summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Pagano <mpagano@gentoo.org>2016-12-18 15:59:19 -0500
committerMike Pagano <mpagano@gentoo.org>2016-12-18 15:59:19 -0500
commiteaef47e8b89daedd16983012997986b33004186d (patch)
treec81ed7ba396db08f7e6e22c8251fb9556818675d
parentFix race condition in packet_set_ring. CVE-2016-8655. Bug #601926. (diff)
downloadlinux-patches-eaef47e8b89daedd16983012997986b33004186d.tar.gz
linux-patches-eaef47e8b89daedd16983012997986b33004186d.tar.bz2
linux-patches-eaef47e8b89daedd16983012997986b33004186d.zip
Linux patch 3.12.693.12-67
-rw-r--r--0000_README4
-rw-r--r--1068_linux-3.12.69.patch1536
2 files changed, 1540 insertions, 0 deletions
diff --git a/0000_README b/0000_README
index 866b1222..bb6a8f9d 100644
--- a/0000_README
+++ b/0000_README
@@ -310,6 +310,10 @@ Patch: 1066_linux-3.12.67.patch
From: http://www.kernel.org
Desc: Linux 3.12.67
+Patch: 1066_linux-3.12.68.patch
+From: http://www.kernel.org
+Desc: Linux 3.12.68
+
Patch: 1067_linux-3.12.68.patch
From: http://www.kernel.org
Desc: Linux 3.12.68
diff --git a/1068_linux-3.12.69.patch b/1068_linux-3.12.69.patch
new file mode 100644
index 00000000..504780fe
--- /dev/null
+++ b/1068_linux-3.12.69.patch
@@ -0,0 +1,1536 @@
+diff --git a/Makefile b/Makefile
+index 6d86f39be8ce..f355c0e24cd6 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 12
+-SUBLEVEL = 68
++SUBLEVEL = 69
+ EXTRAVERSION =
+ NAME = One Giant Leap for Frogkind
+
+diff --git a/arch/sparc/kernel/signal_32.c b/arch/sparc/kernel/signal_32.c
+index e751dbc527e2..7e9dfc4fcc23 100644
+--- a/arch/sparc/kernel/signal_32.c
++++ b/arch/sparc/kernel/signal_32.c
+@@ -88,7 +88,7 @@ asmlinkage void do_sigreturn(struct pt_regs *regs)
+ sf = (struct signal_frame __user *) regs->u_regs[UREG_FP];
+
+ /* 1. Make sure we are not getting garbage from the user */
+- if (!invalid_frame_pointer(sf, sizeof(*sf)))
++ if (invalid_frame_pointer(sf, sizeof(*sf)))
+ goto segv_and_exit;
+
+ if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP]))
+@@ -149,7 +149,7 @@ asmlinkage void do_rt_sigreturn(struct pt_regs *regs)
+
+ synchronize_user_stack();
+ sf = (struct rt_signal_frame __user *) regs->u_regs[UREG_FP];
+- if (!invalid_frame_pointer(sf, sizeof(*sf)))
++ if (invalid_frame_pointer(sf, sizeof(*sf)))
+ goto segv;
+
+ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
+diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
+index 4650a3840305..a648a8e66f0d 100644
+--- a/arch/sparc/mm/init_64.c
++++ b/arch/sparc/mm/init_64.c
+@@ -807,8 +807,10 @@ struct mdesc_mblock {
+ };
+ static struct mdesc_mblock *mblocks;
+ static int num_mblocks;
++static int find_numa_node_for_addr(unsigned long pa,
++ struct node_mem_mask *pnode_mask);
+
+-static unsigned long ra_to_pa(unsigned long addr)
++static unsigned long __init ra_to_pa(unsigned long addr)
+ {
+ int i;
+
+@@ -824,8 +826,11 @@ static unsigned long ra_to_pa(unsigned long addr)
+ return addr;
+ }
+
+-static int find_node(unsigned long addr)
++static int __init find_node(unsigned long addr)
+ {
++ static bool search_mdesc = true;
++ static struct node_mem_mask last_mem_mask = { ~0UL, ~0UL };
++ static int last_index;
+ int i;
+
+ addr = ra_to_pa(addr);
+@@ -835,13 +840,30 @@ static int find_node(unsigned long addr)
+ if ((addr & p->mask) == p->val)
+ return i;
+ }
+- /* The following condition has been observed on LDOM guests.*/
+- WARN_ONCE(1, "find_node: A physical address doesn't match a NUMA node"
+- " rule. Some physical memory will be owned by node 0.");
+- return 0;
++ /* The following condition has been observed on LDOM guests because
++ * node_masks only contains the best latency mask and value.
