-}
+# define YY_IGNORE_MAYBE_UNINITIALIZED_END
+#endif
+#ifndef YY_INITIAL_VALUE
+# define YY_INITIAL_VALUE(Value) /* Nothing. */
 #endif
 #if ! defined yyoverflow || YYERROR_VERBOSE
 /* The parser invokes alloca or malloc; define the necessary symbols.  */
@@ -322,8 +337,7 @@ YYID (yyi)
 #    define alloca _alloca
 #   else
 #    define YYSTACK_ALLOC alloca
-#    if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
+#    if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS
-     || defined __cplusplus || defined _MSC_VER)
 #     include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
      /* Use EXIT_SUCCESS as a witness for stdlib.h.  */
 #     ifndef EXIT_SUCCESS
@@ -335,8 +349,8 @@ YYID (yyi)
 # endif
 # ifdef YYSTACK_ALLOC
-   /* Pacify GCC's `empty if-body' warning.  */
+   /* Pacify GCC's 'empty if-body' warning.  */
-#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (YYID (0))
+#  define YYSTACK_FREE(Ptr) do { /* empty */; } while (0)
 #  ifndef YYSTACK_ALLOC_MAXIMUM
    /* The OS might guarantee only one guard page at the bottom of the stack,
       and a page size can be as small as 4096 bytes.  So we cannot safely
@@ -352,7 +366,7 @@ YYID (yyi)
 #  endif
 #  if (defined __cplusplus && ! defined EXIT_SUCCESS \
       && ! ((defined YYMALLOC || defined malloc) \
-             && (defined YYFREE || defined free)))
+             && (defined YYFREE || defined free)))
 #   include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
 #   ifndef EXIT_SUCCESS
 #    define EXIT_SUCCESS 0
@@ -360,15 +374,13 @@ YYID (yyi)
 #  endif
 #  ifndef YYMALLOC
 #   define YYMALLOC malloc
-#   if ! defined malloc && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
+#   if ! defined malloc && ! defined EXIT_SUCCESS
-     || defined __cplusplus || defined _MSC_VER)
 void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
 #   endif
 #  endif
 #  ifndef YYFREE
 #   define YYFREE free
-#   if ! defined free && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
+#   if ! defined free && ! defined EXIT_SUCCESS
-     || defined __cplusplus || defined _MSC_VER)
 void free (void *); /* INFRINGES ON USER NAME SPACE */
 #   endif
 #  endif
@@ -378,7 +390,7 @@ void free (void *); /* INFRINGES ON USER NAME SPACE */
 #if (! defined yyoverflow \
     && (! defined __cplusplus \
-         || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
+         || (defined YYSTYPE_IS_TRIVIAL && YYSTYPE_IS_TRIVIAL)))
 /* A type that is properly aligned for any stack member.  */
 union yyalloc
@@ -403,16 +415,16 @@ union yyalloc
   elements in the stack, and YYPTR gives the new location of the
   stack.  Advance YYPTR to a properly aligned location for the next
   stack.  */
-# define YYSTACK_RELOCATE(Stack_alloc, Stack)                           \
+# define YYSTACK_RELOCATE(Stack_alloc, Stack)                           \
-    do                                                                  \
+    do                                                                  \
-      {                                                                 \
+      {                                                                 \
-        YYSIZE_T yynewbytes;                                            \
+        YYSIZE_T yynewbytes;                                            \
-        YYCOPY (&yyptr->Stack_alloc, Stack, yysize);                    \
+        YYCOPY (&yyptr->Stack_alloc, Stack, yysize);                    \
-        Stack = &yyptr->Stack_alloc;                                    \
+        Stack = &yyptr->Stack_alloc;                                    \
-        yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
+        yynewbytes = yystacksize * sizeof (*Stack) + YYSTACK_GAP_MAXIMUM; \
-        yyptr += yynewbytes / sizeof (*yyptr);                          \
+        yyptr += yynewbytes / sizeof (*yyptr);                          \
-      }                                                                 \
+      }                                                                 \
-    while (YYID (0))
+    while (0)
 #endif
@@ -431,7 +443,7 @@ union yyalloc
          for (yyi = 0; yyi < (Count); yyi++)   \
            (Dst)[yyi] = (Src)[yyi];            \
        }                                       \
-      while (YYID (0))
+      while (0)
 #  endif
 # endif
 #endif /* !YYCOPY_NEEDED */
@@ -439,25 +451,27 @@ union yyalloc
 /* YYFINAL -- State number of the termination state.  */
 #define YYFINAL  4
 /* YYLAST -- Last index in YYTABLE.  */
-#define YYLAST   515
+#define YYLAST   513
 /* YYNTOKENS -- Number of terminals.  */
 #define YYNTOKENS  54
 /* YYNNTS -- Number of nonterminals.  */
 #define YYNNTS  49
 /* YYNRULES -- Number of rules.  */
-#define YYNRULES  133
+#define YYNRULES  132
-/* YYNRULES -- Number of states.  */
+/* YYNSTATES -- Number of states.  */
-#define YYNSTATES  188
+#define YYNSTATES  186
-/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
+/* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned
+   by yylex, with out-of-bounds checking.  */
 #define YYUNDEFTOK  2
 #define YYMAXUTOK   299
-#define YYTRANSLATE(YYX)                                                \
+#define YYTRANSLATE(YYX)                                                \
  ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
-/* YYTRANSLATE[YYLEX] -- Bison symbol number corresponding to YYLEX.  */
+/* YYTRANSLATE[TOKEN-NUM] -- Symbol number corresponding to TOKEN-NUM
+   as returned by yylex, without out-of-bounds checking.  */
 static const yytype_uint8 yytranslate[] =
 {
       0,     2,     2,     2,     2,     2,     2,     2,     2,     2,
@@ -493,69 +507,7 @@ static const yytype_uint8 yytranslate[] =
 };
 #if YYDEBUG
-/* YYPRHS[YYN] -- Index of the first RHS symbol of rule number YYN in
+  /* YYRLINE[YYN] -- Source line where rule number YYN was defined.  */
-   YYRHS.  */
-static const yytype_uint16 yyprhs[] =
-{
-       0,     0,     3,     5,     8,     9,    12,    13,    18,    19,
-      23,    25,    27,    29,    31,    34,    37,    41,    42,    44,
-      46,    50,    55,    56,    58,    60,    63,    65,    67,    69,
-      71,    73,    75,    77,    79,    81,    86,    88,    91,    94,
-      97,   101,   105,   109,   112,   115,   118,   120,   122,   124,
-     126,   128,   130,   132,   134,   136,   138,   140,   143,   144,
-     146,   148,   151,   153,   155,   157,   159,   162,   164,   166,
-     168,   173,   178,   181,   185,   189,   192,   194,   196,   198,
-     203,   208,   211,   215,   219,   222,   224,   228,   229,   231,
-     233,   237,   240,   243,   245,   246,   248,   250,   255,   260,
-     263,   267,   271,   275,   276,   278,   281,   285,   289,   290,
-     292,   294,   297,   301,   304,   305,   307,   309,   313,   316,
-     319,   321,   324,   325,   328,   332,   337,   339,   343,   345,
-     349,   352,   353,   355
-};
-/* YYRHS -- A `-1'-separated list of the rules' RHS.  */
-static const yytype_int8 yyrhs[] =
-{
-      55,     0,    -1,    56,    -1,    55,    56,    -1,    -1,    57,
-      58,    -1,    -1,    12,    23,    59,    61,    -1,    -1,    23,
-      60,    61,    -1,    61,    -1,    85,    -1,   100,    -1,   102,
-      -1,     1,    45,    -1,     1,    46,    -1,    65,    62,    45,
-      -1,    -1,    63,    -1,    64,    -1,    63,    47,    64,    -1,
-      75,   101,    96,    86,    -1,    -1,    66,    -1,    67,    -1,
-      66,    67,    -1,    68,    -1,    69,    -1,     5,    -1,    17,
-      -1,    21,    -1,    11,    -1,    14,    -1,    70,    -1,    74,
-      -1,    28,    48,    82,    49,    -1,    32,    -1,    22,    38,
-      -1,    24,    38,    -1,    10,    38,    -1,    22,    38,    88,
-      -1,    24,    38,    88,    -1,    10,    38,    97,    -1,    10,
-      97,    -1,    22,    88,    -1,    24,    88,    -1,     7,    -1,
-      19,    -1,    15,    -1,    16,    -1,    20,    -1,    25,    -1,
-      13,    -1,     9,    -1,    26,    -1,     6,    -1,    42,    -1,
-      50,    72,    -1,    -1,    73,    -1,    74,    -1,    73,    74,
-      -1,     8,    -1,    27,    -1,    31,    -1,    18,    -1,    71,
-      75,    -1,    76,    -1,    38,    -1,    42,    -1,    76,    48,
-      79,    49,    -1,    76,    48,     1,    49,    -1,    76,    34,
-      -1,    48,    75,    49,    -1,    48,     1,    49,    -1,    71,
-      77,    -1,    78,    -1,    38,    -1,    42,    -1,    78,    48,
-      79,    49,    -1,    78,    48,     1,    49,    -1,    78,    34,
-      -1,    48,    77,    49,    -1,    48,     1,    49,    -1,    80,
-      37,    -1,    80,    -1,    81,    47,    37,    -1,    -1,    81,
-      -1,    82,    -1,    81,    47,    82,    -1,    66,    83,    -1,
-      71,    83,    -1,    84,    -1,    -1,    38,    -1,    42,    -1,
-      84,    48,    79,    49,    -1,    84,    48,     1,    49,    -1,
-      84,    34,    -1,    48,    83,    49,    -1,    48,     1,    49,
-      -1,    65,    75,    33,    -1,    -1,    87,    -1,    51,    35,
-      -1,    52,    89,    46,    -1,    52,     1,    46,    -1,    -1,
-      90,    -1,    91,    -1,    90,    91,    -1,    65,    92,    45,
-      -1,     1,    45,    -1,    -1,    93,    -1,    94,    -1,    93,
-      47,    94,    -1,    77,    96,    -1,    38,    95,    -1,    95,
-      -1,    53,    35,    -1,    -1,    96,    31,    -1,    52,    98,
-      46,    -1,    52,    98,    47,    46,    -1,    99,    -1,    98,
-      47,    99,    -1,    38,    -1,    38,    51,    35,    -1,    30,
-      45,    -1,    -1,    30,    -1,    29,    48,    38,    49,    45,
-      -1
-};
-/* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
 static const yytype_uint16 yyrline[] =
 {
       0,   124,   124,   125,   129,   129,   135,   135,   137,   137,
@@ -565,13 +517,13 @@ static const yytype_uint16 yyrline[] =
     237,   239,   241,   246,   249,   250,   254,   255,   256,   257,
     258,   259,   260,   261,   262,   263,   264,   268,   273,   274,
     278,   279,   283,   283,   283,   284,   292,   293,   297,   306,
-     315,   317,   319,   321,   323,   330,   331,   335,   336,   337,
+     315,   317,   319,   321,   328,   329,   333,   334,   335,   337,
-     339,   341,   343,   345,   350,   351,   352,   356,   357,   361,
+     339,   341,   343,   348,   349,   350,   354,   355,   359,   360,
-     362,   367,   372,   374,   378,   379,   387,   391,   393,   395,
+     365,   370,   372,   376,   377,   385,   389,   391,   393,   395,
-     397,   399,   404,   413,   414,   419,   424,   425,   429,   430,
+     397,   402,   411,   412,   417,   422,   423,   427,   428,   432,
-     434,   435,   439,   441,   446,   447,   451,   452,   456,   457,
+     433,   437,   439,   444,   445,   449,   450,   454,   455,   456,
-     458,   462,   466,   467,   471,   472,   476,   477,   480,   485,
+     460,   464,   465,   469,   470,   474,   475,   478,   483,   491,
-     493,   497,   498,   502
+     495,   496,   500
 };
 #endif
@@ -606,13 +558,13 @@ static const char *const yytname[] =
  "member_declarator_list_opt", "member_declarator_list",
  "member_declarator", "member_bitfield_declarator", "attribute_opt",
  "enum_body", "enumerator_list", "enumerator", "asm_definition",
-  "asm_phrase_opt", "export_definition", YY_NULL
+  "asm_phrase_opt", "export_definition", YY_NULLPTR
 };
 #endif
 # ifdef YYPRINT
-/* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
+/* YYTOKNUM[NUM] -- (External) token number corresponding to the
-   token YYLEX-NUM.  */
+   (internal) symbol number NUM (which must be that of a token).  */
 static const yytype_uint16 yytoknum[] =
 {
       0,   256,   257,   258,   259,   260,   261,   262,   263,   264,
@@ -624,47 +576,44 @@ static const yytype_uint16 yytoknum[] =
 };
 # endif
-/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
+#define YYPACT_NINF -135
-static const yytype_uint8 yyr1[] =
-{
-       0,    54,    55,    55,    57,    56,    59,    58,    60,    58,
-      58,    58,    58,    58,    58,    58,    61,    62,    62,    63,
-      63,    64,    65,    65,    66,    66,    67,    67,    68,    68,
-      68,    68,    68,    69,    69,    69,    69,    69,    69,    69,
-      69,    69,    69,    69,    69,    69,    70,    70,    70,    70,
-      70,    70,    70,    70,    70,    70,    70,    71,    72,    72,
-      73,    73,    74,    74,    74,    74,    75,    75,    76,    76,
-      76,    76,    76,    76,    76,    77,    77,    78,    78,    78,
-      78,    78,    78,    78,    79,    79,    79,    80,    80,    81,
-      81,    82,    83,    83,    84,    84,    84,    84,    84,    84,
-      84,    84,    85,    86,    86,    87,    88,    88,    89,    89,
-      90,    90,    91,    91,    92,    92,    93,    93,    94,    94,
-      94,    95,    96,    96,    97,    97,    98,    98,    99,    99,
-     100,   101,   101,   102
-};
-/* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
+#define yypact_value_is_default(Yystate) \
-static const yytype_uint8 yyr2[] =
+  (!!((Yystate) == (-135)))
+#define YYTABLE_NINF -109
+#define yytable_value_is_error(Yytable_value) \
+  0
+  /* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
+     STATE-NUM.  */
+static const yytype_int16 yypact[] =
 {
-       0,     2,     1,     2,     0,     2,     0,     4,     0,     3,
+    -135,    38,  -135,   206,  -135,  -135,    22,  -135,  -135,  -135,
-       1,     1,     1,     1,     2,     2,     3,     0,     1,     1,
+    -135,  -135,   -24,  -135,    20,  -135,  -135,  -135,  -135,  -135,
-       3,     4,     0,     1,     1,     2,     1,     1,     1,     1,
+    -135,  -135,  -135,  -135,   -23,  -135,     6,  -135,  -135,  -135,
-       1,     1,     1,     1,     1,     4,     1,     2,     2,     2,
+      -2,    15,    24,  -135,  -135,  -135,  -135,  -135,    41,   471,
-       3,     3,     3,     2,     2,     2,     1,     1,     1,     1,
+    -135,  -135,  -135,  -135,  -135,  -135,  -135,  -135,  -135,  -135,
-       1,     1,     1,     1,     1,     1,     1,     2,     0,     1,
+      13,    36,  -135,  -135,    35,   106,  -135,   471,    35,  -135,
-       1,     2,     1,     1,     1,     1,     2,     1,     1,     1,
+     471,    44,  -135,  -135,  -135,    41,    39,    45,    48,  -135,
-       4,     4,     2,     3,     3,     2,     1,     1,     1,     4,
+      41,   -10,    25,  -135,  -135,    47,    34,  -135,   471,  -135,
-       4,     2,     3,     3,     2,     1,     3,     0,     1,     1,
+      26,   -26,    53,   156,  -135,  -135,    41,  -135,   387,    52,
-       3,     2,     2,     1,     0,     1,     1,     4,     4,     2,
+      57,    59,  -135,    39,  -135,  -135,    41,  -135,  -135,  -135,
-       3,     3,     3,     0,     1,     2,     3,     3,     0,     1,
+    -135,  -135,   252,    67,  -135,   -21,  -135,  -135,  -135,    51,
-       1,     2,     3,     2,     0,     1,     1,     3,     2,     2,
+    -135,    12,    83,    46,  -135,    27,    84,    88,  -135,  -135,
-       1,     2,     0,     2,     3,     4,     1,     3,     1,     3,
+    -135,    91,  -135,   109,  -135,  -135,     3,    55,  -135,    30,
-       2,     0,     1,     5
+    -135,    95,  -135,  -135,  -135,   -20,    92,    93,   108,    96,
+    -135,  -135,  -135,  -135,  -135,    97,  -135,    98,  -135,  -135,
+     118,  -135,   297,  -135,   -26,   101,  -135,   104,  -135,  -135,
+     342,  -135,  -135,   120,  -135,  -135,  -135,  -135,  -135,   433,
+    -135,  -135,   111,   119,  -135,  -135,  -135,   130,   136,  -135,
+    -135,  -135,  -135,  -135,  -135,  -135
 };
-/* YYDEFACT[STATE-NAME] -- Default reduction number in state STATE-NUM.
+  /* YYDEFACT[STATE-NUM] -- Default reduction number in state STATE-NUM.
-   Performed when YYTABLE doesn't specify something else to do.  Zero
+     Performed when YYTABLE does not specify something else to do.  Zero
-   means the default is an error.  */
+     means the default is an error.  */
 static const yytype_uint8 yydefact[] =
 {
       4,     4,     2,     0,     1,     3,     0,    28,    55,    46,
@@ -673,191 +622,158 @@ static const yytype_uint8 yydefact[] =
       0,     0,     0,    64,    36,    56,     5,    10,    17,    23,
      24,    26,    27,    33,    34,    11,    12,    13,    14,    15,
      39,     0,    43,     6,    37,     0,    44,    22,    38,    45,
-       0,     0,   130,    68,    69,     0,    58,     0,    18,    19,
+       0,     0,   129,    68,    69,     0,    58,     0,    18,    19,
-       0,   131,    67,    25,    42,   128,     0,   126,    22,    40,
+       0,   130,    67,    25,    42,   127,     0,   125,    22,    40,
-       0,   114,     0,     0,   110,     9,    17,    41,    94,     0,
+       0,   113,     0,     0,   109,     9,    17,    41,    93,     0,
-       0,     0,     0,    57,    59,    60,    16,     0,    66,   132,
+       0,     0,    57,    59,    60,    16,     0,    66,   131,   101,
-     102,   122,    72,     0,     0,   124,     0,     7,   113,   107,
+     121,    72,     0,     0,   123,     0,     7,   112,   106,    76,
-      77,    78,     0,     0,     0,   122,    76,     0,   115,   116,
+      77,     0,     0,     0,   121,    75,     0,   114,   115,   119,
-     120,   106,     0,   111,   131,    95,    56,     0,    94,    91,
+     105,     0,   110,   130,    94,    56,     0,    93,    90,    92,
-      93,    35,     0,    74,    73,    61,    20,   103,     0,     0,
+      35,     0,    73,    61,    20,   102,     0,     0,    84,    87,
-      85,    88,    89,   129,   125,   127,   119,     0,    77,     0,
+      88,   128,   124,   126,   118,     0,    76,     0,   120,    74,
-     121,    75,   118,    81,     0,   112,     0,     0,    96,     0,
+     117,    80,     0,   111,     0,     0,    95,     0,    91,    98,
-      92,    99,     0,   133,   123,     0,    21,   104,    71,    70,
+       0,   132,   122,     0,    21,   103,    71,    70,    83,     0,
-      84,     0,    83,    82,     0,     0,   117,   101,   100,     0,
+      82,    81,     0,     0,   116,   100,    99,     0,     0,   104,
-       0,   105,    86,    90,    80,    79,    98,    97
+      85,    89,    79,    78,    97,    96
-};
-/* YYDEFGOTO[NTERM-NUM].  */
-static const yytype_int16 yydefgoto[] =
-{
-      -1,     1,     2,     3,    36,    78,    57,    37,    67,    68,
-      69,    81,    39,    40,    41,    42,    43,    70,    93,    94,
-      44,   124,    72,   115,   116,   139,   140,   141,   142,   129,
-     130,    45,   166,   167,    56,    82,    83,    84,   117,   118,
-     119,   120,   137,    52,    76,    77,    46,   101,    47
 };
-/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
+  /* YYPGOTO[NTERM-NUM].  */
-   STATE-NUM.  */
+static const yytype_int16 yypgoto[] =
-#define YYPACT_NINF -92
-static const yytype_int16 yypact[] =
 {
-     -92,    19,   -92,   208,   -92,   -92,    39,   -92,   -92,   -92,
+    -135,  -135,   157,  -135,  -135,  -135,  -135,   -48,  -135,  -135,
-     -92,   -92,   -27,   -92,    23,   -92,   -92,   -92,   -92,   -92,
+      90,    -1,   -60,   -33,  -135,  -135,  -135,   -78,  -135,  -135,
-     -92,   -92,   -92,   -92,   -22,   -92,     9,   -92,   -92,   -92,
+     -61,   -31,  -135,   -92,  -135,  -134,  -135,  -135,   -59,   -41,
-      -6,    16,    25,   -92,   -92,   -92,   -92,   -92,    31,   473,
+    -135,  -135,  -135,  -135,   -18,  -135,  -135,   107,  -135,  -135,
-     -92,   -92,   -92,   -92,   -92,   -92,   -92,   -92,   -92,   -92,
+      37,    80,    78,   143,  -135,    94,  -135,  -135,  -135
-      49,    37,   -92,   -92,    51,   108,   -92,   473,    51,   -92,
-     473,    59,   -92,   -92,   -92,    12,    -3,    60,    57,   -92,
-      31,    -7,    24,   -92,   -92,    55,    42,   -92,   473,   -92,
-      46,   -21,    61,   158,   -92,   -92,    31,   -92,   389,    71,
-      82,    88,    89,   -92,    -3,   -92,   -92,    31,   -92,   -92,
-     -92,   -92,   -92,   254,    73,   -92,   -24,   -92,   -92,   -92,
-      90,   -92,    17,    75,    45,   -92,    32,    96,    95,   -92,
-     -92,   -92,    99,   -92,   115,   -92,   -92,     3,    48,   -92,
-      34,   -92,   102,   -92,   -92,   -92,   -92,   -11,   100,   103,
-     111,   104,   -92,   -92,   -92,   -92,   -92,   106,   -92,   113,
-     -92,   -92,   126,   -92,   299,   -92,   -21,   121,   -92,   132,
-     -92,   -92,   344,   -92,   -92,   125,   -92,   -92,   -92,   -92,
-     -92,   435,   -92,   -92,   138,   139,   -92,   -92,   -92,   142,
-     143,   -92,   -92,   -92,   -92,   -92,   -92,   -92
 };
-/* YYPGOTO[NTERM-NUM].  */
+  /* YYDEFGOTO[NTERM-NUM].  */
-static const yytype_int16 yypgoto[] =
+static const yytype_int16 yydefgoto[] =
 {
-     -92,   -92,   192,   -92,   -92,   -92,   -92,   -47,   -92,   -92,
+      -1,     1,     2,     3,    36,    78,    57,    37,    67,    68,
-      97,     0,   -60,   -32,   -92,   -92,   -92,   -79,   -92,   -92,
+      69,    81,    39,    40,    41,    42,    43,    70,    92,    93,
-     -58,   -26,   -92,   -38,   -92,   -91,   -92,   -92,   -59,   -28,
+      44,   123,    72,   114,   115,   137,   138,   139,   140,   128,
-     -92,   -92,   -92,   -92,   -20,   -92,   -92,   112,   -92,   -92,
+     129,    45,   164,   165,    56,    82,    83,    84,   116,   117,
-      41,    91,    83,   149,   -92,   101,   -92,   -92,   -92
+     118,   119,   135,    52,    76,    77,    46,   100,    47
 };
-/* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
+  /* YYTABLE[YYPACT[STATE-NUM]] -- What to do in state STATE-NUM.  If
-   positive, shift that token.  If negative, reduce the rule which
+     positive, shift that token.  If negative, reduce the rule whose
-   number is the opposite.  If YYTABLE_NINF, syntax error.  */
+     number is the opposite.  If YYTABLE_NINF, syntax error.  */
-#define YYTABLE_NINF -110
 static const yytype_int16 yytable[] =
 {
-      88,    89,   114,    38,   157,    10,    59,    73,    95,   128,
+      88,    89,    38,   113,   155,    94,    73,    71,    59,    85,
-      85,    50,    71,    91,    75,    20,    54,   110,   147,     4,
+     127,   162,   109,   145,    50,    54,   110,    75,   173,   147,
-     164,   111,   144,    99,    29,    51,   100,   112,    33,    66,
+      98,   149,   111,    99,    66,   142,   178,   112,    51,    55,
-      55,   107,   113,   114,    79,   114,   135,   -94,    87,    92,
+     106,   163,   133,   113,    91,   113,    79,   -93,     4,    97,
-     165,   125,    60,    88,    98,   158,    53,    58,   128,   128,
+      87,   124,    88,    53,    58,   156,    60,    10,   127,   127,
-      63,   127,   -94,    66,    64,   148,    73,    86,   102,   111,
+     146,   126,   -93,    66,   110,    73,    86,    20,    55,   101,
-      65,    55,    66,   175,    61,   112,   153,    66,   161,    63,
+     111,   151,    66,    61,   159,    51,    29,    48,    49,    62,
-      62,   180,   103,    64,   149,    75,   151,   114,    86,    65,
+      33,   107,   108,   102,    75,   152,   113,    86,   160,    63,
-     154,    66,   162,   148,    48,    49,   125,   111,   105,   106,
+     104,   105,    90,    64,   146,   157,   158,    55,   110,    65,
-     158,   108,   109,   112,    88,    66,   127,    90,    66,   159,
+      95,    66,    88,   124,   111,    96,    66,   156,   103,   120,
-     160,    51,    88,    55,    97,    96,   104,   121,   143,    80,
+      88,   130,   141,   126,   112,    66,   131,    80,   132,    88,
-     150,    88,   183,     7,     8,     9,    10,    11,    12,    13,
+     181,     7,     8,     9,    10,    11,    12,    13,   148,    15,
-     131,    15,    16,    17,    18,    19,    20,    21,    22,    23,
+      16,    17,    18,    19,    20,    21,    22,    23,    24,   153,
-      24,   132,    26,    27,    28,    29,    30,   133,   134,    33,
+      26,    27,    28,    29,    30,   154,   107,    33,    34,    98,
-      34,   155,   156,   113,   108,    99,   -22,   163,   170,   168,
+     161,   166,   167,   169,   -22,   168,   170,   171,    35,   162,
-      35,   171,   169,   -22,  -108,   172,   -22,   164,   -22,   122,
+     175,   -22,  -107,   176,   -22,   179,   -22,   121,     5,   -22,
-     181,   -22,   173,     7,     8,     9,    10,    11,    12,    13,
+     182,     7,     8,     9,    10,    11,    12,    13,   183,    15,
-     177,    15,    16,    17,    18,    19,    20,    21,    22,    23,
+      16,    17,    18,    19,    20,    21,    22,    23,    24,   184,
-      24,   178,    26,    27,    28,    29,    30,   184,   185,    33,
+      26,    27,    28,    29,    30,   185,   134,    33,    34,   144,
-      34,   186,   187,     5,   136,   123,   -22,   176,   152,    74,
+     122,   174,   150,    74,   -22,     0,     0,     0,    35,   143,
-      35,   146,     0,   -22,  -109,     0,   -22,   145,   -22,     6,
+       0,   -22,  -108,     0,   -22,     0,   -22,     6,     0,   -22,
-       0,   -22,     0,     7,     8,     9,    10,    11,    12,    13,
+       0,     7,     8,     9,    10,    11,    12,    13,    14,    15,
-      14,    15,    16,    17,    18,    19,    20,    21,    22,    23,
+      16,    17,    18,    19,    20,    21,    22,    23,    24,    25,
-      24,    25,    26,    27,    28,    29,    30,    31,    32,    33,
+      26,    27,    28,    29,    30,    31,    32,    33,    34,     0,
-      34,     0,     0,     0,     0,     0,   -22,     0,     0,     0,
+       0,     0,     0,     0,   -22,     0,     0,     0,    35,     0,
-      35,     0,     0,   -22,     0,   138,   -22,     0,   -22,     7,
+       0,   -22,     0,   136,   -22,     0,   -22,     7,     8,     9,
-       8,     9,    10,    11,    12,    13,     0,    15,    16,    17,
+      10,    11,    12,    13,     0,    15,    16,    17,    18,    19,
-      18,    19,    20,    21,    22,    23,    24,     0,    26,    27,
+      20,    21,    22,    23,    24,     0,    26,    27,    28,    29,
-      28,    29,    30,     0,     0,    33,    34,     0,     0,     0,
+      30,     0,     0,    33,    34,     0,     0,     0,     0,   -86,
-       0,   -87,     0,     0,     0,     0,    35,     0,     0,     0,
+       0,     0,     0,     0,    35,     0,     0,     0,   172,     0,
-     174,     0,     0,   -87,     7,     8,     9,    10,    11,    12,
+       0,   -86,     7,     8,     9,    10,    11,    12,    13,     0,
-      13,     0,    15,    16,    17,    18,    19,    20,    21,    22,
+      15,    16,    17,    18,    19,    20,    21,    22,    23,    24,
-      23,    24,     0,    26,    27,    28,    29,    30,     0,     0,
+       0,    26,    27,    28,    29,    30,     0,     0,    33,    34,
-      33,    34,     0,     0,     0,     0,   -87,     0,     0,     0,
+       0,     0,     0,     0,   -86,     0,     0,     0,     0,    35,
-       0,    35,     0,     0,     0,   179,     0,     0,   -87,     7,
+       0,     0,     0,   177,     0,     0,   -86,     7,     8,     9,
-       8,     9,    10,    11,    12,    13,     0,    15,    16,    17,
+      10,    11,    12,    13,     0,    15,    16,    17,    18,    19,
-      18,    19,    20,    21,    22,    23,    24,     0,    26,    27,
+      20,    21,    22,    23,    24,     0,    26,    27,    28,    29,
-      28,    29,    30,     0,     0,    33,    34,     0,     0,     0,
+      30,     0,     0,    33,    34,     0,     0,     0,     0,   -86,
-       0,   -87,     0,     0,     0,     0,    35,     0,     0,     0,
+       0,     0,     0,     0,    35,     0,     0,     0,     0,     0,
-       0,     0,     0,   -87,     7,     8,     9,    10,    11,    12,
+       0,   -86,     7,     8,     9,    10,    11,    12,    13,     0,
-      13,     0,    15,    16,    17,    18,    19,    20,    21,    22,
+      15,    16,    17,    18,    19,    20,    21,    22,    23,    24,
-      23,    24,     0,    26,    27,    28,    29,    30,     0,     0,
+       0,    26,    27,    28,    29,    30,     0,     0,    33,    34,
-      33,    34,     0,     0,     0,     0,     0,   125,     0,     0,
+       0,     0,     0,     0,     0,   124,     0,     0,     0,   125,
-       0,   126,     0,     0,     0,     0,     0,   127,     0,    66,
+       0,     0,     0,     0,     0,   126,     0,    66,     7,     8,
-       7,     8,     9,    10,    11,    12,    13,     0,    15,    16,
-      17,    18,    19,    20,    21,    22,    23,    24,     0,    26,
-      27,    28,    29,    30,     0,     0,    33,    34,     0,     0,
-       0,     0,   182,     0,     0,     0,     0,    35,     7,     8,
       9,    10,    11,    12,    13,     0,    15,    16,    17,    18,
      19,    20,    21,    22,    23,    24,     0,    26,    27,    28,
      29,    30,     0,     0,    33,    34,     0,     0,     0,     0,
-       0,     0,     0,     0,     0,    35
+     180,     0,     0,     0,     0,    35,     7,     8,     9,    10,
+      11,    12,    13,     0,    15,    16,    17,    18,    19,    20,
+      21,    22,    23,    24,     0,    26,    27,    28,    29,    30,
+       0,     0,    33,    34,     0,     0,     0,     0,     0,     0,
+       0,     0,     0,    35
 };
-#define yypact_value_is_default(Yystate) \
-  (!!((Yystate) == (-92)))
-#define yytable_value_is_error(Yytable_value) \
-  YYID (0)
 static const yytype_int16 yycheck[] =
 {
-      60,    60,    81,     3,     1,     8,    26,    39,    66,    88,
+      60,    60,     3,    81,     1,    66,    39,    38,    26,    57,
-      57,    38,    38,     1,    38,    18,    38,    38,     1,     0,
+      88,    31,    38,     1,    38,    38,    42,    38,   152,   111,
-      31,    42,    46,    30,    27,    52,    33,    48,    31,    50,
+      30,   113,    48,    33,    50,    46,   160,    53,    52,    52,
-      52,    78,    53,   112,    54,   114,    94,    34,    58,    65,
+      78,    51,    93,   111,    65,   113,    54,    34,     0,    70,
-      51,    38,    48,   103,    70,    42,    23,    38,   127,   128,
+      58,    38,   102,    23,    38,    42,    48,     8,   126,   127,
-      38,    48,    49,    50,    42,    38,    88,    57,    34,    42,
+      38,    48,    49,    50,    42,    88,    57,    18,    52,    34,
-      48,    52,    50,   154,    48,    48,    34,    50,    34,    38,
+      48,    34,    50,    48,    34,    52,    27,    45,    46,    45,
-      45,   162,    48,    42,   112,    38,   114,   156,    78,    48,
+      31,    45,    46,    48,    38,    48,   154,    78,    48,    38,
-      48,    50,    48,    38,    45,    46,    38,    42,    46,    47,
+      46,    47,    38,    42,    38,   126,   127,    52,    42,    48,
-      42,    45,    46,    48,   154,    50,    48,    38,    50,   127,
+      45,    50,   152,    38,    48,    47,    50,    42,    51,    46,
-     128,    52,   162,    52,    47,    45,    51,    46,    35,     1,
+     160,    49,    35,    48,    53,    50,    49,     1,    49,   169,
-      35,   171,   171,     5,     6,     7,     8,     9,    10,    11,
+     169,     5,     6,     7,     8,     9,    10,    11,    35,    13,
-      49,    13,    14,    15,    16,    17,    18,    19,    20,    21,
+      14,    15,    16,    17,    18,    19,    20,    21,    22,    45,
-      22,    49,    24,    25,    26,    27,    28,    49,    49,    31,
+      24,    25,    26,    27,    28,    47,    45,    31,    32,    30,
-      32,    45,    47,    53,    45,    30,    38,    45,    37,    49,
+      45,    49,    49,    47,    38,    37,    49,    49,    42,    31,
-      42,    47,    49,    45,    46,    49,    48,    31,    50,     1,
+      49,    45,    46,    49,    48,    35,    50,     1,     1,    53,
-      35,    53,    49,     5,     6,     7,     8,     9,    10,    11,
+      49,     5,     6,     7,     8,     9,    10,    11,    49,    13,
-      49,    13,    14,    15,    16,    17,    18,    19,    20,    21,
+      14,    15,    16,    17,    18,    19,    20,    21,    22,    49,
-      22,    49,    24,    25,    26,    27,    28,    49,    49,    31,
+      24,    25,    26,    27,    28,    49,    96,    31,    32,   109,
-      32,    49,    49,     1,    97,    83,    38,   156,   115,    50,
+      83,   154,   114,    50,    38,    -1,    -1,    -1,    42,   105,
-      42,   110,    -1,    45,    46,    -1,    48,   106,    50,     1,
+      -1,    45,    46,    -1,    48,    -1,    50,     1,    -1,    53,
-      -1,    53,    -1,     5,     6,     7,     8,     9,    10,    11,
+      -1,     5,     6,     7,     8,     9,    10,    11,    12,    13,
-      12,    13,    14,    15,    16,    17,    18,    19,    20,    21,
+      14,    15,    16,    17,    18,    19,    20,    21,    22,    23,
-      22,    23,    24,    25,    26,    27,    28,    29,    30,    31,
+      24,    25,    26,    27,    28,    29,    30,    31,    32,    -1,
-      32,    -1,    -1,    -1,    -1,    -1,    38,    -1,    -1,    -1,
+      -1,    -1,    -1,    -1,    38,    -1,    -1,    -1,    42,    -1,
-      42,    -1,    -1,    45,    -1,     1,    48,    -1,    50,     5,
+      -1,    45,    -1,     1,    48,    -1,    50,     5,     6,     7,
-       6,     7,     8,     9,    10,    11,    -1,    13,    14,    15,
+       8,     9,    10,    11,    -1,    13,    14,    15,    16,    17,
-      16,    17,    18,    19,    20,    21,    22,    -1,    24,    25,
+      18,    19,    20,    21,    22,    -1,    24,    25,    26,    27,
-      26,    27,    28,    -1,    -1,    31,    32,    -1,    -1,    -1,
+      28,    -1,    -1,    31,    32,    -1,    -1,    -1,    -1,    37,
-      -1,    37,    -1,    -1,    -1,    -1,    42,    -1,    -1,    -1,
+      -1,    -1,    -1,    -1,    42,    -1,    -1,    -1,     1,    -1,
-       1,    -1,    -1,    49,     5,     6,     7,     8,     9,    10,
+      -1,    49,     5,     6,     7,     8,     9,    10,    11,    -1,
-      11,    -1,    13,    14,    15,    16,    17,    18,    19,    20,
+      13,    14,    15,    16,    17,    18,    19,    20,    21,    22,
-      21,    22,    -1,    24,    25,    26,    27,    28,    -1,    -1,
+      -1,    24,    25,    26,    27,    28,    -1,    -1,    31,    32,
-      31,    32,    -1,    -1,    -1,    -1,    37,    -1,    -1,    -1,
+      -1,    -1,    -1,    -1,    37,    -1,    -1,    -1,    -1,    42,
-      -1,    42,    -1,    -1,    -1,     1,    -1,    -1,    49,     5,
+      -1,    -1,    -1,     1,    -1,    -1,    49,     5,     6,     7,
-       6,     7,     8,     9,    10,    11,    -1,    13,    14,    15,
+       8,     9,    10,    11,    -1,    13,    14,    15,    16,    17,
-      16,    17,    18,    19,    20,    21,    22,    -1,    24,    25,
+      18,    19,    20,    21,    22,    -1,    24,    25,    26,    27,
-      26,    27,    28,    -1,    -1,    31,    32,    -1,    -1,    -1,
+      28,    -1,    -1,    31,    32,    -1,    -1,    -1,    -1,    37,
-      -1,    37,    -1,    -1,    -1,    -1,    42,    -1,    -1,    -1,
+      -1,    -1,    -1,    -1,    42,    -1,    -1,    -1,    -1,    -1,
-      -1,    -1,    -1,    49,     5,     6,     7,     8,     9,    10,
+      -1,    49,     5,     6,     7,     8,     9,    10,    11,    -1,
-      11,    -1,    13,    14,    15,    16,    17,    18,    19,    20,
+      13,    14,    15,    16,    17,    18,    19,    20,    21,    22,
-      21,    22,    -1,    24,    25,    26,    27,    28,    -1,    -1,
+      -1,    24,    25,    26,    27,    28,    -1,    -1,    31,    32,
-      31,    32,    -1,    -1,    -1,    -1,    -1,    38,    -1,    -1,
+      -1,    -1,    -1,    -1,    -1,    38,    -1,    -1,    -1,    42,
-      -1,    42,    -1,    -1,    -1,    -1,    -1,    48,    -1,    50,
+      -1,    -1,    -1,    -1,    -1,    48,    -1,    50,     5,     6,
-       5,     6,     7,     8,     9,    10,    11,    -1,    13,    14,
-      15,    16,    17,    18,    19,    20,    21,    22,    -1,    24,
-      25,    26,    27,    28,    -1,    -1,    31,    32,    -1,    -1,
-      -1,    -1,    37,    -1,    -1,    -1,    -1,    42,     5,     6,
       7,     8,     9,    10,    11,    -1,    13,    14,    15,    16,
      17,    18,    19,    20,    21,    22,    -1,    24,    25,    26,
      27,    28,    -1,    -1,    31,    32,    -1,    -1,    -1,    -1,
-      -1,    -1,    -1,    -1,    -1,    42
+      37,    -1,    -1,    -1,    -1,    42,     5,     6,     7,     8,
+       9,    10,    11,    -1,    13,    14,    15,    16,    17,    18,
+      19,    20,    21,    22,    -1,    24,    25,    26,    27,    28,
+      -1,    -1,    31,    32,    -1,    -1,    -1,    -1,    -1,    -1,
+      -1,    -1,    -1,    42
 };
-/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
+  /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
-   symbol of state STATE-NUM.  */
+     symbol of state STATE-NUM.  */
 static const yytype_uint8 yystos[] =
 {
       0,    55,    56,    57,     0,    56,     1,     5,     6,     7,
@@ -869,42 +785,66 @@ static const yytype_uint8 yystos[] =
      48,    48,    45,    38,    42,    48,    50,    62,    63,    64,
      71,    75,    76,    67,    97,    38,    98,    99,    59,    88,
       1,    65,    89,    90,    91,    61,    65,    88,    66,    82,
-      38,     1,    75,    72,    73,    74,    45,    47,    75,    30,
+      38,    75,    72,    73,    74,    45,    47,    75,    30,    33,
-      33,   101,    34,    48,    51,    46,    47,    61,    45,    46,
+     101,    34,    48,    51,    46,    47,    61,    45,    46,    38,
-      38,    42,    48,    53,    71,    77,    78,    92,    93,    94,
+      42,    48,    53,    71,    77,    78,    92,    93,    94,    95,
-      95,    46,     1,    91,    75,    38,    42,    48,    71,    83,
+      46,     1,    91,    75,    38,    42,    48,    71,    83,    84,
-      84,    49,    49,    49,    49,    74,    64,    96,     1,    79,
+      49,    49,    49,    74,    64,    96,     1,    79,    80,    81,
-      80,    81,    82,    35,    46,    99,    95,     1,    38,    77,
+      82,    35,    46,    99,    95,     1,    38,    77,    35,    77,
-      35,    77,    96,    34,    48,    45,    47,     1,    42,    83,
+      96,    34,    48,    45,    47,     1,    42,    83,    83,    34,
-      83,    34,    48,    45,    31,    51,    86,    87,    49,    49,
+      48,    45,    31,    51,    86,    87,    49,    49,    37,    47,
-      37,    47,    49,    49,     1,    79,    94,    49,    49,     1,
+      49,    49,     1,    79,    94,    49,    49,     1,    79,    35,
-      79,    35,    37,    82,    49,    49,    49,    49
+      37,    82,    49,    49,    49,    49
 };
-#define yyerrok         (yyerrstatus = 0)
+  /* YYR1[YYN] -- Symbol number of symbol that rule YYN derives.  */
-#define yyclearin       (yychar = YYEMPTY)
+static const yytype_uint8 yyr1[] =
-#define YYEMPTY         (-2)
+{
-#define YYEOF           0
+       0,    54,    55,    55,    57,    56,    59,    58,    60,    58,
+      58,    58,    58,    58,    58,    58,    61,    62,    62,    63,
-#define YYACCEPT        goto yyacceptlab
+      63,    64,    65,    65,    66,    66,    67,    67,    68,    68,
-#define YYABORT         goto yyabortlab
+      68,    68,    68,    69,    69,    69,    69,    69,    69,    69,
-#define YYERROR         goto yyerrorlab
+      69,    69,    69,    69,    69,    69,    70,    70,    70,    70,
+      70,    70,    70,    70,    70,    70,    70,    71,    72,    72,
+      73,    73,    74,    74,    74,    74,    75,    75,    76,    76,
-/* Like YYERROR except do call yyerror.  This remains here temporarily
+      76,    76,    76,    76,    77,    77,    78,    78,    78,    78,
-   to ease the transition to the new meaning of YYERROR, for GCC.
+      78,    78,    78,    79,    79,    79,    80,    80,    81,    81,
-   Once GCC version 2 has supplanted version 1, this can go.  However,
+      82,    83,    83,    84,    84,    84,    84,    84,    84,    84,
-   YYFAIL appears to be in use.  Nevertheless, it is formally deprecated
+      84,    85,    86,    86,    87,    88,    88,    89,    89,    90,
-   in Bison 2.4.2's NEWS entry, where a plan to phase it out is
+      90,    91,    91,    92,    92,    93,    93,    94,    94,    94,
-   discussed.  */
+      95,    96,    96,    97,    97,    98,    98,    99,    99,   100,
+     101,   101,   102
-#define YYFAIL          goto yyerrlab
+};
-#if defined YYFAIL
-  /* This is here to suppress warnings from the GCC cpp's
+  /* YYR2[YYN] -- Number of symbols on the right hand side of rule YYN.  */
-     -Wunused-macros.  Normally we don't worry about that warning, but
+static const yytype_uint8 yyr2[] =
-     some users do, and we want to make it easy for users to remove
+{
-     YYFAIL uses, which will produce warnings from Bison 2.5.  */
+       0,     2,     1,     2,     0,     2,     0,     4,     0,     3,
-#endif
+       1,     1,     1,     1,     2,     2,     3,     0,     1,     1,
+       3,     4,     0,     1,     1,     2,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     4,     1,     2,     2,     2,
+       3,     3,     3,     2,     2,     2,     1,     1,     1,     1,
+       1,     1,     1,     1,     1,     1,     1,     2,     0,     1,
+       1,     2,     1,     1,     1,     1,     2,     1,     1,     1,
+       4,     4,     2,     3,     2,     1,     1,     1,     4,     4,
+       2,     3,     3,     2,     1,     3,     0,     1,     1,     3,
+       2,     2,     1,     0,     1,     1,     4,     4,     2,     3,
+       3,     3,     0,     1,     2,     3,     3,     0,     1,     1,
+       2,     3,     2,     0,     1,     1,     3,     2,     2,     1,
+       2,     0,     2,     3,     4,     1,     3,     1,     3,     2,
+       0,     1,     5
+};
+#define yyerrok         (yyerrstatus = 0)
+#define yyclearin       (yychar = YYEMPTY)
+#define YYEMPTY         (-2)
+#define YYEOF           0
+#define YYACCEPT        goto yyacceptlab
+#define YYABORT         goto yyabortlab
+#define YYERROR         goto yyerrorlab
 #define YYRECOVERING()  (!!yyerrstatus)
@@ -921,27 +861,15 @@ do                                                              \
  else                                                          \
    {                                                           \
      yyerror (YY_("syntax error: cannot back up")); \
-      YYERROR;                                                  \
+      YYERROR;                                                  \
-    }                                                           \
+    }                                                           \
-while (YYID (0))
+while (0)
 /* Error token number */
-#define YYTERROR        1
+#define YYTERROR        1
-#define YYERRCODE       256
+#define YYERRCODE       256
-/* This macro is provided for backward compatibility. */
-#ifndef YY_LOCATION_PRINT
-# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
-#endif
-/* YYLEX -- calling `yylex' with the right arguments.  */
-#ifdef YYLEX_PARAM
-# define YYLEX yylex (YYLEX_PARAM)
-#else
-# define YYLEX yylex ()
-#endif
 /* Enable debugging if requested.  */
 #if YYDEBUG
@@ -951,40 +879,36 @@ while (YYID (0))
 #  define YYFPRINTF fprintf
 # endif
-# define YYDPRINTF(Args)                        \
+# define YYDPRINTF(Args)                        \
-do {                                            \
+do {                                            \
-  if (yydebug)                                  \
+  if (yydebug)                                  \
-    YYFPRINTF Args;                             \
+    YYFPRINTF Args;                             \
-} while (YYID (0))
+} while (0)
+/* This macro is provided for backward compatibility. */
+#ifndef YY_LOCATION_PRINT
+# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
+#endif
-# define YY_SYMBOL_PRINT(Title, Type, Value, Location)                    \
+# define YY_SYMBOL_PRINT(Title, Type, Value, Location)                    \
-do {                                                                      \
+do {                                                                      \
-  if (yydebug)                                                            \
+  if (yydebug)                                                            \
-    {                                                                     \
+    {                                                                     \
-      YYFPRINTF (stderr, "%s ", Title);                                   \
+      YYFPRINTF (stderr, "%s ", Title);                                   \
-      yy_symbol_print (stderr,                                            \
+      yy_symbol_print (stderr,                                            \
-                  Type, Value); \
+                  Type, Value); \
-      YYFPRINTF (stderr, "\n");                                           \
+      YYFPRINTF (stderr, "\n");                                           \
-    }                                                                     \
+    }                                                                     \
-} while (YYID (0))
+} while (0)
-/*--------------------------------.
+/*----------------------------------------.
-| Print this symbol on YYOUTPUT.  |
+| Print this symbol's value on YYOUTPUT.  |
-`--------------------------------*/
+`----------------------------------------*/
-/*ARGSUSED*/
-#if (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
 static void
 yy_symbol_value_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
-#else
-static void
-yy_symbol_value_print (yyoutput, yytype, yyvaluep)
-    FILE *yyoutput;
-    int yytype;
-    YYSTYPE const * const yyvaluep;
-#endif
 {
  FILE *yyo = yyoutput;
  YYUSE (yyo);
@@ -993,14 +917,8 @@ yy_symbol_value_print (yyoutput, yytype, yyvaluep)
 # ifdef YYPRINT
  if (yytype < YYNTOKENS)
    YYPRINT (yyoutput, yytoknum[yytype], *yyvaluep);
-# else
-  YYUSE (yyoutput);
 # endif
-  switch (yytype)
+  YYUSE (yytype);
-    {
-      default:
-        break;
-    }
 }
@@ -1008,22 +926,11 @@ yy_symbol_value_print (yyoutput, yytype, yyvaluep)
 | Print this symbol on YYOUTPUT.  |
 `--------------------------------*/
-#if (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
 static void
 yy_symbol_print (FILE *yyoutput, int yytype, YYSTYPE const * const yyvaluep)
-#else
-static void
-yy_symbol_print (yyoutput, yytype, yyvaluep)
-    FILE *yyoutput;
-    int yytype;
-    YYSTYPE const * const yyvaluep;
-#endif
 {
-  if (yytype < YYNTOKENS)
+  YYFPRINTF (yyoutput, "%s %s (",
-    YYFPRINTF (yyoutput, "token %s (", yytname[yytype]);
+             yytype < YYNTOKENS ? "token" : "nterm", yytname[yytype]);
-  else
-    YYFPRINTF (yyoutput, "nterm %s (", yytname[yytype]);
  yy_symbol_value_print (yyoutput, yytype, yyvaluep);
  YYFPRINTF (yyoutput, ")");
@@ -1034,16 +941,8 @@ yy_symbol_print (yyoutput, yytype, yyvaluep)
 | TOP (included).                                                   |
 `------------------------------------------------------------------*/
-#if (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
 static void
 yy_stack_print (yytype_int16 *yybottom, yytype_int16 *yytop)
-#else
-static void
-yy_stack_print (yybottom, yytop)
-    yytype_int16 *yybottom;
-    yytype_int16 *yytop;
-#endif
 {
  YYFPRINTF (stderr, "Stack now");
  for (; yybottom <= yytop; yybottom++)
@@ -1054,49 +953,42 @@ yy_stack_print (yybottom, yytop)
  YYFPRINTF (stderr, "\n");
 }
-# define YY_STACK_PRINT(Bottom, Top)                            \
+# define YY_STACK_PRINT(Bottom, Top)                            \
-do {                                                            \
+do {                                                            \
-  if (yydebug)                                                  \
+  if (yydebug)                                                  \
-    yy_stack_print ((Bottom), (Top));                           \
+    yy_stack_print ((Bottom), (Top));                           \
-} while (YYID (0))
+} while (0)
 /*------------------------------------------------.
 | Report that the YYRULE is going to be reduced.  |
 `------------------------------------------------*/
-#if (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
 static void
-yy_reduce_print (YYSTYPE *yyvsp, int yyrule)
+yy_reduce_print (yytype_int16 *yyssp, YYSTYPE *yyvsp, int yyrule)
-#else
-static void
-yy_reduce_print (yyvsp, yyrule)
-    YYSTYPE *yyvsp;
-    int yyrule;
-#endif
 {
+  unsigned long int yylno = yyrline[yyrule];
  int yynrhs = yyr2[yyrule];
  int yyi;
-  unsigned long int yylno = yyrline[yyrule];
  YYFPRINTF (stderr, "Reducing stack by rule %d (line %lu):\n",
-             yyrule - 1, yylno);
+             yyrule - 1, yylno);
  /* The symbols being reduced.  */
  for (yyi = 0; yyi < yynrhs; yyi++)
    {
      YYFPRINTF (stderr, "   $%d = ", yyi + 1);
-      yy_symbol_print (stderr, yyrhs[yyprhs[yyrule] + yyi],
+      yy_symbol_print (stderr,
-                       &(yyvsp[(yyi + 1) - (yynrhs)])
+                       yystos[yyssp[yyi + 1 - yynrhs]],
-                                       );
+                       &(yyvsp[(yyi + 1) - (yynrhs)])
+                                              );
      YYFPRINTF (stderr, "\n");
    }
 }
-# define YY_REDUCE_PRINT(Rule)          \
+# define YY_REDUCE_PRINT(Rule)          \
-do {                                    \
+do {                                    \
-  if (yydebug)                          \
+  if (yydebug)                          \
-    yy_reduce_print (yyvsp, Rule); \
+    yy_reduce_print (yyssp, yyvsp, Rule); \
-} while (YYID (0))
+} while (0)
 /* Nonzero means print parse trace.  It is left uninitialized so that
   multiple parsers can coexist.  */
@@ -1110,7 +1002,7 @@ int yydebug;
 /* YYINITDEPTH -- initial size of the parser's stacks.  */
-#ifndef YYINITDEPTH
+#ifndef YYINITDEPTH
 # define YYINITDEPTH 200
 #endif
@@ -1133,15 +1025,8 @@ int yydebug;
 #   define yystrlen strlen
 #  else
 /* Return the length of YYSTR.  */
-#if (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
 static YYSIZE_T
 yystrlen (const char *yystr)
-#else
-static YYSIZE_T
-yystrlen (yystr)
-    const char *yystr;
-#endif
 {
  YYSIZE_T yylen;
  for (yylen = 0; yystr[yylen]; yylen++)
@@ -1157,16 +1042,8 @@ yystrlen (yystr)
 #  else
 /* Copy YYSRC to YYDEST, returning the address of the terminating '\0' in
   YYDEST.  */
-#if (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
 static char *
 yystpcpy (char *yydest, const char *yysrc)
-#else
-static char *
-yystpcpy (yydest, yysrc)
-    char *yydest;
-    const char *yysrc;
-#endif
 {
  char *yyd = yydest;
  const char *yys = yysrc;
@@ -1196,27 +1073,27 @@ yytnamerr (char *yyres, const char *yystr)
      char const *yyp = yystr;
      for (;;)
-        switch (*++yyp)
+        switch (*++yyp)
-          {
+          {
-          case '\'':
+          case '\'':
-          case ',':
+          case ',':
-            goto do_not_strip_quotes;
+            goto do_not_strip_quotes;
-          case '\\':
+          case '\\':
-            if (*++yyp != '\\')
+            if (*++yyp != '\\')
-              goto do_not_strip_quotes;
+              goto do_not_strip_quotes;
-            /* Fall through.  */
+            /* Fall through.  */
-          default:
+          default:
-            if (yyres)
+            if (yyres)
-              yyres[yyn] = *yyp;
+              yyres[yyn] = *yyp;
-            yyn++;
+            yyn++;
-            break;
+            break;
-          case '"':
+          case '"':
-            if (yyres)
+            if (yyres)
-              yyres[yyn] = '\0';
+              yyres[yyn] = '\0';
-            return yyn;
+            return yyn;
-          }
+          }
    do_not_strip_quotes: ;
    }
@@ -1239,11 +1116,11 @@ static int
 yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                yytype_int16 *yyssp, int yytoken)
 {
-  YYSIZE_T yysize0 = yytnamerr (YY_NULL, yytname[yytoken]);
+  YYSIZE_T yysize0 = yytnamerr (YY_NULLPTR, yytname[yytoken]);
  YYSIZE_T yysize = yysize0;
  enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
  /* Internationalized format string. */
-  const char *yyformat = YY_NULL;
+  const char *yyformat = YY_NULLPTR;
  /* Arguments of yyformat. */
  char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
  /* Number of reported tokens (one for the "unexpected", one per
@@ -1251,10 +1128,6 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
  int yycount = 0;
  /* There are many possibilities here to consider:
-     - Assume YYFAIL is not used.  It's too flawed to consider.  See
-       <http://lists.gnu.org/archive/html/bison-patches/2009-12/msg00024.html>
-       for details.  YYERROR is fine as it does not invoke this
-       function.
     - If this state is a consistent state with a default action, then
       the only way this function was invoked is if the default action
       is an error action.  In that case, don't check for expected
@@ -1304,7 +1177,7 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
                  }
                yyarg[yycount++] = yytname[yyx];
                {
-                  YYSIZE_T yysize1 = yysize + yytnamerr (YY_NULL, yytname[yyx]);
+                  YYSIZE_T yysize1 = yysize + yytnamerr (YY_NULLPTR, yytname[yyx]);
                  if (! (yysize <= yysize1
                         && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
                    return 2;
@@ -1371,31 +1244,17 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
 | Release the memory associated to this symbol.  |
 `-----------------------------------------------*/
-/*ARGSUSED*/
-#if (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
 static void
 yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep)
-#else
-static void
-yydestruct (yymsg, yytype, yyvaluep)
-    const char *yymsg;
-    int yytype;
-    YYSTYPE *yyvaluep;
-#endif
 {
  YYUSE (yyvaluep);
  if (!yymsg)
    yymsg = "Deleting";
  YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp);
-  switch (yytype)
+  YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-    {
+  YYUSE (yytype);
+  YY_IGNORE_MAYBE_UNINITIALIZED_END
-      default:
-        break;
-    }
 }
@@ -1404,18 +1263,8 @@ yydestruct (yymsg, yytype, yyvaluep)
 /* The lookahead symbol.  */
 int yychar;
-#ifndef YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
-# define YY_IGNORE_MAYBE_UNINITIALIZED_END
-#endif
-#ifndef YY_INITIAL_VALUE
-# define YY_INITIAL_VALUE(Value) /* Nothing. */
-#endif
 /* The semantic value of the lookahead symbol.  */
-YYSTYPE yylval YY_INITIAL_VALUE(yyval_default);
+YYSTYPE yylval;
 /* Number of syntax errors so far.  */
 int yynerrs;
@@ -1424,35 +1273,16 @@ int yynerrs;
 | yyparse.  |
 `----------*/
-#ifdef YYPARSE_PARAM
-#if (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
-int
-yyparse (void *YYPARSE_PARAM)
-#else
-int
-yyparse (YYPARSE_PARAM)
-    void *YYPARSE_PARAM;
-#endif
-#else /* ! YYPARSE_PARAM */
-#if (defined __STDC__ || defined __C99__FUNC__ \
-     || defined __cplusplus || defined _MSC_VER)
 int
 yyparse (void)
-#else
-int
-yyparse ()
-#endif
-#endif
 {
    int yystate;
    /* Number of tokens to shift before error messages enabled.  */
    int yyerrstatus;
    /* The stacks and their tools:
-       `yyss': related to states.
+       'yyss': related to states.
-       `yyvs': related to semantic values.
+       'yyvs': related to semantic values.
       Refer to the stacks through separate pointers, to allow yyoverflow
       to reallocate them elsewhere.  */
@@ -1520,23 +1350,23 @@ yyparse ()
 #ifdef yyoverflow
      {
-        /* Give user a chance to reallocate the stack.  Use copies of
+        /* Give user a chance to reallocate the stack.  Use copies of
-           these so that the &'s don't force the real ones into
+           these so that the &'s don't force the real ones into
-           memory.  */
+           memory.  */
-        YYSTYPE *yyvs1 = yyvs;
+        YYSTYPE *yyvs1 = yyvs;
-        yytype_int16 *yyss1 = yyss;
+        yytype_int16 *yyss1 = yyss;
-        /* Each stack pointer address is followed by the size of the
+        /* Each stack pointer address is followed by the size of the
-           data in use in that stack, in bytes.  This used to be a
+           data in use in that stack, in bytes.  This used to be a
-           conditional around just the two extra args, but that might
+           conditional around just the two extra args, but that might
-           be undefined if yyoverflow is a macro.  */
+           be undefined if yyoverflow is a macro.  */
-        yyoverflow (YY_("memory exhausted"),
+        yyoverflow (YY_("memory exhausted"),
-                    &yyss1, yysize * sizeof (*yyssp),
+                    &yyss1, yysize * sizeof (*yyssp),
-                    &yyvs1, yysize * sizeof (*yyvsp),
+                    &yyvs1, yysize * sizeof (*yyvsp),
-                    &yystacksize);
+                    &yystacksize);
-        yyss = yyss1;
+        yyss = yyss1;
-        yyvs = yyvs1;
+        yyvs = yyvs1;
      }
 #else /* no yyoverflow */
 # ifndef YYSTACK_RELOCATE
@@ -1544,22 +1374,22 @@ yyparse ()
 # else
      /* Extend the stack our own way.  */
      if (YYMAXDEPTH <= yystacksize)
-        goto yyexhaustedlab;
+        goto yyexhaustedlab;
      yystacksize *= 2;
      if (YYMAXDEPTH < yystacksize)
-        yystacksize = YYMAXDEPTH;
+        yystacksize = YYMAXDEPTH;
      {
-        yytype_int16 *yyss1 = yyss;
+        yytype_int16 *yyss1 = yyss;
-        union yyalloc *yyptr =
+        union yyalloc *yyptr =
-          (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
+          (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
-        if (! yyptr)
+        if (! yyptr)
-          goto yyexhaustedlab;
+          goto yyexhaustedlab;
-        YYSTACK_RELOCATE (yyss_alloc, yyss);
+        YYSTACK_RELOCATE (yyss_alloc, yyss);
-        YYSTACK_RELOCATE (yyvs_alloc, yyvs);
+        YYSTACK_RELOCATE (yyvs_alloc, yyvs);
 #  undef YYSTACK_RELOCATE
-        if (yyss1 != yyssa)
+        if (yyss1 != yyssa)
-          YYSTACK_FREE (yyss1);
+          YYSTACK_FREE (yyss1);
      }
 # endif
 #endif /* no yyoverflow */
@@ -1568,10 +1398,10 @@ yyparse ()
      yyvsp = yyvs + yysize - 1;
      YYDPRINTF ((stderr, "Stack size increased to %lu\n",
-                  (unsigned long int) yystacksize));
+                  (unsigned long int) yystacksize));
      if (yyss + yystacksize - 1 <= yyssp)
-        YYABORT;
+        YYABORT;
    }
  YYDPRINTF ((stderr, "Entering state %d\n", yystate));
@@ -1600,7 +1430,7 @@ yybackup:
  if (yychar == YYEMPTY)
    {
      YYDPRINTF ((stderr, "Reading a token: "));
-      yychar = YYLEX;
+      yychar = yylex ();
    }
  if (yychar <= YYEOF)
@@ -1665,7 +1495,7 @@ yyreduce:
  yylen = yyr2[yyn];
  /* If YYLEN is nonzero, implement the default value of the action:
-     `$$ = $1'.
+     '$$ = $1'.
     Otherwise, the following line sets YYVAL to garbage.
     This behavior is undocumented and Bison
@@ -1679,483 +1509,560 @@ yyreduce:
  switch (yyn)
    {
        case 4:
+#line 129 "parse.y" /* yacc.c:1646  */
    { is_typedef = 0; is_extern = 0; current_name = NULL; decl_spec = NULL; }
+#line 1515 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 5:
+#line 131 "parse.y" /* yacc.c:1646  */
-    { free_list(*(yyvsp[(2) - (2)]), NULL); *(yyvsp[(2) - (2)]) = NULL; }
+    { free_list(*(yyvsp[0]), NULL); *(yyvsp[0]) = NULL; }
+#line 1521 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 6:
+#line 135 "parse.y" /* yacc.c:1646  */
    { is_typedef = 1; }
+#line 1527 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 7:
+#line 136 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(4) - (4)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1533 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 8:
+#line 137 "parse.y" /* yacc.c:1646  */
    { is_typedef = 1; }
+#line 1539 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 9:
+#line 138 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1545 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 14:
+#line 143 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1551 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 15:
+#line 144 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1557 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 16:
+#line 149 "parse.y" /* yacc.c:1646  */
    { if (current_name) {
-                    struct string_list *decl = (*(yyvsp[(3) - (3)]))->next;
+                    struct string_list *decl = (*(yyvsp[0]))->next;
-                    (*(yyvsp[(3) - (3)]))->next = NULL;
+                    (*(yyvsp[0]))->next = NULL;
                    add_symbol(current_name,
                               is_typedef ? SYM_TYPEDEF : SYM_NORMAL,
                               decl, is_extern);
                    current_name = NULL;
                  }
-                  (yyval) = (yyvsp[(3) - (3)]);
+                  (yyval) = (yyvsp[0]);
                }
+#line 1572 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 17:
+#line 162 "parse.y" /* yacc.c:1646  */
    { (yyval) = NULL; }
+#line 1578 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 19:
+#line 168 "parse.y" /* yacc.c:1646  */
-    { struct string_list *decl = *(yyvsp[(1) - (1)]);
+    { struct string_list *decl = *(yyvsp[0]);
-                  *(yyvsp[(1) - (1)]) = NULL;
+                  *(yyvsp[0]) = NULL;
                  add_symbol(current_name,
                             is_typedef ? SYM_TYPEDEF : SYM_NORMAL, decl, is_extern);
                  current_name = NULL;
-                  (yyval) = (yyvsp[(1) - (1)]);
+                  (yyval) = (yyvsp[0]);
                }
+#line 1590 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 20:
+#line 176 "parse.y" /* yacc.c:1646  */
-    { struct string_list *decl = *(yyvsp[(3) - (3)]);
+    { struct string_list *decl = *(yyvsp[0]);
-                  *(yyvsp[(3) - (3)]) = NULL;
+                  *(yyvsp[0]) = NULL;
-                  free_list(*(yyvsp[(2) - (3)]), NULL);
+                  free_list(*(yyvsp[-1]), NULL);
-                  *(yyvsp[(2) - (3)]) = decl_spec;
+                  *(yyvsp[-1]) = decl_spec;
                  add_symbol(current_name,
                             is_typedef ? SYM_TYPEDEF : SYM_NORMAL, decl, is_extern);
                  current_name = NULL;
-                  (yyval) = (yyvsp[(3) - (3)]);
+                  (yyval) = (yyvsp[0]);
                }
+#line 1604 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 21:
+#line 189 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(4) - (4)]) ? (yyvsp[(4) - (4)]) : (yyvsp[(3) - (4)]) ? (yyvsp[(3) - (4)]) : (yyvsp[(2) - (4)]) ? (yyvsp[(2) - (4)]) : (yyvsp[(1) - (4)]); }
+    { (yyval) = (yyvsp[0]) ? (yyvsp[0]) : (yyvsp[-1]) ? (yyvsp[-1]) : (yyvsp[-2]) ? (yyvsp[-2]) : (yyvsp[-3]); }
+#line 1610 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 22:
+#line 194 "parse.y" /* yacc.c:1646  */
    { decl_spec = NULL; }
+#line 1616 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 24:
+#line 199 "parse.y" /* yacc.c:1646  */
-    { decl_spec = *(yyvsp[(1) - (1)]); }
+    { decl_spec = *(yyvsp[0]); }
+#line 1622 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 25:
+#line 200 "parse.y" /* yacc.c:1646  */
-    { decl_spec = *(yyvsp[(2) - (2)]); }
+    { decl_spec = *(yyvsp[0]); }
+#line 1628 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 26:
+#line 205 "parse.y" /* yacc.c:1646  */
    { /* Version 2 checksumming ignores storage class, as that
                     is really irrelevant to the linkage.  */
-                  remove_node((yyvsp[(1) - (1)]));
+                  remove_node((yyvsp[0]));
-                  (yyval) = (yyvsp[(1) - (1)]);
+                  (yyval) = (yyvsp[0]);
                }
+#line 1638 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 31:
+#line 217 "parse.y" /* yacc.c:1646  */
-    { is_extern = 1; (yyval) = (yyvsp[(1) - (1)]); }
+    { is_extern = 1; (yyval) = (yyvsp[0]); }
+#line 1644 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 32:
+#line 218 "parse.y" /* yacc.c:1646  */
-    { is_extern = 0; (yyval) = (yyvsp[(1) - (1)]); }
+    { is_extern = 0; (yyval) = (yyvsp[0]); }
+#line 1650 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 37:
+#line 230 "parse.y" /* yacc.c:1646  */
-    { remove_node((yyvsp[(1) - (2)])); (*(yyvsp[(2) - (2)]))->tag = SYM_STRUCT; (yyval) = (yyvsp[(2) - (2)]); }
+    { remove_node((yyvsp[-1])); (*(yyvsp[0]))->tag = SYM_STRUCT; (yyval) = (yyvsp[0]); }
+#line 1656 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 38:
+#line 232 "parse.y" /* yacc.c:1646  */
-    { remove_node((yyvsp[(1) - (2)])); (*(yyvsp[(2) - (2)]))->tag = SYM_UNION; (yyval) = (yyvsp[(2) - (2)]); }
+    { remove_node((yyvsp[-1])); (*(yyvsp[0]))->tag = SYM_UNION; (yyval) = (yyvsp[0]); }
+#line 1662 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 39:
+#line 234 "parse.y" /* yacc.c:1646  */
-    { remove_node((yyvsp[(1) - (2)])); (*(yyvsp[(2) - (2)]))->tag = SYM_ENUM; (yyval) = (yyvsp[(2) - (2)]); }
+    { remove_node((yyvsp[-1])); (*(yyvsp[0]))->tag = SYM_ENUM; (yyval) = (yyvsp[0]); }
+#line 1668 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 40:
+#line 238 "parse.y" /* yacc.c:1646  */
-    { record_compound((yyvsp[(1) - (3)]), (yyvsp[(2) - (3)]), (yyvsp[(3) - (3)]), SYM_STRUCT); (yyval) = (yyvsp[(3) - (3)]); }
+    { record_compound((yyvsp[-2]), (yyvsp[-1]), (yyvsp[0]), SYM_STRUCT); (yyval) = (yyvsp[0]); }
+#line 1674 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 41:
+#line 240 "parse.y" /* yacc.c:1646  */
-    { record_compound((yyvsp[(1) - (3)]), (yyvsp[(2) - (3)]), (yyvsp[(3) - (3)]), SYM_UNION); (yyval) = (yyvsp[(3) - (3)]); }
+    { record_compound((yyvsp[-2]), (yyvsp[-1]), (yyvsp[0]), SYM_UNION); (yyval) = (yyvsp[0]); }
+#line 1680 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 42:
+#line 242 "parse.y" /* yacc.c:1646  */
-    { record_compound((yyvsp[(1) - (3)]), (yyvsp[(2) - (3)]), (yyvsp[(3) - (3)]), SYM_ENUM); (yyval) = (yyvsp[(3) - (3)]); }
+    { record_compound((yyvsp[-2]), (yyvsp[-1]), (yyvsp[0]), SYM_ENUM); (yyval) = (yyvsp[0]); }
+#line 1686 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 43:
+#line 247 "parse.y" /* yacc.c:1646  */
-    { add_symbol(NULL, SYM_ENUM, NULL, 0); (yyval) = (yyvsp[(2) - (2)]); }
+    { add_symbol(NULL, SYM_ENUM, NULL, 0); (yyval) = (yyvsp[0]); }
+#line 1692 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 44:
+#line 249 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1698 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 45:
+#line 250 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1704 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 56:
+#line 264 "parse.y" /* yacc.c:1646  */
-    { (*(yyvsp[(1) - (1)]))->tag = SYM_TYPEDEF; (yyval) = (yyvsp[(1) - (1)]); }
+    { (*(yyvsp[0]))->tag = SYM_TYPEDEF; (yyval) = (yyvsp[0]); }
+#line 1710 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 57:
+#line 269 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]) ? (yyvsp[(2) - (2)]) : (yyvsp[(1) - (2)]); }
+    { (yyval) = (yyvsp[0]) ? (yyvsp[0]) : (yyvsp[-1]); }
+#line 1716 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 58:
+#line 273 "parse.y" /* yacc.c:1646  */
    { (yyval) = NULL; }
+#line 1722 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 61:
+#line 279 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1728 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 65:
+#line 285 "parse.y" /* yacc.c:1646  */
    { /* restrict has no effect in prototypes so ignore it */
-                  remove_node((yyvsp[(1) - (1)]));
+                  remove_node((yyvsp[0]));
-                  (yyval) = (yyvsp[(1) - (1)]);
+                  (yyval) = (yyvsp[0]);
                }
+#line 1737 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 66:
+#line 292 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1743 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 68:
+#line 298 "parse.y" /* yacc.c:1646  */
    { if (current_name != NULL) {
                    error_with_pos("unexpected second declaration name");
                    YYERROR;
                  } else {
-                    current_name = (*(yyvsp[(1) - (1)]))->string;
+                    current_name = (*(yyvsp[0]))->string;
-                    (yyval) = (yyvsp[(1) - (1)]);
+                    (yyval) = (yyvsp[0]);
                  }
                }
+#line 1756 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 69:
+#line 307 "parse.y" /* yacc.c:1646  */
    { if (current_name != NULL) {
                    error_with_pos("unexpected second declaration name");
                    YYERROR;
                  } else {
-                    current_name = (*(yyvsp[(1) - (1)]))->string;
+                    current_name = (*(yyvsp[0]))->string;
-                    (yyval) = (yyvsp[(1) - (1)]);
+                    (yyval) = (yyvsp[0]);
                  }
                }
+#line 1769 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 70:
+#line 316 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(4) - (4)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1775 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 71:
+#line 318 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(4) - (4)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1781 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 72:
+#line 320 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1787 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 73:
+#line 322 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1793 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 74:
+#line 328 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1799 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 75:
+  case 78:
+#line 336 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1805 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 79:
+#line 338 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(4) - (4)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1811 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 80:
+#line 340 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(4) - (4)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1817 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 81:
+#line 342 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1823 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 82:
+#line 344 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1829 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 83:
+#line 348 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1835 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 84:
+  case 85:
+#line 350 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1841 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 86:
+#line 354 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = NULL; }
+#line 1847 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 87:
+  case 89:
+#line 361 "parse.y" /* yacc.c:1646  */
-    { (yyval) = NULL; }
+    { (yyval) = (yyvsp[0]); }
+#line 1853 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 90:
+#line 366 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]) ? (yyvsp[0]) : (yyvsp[-1]); }
+#line 1859 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 91:
+#line 371 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]) ? (yyvsp[(2) - (2)]) : (yyvsp[(1) - (2)]); }
+    { (yyval) = (yyvsp[0]) ? (yyvsp[0]) : (yyvsp[-1]); }
+#line 1865 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 92:
+  case 93:
+#line 376 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]) ? (yyvsp[(2) - (2)]) : (yyvsp[(1) - (2)]); }
+    { (yyval) = NULL; }
+#line 1871 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 94:
+#line 378 "parse.y" /* yacc.c:1646  */
-    { (yyval) = NULL; }
+    { /* For version 2 checksums, we don't want to remember
+                     private parameter names.  */
+                  remove_node((yyvsp[0]));
+                  (yyval) = (yyvsp[0]);
+                }
+#line 1881 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 95:
+#line 386 "parse.y" /* yacc.c:1646  */
-    { /* For version 2 checksums, we don't want to remember
+    { remove_node((yyvsp[0]));
-                     private parameter names.  */
+                  (yyval) = (yyvsp[0]);
-                  remove_node((yyvsp[(1) - (1)]));
-                  (yyval) = (yyvsp[(1) - (1)]);
                }
+#line 1889 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 96:
+#line 390 "parse.y" /* yacc.c:1646  */
-    { remove_node((yyvsp[(1) - (1)]));
+    { (yyval) = (yyvsp[0]); }
-                  (yyval) = (yyvsp[(1) - (1)]);
+#line 1895 "parse.tab.c" /* yacc.c:1646  */
-                }
    break;
  case 97:
+#line 392 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(4) - (4)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1901 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 98:
+#line 394 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(4) - (4)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1907 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 99:
+#line 396 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1913 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 100:
+#line 398 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1919 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 101:
+#line 403 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { struct string_list *decl = *(yyvsp[-1]);
-    break;
+                  *(yyvsp[-1]) = NULL;
-  case 102:
-    { struct string_list *decl = *(yyvsp[(2) - (3)]);
-                  *(yyvsp[(2) - (3)]) = NULL;
                  add_symbol(current_name, SYM_NORMAL, decl, is_extern);
-                  (yyval) = (yyvsp[(3) - (3)]);
+                  (yyval) = (yyvsp[0]);
                }
+#line 1929 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 103:
+  case 102:
+#line 411 "parse.y" /* yacc.c:1646  */
    { (yyval) = NULL; }
+#line 1935 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 105:
+  case 104:
+#line 418 "parse.y" /* yacc.c:1646  */
+    { remove_list((yyvsp[0]), &(*(yyvsp[-1]))->next); (yyval) = (yyvsp[0]); }
+#line 1941 "parse.tab.c" /* yacc.c:1646  */
+    break;
-    { remove_list((yyvsp[(2) - (2)]), &(*(yyvsp[(1) - (2)]))->next); (yyval) = (yyvsp[(2) - (2)]); }
+  case 105:
+#line 422 "parse.y" /* yacc.c:1646  */
+    { (yyval) = (yyvsp[0]); }
+#line 1947 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 106:
+#line 423 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1953 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 107:
+#line 427 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = NULL; }
+#line 1959 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 108:
+  case 110:
+#line 433 "parse.y" /* yacc.c:1646  */
-    { (yyval) = NULL; }
+    { (yyval) = (yyvsp[0]); }
+#line 1965 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 111:
+#line 438 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1971 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 112:
+#line 440 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 1977 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 113:
+#line 444 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = NULL; }
+#line 1983 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 114:
+  case 116:
+#line 450 "parse.y" /* yacc.c:1646  */
-    { (yyval) = NULL; }
+    { (yyval) = (yyvsp[0]); }
+#line 1989 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 117:
+#line 454 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]) ? (yyvsp[0]) : (yyvsp[-1]); }
+#line 1995 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 118:
+#line 455 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]) ? (yyvsp[(2) - (2)]) : (yyvsp[(1) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 2001 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 119:
+  case 120:
+#line 460 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 2007 "parse.tab.c" /* yacc.c:1646  */
    break;
  case 121:
+#line 464 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
-    break;
-  case 122:
    { (yyval) = NULL; }
+#line 2013 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 124:
+  case 123:
+#line 469 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(3) - (3)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 2019 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 125:
+  case 124:
+#line 470 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(4) - (4)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 2025 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 128:
+  case 127:
+#line 479 "parse.y" /* yacc.c:1646  */
    {
-                        const char *name = strdup((*(yyvsp[(1) - (1)]))->string);
+                        const char *name = strdup((*(yyvsp[0]))->string);
                        add_symbol(name, SYM_ENUM_CONST, NULL, 0);
                }
+#line 2034 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 129:
+  case 128:
+#line 484 "parse.y" /* yacc.c:1646  */
    {
-                        const char *name = strdup((*(yyvsp[(1) - (3)]))->string);
+                        const char *name = strdup((*(yyvsp[-2]))->string);
-                        struct string_list *expr = copy_list_range(*(yyvsp[(3) - (3)]), *(yyvsp[(2) - (3)]));
+                        struct string_list *expr = copy_list_range(*(yyvsp[0]), *(yyvsp[-1]));
                        add_symbol(name, SYM_ENUM_CONST, expr, 0);
                }
+#line 2044 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 130:
+  case 129:
+#line 491 "parse.y" /* yacc.c:1646  */
-    { (yyval) = (yyvsp[(2) - (2)]); }
+    { (yyval) = (yyvsp[0]); }
+#line 2050 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 131:
+  case 130:
+#line 495 "parse.y" /* yacc.c:1646  */
    { (yyval) = NULL; }
+#line 2056 "parse.tab.c" /* yacc.c:1646  */
    break;
-  case 133:
+  case 132:
+#line 501 "parse.y" /* yacc.c:1646  */
-    { export_symbol((*(yyvsp[(3) - (5)]))->string); (yyval) = (yyvsp[(5) - (5)]); }
+    { export_symbol((*(yyvsp[-2]))->string); (yyval) = (yyvsp[0]); }
+#line 2062 "parse.tab.c" /* yacc.c:1646  */
    break;
+#line 2066 "parse.tab.c" /* yacc.c:1646  */
      default: break;
    }
  /* User semantic actions sometimes alter yychar, and that requires
@@ -2177,7 +2084,7 @@ yyreduce:
  *++yyvsp = yyval;
-  /* Now `shift' the result of the reduction.  Determine what state
+  /* Now 'shift' the result of the reduction.  Determine what state
     that goes to, based on the state we popped back to and the rule
     number reduced by.  */
@@ -2192,9 +2099,9 @@ yyreduce:
  goto yynewstate;
-/*------------------------------------.
+/*--------------------------------------.