++ * LDOM guest's mdesc can contain a single latency group to
++ * cover multiple address range. Print warning message only if the
++ * address cannot be found in node_masks nor mdesc.
++ */
++ if ((search_mdesc) &&
++ ((addr & last_mem_mask.mask) != last_mem_mask.val)) {
++ /* find the available node in the mdesc */
++ last_index = find_numa_node_for_addr(addr, &last_mem_mask);
++ numadbg("find_node: latency group for address 0x%lx is %d\n",
++ addr, last_index);
++ if ((last_index < 0) || (last_index >= num_node_masks)) {
++ /* WARN_ONCE() and use default group 0 */
++ WARN_ONCE(1, "find_node: A physical address doesn't match a NUMA node rule. Some physical memory will be owned by node 0.");
++ search_mdesc = false;
++ last_index = 0;
++ }
++ }
++
++ return last_index;
+ }
+
+-static u64 memblock_nid_range(u64 start, u64 end, int *nid)
++static u64 __init memblock_nid_range(u64 start, u64 end, int *nid)
+ {
+ *nid = find_node(start);
+ start += PAGE_SIZE;
+@@ -1150,6 +1172,41 @@ static struct mdesc_mlgroup * __init find_mlgroup(u64 node)
+ return NULL;
+ }
+
++static int find_numa_node_for_addr(unsigned long pa,
++ struct node_mem_mask *pnode_mask)
++{
++ struct mdesc_handle *md = mdesc_grab();
++ u64 node, arc;
++ int i = 0;
++
++ node = mdesc_node_by_name(md, MDESC_NODE_NULL, "latency-groups");
++ if (node == MDESC_NODE_NULL)
++ goto out;
++
++ mdesc_for_each_node_by_name(md, node, "group") {
++ mdesc_for_each_arc(arc, md, node, MDESC_ARC_TYPE_FWD) {
++ u64 target = mdesc_arc_target(md, arc);
++ struct mdesc_mlgroup *m = find_mlgroup(target);
++
++ if (!m)
++ continue;
++ if ((pa & m->mask) == m->match) {
++ if (pnode_mask) {
++ pnode_mask->mask = m->mask;
++ pnode_mask->val = m->match;
++ }
++ mdesc_release(md);
++ return i;
++ }
++ }
++ i++;
++ }
++
++out:
++ mdesc_release(md);
++ return -1;
++}
++
+ static int __init numa_attach_mlgroup(struct mdesc_handle *md, u64 grp,
+ int index)
+ {
+diff --git a/arch/tile/kernel/time.c b/arch/tile/kernel/time.c
+index 5d10642db63e..1edda6603cd9 100644
+--- a/arch/tile/kernel/time.c
++++ b/arch/tile/kernel/time.c
+@@ -216,8 +216,8 @@ void do_timer_interrupt(struct pt_regs *regs, int fault_num)
+ */
+ unsigned long long sched_clock(void)
+ {
+- return clocksource_cyc2ns(get_cycles(),
+- sched_clock_mult, SCHED_CLOCK_SHIFT);
++ return mult_frac(get_cycles(),
++ sched_clock_mult, 1ULL << SCHED_CLOCK_SHIFT);
+ }
+
+ int setup_profiling_timer(unsigned int multiplier)
+diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
+index 30a2aa3782fa..879e67acf463 100644
+--- a/arch/x86/kernel/head_32.S
++++ b/arch/x86/kernel/head_32.S
+@@ -564,7 +564,7 @@ early_idt_handler_common:
+ movl %eax,%ds
+ movl %eax,%es
+
+- cmpl $(__KERNEL_CS),32(%esp)
++ cmpw $(__KERNEL_CS),32(%esp)
+ jne 10f
+
+ leal 28(%esp),%eax # Pointer to %eip
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index c5db2a43e730..ef486d90f318 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -428,6 +428,7 @@ static int prefer_mwait_c1_over_halt(const struct cpuinfo_x86 *c)
+ static void mwait_idle(void)
+ {
+ if (!current_set_polling_and_test()) {
++ trace_cpu_idle_rcuidle(1, smp_processor_id());
+ if (static_cpu_has(X86_FEATURE_CLFLUSH_MONITOR)) {
+ mb();
+ clflush((void *)&current_thread_info()->flags);
+@@ -439,6 +440,7 @@ static void mwait_idle(void)
+ __sti_mwait(0, 0);
+ else
+ local_irq_enable();
++ trace_cpu_idle_rcuidle(PWR_EVENT_EXIT, smp_processor_id());
+ } else
+ local_irq_enable();
+ __current_clr_polling();
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index cad86cd56f82..77d373211053 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1985,14 +1985,8 @@ static int em_iret(struct x86_emulate_ctxt *ctxt)
+ static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+- unsigned short sel, old_sel;
+- struct desc_struct old_desc, new_desc;
+- const struct x86_emulate_ops *ops = ctxt->ops;
+-
+- /* Assignment of RIP may only fail in 64-bit mode */
+- if (ctxt->mode == X86EMUL_MODE_PROT64)
+- ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
+- VCPU_SREG_CS);
++ unsigned short sel;
++ struct desc_struct new_desc;
+
+ memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
+
+@@ -2001,12 +1995,10 @@ static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
+ return rc;
+
+ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
+- if (rc != X86EMUL_CONTINUE) {
+- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
+- /* assigning eip failed; restore the old cs */
+- ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
+- return rc;
+- }
++ /* Error handling is not implemented. */
++ if (rc != X86EMUL_CONTINUE)
++ return X86EMUL_UNHANDLEABLE;
++
+ return rc;
+ }
+
+@@ -2063,14 +2055,8 @@ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+ unsigned long eip, cs;
+- u16 old_cs;
+ int cpl = ctxt->ops->cpl(ctxt);
+- struct desc_struct old_desc, new_desc;
+- const struct x86_emulate_ops *ops = ctxt->ops;
+-
+- if (ctxt->mode == X86EMUL_MODE_PROT64)
+- ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
+- VCPU_SREG_CS);
++ struct desc_struct new_desc;
+
+ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+@@ -2085,10 +2071,10 @@ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ rc = assign_eip_far(ctxt, eip, new_desc.l);
+- if (rc != X86EMUL_CONTINUE) {
+- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
+- ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
+- }
++ /* Error handling is not implemented. */
++ if (rc != X86EMUL_CONTINUE)
++ return X86EMUL_UNHANDLEABLE;
++
+ return rc;
+ }
+
+diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c
+index d988fff65ee5..ae2e03ea2371 100644
+--- a/drivers/gpu/drm/radeon/atombios_crtc.c
++++ b/drivers/gpu/drm/radeon/atombios_crtc.c
+@@ -277,6 +277,8 @@ void atombios_crtc_dpms(struct drm_crtc *crtc, int mode)
+ atombios_enable_crtc_memreq(crtc, ATOM_ENABLE);
+ atombios_blank_crtc(crtc, ATOM_DISABLE);
+ drm_vblank_post_modeset(dev, radeon_crtc->crtc_id);
++ /* Make sure vblank interrupt is still enabled if needed */
++ radeon_irq_set(rdev);
+ radeon_crtc_load_lut(crtc);
+ break;
+ case DRM_MODE_DPMS_STANDBY:
+diff --git a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
+index bc73021d3596..ae0d7b1cb9aa 100644
+--- a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
++++ b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
+@@ -331,6 +331,8 @@ static void radeon_crtc_dpms(struct drm_crtc *crtc, int mode)
+ WREG32_P(RADEON_CRTC_EXT_CNTL, crtc_ext_cntl, ~(mask | crtc_ext_cntl));
+ }
+ drm_vblank_post_modeset(dev, radeon_crtc->crtc_id);
++ /* Make sure vblank interrupt is still enabled if needed */
++ radeon_irq_set(rdev);
+ radeon_crtc_load_lut(crtc);
+ break;
+ case DRM_MODE_DPMS_STANDBY:
+diff --git a/drivers/i2c/busses/i2c-at91.c b/drivers/i2c/busses/i2c-at91.c
+index e71372f86072..e6f18b241255 100644
+--- a/drivers/i2c/busses/i2c-at91.c
++++ b/drivers/i2c/busses/i2c-at91.c
+@@ -370,19 +370,57 @@ static irqreturn_t atmel_twi_interrupt(int irq, void *dev_id)
+
+ if (!irqstatus)
+ return IRQ_NONE;
+- else if (irqstatus & AT91_TWI_RXRDY)
+- at91_twi_read_next_byte(dev);
+- else if (irqstatus & AT91_TWI_TXRDY)
+- at91_twi_write_next_byte(dev);
+-
+- /* catch error flags */
+- dev->transfer_status |= status;
+
++ /*
++ * When a NACK condition is detected, the I2C controller sets the NACK,
++ * TXCOMP and TXRDY bits all together in the Status Register (SR).