-| yyerrlab -- here on detecting error |
+| yyerrlab -- here on detecting error.  |
-`------------------------------------*/
+`--------------------------------------*/
 yyerrlab:
  /* Make sure we have latest lookahead translation.  See comments at
     user semantic actions for why this is necessary.  */
@@ -2245,20 +2152,20 @@ yyerrlab:
  if (yyerrstatus == 3)
    {
      /* If just tried and failed to reuse lookahead token after an
-         error, discard it.  */
+         error, discard it.  */
      if (yychar <= YYEOF)
-        {
+        {
-          /* Return failure if at end of input.  */
+          /* Return failure if at end of input.  */
-          if (yychar == YYEOF)
+          if (yychar == YYEOF)
-            YYABORT;
+            YYABORT;
-        }
+        }
      else
-        {
+        {
-          yydestruct ("Error: discarding",
+          yydestruct ("Error: discarding",
-                      yytoken, &yylval);
+                      yytoken, &yylval);
-          yychar = YYEMPTY;
+          yychar = YYEMPTY;
-        }
+        }
    }
  /* Else will try to reuse lookahead token after shifting the error
@@ -2277,7 +2184,7 @@ yyerrorlab:
  if (/*CONSTCOND*/ 0)
     goto yyerrorlab;
-  /* Do not reclaim the symbols of the rule which action triggered
+  /* Do not reclaim the symbols of the rule whose action triggered
     this YYERROR.  */
  YYPOPSTACK (yylen);
  yylen = 0;
@@ -2290,29 +2197,29 @@ yyerrorlab:
 | yyerrlab1 -- common code for both syntax error and YYERROR.  |
 `-------------------------------------------------------------*/
 yyerrlab1:
-  yyerrstatus = 3;      /* Each real token shifted decrements this.  */
+  yyerrstatus = 3;      /* Each real token shifted decrements this.  */
  for (;;)
    {
      yyn = yypact[yystate];
      if (!yypact_value_is_default (yyn))
-        {
+        {
-          yyn += YYTERROR;
+          yyn += YYTERROR;
-          if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
+          if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
-            {
+            {
-              yyn = yytable[yyn];
+              yyn = yytable[yyn];
-              if (0 < yyn)
+              if (0 < yyn)
-                break;
+                break;
-            }
+            }
-        }
+        }
      /* Pop the current state because it cannot handle the error token.  */
      if (yyssp == yyss)
-        YYABORT;
+        YYABORT;
      yydestruct ("Error: popping",
-                  yystos[yystate], yyvsp);
+                  yystos[yystate], yyvsp);
      YYPOPSTACK (1);
      yystate = *yyssp;
      YY_STACK_PRINT (yyss, yyssp);
@@ -2363,14 +2270,14 @@ yyreturn:
      yydestruct ("Cleanup: discarding lookahead",
                  yytoken, &yylval);
    }
-  /* Do not reclaim the symbols of the rule which action triggered
+  /* Do not reclaim the symbols of the rule whose action triggered
     this YYABORT or YYACCEPT.  */
  YYPOPSTACK (yylen);
  YY_STACK_PRINT (yyss, yyssp);
  while (yyssp != yyss)
    {
      yydestruct ("Cleanup: popping",
-                  yystos[*yyssp], yyvsp);
+                  yystos[*yyssp], yyvsp);
      YYPOPSTACK (1);
    }
 #ifndef yyoverflow
@@ -2381,12 +2288,9 @@ yyreturn:
  if (yymsg != yymsgbuf)
    YYSTACK_FREE (yymsg);
 #endif
-  /* Make sure YYID is used.  */
+  return yyresult;
-  return YYID (yyresult);
 }
+#line 505 "parse.y" /* yacc.c:1906  */
 static void
diff --git a/scripts/genksyms/parse.tab.h_shipped b/scripts/genksyms/parse.tab.h_shipped
index 4c00cef6d71d..1751bd03ad26 100644
--- a/scripts/genksyms/parse.tab.h_shipped
+++ b/scripts/genksyms/parse.tab.h_shipped
@@ -1,19 +1,19 @@
-/* A Bison parser, made by GNU Bison 2.7.  */
+/* A Bison parser, made by GNU Bison 3.0.4.  */
 /* Bison interface for Yacc-like parsers in C
-   
-      Copyright (C) 1984, 1989-1990, 2000-2012 Free Software Foundation, Inc.
+   Copyright (C) 1984, 1989-1990, 2000-2015 Free Software Foundation, Inc.
-   
   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.
-   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
-   
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
@@ -26,93 +26,80 @@
   special exception, which will cause the skeleton and the resulting
   Bison output files to be licensed under the GNU General Public
   License without this special exception.
-   
   This special exception was added by the Free Software Foundation in
   version 2.2 of Bison.  */
-#ifndef YY_YY_SCRIPTS_GENKSYMS_PARSE_TAB_H_SHIPPED_INCLUDED
+#ifndef YY_YY_PARSE_TAB_H_INCLUDED
-# define YY_YY_SCRIPTS_GENKSYMS_PARSE_TAB_H_SHIPPED_INCLUDED
+# define YY_YY_PARSE_TAB_H_INCLUDED
-/* Enabling traces.  */
+/* Debug traces.  */
 #ifndef YYDEBUG
-# define YYDEBUG 1
+# define YYDEBUG 0
 #endif
 #if YYDEBUG
 extern int yydebug;
 #endif
-/* Tokens.  */
+/* Token type.  */
 #ifndef YYTOKENTYPE
 # define YYTOKENTYPE
-   /* Put the tokens into the symbol table, so that GDB and other debuggers
+  enum yytokentype
-      know about them.  */
+  {
-   enum yytokentype {
+    ASM_KEYW = 258,
-     ASM_KEYW = 258,
+    ATTRIBUTE_KEYW = 259,
-     ATTRIBUTE_KEYW = 259,
+    AUTO_KEYW = 260,
-     AUTO_KEYW = 260,
+    BOOL_KEYW = 261,
-     BOOL_KEYW = 261,
+    CHAR_KEYW = 262,
-     CHAR_KEYW = 262,
+    CONST_KEYW = 263,
-     CONST_KEYW = 263,
+    DOUBLE_KEYW = 264,
-     DOUBLE_KEYW = 264,
+    ENUM_KEYW = 265,
-     ENUM_KEYW = 265,
+    EXTERN_KEYW = 266,
-     EXTERN_KEYW = 266,
+    EXTENSION_KEYW = 267,
-     EXTENSION_KEYW = 267,
+    FLOAT_KEYW = 268,
-     FLOAT_KEYW = 268,
+    INLINE_KEYW = 269,
-     INLINE_KEYW = 269,
+    INT_KEYW = 270,
-     INT_KEYW = 270,
+    LONG_KEYW = 271,
-     LONG_KEYW = 271,
+    REGISTER_KEYW = 272,
-     REGISTER_KEYW = 272,
+    RESTRICT_KEYW = 273,
-     RESTRICT_KEYW = 273,
+    SHORT_KEYW = 274,
-     SHORT_KEYW = 274,
+    SIGNED_KEYW = 275,
-     SIGNED_KEYW = 275,
+    STATIC_KEYW = 276,
-     STATIC_KEYW = 276,
+    STRUCT_KEYW = 277,
-     STRUCT_KEYW = 277,
+    TYPEDEF_KEYW = 278,
-     TYPEDEF_KEYW = 278,
+    UNION_KEYW = 279,
-     UNION_KEYW = 279,
+    UNSIGNED_KEYW = 280,
-     UNSIGNED_KEYW = 280,
+    VOID_KEYW = 281,
-     VOID_KEYW = 281,
+    VOLATILE_KEYW = 282,
-     VOLATILE_KEYW = 282,
+    TYPEOF_KEYW = 283,
-     TYPEOF_KEYW = 283,
+    EXPORT_SYMBOL_KEYW = 284,
-     EXPORT_SYMBOL_KEYW = 284,
+    ASM_PHRASE = 285,
-     ASM_PHRASE = 285,
+    ATTRIBUTE_PHRASE = 286,
-     ATTRIBUTE_PHRASE = 286,
+    TYPEOF_PHRASE = 287,
-     TYPEOF_PHRASE = 287,
+    BRACE_PHRASE = 288,
-     BRACE_PHRASE = 288,
+    BRACKET_PHRASE = 289,
-     BRACKET_PHRASE = 289,
+    EXPRESSION_PHRASE = 290,
-     EXPRESSION_PHRASE = 290,
+    CHAR = 291,
-     CHAR = 291,
+    DOTS = 292,
-     DOTS = 292,
+    IDENT = 293,
-     IDENT = 293,
+    INT = 294,
-     INT = 294,
+    REAL = 295,
-     REAL = 295,
+    STRING = 296,
-     STRING = 296,
+    TYPE = 297,
-     TYPE = 297,
+    OTHER = 298,
-     OTHER = 298,
+    FILENAME = 299
-     FILENAME = 299
+  };
-   };
 #endif
+/* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef int YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
-# define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
 #endif
 extern YYSTYPE yylval;
-#ifdef YYPARSE_PARAM
-#if defined __STDC__ || defined __cplusplus
-int yyparse (void *YYPARSE_PARAM);
-#else
-int yyparse ();
-#endif
-#else /* ! YYPARSE_PARAM */
-#if defined __STDC__ || defined __cplusplus
 int yyparse (void);
-#else
-int yyparse ();
-#endif
-#endif /* ! YYPARSE_PARAM */
-#endif /* !YY_YY_SCRIPTS_GENKSYMS_PARSE_TAB_H_SHIPPED_INCLUDED  */
+#endif /* !YY_YY_PARSE_TAB_H_INCLUDED  */
diff --git a/scripts/genksyms/parse.y b/scripts/genksyms/parse.y
index 723ab30fe9d4..268efe37688a 100644
--- a/scripts/genksyms/parse.y
+++ b/scripts/genksyms/parse.y
@@ -320,8 +320,6 @@ direct_declarator:
                { $$ = $2; }
        | '(' declarator ')'
                { $$ = $3; }
-        | '(' error ')'
-                { $$ = $3; }
        ;
 /* Nested declarators differ from regular declarators in that they do
diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
index dd243d2abd87..138d7f100f7e 100644
--- a/scripts/kconfig/confdata.c
+++ b/scripts/kconfig/confdata.c
@@ -743,7 +743,7 @@ int conf_write(const char *name)
        struct menu *menu;
        const char *basename;
        const char *str;
-        char dirname[PATH_MAX+1], tmpname[PATH_MAX+1], newname[PATH_MAX+1];
+        char dirname[PATH_MAX+1], tmpname[PATH_MAX+22], newname[PATH_MAX+8];
        char *env;
        dirname[0] = 0;
diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c
index cbf4996dd9c1..ed29bad1f03a 100644
--- a/scripts/kconfig/expr.c
+++ b/scripts/kconfig/expr.c
@@ -113,7 +113,7 @@ void expr_free(struct expr *e)
                break;
        case E_NOT:
                expr_free(e->left.expr);
-                return;
+                break;
        case E_EQUAL:
        case E_GEQ:
        case E_GTH:
diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c
index b05cc3d4a9be..8360feaf51ce 100644
--- a/scripts/kconfig/menu.c
+++ b/scripts/kconfig/menu.c
@@ -364,6 +364,7 @@ void menu_finalize(struct menu *parent)
                        menu->parent = parent;
                        last_menu = menu;
                }
+                expr_free(basedep);
                if (last_menu) {
                        parent->list = parent->next;
                        parent->next = last_menu->next;
diff --git a/scripts/kconfig/zconf.y b/scripts/kconfig/zconf.y
index 71bf8bff696a..5122ed2d839a 100644
--- a/scripts/kconfig/zconf.y
+++ b/scripts/kconfig/zconf.y
@@ -107,7 +107,27 @@ static struct menu *current_menu, *current_entry;
 %%
 input: nl start | start;
-start: mainmenu_stmt stmt_list | stmt_list;
+start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list;
+/* mainmenu entry */
+mainmenu_stmt: T_MAINMENU prompt nl
+{
+        menu_add_prompt(P_MENU, $2, NULL);
+};
+/* Default main menu, if there's no mainmenu entry */
+no_mainmenu_stmt: /* empty */
+{
+        /*
+         * Hack: Keep the main menu title on the heap so we can safely free it
+         * later regardless of whether it comes from the 'prompt' in
+         * mainmenu_stmt or here
+         */
+        menu_add_prompt(P_MENU, strdup("Linux Kernel Configuration"), NULL);
+};
 stmt_list:
          /* empty */
@@ -344,13 +364,6 @@ if_block:
        | if_block choice_stmt
 ;
-/* mainmenu entry */
-mainmenu_stmt: T_MAINMENU prompt nl
-{
-        menu_add_prompt(P_MENU, $2, NULL);
-};
 /* menu entry */
 menu: T_MENU prompt T_EOL
@@ -495,6 +508,7 @@ word_opt: /* empty */			{ $$ = NULL; }
 void conf_parse(const char *name)
 {
+        const char *tmp;
        struct symbol *sym;
        int i;
@@ -502,7 +516,6 @@ void conf_parse(const char *name)
        sym_init();
        _menu_init();
-        rootmenu.prompt = menu_add_prompt(P_MENU, "Linux Kernel Configuration", NULL);
        if (getenv("ZCONF_DEBUG"))
                zconfdebug = 1;
@@ -512,8 +525,10 @@ void conf_parse(const char *name)
        if (!modules_sym)
                modules_sym = sym_find( "n" );
+        tmp = rootmenu.prompt->text;
        rootmenu.prompt->text = _(rootmenu.prompt->text);
        rootmenu.prompt->text = sym_expand_string_value(rootmenu.prompt->text);
+        free((char*)tmp);
        menu_finalize(&rootmenu);
        for_all_symbols(i, sym) {
diff --git a/scripts/kernel-doc b/scripts/kernel-doc
index 638a38e1b419..bba8ad9c4f2c 100755
--- a/scripts/kernel-doc
+++ b/scripts/kernel-doc
@@ -2742,4 +2742,4 @@ if ($verbose && $warnings) {
  print STDERR "$warnings warnings\n";
 }
-exit($errors);
+exit($output_mode eq "none" ? 0 : $errors);
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index e080746e1a6b..bd5151915e5a 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -594,7 +594,8 @@ static int ignore_undef_symbol(struct elf_info *info, const char *symname)
                if (strncmp(symname, "_restgpr0_", sizeof("_restgpr0_") - 1) == 0 ||
                    strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0 ||
                    strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 ||
-                    strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0)
+                    strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0 ||
+                    strcmp(symname, ".TOC.") == 0)
                        return 1;
        /* Do not ignore this symbol */
        return 0;
@@ -2128,6 +2129,14 @@ static void add_intree_flag(struct buffer *b, int is_intree)
                buf_printf(b, "\nMODULE_INFO(intree, \"Y\");\n");
 }
+/* Cannot check for assembler */
+static void add_retpoline(struct buffer *b)
+{
+        buf_printf(b, "\n#ifdef RETPOLINE\n");
+        buf_printf(b, "MODULE_INFO(retpoline, \"Y\");\n");
+        buf_printf(b, "#endif\n");
+}
 static void add_staging_flag(struct buffer *b, const char *name)
 {
        static const char *staging_dir = "drivers/staging";
@@ -2472,6 +2481,7 @@ int main(int argc, char **argv)
                add_header(&buf, mod);
                add_intree_flag(&buf, !external_module);
+                add_retpoline(&buf);
                add_staging_flag(&buf, mod->name);
                err |= add_versions(&buf, mod);
                add_depends(&buf, mod, modules);
diff --git a/scripts/tags.sh b/scripts/tags.sh
index 262889046703..45e246595d10 100755
--- a/scripts/tags.sh
+++ b/scripts/tags.sh
@@ -106,6 +106,7 @@ all_compiled_sources()
                case "$i" in
                        *.[cS])
                                j=${i/\.[cS]/\.o}
+                                j="${j#$tree}"
                                if [ -e $j ]; then
                                        echo $i
                                fi
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index dec607c17b64..6dc4ce47580f 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -722,7 +722,7 @@ module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
 /* Maximum pathname length before accesses will start getting rejected */
 unsigned int aa_g_path_max = 2 * PATH_MAX;
-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
+module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
 /* Determines how paranoid loading of policy is and how much verification
 * on the loaded policy is done.
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index df303346029b..648a0461f8ed 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -10,6 +10,7 @@ config IMA
        select CRYPTO_HASH_INFO
        select TCG_TPM if HAS_IOMEM && !UML
        select TCG_TIS if TCG_TPM && X86
+        select TCG_CRB if TCG_TPM && ACPI
        select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
        help
          The Trusted Computing Group(TCG) runtime Integrity
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 19014293f927..c36b98b07d6b 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -206,7 +206,8 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
                if (opened & FILE_CREATED)
                        iint->flags |= IMA_NEW_FILE;
                if ((iint->flags & IMA_NEW_FILE) &&
-                    !(iint->flags & IMA_DIGSIG_REQUIRED))
+                    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
+                     (inode->i_size == 0)))
                        status = INTEGRITY_PASS;
                goto out;
        }
@@ -382,14 +383,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
        result = ima_protect_xattr(dentry, xattr_name, xattr_value,
                                   xattr_value_len);
        if (result == 1) {
-                bool digsig;
                if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
                        return -EINVAL;
-                digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+                ima_reset_appraise_flags(d_backing_inode(dentry),
-                if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
+                         (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
-                        return -EPERM;
-                ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
                result = 0;
        }
        return result;
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 6eb62936c672..a29209fa5674 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -78,6 +78,8 @@ int __init ima_init_crypto(void)
                       hash_algo_name[ima_hash_algo], rc);
                return rc;
        }
+        pr_info("Allocated hash algorithm: %s\n",
+                hash_algo_name[ima_hash_algo]);
        return 0;
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 98289ba2a2e6..236dce30e517 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -16,6 +16,9 @@
 *      implements the IMA hooks: ima_bprm_check, ima_file_mmap,
 *      and ima_file_check.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/file.h>
 #include <linux/binfmts.h>
@@ -353,6 +356,16 @@ static int __init init_ima(void)
        hash_setup(CONFIG_IMA_DEFAULT_HASH);
        error = ima_init();
+        if (error && strcmp(hash_algo_name[ima_hash_algo],
+                            CONFIG_IMA_DEFAULT_HASH) != 0) {
+                pr_info("Allocating %s failed, going to use default hash algorithm %s\n",
+                        hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH);
+                hash_setup_done = 0;
+                hash_setup(CONFIG_IMA_DEFAULT_HASH);
+                error = ima_init();
+        }
        if (!error) {
                ima_initialized = 1;
                ima_update_policy_flag();
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index ce295c0c1da0..e44e844c8ec4 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc)
 */
 static int valid_master_desc(const char *new_desc, const char *orig_desc)
 {
-        if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) {
+        int prefix_len;
-                if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN)
-                        goto out;
+        if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
-                if (orig_desc)
+                prefix_len = KEY_TRUSTED_PREFIX_LEN;
-                        if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN))
+        else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
-                                goto out;
+                prefix_len = KEY_USER_PREFIX_LEN;
-        } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) {
+        else
-                if (strlen(new_desc) == KEY_USER_PREFIX_LEN)
+                return -EINVAL;
-                        goto out;
-                if (orig_desc)
+        if (!new_desc[prefix_len])
-                        if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN))
+                return -EINVAL;
-                                goto out;
-        } else
+        if (orig_desc && strncmp(new_desc, orig_desc, prefix_len))
-                goto out;
+                return -EINVAL;
        return 0;
-out:
-        return -EINVAL;
 }
 /*
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4b56c3b6c25f..99212ff6a568 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -333,18 +333,6 @@ static void superblock_free_security(struct super_block *sb)
        kfree(sbsec);
 }
-/* The file system's label must be initialized prior to use. */
-static const char *labeling_behaviors[7] = {
-        "uses xattr",
-        "uses transition SIDs",
-        "uses task SIDs",
-        "uses genfs_contexts",
-        "not configured for labeling",
-        "uses mountpoint labeling",
-        "uses native labeling",
-};
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 static inline int inode_doinit(struct inode *inode)
@@ -456,10 +444,6 @@ static int sb_finish_set_opts(struct super_block *sb)
                }
        }
-        if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
-                printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
-                       sb->s_id, sb->s_type->name);
        sbsec->flags |= SE_SBINITIALIZED;
        if (selinux_is_sblabel_mnt(sb))
                sbsec->flags |= SBLABEL_MNT;
@@ -1958,8 +1942,9 @@ static inline u32 file_to_av(struct file *file)
 static inline u32 open_file_to_av(struct file *file)
 {
        u32 av = file_to_av(file);
+        struct inode *inode = file_inode(file);
-        if (selinux_policycap_openperm)
+        if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
                av |= FILE__OPEN;
        return av;
@@ -2928,6 +2913,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
 {
        const struct cred *cred = current_cred();
+        struct inode *inode = d_backing_inode(dentry);
        unsigned int ia_valid = iattr->ia_valid;
        __u32 av = FILE__WRITE;
@@ -2943,8 +2929,10 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
                        ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
                return dentry_has_perm(cred, dentry, FILE__SETATTR);
-        if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
+        if (selinux_policycap_openperm &&
-                        && !(ia_valid & ATTR_FILE))
+            inode->i_sb->s_magic != SOCKFS_MAGIC &&
+            (ia_valid & ATTR_SIZE) &&
+            !(ia_valid & ATTR_FILE))
                av |= FILE__OPEN;
        return dentry_has_perm(cred, dentry, av);
@@ -4032,6 +4020,8 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
        struct lsm_network_audit net = {0,};
        u32 tsid = task_sid(task);
+        if (!sksec)
+                return -EFAULT;
        if (sksec->sid == SECINITSID_KERNEL)
                return 0;
@@ -4122,10 +4112,18 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                u32 sid, node_perm;
                if (family == PF_INET) {
+                        if (addrlen < sizeof(struct sockaddr_in)) {
+                                err = -EINVAL;
+                                goto out;
+                        }
                        addr4 = (struct sockaddr_in *)address;
                        snum = ntohs(addr4->sin_port);
                        addrp = (char *)&addr4->sin_addr.s_addr;
                } else {
+                        if (addrlen < SIN6_LEN_RFC2133) {
+                                err = -EINVAL;
+                                goto out;
+                        }
                        addr6 = (struct sockaddr_in6 *)address;
                        snum = ntohs(addr6->sin6_port);
                        addrp = (char *)&addr6->sin6_addr.s6_addr;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ebb5eb3c318c..0a258c0602d1 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -155,7 +155,7 @@ static int selinux_set_mapping(struct policydb *pol,
                }
                k = 0;
-                while (p_in->perms && p_in->perms[k]) {
+                while (p_in->perms[k]) {
                        /* An empty permission string skips ahead */
                        if (!*p_in->perms[k]) {
                                k++;
@@ -860,6 +860,9 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
        int index;
        int rc;
+        if (!ss_initialized)
+                return 0;
        read_lock(&policy_rwlock);
        rc = -EINVAL;
@@ -1406,27 +1409,25 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
        if (!scontext_len)
                return -EINVAL;
+        /* Copy the string to allow changes and ensure a NUL terminator */
+        scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
+        if (!scontext2)
+                return -ENOMEM;
        if (!ss_initialized) {
                int i;
                for (i = 1; i < SECINITSID_NUM; i++) {
-                        if (!strcmp(initial_sid_to_string[i], scontext)) {
+                        if (!strcmp(initial_sid_to_string[i], scontext2)) {
                                *sid = i;
-                                return 0;
+                                goto out;
                        }
                }
                *sid = SECINITSID_KERNEL;
-                return 0;
+                goto out;
        }
        *sid = SECSID_NULL;
-        /* Copy the string so that we can modify the copy as we parse it. */
-        scontext2 = kmalloc(scontext_len + 1, gfp_flags);
-        if (!scontext2)
-                return -ENOMEM;
-        memcpy(scontext2, scontext, scontext_len);
-        scontext2[scontext_len] = 0;
        if (force) {
                /* Save another copy for storing in uninterpreted form */
                rc = -ENOMEM;
@@ -1440,7 +1441,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
                                      scontext_len, &context, def_sid);
        if (rc == -EINVAL && force) {
                context.str = str;
-                context.len = scontext_len;
+                context.len = strlen(str) + 1;
                str = NULL;
        } else if (rc)
                goto out_unlock;
diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c
index 0608f216f359..ac0a40b9ba1e 100644
--- a/sound/core/control_compat.c
+++ b/sound/core/control_compat.c
@@ -400,8 +400,7 @@ static int snd_ctl_elem_add_compat(struct snd_ctl_file *file,
        if (copy_from_user(&data->id, &data32->id, sizeof(data->id)) ||
            copy_from_user(&data->type, &data32->type, 3 * sizeof(u32)))
                goto error;
-        if (get_user(data->owner, &data32->owner) ||
+        if (get_user(data->owner, &data32->owner))
-            get_user(data->type, &data32->type))
                goto error;
        switch (data->type) {
        case SNDRV_CTL_ELEM_TYPE_BOOLEAN:
diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
index 494b7b533366..07feb35f1935 100644
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -833,8 +833,25 @@ static int choose_rate(struct snd_pcm_substream *substream,
        return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL);
 }
-static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
+/* parameter locking: returns immediately if tried during streaming */
-                                     bool trylock)
+static int lock_params(struct snd_pcm_runtime *runtime)
+{
+        if (mutex_lock_interruptible(&runtime->oss.params_lock))
+                return -ERESTARTSYS;
+        if (atomic_read(&runtime->oss.rw_ref)) {
+                mutex_unlock(&runtime->oss.params_lock);
+                return -EBUSY;
+        }
+        return 0;
+}
+static void unlock_params(struct snd_pcm_runtime *runtime)
+{
+        mutex_unlock(&runtime->oss.params_lock);
+}
+/* call with params_lock held */
+static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
 {
        struct snd_pcm_runtime *runtime = substream->runtime;
        struct snd_pcm_hw_params *params, *sparams;
@@ -848,12 +865,9 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
        struct snd_mask sformat_mask;
        struct snd_mask mask;
-        if (trylock) {
+        if (!runtime->oss.params)
-                if (!(mutex_trylock(&runtime->oss.params_lock)))
+                return 0;
-                        return -EAGAIN;
+        sw_params = kzalloc(sizeof(*sw_params), GFP_KERNEL);
-        } else if (mutex_lock_interruptible(&runtime->oss.params_lock))
-                return -EINTR;
-        sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL);
        params = kmalloc(sizeof(*params), GFP_KERNEL);
        sparams = kmalloc(sizeof(*sparams), GFP_KERNEL);
        if (!sw_params || !params || !sparams) {
@@ -991,7 +1005,6 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
                goto failure;
        }
-        memset(sw_params, 0, sizeof(*sw_params));
        if (runtime->oss.trigger) {
                sw_params->start_threshold = 1;
        } else {
@@ -1079,6 +1092,23 @@ failure:
        kfree(sw_params);
        kfree(params);
        kfree(sparams);
+        return err;
+}
+/* this one takes the lock by itself */
+static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
+                                     bool trylock)
+{
+        struct snd_pcm_runtime *runtime = substream->runtime;
+        int err;
+        if (trylock) {
+                if (!(mutex_trylock(&runtime->oss.params_lock)))
+                        return -EAGAIN;
+        } else if (mutex_lock_interruptible(&runtime->oss.params_lock))
+                return -ERESTARTSYS;
+        err = snd_pcm_oss_change_params_locked(substream);
        mutex_unlock(&runtime->oss.params_lock);
        return err;
 }
@@ -1107,6 +1137,10 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil
        return 0;
 }
+/* call with params_lock held */
+/* NOTE: this always call PREPARE unconditionally no matter whether
+ * runtime->oss.prepare is set or not
+ */
 static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream)
 {
        int err;
@@ -1131,8 +1165,6 @@ static int snd_pcm_oss_make_ready(struct snd_pcm_substream *substream)
        struct snd_pcm_runtime *runtime;
        int err;
-        if (substream == NULL)
-                return 0;
        runtime = substream->runtime;
        if (runtime->oss.params) {
                err = snd_pcm_oss_change_params(substream, false);
@@ -1140,6 +1172,29 @@ static int snd_pcm_oss_make_ready(struct snd_pcm_substream *substream)
                        return err;
        }
        if (runtime->oss.prepare) {
+                if (mutex_lock_interruptible(&runtime->oss.params_lock))
+                        return -ERESTARTSYS;
+                err = snd_pcm_oss_prepare(substream);
+                mutex_unlock(&runtime->oss.params_lock);
+                if (err < 0)
+                        return err;
+        }
+        return 0;
+}
+/* call with params_lock held */
+static int snd_pcm_oss_make_ready_locked(struct snd_pcm_substream *substream)
+{
+        struct snd_pcm_runtime *runtime;
+        int err;
+        runtime = substream->runtime;
+        if (runtime->oss.params) {
+                err = snd_pcm_oss_change_params_locked(substream);
+                if (err < 0)
+                        return err;
+        }
+        if (runtime->oss.prepare) {
                err = snd_pcm_oss_prepare(substream);
                if (err < 0)
                        return err;
@@ -1361,19 +1416,21 @@ static ssize_t snd_pcm_oss_write2(struct snd_pcm_substream *substream, const cha
 static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes)
 {
        size_t xfer = 0;
-        ssize_t tmp;
+        ssize_t tmp = 0;
        struct snd_pcm_runtime *runtime = substream->runtime;
        if (atomic_read(&substream->mmap_count))
                return -ENXIO;
-        if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
+        atomic_inc(&runtime->oss.rw_ref);
-                return tmp;
        while (bytes > 0) {
                if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
                        tmp = -ERESTARTSYS;
                        break;
                }
+                tmp = snd_pcm_oss_make_ready_locked(substream);
+                if (tmp < 0)
+                        goto err;
                if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
                        tmp = bytes;
                        if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes)
@@ -1429,6 +1486,7 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
                }
                tmp = 0;
        }
+        atomic_dec(&runtime->oss.rw_ref);
        return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
 }
@@ -1468,19 +1526,21 @@ static ssize_t snd_pcm_oss_read2(struct snd_pcm_substream *substream, char *buf,
 static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes)
 {
        size_t xfer = 0;
-        ssize_t tmp;
+        ssize_t tmp = 0;
        struct snd_pcm_runtime *runtime = substream->runtime;
        if (atomic_read(&substream->mmap_count))
                return -ENXIO;
-        if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
+        atomic_inc(&runtime->oss.rw_ref);
-                return tmp;
        while (bytes > 0) {
                if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
                        tmp = -ERESTARTSYS;
                        break;
                }
+                tmp = snd_pcm_oss_make_ready_locked(substream);
+                if (tmp < 0)
+                        goto err;
                if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
                        if (runtime->oss.buffer_used == 0) {
                                tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1);
@@ -1521,6 +1581,7 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
                }
                tmp = 0;
        }
+        atomic_dec(&runtime->oss.rw_ref);
        return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
 }
@@ -1536,10 +1597,12 @@ static int snd_pcm_oss_reset(struct snd_pcm_oss_file *pcm_oss_file)
                        continue;
                runtime = substream->runtime;
                snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
+                mutex_lock(&runtime->oss.params_lock);
                runtime->oss.prepare = 1;
                runtime->oss.buffer_used = 0;
                runtime->oss.prev_hw_ptr_period = 0;
                runtime->oss.period_ptr = 0;
+                mutex_unlock(&runtime->oss.params_lock);
        }
        return 0;
 }
@@ -1625,9 +1688,13 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
                        goto __direct;
                if ((err = snd_pcm_oss_make_ready(substream)) < 0)
                        return err;
+                atomic_inc(&runtime->oss.rw_ref);
+                if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
+                        atomic_dec(&runtime->oss.rw_ref);
+                        return -ERESTARTSYS;
+                }
                format = snd_pcm_oss_format_from(runtime->oss.format);
                width = snd_pcm_format_physical_width(format);
-                mutex_lock(&runtime->oss.params_lock);
                if (runtime->oss.buffer_used > 0) {
 #ifdef OSS_DEBUG
                        pcm_dbg(substream->pcm, "sync: buffer_used\n");
@@ -1637,10 +1704,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
                                                   runtime->oss.buffer + runtime->oss.buffer_used,
                                                   size);
                        err = snd_pcm_oss_sync1(substream, runtime->oss.period_bytes);
-                        if (err < 0) {
+                        if (err < 0)
-                                mutex_unlock(&runtime->oss.params_lock);
+                                goto unlock;
-                                return err;
-                        }
                } else if (runtime->oss.period_ptr > 0) {
 #ifdef OSS_DEBUG
                        pcm_dbg(substream->pcm, "sync: period_ptr\n");
@@ -1650,10 +1715,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
                                                   runtime->oss.buffer,
                                                   size * 8 / width);
                        err = snd_pcm_oss_sync1(substream, size);
-                        if (err < 0) {
+                        if (err < 0)
-                                mutex_unlock(&runtime->oss.params_lock);
+                                goto unlock;
-                                return err;
-                        }
                }
                /*
                 * The ALSA's period might be a bit large than OSS one.