++ *
++ * 1 - Handling NACK errors with CPU write transfer.
++ *
++ * In such case, we should not write the next byte into the Transmit
++ * Holding Register (THR) otherwise the I2C controller would start a new
++ * transfer and the I2C slave is likely to reply by another NACK.
++ *
++ * 2 - Handling NACK errors with DMA write transfer.
++ *
++ * By setting the TXRDY bit in the SR, the I2C controller also triggers
++ * the DMA controller to write the next data into the THR. Then the
++ * result depends on the hardware version of the I2C controller.
++ *
++ * 2a - Without support of the Alternative Command mode.
++ *
++ * This is the worst case: the DMA controller is triggered to write the
++ * next data into the THR, hence starting a new transfer: the I2C slave
++ * is likely to reply by another NACK.
++ * Concurrently, this interrupt handler is likely to be called to manage
++ * the first NACK before the I2C controller detects the second NACK and
++ * sets once again the NACK bit into the SR.
++ * When handling the first NACK, this interrupt handler disables the I2C
++ * controller interruptions, especially the NACK interrupt.
++ * Hence, the NACK bit is pending into the SR. This is why we should
++ * read the SR to clear all pending interrupts at the beginning of
++ * at91_do_twi_transfer() before actually starting a new transfer.
++ *
++ * 2b - With support of the Alternative Command mode.
++ *
++ * When a NACK condition is detected, the I2C controller also locks the
++ * THR (and sets the LOCK bit in the SR): even though the DMA controller
++ * is triggered by the TXRDY bit to write the next data into the THR,
++ * this data actually won't go on the I2C bus hence a second NACK is not
++ * generated.
++ */
+ if (irqstatus & (AT91_TWI_TXCOMP | AT91_TWI_NACK)) {
+ at91_disable_twi_interrupts(dev);
+ complete(&dev->cmd_complete);
++ } else if (irqstatus & AT91_TWI_RXRDY) {
++ at91_twi_read_next_byte(dev);
++ } else if (irqstatus & AT91_TWI_TXRDY) {
++ at91_twi_write_next_byte(dev);
+ }
+
++ /* catch error flags */
++ dev->transfer_status |= status;
++
+ return IRQ_HANDLED;
+ }
+
+@@ -390,6 +428,7 @@ static int at91_do_twi_transfer(struct at91_twi_dev *dev)
+ {
+ int ret;
+ bool has_unre_flag = dev->pdata->has_unre_flag;
++ unsigned sr;
+
+ /*
+ * WARNING: the TXCOMP bit in the Status Register is NOT a clear on
+@@ -425,13 +464,16 @@ static int at91_do_twi_transfer(struct at91_twi_dev *dev)
+ INIT_COMPLETION(dev->cmd_complete);
+ dev->transfer_status = 0;
+
++ /* Clear pending interrupts, such as NACK. */
++ sr = at91_twi_read(dev, AT91_TWI_SR);
++
+ if (!dev->buf_len) {
+ at91_twi_write(dev, AT91_TWI_CR, AT91_TWI_QUICK);
+ at91_twi_write(dev, AT91_TWI_IER, AT91_TWI_TXCOMP);
+ } else if (dev->msg->flags & I2C_M_RD) {
+ unsigned start_flags = AT91_TWI_START;
+
+- if (at91_twi_read(dev, AT91_TWI_SR) & AT91_TWI_RXRDY) {
++ if (sr & AT91_TWI_RXRDY) {
+ dev_err(dev->dev, "RXRDY still set!");
+ at91_twi_read(dev, AT91_TWI_RHR);
+ }
+diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
+index 32d5e40c6863..48b63e849067 100644
+--- a/drivers/mtd/mtd_blkdevs.c
++++ b/drivers/mtd/mtd_blkdevs.c
+@@ -198,8 +198,8 @@ static int blktrans_open(struct block_device *bdev, fmode_t mode)