@@ -1684,7 +1747,11 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
                                snd_pcm_lib_writev(substream, buffers, size);
                        }
                }
+unlock:
                mutex_unlock(&runtime->oss.params_lock);
+                atomic_dec(&runtime->oss.rw_ref);
+                if (err < 0)
+                        return err;
                /*
                 * finish sync: drain the buffer
                 */
@@ -1695,7 +1762,9 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
                substream->f_flags = saved_f_flags;
                if (err < 0)
                        return err;
+                mutex_lock(&runtime->oss.params_lock);
                runtime->oss.prepare = 1;
+                mutex_unlock(&runtime->oss.params_lock);
        }
        substream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
@@ -1706,8 +1775,10 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
                err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
                if (err < 0)
                        return err;
+                mutex_lock(&runtime->oss.params_lock);
                runtime->oss.buffer_used = 0;
                runtime->oss.prepare = 1;
+                mutex_unlock(&runtime->oss.params_lock);
        }
        return 0;
 }
@@ -1719,6 +1790,8 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate)
        for (idx = 1; idx >= 0; --idx) {
                struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
                struct snd_pcm_runtime *runtime;
+                int err;
                if (substream == NULL)
                        continue;
                runtime = substream->runtime;
@@ -1726,10 +1799,14 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate)
                        rate = 1000;
                else if (rate > 192000)
                        rate = 192000;
+                err = lock_params(runtime);
+                if (err < 0)
+                        return err;
                if (runtime->oss.rate != rate) {
                        runtime->oss.params = 1;
                        runtime->oss.rate = rate;
                }
+                unlock_params(runtime);
        }
        return snd_pcm_oss_get_rate(pcm_oss_file);
 }
@@ -1754,13 +1831,19 @@ static int snd_pcm_oss_set_channels(struct snd_pcm_oss_file *pcm_oss_file, unsig
        for (idx = 1; idx >= 0; --idx) {
                struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
                struct snd_pcm_runtime *runtime;
+                int err;
                if (substream == NULL)
                        continue;
                runtime = substream->runtime;
+                err = lock_params(runtime);
+                if (err < 0)
+                        return err;
                if (runtime->oss.channels != channels) {
                        runtime->oss.params = 1;
                        runtime->oss.channels = channels;
                }
+                unlock_params(runtime);
        }
        return snd_pcm_oss_get_channels(pcm_oss_file);
 }
@@ -1814,10 +1897,9 @@ static int snd_pcm_oss_get_formats(struct snd_pcm_oss_file *pcm_oss_file)
                return -ENOMEM;
        _snd_pcm_hw_params_any(params);
        err = snd_pcm_hw_refine(substream, params);
-        format_mask = *hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT); 
-        kfree(params);
        if (err < 0)
-                return err;
+                goto error;
+        format_mask = *hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
        for (fmt = 0; fmt < 32; ++fmt) {
                if (snd_mask_test(&format_mask, fmt)) {
                        int f = snd_pcm_oss_format_to(fmt);
@@ -1825,12 +1907,16 @@ static int snd_pcm_oss_get_formats(struct snd_pcm_oss_file *pcm_oss_file)
                                formats |= f;
                }
        }
-        return formats;
+ error:
+        kfree(params);
+        return err < 0 ? err : formats;
 }
 static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int format)
 {
        int formats, idx;
+        int err;
        
        if (format != AFMT_QUERY) {
                formats = snd_pcm_oss_get_formats(pcm_oss_file);
@@ -1844,10 +1930,14 @@ static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int for
                        if (substream == NULL)
                                continue;
                        runtime = substream->runtime;
+                        err = lock_params(runtime);
+                        if (err < 0)
+                                return err;
                        if (runtime->oss.format != format) {
                                runtime->oss.params = 1;
                                runtime->oss.format = format;
                        }
+                        unlock_params(runtime);
                }
        }
        return snd_pcm_oss_get_format(pcm_oss_file);
@@ -1867,8 +1957,6 @@ static int snd_pcm_oss_set_subdivide1(struct snd_pcm_substream *substream, int s
 {
        struct snd_pcm_runtime *runtime;
-        if (substream == NULL)
-                return 0;
        runtime = substream->runtime;
        if (subdivide == 0) {
                subdivide = runtime->oss.subdivision;
@@ -1892,9 +1980,17 @@ static int snd_pcm_oss_set_subdivide(struct snd_pcm_oss_file *pcm_oss_file, int
        for (idx = 1; idx >= 0; --idx) {
                struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
+                struct snd_pcm_runtime *runtime;
                if (substream == NULL)
                        continue;
-                if ((err = snd_pcm_oss_set_subdivide1(substream, subdivide)) < 0)
+                runtime = substream->runtime;
+                err = lock_params(runtime);
+                if (err < 0)
+                        return err;
+                err = snd_pcm_oss_set_subdivide1(substream, subdivide);
+                unlock_params(runtime);
+                if (err < 0)
                        return err;
        }
        return err;
@@ -1904,8 +2000,6 @@ static int snd_pcm_oss_set_fragment1(struct snd_pcm_substream *substream, unsign
 {
        struct snd_pcm_runtime *runtime;
-        if (substream == NULL)
-                return 0;
        runtime = substream->runtime;
        if (runtime->oss.subdivision || runtime->oss.fragshift)
                return -EINVAL;
@@ -1925,9 +2019,17 @@ static int snd_pcm_oss_set_fragment(struct snd_pcm_oss_file *pcm_oss_file, unsig
        for (idx = 1; idx >= 0; --idx) {
                struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
+                struct snd_pcm_runtime *runtime;
                if (substream == NULL)
                        continue;
-                if ((err = snd_pcm_oss_set_fragment1(substream, val)) < 0)
+                runtime = substream->runtime;
+                err = lock_params(runtime);
+                if (err < 0)
+                        return err;
+                err = snd_pcm_oss_set_fragment1(substream, val);
+                unlock_params(runtime);
+                if (err < 0)
                        return err;
        }
        return err;
@@ -2011,6 +2113,9 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
        }
        if (psubstream) {
                runtime = psubstream->runtime;
+                cmd = 0;
+                if (mutex_lock_interruptible(&runtime->oss.params_lock))
+                        return -ERESTARTSYS;
                if (trigger & PCM_ENABLE_OUTPUT) {
                        if (runtime->oss.trigger)
                                goto _skip1;
@@ -2028,13 +2133,19 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
                        cmd = SNDRV_PCM_IOCTL_DROP;
                        runtime->oss.prepare = 1;
                }
-                err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL);
-                if (err < 0)
-                        return err;
-        }
 _skip1:
+                mutex_unlock(&runtime->oss.params_lock);
+                if (cmd) {
+                        err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL);
+                        if (err < 0)
+                                return err;
+                }
+        }
        if (csubstream) {
                runtime = csubstream->runtime;
+                cmd = 0;
+                if (mutex_lock_interruptible(&runtime->oss.params_lock))
+                        return -ERESTARTSYS;
                if (trigger & PCM_ENABLE_INPUT) {
                        if (runtime->oss.trigger)
                                goto _skip2;
@@ -2049,11 +2160,14 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
                        cmd = SNDRV_PCM_IOCTL_DROP;
                        runtime->oss.prepare = 1;
                }
-                err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL);
-                if (err < 0)
-                        return err;
-        }
 _skip2:
+                mutex_unlock(&runtime->oss.params_lock);
+                if (cmd) {
+                        err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL);
+                        if (err < 0)
+                                return err;
+                }
+        }
        return 0;
 }
@@ -2305,6 +2419,7 @@ static void snd_pcm_oss_init_substream(struct snd_pcm_substream *substream,
        runtime->oss.maxfrags = 0;
        runtime->oss.subdivision = 0;
        substream->pcm_release = snd_pcm_oss_release_substream;
+        atomic_set(&runtime->oss.rw_ref, 0);
 }
 static int snd_pcm_oss_release_file(struct snd_pcm_oss_file *pcm_oss_file)
diff --git a/sound/core/pcm.c b/sound/core/pcm.c
index 074363b63cc4..6bda8f6c5f84 100644
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -28,6 +28,7 @@
 #include <sound/core.h>
 #include <sound/minors.h>
 #include <sound/pcm.h>
+#include <sound/timer.h>
 #include <sound/control.h>
 #include <sound/info.h>
@@ -1025,8 +1026,13 @@ void snd_pcm_detach_substream(struct snd_pcm_substream *substream)
        snd_free_pages((void*)runtime->control,
                       PAGE_ALIGN(sizeof(struct snd_pcm_mmap_control)));
        kfree(runtime->hw_constraints.rules);
-        kfree(runtime);
+        /* Avoid concurrent access to runtime via PCM timer interface */
+        if (substream->timer)
+                spin_lock_irq(&substream->timer->lock);
        substream->runtime = NULL;
+        if (substream->timer)
+                spin_unlock_irq(&substream->timer->lock);
+        kfree(runtime);
        put_pid(substream->pid);
        substream->pid = NULL;
        substream->pstr->substream_opened--;
diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
index 1f64ab0c2a95..7ae080bae15c 100644
--- a/sound/core/pcm_compat.c
+++ b/sound/core/pcm_compat.c
@@ -426,6 +426,8 @@ static int snd_pcm_ioctl_xfern_compat(struct snd_pcm_substream *substream,
                return -ENOTTY;
        if (substream->stream != dir)
                return -EINVAL;
+        if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN)
+                return -EBADFD;
        if ((ch = substream->runtime->channels) > 128)
                return -EINVAL;
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 4ba64fd49759..3de88974eeb6 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -2727,6 +2727,7 @@ static int snd_pcm_sync_ptr(struct snd_pcm_substream *substream,
        sync_ptr.s.status.hw_ptr = status->hw_ptr;
        sync_ptr.s.status.tstamp = status->tstamp;
        sync_ptr.s.status.suspended_state = status->suspended_state;
+        sync_ptr.s.status.audio_tstamp = status->audio_tstamp;
        snd_pcm_stream_unlock_irq(substream);
        if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr)))
                return -EFAULT;
@@ -3408,7 +3409,7 @@ int snd_pcm_lib_default_mmap(struct snd_pcm_substream *substream,
                                         area,
                                         substream->runtime->dma_area,
                                         substream->runtime->dma_addr,
-                                         area->vm_end - area->vm_start);
+                                         substream->runtime->dma_bytes);
 #endif /* CONFIG_X86 */
        /* mmap with fault handler */
        area->vm_ops = &snd_pcm_vm_ops_data_fault;
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 16f8124b1150..59111cadaec2 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -635,7 +635,7 @@ static int snd_rawmidi_info_select_user(struct snd_card *card,
 int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
                              struct snd_rawmidi_params * params)
 {
-        char *newbuf;
+        char *newbuf, *oldbuf;
        struct snd_rawmidi_runtime *runtime = substream->runtime;
        
        if (substream->append && substream->use_count > 1)
@@ -648,13 +648,17 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
                return -EINVAL;
        }
        if (params->buffer_size != runtime->buffer_size) {
-                newbuf = krealloc(runtime->buffer, params->buffer_size,
+                newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
-                                  GFP_KERNEL);
                if (!newbuf)
                        return -ENOMEM;
+                spin_lock_irq(&runtime->lock);
+                oldbuf = runtime->buffer;
                runtime->buffer = newbuf;
                runtime->buffer_size = params->buffer_size;
                runtime->avail = runtime->buffer_size;
+                runtime->appl_ptr = runtime->hw_ptr = 0;
+                spin_unlock_irq(&runtime->lock);
+                kfree(oldbuf);
        }
        runtime->avail_min = params->avail_min;
        substream->active_sensing = !params->no_active_sensing;
@@ -665,7 +669,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params);
 int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
                             struct snd_rawmidi_params * params)
 {
-        char *newbuf;
+        char *newbuf, *oldbuf;
        struct snd_rawmidi_runtime *runtime = substream->runtime;
        snd_rawmidi_drain_input(substream);
@@ -676,12 +680,16 @@ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
                return -EINVAL;
        }
        if (params->buffer_size != runtime->buffer_size) {
-                newbuf = krealloc(runtime->buffer, params->buffer_size,
+                newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
-                                  GFP_KERNEL);
                if (!newbuf)
                        return -ENOMEM;
+                spin_lock_irq(&runtime->lock);
+                oldbuf = runtime->buffer;
                runtime->buffer = newbuf;
                runtime->buffer_size = params->buffer_size;
+                runtime->appl_ptr = runtime->hw_ptr = 0;
+                spin_unlock_irq(&runtime->lock);
+                kfree(oldbuf);
        }
        runtime->avail_min = params->avail_min;
        return 0;
diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c
index 09a89094dcf7..4e304a24924a 100644
--- a/sound/core/rawmidi_compat.c
+++ b/sound/core/rawmidi_compat.c
@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile,
        struct snd_rawmidi_params params;
        unsigned int val;
-        if (rfile->output == NULL)
-                return -EINVAL;
        if (get_user(params.stream, &src->stream) ||
            get_user(params.buffer_size, &src->buffer_size) ||
            get_user(params.avail_min, &src->avail_min) ||
@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile,
        params.no_active_sensing = val;
        switch (params.stream) {
        case SNDRV_RAWMIDI_STREAM_OUTPUT:
+                if (!rfile->output)
+                        return -EINVAL;
                return snd_rawmidi_output_params(rfile->output, &params);
        case SNDRV_RAWMIDI_STREAM_INPUT:
+                if (!rfile->input)
+                        return -EINVAL;
                return snd_rawmidi_input_params(rfile->input, &params);
        }
        return -EINVAL;
@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_compat(struct snd_rawmidi_file *rfile,
        int err;
        struct snd_rawmidi_status status;
-        if (rfile->output == NULL)
-                return -EINVAL;
        if (get_user(status.stream, &src->stream))
                return -EFAULT;
        switch (status.stream) {
        case SNDRV_RAWMIDI_STREAM_OUTPUT:
+                if (!rfile->output)
+                        return -EINVAL;
                err = snd_rawmidi_output_status(rfile->output, &status);
                break;
        case SNDRV_RAWMIDI_STREAM_INPUT:
+                if (!rfile->input)
+                        return -EINVAL;
                err = snd_rawmidi_input_status(rfile->input, &status);
                break;
        default:
@@ -113,16 +117,18 @@ static int snd_rawmidi_ioctl_status_x32(struct snd_rawmidi_file *rfile,
        int err;
        struct snd_rawmidi_status status;
-        if (rfile->output == NULL)
-                return -EINVAL;
        if (get_user(status.stream, &src->stream))
                return -EFAULT;
        switch (status.stream) {
        case SNDRV_RAWMIDI_STREAM_OUTPUT:
+                if (!rfile->output)
+                        return -EINVAL;
                err = snd_rawmidi_output_status(rfile->output, &status);
                break;
        case SNDRV_RAWMIDI_STREAM_INPUT:
+                if (!rfile->input)
+                        return -EINVAL;
                err = snd_rawmidi_input_status(rfile->input, &status);
                break;
        default:
diff --git a/sound/core/seq/oss/seq_oss_event.c b/sound/core/seq/oss/seq_oss_event.c
index c3908862bc8b..86ca584c27b2 100644
--- a/sound/core/seq/oss/seq_oss_event.c
+++ b/sound/core/seq/oss/seq_oss_event.c
@@ -26,6 +26,7 @@
 #include <sound/seq_oss_legacy.h>
 #include "seq_oss_readq.h"
 #include "seq_oss_writeq.h"
+#include <linux/nospec.h>
 /*
@@ -287,10 +288,10 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st
 {
        struct seq_oss_synthinfo *info;
-        if (!snd_seq_oss_synth_is_valid(dp, dev))
+        info = snd_seq_oss_synth_info(dp, dev);
+        if (!info)
                return -ENXIO;
-        info = &dp->synths[dev];
        switch (info->arg.event_passing) {
        case SNDRV_SEQ_OSS_PROCESS_EVENTS:
                if (! info->ch || ch < 0 || ch >= info->nr_voices) {
@@ -298,6 +299,7 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st
                        return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev);
                }
+                ch = array_index_nospec(ch, info->nr_voices);
                if (note == 255 && info->ch[ch].note >= 0) {
                        /* volume control */
                        int type;
@@ -347,10 +349,10 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
 {
        struct seq_oss_synthinfo *info;
-        if (!snd_seq_oss_synth_is_valid(dp, dev))
+        info = snd_seq_oss_synth_info(dp, dev);
+        if (!info)
                return -ENXIO;
-        info = &dp->synths[dev];
        switch (info->arg.event_passing) {
        case SNDRV_SEQ_OSS_PROCESS_EVENTS:
                if (! info->ch || ch < 0 || ch >= info->nr_voices) {
@@ -358,6 +360,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
                        return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev);
                }
+                ch = array_index_nospec(ch, info->nr_voices);
                if (info->ch[ch].note >= 0) {
                        note = info->ch[ch].note;
                        info->ch[ch].vel = 0;
@@ -381,7 +384,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
 static int
 set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, int vel, struct snd_seq_event *ev)
 {
-        if (! snd_seq_oss_synth_is_valid(dp, dev))
+        if (!snd_seq_oss_synth_info(dp, dev))
                return -ENXIO;
        
        ev->type = type;
@@ -399,7 +402,7 @@ set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note,
 static int
 set_control_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int param, int val, struct snd_seq_event *ev)
 {
-        if (! snd_seq_oss_synth_is_valid(dp, dev))
+        if (!snd_seq_oss_synth_info(dp, dev))
                return -ENXIO;
        
        ev->type = type;
diff --git a/sound/core/seq/oss/seq_oss_midi.c b/sound/core/seq/oss/seq_oss_midi.c
index b30b2139e3f0..9debd1b8fd28 100644
--- a/sound/core/seq/oss/seq_oss_midi.c
+++ b/sound/core/seq/oss/seq_oss_midi.c
@@ -29,6 +29,7 @@
 #include "../seq_lock.h"
 #include <linux/init.h>
 #include <linux/slab.h>
+#include <linux/nospec.h>
 /*
@@ -315,6 +316,7 @@ get_mididev(struct seq_oss_devinfo *dp, int dev)
 {
        if (dev < 0 || dev >= dp->max_mididev)
                return NULL;
+        dev = array_index_nospec(dev, dp->max_mididev);
        return get_mdev(dev);
 }
diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
index b16dbef04174..ea545f9291b4 100644
--- a/sound/core/seq/oss/seq_oss_synth.c
+++ b/sound/core/seq/oss/seq_oss_synth.c
@@ -26,6 +26,7 @@
 #include <linux/init.h>
 #include <linux/module.h>
 #include <linux/slab.h>
+#include <linux/nospec.h>
 /*
 * constants
@@ -339,17 +340,13 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp)
        dp->max_synthdev = 0;
 }
-/*
+static struct seq_oss_synthinfo *
- * check if the specified device is MIDI mapped device
+get_synthinfo_nospec(struct seq_oss_devinfo *dp, int dev)
- */
-static int
-is_midi_dev(struct seq_oss_devinfo *dp, int dev)
 {
        if (dev < 0 || dev >= dp->max_synthdev)
-                return 0;
+                return NULL;
-        if (dp->synths[dev].is_midi)
+        dev = array_index_nospec(dev, SNDRV_SEQ_OSS_MAX_SYNTH_DEVS);
-                return 1;
+        return &dp->synths[dev];
-        return 0;
 }
 /*
@@ -359,14 +356,20 @@ static struct seq_oss_synth *
 get_synthdev(struct seq_oss_devinfo *dp, int dev)
 {
        struct seq_oss_synth *rec;
-        if (dev < 0 || dev >= dp->max_synthdev)
+        struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
-                return NULL;
-        if (! dp->synths[dev].opened)
+        if (!info)
                return NULL;
-        if (dp->synths[dev].is_midi)
+        if (!info->opened)
-                return &midi_synth_dev;
-        if ((rec = get_sdev(dev)) == NULL)
                return NULL;
+        if (info->is_midi) {
+                rec = &midi_synth_dev;
+                snd_use_lock_use(&rec->use_lock);
+        } else {
+                rec = get_sdev(dev);
+                if (!rec)
+                        return NULL;
+        }
        if (! rec->opened) {
                snd_use_lock_free(&rec->use_lock);
                return NULL;
@@ -402,10 +405,8 @@ snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev)
        struct seq_oss_synth *rec;
        struct seq_oss_synthinfo *info;
-        if (snd_BUG_ON(dev < 0 || dev >= dp->max_synthdev))
+        info = get_synthinfo_nospec(dp, dev);
-                return;
+        if (!info || !info->opened)
-        info = &dp->synths[dev];
-        if (! info->opened)
                return;
        if (info->sysex)
                info->sysex->len = 0; /* reset sysex */
@@ -454,12 +455,14 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
                            const char __user *buf, int p, int c)
 {
        struct seq_oss_synth *rec;
+        struct seq_oss_synthinfo *info;
        int rc;
-        if (dev < 0 || dev >= dp->max_synthdev)
+        info = get_synthinfo_nospec(dp, dev);
+        if (!info)
                return -ENXIO;
-        if (is_midi_dev(dp, dev))
+        if (info->is_midi)
                return 0;
        if ((rec = get_synthdev(dp, dev)) == NULL)
                return -ENXIO;
@@ -467,24 +470,25 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
        if (rec->oper.load_patch == NULL)
                rc = -ENXIO;
        else
-                rc = rec->oper.load_patch(&dp->synths[dev].arg, fmt, buf, p, c);
+                rc = rec->oper.load_patch(&info->arg, fmt, buf, p, c);
        snd_use_lock_free(&rec->use_lock);
        return rc;
 }
 /*
- * check if the device is valid synth device
+ * check if the device is valid synth device and return the synth info
 */
-int
+struct seq_oss_synthinfo *
-snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev)
+snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, int dev)
 {
        struct seq_oss_synth *rec;
        rec = get_synthdev(dp, dev);
        if (rec) {
                snd_use_lock_free(&rec->use_lock);
-                return 1;
+                return get_synthinfo_nospec(dp, dev);
        }
-        return 0;
+        return NULL;
 }
@@ -499,16 +503,18 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
        int i, send;
        unsigned char *dest;
        struct seq_oss_synth_sysex *sysex;
+        struct seq_oss_synthinfo *info;
-        if (! snd_seq_oss_synth_is_valid(dp, dev))
+        info = snd_seq_oss_synth_info(dp, dev);
+        if (!info)
                return -ENXIO;
-        sysex = dp->synths[dev].sysex;
+        sysex = info->sysex;
        if (sysex == NULL) {
                sysex = kzalloc(sizeof(*sysex), GFP_KERNEL);
                if (sysex == NULL)
                        return -ENOMEM;
-                dp->synths[dev].sysex = sysex;
+                info->sysex = sysex;
        }
        send = 0;
@@ -553,10 +559,12 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
 int
 snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev)
 {
-        if (! snd_seq_oss_synth_is_valid(dp, dev))
+        struct seq_oss_synthinfo *info = snd_seq_oss_synth_info(dp, dev);
+        if (!info)
                return -EINVAL;
-        snd_seq_oss_fill_addr(dp, ev, dp->synths[dev].arg.addr.client,
+        snd_seq_oss_fill_addr(dp, ev, info->arg.addr.client,
-                              dp->synths[dev].arg.addr.port);
+                              info->arg.addr.port);
        return 0;
 }
@@ -568,16 +576,18 @@ int
 snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, unsigned long addr)
 {
        struct seq_oss_synth *rec;
+        struct seq_oss_synthinfo *info;
        int rc;
-        if (is_midi_dev(dp, dev))
+        info = get_synthinfo_nospec(dp, dev);
+        if (!info || info->is_midi)
                return -ENXIO;
        if ((rec = get_synthdev(dp, dev)) == NULL)
                return -ENXIO;
        if (rec->oper.ioctl == NULL)
                rc = -ENXIO;
        else
-                rc = rec->oper.ioctl(&dp->synths[dev].arg, cmd, addr);
+                rc = rec->oper.ioctl(&info->arg, cmd, addr);
        snd_use_lock_free(&rec->use_lock);
        return rc;
 }
@@ -589,7 +599,10 @@ snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, u
 int
 snd_seq_oss_synth_raw_event(struct seq_oss_devinfo *dp, int dev, unsigned char *data, struct snd_seq_event *ev)
 {
-        if (! snd_seq_oss_synth_is_valid(dp, dev) || is_midi_dev(dp, dev))
+        struct seq_oss_synthinfo *info;
+        info = snd_seq_oss_synth_info(dp, dev);
+        if (!info || info->is_midi)
                return -ENXIO;
        ev->type = SNDRV_SEQ_EVENT_OSS;
        memcpy(ev->data.raw8.d, data, 8);
diff --git a/sound/core/seq/oss/seq_oss_synth.h b/sound/core/seq/oss/seq_oss_synth.h
index 74ac55f166b6..a63f9e22974d 100644
--- a/sound/core/seq/oss/seq_oss_synth.h
+++ b/sound/core/seq/oss/seq_oss_synth.h
@@ -37,7 +37,8 @@ void snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp);
 void snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev);
 int snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
                                 const char __user *buf, int p, int c);
-int snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev);
+struct seq_oss_synthinfo *snd_seq_oss_synth_info(struct seq_oss_devinfo *dp,
+                                                 int dev);
 int snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
                            struct snd_seq_event *ev);
 int snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev);
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index b36de76f24e2..73ee8476584d 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize)
        rwlock_init(&client->ports_lock);
        mutex_init(&client->ports_mutex);
        INIT_LIST_HEAD(&client->ports_list_head);
+        mutex_init(&client->ioctl_mutex);
        /* find free slot in the client table */
        spin_lock_irqsave(&clients_lock, flags);
@@ -269,12 +270,12 @@ static int seq_free_client1(struct snd_seq_client *client)
        if (!client)
                return 0;
-        snd_seq_delete_all_ports(client);
-        snd_seq_queue_client_leave(client->number);
        spin_lock_irqsave(&clients_lock, flags);
        clienttablock[client->number] = 1;
        clienttab[client->number] = NULL;
        spin_unlock_irqrestore(&clients_lock, flags);
+        snd_seq_delete_all_ports(client);
+        snd_seq_queue_client_leave(client->number);
        snd_use_lock_sync(&client->use_lock);
        snd_seq_queue_client_termination(client->number);
        if (client->pool)
@@ -918,7 +919,8 @@ int snd_seq_dispatch_event(struct snd_seq_event_cell *cell, int atomic, int hop)
 static int snd_seq_client_enqueue_event(struct snd_seq_client *client,
                                        struct snd_seq_event *event,
                                        struct file *file, int blocking,
-                                        int atomic, int hop)
+                                        int atomic, int hop,
+                                        struct mutex *mutexp)
 {
        struct snd_seq_event_cell *cell;
        int err;
@@ -956,7 +958,8 @@ static int snd_seq_client_enqueue_event(struct snd_seq_client *client,
                return -ENXIO; /* queue is not allocated */
        /* allocate an event cell */
-        err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, file);
+        err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic,
+                                file, mutexp);
        if (err < 0)
                return err;
@@ -1011,7 +1014,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
 {
        struct snd_seq_client *client = file->private_data;
        int written = 0, len;
-        int err = -EINVAL;
+        int err;
        struct snd_seq_event event;
        if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
@@ -1025,12 +1028,15 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
                return -ENXIO;
        /* allocate the pool now if the pool is not allocated yet */ 
+        mutex_lock(&client->ioctl_mutex);
        if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
-                if (snd_seq_pool_init(client->pool) < 0)
+                err = snd_seq_pool_init(client->pool);
-                        return -ENOMEM;
+                if (err < 0)
+                        goto out;
        }
        /* only process whole events */
+        err = -EINVAL;
        while (count >= sizeof(struct snd_seq_event)) {
                /* Read in the event header from the user */
                len = sizeof(event);
@@ -1077,7 +1083,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
                /* ok, enqueue it */
                err = snd_seq_client_enqueue_event(client, &event, file,
                                                   !(file->f_flags & O_NONBLOCK),
-                                                   0, 0);
+                                                   0, 0, &client->ioctl_mutex);
                if (err < 0)
                        break;
@@ -1088,6 +1094,8 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
                written += len;
        }
+ out:
+        mutex_unlock(&client->ioctl_mutex);
        return written ? written : err;
 }
@@ -1919,6 +1927,9 @@ static int snd_seq_ioctl_set_client_pool(struct snd_seq_client *client,
            (! snd_seq_write_pool_allocated(client) ||
             info.output_pool != client->pool->size)) {
                if (snd_seq_write_pool_allocated(client)) {
+                        /* is the pool in use? */
+                        if (atomic_read(&client->pool->counter))
+                                return -EBUSY;
                        /* remove all existing cells */
                        snd_seq_pool_mark_closing(client->pool);
                        snd_seq_queue_client_leave_cells(client->number);
@@ -2220,11 +2231,15 @@ static int snd_seq_do_ioctl(struct snd_seq_client *client, unsigned int cmd,
 static long snd_seq_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
        struct snd_seq_client *client = file->private_data;
+        long ret;
        if (snd_BUG_ON(!client))
                return -ENXIO;
                
-        return snd_seq_do_ioctl(client, cmd, (void __user *) arg);
+        mutex_lock(&client->ioctl_mutex);
+        ret = snd_seq_do_ioctl(client, cmd, (void __user *) arg);
+        mutex_unlock(&client->ioctl_mutex);
+        return ret;
 }
 #ifdef CONFIG_COMPAT
@@ -2338,7 +2353,8 @@ static int kernel_client_enqueue(int client, struct snd_seq_event *ev,
        if (! cptr->accept_output)
                result = -EPERM;
        else /* send it */
-                result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, atomic, hop);
+                result = snd_seq_client_enqueue_event(cptr, ev, file, blocking,
+                                                      atomic, hop, NULL);
        snd_seq_client_unlock(cptr);
        return result;
diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h
index 20f0a725ec7d..91f8f165bfdc 100644
--- a/sound/core/seq/seq_clientmgr.h
+++ b/sound/core/seq/seq_clientmgr.h
@@ -59,6 +59,7 @@ struct snd_seq_client {
        struct list_head ports_list_head;
        rwlock_t ports_lock;
        struct mutex ports_mutex;
+        struct mutex ioctl_mutex;
        int convert32;          /* convert 32->64bit */
        /* output pool */
diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c
index 3490d21ab9e7..9acbed1ac982 100644
--- a/sound/core/seq/seq_fifo.c
+++ b/sound/core/seq/seq_fifo.c
@@ -123,7 +123,7 @@ int snd_seq_fifo_event_in(struct snd_seq_fifo *f,
                return -EINVAL;
        snd_use_lock_use(&f->use_lock);
-        err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL); /* always non-blocking */
+        err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL, NULL); /* always non-blocking */
        if (err < 0) {
                if ((err == -ENOMEM) || (err == -EAGAIN))
                        atomic_inc(&f->overflow);
diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
index 5847c4475bf3..4c8cbcd89887 100644
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -221,7 +221,8 @@ void snd_seq_cell_free(struct snd_seq_event_cell * cell)
 */
 static int snd_seq_cell_alloc(struct snd_seq_pool *pool,
                              struct snd_seq_event_cell **cellp,
-                              int nonblock, struct file *file)
+                              int nonblock, struct file *file,
+                              struct mutex *mutexp)
 {
        struct snd_seq_event_cell *cell;
        unsigned long flags;
@@ -245,7 +246,11 @@ static int snd_seq_cell_alloc(struct snd_seq_pool *pool,
                set_current_state(TASK_INTERRUPTIBLE);
                add_wait_queue(&pool->output_sleep, &wait);
                spin_unlock_irq(&pool->lock);
+                if (mutexp)
+                        mutex_unlock(mutexp);
                schedule();
+                if (mutexp)
+                        mutex_lock(mutexp);
                spin_lock_irq(&pool->lock);
                remove_wait_queue(&pool->output_sleep, &wait);
                /* interrupted? */
@@ -288,7 +293,7 @@ __error:
 */
 int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
                      struct snd_seq_event_cell **cellp, int nonblock,
-                      struct file *file)
+                      struct file *file, struct mutex *mutexp)
 {
        int ncells, err;
        unsigned int extlen;
@@ -305,7 +310,7 @@ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
        if (ncells >= pool->total_elements)
                return -ENOMEM;
-        err = snd_seq_cell_alloc(pool, &cell, nonblock, file);
+        err = snd_seq_cell_alloc(pool, &cell, nonblock, file, mutexp);
        if (err < 0)
                return err;
@@ -331,7 +336,8 @@ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
                        int size = sizeof(struct snd_seq_event);
                        if (len < size)
                                size = len;
-                        err = snd_seq_cell_alloc(pool, &tmp, nonblock, file);
+                        err = snd_seq_cell_alloc(pool, &tmp, nonblock, file,
+                                                 mutexp);
                        if (err < 0)
                                goto __error;
                        if (cell->event.data.ext.ptr == NULL)
diff --git a/sound/core/seq/seq_memory.h b/sound/core/seq/seq_memory.h
index 32f959c17786..3abe306c394a 100644
--- a/sound/core/seq/seq_memory.h
+++ b/sound/core/seq/seq_memory.h
@@ -66,7 +66,8 @@ struct snd_seq_pool {
 void snd_seq_cell_free(struct snd_seq_event_cell *cell);
 int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
-                      struct snd_seq_event_cell **cellp, int nonblock, struct file *file);
+                      struct snd_seq_event_cell **cellp, int nonblock,
+                      struct file *file, struct mutex *mutexp);
 /* return number of unused (free) cells */
 static inline int snd_seq_unused_cells(struct snd_seq_pool *pool)
diff --git a/sound/core/seq/seq_prioq.c b/sound/core/seq/seq_prioq.c
index bc1c8488fc2a..2bc6759e4adc 100644
--- a/sound/core/seq/seq_prioq.c
+++ b/sound/core/seq/seq_prioq.c
@@ -87,7 +87,7 @@ void snd_seq_prioq_delete(struct snd_seq_prioq **fifo)
        if (f->cells > 0) {
                /* drain prioQ */
                while (f->cells > 0)
-                        snd_seq_cell_free(snd_seq_prioq_cell_out(f));
+                        snd_seq_cell_free(snd_seq_prioq_cell_out(f, NULL));
        }
        
        kfree(f);
@@ -214,8 +214,18 @@ int snd_seq_prioq_cell_in(struct snd_seq_prioq * f,
        return 0;
 }
+/* return 1 if the current time >= event timestamp */
+static int event_is_ready(struct snd_seq_event *ev, void *current_time)
+{
+        if ((ev->flags & SNDRV_SEQ_TIME_STAMP_MASK) == SNDRV_SEQ_TIME_STAMP_TICK)
+                return snd_seq_compare_tick_time(current_time, &ev->time.tick);
+        else
+                return snd_seq_compare_real_time(current_time, &ev->time.time);
+}
 /* dequeue cell from prioq */
-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f)
+struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f,
+                                                  void *current_time)
 {
        struct snd_seq_event_cell *cell;
        unsigned long flags;
@@ -227,6 +237,8 @@ struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f)
        spin_lock_irqsave(&f->lock, flags);
        cell = f->head;
+        if (cell && current_time && !event_is_ready(&cell->event, current_time))
+                cell = NULL;
        if (cell) {
                f->head = cell->next;
@@ -252,18 +264,6 @@ int snd_seq_prioq_avail(struct snd_seq_prioq * f)
        return f->cells;
 }
-/* peek at cell at the head of the prioq */
-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq * f)
-{
-        if (f == NULL) {
-                pr_debug("ALSA: seq: snd_seq_prioq_cell_in() called with NULL prioq\n");
-                return NULL;
-        }
-        return f->head;
-}
 static inline int prioq_match(struct snd_seq_event_cell *cell,
                              int client, int timestamp)
 {
diff --git a/sound/core/seq/seq_prioq.h b/sound/core/seq/seq_prioq.h
index d38bb78d9345..2c315ca10fc4 100644
--- a/sound/core/seq/seq_prioq.h
+++ b/sound/core/seq/seq_prioq.h
@@ -44,14 +44,12 @@ void snd_seq_prioq_delete(struct snd_seq_prioq **fifo);
 int snd_seq_prioq_cell_in(struct snd_seq_prioq *f, struct snd_seq_event_cell *cell);
 /* dequeue cell from prioq */ 
-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f);
+struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f,
+                                                  void *current_time);
 /* return number of events available in prioq */
 int snd_seq_prioq_avail(struct snd_seq_prioq *f);
-/* peek at cell at the head of the prioq */
-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq *f);
 /* client left queue */
 void snd_seq_prioq_leave(struct snd_seq_prioq *f, int client, int timestamp);        
diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
index 79e0c5604ef8..1a6dc4ff44a6 100644
--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -277,30 +277,20 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
      __again:
        /* Process tick queue... */
-        while ((cell = snd_seq_prioq_cell_peek(q->tickq)) != NULL) {
+        for (;;) {
-                if (snd_seq_compare_tick_time(&q->timer->tick.cur_tick,
+                cell = snd_seq_prioq_cell_out(q->tickq,
-                                              &cell->event.time.tick)) {
+                                              &q->timer->tick.cur_tick);
-                        cell = snd_seq_prioq_cell_out(q->tickq);
+                if (!cell)
-                        if (cell)
-                                snd_seq_dispatch_event(cell, atomic, hop);
-                } else {
-                        /* event remains in the queue */
                        break;
-                }
+                snd_seq_dispatch_event(cell, atomic, hop);
        }
        /* Process time queue... */
-        while ((cell = snd_seq_prioq_cell_peek(q->timeq)) != NULL) {
+        for (;;) {
-                if (snd_seq_compare_real_time(&q->timer->cur_time,
+                cell = snd_seq_prioq_cell_out(q->timeq, &q->timer->cur_time);
-                                              &cell->event.time.time)) {
+                if (!cell)
-                        cell = snd_seq_prioq_cell_out(q->timeq);
-                        if (cell)
-                                snd_seq_dispatch_event(cell, atomic, hop);
-                } else {
-                        /* event remains in the queue */
                        break;
-                }
+                snd_seq_dispatch_event(cell, atomic, hop);
        }
        /* free lock */
diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c
index 3b126af4a026..ef494ffc1369 100644
--- a/sound/core/seq/seq_virmidi.c
+++ b/sound/core/seq/seq_virmidi.c
@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream,
                        }
                        return;
                }
+                spin_lock_irqsave(&substream->runtime->lock, flags);
                if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
                        if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
-                                return;
+                                goto out;
                        vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
                }
-                spin_lock_irqsave(&substream->runtime->lock, flags);
                while (1) {
                        count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
                        if (count <= 0)
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 48eaccba82a3..ef850a99d64a 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -318,8 +318,6 @@ int snd_timer_open(struct snd_timer_instance **ti,
        return 0;
 }
-static int _snd_timer_stop(struct snd_timer_instance *timeri, int event);
 /*
 * close a timer instance
 */
@@ -408,7 +406,6 @@ unsigned long snd_timer_resolution(struct snd_timer_instance *timeri)
 static void snd_timer_notify1(struct snd_timer_instance *ti, int event)
 {
        struct snd_timer *timer;
-        unsigned long flags;
        unsigned long resolution = 0;
        struct snd_timer_instance *ts;
        struct timespec tstamp;
@@ -432,34 +429,66 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event)
                return;
        if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
                return;
-        spin_lock_irqsave(&timer->lock, flags);
        list_for_each_entry(ts, &ti->slave_active_head, active_list)
                if (ts->ccallback)
                        ts->ccallback(ts, event + 100, &tstamp, resolution);
-        spin_unlock_irqrestore(&timer->lock, flags);
 }
-static int snd_timer_start1(struct snd_timer *timer, struct snd_timer_instance *timeri,
+/* start/continue a master timer */
-                            unsigned long sticks)
+static int snd_timer_start1(struct snd_timer_instance *timeri,
+                            bool start, unsigned long ticks)
 {
+        struct snd_timer *timer;
+        int result;
+        unsigned long flags;
+        timer = timeri->timer;
+        if (!timer)
+                return -EINVAL;
+        spin_lock_irqsave(&timer->lock, flags);
+        if (timer->card && timer->card->shutdown) {
+                result = -ENODEV;
+                goto unlock;
+        }
+        if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
+                             SNDRV_TIMER_IFLG_START)) {
+                result = -EBUSY;
+                goto unlock;
+        }
+        if (start)
+                timeri->ticks = timeri->cticks = ticks;
+        else if (!timeri->cticks)
+                timeri->cticks = 1;
+        timeri->pticks = 0;
        list_move_tail(&timeri->active_list, &timer->active_list_head);
        if (timer->running) {
                if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
                        goto __start_now;
                timer->flags |= SNDRV_TIMER_FLG_RESCHED;
                timeri->flags |= SNDRV_TIMER_IFLG_START;
-                return 1;       /* delayed start */
+                result = 1; /* delayed start */
        } else {
-                timer->sticks = sticks;
+                if (start)
+                        timer->sticks = ticks;
                timer->hw.start(timer);
              __start_now:
                timer->running++;
                timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
-                return 0;
+                result = 0;
        }
+        snd_timer_notify1(timeri, start ? SNDRV_TIMER_EVENT_START :
+                          SNDRV_TIMER_EVENT_CONTINUE);
+ unlock:
+        spin_unlock_irqrestore(&timer->lock, flags);
+        return result;
 }
-static int snd_timer_start_slave(struct snd_timer_instance *timeri)
+/* start/continue a slave timer */
+static int snd_timer_start_slave(struct snd_timer_instance *timeri,
+                                 bool start)
 {
        unsigned long flags;
@@ -473,88 +502,37 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
                spin_lock(&timeri->timer->lock);
                list_add_tail(&timeri->active_list,
                              &timeri->master->slave_active_head);
+                snd_timer_notify1(timeri, start ? SNDRV_TIMER_EVENT_START :
+                                  SNDRV_TIMER_EVENT_CONTINUE);
                spin_unlock(&timeri->timer->lock);
        }
        spin_unlock_irqrestore(&slave_active_lock, flags);
        return 1; /* delayed start */
 }
-/*
+/* stop/pause a master timer */
- *  start the timer instance
+static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop)
- */
-int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
 {
        struct snd_timer *timer;
-        int result = -EINVAL;
+        int result = 0;
        unsigned long flags;
-        if (timeri == NULL || ticks < 1)
-                return -EINVAL;
-        if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
-                result = snd_timer_start_slave(timeri);
-                if (result >= 0)
-                        snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
-                return result;
-        }
-        timer = timeri->timer;
-        if (timer == NULL)
-                return -EINVAL;
-        if (timer->card && timer->card->shutdown)
-                return -ENODEV;
-        spin_lock_irqsave(&timer->lock, flags);
-        if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
-                             SNDRV_TIMER_IFLG_START)) {
-                result = -EBUSY;
-                goto unlock;
-        }
-        timeri->ticks = timeri->cticks = ticks;
-        timeri->pticks = 0;
-        result = snd_timer_start1(timer, timeri, ticks);
- unlock:
-        spin_unlock_irqrestore(&timer->lock, flags);
-        if (result >= 0)
-                snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
-        return result;
-}
-static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
-{
-        struct snd_timer *timer;
-        unsigned long flags;
-        if (snd_BUG_ON(!timeri))
-                return -ENXIO;
-        if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
-                spin_lock_irqsave(&slave_active_lock, flags);
-                if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
-                        spin_unlock_irqrestore(&slave_active_lock, flags);
-                        return -EBUSY;
-                }
-                if (timeri->timer)
-                        spin_lock(&timeri->timer->lock);
-                timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
-                list_del_init(&timeri->ack_list);
-                list_del_init(&timeri->active_list);
-                if (timeri->timer)
-                        spin_unlock(&timeri->timer->lock);
-                spin_unlock_irqrestore(&slave_active_lock, flags);
-                goto __end;
-        }
        timer = timeri->timer;
        if (!timer)
                return -EINVAL;
        spin_lock_irqsave(&timer->lock, flags);
        if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
                               SNDRV_TIMER_IFLG_START))) {
-                spin_unlock_irqrestore(&timer->lock, flags);
+                result = -EBUSY;
-                return -EBUSY;
+                goto unlock;
        }
        list_del_init(&timeri->ack_list);
        list_del_init(&timeri->active_list);
-        if (timer->card && timer->card->shutdown) {
+        if (timer->card && timer->card->shutdown)
-                spin_unlock_irqrestore(&timer->lock, flags);
+                goto unlock;
-                return 0;
+        if (stop) {
+                timeri->cticks = timeri->ticks;
+                timeri->pticks = 0;
        }
        if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) &&
            !(--timer->running)) {
@@ -569,35 +547,60 @@ static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
                }
        }
        timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
+        snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
+                          SNDRV_TIMER_EVENT_PAUSE);
+ unlock:
        spin_unlock_irqrestore(&timer->lock, flags);
-      __end:
+        return result;
-        if (event != SNDRV_TIMER_EVENT_RESOLUTION)
+}
-                snd_timer_notify1(timeri, event);
+/* stop/pause a slave timer */
+static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
+{
+        unsigned long flags;
+        spin_lock_irqsave(&slave_active_lock, flags);
+        if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
+                spin_unlock_irqrestore(&slave_active_lock, flags);
+                return -EBUSY;
+        }
+        timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+        if (timeri->timer) {
+                spin_lock(&timeri->timer->lock);
+                list_del_init(&timeri->ack_list);
+                list_del_init(&timeri->active_list);
+                snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
+                                  SNDRV_TIMER_EVENT_PAUSE);
+                spin_unlock(&timeri->timer->lock);
+        }
+        spin_unlock_irqrestore(&slave_active_lock, flags);
        return 0;
 }
 /*
+ *  start the timer instance
+ */
+int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
+{
+        if (timeri == NULL || ticks < 1)
+                return -EINVAL;
+        if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
+                return snd_timer_start_slave(timeri, true);
+        else
+                return snd_timer_start1(timeri, true, ticks);
+}
+/*
 * stop the timer instance.
 *
 * do not call this from the timer callback!
 */
 int snd_timer_stop(struct snd_timer_instance *timeri)
 {
-        struct snd_timer *timer;
+        if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
-        unsigned long flags;
+                return snd_timer_stop_slave(timeri, true);
-        int err;
+        else
+                return snd_timer_stop1(timeri, true);
-        err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP);
-        if (err < 0)
-                return err;
-        timer = timeri->timer;
-        if (!timer)
-                return -EINVAL;
-        spin_lock_irqsave(&timer->lock, flags);
-        timeri->cticks = timeri->ticks;
-        timeri->pticks = 0;
-        spin_unlock_irqrestore(&timer->lock, flags);
-        return 0;
 }
 /*
@@ -605,32 +608,10 @@ int snd_timer_stop(struct snd_timer_instance *timeri)
 */
 int snd_timer_continue(struct snd_timer_instance *timeri)
 {
-        struct snd_timer *timer;
-        int result = -EINVAL;
-        unsigned long flags;
-        if (timeri == NULL)
-                return result;
        if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
-                return snd_timer_start_slave(timeri);
+                return snd_timer_start_slave(timeri, false);
-        timer = timeri->timer;
+        else
-        if (! timer)
+                return snd_timer_start1(timeri, false, 0);
-                return -EINVAL;
-        if (timer->card && timer->card->shutdown)
-                return -ENODEV;
-        spin_lock_irqsave(&timer->lock, flags);
-        if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) {
-                result = -EBUSY;
-                goto unlock;
-        }
-        if (!timeri->cticks)
-                timeri->cticks = 1;
-        timeri->pticks = 0;
-        result = snd_timer_start1(timer, timeri, timer->sticks);
- unlock:
-        spin_unlock_irqrestore(&timer->lock, flags);
-        snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_CONTINUE);
-        return result;
 }
 /*
@@ -638,7 +619,10 @@ int snd_timer_continue(struct snd_timer_instance *timeri)
 */
 int snd_timer_pause(struct snd_timer_instance * timeri)
 {
-        return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE);
+        if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
+                return snd_timer_stop_slave(timeri, false);
+        else
+                return snd_timer_stop1(timeri, false);
 }
 /*
diff --git a/sound/core/vmaster.c b/sound/core/vmaster.c
index 6c58e6f73a01..7c6ef879c520 100644
--- a/sound/core/vmaster.c
+++ b/sound/core/vmaster.c
@@ -68,10 +68,13 @@ static int slave_update(struct link_slave *slave)
                return -ENOMEM;
        uctl->id = slave->slave.id;
        err = slave->slave.get(&slave->slave, uctl);
+        if (err < 0)
+                goto error;
        for (ch = 0; ch < slave->info.count; ch++)
                slave->vals[ch] = uctl->value.integer.value[ch];
+ error:
        kfree(uctl);
-        return 0;
+        return err < 0 ? err : 0;
 }
 /* get the slave ctl info and save the initial values */
diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c
index cbd20cb8ca11..847f70348d4d 100644
--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -192,6 +192,11 @@ static inline void loopback_timer_stop(struct loopback_pcm *dpcm)
        dpcm->timer.expires = 0;
 }
+static inline void loopback_timer_stop_sync(struct loopback_pcm *dpcm)
+{
+        del_timer_sync(&dpcm->timer);
+}
 #define CABLE_VALID_PLAYBACK    (1 << SNDRV_PCM_STREAM_PLAYBACK)
 #define CABLE_VALID_CAPTURE     (1 << SNDRV_PCM_STREAM_CAPTURE)
 #define CABLE_VALID_BOTH        (CABLE_VALID_PLAYBACK|CABLE_VALID_CAPTURE)
@@ -291,6 +296,8 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd)
                cable->pause |= stream;
                loopback_timer_stop(dpcm);
                spin_unlock(&cable->lock);
+                if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+                        loopback_active_notify(dpcm);
                break;
        case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
        case SNDRV_PCM_TRIGGER_RESUME:
@@ -299,6 +306,8 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd)
                cable->pause &= ~stream;
                loopback_timer_start(dpcm);
                spin_unlock(&cable->lock);
+                if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+                        loopback_active_notify(dpcm);
                break;
        default:
                return -EINVAL;
@@ -326,6 +335,8 @@ static int loopback_prepare(struct snd_pcm_substream *substream)
        struct loopback_cable *cable = dpcm->cable;
        int bps, salign;
+        loopback_timer_stop_sync(dpcm);
        salign = (snd_pcm_format_width(runtime->format) *
                                                runtime->channels) / 8;
        bps = salign * runtime->rate;
@@ -659,7 +670,9 @@ static void free_cable(struct snd_pcm_substream *substream)
                return;
        if (cable->streams[!substream->stream]) {
                /* other stream is still alive */
+                spin_lock_irq(&cable->lock);
                cable->streams[substream->stream] = NULL;
+                spin_unlock_irq(&cable->lock);
        } else {
                /* free the cable */
                loopback->cables[substream->number][dev] = NULL;
@@ -699,7 +712,6 @@ static int loopback_open(struct snd_pcm_substream *substream)
                loopback->cables[substream->number][dev] = cable;
        }
        dpcm->cable = cable;
-        cable->streams[substream->stream] = dpcm;
        snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS);
@@ -731,6 +743,11 @@ static int loopback_open(struct snd_pcm_substream *substream)
                runtime->hw = loopback_pcm_hardware;
        else
                runtime->hw = cable->hw;
+        spin_lock_irq(&cable->lock);
+        cable->streams[substream->stream] = dpcm;
+        spin_unlock_irq(&cable->lock);
 unlock:
        if (err < 0) {
                free_cable(substream);
@@ -745,7 +762,7 @@ static int loopback_close(struct snd_pcm_substream *substream)
        struct loopback *loopback = substream->private_data;
        struct loopback_pcm *dpcm = substream->runtime->private_data;
-        loopback_timer_stop(dpcm);
+        loopback_timer_stop_sync(dpcm);
        mutex_lock(&loopback->cable_lock);
        free_cable(substream);
        mutex_unlock(&loopback->cable_lock);
@@ -815,9 +832,11 @@ static int loopback_rate_shift_get(struct snd_kcontrol *kcontrol,
 {
        struct loopback *loopback = snd_kcontrol_chip(kcontrol);
        
+        mutex_lock(&loopback->cable_lock);
        ucontrol->value.integer.value[0] =
                loopback->setup[kcontrol->id.subdevice]
                               [kcontrol->id.device].rate_shift;
+        mutex_unlock(&loopback->cable_lock);
        return 0;
 }
@@ -849,9 +868,11 @@ static int loopback_notify_get(struct snd_kcontrol *kcontrol,
 {
        struct loopback *loopback = snd_kcontrol_chip(kcontrol);
        
+        mutex_lock(&loopback->cable_lock);
        ucontrol->value.integer.value[0] =
                loopback->setup[kcontrol->id.subdevice]
                               [kcontrol->id.device].notify;
+        mutex_unlock(&loopback->cable_lock);
        return 0;
 }
@@ -863,12 +884,14 @@ static int loopback_notify_put(struct snd_kcontrol *kcontrol,
        int change = 0;
        val = ucontrol->value.integer.value[0] ? 1 : 0;
+        mutex_lock(&loopback->cable_lock);
        if (val != loopback->setup[kcontrol->id.subdevice]
                                [kcontrol->id.device].notify) {
                loopback->setup[kcontrol->id.subdevice]
                        [kcontrol->id.device].notify = val;
                change = 1;
        }
+        mutex_unlock(&loopback->cable_lock);
        return change;
 }
@@ -876,13 +899,18 @@ static int loopback_active_get(struct snd_kcontrol *kcontrol,
                               struct snd_ctl_elem_value *ucontrol)
 {
        struct loopback *loopback = snd_kcontrol_chip(kcontrol);
-        struct loopback_cable *cable = loopback->cables
+        struct loopback_cable *cable;
-                        [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
        unsigned int val = 0;
-        if (cable != NULL)
+        mutex_lock(&loopback->cable_lock);
-                val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ?