+ if (!dev)
+ return -ERESTARTSYS; /* FIXME: busy loop! -arnd*/
+
+- mutex_lock(&dev->lock);
+ mutex_lock(&mtd_table_mutex);
++ mutex_lock(&dev->lock);
+
+ if (dev->open)
+ goto unlock;
+@@ -223,8 +223,8 @@ static int blktrans_open(struct block_device *bdev, fmode_t mode)
+
+ unlock:
+ dev->open++;
+- mutex_unlock(&mtd_table_mutex);
+ mutex_unlock(&dev->lock);
++ mutex_unlock(&mtd_table_mutex);
+ blktrans_dev_put(dev);
+ return ret;
+
+@@ -234,8 +234,8 @@ error_release:
+ error_put:
+ module_put(dev->tr->owner);
+ kref_put(&dev->ref, blktrans_dev_release);
+- mutex_unlock(&mtd_table_mutex);
+ mutex_unlock(&dev->lock);
++ mutex_unlock(&mtd_table_mutex);
+ blktrans_dev_put(dev);
+ return ret;
+ }
+@@ -247,8 +247,8 @@ static void blktrans_release(struct gendisk *disk, fmode_t mode)
+ if (!dev)
+ return;
+
+- mutex_lock(&dev->lock);
+ mutex_lock(&mtd_table_mutex);
++ mutex_lock(&dev->lock);
+
+ if (--dev->open)
+ goto unlock;
+@@ -262,8 +262,8 @@ static void blktrans_release(struct gendisk *disk, fmode_t mode)
+ __put_mtd_device(dev->mtd);
+ }
+ unlock:
+- mutex_unlock(&mtd_table_mutex);
+ mutex_unlock(&dev->lock);
++ mutex_unlock(&mtd_table_mutex);
+ blktrans_dev_put(dev);
+ }
+
+diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
+index e09a8c6f8536..798ca7be8c7f 100644
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -5197,6 +5197,19 @@ static SIMPLE_DEV_PM_OPS(sky2_pm_ops, sky2_suspend, sky2_resume);
+
+ static void sky2_shutdown(struct pci_dev *pdev)
+ {
++ struct sky2_hw *hw = pci_get_drvdata(pdev);
++ int port;
++
++ for (port = 0; port < hw->ports; port++) {
++ struct net_device *ndev = hw->dev[port];
++
++ rtnl_lock();
++ if (netif_running(ndev)) {
++ dev_close(ndev);
++ netif_device_detach(ndev);
++ }
++ rtnl_unlock();
++ }
+ sky2_suspend(&pdev->dev);
+ pci_wake_from_d3(pdev, device_may_wakeup(&pdev->dev));
+ pci_set_power_state(pdev, PCI_D3hot);
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 576c3236fa40..98ce4feb9a79 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -67,7 +67,7 @@ static struct cdev macvtap_cdev;
+ static const struct proto_ops macvtap_socket_ops;
+
+ #define TUN_OFFLOADS (NETIF_F_HW_CSUM | NETIF_F_TSO_ECN | NETIF_F_TSO | \
+- NETIF_F_TSO6)
++ NETIF_F_TSO6 | NETIF_F_UFO)
+ #define RX_OFFLOADS (NETIF_F_GRO | NETIF_F_LRO)
+ #define TAP_FEATURES (NETIF_F_GSO | NETIF_F_SG | NETIF_F_FRAGLIST)
+
+@@ -566,8 +566,6 @@ static int macvtap_skb_from_vnet_hdr(struct sk_buff *skb,
+ gso_type = SKB_GSO_TCPV6;
+ break;
+ case VIRTIO_NET_HDR_GSO_UDP:
+- pr_warn_once("macvtap: %s: using disabled UFO feature; please fix this program\n",
+- current->comm);
+ gso_type = SKB_GSO_UDP;
+ if (skb->protocol == htons(ETH_P_IPV6))
+ ipv6_proxy_select_ident(skb);
+@@ -615,6 +613,8 @@ static int macvtap_skb_to_vnet_hdr(const struct sk_buff *skb,
+ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else if (sinfo->gso_type & SKB_GSO_TCPV6)
+ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
++ else if (sinfo->gso_type & SKB_GSO_UDP)
++ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_UDP;
+ else
+ BUG();
+ if (sinfo->gso_type & SKB_GSO_TCP_ECN)
+@@ -962,6 +962,9 @@ static int set_offload(struct macvtap_queue *q, unsigned long arg)