+        cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
-                                                                        1 : 0;
+        if (cable != NULL) {
+                unsigned int running = cable->running ^ cable->pause;
+                val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
+        }
+        mutex_unlock(&loopback->cable_lock);
        ucontrol->value.integer.value[0] = val;
        return 0;
 }
@@ -925,9 +953,11 @@ static int loopback_rate_get(struct snd_kcontrol *kcontrol,
 {
        struct loopback *loopback = snd_kcontrol_chip(kcontrol);
        
+        mutex_lock(&loopback->cable_lock);
        ucontrol->value.integer.value[0] =
                loopback->setup[kcontrol->id.subdevice]
                               [kcontrol->id.device].rate;
+        mutex_unlock(&loopback->cable_lock);
        return 0;
 }
@@ -947,9 +977,11 @@ static int loopback_channels_get(struct snd_kcontrol *kcontrol,
 {
        struct loopback *loopback = snd_kcontrol_chip(kcontrol);
        
+        mutex_lock(&loopback->cable_lock);
        ucontrol->value.integer.value[0] =
                loopback->setup[kcontrol->id.subdevice]
                               [kcontrol->id.device].channels;
+        mutex_unlock(&loopback->cable_lock);
        return 0;
 }
diff --git a/sound/drivers/opl3/opl3_synth.c b/sound/drivers/opl3/opl3_synth.c
index ddcc1a325a61..42920a243328 100644
--- a/sound/drivers/opl3/opl3_synth.c
+++ b/sound/drivers/opl3/opl3_synth.c
@@ -21,6 +21,7 @@
 #include <linux/slab.h>
 #include <linux/export.h>
+#include <linux/nospec.h>
 #include <sound/opl3.h>
 #include <sound/asound_fm.h>
@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v
 {
        unsigned short reg_side;
        unsigned char op_offset;
-        unsigned char voice_offset;
+        unsigned char voice_offset, voice_op;
        unsigned short opl3_reg;
        unsigned char reg_val;
@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v
                voice_offset = voice->voice - MAX_OPL2_VOICES;
        }
        /* Get register offset of operator */
-        op_offset = snd_opl3_regmap[voice_offset][voice->op];
+        voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES);
+        voice_op = array_index_nospec(voice->op, 4);
+        op_offset = snd_opl3_regmap[voice_offset][voice_op];
        reg_val = 0x00;
        /* Set amplitude modulation (tremolo) effect */
diff --git a/sound/firewire/digi00x/amdtp-dot.c b/sound/firewire/digi00x/amdtp-dot.c
index b02a5e8cad44..30e4925bf6b0 100644
--- a/sound/firewire/digi00x/amdtp-dot.c
+++ b/sound/firewire/digi00x/amdtp-dot.c
@@ -28,6 +28,9 @@
 */
 #define MAX_MIDI_RX_BLOCKS      8
+/* 3 = MAX(DOT_MIDI_IN_PORTS, DOT_MIDI_OUT_PORTS) + 1. */
+#define MAX_MIDI_PORTS          3
 /*
 * The double-oh-three algorithm was discovered by Robin Gareus and Damien
 * Zammit in 2012, with reverse-engineering for Digi 003 Rack.
@@ -42,10 +45,8 @@ struct amdtp_dot {
        unsigned int pcm_channels;
        struct dot_state state;
-        unsigned int midi_ports;
+        struct snd_rawmidi_substream *midi[MAX_MIDI_PORTS];
-        /* 2 = MAX(DOT_MIDI_IN_PORTS, DOT_MIDI_OUT_PORTS) */
+        int midi_fifo_used[MAX_MIDI_PORTS];
-        struct snd_rawmidi_substream *midi[2];
-        int midi_fifo_used[2];
        int midi_fifo_limit;
        void (*transfer_samples)(struct amdtp_stream *s,
@@ -124,8 +125,8 @@ int amdtp_dot_set_parameters(struct amdtp_stream *s, unsigned int rate,
                return -EBUSY;
        /*
-         * A first data channel is for MIDI conformant data channel, the rest is
+         * A first data channel is for MIDI messages, the rest is Multi Bit
-         * Multi Bit Linear Audio data channel.
+         * Linear Audio data channel.
         */
        err = amdtp_stream_set_parameters(s, rate, pcm_channels + 1);
        if (err < 0)
@@ -135,11 +136,6 @@ int amdtp_dot_set_parameters(struct amdtp_stream *s, unsigned int rate,
        p->pcm_channels = pcm_channels;
-        if (s->direction == AMDTP_IN_STREAM)
-                p->midi_ports = DOT_MIDI_IN_PORTS;
-        else
-                p->midi_ports = DOT_MIDI_OUT_PORTS;
        /*
         * We do not know the actual MIDI FIFO size of most devices.  Just
         * assume two bytes, i.e., one byte can be received over the bus while
@@ -281,13 +277,25 @@ static void write_midi_messages(struct amdtp_stream *s, __be32 *buffer,
                b = (u8 *)&buffer[0];
                len = 0;
-                if (port < p->midi_ports &&
+                if (port < MAX_MIDI_PORTS &&
                    midi_ratelimit_per_packet(s, port) &&
                    p->midi[port] != NULL)
                        len = snd_rawmidi_transmit(p->midi[port], b + 1, 2);
                if (len > 0) {
-                        b[3] = (0x10 << port) | len;
+                        /*
+                         * Upper 4 bits of LSB represent port number.
+                         * - 0000b: physical MIDI port 1.
+                         * - 0010b: physical MIDI port 2.
+                         * - 1110b: console MIDI port.
+                         */
+                        if (port == 2)
+                                b[3] = 0xe0;
+                        else if (port == 1)
+                                b[3] = 0x20;
+                        else
+                                b[3] = 0x00;
+                        b[3] |= len;
                        midi_use_bytes(s, port, len);
                } else {
                        b[1] = 0;
@@ -309,11 +317,22 @@ static void read_midi_messages(struct amdtp_stream *s, __be32 *buffer,
        for (f = 0; f < data_blocks; f++) {
                b = (u8 *)&buffer[0];
-                port = b[3] >> 4;
-                len = b[3] & 0x0f;
-                if (port < p->midi_ports && p->midi[port] && len > 0)
+                len = b[3] & 0x0f;
-                        snd_rawmidi_receive(p->midi[port], b + 1, len);
+                if (len > 0) {
+                        /*
+                         * Upper 4 bits of LSB represent port number.
+                         * - 0000b: physical MIDI port 1. Use port 0.
+                         * - 1110b: console MIDI port. Use port 2.
+                         */
+                        if (b[3] >> 4 > 0)
+                                port = 2;
+                        else
+                                port = 0;
+                        if (port < MAX_MIDI_PORTS && p->midi[port])
+                                snd_rawmidi_receive(p->midi[port], b + 1, len);
+                }
                buffer += s->data_block_quadlets;
        }
@@ -364,7 +383,7 @@ void amdtp_dot_midi_trigger(struct amdtp_stream *s, unsigned int port,
 {
        struct amdtp_dot *p = s->protocol;
-        if (port < p->midi_ports)
+        if (port < MAX_MIDI_PORTS)
                ACCESS_ONCE(p->midi[port]) = midi;
 }
diff --git a/sound/pci/asihpi/hpimsginit.c b/sound/pci/asihpi/hpimsginit.c
index 7eb617175fde..a31a70dccecf 100644
--- a/sound/pci/asihpi/hpimsginit.c
+++ b/sound/pci/asihpi/hpimsginit.c
@@ -23,6 +23,7 @@
 #include "hpi_internal.h"
 #include "hpimsginit.h"
+#include <linux/nospec.h>
 /* The actual message size for each object type */
 static u16 msg_size[HPI_OBJ_MAXINDEX + 1] = HPI_MESSAGE_SIZE_BY_OBJECT;
@@ -39,10 +40,12 @@ static void hpi_init_message(struct hpi_message *phm, u16 object,
 {
        u16 size;
-        if ((object > 0) && (object <= HPI_OBJ_MAXINDEX))
+        if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
+                object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
                size = msg_size[object];
-        else
+        } else {
                size = sizeof(*phm);
+        }
        memset(phm, 0, size);
        phm->size = size;
@@ -66,10 +69,12 @@ void hpi_init_response(struct hpi_response *phr, u16 object, u16 function,
 {
        u16 size;
-        if ((object > 0) && (object <= HPI_OBJ_MAXINDEX))
+        if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
+                object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
                size = res_size[object];
-        else
+        } else {
                size = sizeof(*phr);
+        }
        memset(phr, 0, sizeof(*phr));
        phr->size = size;
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index d17937b92331..7a32abbe0cef 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -33,6 +33,7 @@
 #include <linux/stringify.h>
 #include <linux/module.h>
 #include <linux/vmalloc.h>
+#include <linux/nospec.h>
 #ifdef MODULE_FIRMWARE
 MODULE_FIRMWARE("asihpi/dsp5000.bin");
@@ -182,7 +183,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                struct hpi_adapter *pa = NULL;
                if (hm->h.adapter_index < ARRAY_SIZE(adapters))
-                        pa = &adapters[hm->h.adapter_index];
+                        pa = &adapters[array_index_nospec(hm->h.adapter_index,
+                                                          ARRAY_SIZE(adapters))];
                if (!pa || !pa->adapter || !pa->adapter->type) {
                        hpi_init_response(&hr->r0, hm->h.object,
diff --git a/sound/pci/emu10k1/emupcm.c b/sound/pci/emu10k1/emupcm.c
index 14a305bd8a98..72e442d86bb1 100644
--- a/sound/pci/emu10k1/emupcm.c
+++ b/sound/pci/emu10k1/emupcm.c
@@ -1850,7 +1850,9 @@ int snd_emu10k1_pcm_efx(struct snd_emu10k1 *emu, int device)
        if (!kctl)
                return -ENOMEM;
        kctl->id.device = device;
-        snd_ctl_add(emu->card, kctl);
+        err = snd_ctl_add(emu->card, kctl);
+        if (err < 0)
+                return err;
        snd_pcm_lib_preallocate_pages_for_all(pcm, SNDRV_DMA_TYPE_DEV, snd_dma_pci_data(emu->pci), 64*1024, 64*1024);
diff --git a/sound/pci/emu10k1/memory.c b/sound/pci/emu10k1/memory.c
index 4f1f69be1865..8c778fa33031 100644
--- a/sound/pci/emu10k1/memory.c
+++ b/sound/pci/emu10k1/memory.c
@@ -237,13 +237,13 @@ __found_pages:
 static int is_valid_page(struct snd_emu10k1 *emu, dma_addr_t addr)
 {
        if (addr & ~emu->dma_mask) {
-                dev_err(emu->card->dev,
+                dev_err_ratelimited(emu->card->dev,
                        "max memory size is 0x%lx (addr = 0x%lx)!!\n",
                        emu->dma_mask, (unsigned long)addr);
                return 0;
        }
        if (addr & (EMUPAGESIZE-1)) {
-                dev_err(emu->card->dev, "page is not aligned\n");
+                dev_err_ratelimited(emu->card->dev, "page is not aligned\n");
                return 0;
        }
        return 1;
@@ -334,7 +334,7 @@ snd_emu10k1_alloc_pages(struct snd_emu10k1 *emu, struct snd_pcm_substream *subst
                else
                        addr = snd_pcm_sgbuf_get_addr(substream, ofs);
                if (! is_valid_page(emu, addr)) {
-                        dev_err(emu->card->dev,
+                        dev_err_ratelimited(emu->card->dev,
                                "emu: failure page = %d\n", idx);
                        mutex_unlock(&hdr->block_mutex);
                        return NULL;
diff --git a/sound/pci/fm801.c b/sound/pci/fm801.c
index 1fdd92b6f18f..d6e89a6d0bb9 100644
--- a/sound/pci/fm801.c
+++ b/sound/pci/fm801.c
@@ -1050,11 +1050,19 @@ static int snd_fm801_mixer(struct fm801 *chip)
                if ((err = snd_ac97_mixer(chip->ac97_bus, &ac97, &chip->ac97_sec)) < 0)
                        return err;
        }
-        for (i = 0; i < FM801_CONTROLS; i++)
+        for (i = 0; i < FM801_CONTROLS; i++) {
-                snd_ctl_add(chip->card, snd_ctl_new1(&snd_fm801_controls[i], chip));
+                err = snd_ctl_add(chip->card,
+                        snd_ctl_new1(&snd_fm801_controls[i], chip));
+                if (err < 0)
+                        return err;
+        }
        if (chip->multichannel) {
-                for (i = 0; i < FM801_CONTROLS_MULTI; i++)
+                for (i = 0; i < FM801_CONTROLS_MULTI; i++) {
-                        snd_ctl_add(chip->card, snd_ctl_new1(&snd_fm801_controls_multi[i], chip));
+                        err = snd_ctl_add(chip->card,
+                                snd_ctl_new1(&snd_fm801_controls_multi[i], chip));
+                        if (err < 0)
+                                return err;
+                }
        }
        return 0;
 }
diff --git a/sound/pci/hda/Kconfig b/sound/pci/hda/Kconfig
index e94cfd5c69f7..ebec1a1ae543 100644
--- a/sound/pci/hda/Kconfig
+++ b/sound/pci/hda/Kconfig
@@ -84,7 +84,6 @@ config SND_HDA_PATCH_LOADER
 config SND_HDA_CODEC_REALTEK
        tristate "Build Realtek HD-audio codec support"
        select SND_HDA_GENERIC
-        select INPUT
        help
          Say Y or M here to include Realtek HD-audio codec support in
          snd-hda-intel driver, such as ALC880.
diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
index 9c6e10fb479f..273364c39171 100644
--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -547,8 +547,10 @@ int snd_hda_attach_pcm_stream(struct hda_bus *_bus, struct hda_codec *codec,
                return err;
        strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
        apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
-        if (apcm == NULL)
+        if (apcm == NULL) {
+                snd_device_free(chip->card, pcm);
                return -ENOMEM;
+        }
        apcm->chip = chip;
        apcm->pcm = pcm;
        apcm->codec = codec;
diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c
index 57df06e76968..cc009a4a3d1d 100644
--- a/sound/pci/hda/hda_hwdep.c
+++ b/sound/pci/hda/hda_hwdep.c
@@ -21,6 +21,7 @@
 #include <linux/init.h>
 #include <linux/slab.h>
 #include <linux/compat.h>
+#include <linux/nospec.h>
 #include <sound/core.h>
 #include "hda_codec.h"
 #include "hda_local.h"
@@ -51,7 +52,16 @@ static int get_wcap_ioctl(struct hda_codec *codec,
        
        if (get_user(verb, &arg->verb))
                return -EFAULT;
-        res = get_wcaps(codec, verb >> 24);
+        /* open-code get_wcaps(verb>>24) with nospec */
+        verb >>= 24;
+        if (verb < codec->core.start_nid ||
+            verb >= codec->core.start_nid + codec->core.num_nodes) {
+                res = 0;
+        } else {
+                verb -= codec->core.start_nid;
+                verb = array_index_nospec(verb, codec->core.num_nodes);
+                res = codec->wcaps[verb];
+        }
        if (put_user(res, &arg->res))
                return -EFAULT;
        return 0;
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index 20512fe32a97..d0b55c866370 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -184,6 +184,10 @@ module_param(power_save, xint, 0644);
 MODULE_PARM_DESC(power_save, "Automatic power-saving timeout "
                 "(in second, 0 = disable).");
+static bool pm_blacklist = true;
+module_param(pm_blacklist, bool, 0644);
+MODULE_PARM_DESC(pm_blacklist, "Enable power-management blacklist");
 /* reset the HD-audio controller in power save mode.
 * this may give more power-saving, but will take longer time to
 * wake up.
@@ -1545,7 +1549,8 @@ static void azx_check_snoop_available(struct azx *chip)
                 */
                u8 val;
                pci_read_config_byte(chip->pci, 0x42, &val);
-                if (!(val & 0x80) && chip->pci->revision == 0x30)
+                if (!(val & 0x80) && (chip->pci->revision == 0x30 ||
+                                      chip->pci->revision == 0x20))
                        snoop = false;
        }
@@ -2055,6 +2060,26 @@ out_free:
        return err;
 }
+#ifdef CONFIG_PM
+/* On some boards setting power_save to a non 0 value leads to clicking /
+ * popping sounds when ever we enter/leave powersaving mode. Ideally we would
+ * figure out how to avoid these sounds, but that is not always feasible.
+ * So we keep a list of devices where we disable powersaving as its known
+ * to causes problems on these devices.
+ */
+static struct snd_pci_quirk power_save_blacklist[] = {
+        /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
+        SND_PCI_QUIRK(0x1849, 0x0c0c, "Asrock B85M-ITX", 0),
+        /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
+        SND_PCI_QUIRK(0x1043, 0x8733, "Asus Prime X370-Pro", 0),
+        /* https://bugzilla.redhat.com/show_bug.cgi?id=1572975 */
+        SND_PCI_QUIRK(0x17aa, 0x36a7, "Lenovo C50 All in one", 0),
+        /* https://bugzilla.kernel.org/show_bug.cgi?id=198611 */
+        SND_PCI_QUIRK(0x17aa, 0x2227, "Lenovo X1 Carbon 3rd Gen", 0),
+        {}
+};
+#endif /* CONFIG_PM */
 /* number of codec slots for each chipset: 0 = default slots (i.e. 4) */
 static unsigned int azx_max_codecs[AZX_NUM_DRIVERS] = {
        [AZX_DRIVER_NVIDIA] = 8,
@@ -2067,6 +2092,7 @@ static int azx_probe_continue(struct azx *chip)
        struct hdac_bus *bus = azx_bus(chip);
        struct pci_dev *pci = chip->pci;
        int dev = chip->dev_index;
+        int val;
        int err;
        hda->probe_continued = 1;
@@ -2142,7 +2168,21 @@ static int azx_probe_continue(struct azx *chip)
        chip->running = 1;
        azx_add_card_list(chip);
-        snd_hda_set_power_save(&chip->bus, power_save * 1000);
+        val = power_save;
+#ifdef CONFIG_PM
+        if (pm_blacklist) {
+                const struct snd_pci_quirk *q;
+                q = snd_pci_quirk_lookup(chip->pci, power_save_blacklist);
+                if (q && val) {
+                        dev_info(chip->card->dev, "device %04x:%04x is on the power_save blacklist, forcing power_save to 0\n",
+                                 q->subvendor, q->subdevice);
+                        val = 0;
+                }
+        }
+#endif /* CONFIG_PM */
+        snd_hda_set_power_save(&chip->bus, val * 1000);
        if (azx_has_pm_runtime(chip) || hda->use_vga_switcheroo)
                pm_runtime_put_noidle(&pci->dev);
diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
index c146d0de53d8..c55c0131be0a 100644
--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -38,6 +38,10 @@
 /* Enable this to see controls for tuning purpose. */
 /*#define ENABLE_TUNING_CONTROLS*/
+#ifdef ENABLE_TUNING_CONTROLS
+#include <sound/tlv.h>
+#endif
 #define FLOAT_ZERO      0x00000000
 #define FLOAT_ONE       0x3f800000
 #define FLOAT_TWO       0x40000000
@@ -1482,6 +1486,9 @@ static int dspio_scp(struct hda_codec *codec,
                } else if (ret_size != reply_data_size) {
                        codec_dbg(codec, "RetLen and HdrLen .NE.\n");
                        return -EINVAL;
+                } else if (!reply) {
+                        codec_dbg(codec, "NULL reply\n");
+                        return -EINVAL;
                } else {
                        *reply_len = ret_size*sizeof(unsigned int);
                        memcpy(reply, scp_reply.data, *reply_len);
@@ -3064,8 +3071,8 @@ static int equalizer_ctl_put(struct snd_kcontrol *kcontrol,
        return 1;
 }
-static const DECLARE_TLV_DB_SCALE(voice_focus_db_scale, 2000, 100, 0);
+static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(voice_focus_db_scale, 2000, 100, 0);
-static const DECLARE_TLV_DB_SCALE(eq_db_scale, -2400, 100, 0);
+static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(eq_db_scale, -2400, 100, 0);
 static int add_tuning_control(struct hda_codec *codec,
                                hda_nid_t pnid, hda_nid_t nid,
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index c92b7ba344ef..cb19af145f46 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -849,6 +849,10 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
        SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
        SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
        SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
+        SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+        SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
+        SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+        SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
        SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
        SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
        SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index f14c1f288443..d706a416b587 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -329,6 +329,7 @@ static void alc_fill_eapd_coef(struct hda_codec *codec)
                break;
        case 0x10ec0225:
        case 0x10ec0233:
+        case 0x10ec0235:
        case 0x10ec0236:
        case 0x10ec0255:
        case 0x10ec0256:
@@ -2446,6 +2447,7 @@ static const struct snd_pci_quirk alc262_fixup_tbl[] = {
        SND_PCI_QUIRK(0x10cf, 0x1397, "Fujitsu Lifebook S7110", ALC262_FIXUP_FSC_S7110),
        SND_PCI_QUIRK(0x10cf, 0x142d, "Fujitsu Lifebook E8410", ALC262_FIXUP_BENQ),
        SND_PCI_QUIRK(0x10f1, 0x2915, "Tyan Thunder n6650W", ALC262_FIXUP_TYAN),
+        SND_PCI_QUIRK(0x1734, 0x1141, "FSC ESPRIMO U9210", ALC262_FIXUP_FSC_H270),
        SND_PCI_QUIRK(0x1734, 0x1147, "FSC Celsius H270", ALC262_FIXUP_FSC_H270),
        SND_PCI_QUIRK(0x17aa, 0x384e, "Lenovo 3000", ALC262_FIXUP_LENOVO_3000),
        SND_PCI_QUIRK(0x17ff, 0x0560, "Benq ED8", ALC262_FIXUP_BENQ),
@@ -3130,6 +3132,19 @@ static void alc269_fixup_pincfg_no_hp_to_lineout(struct hda_codec *codec,
                spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
 }
+static void alc269_fixup_pincfg_U7x7_headset_mic(struct hda_codec *codec,
+                                                 const struct hda_fixup *fix,
+                                                 int action)
+{
+        unsigned int cfg_headphone = snd_hda_codec_get_pincfg(codec, 0x21);
+        unsigned int cfg_headset_mic = snd_hda_codec_get_pincfg(codec, 0x19);
+        if (cfg_headphone && cfg_headset_mic == 0x411111f0)
+                snd_hda_codec_set_pincfg(codec, 0x19,
+                        (cfg_headphone & ~AC_DEFCFG_DEVICE) |
+                        (AC_JACK_MIC_IN << AC_DEFCFG_DEVICE_SHIFT));
+}
 static void alc269_fixup_hweq(struct hda_codec *codec,
                               const struct hda_fixup *fix, int action)
 {
@@ -3248,8 +3263,12 @@ static void alc269_fixup_mic_mute_hook(void *private_data, int enabled)
        pinval = snd_hda_codec_get_pin_target(codec, spec->mute_led_nid);
        pinval &= ~AC_PINCTL_VREFEN;
        pinval |= enabled ? AC_PINCTL_VREF_HIZ : AC_PINCTL_VREF_80;
-        if (spec->mute_led_nid)
+        if (spec->mute_led_nid) {
+                /* temporarily power up/down for setting VREF */
+                snd_hda_power_up_pm(codec);
                snd_hda_set_pin_ctl_cache(codec, spec->mute_led_nid, pinval);
+                snd_hda_power_down_pm(codec);
+        }
 }
 /* Make sure the led works even in runtime suspend */
@@ -3477,6 +3496,7 @@ static void alc280_fixup_hp_gpio4(struct hda_codec *codec,
        }
 }
+#if IS_REACHABLE(INPUT)
 static void gpio2_mic_hotkey_event(struct hda_codec *codec,
                                   struct hda_jack_callback *event)
 {
@@ -3609,6 +3629,10 @@ static void alc233_fixup_lenovo_line2_mic_hotkey(struct hda_codec *codec,
                spec->kb_dev = NULL;
        }
 }
+#else /* INPUT */
+#define alc280_fixup_hp_gpio2_mic_hotkey        NULL
+#define alc233_fixup_lenovo_line2_mic_hotkey    NULL
+#endif /* INPUT */
 static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec,
                                const struct hda_fixup *fix, int action)
@@ -4709,6 +4733,16 @@ static void alc298_fixup_speaker_volume(struct hda_codec *codec,
        }
 }
+/* disable DAC3 (0x06) selection on NID 0x17 as it has no volume amp control */
+static void alc295_fixup_disable_dac3(struct hda_codec *codec,
+                                      const struct hda_fixup *fix, int action)
+{
+        if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+                hda_nid_t conn[2] = { 0x02, 0x03 };
+                snd_hda_override_conn_list(codec, 0x17, 2, conn);
+        }
+}
 /* Hook to update amp GPIO4 for automute */
 static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec,
                                          struct hda_jack_callback *jack)
@@ -4782,6 +4816,7 @@ enum {
        ALC269_FIXUP_LIFEBOOK_EXTMIC,
        ALC269_FIXUP_LIFEBOOK_HP_PIN,
        ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT,
+        ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC,
        ALC269_FIXUP_AMIC,
        ALC269_FIXUP_DMIC,
        ALC269VB_FIXUP_AMIC,
@@ -4857,6 +4892,7 @@ enum {
        ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY,
        ALC255_FIXUP_DELL_SPK_NOISE,
        ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
+        ALC295_FIXUP_DISABLE_DAC3,
        ALC280_FIXUP_HP_HEADSET_MIC,
        ALC221_FIXUP_HP_FRONT_MIC,
        ALC292_FIXUP_TPT460,
@@ -4972,6 +5008,10 @@ static const struct hda_fixup alc269_fixups[] = {
                .type = HDA_FIXUP_FUNC,
                .v.func = alc269_fixup_pincfg_no_hp_to_lineout,
        },
+        [ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC] = {
+                .type = HDA_FIXUP_FUNC,
+                .v.func = alc269_fixup_pincfg_U7x7_headset_mic,
+        },
        [ALC269_FIXUP_AMIC] = {
                .type = HDA_FIXUP_PINS,
                .v.pins = (const struct hda_pintbl[]) {
@@ -5542,6 +5582,10 @@ static const struct hda_fixup alc269_fixups[] = {
                .chained = true,
                .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE,
        },
+        [ALC295_FIXUP_DISABLE_DAC3] = {
+                .type = HDA_FIXUP_FUNC,
+                .v.func = alc295_fixup_disable_dac3,
+        },
        [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
                .type = HDA_FIXUP_PINS,
                .v.pins = (const struct hda_pintbl[]) {
@@ -5599,6 +5643,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
        SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE),
        SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
        SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
+        SND_PCI_QUIRK(0x1028, 0x07b0, "Dell Precision 7520", ALC295_FIXUP_DISABLE_DAC3),
        SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
        SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
        SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
@@ -5687,6 +5732,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
        SND_PCI_QUIRK(0x10cf, 0x159f, "Lifebook E780", ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT),
        SND_PCI_QUIRK(0x10cf, 0x15dc, "Lifebook T731", ALC269_FIXUP_LIFEBOOK_HP_PIN),
        SND_PCI_QUIRK(0x10cf, 0x1757, "Lifebook E752", ALC269_FIXUP_LIFEBOOK_HP_PIN),
+        SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC),
        SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
        SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
        SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_BXBT2807_MIC),
@@ -5976,6 +6022,11 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
                {0x14, 0x90170110},
                {0x21, 0x02211020}),
        SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+                {0x12, 0x90a60130},
+                {0x14, 0x90170110},
+                {0x14, 0x01011020},
+                {0x21, 0x0221101f}),
+        SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
                ALC256_STANDARD_PINS),
        SND_HDA_PIN_QUIRK(0x10ec0280, 0x103c, "HP", ALC280_FIXUP_HP_GPIO4,
                {0x12, 0x90a60130},
@@ -6031,6 +6082,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
                {0x12, 0x90a60120},
                {0x14, 0x90170110},
                {0x21, 0x0321101f}),
+        SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
+                {0x12, 0xb7a60130},
+                {0x14, 0x90170110},
+                {0x21, 0x04211020}),
        SND_HDA_PIN_QUIRK(0x10ec0290, 0x103c, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1,
                ALC290_STANDARD_PINS,
                {0x15, 0x04211040},
@@ -6248,6 +6303,7 @@ static int patch_alc269(struct hda_codec *codec)
        case 0x10ec0298:
                spec->codec_variant = ALC269_TYPE_ALC298;
                break;
+        case 0x10ec0235:
        case 0x10ec0255:
                spec->codec_variant = ALC269_TYPE_ALC255;
                break;
@@ -6673,6 +6729,7 @@ enum {
        ALC668_FIXUP_DELL_DISABLE_AAMIX,
        ALC668_FIXUP_DELL_XPS13,
        ALC662_FIXUP_ASUS_Nx50,
+        ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
        ALC668_FIXUP_ASUS_Nx51,
 };
@@ -6920,14 +6977,21 @@ static const struct hda_fixup alc662_fixups[] = {
                .chained = true,
                .chain_id = ALC662_FIXUP_BASS_1A
        },
+        [ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE] = {
+                .type = HDA_FIXUP_FUNC,
+                .v.func = alc_fixup_headset_mode_alc668,
+                .chain_id = ALC662_FIXUP_BASS_CHMAP
+        },
        [ALC668_FIXUP_ASUS_Nx51] = {
                .type = HDA_FIXUP_PINS,
                .v.pins = (const struct hda_pintbl[]) {
-                        {0x1a, 0x90170151}, /* bass speaker */
+                        { 0x19, 0x03a1913d }, /* use as headphone mic, without its own jack detect */
+                        { 0x1a, 0x90170151 }, /* bass speaker */
+                        { 0x1b, 0x03a1113c }, /* use as headset mic, without its own jack detect */
                        {}
                },
                .chained = true,
-                .chain_id = ALC662_FIXUP_BASS_CHMAP,
+                .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
        },
 };
diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
index a4a999a0317e..1a0c0d16a279 100644
--- a/sound/pci/rme9652/hdspm.c
+++ b/sound/pci/rme9652/hdspm.c
@@ -137,6 +137,7 @@
 #include <linux/pci.h>
 #include <linux/math64.h>
 #include <linux/io.h>
+#include <linux/nospec.h>
 #include <sound/core.h>
 #include <sound/control.h>
@@ -5692,40 +5693,43 @@ static int snd_hdspm_channel_info(struct snd_pcm_substream *substream,
                struct snd_pcm_channel_info *info)
 {
        struct hdspm *hdspm = snd_pcm_substream_chip(substream);
+        unsigned int channel = info->channel;
        if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
-                if (snd_BUG_ON(info->channel >= hdspm->max_channels_out)) {
+                if (snd_BUG_ON(channel >= hdspm->max_channels_out)) {
                        dev_info(hdspm->card->dev,
                                 "snd_hdspm_channel_info: output channel out of range (%d)\n",
-                                 info->channel);
+                                 channel);
                        return -EINVAL;
                }
-                if (hdspm->channel_map_out[info->channel] < 0) {
+                channel = array_index_nospec(channel, hdspm->max_channels_out);
+                if (hdspm->channel_map_out[channel] < 0) {
                        dev_info(hdspm->card->dev,
                                 "snd_hdspm_channel_info: output channel %d mapped out\n",
-                                 info->channel);
+                                 channel);
                        return -EINVAL;
                }
-                info->offset = hdspm->channel_map_out[info->channel] *
+                info->offset = hdspm->channel_map_out[channel] *
                        HDSPM_CHANNEL_BUFFER_BYTES;
        } else {
-                if (snd_BUG_ON(info->channel >= hdspm->max_channels_in)) {
+                if (snd_BUG_ON(channel >= hdspm->max_channels_in)) {
                        dev_info(hdspm->card->dev,
                                 "snd_hdspm_channel_info: input channel out of range (%d)\n",
-                                 info->channel);
+                                 channel);
                        return -EINVAL;
                }
-                if (hdspm->channel_map_in[info->channel] < 0) {
+                channel = array_index_nospec(channel, hdspm->max_channels_in);
+                if (hdspm->channel_map_in[channel] < 0) {
                        dev_info(hdspm->card->dev,
                                 "snd_hdspm_channel_info: input channel %d mapped out\n",
-                                 info->channel);
+                                 channel);
                        return -EINVAL;
                }
-                info->offset = hdspm->channel_map_in[info->channel] *
+                info->offset = hdspm->channel_map_in[channel] *
                        HDSPM_CHANNEL_BUFFER_BYTES;
        }
diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c
index fdbc0aa2776a..c253bdf92e36 100644
--- a/sound/pci/rme9652/rme9652.c
+++ b/sound/pci/rme9652/rme9652.c
@@ -26,6 +26,7 @@
 #include <linux/pci.h>
 #include <linux/module.h>
 #include <linux/io.h>
+#include <linux/nospec.h>
 #include <sound/core.h>
 #include <sound/control.h>
@@ -2036,9 +2037,10 @@ static int snd_rme9652_channel_info(struct snd_pcm_substream *substream,
        if (snd_BUG_ON(info->channel >= RME9652_NCHANNELS))
                return -EINVAL;
-        if ((chn = rme9652->channel_map[info->channel]) < 0) {
+        chn = rme9652->channel_map[array_index_nospec(info->channel,
+                                                      RME9652_NCHANNELS)];
+        if (chn < 0)
                return -EINVAL;
-        }
        info->offset = chn * RME9652_CHANNEL_BUFFER_BYTES;
        info->first = 0;
diff --git a/sound/soc/au1x/ac97c.c b/sound/soc/au1x/ac97c.c
index 29a97d52e8ad..66d6c52e7761 100644
--- a/sound/soc/au1x/ac97c.c
+++ b/sound/soc/au1x/ac97c.c
@@ -91,8 +91,8 @@ static unsigned short au1xac97c_ac97_read(struct snd_ac97 *ac97,
        do {
                mutex_lock(&ctx->lock);
-                tmo = 5;
+                tmo = 6;
-                while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
+                while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
                        udelay(21);     /* wait an ac97 frame time */
                if (!tmo) {
                        pr_debug("ac97rd timeout #1\n");
@@ -105,7 +105,7 @@ static unsigned short au1xac97c_ac97_read(struct snd_ac97 *ac97,
                 * poll, Forrest, poll...
                 */
                tmo = 0x10000;
-                while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
+                while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
                        asm volatile ("nop");
                data = RD(ctx, AC97_CMDRESP);
diff --git a/sound/soc/cirrus/edb93xx.c b/sound/soc/cirrus/edb93xx.c
index 85962657aabe..517963ef4847 100644
--- a/sound/soc/cirrus/edb93xx.c
+++ b/sound/soc/cirrus/edb93xx.c
@@ -67,7 +67,7 @@ static struct snd_soc_dai_link edb93xx_dai = {
        .cpu_dai_name   = "ep93xx-i2s",
        .codec_name     = "spi0.0",
        .codec_dai_name = "cs4271-hifi",
-        .dai_fmt        = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
+        .dai_fmt        = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
                          SND_SOC_DAIFMT_CBS_CFS,
        .ops            = &edb93xx_ops,
 };
diff --git a/sound/soc/cirrus/ep93xx-i2s.c b/sound/soc/cirrus/ep93xx-i2s.c
index 934f8aefdd90..0dc3852c4621 100644
--- a/sound/soc/cirrus/ep93xx-i2s.c
+++ b/sound/soc/cirrus/ep93xx-i2s.c
@@ -51,7 +51,9 @@
 #define EP93XX_I2S_WRDLEN_24            (1 << 0)
 #define EP93XX_I2S_WRDLEN_32            (2 << 0)
-#define EP93XX_I2S_LINCTRLDATA_R_JUST   (1 << 2) /* Right justify */
+#define EP93XX_I2S_RXLINCTRLDATA_R_JUST BIT(1) /* Right justify */
+#define EP93XX_I2S_TXLINCTRLDATA_R_JUST BIT(2) /* Right justify */
 #define EP93XX_I2S_CLKCFG_LRS           (1 << 0) /* lrclk polarity */
 #define EP93XX_I2S_CLKCFG_CKP           (1 << 1) /* Bit clock polarity */
@@ -170,25 +172,25 @@ static int ep93xx_i2s_set_dai_fmt(struct snd_soc_dai *cpu_dai,
                                  unsigned int fmt)
 {
        struct ep93xx_i2s_info *info = snd_soc_dai_get_drvdata(cpu_dai);
-        unsigned int clk_cfg, lin_ctrl;
+        unsigned int clk_cfg;
+        unsigned int txlin_ctrl = 0;
+        unsigned int rxlin_ctrl = 0;
        clk_cfg  = ep93xx_i2s_read_reg(info, EP93XX_I2S_RXCLKCFG);
-        lin_ctrl = ep93xx_i2s_read_reg(info, EP93XX_I2S_RXLINCTRLDATA);
        switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
        case SND_SOC_DAIFMT_I2S:
                clk_cfg |= EP93XX_I2S_CLKCFG_REL;
-                lin_ctrl &= ~EP93XX_I2S_LINCTRLDATA_R_JUST;
                break;
        case SND_SOC_DAIFMT_LEFT_J:
                clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
-                lin_ctrl &= ~EP93XX_I2S_LINCTRLDATA_R_JUST;
                break;
        case SND_SOC_DAIFMT_RIGHT_J:
                clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
-                lin_ctrl |= EP93XX_I2S_LINCTRLDATA_R_JUST;
+                rxlin_ctrl |= EP93XX_I2S_RXLINCTRLDATA_R_JUST;
+                txlin_ctrl |= EP93XX_I2S_TXLINCTRLDATA_R_JUST;
                break;
        default:
@@ -213,32 +215,32 @@ static int ep93xx_i2s_set_dai_fmt(struct snd_soc_dai *cpu_dai,
        switch (fmt & SND_SOC_DAIFMT_INV_MASK) {
        case SND_SOC_DAIFMT_NB_NF:
                /* Negative bit clock, lrclk low on left word */
-                clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL);
+                clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS);
                break;
        case SND_SOC_DAIFMT_NB_IF:
                /* Negative bit clock, lrclk low on right word */
                clk_cfg &= ~EP93XX_I2S_CLKCFG_CKP;
-                clk_cfg |= EP93XX_I2S_CLKCFG_REL;
+                clk_cfg |= EP93XX_I2S_CLKCFG_LRS;
                break;
        case SND_SOC_DAIFMT_IB_NF:
                /* Positive bit clock, lrclk low on left word */
                clk_cfg |= EP93XX_I2S_CLKCFG_CKP;
-                clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
+                clk_cfg &= ~EP93XX_I2S_CLKCFG_LRS;
                break;
        case SND_SOC_DAIFMT_IB_IF:
                /* Positive bit clock, lrclk low on right word */
-                clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL;
+                clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS;
                break;
        }
        /* Write new register values */
        ep93xx_i2s_write_reg(info, EP93XX_I2S_RXCLKCFG, clk_cfg);
        ep93xx_i2s_write_reg(info, EP93XX_I2S_TXCLKCFG, clk_cfg);
-        ep93xx_i2s_write_reg(info, EP93XX_I2S_RXLINCTRLDATA, lin_ctrl);
+        ep93xx_i2s_write_reg(info, EP93XX_I2S_RXLINCTRLDATA, rxlin_ctrl);
-        ep93xx_i2s_write_reg(info, EP93XX_I2S_TXLINCTRLDATA, lin_ctrl);
+        ep93xx_i2s_write_reg(info, EP93XX_I2S_TXLINCTRLDATA, txlin_ctrl);
        return 0;
 }
diff --git a/sound/soc/cirrus/snappercl15.c b/sound/soc/cirrus/snappercl15.c
index 98089df08df6..c6737a573bc0 100644
--- a/sound/soc/cirrus/snappercl15.c
+++ b/sound/soc/cirrus/snappercl15.c
@@ -72,7 +72,7 @@ static struct snd_soc_dai_link snappercl15_dai = {
        .codec_dai_name = "tlv320aic23-hifi",
        .codec_name     = "tlv320aic23-codec.0-001a",
        .platform_name  = "ep93xx-i2s",
-        .dai_fmt        = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
+        .dai_fmt        = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
                          SND_SOC_DAIFMT_CBS_CFS,
        .ops            = &snappercl15_ops,
 };
diff --git a/sound/soc/codecs/pcm512x-spi.c b/sound/soc/codecs/pcm512x-spi.c
index 712ed6598c48..ebdf9bd5a64c 100644
--- a/sound/soc/codecs/pcm512x-spi.c
+++ b/sound/soc/codecs/pcm512x-spi.c
@@ -70,3 +70,7 @@ static struct spi_driver pcm512x_spi_driver = {
 };
 module_spi_driver(pcm512x_spi_driver);
+MODULE_DESCRIPTION("ASoC PCM512x codec driver - SPI");
+MODULE_AUTHOR("Mark Brown <broonie@kernel.org>");
+MODULE_LICENSE("GPL v2");
diff --git a/sound/soc/codecs/ssm2602.c b/sound/soc/codecs/ssm2602.c
index 4452fea0b118..bd4998f577a0 100644
--- a/sound/soc/codecs/ssm2602.c
+++ b/sound/soc/codecs/ssm2602.c
@@ -54,10 +54,17 @@ struct ssm2602_priv {
 * using 2 wire for device control, so we cache them instead.
 * There is no point in caching the reset register
 */
-static const u16 ssm2602_reg[SSM2602_CACHEREGNUM] = {
+static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = {
-        0x0097, 0x0097, 0x0079, 0x0079,
+        { .reg = 0x00, .def = 0x0097 },
-        0x000a, 0x0008, 0x009f, 0x000a,
+        { .reg = 0x01, .def = 0x0097 },
-        0x0000, 0x0000
+        { .reg = 0x02, .def = 0x0079 },
+        { .reg = 0x03, .def = 0x0079 },
+        { .reg = 0x04, .def = 0x000a },
+        { .reg = 0x05, .def = 0x0008 },
+        { .reg = 0x06, .def = 0x009f },
+        { .reg = 0x07, .def = 0x000a },
+        { .reg = 0x08, .def = 0x0000 },
+        { .reg = 0x09, .def = 0x0000 }
 };
@@ -618,8 +625,8 @@ const struct regmap_config ssm2602_regmap_config = {
        .volatile_reg = ssm2602_register_volatile,
        .cache_type = REGCACHE_RBTREE,
-        .reg_defaults_raw = ssm2602_reg,
+        .reg_defaults = ssm2602_reg,
-        .num_reg_defaults_raw = ARRAY_SIZE(ssm2602_reg),
+        .num_reg_defaults = ARRAY_SIZE(ssm2602_reg),
 };
 EXPORT_SYMBOL_GPL(ssm2602_regmap_config);
diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c
index 59f234e51971..e8adead8be00 100644
--- a/sound/soc/fsl/fsl_esai.c
+++ b/sound/soc/fsl/fsl_esai.c
@@ -143,6 +143,13 @@ static int fsl_esai_divisor_cal(struct snd_soc_dai *dai, bool tx, u32 ratio,
        psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8;
+        /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */
+        if (ratio <= 256) {
+                pm = ratio;
+                fp = 1;
+                goto out;
+        }
        /* Set the max fluctuation -- 0.1% of the max devisor */
        savesub = (psr ? 1 : 8)  * 256 * maxfp / 1000;
diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c
index ba384dee277b..d62695d696c4 100644
--- a/sound/soc/generic/simple-card.c
+++ b/sound/soc/generic/simple-card.c
@@ -358,13 +358,19 @@ static int asoc_simple_card_dai_link_of(struct device_node *node,
        snprintf(prop, sizeof(prop), "%scpu", prefix);
        cpu = of_get_child_by_name(node, prop);
+        if (!cpu) {
+                ret = -EINVAL;
+                dev_err(dev, "%s: Can't find %s DT node\n", __func__, prop);
+                goto dai_link_of_err;
+        }
        snprintf(prop, sizeof(prop), "%splat", prefix);
        plat = of_get_child_by_name(node, prop);
        snprintf(prop, sizeof(prop), "%scodec", prefix);
        codec = of_get_child_by_name(node, prop);
-        if (!cpu || !codec) {
+        if (!codec) {
                ret = -EINVAL;
                dev_err(dev, "%s: Can't find %s DT node\n", __func__, prop);
                goto dai_link_of_err;
diff --git a/sound/soc/intel/Kconfig b/sound/soc/intel/Kconfig
index d430ef5a4f38..79c29330c56a 100644
--- a/sound/soc/intel/Kconfig
+++ b/sound/soc/intel/Kconfig
@@ -24,7 +24,6 @@ config SND_SST_IPC_PCI
 config SND_SST_IPC_ACPI
        tristate
        select SND_SST_IPC
-        depends on ACPI
 config SND_SOC_INTEL_SST
        tristate
@@ -91,7 +90,7 @@ config SND_SOC_INTEL_BROADWELL_MACH
 config SND_SOC_INTEL_BYTCR_RT5640_MACH
        tristate "ASoC Audio DSP Support for MID BYT Platform"
-        depends on X86 && I2C
+        depends on X86 && I2C && ACPI
        select SND_SOC_RT5640
        select SND_SST_MFLD_PLATFORM
        select SND_SST_IPC_ACPI
@@ -103,7 +102,7 @@ config SND_SOC_INTEL_BYTCR_RT5640_MACH
 config SND_SOC_INTEL_CHT_BSW_RT5672_MACH
        tristate "ASoC Audio driver for Intel Cherrytrail & Braswell with RT5672 codec"
-        depends on X86_INTEL_LPSS && I2C
+        depends on X86_INTEL_LPSS && I2C && ACPI
        select SND_SOC_RT5670
        select SND_SST_MFLD_PLATFORM
        select SND_SST_IPC_ACPI
@@ -115,7 +114,7 @@ config SND_SOC_INTEL_CHT_BSW_RT5672_MACH
 config SND_SOC_INTEL_CHT_BSW_RT5645_MACH
        tristate "ASoC Audio driver for Intel Cherrytrail & Braswell with RT5645/5650 codec"
-        depends on X86_INTEL_LPSS && I2C
+        depends on X86_INTEL_LPSS && I2C && ACPI
        select SND_SOC_RT5645
        select SND_SST_MFLD_PLATFORM
        select SND_SST_IPC_ACPI
diff --git a/sound/soc/intel/atom/sst/sst_stream.c b/sound/soc/intel/atom/sst/sst_stream.c
index a74c64c7053c..e83da42a8c03 100644
--- a/sound/soc/intel/atom/sst/sst_stream.c
+++ b/sound/soc/intel/atom/sst/sst_stream.c
@@ -221,7 +221,7 @@ int sst_send_byte_stream_mrfld(struct intel_sst_drv *sst_drv_ctx,
                sst_free_block(sst_drv_ctx, block);
 out:
        test_and_clear_bit(pvt_id, &sst_drv_ctx->pvt_id);
-        return 0;
+        return ret;
 }
 /*
diff --git a/sound/soc/intel/boards/cht_bsw_max98090_ti.c b/sound/soc/intel/boards/cht_bsw_max98090_ti.c
index 4e2fcf188dd1..01a573a063d1 100644
--- a/sound/soc/intel/boards/cht_bsw_max98090_ti.c
+++ b/sound/soc/intel/boards/cht_bsw_max98090_ti.c
@@ -131,23 +131,19 @@ static int cht_codec_init(struct snd_soc_pcm_runtime *runtime)
        struct cht_mc_private *ctx = snd_soc_card_get_drvdata(runtime->card);
        struct snd_soc_jack *jack = &ctx->jack;
-        /**
+        if (ctx->ts3a227e_present) {
-        * TI supports 4 butons headset detection
+                /*
-        * KEY_MEDIA
+                 * The jack has already been created in the
-        * KEY_VOICECOMMAND
+                 * cht_max98090_headset_init() function.
-        * KEY_VOLUMEUP
+                 */
-        * KEY_VOLUMEDOWN
+                snd_soc_jack_notifier_register(jack, &cht_jack_nb);
-        */
+                return 0;
-        if (ctx->ts3a227e_present)
+        }
-                jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE |
-                                        SND_JACK_BTN_0 | SND_JACK_BTN_1 |
+        jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE;
-                                        SND_JACK_BTN_2 | SND_JACK_BTN_3;
-        else
-                jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE;
        ret = snd_soc_card_jack_new(runtime->card, "Headset Jack",
                                        jack_type, jack, NULL, 0);
        if (ret) {
                dev_err(runtime->dev, "Headset Jack creation failed %d\n", ret);
                return ret;
@@ -203,6 +199,27 @@ static int cht_max98090_headset_init(struct snd_soc_component *component)
 {
        struct snd_soc_card *card = component->card;
        struct cht_mc_private *ctx = snd_soc_card_get_drvdata(card);
+        struct snd_soc_jack *jack = &ctx->jack;
+        int jack_type;
+        int ret;
+        /*
+         * TI supports 4 butons headset detection
+         * KEY_MEDIA
+         * KEY_VOICECOMMAND
+         * KEY_VOLUMEUP
+         * KEY_VOLUMEDOWN
+         */
+        jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE |
+                    SND_JACK_BTN_0 | SND_JACK_BTN_1 |
+                    SND_JACK_BTN_2 | SND_JACK_BTN_3;
+        ret = snd_soc_card_jack_new(card, "Headset Jack", jack_type,
+                                    jack, NULL, 0);
+        if (ret) {
+                dev_err(card->dev, "Headset Jack creation failed %d\n", ret);
+                return ret;
+        }
        return ts3a227e_enable_jack_detect(component, &ctx->jack);
 }
diff --git a/sound/soc/intel/boards/cht_bsw_rt5645.c b/sound/soc/intel/boards/cht_bsw_rt5645.c
index 38d65a3529c4..44d560966e9c 100644
--- a/sound/soc/intel/boards/cht_bsw_rt5645.c
+++ b/sound/soc/intel/boards/cht_bsw_rt5645.c
@@ -96,6 +96,7 @@ static const struct snd_soc_dapm_widget cht_dapm_widgets[] = {
        SND_SOC_DAPM_HP("Headphone", NULL),
        SND_SOC_DAPM_MIC("Headset Mic", NULL),
        SND_SOC_DAPM_MIC("Int Mic", NULL),
+        SND_SOC_DAPM_MIC("Int Analog Mic", NULL),
        SND_SOC_DAPM_SPK("Ext Spk", NULL),
        SND_SOC_DAPM_SUPPLY("Platform Clock", SND_SOC_NOPM, 0, 0,
                        platform_clock_control, SND_SOC_DAPM_POST_PMD),
@@ -106,6 +107,8 @@ static const struct snd_soc_dapm_route cht_rt5645_audio_map[] = {
        {"IN1N", NULL, "Headset Mic"},
        {"DMIC L1", NULL, "Int Mic"},
        {"DMIC R1", NULL, "Int Mic"},
+        {"IN2P", NULL, "Int Analog Mic"},
+        {"IN2N", NULL, "Int Analog Mic"},
        {"Headphone", NULL, "HPOL"},
        {"Headphone", NULL, "HPOR"},
        {"Ext Spk", NULL, "SPOL"},
@@ -119,6 +122,9 @@ static const struct snd_soc_dapm_route cht_rt5645_audio_map[] = {
        {"Headphone", NULL, "Platform Clock"},
        {"Headset Mic", NULL, "Platform Clock"},
        {"Int Mic", NULL, "Platform Clock"},
+        {"Int Analog Mic", NULL, "Platform Clock"},
+        {"Int Analog Mic", NULL, "micbias1"},
+        {"Int Analog Mic", NULL, "micbias2"},
        {"Ext Spk", NULL, "Platform Clock"},
 };
@@ -147,6 +153,7 @@ static const struct snd_kcontrol_new cht_mc_controls[] = {
        SOC_DAPM_PIN_SWITCH("Headphone"),
        SOC_DAPM_PIN_SWITCH("Headset Mic"),
        SOC_DAPM_PIN_SWITCH("Int Mic"),
+        SOC_DAPM_PIN_SWITCH("Int Analog Mic"),
        SOC_DAPM_PIN_SWITCH("Ext Spk"),
 };
diff --git a/sound/soc/intel/common/sst-firmware.c b/sound/soc/intel/common/sst-firmware.c
index 1636a1eeb002..be1b69c63bdf 100644
--- a/sound/soc/intel/common/sst-firmware.c
+++ b/sound/soc/intel/common/sst-firmware.c
@@ -260,7 +260,6 @@ int sst_dma_new(struct sst_dsp *sst)
        struct sst_pdata *sst_pdata = sst->pdata;
        struct sst_dma *dma;
        struct resource mem;
-        const char *dma_dev_name;
        int ret = 0;
        if (sst->pdata->resindex_dma_base == -1)
@@ -271,7 +270,6 @@ int sst_dma_new(struct sst_dsp *sst)
        * is attached to the ADSP IP. */
        switch (sst->pdata->dma_engine) {
        case SST_DMA_TYPE_DW:
-                dma_dev_name = "dw_dmac";
                break;
        default:
                dev_err(sst->dev, "error: invalid DMA engine %d\n",
diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c
index b4844f78266f..f6c3be192cc9 100644
--- a/sound/soc/intel/skylake/skl.c
+++ b/sound/soc/intel/skylake/skl.c
@@ -280,7 +280,7 @@ static int probe_codec(struct hdac_ext_bus *ebus, int addr)
        struct hdac_bus *bus = ebus_to_hbus(ebus);
        unsigned int cmd = (addr << 28) | (AC_NODE_ROOT << 20) |
                (AC_VERB_PARAMETERS << 8) | AC_PAR_VENDOR_ID;
-        unsigned int res;
+        unsigned int res = -1;
        mutex_lock(&bus->cmd_mutex);
        snd_hdac_bus_send_cmd(bus, cmd);
diff --git a/sound/soc/mediatek/Kconfig b/sound/soc/mediatek/Kconfig
index 15c04e2eae34..976967675387 100644
--- a/sound/soc/mediatek/Kconfig
+++ b/sound/soc/mediatek/Kconfig
@@ -9,7 +9,7 @@ config SND_SOC_MEDIATEK
 config SND_SOC_MT8173_MAX98090
        tristate "ASoC Audio driver for MT8173 with MAX98090 codec"
-        depends on SND_SOC_MEDIATEK
+        depends on SND_SOC_MEDIATEK && I2C
        select SND_SOC_MAX98090
        help
          This adds ASoC driver for Mediatek MT8173 boards
@@ -19,7 +19,7 @@ config SND_SOC_MT8173_MAX98090
 config SND_SOC_MT8173_RT5650_RT5676
        tristate "ASoC Audio driver for MT8173 with RT5650 RT5676 codecs"
-        depends on SND_SOC_MEDIATEK
+        depends on SND_SOC_MEDIATEK && I2C
        select SND_SOC_RT5645
        select SND_SOC_RT5677
        help
diff --git a/sound/soc/nuc900/nuc900-ac97.c b/sound/soc/nuc900/nuc900-ac97.c
index b6615affe571..fde974d52bb2 100644
--- a/sound/soc/nuc900/nuc900-ac97.c
+++ b/sound/soc/nuc900/nuc900-ac97.c
@@ -67,7 +67,7 @@ static unsigned short nuc900_ac97_read(struct snd_ac97 *ac97,
        /* polling the AC_R_FINISH */
        while (!(AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_R_FINISH)
-                                                                && timeout--)
+                                                                && --timeout)
                mdelay(1);
        if (!timeout) {
@@ -121,7 +121,7 @@ static void nuc900_ac97_write(struct snd_ac97 *ac97, unsigned short reg,
        /* polling the AC_W_FINISH */
        while ((AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_W_FINISH)
-                                                                && timeout--)
+                                                                && --timeout)
                mdelay(1);
        if (!timeout)
diff --git a/sound/soc/pxa/brownstone.c b/sound/soc/pxa/brownstone.c
index 6147e86e9b0f..55ca9c9364b8 100644
--- a/sound/soc/pxa/brownstone.c
+++ b/sound/soc/pxa/brownstone.c
@@ -136,3 +136,4 @@ module_platform_driver(mmp_driver);
 MODULE_AUTHOR("Leo Yan <leoy@marvell.com>");
 MODULE_DESCRIPTION("ALSA SoC Brownstone");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:brownstone-audio");
diff --git a/sound/soc/pxa/mioa701_wm9713.c b/sound/soc/pxa/mioa701_wm9713.c
index 29bc60e85e92..6cd28f95d548 100644
--- a/sound/soc/pxa/mioa701_wm9713.c
+++ b/sound/soc/pxa/mioa701_wm9713.c
@@ -203,3 +203,4 @@ module_platform_driver(mioa701_wm9713_driver);
 MODULE_AUTHOR("Robert Jarzmik (rjarzmik@free.fr)");
 MODULE_DESCRIPTION("ALSA SoC WM9713 MIO A701");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:mioa701-wm9713");
diff --git a/sound/soc/pxa/mmp-pcm.c b/sound/soc/pxa/mmp-pcm.c
index 51e790d006f5..96df9b2d8fc4 100644
--- a/sound/soc/pxa/mmp-pcm.c
+++ b/sound/soc/pxa/mmp-pcm.c
@@ -248,3 +248,4 @@ module_platform_driver(mmp_pcm_driver);
 MODULE_AUTHOR("Leo Yan <leoy@marvell.com>");
 MODULE_DESCRIPTION("MMP Soc Audio DMA module");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:mmp-pcm-audio");
diff --git a/sound/soc/pxa/mmp-sspa.c b/sound/soc/pxa/mmp-sspa.c
index eca60c29791a..ca8b23f8c525 100644
--- a/sound/soc/pxa/mmp-sspa.c
+++ b/sound/soc/pxa/mmp-sspa.c
@@ -482,3 +482,4 @@ module_platform_driver(asoc_mmp_sspa_driver);
 MODULE_AUTHOR("Leo Yan <leoy@marvell.com>");
 MODULE_DESCRIPTION("MMP SSPA SoC Interface");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:mmp-sspa-dai");
diff --git a/sound/soc/pxa/palm27x.c b/sound/soc/pxa/palm27x.c
index 4e74d9573f03..bcc81e920a67 100644
--- a/sound/soc/pxa/palm27x.c
+++ b/sound/soc/pxa/palm27x.c
@@ -161,3 +161,4 @@ module_platform_driver(palm27x_wm9712_driver);
 MODULE_AUTHOR("Marek Vasut <marek.vasut@gmail.com>");
 MODULE_DESCRIPTION("ALSA SoC Palm T|X, T5 and LifeDrive");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:palm27x-asoc");
diff --git a/sound/soc/pxa/pxa-ssp.c b/sound/soc/pxa/pxa-ssp.c
index da03fad1b9cd..3cad990dad2c 100644
--- a/sound/soc/pxa/pxa-ssp.c
+++ b/sound/soc/pxa/pxa-ssp.c
@@ -833,3 +833,4 @@ module_platform_driver(asoc_ssp_driver);
 MODULE_AUTHOR("Mark Brown <broonie@opensource.wolfsonmicro.com>");
 MODULE_DESCRIPTION("PXA SSP/PCM SoC Interface");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:pxa-ssp-dai");
diff --git a/sound/soc/pxa/pxa2xx-ac97.c b/sound/soc/pxa/pxa2xx-ac97.c
index f3de615aacd7..9615e6de1306 100644
--- a/sound/soc/pxa/pxa2xx-ac97.c
+++ b/sound/soc/pxa/pxa2xx-ac97.c
@@ -287,3 +287,4 @@ module_platform_driver(pxa2xx_ac97_driver);
 MODULE_AUTHOR("Nicolas Pitre");
 MODULE_DESCRIPTION("AC97 driver for the Intel PXA2xx chip");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:pxa2xx-ac97");
diff --git a/sound/soc/pxa/pxa2xx-pcm.c b/sound/soc/pxa/pxa2xx-pcm.c
index 9f390398d518..410d48b93031 100644
--- a/sound/soc/pxa/pxa2xx-pcm.c
+++ b/sound/soc/pxa/pxa2xx-pcm.c
@@ -117,3 +117,4 @@ module_platform_driver(pxa_pcm_driver);
 MODULE_AUTHOR("Nicolas Pitre");
 MODULE_DESCRIPTION("Intel PXA2xx PCM DMA module");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:pxa-pcm-audio");
diff --git a/sound/soc/rockchip/rockchip_spdif.c b/sound/soc/rockchip/rockchip_spdif.c
index 5a806da89f42..5e2eb4cc5cf1 100644
--- a/sound/soc/rockchip/rockchip_spdif.c
+++ b/sound/soc/rockchip/rockchip_spdif.c
@@ -54,7 +54,7 @@ static const struct of_device_id rk_spdif_match[] = {
 };
 MODULE_DEVICE_TABLE(of, rk_spdif_match);
-static int rk_spdif_runtime_suspend(struct device *dev)
+static int __maybe_unused rk_spdif_runtime_suspend(struct device *dev)
 {
        struct rk_spdif_dev *spdif = dev_get_drvdata(dev);
@@ -64,7 +64,7 @@ static int rk_spdif_runtime_suspend(struct device *dev)
        return 0;
 }
-static int rk_spdif_runtime_resume(struct device *dev)
+static int __maybe_unused rk_spdif_runtime_resume(struct device *dev)
 {
        struct rk_spdif_dev *spdif = dev_get_drvdata(dev);
        int ret;
@@ -316,26 +316,30 @@ static int rk_spdif_probe(struct platform_device *pdev)
        spdif->mclk = devm_clk_get(&pdev->dev, "mclk");
        if (IS_ERR(spdif->mclk)) {
                dev_err(&pdev->dev, "Can't retrieve rk_spdif master clock\n");
-                return PTR_ERR(spdif->mclk);
+                ret = PTR_ERR(spdif->mclk);
+                goto err_disable_hclk;
        }
        ret = clk_prepare_enable(spdif->mclk);
        if (ret) {
                dev_err(spdif->dev, "clock enable failed %d\n", ret);
-                return ret;
+                goto err_disable_clocks;
        }
        res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
        regs = devm_ioremap_resource(&pdev->dev, res);
-        if (IS_ERR(regs))
+        if (IS_ERR(regs)) {
-                return PTR_ERR(regs);
+                ret = PTR_ERR(regs);
+                goto err_disable_clocks;
+        }
        spdif->regmap = devm_regmap_init_mmio_clk(&pdev->dev, "hclk", regs,
                                                  &rk_spdif_regmap_config);
        if (IS_ERR(spdif->regmap)) {
                dev_err(&pdev->dev,
                        "Failed to initialise managed register map\n");
-                return PTR_ERR(spdif->regmap);
+                ret = PTR_ERR(spdif->regmap);
+                goto err_disable_clocks;
        }
        spdif->playback_dma_data.addr = res->start + SPDIF_SMPDR;
@@ -367,6 +371,10 @@ static int rk_spdif_probe(struct platform_device *pdev)
 err_pm_runtime:
        pm_runtime_disable(&pdev->dev);
+err_disable_clocks:
+        clk_disable_unprepare(spdif->mclk);
+err_disable_hclk:
+        clk_disable_unprepare(spdif->hclk);
        return ret;
 }
diff --git a/sound/soc/samsung/i2s.c b/sound/soc/samsung/i2s.c
index fd6e247d9fd8..91bad6731c9d 100644
--- a/sound/soc/samsung/i2s.c
+++ b/sound/soc/samsung/i2s.c
@@ -640,8 +640,12 @@ static int i2s_set_fmt(struct snd_soc_dai *dai,
                tmp |= mod_slave;
                break;
        case SND_SOC_DAIFMT_CBS_CFS:
-                /* Set default source clock in Master mode */
+                /*
-                if (i2s->rclk_srcrate == 0)
+                 * Set default source clock in Master mode, only when the
+                 * CLK_I2S_RCLK_SRC clock is not exposed so we ensure any
+                 * clock configuration assigned in DT is not overwritten.
+                 */
+                if (i2s->rclk_srcrate == 0 && i2s->clk_data.clks == NULL)
                        i2s_set_sysclk(dai, SAMSUNG_I2S_RCLKSRC_0,
                                                        0, SND_SOC_CLOCK_IN);
                break;
@@ -856,6 +860,11 @@ static int config_setup(struct i2s_dai *i2s)
                return 0;
        if (!(i2s->quirks & QUIRK_NO_MUXPSR)) {
+                struct clk *rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC];
+                if (i2s->rclk_srcrate == 0 && rclksrc && !IS_ERR(rclksrc))
+                        i2s->rclk_srcrate = clk_get_rate(rclksrc);
                psr = i2s->rclk_srcrate / i2s->frmclk / rfs;
                writel(((psr - 1) << 8) | PSR_PSREN, i2s->addr + I2SPSR);
                dev_dbg(&i2s->pdev->dev,
diff --git a/sound/soc/sh/rcar/rsnd.h b/sound/soc/sh/rcar/rsnd.h
index 085329878525..5976e3992dd1 100644
--- a/sound/soc/sh/rcar/rsnd.h
+++ b/sound/soc/sh/rcar/rsnd.h
@@ -235,6 +235,7 @@ enum rsnd_mod_type {
        RSND_MOD_MIX,
        RSND_MOD_CTU,
        RSND_MOD_SRC,
+        RSND_MOD_SSIP, /* SSI parent */
        RSND_MOD_SSI,
        RSND_MOD_MAX,
 };
@@ -365,6 +366,7 @@ struct rsnd_dai_stream {
 };
 #define rsnd_io_to_mod(io, i)   ((i) < RSND_MOD_MAX ? (io)->mod[(i)] : NULL)
 #define rsnd_io_to_mod_ssi(io)  rsnd_io_to_mod((io), RSND_MOD_SSI)
+#define rsnd_io_to_mod_ssip(io) rsnd_io_to_mod((io), RSND_MOD_SSIP)
 #define rsnd_io_to_mod_src(io)  rsnd_io_to_mod((io), RSND_MOD_SRC)
 #define rsnd_io_to_mod_ctu(io)  rsnd_io_to_mod((io), RSND_MOD_CTU)
 #define rsnd_io_to_mod_mix(io)  rsnd_io_to_mod((io), RSND_MOD_MIX)
diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
index c62a2947ac14..df79d7c846ea 100644
--- a/sound/soc/sh/rcar/ssi.c
+++ b/sound/soc/sh/rcar/ssi.c
@@ -143,6 +143,15 @@ static int rsnd_ssi_master_clk_start(struct rsnd_ssi *ssi,
        for (j = 0; j < ARRAY_SIZE(ssi_clk_mul_table); j++) {
                /*
+                 * It will set SSIWSR.CONT here, but SSICR.CKDV = 000
+                 * with it is not allowed. (SSIWSR.WS_MODE with
+                 * SSICR.CKDV = 000 is not allowed either).
+                 * Skip it. See SSICR.CKDV
+                 */
+                if (j == 0)
+                        continue;
+                /*
                 * this driver is assuming that
                 * system word is 64fs (= 2 x 32bit)
                 * see rsnd_ssi_init()
@@ -444,6 +453,13 @@ static void __rsnd_ssi_interrupt(struct rsnd_mod *mod,
                struct snd_pcm_runtime *runtime = rsnd_io_to_runtime(io);
                u32 *buf = (u32 *)(runtime->dma_area +
                                   rsnd_dai_pointer_offset(io, 0));
+                int shift = 0;
+                switch (runtime->sample_bits) {
+                case 32:
+                        shift = 8;
+                        break;
+                }
                /*
                 * 8/16/32 data can be assesse to TDR/RDR register
@@ -451,9 +467,9 @@ static void __rsnd_ssi_interrupt(struct rsnd_mod *mod,
                 * see rsnd_ssi_init()
                 */
                if (rsnd_io_is_play(io))
-                        rsnd_mod_write(mod, SSITDR, *buf);
+                        rsnd_mod_write(mod, SSITDR, (*buf) << shift);
                else
-                        *buf = rsnd_mod_read(mod, SSIRDR);
+                        *buf = (rsnd_mod_read(mod, SSIRDR) >> shift);
                elapsed = rsnd_dai_pointer_update(io, sizeof(*buf));
        }
@@ -550,11 +566,16 @@ static int rsnd_ssi_dma_remove(struct rsnd_mod *mod,
                               struct rsnd_priv *priv)
 {
        struct rsnd_ssi *ssi = rsnd_mod_to_ssi(mod);
+        struct rsnd_mod *pure_ssi_mod = rsnd_io_to_mod_ssi(io);
        struct device *dev = rsnd_priv_to_dev(priv);
        int irq = ssi->info->irq;
        rsnd_dma_quit(io, rsnd_mod_to_dma(mod));
+        /* Do nothing if non SSI (= SSI parent, multi SSI) mod */
+        if (pure_ssi_mod != mod)
+                return 0;
        /* PIO will request IRQ again */
        devm_free_irq(dev, irq, mod);
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 6a438a361592..9e784cc3e5d2 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -425,6 +425,8 @@ err_data:
 static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
 {
        struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
+        list_del(&data->paths);
        kfree(data->wlist);
        kfree(data);
 }
diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
index 977066ba1769..43b80db952d1 100644
--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -1682,8 +1682,10 @@ int dpcm_be_dai_shutdown(struct snd_soc_pcm_runtime *fe, int stream)
                        continue;
                if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_HW_FREE) &&
-                    (be->dpcm[stream].state != SND_SOC_DPCM_STATE_OPEN))
+                    (be->dpcm[stream].state != SND_SOC_DPCM_STATE_OPEN)) {
-                        continue;
+                        soc_pcm_hw_free(be_substream);
+                        be->dpcm[stream].state = SND_SOC_DPCM_STATE_HW_FREE;
+                }
                dev_dbg(be->dev, "ASoC: close BE %s\n",
                        dpcm->fe->dai_link->name);
diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index e3f34a86413c..c1e76feb3529 100644
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -1188,6 +1188,9 @@ static struct snd_kcontrol_new *soc_tplg_dapm_widget_dmixer_create(
                        kfree(sm);
                        continue;
                }
+                /* create any TLV data */
+                soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr);
        }
        return kc;
diff --git a/sound/soc/ux500/mop500.c b/sound/soc/ux500/mop500.c
index ba9fc099cf67..503aef8fcde2 100644
--- a/sound/soc/ux500/mop500.c
+++ b/sound/soc/ux500/mop500.c
@@ -164,3 +164,7 @@ static struct platform_driver snd_soc_mop500_driver = {
 };
 module_platform_driver(snd_soc_mop500_driver);
+MODULE_LICENSE("GPL v2");
+MODULE_DESCRIPTION("ASoC MOP500 board driver");
+MODULE_AUTHOR("Ola Lilja");
diff --git a/sound/soc/ux500/ux500_pcm.c b/sound/soc/ux500/ux500_pcm.c
index f12c01dddc8d..d35ba7700f46 100644
--- a/sound/soc/ux500/ux500_pcm.c
+++ b/sound/soc/ux500/ux500_pcm.c
@@ -165,3 +165,8 @@ int ux500_pcm_unregister_platform(struct platform_device *pdev)
        return 0;
 }
 EXPORT_SYMBOL_GPL(ux500_pcm_unregister_platform);
+MODULE_AUTHOR("Ola Lilja");
+MODULE_AUTHOR("Roger Nilsson");
+MODULE_DESCRIPTION("ASoC UX500 driver");
+MODULE_LICENSE("GPL v2");
diff --git a/sound/usb/line6/midi.c b/sound/usb/line6/midi.c
index cebea9b7f769..6a9be1df7851 100644
--- a/sound/usb/line6/midi.c
+++ b/sound/usb/line6/midi.c
@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_line6 *line6, unsigned char *data,
        }
        usb_fill_int_urb(urb, line6->usbdev,
-                         usb_sndbulkpipe(line6->usbdev,
+                         usb_sndintpipe(line6->usbdev,
                                         line6->properties->ep_ctrl_w),
                         transfer_buffer, length, midi_sent, line6,
                         line6->interval);
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index c9ae29068c7c..97d6a18e6956 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -343,17 +343,20 @@ static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request,
                            int validx, int *value_ret)
 {
        struct snd_usb_audio *chip = cval->head.mixer->chip;
-        unsigned char buf[4 + 3 * sizeof(__u32)]; /* enough space for one range */
+        /* enough space for one range */
+        unsigned char buf[sizeof(__u16) + 3 * sizeof(__u32)];
        unsigned char *val;
-        int idx = 0, ret, size;
+        int idx = 0, ret, val_size, size;
        __u8 bRequest;
+        val_size = uac2_ctl_value_size(cval->val_type);
        if (request == UAC_GET_CUR) {
                bRequest = UAC2_CS_CUR;
-                size = uac2_ctl_value_size(cval->val_type);
+                size = val_size;
        } else {
                bRequest = UAC2_CS_RANGE;
-                size = sizeof(buf);
+                size = sizeof(__u16) + 3 * val_size;
        }
        memset(buf, 0, sizeof(buf));
@@ -386,16 +389,17 @@ error:
                val = buf + sizeof(__u16);
                break;
        case UAC_GET_MAX:
-                val = buf + sizeof(__u16) * 2;
+                val = buf + sizeof(__u16) + val_size;
                break;
        case UAC_GET_RES:
-                val = buf + sizeof(__u16) * 3;
+                val = buf + sizeof(__u16) + val_size * 2;
                break;
        default:
                return -EINVAL;
        }
-        *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(val, sizeof(__u16)));
+        *value_ret = convert_signed_value(cval,
+                                          snd_usb_combine_bytes(val, val_size));
        return 0;
 }
@@ -900,6 +904,14 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval,
                }
                break;
+        case USB_ID(0x0d8c, 0x0103):
+                if (!strcmp(kctl->id.name, "PCM Playback Volume")) {
+                        usb_audio_info(chip,
+                                 "set volume quirk for CM102-A+/102S+\n");
+                        cval->min = -256;
+                }
+                break;
        case USB_ID(0x0471, 0x0101):
        case USB_ID(0x0471, 0x0104):
        case USB_ID(0x0471, 0x0105):
diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c
index 1f8fb0d904e0..f5cf23ffb35b 100644
--- a/sound/usb/mixer_maps.c
+++ b/sound/usb/mixer_maps.c
@@ -351,8 +351,11 @@ static struct usbmix_name_map bose_companion5_map[] = {
 /*
 * Dell usb dock with ALC4020 codec had a firmware problem where it got
 * screwed up when zero volume is passed; just skip it as a workaround
+ *
+ * Also the extension unit gives an access error, so skip it as well.
 */
 static const struct usbmix_name_map dell_alc4020_map[] = {
+        { 4, NULL },    /* extension unit */
        { 16, NULL },
        { 19, NULL },
        { 0 }
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
index 48afae053c56..a9079654107c 100644
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -348,6 +348,15 @@ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
                alts = &iface->altsetting[1];
                goto add_sync_ep;
+        case USB_ID(0x1397, 0x0002):
+                ep = 0x81;
+                iface = usb_ifnum_to_if(dev, 1);
+                if (!iface || iface->num_altsetting == 0)
+                        return -EINVAL;
+                alts = &iface->altsetting[1];
+                goto add_sync_ep;
        }
        if (attr == USB_ENDPOINT_SYNC_ASYNC &&
            altsd->bInterfaceClass == USB_CLASS_VENDOR_SPEC &&
@@ -1291,7 +1300,7 @@ static void retire_capture_urb(struct snd_usb_substream *subs,
                if (bytes % (runtime->sample_bits >> 3) != 0) {
                        int oldbytes = bytes;
                        bytes = frames * stride;
-                        dev_warn(&subs->dev->dev,
+                        dev_warn_ratelimited(&subs->dev->dev,
                                 "Corrected urb data len. %d->%d\n",
                                                        oldbytes, bytes);
                }
diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
index 8a59d4782a0f..69bf5cf1e91e 100644
--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -3277,4 +3277,51 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"),
        }
 },
+{
+        /*
+         * Bower's & Wilkins PX headphones only support the 48 kHz sample rate
+         * even though it advertises more. The capture interface doesn't work
+         * even on windows.
+         */
+        USB_DEVICE(0x19b5, 0x0021),
+        .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+                .ifnum = QUIRK_ANY_INTERFACE,
+                .type = QUIRK_COMPOSITE,
+                .data = (const struct snd_usb_audio_quirk[]) {
+                        {
+                                .ifnum = 0,
+                                .type = QUIRK_AUDIO_STANDARD_MIXER,
+                        },
+                        /* Capture */
+                        {
+                                .ifnum = 1,
+                                .type = QUIRK_IGNORE_INTERFACE,
+                        },
+                        /* Playback */
+                        {
+                                .ifnum = 2,
+                                .type = QUIRK_AUDIO_FIXED_ENDPOINT,
+                                .data = &(const struct audioformat) {
+                                        .formats = SNDRV_PCM_FMTBIT_S16_LE,
+                                        .channels = 2,
+                                        .iface = 2,
+                                        .altsetting = 1,
+                                        .altset_idx = 1,
+                                        .attributes = UAC_EP_CS_ATTR_FILL_MAX |
+                                                UAC_EP_CS_ATTR_SAMPLE_RATE,
+                                        .endpoint = 0x03,
+                                        .ep_attr = USB_ENDPOINT_XFER_ISOC,
+                                        .rates = SNDRV_PCM_RATE_48000,
+                                        .rate_min = 48000,
+                                        .rate_max = 48000,
+                                        .nr_rates = 1,
+                                        .rate_table = (unsigned int[]) {
+                                                48000
+                                        }
+                                }
+                        },
+                }
+        }
+},
 #undef USB_DEVICE_VENDOR_SPEC
diff --git a/tools/arch/x86/include/asm/unistd_32.h b/tools/arch/x86/include/asm/unistd_32.h
new file mode 100644
index 000000000000..cf33ab09273d
--- /dev/null
+++ b/tools/arch/x86/include/asm/unistd_32.h
@@ -0,0 +1,9 @@
+#ifndef __NR_perf_event_open
+# define __NR_perf_event_open 336
+#endif
+#ifndef __NR_futex
+# define __NR_futex 240
+#endif
+#ifndef __NR_gettid
+# define __NR_gettid 224
+#endif
diff --git a/tools/arch/x86/include/asm/unistd_64.h b/tools/arch/x86/include/asm/unistd_64.h
new file mode 100644
index 000000000000..2c9835695b56
--- /dev/null
+++ b/tools/arch/x86/include/asm/unistd_64.h
@@ -0,0 +1,9 @@
+#ifndef __NR_perf_event_open
+# define __NR_perf_event_open 298
+#endif
+#ifndef __NR_futex
+# define __NR_futex 202
+#endif
+#ifndef __NR_gettid
+# define __NR_gettid 186
+#endif
diff --git a/tools/build/Build.include b/tools/build/Build.include
index 4d000bc959b4..0340d8a51dab 100644
--- a/tools/build/Build.include
+++ b/tools/build/Build.include
@@ -12,6 +12,7 @@
 # Convenient variables
 comma   := ,
 squote  := '
+pound   := \#
 ###
 # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o
@@ -43,11 +44,11 @@ echo-cmd = $(if $($(quiet)cmd_$(1)),\
 ###
 # Replace >$< with >$$< to preserve $ when reloading the .cmd file
 # (needed for make)
-# Replace >#< with >\#< to avoid starting a comment in the .cmd file
+# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file
 # (needed for make)
 # Replace >'< with >'\''< to be able to enclose the whole string in '...'
 # (needed for the shell)
-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1)))))
+make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1)))))
 ###
 # Find any prerequisites that is newer than target or that does not exist.
@@ -62,8 +63,8 @@ dep-cmd = $(if $(wildcard $(fixdep)),
           $(fixdep) $(depfile) $@ '$(make-cmd)' > $(dot-target).tmp;           \
           rm -f $(depfile);                                                    \
           mv -f $(dot-target).tmp $(dot-target).cmd,                           \
-           printf '\# cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \
+           printf '$(pound) cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \
-           printf '\# using basic dep data\n\n' >> $(dot-target).cmd;           \
+           printf '$(pound) using basic dep data\n\n' >> $(dot-target).cmd;           \
           cat $(depfile) >> $(dot-target).cmd;                                 \
           printf '%s\n' 'cmd_$@ := $(make-cmd)' >> $(dot-target).cmd)
diff --git a/tools/build/Makefile.build b/tools/build/Makefile.build
index 4a96473b180f..4ffc096eaf5d 100644
--- a/tools/build/Makefile.build
+++ b/tools/build/Makefile.build
@@ -19,6 +19,16 @@ else
  Q=@
 endif
+ifneq ($(filter 4.%,$(MAKE_VERSION)),)  # make-4
+ifneq ($(filter %s ,$(firstword x$(MAKEFLAGS))),)
+  quiet=silent_
+endif
+else                                    # make-3.8x
+ifneq ($(filter s% -s%,$(MAKEFLAGS)),)
+  quiet=silent_
+endif
+endif
 build-dir := $(srctree)/tools/build
 # Define $(fixdep) for dep-cmd function
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index e176bad19bcb..ca080a129b33 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -487,6 +487,24 @@ bpf_object__init_maps(struct bpf_object *obj, void *data,
        return 0;
 }
+static bool section_have_execinstr(struct bpf_object *obj, int idx)
+{
+        Elf_Scn *scn;
+        GElf_Shdr sh;
+        scn = elf_getscn(obj->efile.elf, idx);
+        if (!scn)
+                return false;
+        if (gelf_getshdr(scn, &sh) != &sh)
+                return false;
+        if (sh.sh_flags & SHF_EXECINSTR)
+                return true;
+        return false;
+}
 static int bpf_object__elf_collect(struct bpf_object *obj)
 {
        Elf *elf = obj->efile.elf;
@@ -567,6 +585,14 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
                } else if (sh.sh_type == SHT_REL) {
                        void *reloc = obj->efile.reloc;
                        int nr_reloc = obj->efile.nr_reloc + 1;
+                        int sec = sh.sh_info; /* points to other section */
+                        /* Only do relo for section with exec instructions */
+                        if (!section_have_execinstr(obj, sec)) {
+                                pr_debug("skip relo %s(%d) for section(%d)\n",
+                                         name, idx, sec);
+                                continue;
+                        }
                        reloc = realloc(reloc,
                                        sizeof(*obj->efile.reloc) * nr_reloc);
diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
index 68276f35e323..6e4a10fe9dd0 100644
--- a/tools/lib/traceevent/event-parse.c
+++ b/tools/lib/traceevent/event-parse.c
@@ -4905,21 +4905,22 @@ static void pretty_print(struct trace_seq *s, void *data, int size, struct event
                                else
                                        ls = 2;
-                                if (*(ptr+1) == 'F' || *(ptr+1) == 'f' ||
+                                if (isalnum(ptr[1]))
-                                    *(ptr+1) == 'S' || *(ptr+1) == 's') {
                                        ptr++;
+                                if (*ptr == 'F' || *ptr == 'f' ||
+                                    *ptr == 'S' || *ptr == 's') {
                                        show_func = *ptr;
-                                } else if (*(ptr+1) == 'M' || *(ptr+1) == 'm') {
+                                } else if (*ptr == 'M' || *ptr == 'm') {
-                                        print_mac_arg(s, *(ptr+1), data, size, event, arg);
+                                        print_mac_arg(s, *ptr, data, size, event, arg);
-                                        ptr++;
                                        arg = arg->next;
                                        break;
-                                } else if (*(ptr+1) == 'I' || *(ptr+1) == 'i') {
+                                } else if (*ptr == 'I' || *ptr == 'i') {
                                        int n;
-                                        n = print_ip_arg(s, ptr+1, data, size, event, arg);
+                                        n = print_ip_arg(s, ptr, data, size, event, arg);
                                        if (n > 0) {
-                                                ptr += n;
+                                                ptr += n - 1;
                                                arg = arg->next;
                                                break;
                                        }
diff --git a/tools/lib/traceevent/parse-filter.c b/tools/lib/traceevent/parse-filter.c
index 88cccea3ca99..64309d73921b 100644
--- a/tools/lib/traceevent/parse-filter.c
+++ b/tools/lib/traceevent/parse-filter.c
@@ -1867,17 +1867,25 @@ static const char *get_field_str(struct filter_arg *arg, struct pevent_record *r
        struct pevent *pevent;
        unsigned long long addr;
        const char *val = NULL;
+        unsigned int size;
        char hex[64];
        /* If the field is not a string convert it */
        if (arg->str.field->flags & FIELD_IS_STRING) {
                val = record->data + arg->str.field->offset;
+                size = arg->str.field->size;
+                if (arg->str.field->flags & FIELD_IS_DYNAMIC) {
+                        addr = *(unsigned int *)val;
+                        val = record->data + (addr & 0xffff);
+                        size = addr >> 16;
+                }
                /*
                 * We need to copy the data since we can't be sure the field
                 * is null terminated.
                 */
-                if (*(val + arg->str.field->size - 1)) {
+                if (*(val + size - 1)) {
                        /* copy it */
                        memcpy(arg->str.buffer, val, arg->str.field->size);
                        /* the buffer is already NULL terminated */
diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
index b4eb5b679081..73d192f57dc3 100644
--- a/tools/perf/bench/numa.c
+++ b/tools/perf/bench/numa.c
@@ -208,6 +208,47 @@ static const char * const numa_usage[] = {
        NULL
 };
+/*
+ * To get number of numa nodes present.
+ */
+static int nr_numa_nodes(void)
+{
+        int i, nr_nodes = 0;
+        for (i = 0; i < g->p.nr_nodes; i++) {
+                if (numa_bitmask_isbitset(numa_nodes_ptr, i))
+                        nr_nodes++;
+        }
+        return nr_nodes;
+}
+/*
+ * To check if given numa node is present.
+ */
+static int is_node_present(int node)
+{
+        return numa_bitmask_isbitset(numa_nodes_ptr, node);
+}
+/*
+ * To check given numa node has cpus.
+ */
+static bool node_has_cpus(int node)
+{
+        struct bitmask *cpu = numa_allocate_cpumask();
+        unsigned int i;
+        if (cpu && !numa_node_to_cpus(node, cpu)) {
+                for (i = 0; i < cpu->size; i++) {
+                        if (numa_bitmask_isbitset(cpu, i))
+                                return true;
+                }
+        }
+        return false; /* lets fall back to nocpus safely */
+}
 static cpu_set_t bind_to_cpu(int target_cpu)
 {
        cpu_set_t orig_mask, mask;
@@ -236,12 +277,12 @@ static cpu_set_t bind_to_cpu(int target_cpu)
 static cpu_set_t bind_to_node(int target_node)
 {
-        int cpus_per_node = g->p.nr_cpus/g->p.nr_nodes;
+        int cpus_per_node = g->p.nr_cpus / nr_numa_nodes();
        cpu_set_t orig_mask, mask;
        int cpu;
        int ret;
-        BUG_ON(cpus_per_node*g->p.nr_nodes != g->p.nr_cpus);
+        BUG_ON(cpus_per_node * nr_numa_nodes() != g->p.nr_cpus);
        BUG_ON(!cpus_per_node);
        ret = sched_getaffinity(0, sizeof(orig_mask), &orig_mask);
@@ -641,7 +682,7 @@ static int parse_setup_node_list(void)
                        int i;
                        for (i = 0; i < mul; i++) {
-                                if (t >= g->p.nr_tasks) {
+                                if (t >= g->p.nr_tasks || !node_has_cpus(bind_node)) {
                                        printf("\n# NOTE: ignoring bind NODEs starting at NODE#%d\n", bind_node);
                                        goto out;
                                }
@@ -956,6 +997,8 @@ static void calc_convergence(double runtime_ns_max, double *convergence)
        sum = 0;
        for (node = 0; node < g->p.nr_nodes; node++) {
+                if (!is_node_present(node))
+                        continue;
                nr = nodes[node];
                nr_min = min(nr, nr_min);
                nr_max = max(nr, nr_max);
@@ -976,8 +1019,11 @@ static void calc_convergence(double runtime_ns_max, double *convergence)
        process_groups = 0;
        for (node = 0; node < g->p.nr_nodes; node++) {
-                int processes = count_node_processes(node);
+                int processes;
+                if (!is_node_present(node))
+                        continue;
+                processes = count_node_processes(node);
                nr = nodes[node];
                tprintf(" %2d/%-2d", nr, processes);
@@ -1283,7 +1329,7 @@ static void print_summary(void)
        printf("\n ###\n");
        printf(" # %d %s will execute (on %d nodes, %d CPUs):\n",
-                g->p.nr_tasks, g->p.nr_tasks == 1 ? "task" : "tasks", g->p.nr_nodes, g->p.nr_cpus);
+                g->p.nr_tasks, g->p.nr_tasks == 1 ? "task" : "tasks", nr_numa_nodes(), g->p.nr_cpus);
        printf(" #      %5dx %5ldMB global  shared mem operations\n",
                        g->p.nr_loops, g->p.bytes_global/1024/1024);
        printf(" #      %5dx %5ldMB process shared mem operations\n",
diff --git a/tools/perf/builtin-probe.c b/tools/perf/builtin-probe.c
index 132afc97676c..9d4ac90ca87e 100644
--- a/tools/perf/builtin-probe.c
+++ b/tools/perf/builtin-probe.c
@@ -405,9 +405,9 @@ static int perf_del_probe_events(struct strfilter *filter)
        }
        if (ret == -ENOENT && ret2 == -ENOENT)
-                pr_debug("\"%s\" does not hit any event.\n", str);
+                pr_warning("\"%s\" does not hit any event.\n", str);
-                /* Note that this is silently ignored */
+        else
-        ret = 0;
+                ret = 0;
 error:
        if (kfd >= 0)
diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
index 4a8a02c302d2..47719bde34c6 100644
--- a/tools/perf/builtin-top.c
+++ b/tools/perf/builtin-top.c
@@ -70,6 +70,7 @@
 #include <linux/types.h>
 static volatile int done;
+static volatile int resize;
 #define HEADER_LINE_NR  5
@@ -79,10 +80,13 @@ static void perf_top__update_print_entries(struct perf_top *top)
 }
 static void perf_top__sig_winch(int sig __maybe_unused,
-                                siginfo_t *info __maybe_unused, void *arg)
+                                siginfo_t *info __maybe_unused, void *arg __maybe_unused)
 {
-        struct perf_top *top = arg;
+        resize = 1;
+}
+static void perf_top__resize(struct perf_top *top)
+{
        get_term_dimensions(&top->winsize);
        perf_top__update_print_entries(top);
 }
@@ -466,7 +470,7 @@ static bool perf_top__handle_keypress(struct perf_top *top, int c)
                                        .sa_sigaction = perf_top__sig_winch,
                                        .sa_flags     = SA_SIGINFO,
                                };
-                                perf_top__sig_winch(SIGWINCH, NULL, top);
+                                perf_top__resize(top);
                                sigaction(SIGWINCH, &act, NULL);
                        } else {
                                signal(SIGWINCH, SIG_DFL);
@@ -1023,6 +1027,11 @@ static int __cmd_top(struct perf_top *top)
                if (hits == top->samples)
                        ret = perf_evlist__poll(top->evlist, 100);
+                if (resize) {
+                        perf_top__resize(top);
+                        resize = 0;
+                }
        }
        ret = 0;
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index ebe7115c751a..da8afc121118 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1152,6 +1152,10 @@ static struct syscall_fmt {
        { .name     = "mlockall",   .errmsg = true,
          .arg_scnprintf = { [0] = SCA_HEX, /* addr */ }, },
        { .name     = "mmap",       .hexret = true,
+/* The standard mmap maps to old_mmap on s390x */
+#if defined(__s390x__)
+        .alias = "old_mmap",
+#endif
          .arg_scnprintf = { [0] = SCA_HEX,       /* addr */
                             [2] = SCA_MMAP_PROT, /* prot */
                             [3] = SCA_MMAP_FLAGS, /* flags */
diff --git a/tools/perf/config/Makefile b/tools/perf/config/Makefile
index 405c1c1e2975..9a4988cf7b38 100644
--- a/tools/perf/config/Makefile
+++ b/tools/perf/config/Makefile
@@ -200,6 +200,7 @@ CFLAGS += -I$(src-perf)/arch/$(ARCH)/include
 CFLAGS += -I$(srctree)/tools/include/
 CFLAGS += -I$(srctree)/arch/$(ARCH)/include/uapi
 CFLAGS += -I$(srctree)/arch/$(ARCH)/include
+CFLAGS += -I$(srctree)/tools/arch/$(ARCH)/include
 CFLAGS += -I$(srctree)/include/uapi
 CFLAGS += -I$(srctree)/include
diff --git a/tools/perf/perf-sys.h b/tools/perf/perf-sys.h
index 83a25cef82fd..5cee8a3d0455 100644
--- a/tools/perf/perf-sys.h
+++ b/tools/perf/perf-sys.h
@@ -11,29 +11,11 @@
 #if defined(__i386__)
 #define cpu_relax()     asm volatile("rep; nop" ::: "memory");
 #define CPUINFO_PROC    {"model name"}
-#ifndef __NR_perf_event_open
-# define __NR_perf_event_open 336
-#endif
-#ifndef __NR_futex
-# define __NR_futex 240
-#endif
-#ifndef __NR_gettid
-# define __NR_gettid 224
-#endif
 #endif
 #if defined(__x86_64__)
 #define cpu_relax()     asm volatile("rep; nop" ::: "memory");
 #define CPUINFO_PROC    {"model name"}
-#ifndef __NR_perf_event_open
-# define __NR_perf_event_open 298
-#endif
-#ifndef __NR_futex
-# define __NR_futex 202
-#endif
-#ifndef __NR_gettid
-# define __NR_gettid 186
-#endif
 #endif
 #ifdef __powerpc__
diff --git a/tools/perf/tests/kmod-path.c b/tools/perf/tests/kmod-path.c
index 08c433b4bf4f..25e80c02230b 100644
--- a/tools/perf/tests/kmod-path.c
+++ b/tools/perf/tests/kmod-path.c
@@ -60,6 +60,7 @@ int test__kmod_path__parse(void)
        M("/xxxx/xxxx/x-x.ko", PERF_RECORD_MISC_KERNEL, true);
        M("/xxxx/xxxx/x-x.ko", PERF_RECORD_MISC_USER, false);
+#ifdef HAVE_ZLIB_SUPPORT
        /* path                alloc_name  alloc_ext   kmod  comp  name   ext */
        T("/xxxx/xxxx/x.ko.gz", true     , true      , true, true, "[x]", "gz");
        T("/xxxx/xxxx/x.ko.gz", false    , true      , true, true, NULL , "gz");
@@ -95,6 +96,7 @@ int test__kmod_path__parse(void)
        M("x.ko.gz", PERF_RECORD_MISC_CPUMODE_UNKNOWN, true);
        M("x.ko.gz", PERF_RECORD_MISC_KERNEL, true);
        M("x.ko.gz", PERF_RECORD_MISC_USER, false);
+#endif
        /* path            alloc_name  alloc_ext  kmod  comp   name             ext */
        T("[test_module]", true      , true     , true, false, "[test_module]", NULL);
diff --git a/tools/perf/tests/vmlinux-kallsyms.c b/tools/perf/tests/vmlinux-kallsyms.c
index d677e018e504..bf907c50fcae 100644
--- a/tools/perf/tests/vmlinux-kallsyms.c
+++ b/tools/perf/tests/vmlinux-kallsyms.c
@@ -126,7 +126,7 @@ int test__vmlinux_matches_kallsyms(void)
                if (pair && UM(pair->start) == mem_start) {
 next_pair:
-                        if (strcmp(sym->name, pair->name) == 0) {
+                        if (arch__compare_symbol_names(sym->name, pair->name) == 0) {
                                /*
                                 * kallsyms don't have the symbol end, so we
                                 * set that by using the next symbol start - 1,
diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
index 425df5c86c9c..425597186677 100644
--- a/tools/perf/util/dso.c
+++ b/tools/perf/util/dso.c
@@ -249,6 +249,8 @@ int __kmod_path__parse(struct kmod_path *m, const char *path,
                if ((strncmp(name, "[kernel.kallsyms]", 17) == 0) ||
                    (strncmp(name, "[guest.kernel.kallsyms", 22) == 0) ||
                    (strncmp(name, "[vdso]", 6) == 0) ||
+                    (strncmp(name, "[vdso32]", 8) == 0) ||
+                    (strncmp(name, "[vdsox32]", 9) == 0) ||
                    (strncmp(name, "[vsyscall]", 10) == 0)) {
                        m->kmod = false;
diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c
index 26cba64345e3..46af9dde11e2 100644
--- a/tools/perf/util/event.c
+++ b/tools/perf/util/event.c
@@ -234,8 +234,8 @@ int perf_event__synthesize_mmap_events(struct perf_tool *tool,
        if (machine__is_default_guest(machine))
                return 0;
-        snprintf(filename, sizeof(filename), "%s/proc/%d/maps",
+        snprintf(filename, sizeof(filename), "%s/proc/%d/task/%d/maps",
-                 machine->root_dir, pid);
+                 machine->root_dir, pid, pid);
        fp = fopen(filename, "r");
        if (fp == NULL) {
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 39a8bd842d0d..4f2dc807471e 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -625,13 +625,13 @@ static void apply_config_terms(struct perf_evsel *evsel,
        struct perf_evsel_config_term *term;
        struct list_head *config_terms = &evsel->config_terms;
        struct perf_event_attr *attr = &evsel->attr;
-        struct callchain_param param;
+        /* callgraph default */
+        struct callchain_param param = {
+                .record_mode = callchain_param.record_mode,
+        };
        u32 dump_size = 0;
        char *callgraph_buf = NULL;
-        /* callgraph default */
-        param.record_mode = callchain_param.record_mode;
        list_for_each_entry(term, config_terms, list) {
                switch (term->type) {
                case PERF_EVSEL__CONFIG_TERM_PERIOD:
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 43838003c1a1..304f5d710143 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -1258,8 +1258,16 @@ static int __event_process_build_id(struct build_id_event *bev,
                dso__set_build_id(dso, &bev->build_id);
-                if (!is_kernel_module(filename, cpumode))
+                if (dso_type != DSO_TYPE_USER) {
-                        dso->kernel = dso_type;
+                        struct kmod_path m = { .name = NULL, };
+                        if (!kmod_path__parse_name(&m, filename) && m.kmod)
+                                dso__set_short_name(dso, strdup(m.name), true);
+                        else
+                                dso->kernel = dso_type;
+                        free(m.name);
+                }
                build_id__sprintf(dso->build_id, sizeof(dso->build_id),
                                  sbuild_id);
diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
index 4fd37d6708cb..f6720afa9f34 100644
--- a/tools/perf/util/hist.c
+++ b/tools/perf/util/hist.c
@@ -720,7 +720,7 @@ iter_prepare_cumulative_entry(struct hist_entry_iter *iter,
         * cumulated only one time to prevent entries more than 100%
         * overhead.
         */
-        he_cache = malloc(sizeof(*he_cache) * (iter->max_stack + 1));
+        he_cache = malloc(sizeof(*he_cache) * (callchain_cursor.nr + 1));
        if (he_cache == NULL)
                return -ENOMEM;
@@ -881,8 +881,6 @@ int hist_entry_iter__add(struct hist_entry_iter *iter, struct addr_location *al,
        if (err)
                return err;
-        iter->max_stack = max_stack_depth;
        err = iter->ops->prepare_entry(iter, al);
        if (err)
                goto out;
diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h
index a48a2078d288..46b7591acd9c 100644
--- a/tools/perf/util/hist.h
+++ b/tools/perf/util/hist.h
@@ -91,7 +91,6 @@ struct hist_entry_iter {
        int curr;
        bool hide_unresolved;
-        int max_stack;
        struct perf_evsel *evsel;
        struct perf_sample *sample;
diff --git a/tools/perf/util/include/asm/unistd_32.h b/tools/perf/util/include/asm/unistd_32.h
deleted file mode 100644
index 8b137891791f..000000000000
--- a/tools/perf/util/include/asm/unistd_32.h
+++ /dev/null
@@ -1 +0,0 @@
diff --git a/tools/perf/util/include/asm/unistd_64.h b/tools/perf/util/include/asm/unistd_64.h
deleted file mode 100644
index 8b137891791f..000000000000
--- a/tools/perf/util/include/asm/unistd_64.h
+++ /dev/null
@@ -1 +0,0 @@
diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
index eeeae0629ad3..dc17c881275d 100644
--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
@@ -111,6 +111,7 @@ struct intel_pt_decoder {
        bool have_cyc;
        bool fixup_last_mtc;
        bool have_last_ip;
+        enum intel_pt_param_flags flags;
        uint64_t pos;
        uint64_t last_ip;
        uint64_t ip;
@@ -213,6 +214,8 @@ struct intel_pt_decoder *intel_pt_decoder_new(struct intel_pt_params *params)
        decoder->data               = params->data;
        decoder->return_compression = params->return_compression;
+        decoder->flags              = params->flags;
        decoder->period             = params->period;
        decoder->period_type        = params->period_type;
@@ -1010,6 +1013,15 @@ out_no_progress:
        return err;
 }
+static inline bool intel_pt_fup_with_nlip(struct intel_pt_decoder *decoder,
+                                          struct intel_pt_insn *intel_pt_insn,
+                                          uint64_t ip, int err)
+{
+        return decoder->flags & INTEL_PT_FUP_WITH_NLIP && !err &&
+               intel_pt_insn->branch == INTEL_PT_BR_INDIRECT &&
+               ip == decoder->ip + intel_pt_insn->length;
+}
 static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
 {
        struct intel_pt_insn intel_pt_insn;
@@ -1022,7 +1034,8 @@ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
                err = intel_pt_walk_insn(decoder, &intel_pt_insn, ip);
                if (err == INTEL_PT_RETURN)
                        return 0;
-                if (err == -EAGAIN) {
+                if (err == -EAGAIN ||
+                    intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) {
                        if (decoder->set_fup_tx_flags) {
                                decoder->set_fup_tx_flags = false;
                                decoder->tx_flags = decoder->fup_tx_flags;
@@ -1032,7 +1045,7 @@ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
                                decoder->state.flags = decoder->fup_tx_flags;
                                return 0;
                        }
-                        return err;
+                        return -EAGAIN;
                }
                decoder->set_fup_tx_flags = false;
                if (err)
@@ -1268,8 +1281,8 @@ static int intel_pt_overflow(struct intel_pt_decoder *decoder)
 {
        intel_pt_log("ERROR: Buffer overflow\n");
        intel_pt_clear_tx_flags(decoder);
-        decoder->have_tma = false;
        decoder->cbr = 0;
+        decoder->timestamp_insn_cnt = 0;
        decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC;
        decoder->overflow = true;
        return -EOVERFLOW;
@@ -1486,14 +1499,18 @@ static int intel_pt_walk_fup_tip(struct intel_pt_decoder *decoder)
                case INTEL_PT_PSB:
                case INTEL_PT_TSC:
                case INTEL_PT_TMA:
-                case INTEL_PT_CBR:
                case INTEL_PT_MODE_TSX:
                case INTEL_PT_BAD:
                case INTEL_PT_PSBEND:
                        intel_pt_log("ERROR: Missing TIP after FUP\n");
                        decoder->pkt_state = INTEL_PT_STATE_ERR3;
+                        decoder->pkt_step = 0;
                        return -ENOENT;
+                case INTEL_PT_CBR:
+                        intel_pt_calc_cbr(decoder);
+                        break;
                case INTEL_PT_OVF:
                        return intel_pt_overflow(decoder);
@@ -2152,14 +2169,6 @@ const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder)
        return &decoder->state;
 }
-static bool intel_pt_at_psb(unsigned char *buf, size_t len)
-{
-        if (len < INTEL_PT_PSB_LEN)
-                return false;
-        return memmem(buf, INTEL_PT_PSB_LEN, INTEL_PT_PSB_STR,
-                      INTEL_PT_PSB_LEN);
-}
 /**
 * intel_pt_next_psb - move buffer pointer to the start of the next PSB packet.
 * @buf: pointer to buffer pointer
@@ -2248,6 +2257,7 @@ static unsigned char *intel_pt_last_psb(unsigned char *buf, size_t len)
 * @buf: buffer
 * @len: size of buffer
 * @tsc: TSC value returned
+ * @rem: returns remaining size when TSC is found
 *
 * Find a TSC packet in @buf and return the TSC value.  This function assumes
 * that @buf starts at a PSB and that PSB+ will contain TSC and so stops if a
@@ -2255,7 +2265,8 @@ static unsigned char *intel_pt_last_psb(unsigned char *buf, size_t len)
 *
 * Return: %true if TSC is found, false otherwise.
 */
-static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc)
+static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc,
+                              size_t *rem)
 {
        struct intel_pt_pkt packet;
        int ret;
@@ -2266,6 +2277,7 @@ static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc)
                        return false;
                if (packet.type == INTEL_PT_TSC) {
                        *tsc = packet.payload;
+                        *rem = len;
                        return true;
                }
                if (packet.type == INTEL_PT_PSBEND)
@@ -2316,6 +2328,8 @@ static int intel_pt_tsc_cmp(uint64_t tsc1, uint64_t tsc2)
 * @len_a: size of first buffer
 * @buf_b: second buffer
 * @len_b: size of second buffer
+ * @consecutive: returns true if there is data in buf_b that is consecutive
+ *               to buf_a
 *
 * If the trace contains TSC we can look at the last TSC of @buf_a and the
 * first TSC of @buf_b in order to determine if the buffers overlap, and then
@@ -2328,33 +2342,41 @@ static int intel_pt_tsc_cmp(uint64_t tsc1, uint64_t tsc2)
 static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a,
                                                size_t len_a,
                                                unsigned char *buf_b,
-                                                size_t len_b)
+                                                size_t len_b, bool *consecutive)
 {
        uint64_t tsc_a, tsc_b;
        unsigned char *p;
-        size_t len;
+        size_t len, rem_a, rem_b;
        p = intel_pt_last_psb(buf_a, len_a);
        if (!p)
                return buf_b; /* No PSB in buf_a => no overlap */
        len = len_a - (p - buf_a);
-        if (!intel_pt_next_tsc(p, len, &tsc_a)) {
+        if (!intel_pt_next_tsc(p, len, &tsc_a, &rem_a)) {
                /* The last PSB+ in buf_a is incomplete, so go back one more */
                len_a -= len;
                p = intel_pt_last_psb(buf_a, len_a);
                if (!p)
                        return buf_b; /* No full PSB+ => assume no overlap */
                len = len_a - (p - buf_a);
-                if (!intel_pt_next_tsc(p, len, &tsc_a))
+                if (!intel_pt_next_tsc(p, len, &tsc_a, &rem_a))
                        return buf_b; /* No TSC in buf_a => assume no overlap */
        }
        while (1) {
                /* Ignore PSB+ with no TSC */
-                if (intel_pt_next_tsc(buf_b, len_b, &tsc_b) &&
+                if (intel_pt_next_tsc(buf_b, len_b, &tsc_b, &rem_b)) {
-                    intel_pt_tsc_cmp(tsc_a, tsc_b) < 0)
+                        int cmp = intel_pt_tsc_cmp(tsc_a, tsc_b);
-                        return buf_b; /* tsc_a < tsc_b => no overlap */
+                        /* Same TSC, so buffers are consecutive */
+                        if (!cmp && rem_b >= rem_a) {
+                                *consecutive = true;
+                                return buf_b + len_b - (rem_b - rem_a);
+                        }
+                        if (cmp < 0)
+                                return buf_b; /* tsc_a < tsc_b => no overlap */
+                }
                if (!intel_pt_step_psb(&buf_b, &len_b))
                        return buf_b + len_b; /* No PSB in buf_b => no data */
@@ -2368,6 +2390,8 @@ static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a,
 * @buf_b: second buffer
 * @len_b: size of second buffer
 * @have_tsc: can use TSC packets to detect overlap
+ * @consecutive: returns true if there is data in buf_b that is consecutive
+ *               to buf_a
 *
 * When trace samples or snapshots are recorded there is the possibility that
 * the data overlaps.  Note that, for the purposes of decoding, data is only
@@ -2378,7 +2402,7 @@ static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a,
 */
 unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
                                     unsigned char *buf_b, size_t len_b,
-                                     bool have_tsc)
+                                     bool have_tsc, bool *consecutive)
 {
        unsigned char *found;
@@ -2390,7 +2414,8 @@ unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
                return buf_b; /* No overlap */
        if (have_tsc) {
-                found = intel_pt_find_overlap_tsc(buf_a, len_a, buf_b, len_b);
+                found = intel_pt_find_overlap_tsc(buf_a, len_a, buf_b, len_b,
+                                                  consecutive);
                if (found)
                        return found;
        }
@@ -2405,28 +2430,16 @@ unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
        }
        /* Now len_b >= len_a */
-        if (len_b > len_a) {
-                /* The leftover buffer 'b' must start at a PSB */
-                while (!intel_pt_at_psb(buf_b + len_a, len_b - len_a)) {
-                        if (!intel_pt_step_psb(&buf_a, &len_a))
-                                return buf_b; /* No overlap */
-                }
-        }
        while (1) {
                /* Potential overlap so check the bytes */
                found = memmem(buf_a, len_a, buf_b, len_a);
-                if (found)
+                if (found) {
+                        *consecutive = true;
                        return buf_b + len_a;
+                }
                /* Try again at next PSB in buffer 'a' */
                if (!intel_pt_step_psb(&buf_a, &len_a))
                        return buf_b; /* No overlap */
-                /* The leftover buffer 'b' must start at a PSB */
-                while (!intel_pt_at_psb(buf_b + len_a, len_b - len_a)) {
-                        if (!intel_pt_step_psb(&buf_a, &len_a))
-                                return buf_b; /* No overlap */
-                }
        }
 }
diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
index 02c38fec1c37..e420bd3be159 100644
--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
@@ -53,6 +53,14 @@ enum {
        INTEL_PT_ERR_MAX,
 };
+enum intel_pt_param_flags {
+        /*
+         * FUP packet can contain next linear instruction pointer instead of
+         * current linear instruction pointer.
+         */
+        INTEL_PT_FUP_WITH_NLIP  = 1 << 0,
+};
 struct intel_pt_state {
        enum intel_pt_sample_type type;
        int err;
@@ -91,6 +99,7 @@ struct intel_pt_params {
        unsigned int mtc_period;
        uint32_t tsc_ctc_ratio_n;
        uint32_t tsc_ctc_ratio_d;
+        enum intel_pt_param_flags flags;
 };
 struct intel_pt_decoder;
@@ -102,7 +111,7 @@ const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder);
 unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
                                     unsigned char *buf_b, size_t len_b,
-                                     bool have_tsc);
+                                     bool have_tsc, bool *consecutive);
 int intel_pt__strerror(int code, char *buf, size_t buflen);
diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
index 7528ae4f7e28..e5c6caf913f3 100644
--- a/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
@@ -281,7 +281,7 @@ static int intel_pt_get_cyc(unsigned int byte, const unsigned char *buf,
                if (len < offs)
                        return INTEL_PT_NEED_MORE_BYTES;
                byte = buf[offs++];
-                payload |= (byte >> 1) << shift;
+                payload |= ((uint64_t)byte >> 1) << shift;
        }
        packet->type = INTEL_PT_CYC;
diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
index 89927b5beebf..c8f2d084a8ce 100644
--- a/tools/perf/util/intel-pt.c
+++ b/tools/perf/util/intel-pt.c
@@ -125,6 +125,7 @@ struct intel_pt_queue {
        bool stop;
        bool step_through_buffers;
        bool use_buffer_pid_tid;
+        bool sync_switch;
        pid_t pid, tid;
        int cpu;
        int switch_state;
@@ -188,14 +189,17 @@ static void intel_pt_dump_event(struct intel_pt *pt, unsigned char *buf,
 static int intel_pt_do_fix_overlap(struct intel_pt *pt, struct auxtrace_buffer *a,
                                   struct auxtrace_buffer *b)
 {
+        bool consecutive = false;
        void *start;
        start = intel_pt_find_overlap(a->data, a->size, b->data, b->size,
-                                      pt->have_tsc);
+                                      pt->have_tsc, &consecutive);
        if (!start)
                return -EINVAL;
        b->use_size = b->data + b->size - start;
        b->use_data = start;
+        if (b->use_size && consecutive)
+                b->consecutive = true;
        return 0;
 }
@@ -672,6 +676,7 @@ static struct intel_pt_queue *intel_pt_alloc_queue(struct intel_pt *pt,
                                                   unsigned int queue_nr)
 {
        struct intel_pt_params params = { .get_trace = 0, };
+        struct perf_env *env = pt->machine->env;
        struct intel_pt_queue *ptq;
        ptq = zalloc(sizeof(struct intel_pt_queue));
@@ -749,6 +754,9 @@ static struct intel_pt_queue *intel_pt_alloc_queue(struct intel_pt *pt,
                }
        }
+        if (env->cpuid && !strncmp(env->cpuid, "GenuineIntel,6,92,", 18))
+                params.flags |= INTEL_PT_FUP_WITH_NLIP;
        ptq->decoder = intel_pt_decoder_new(&params);
        if (!ptq->decoder)
                goto out_free;
@@ -849,10 +857,12 @@ static int intel_pt_setup_queue(struct intel_pt *pt,
                        if (pt->timeless_decoding || !pt->have_sched_switch)
                                ptq->use_buffer_pid_tid = true;
                }
+                ptq->sync_switch = pt->sync_switch;
        }
        if (!ptq->on_heap &&
-            (!pt->sync_switch ||
+            (!ptq->sync_switch ||
             ptq->switch_state != INTEL_PT_SS_EXPECTING_SWITCH_EVENT)) {
                const struct intel_pt_state *state;
                int ret;
@@ -1235,11 +1245,12 @@ static int intel_pt_sample(struct intel_pt_queue *ptq)
        if (pt->synth_opts.last_branch)
                intel_pt_update_last_branch_rb(ptq);
-        if (!pt->sync_switch)
+        if (!ptq->sync_switch)
                return 0;
        if (intel_pt_is_switch_ip(ptq, state->to_ip)) {
                switch (ptq->switch_state) {
+                case INTEL_PT_SS_NOT_TRACING:
                case INTEL_PT_SS_UNKNOWN:
                case INTEL_PT_SS_EXPECTING_SWITCH_IP:
                        err = intel_pt_next_tid(pt, ptq);
@@ -1316,6 +1327,21 @@ static u64 intel_pt_switch_ip(struct intel_pt *pt, u64 *ptss_ip)
        return switch_ip;
 }
+static void intel_pt_enable_sync_switch(struct intel_pt *pt)
+{
+        unsigned int i;
+        pt->sync_switch = true;
+        for (i = 0; i < pt->queues.nr_queues; i++) {
+                struct auxtrace_queue *queue = &pt->queues.queue_array[i];
+                struct intel_pt_queue *ptq = queue->priv;
+                if (ptq)
+                        ptq->sync_switch = true;
+        }
+}
 static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp)
 {
        const struct intel_pt_state *state = ptq->state;
@@ -1332,7 +1358,7 @@ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp)
                        if (pt->switch_ip) {
                                intel_pt_log("switch_ip: %"PRIx64" ptss_ip: %"PRIx64"\n",
                                             pt->switch_ip, pt->ptss_ip);
-                                pt->sync_switch = true;
+                                intel_pt_enable_sync_switch(pt);
                        }
                }
        }
@@ -1348,9 +1374,9 @@ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp)
                if (state->err) {
                        if (state->err == INTEL_PT_ERR_NODATA)
                                return 1;
-                        if (pt->sync_switch &&
+                        if (ptq->sync_switch &&
                            state->from_ip >= pt->kernel_start) {
-                                pt->sync_switch = false;
+                                ptq->sync_switch = false;
                                intel_pt_next_tid(pt, ptq);
                        }
                        if (pt->synth_opts.errors) {
@@ -1376,7 +1402,7 @@ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp)
                                     state->timestamp, state->est_timestamp);
                        ptq->timestamp = state->est_timestamp;
                /* Use estimated TSC in unknown switch state */
-                } else if (pt->sync_switch &&
+                } else if (ptq->sync_switch &&
                           ptq->switch_state == INTEL_PT_SS_UNKNOWN &&
                           intel_pt_is_switch_ip(ptq, state->to_ip) &&
                           ptq->next_tid == -1) {
@@ -1523,7 +1549,7 @@ static int intel_pt_sync_switch(struct intel_pt *pt, int cpu, pid_t tid,
                return 1;
        ptq = intel_pt_cpu_to_ptq(pt, cpu);
-        if (!ptq)
+        if (!ptq || !ptq->sync_switch)
                return 1;
        switch (ptq->switch_state) {
diff --git a/tools/perf/util/ordered-events.c b/tools/perf/util/ordered-events.c
index b1b9e2385f4b..5e58149c4df2 100644
--- a/tools/perf/util/ordered-events.c
+++ b/tools/perf/util/ordered-events.c
@@ -79,7 +79,7 @@ static union perf_event *dup_event(struct ordered_events *oe,
 static void free_dup_event(struct ordered_events *oe, union perf_event *event)
 {
-        if (oe->copy_on_queue) {
+        if (event && oe->copy_on_queue) {
                oe->cur_alloc_size -= event->header.size;
                free(event);
        }
@@ -150,6 +150,7 @@ void ordered_events__delete(struct ordered_events *oe, struct ordered_event *eve
        list_move(&event->list, &oe->cache);
        oe->nr_events--;
        free_dup_event(oe, event->event);
+        event->event = NULL;
 }
 int ordered_events__queue(struct ordered_events *oe, union perf_event *event,
diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
index 03875f9154e7..0195b7e8c54a 100644
--- a/tools/perf/util/probe-event.c
+++ b/tools/perf/util/probe-event.c
@@ -2349,6 +2349,14 @@ static int get_new_event_name(char *buf, size_t len, const char *base,
 out:
        free(nbase);
+        /* Final validation */
+        if (ret >= 0 && !is_c_func_name(buf)) {
+                pr_warning("Internal error: \"%s\" is an invalid event name.\n",
+                           buf);
+                ret = -EINVAL;
+        }
        return ret;
 }
diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
index 010ff659b82f..4596496f6c0f 100644
--- a/tools/perf/util/session.c
+++ b/tools/perf/util/session.c
@@ -135,8 +135,14 @@ struct perf_session *perf_session__new(struct perf_data_file *file,
                        if (perf_session__open(session) < 0)
                                goto out_close;
-                        perf_session__set_id_hdr_size(session);
+                        /*
-                        perf_session__set_comm_exec(session);
+                         * set session attributes that are present in perf.data
+                         * but not in pipe-mode.
+                         */
+                        if (!file->is_pipe) {
+                                perf_session__set_id_hdr_size(session);
+                                perf_session__set_comm_exec(session);
+                        }
                }
        } else  {
                session->machines.host.env = &perf_env;
@@ -151,7 +157,11 @@ struct perf_session *perf_session__new(struct perf_data_file *file,
                        pr_warning("Cannot read kernel map\n");
        }
-        if (tool && tool->ordering_requires_timestamps &&
+        /*
+         * In pipe-mode, evlist is empty until PERF_RECORD_HEADER_ATTR is
+         * processed, so perf_evlist__sample_id_all is not meaningful here.
+         */
+        if ((!file || !file->is_pipe) && tool && tool->ordering_requires_timestamps &&
            tool->ordered_events && !perf_evlist__sample_id_all(session->evlist)) {
                dump_printf("WARNING: No sample_id_all support, falling back to unordered processing\n");
                tool->ordered_events = false;
@@ -1411,6 +1421,7 @@ static int __perf_session__process_pipe_events(struct perf_session *session)
        buf = malloc(cur_size);
        if (!buf)
                return -errno;
+        ordered_events__set_copy_on_queue(oe, true);
 more:
        event = buf;
        err = readn(fd, event, sizeof(struct perf_event_header));
diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c
index 2d8ccd4d9e1b..87312056f75d 100644
--- a/tools/perf/util/sort.c
+++ b/tools/perf/util/sort.c
@@ -604,6 +604,9 @@ static int hist_entry__mispredict_snprintf(struct hist_entry *he, char *bf,
 static int64_t
 sort__cycles_cmp(struct hist_entry *left, struct hist_entry *right)
 {
+        if (!left->branch_info || !right->branch_info)
+                return cmp_null(left->branch_info, right->branch_info);
        return left->branch_info->flags.cycles -
                right->branch_info->flags.cycles;
 }
@@ -611,6 +614,8 @@ sort__cycles_cmp(struct hist_entry *left, struct hist_entry *right)
 static int hist_entry__cycles_snprintf(struct hist_entry *he, char *bf,
                                    size_t size, unsigned int width)
 {
+        if (!he->branch_info)
+                return scnprintf(bf, size, "%-.*s", width, "N/A");
        if (he->branch_info->flags.cycles == 0)
                return repsep_snprintf(bf, size, "%-*s", width, "-");
        return repsep_snprintf(bf, size, "%-*hd", width,
diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c
index 2dcfe9a7c8d0..60edec383281 100644
--- a/tools/perf/util/unwind-libdw.c
+++ b/tools/perf/util/unwind-libdw.c
@@ -37,6 +37,14 @@ static int __report_module(struct addr_location *al, u64 ip,
                return 0;
        mod = dwfl_addrmodule(ui->dwfl, ip);
+        if (mod) {
+                Dwarf_Addr s;
+                dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL);
+                if (s != al->map->start)
+                        mod = 0;
+        }
        if (!mod)
                mod = dwfl_report_elf(ui->dwfl, dso->short_name,
                                      dso->long_name, -1, al->map->start,
diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
index 47b1e36c7ea0..9adc9af8b048 100644
--- a/tools/perf/util/util.c
+++ b/tools/perf/util/util.c
@@ -162,7 +162,7 @@ int copyfile_offset(int ifd, loff_t off_in, int ofd, loff_t off_out, u64 size)
                size -= ret;
                off_in += ret;
-                off_out -= ret;
+                off_out += ret;
        }
        munmap(ptr, off_in + size);
diff --git a/tools/scripts/Makefile.include b/tools/scripts/Makefile.include
index 8abbef164b4e..7ea4438b801d 100644
--- a/tools/scripts/Makefile.include
+++ b/tools/scripts/Makefile.include
@@ -46,6 +46,16 @@ else
 NO_SUBDIR = :
 endif
+ifneq ($(filter 4.%,$(MAKE_VERSION)),)  # make-4
+ifneq ($(filter %s ,$(firstword x$(MAKEFLAGS))),)
+  silent=1
+endif
+else                                    # make-3.8x
+ifneq ($(filter s% -s%,$(MAKEFLAGS)),)
+  silent=1
+endif
+endif
 #
 # Define a callable command for descending to a new directory
 #
@@ -58,7 +68,7 @@ descend = \
 QUIET_SUBDIR0  = +$(MAKE) $(COMMAND_O) -C # space to separate -C and subdir
 QUIET_SUBDIR1  =
-ifneq ($(findstring $(MAKEFLAGS),s),s)
+ifneq ($(silent),1)
  ifneq ($(V),1)
        QUIET_CC       = @echo '  CC       '$@;
        QUIET_CC_FPIC  = @echo '  CC FPIC  '$@;
@@ -82,3 +92,5 @@ ifneq ($(findstring $(MAKEFLAGS),s),s)
        QUIET_INSTALL  = @printf '  INSTALL  %s\n' $1;
  endif
 endif
+pound := \#
diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
index 24ebd3e3eb7d..5d2e479430d1 100644
--- a/tools/testing/selftests/Makefile
+++ b/tools/testing/selftests/Makefile
@@ -90,6 +90,7 @@ ifdef INSTALL_PATH
        for TARGET in $(TARGETS); do \
                echo "echo ; echo Running tests in $$TARGET" >> $(ALL_SCRIPT); \
                echo "echo ========================================" >> $(ALL_SCRIPT); \
+                echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \
                echo "cd $$TARGET" >> $(ALL_SCRIPT); \
                make -s --no-print-directory -C $$TARGET emit_tests >> $(ALL_SCRIPT); \
                echo "cd \$$ROOT" >> $(ALL_SCRIPT); \
diff --git a/tools/testing/selftests/firmware/fw_filesystem.sh b/tools/testing/selftests/firmware/fw_filesystem.sh
index 856a1f327b3f..63c310cdac09 100755
--- a/tools/testing/selftests/firmware/fw_filesystem.sh
+++ b/tools/testing/selftests/firmware/fw_filesystem.sh
@@ -28,7 +28,12 @@ test_finish()
        if [ "$HAS_FW_LOADER_USER_HELPER" = "yes" ]; then
                echo "$OLD_TIMEOUT" >/sys/class/firmware/timeout
        fi
-        echo -n "$OLD_PATH" >/sys/module/firmware_class/parameters/path
+        if [ "$OLD_FWPATH" = "" ]; then
+                # A zero-length write won't work; write a null byte
+                printf '\000' >/sys/module/firmware_class/parameters/path
+        else
+                echo -n "$OLD_FWPATH" >/sys/module/firmware_class/parameters/path
+        fi
        rm -f "$FW"
        rmdir "$FWPATH"
 }
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
new file mode 100644
index 000000000000..5ba73035e1d9
--- /dev/null
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
@@ -0,0 +1,46 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+# description: Kprobe event string type argument
+[ -f kprobe_events ] || exit_unsupported # this is configurable
+echo 0 > events/enable
+echo > kprobe_events
+case `uname -m` in
+x86_64)
+  ARG2=%si
+  OFFS=8
+;;
+i[3456]86)
+  ARG2=%cx
+  OFFS=4
+;;
+aarch64)
+  ARG2=%x1
+  OFFS=8
+;;
+arm*)
+  ARG2=%r1
+  OFFS=4
+;;
+*)
+  echo "Please implement other architecture here"
+  exit_untested
+esac
+: "Test get argument (1)"
+echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string" > kprobe_events
+echo 1 > events/kprobes/testprobe/enable
+! echo test >> kprobe_events
+tail -n 1 trace | grep -qe "testprobe.* arg1=\"test\""
+echo 0 > events/kprobes/testprobe/enable
+: "Test get argument (2)"
+echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string arg2=+0(+${OFFS}(${ARG2})):string" > kprobe_events
+echo 1 > events/kprobes/testprobe/enable
+! echo test1 test2 >> kprobe_events
+tail -n 1 trace | grep -qe "testprobe.* arg1=\"test1\" arg2=\"test2\""
+echo 0 > events/enable
+echo > kprobe_events
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
new file mode 100644
index 000000000000..231bcd2c4eb5
--- /dev/null
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc
@@ -0,0 +1,97 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+# description: Kprobe event argument syntax
+[ -f kprobe_events ] || exit_unsupported # this is configurable
+grep "x8/16/32/64" README > /dev/null || exit_unsupported # version issue
+echo 0 > events/enable
+echo > kprobe_events
+PROBEFUNC="vfs_read"
+GOODREG=
+BADREG=
+GOODSYM="_sdata"
+if ! grep -qw ${GOODSYM} /proc/kallsyms ; then
+  GOODSYM=$PROBEFUNC
+fi
+BADSYM="deaqswdefr"
+SYMADDR=0x`grep -w ${GOODSYM} /proc/kallsyms | cut -f 1 -d " "`
+GOODTYPE="x16"
+BADTYPE="y16"
+case `uname -m` in
+x86_64|i[3456]86)
+  GOODREG=%ax
+  BADREG=%ex
+;;
+aarch64)
+  GOODREG=%x0
+  BADREG=%ax
+;;
+arm*)
+  GOODREG=%r0
+  BADREG=%ax
+;;
+esac
+test_goodarg() # Good-args
+{
+  while [ "$1" ]; do
+    echo "p ${PROBEFUNC} $1" > kprobe_events
+    shift 1
+  done;
+}
+test_badarg() # Bad-args
+{
+  while [ "$1" ]; do
+    ! echo "p ${PROBEFUNC} $1" > kprobe_events
+    shift 1
+  done;
+}
+echo > kprobe_events
+: "Register access"
+test_goodarg ${GOODREG}
+test_badarg ${BADREG}
+: "Symbol access"
+test_goodarg "@${GOODSYM}" "@${SYMADDR}" "@${GOODSYM}+10" "@${GOODSYM}-10"
+test_badarg "@" "@${BADSYM}" "@${GOODSYM}*10" "@${GOODSYM}/10" \
+            "@${GOODSYM}%10" "@${GOODSYM}&10" "@${GOODSYM}|10"
+: "Stack access"
+test_goodarg "\$stack" "\$stack0" "\$stack1"
+test_badarg "\$stackp" "\$stack0+10" "\$stack1-10"
+: "Retval access"
+echo "r ${PROBEFUNC} \$retval" > kprobe_events
+! echo "p ${PROBEFUNC} \$retval" > kprobe_events
+: "Comm access"
+test_goodarg "\$comm"
+: "Indirect memory access"
+test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \
+        "+0(\$stack1)" "+10(@${GOODSYM}-10)" "+0(+10(+20(\$stack)))"
+test_badarg "+(${GOODREG})" "(${GOODREG}+10)" "-(${GOODREG})" "(${GOODREG})" \
+        "+10(\$comm)" "+0(${GOODREG})+10"
+: "Name assignment"
+test_goodarg "varname=${GOODREG}"
+test_badarg "varname=varname2=${GOODREG}"
+: "Type syntax"
+test_goodarg "${GOODREG}:${GOODTYPE}"
+test_badarg "${GOODREG}::${GOODTYPE}" "${GOODREG}:${BADTYPE}" \
+        "${GOODTYPE}:${GOODREG}"
+: "Combination check"
+test_goodarg "\$comm:string" "+0(\$stack):string"
+test_badarg "\$comm:x64" "\$stack:string" "${GOODREG}:string"
+echo > kprobe_events
diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc b/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc
new file mode 100644
index 000000000000..4fda01a08da4
--- /dev/null
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc
@@ -0,0 +1,43 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+# description: Kprobe events - probe points
+[ -f kprobe_events ] || exit_unsupported # this is configurable
+TARGET_FUNC=create_trace_kprobe
+dec_addr() { # hexaddr
+  printf "%d" "0x"`echo $1 | tail -c 8`
+}
+set_offs() { # prev target next
+  A1=`dec_addr $1`
+  A2=`dec_addr $2`
+  A3=`dec_addr $3`
+  TARGET="0x$2" # an address
+  PREV=`expr $A1 - $A2` # offset to previous symbol
+  NEXT=+`expr $A3 - $A2` # offset to next symbol
+  OVERFLOW=+`printf "0x%x" ${PREV}` # overflow offset to previous symbol
+}
+# We have to decode symbol addresses to get correct offsets.
+# If the offset is not an instruction boundary, it cause -EILSEQ.
+set_offs `grep -A1 -B1 ${TARGET_FUNC} /proc/kallsyms | cut -f 1 -d " " | xargs`
+UINT_TEST=no
+# printf "%x" -1 returns (unsigned long)-1.
+if [ `printf "%x" -1 | wc -c` != 9 ]; then
+  UINT_TEST=yes
+fi
+echo 0 > events/enable
+echo > kprobe_events
+echo "p:testprobe ${TARGET_FUNC}" > kprobe_events
+echo "p:testprobe ${TARGET}" > kprobe_events
+echo "p:testprobe ${TARGET_FUNC}${NEXT}" > kprobe_events
+! echo "p:testprobe ${TARGET_FUNC}${PREV}" > kprobe_events
+if [ "${UINT_TEST}" = yes ]; then
+! echo "p:testprobe ${TARGET_FUNC}${OVERFLOW}" > kprobe_events
+fi
+echo > kprobe_events
+clear_trace
diff --git a/tools/testing/selftests/memfd/config b/tools/testing/selftests/memfd/config
new file mode 100644
index 000000000000..835c7f4dadcd
--- /dev/null
+++ b/tools/testing/selftests/memfd/config
@@ -0,0 +1 @@
+CONFIG_FUSE_FS=m
diff --git a/tools/testing/selftests/net/psock_fanout.c b/tools/testing/selftests/net/psock_fanout.c
index 412459369686..9b654a070e7d 100644
--- a/tools/testing/selftests/net/psock_fanout.c
+++ b/tools/testing/selftests/net/psock_fanout.c
@@ -97,6 +97,8 @@ static int sock_fanout_open(uint16_t typeflags, int num_packets)
 static void sock_fanout_set_ebpf(int fd)
 {
+        static char log_buf[65536];
        const int len_off = __builtin_offsetof(struct __sk_buff, len);
        struct bpf_insn prog[] = {
                { BPF_ALU64 | BPF_MOV | BPF_X,   6, 1, 0, 0 },
@@ -109,7 +111,6 @@ static void sock_fanout_set_ebpf(int fd)
                { BPF_ALU   | BPF_MOV | BPF_K,   0, 0, 0, 0 },
                { BPF_JMP   | BPF_EXIT,          0, 0, 0, 0 }
        };
-        char log_buf[512];
        union bpf_attr attr;
        int pfd;
diff --git a/tools/testing/selftests/powerpc/mm/subpage_prot.c b/tools/testing/selftests/powerpc/mm/subpage_prot.c
index 440180ff8089..ca29f5872817 100644
--- a/tools/testing/selftests/powerpc/mm/subpage_prot.c
+++ b/tools/testing/selftests/powerpc/mm/subpage_prot.c
@@ -135,6 +135,16 @@ static int run_test(void *addr, unsigned long size)
        return 0;
 }
+static int syscall_available(void)
+{
+        int rc;
+        errno = 0;
+        rc = syscall(__NR_subpage_prot, 0, 0, 0);
+        return rc == 0 || (errno != ENOENT && errno != ENOSYS);
+}
 int test_anon(void)
 {
        unsigned long align;
@@ -145,6 +155,8 @@ int test_anon(void)
        void *mallocblock;
        unsigned long mallocsize;
+        SKIP_IF(!syscall_available());
        if (getpagesize() != 0x10000) {
                fprintf(stderr, "Kernel page size must be 64K!\n");
                return 1;
@@ -180,6 +192,8 @@ int test_file(void)
        off_t filesize;
        int fd;
+        SKIP_IF(!syscall_available());
        fd = open(file_name, O_RDWR);
        if (fd == -1) {
                perror("failed to open file");
diff --git a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
index 42d4c8caad81..de8dc82e2567 100644
--- a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
+++ b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
@@ -45,12 +45,12 @@ int test_body(void)
        printf("Check DSCR TM context switch: ");
        fflush(stdout);
        for (;;) {
-                rv = 1;
                asm __volatile__ (
                        /* set a known value into the DSCR */
                        "ld      3, %[dscr1];"
                        "mtspr   %[sprn_dscr], 3;"
+                        "li      %[rv], 1;"
                        /* start and suspend a transaction */
                        TBEGIN
                        "beq     1f;"
diff --git a/tools/testing/selftests/rcutorture/bin/configinit.sh b/tools/testing/selftests/rcutorture/bin/configinit.sh
index 3f81a1095206..50a6371b2b2e 100755
--- a/tools/testing/selftests/rcutorture/bin/configinit.sh
+++ b/tools/testing/selftests/rcutorture/bin/configinit.sh
@@ -51,7 +51,7 @@ then
                        mkdir $builddir
                fi
        else
-                echo Bad build directory: \"$builddir\"
+                echo Bad build directory: \"$buildloc\"
                exit 2
        fi
 fi
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 882fe83a3554..b3f345433ec7 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -1476,15 +1476,19 @@ TEST_F(TRACE_syscall, syscall_dropped)
 #define SECCOMP_SET_MODE_FILTER 1
 #endif
-#ifndef SECCOMP_FLAG_FILTER_TSYNC
+#ifndef SECCOMP_FILTER_FLAG_TSYNC
-#define SECCOMP_FLAG_FILTER_TSYNC 1
+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
+#endif
+#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
 #endif
 #ifndef seccomp
-int seccomp(unsigned int op, unsigned int flags, struct sock_fprog *filter)
+int seccomp(unsigned int op, unsigned int flags, void *args)
 {
        errno = 0;
-        return syscall(__NR_seccomp, op, flags, filter);
+        return syscall(__NR_seccomp, op, flags, args);
 }
 #endif
@@ -1576,6 +1580,78 @@ TEST(seccomp_syscall_mode_lock)
        }
 }
+/*
+ * Test detection of known and unknown filter flags. Userspace needs to be able
+ * to check if a filter flag is supported by the current kernel and a good way
+ * of doing that is by attempting to enter filter mode, with the flag bit in
+ * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates
+ * that the flag is valid and EINVAL indicates that the flag is invalid.
+ */
+TEST(detect_seccomp_filter_flags)
+{
+        unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
+                                 SECCOMP_FILTER_FLAG_SPEC_ALLOW };
+        unsigned int flag, all_flags;
+        int i;
+        long ret;
+        /* Test detection of known-good filter flags */
+        for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
+                int bits = 0;
+                flag = flags[i];
+                /* Make sure the flag is a single bit! */
+                while (flag) {
+                        if (flag & 0x1)
+                                bits ++;
+                        flag >>= 1;
+                }
+                ASSERT_EQ(1, bits);
+                flag = flags[i];
+                ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
+                ASSERT_NE(ENOSYS, errno) {
+                        TH_LOG("Kernel does not support seccomp syscall!");
+                }
+                EXPECT_EQ(-1, ret);
+                EXPECT_EQ(EFAULT, errno) {
+                        TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!",
+                               flag);
+                }
+                all_flags |= flag;
+        }
+        /* Test detection of all known-good filter flags */
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
+        EXPECT_EQ(-1, ret);
+        EXPECT_EQ(EFAULT, errno) {
+                TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
+                       all_flags);
+        }
+        /* Test detection of an unknown filter flag */
+        flag = -1;
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
+        EXPECT_EQ(-1, ret);
+        EXPECT_EQ(EINVAL, errno) {
+                TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!",
+                       flag);
+        }
+        /*
+         * Test detection of an unknown filter flag that may simply need to be
+         * added to this test
+         */
+        flag = flags[ARRAY_SIZE(flags) - 1] << 1;
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
+        EXPECT_EQ(-1, ret);
+        EXPECT_EQ(EINVAL, errno) {
+                TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?",
+                       flag);
+        }
+}
 TEST(TSYNC_first)
 {
        struct sock_filter filter[] = {
@@ -1592,7 +1668,7 @@ TEST(TSYNC_first)
                TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
        }
-        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
                      &prog);
        ASSERT_NE(ENOSYS, errno) {
                TH_LOG("Kernel does not support seccomp syscall!");
@@ -1810,7 +1886,7 @@ TEST_F(TSYNC, two_siblings_with_ancestor)
                self->sibling_count++;
        }
-        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
                      &self->apply_prog);
        ASSERT_EQ(0, ret) {
                TH_LOG("Could install filter on all threads!");
@@ -1871,7 +1947,7 @@ TEST_F(TSYNC, two_siblings_with_no_filter)
                TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
        }
-        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
                      &self->apply_prog);
        ASSERT_NE(ENOSYS, errno) {
                TH_LOG("Kernel does not support seccomp syscall!");
@@ -1919,7 +1995,7 @@ TEST_F(TSYNC, two_siblings_with_one_divergence)
                self->sibling_count++;
        }
-        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
                      &self->apply_prog);
        ASSERT_EQ(self->sibling[0].system_tid, ret) {
                TH_LOG("Did not fail on diverged sibling.");
@@ -1971,7 +2047,7 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
                TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
        }
-        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
                      &self->apply_prog);
        ASSERT_EQ(ret, self->sibling[0].system_tid) {
                TH_LOG("Did not fail on diverged sibling.");
@@ -2000,7 +2076,7 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
        /* Switch to the remaining sibling */
        sib = !sib;
-        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
                      &self->apply_prog);
        ASSERT_EQ(0, ret) {
                TH_LOG("Expected the remaining sibling to sync");
@@ -2023,7 +2099,7 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
        while (!kill(self->sibling[sib].system_tid, 0))
                sleep(0.1);
-        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
+        ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
                      &self->apply_prog);
        ASSERT_EQ(0, ret);  /* just us chickens */
 }
diff --git a/tools/testing/selftests/x86/entry_from_vm86.c b/tools/testing/selftests/x86/entry_from_vm86.c
index d075ea0e5ca1..ade443a88421 100644
--- a/tools/testing/selftests/x86/entry_from_vm86.c
+++ b/tools/testing/selftests/x86/entry_from_vm86.c
@@ -95,6 +95,31 @@ asm (
        "int3\n\t"
        "vmcode_int80:\n\t"
        "int $0x80\n\t"
+        "vmcode_popf_hlt:\n\t"
+        "push %ax\n\t"
+        "popf\n\t"
+        "hlt\n\t"
+        "vmcode_umip:\n\t"
+        /* addressing via displacements */
+        "smsw (2052)\n\t"
+        "sidt (2054)\n\t"
+        "sgdt (2060)\n\t"
+        /* addressing via registers */
+        "mov $2066, %bx\n\t"
+        "smsw (%bx)\n\t"
+        "mov $2068, %bx\n\t"
+        "sidt (%bx)\n\t"
+        "mov $2074, %bx\n\t"
+        "sgdt (%bx)\n\t"
+        /* register operands, only for smsw */
+        "smsw %ax\n\t"
+        "mov %ax, (2080)\n\t"
+        "int3\n\t"
+        "vmcode_umip_str:\n\t"
+        "str %eax\n\t"
+        "vmcode_umip_sldt:\n\t"
+        "sldt %eax\n\t"
+        "int3\n\t"
        ".size vmcode, . - vmcode\n\t"
        "end_vmcode:\n\t"
        ".code32\n\t"
@@ -103,7 +128,8 @@ asm (
 extern unsigned char vmcode[], end_vmcode[];
 extern unsigned char vmcode_bound[], vmcode_sysenter[], vmcode_syscall[],
-        vmcode_sti[], vmcode_int3[], vmcode_int80[];
+        vmcode_sti[], vmcode_int3[], vmcode_int80[], vmcode_popf_hlt[],
+        vmcode_umip[], vmcode_umip_str[], vmcode_umip_sldt[];
 /* Returns false if the test was skipped. */
 static bool do_test(struct vm86plus_struct *v86, unsigned long eip,
@@ -153,13 +179,75 @@ static bool do_test(struct vm86plus_struct *v86, unsigned long eip,
            (VM86_TYPE(ret) == rettype && VM86_ARG(ret) == retarg)) {
                printf("[OK]\tReturned correctly\n");
        } else {
-                printf("[FAIL]\tIncorrect return reason\n");
+                printf("[FAIL]\tIncorrect return reason (started at eip = 0x%lx, ended at eip = 0x%lx)\n", eip, v86->regs.eip);
                nerrs++;
        }
        return true;
 }
+void do_umip_tests(struct vm86plus_struct *vm86, unsigned char *test_mem)
+{
+        struct table_desc {
+                unsigned short limit;
+                unsigned long base;
+        } __attribute__((packed));
+        /* Initialize variables with arbitrary values */
+        struct table_desc gdt1 = { .base = 0x3c3c3c3c, .limit = 0x9999 };
+        struct table_desc gdt2 = { .base = 0x1a1a1a1a, .limit = 0xaeae };
+        struct table_desc idt1 = { .base = 0x7b7b7b7b, .limit = 0xf1f1 };
+        struct table_desc idt2 = { .base = 0x89898989, .limit = 0x1313 };
+        unsigned short msw1 = 0x1414, msw2 = 0x2525, msw3 = 3737;
+        /* UMIP -- exit with INT3 unless kernel emulation did not trap #GP */
+        do_test(vm86, vmcode_umip - vmcode, VM86_TRAP, 3, "UMIP tests");
+        /* Results from displacement-only addressing */
+        msw1 = *(unsigned short *)(test_mem + 2052);
+        memcpy(&idt1, test_mem + 2054, sizeof(idt1));
+        memcpy(&gdt1, test_mem + 2060, sizeof(gdt1));
+        /* Results from register-indirect addressing */
+        msw2 = *(unsigned short *)(test_mem + 2066);
+        memcpy(&idt2, test_mem + 2068, sizeof(idt2));
+        memcpy(&gdt2, test_mem + 2074, sizeof(gdt2));
+        /* Results when using register operands */
+        msw3 = *(unsigned short *)(test_mem + 2080);
+        printf("[INFO]\tResult from SMSW:[0x%04x]\n", msw1);
+        printf("[INFO]\tResult from SIDT: limit[0x%04x]base[0x%08lx]\n",
+               idt1.limit, idt1.base);
+        printf("[INFO]\tResult from SGDT: limit[0x%04x]base[0x%08lx]\n",
+               gdt1.limit, gdt1.base);
+        if (msw1 != msw2 || msw1 != msw3)
+                printf("[FAIL]\tAll the results of SMSW should be the same.\n");
+        else
+                printf("[PASS]\tAll the results from SMSW are identical.\n");
+        if (memcmp(&gdt1, &gdt2, sizeof(gdt1)))
+                printf("[FAIL]\tAll the results of SGDT should be the same.\n");
+        else
+                printf("[PASS]\tAll the results from SGDT are identical.\n");
+        if (memcmp(&idt1, &idt2, sizeof(idt1)))
+                printf("[FAIL]\tAll the results of SIDT should be the same.\n");
+        else
+                printf("[PASS]\tAll the results from SIDT are identical.\n");
+        sethandler(SIGILL, sighandler, 0);
+        do_test(vm86, vmcode_umip_str - vmcode, VM86_SIGNAL, 0,
+                "STR instruction");
+        clearhandler(SIGILL);
+        sethandler(SIGILL, sighandler, 0);
+        do_test(vm86, vmcode_umip_sldt - vmcode, VM86_SIGNAL, 0,
+                "SLDT instruction");
+        clearhandler(SIGILL);
+}
 int main(void)
 {
        struct vm86plus_struct v86;
@@ -180,6 +268,9 @@ int main(void)
        v86.regs.ds = load_addr / 16;
        v86.regs.es = load_addr / 16;
+        /* Use the end of the page as our stack. */
+        v86.regs.esp = 4096;
        assert((v86.regs.cs & 3) == 0); /* Looks like RPL = 0 */
        /* #BR -- should deliver SIG??? */
@@ -211,6 +302,23 @@ int main(void)
        v86.regs.eflags &= ~X86_EFLAGS_IF;
        do_test(&v86, vmcode_sti - vmcode, VM86_STI, 0, "STI with VIP set");
+        /* POPF with VIP set but IF clear: should not trap */
+        v86.regs.eflags = X86_EFLAGS_VIP;
+        v86.regs.eax = 0;
+        do_test(&v86, vmcode_popf_hlt - vmcode, VM86_UNKNOWN, 0, "POPF with VIP set and IF clear");
+        /* POPF with VIP set and IF set: should trap */
+        v86.regs.eflags = X86_EFLAGS_VIP;
+        v86.regs.eax = X86_EFLAGS_IF;
+        do_test(&v86, vmcode_popf_hlt - vmcode, VM86_STI, 0, "POPF with VIP and IF set");
+        /* POPF with VIP clear and IF set: should not trap */
+        v86.regs.eflags = 0;
+        v86.regs.eax = X86_EFLAGS_IF;
+        do_test(&v86, vmcode_popf_hlt - vmcode, VM86_UNKNOWN, 0, "POPF with VIP clear and IF set");
+        v86.regs.eflags = 0;
        /* INT3 -- should cause #BP */
        do_test(&v86, vmcode_int3 - vmcode, VM86_TRAP, 3, "INT3");
@@ -218,6 +326,9 @@ int main(void)
        v86.regs.eax = (unsigned int)-1;
        do_test(&v86, vmcode_int80 - vmcode, VM86_INTx, 0x80, "int80");
+        /* UMIP -- should exit with INTx 0x80 unless UMIP was not disabled */
+        do_umip_tests(&v86, addr);
        /* Execute a null pointer */
        v86.regs.cs = 0;
        v86.regs.ss = 0;
@@ -231,7 +342,7 @@ int main(void)
        clearhandler(SIGSEGV);
        /* Make sure nothing explodes if we fork. */
-        if (fork() > 0)
+        if (fork() == 0)
                return 0;
        return (nerrs == 0 ? 0 : 1);
diff --git a/tools/thermal/tmon/sysfs.c b/tools/thermal/tmon/sysfs.c
index 1c12536f2081..18f523557983 100644
--- a/tools/thermal/tmon/sysfs.c
+++ b/tools/thermal/tmon/sysfs.c
@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst)
 int update_thermal_data()
 {
        int i;
+        int next_thermal_record = cur_thermal_record + 1;
        char tz_name[256];
        static unsigned long samples;
@@ -495,9 +496,9 @@ int update_thermal_data()
        }
        /* circular buffer for keeping historic data */
-        if (cur_thermal_record >= NR_THERMAL_RECORDS)
+        if (next_thermal_record >= NR_THERMAL_RECORDS)
-                cur_thermal_record = 0;
+                next_thermal_record = 0;
-        gettimeofday(&trec[cur_thermal_record].tv, NULL);
+        gettimeofday(&trec[next_thermal_record].tv, NULL);
        if (tmon_log) {
                fprintf(tmon_log, "%lu ", ++samples);
                fprintf(tmon_log, "%3.1f ", p_param.t_target);
@@ -507,11 +508,12 @@ int update_thermal_data()
                snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE,
                        ptdata.tzi[i].instance);
                sysfs_get_ulong(tz_name, "temp",
-                                &trec[cur_thermal_record].temp[i]);
+                                &trec[next_thermal_record].temp[i]);
                if (tmon_log)
                        fprintf(tmon_log, "%lu ",
-                                trec[cur_thermal_record].temp[i]/1000);
+                                trec[next_thermal_record].temp[i] / 1000);
        }
+        cur_thermal_record = next_thermal_record;
        for (i = 0; i < ptdata.nr_cooling_dev; i++) {
                char cdev_name[256];
                unsigned long val;
diff --git a/tools/thermal/tmon/tmon.c b/tools/thermal/tmon/tmon.c
index 9aa19652e8e8..b43138f8b862 100644
--- a/tools/thermal/tmon/tmon.c
+++ b/tools/thermal/tmon/tmon.c
@@ -336,7 +336,6 @@ int main(int argc, char **argv)
                        show_data_w();
                        show_cooling_device();
                }
-                cur_thermal_record++;
                time_elapsed += ticktime;
                controller_handler(trec[0].temp[target_tz_index] / 1000,
                                &yk);
diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c
index ac73710473de..8000445ff884 100644
--- a/tools/usb/usbip/libsrc/usbip_common.c
+++ b/tools/usb/usbip/libsrc/usbip_common.c
@@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_device *udev, int i,
                       struct usbip_usb_interface *uinf)
 {
        char busid[SYSFS_BUS_ID_SIZE];
+        int size;
        struct udev_device *sif;
-        sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i);
+        size = snprintf(busid, sizeof(busid), "%s:%d.%d",
+                        udev->busid, udev->bConfigurationValue, i);
+        if (size < 0 || (unsigned int)size >= sizeof(busid)) {
+                err("busid length %i >= %lu or < 0", size,
+                    (unsigned long)sizeof(busid));
+                return -1;
+        }
        sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid);
        if (!sif) {
diff --git a/tools/usb/usbip/libsrc/usbip_host_driver.c b/tools/usb/usbip/libsrc/usbip_host_driver.c
index bef08d5c44e8..071b9ce99420 100644
--- a/tools/usb/usbip/libsrc/usbip_host_driver.c
+++ b/tools/usb/usbip/libsrc/usbip_host_driver.c
@@ -39,13 +39,19 @@ struct udev *udev_context;
 static int32_t read_attr_usbip_status(struct usbip_usb_device *udev)
 {
        char status_attr_path[SYSFS_PATH_MAX];
+        int size;
        int fd;
        int length;
        char status;
        int value = 0;
-        snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status",
+        size = snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status",
-                 udev->path);
+                        udev->path);
+        if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) {
+                err("usbip_status path length %i >= %lu or < 0", size,
+                    (unsigned long)sizeof(status_attr_path));
+                return -1;
+        }
        fd = open(status_attr_path, O_RDONLY);
        if (fd < 0) {
@@ -225,6 +231,7 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd)
 {
        char attr_name[] = "usbip_sockfd";
        char sockfd_attr_path[SYSFS_PATH_MAX];
+        int size;
        char sockfd_buff[30];
        int ret;
@@ -244,10 +251,20 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd)
        }
        /* only the first interface is true */
-        snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s",
+        size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s",
-                 edev->udev.path, attr_name);
+                        edev->udev.path, attr_name);
+        if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) {
+                err("exported device path length %i >= %lu or < 0", size,
+                    (unsigned long)sizeof(sockfd_attr_path));
+                return -1;
+        }
-        snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd);
+        size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd);
+        if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) {
+                err("socket length %i >= %lu or < 0", size,
+                    (unsigned long)sizeof(sockfd_buff));
+                return -1;
+        }
        ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff,
                                    strlen(sockfd_buff));
diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c
index ad9204773533..1274f326242c 100644
--- a/tools/usb/usbip/libsrc/vhci_driver.c
+++ b/tools/usb/usbip/libsrc/vhci_driver.c
@@ -55,12 +55,12 @@ static int parse_status(const char *value)
        while (*c != '\0') {
                int port, status, speed, devid;
-                unsigned long socket;
+                int sockfd;
                char lbusid[SYSFS_BUS_ID_SIZE];
-                ret = sscanf(c, "%d %d %d %x %lx %31s\n",
+                ret = sscanf(c, "%d %d %d %x %u %31s\n",
                                &port, &status, &speed,
-                                &devid, &socket, lbusid);
+                                &devid, &sockfd, lbusid);
                if (ret < 5) {
                        dbg("sscanf failed: %d", ret);
@@ -69,7 +69,7 @@ static int parse_status(const char *value)
                dbg("port %d status %d speed %d devid %x",
                                port, status, speed, devid);
-                dbg("socket %lx lbusid %s", socket, lbusid);
+                dbg("sockfd %u lbusid %s", sockfd, lbusid);
                /* if a device is connected, look at it */
diff --git a/tools/usb/usbip/src/usbip.c b/tools/usb/usbip/src/usbip.c
index d7599d943529..73d8eee8130b 100644
--- a/tools/usb/usbip/src/usbip.c
+++ b/tools/usb/usbip/src/usbip.c
@@ -176,6 +176,8 @@ int main(int argc, char *argv[])
                        break;
                case '?':
                        printf("usbip: invalid option\n");
+                        /* Terminate after printing error */
+                        /* FALLTHRU */
                default:
                        usbip_usage();
                        goto out;
diff --git a/tools/usb/usbip/src/usbip_bind.c b/tools/usb/usbip/src/usbip_bind.c
index fa46141ae68b..e121cfb1746a 100644
--- a/tools/usb/usbip/src/usbip_bind.c
+++ b/tools/usb/usbip/src/usbip_bind.c
@@ -144,6 +144,7 @@ static int bind_device(char *busid)
        int rc;
        struct udev *udev;
        struct udev_device *dev;
+        const char *devpath;
        /* Check whether the device with this bus ID exists. */
        udev = udev_new();
@@ -152,8 +153,16 @@ static int bind_device(char *busid)
                err("device with the specified bus ID does not exist");
                return -1;
        }
+        devpath = udev_device_get_devpath(dev);
        udev_unref(udev);
+        /* If the device is already attached to vhci_hcd - bail out */
+        if (strstr(devpath, USBIP_VHCI_DRV_NAME)) {
+                err("bind loop detected: device: %s is attached to %s\n",
+                    devpath, USBIP_VHCI_DRV_NAME);
+                return -1;
+        }
        rc = unbind_other(busid);
        if (rc == UNBIND_ST_FAILED) {
                err("could not unbind driver from device on busid %s", busid);
diff --git a/tools/usb/usbip/src/usbip_detach.c b/tools/usb/usbip/src/usbip_detach.c
index 9db9d21bb2ec..6a8db858caa5 100644
--- a/tools/usb/usbip/src/usbip_detach.c
+++ b/tools/usb/usbip/src/usbip_detach.c
@@ -43,7 +43,7 @@ void usbip_detach_usage(void)
 static int detach_port(char *port)
 {
-        int ret;
+        int ret = 0;
        uint8_t portnum;
        char path[PATH_MAX+1];
@@ -73,9 +73,12 @@ static int detach_port(char *port)
        }
        ret = usbip_vhci_detach_device(portnum);
-        if (ret < 0)
+        if (ret < 0) {
-                return -1;
+                ret = -1;
+                goto call_driver_close;
+        }
+call_driver_close:
        usbip_vhci_driver_close();
        return ret;
diff --git a/tools/usb/usbip/src/usbip_list.c b/tools/usb/usbip/src/usbip_list.c
index d5ce34a410e7..ac6081c3db82 100644
--- a/tools/usb/usbip/src/usbip_list.c
+++ b/tools/usb/usbip/src/usbip_list.c
@@ -180,6 +180,7 @@ static int list_devices(bool parsable)
        const char *busid;
        char product_name[128];
        int ret = -1;
+        const char *devpath;
        /* Create libudev context. */
        udev = udev_new();
@@ -202,6 +203,14 @@ static int list_devices(bool parsable)
                path = udev_list_entry_get_name(dev_list_entry);
                dev = udev_device_new_from_syspath(udev, path);
+                /* Ignore devices attached to vhci_hcd */
+                devpath = udev_device_get_devpath(dev);
+                if (strstr(devpath, USBIP_VHCI_DRV_NAME)) {
+                        dbg("Skip the device %s already attached to %s\n",
+                            devpath, USBIP_VHCI_DRV_NAME);
+                        continue;
+                }
                /* Get device information. */
                idVendor = udev_device_get_sysattr_value(dev, "idVendor");
                idProduct = udev_device_get_sysattr_value(dev, "idProduct");
diff --git a/tools/usb/usbip/src/usbipd.c b/tools/usb/usbip/src/usbipd.c
index 2a7cd2b8d966..8c5b0faba229 100644
--- a/tools/usb/usbip/src/usbipd.c
+++ b/tools/usb/usbip/src/usbipd.c
@@ -451,7 +451,7 @@ static void set_signal(void)
        sigaction(SIGTERM, &act, NULL);
        sigaction(SIGINT, &act, NULL);
        act.sa_handler = SIG_IGN;
-        sigaction(SIGCLD, &act, NULL);
+        sigaction(SIGCHLD, &act, NULL);
 }
 static const char *pid_file;
diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
index 49001fa84ead..1203829316b2 100644
--- a/virt/kvm/eventfd.c
+++ b/virt/kvm/eventfd.c
@@ -119,8 +119,12 @@ irqfd_shutdown(struct work_struct *work)
 {
        struct kvm_kernel_irqfd *irqfd =
                container_of(work, struct kvm_kernel_irqfd, shutdown);
+        struct kvm *kvm = irqfd->kvm;
        u64 cnt;
+        /* Make sure irqfd has been initalized in assign path. */
+        synchronize_srcu(&kvm->irq_srcu);
        /*
         * Synchronize with the wait-queue and unhook ourselves to prevent
         * further events.
@@ -387,7 +391,6 @@ kvm_irqfd_assign(struct kvm *kvm, struct kvm_irqfd *args)
        idx = srcu_read_lock(&kvm->irq_srcu);
        irqfd_update(kvm, irqfd);
-        srcu_read_unlock(&kvm->irq_srcu, idx);
        list_add_tail(&irqfd->list, &kvm->irqfds.items);
@@ -419,6 +422,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct kvm_irqfd *args)
                                irqfd->consumer.token, ret);
 #endif
+        srcu_read_unlock(&kvm->irq_srcu, idx);
        return 0;
 fail:
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index d080f06fd8d9..b814ae6822b6 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -902,8 +902,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
                /* Check for overlaps */
                r = -EEXIST;
                kvm_for_each_memslot(slot, __kvm_memslots(kvm, as_id)) {
-                        if ((slot->id >= KVM_USER_MEM_SLOTS) ||
+                        if (slot->id == id)
-                            (slot->id == id))
                                continue;
                        if (!((base_gfn + npages <= slot->base_gfn) ||
                              (base_gfn >= slot->base_gfn + slot->npages)))
author	David Huang	2018-08-21 05:01:29 -0500
committer	David Huang	2018-08-21 05:01:29 -0500
commit	c4efa79993284d3b96ac49bccd84a9e9f113c755 (patch)
tree	9346c8d62b4fe85810fa4876dc66c45b818c733f
parent	5761aab0d699493c2eb9907e3b249d29407cba17 (diff)
parent	09a53c9ff85affd1c6fbe66734e0d3e839dcb1c3 (diff)
download	psdkla-kernel-p-ti-lsk-linux-4.4.y.tar.gz psdkla-kernel-p-ti-lsk-linux-4.4.y.tar.xz psdkla-kernel-p-ti-lsk-linux-4.4.y.zip