+ if (arg & TUN_F_TSO6)
+ feature_mask |= NETIF_F_TSO6;
+ }
++
++ if (arg & TUN_F_UFO)
++ feature_mask |= NETIF_F_UFO;
+ }
+
+ /* tun/tap driver inverts the usage for TSO offloads, where
+@@ -972,7 +975,7 @@ static int set_offload(struct macvtap_queue *q, unsigned long arg)
+ * When user space turns off TSO, we turn off GSO/LRO so that
+ * user-space will not receive TSO frames.
+ */
+- if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6))
++ if (feature_mask & (NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_UFO))
+ features |= RX_OFFLOADS;
+ else
+ features &= ~RX_OFFLOADS;
+@@ -1073,7 +1076,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
+ case TUNSETOFFLOAD:
+ /* let the user check for future flags */
+ if (arg & ~(TUN_F_CSUM | TUN_F_TSO4 | TUN_F_TSO6 |
+- TUN_F_TSO_ECN))
++ TUN_F_TSO_ECN | TUN_F_UFO))
+ return -EINVAL;
+
+ rtnl_lock();
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 46f9cb21ec56..813750d09680 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -173,7 +173,7 @@ struct tun_struct {
+ struct net_device *dev;
+ netdev_features_t set_features;
+ #define TUN_USER_FEATURES (NETIF_F_HW_CSUM|NETIF_F_TSO_ECN|NETIF_F_TSO| \
+- NETIF_F_TSO6)
++ NETIF_F_TSO6|NETIF_F_UFO)
+
+ int vnet_hdr_sz;
+ int sndbuf;
+@@ -1113,20 +1113,10 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
+ break;
+ case VIRTIO_NET_HDR_GSO_UDP:
+- {
+- static bool warned;
+-
+- if (!warned) {
+- warned = true;
+- netdev_warn(tun->dev,
+- "%s: using disabled UFO feature; please fix this program\n",
+- current->comm);
+- }
+ skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+ if (skb->protocol == htons(ETH_P_IPV6))
+ ipv6_proxy_select_ident(skb);
+ break;
+- }
+ default:
+ tun->dev->stats.rx_frame_errors++;
+ kfree_skb(skb);
+@@ -1230,6 +1220,8 @@ static ssize_t tun_put_user(struct tun_struct *tun,
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else if (sinfo->gso_type & SKB_GSO_TCPV6)
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
++ else if (sinfo->gso_type & SKB_GSO_UDP)
++ gso.gso_type = VIRTIO_NET_HDR_GSO_UDP;
+ else {
+ pr_err("unexpected GSO type: "
+ "0x%x, gso_size %d, hdr_len %d\n",
+@@ -1758,6 +1750,11 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
+ features |= NETIF_F_TSO6;
+ arg &= ~(TUN_F_TSO4|TUN_F_TSO6);
+ }
++
++ if (arg & TUN_F_UFO) {
++ features |= NETIF_F_UFO;
++ arg &= ~TUN_F_UFO;
++ }
+ }
+
+ /* This gives the user a way to test for new features in future by
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 421642af8d06..5d080516d0c5 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -438,17 +438,8 @@ static void receive_buf(struct receive_queue *rq, void *buf, unsigned int len)
+ skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4;
+ break;
+ case VIRTIO_NET_HDR_GSO_UDP:
+- {
+- static bool warned;
+-
+- if (!warned) {
+- warned = true;
+- netdev_warn(dev,
+- "host using disabled UFO feature; please fix it\n");
+- }
+ skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+ break;
+- }
+ case VIRTIO_NET_HDR_GSO_TCPV6:
+ skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
+ break;
+@@ -763,6 +754,8 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
+ hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6)
+ hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
++ else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
++ hdr->hdr.gso_type = VIRTIO_NET_HDR_GSO_UDP;
+ else
+ BUG();
+ if (skb_shinfo(skb)->gso_type & SKB_GSO_TCP_ECN)
+@@ -1579,7 +1572,7 @@ static int virtnet_probe(struct virtio_device *vdev)
+ dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
+
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
+- dev->hw_features |= NETIF_F_TSO
++ dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
+ | NETIF_F_TSO_ECN | NETIF_F_TSO6;
+ }
+ /* Individual feature bits: what can host handle? */
+@@ -1589,9 +1582,11 @@ static int virtnet_probe(struct virtio_device *vdev)
+ dev->hw_features |= NETIF_F_TSO6;
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_ECN))
+ dev->hw_features |= NETIF_F_TSO_ECN;
++ if (virtio_has_feature(vdev, VIRTIO_NET_F_HOST_UFO))
++ dev->hw_features |= NETIF_F_UFO;
+
+ if (gso)
+- dev->features |= dev->hw_features & NETIF_F_ALL_TSO;
++ dev->features |= dev->hw_features & (NETIF_F_ALL_TSO|NETIF_F_UFO);
+ /* (!csum && gso) case will be fixed by register_netdev() */
+ }
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM))
+@@ -1626,7 +1621,8 @@ static int virtnet_probe(struct virtio_device *vdev)
+ /* If we can receive ANY GSO packets, we must allocate large ones. */
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) ||
+ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6) ||
+- virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN))
++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN) ||
++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_UFO))
+ vi->big_packets = true;
+
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_MRG_RXBUF))
+@@ -1812,9 +1808,9 @@ static struct virtio_device_id id_table[] = {
+ static unsigned int features[] = {
+ VIRTIO_NET_F_CSUM, VIRTIO_NET_F_GUEST_CSUM,
+ VIRTIO_NET_F_GSO, VIRTIO_NET_F_MAC,
+- VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_TSO6,
++ VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_UFO, VIRTIO_NET_F_HOST_TSO6,
+ VIRTIO_NET_F_HOST_ECN, VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6,
+- VIRTIO_NET_F_GUEST_ECN,
++ VIRTIO_NET_F_GUEST_ECN, VIRTIO_NET_F_GUEST_UFO,
+ VIRTIO_NET_F_MRG_RXBUF, VIRTIO_NET_F_STATUS, VIRTIO_NET_F_CTRL_VQ,
+ VIRTIO_NET_F_CTRL_RX, VIRTIO_NET_F_CTRL_VLAN,
+ VIRTIO_NET_F_GUEST_ANNOUNCE, VIRTIO_NET_F_MQ,
+diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
+index fbad00a5abc8..a664ec1f3b93 100644
+--- a/drivers/net/wireless/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/mwifiex/cfg80211.c
+@@ -1693,8 +1693,9 @@ done:
+ is_scanning_required = 1;
+ } else {
+ dev_dbg(priv->adapter->dev,
+- "info: trying to associate to '%s' bssid %pM\n",
+- (char *) req_ssid.ssid, bss->bssid);
++ "info: trying to associate to '%.*s' bssid %pM\n",
++ req_ssid.ssid_len, (char *)req_ssid.ssid,
++ bss->bssid);
+ memcpy(&priv->cfg_bssid, bss->bssid, ETH_ALEN);
+ break;
+ }
+@@ -1735,8 +1736,8 @@ mwifiex_cfg80211_connect(struct wiphy *wiphy, struct net_device *dev,
+ return -EINVAL;
+ }
+
+- wiphy_dbg(wiphy, "info: Trying to associate to %s and bssid %pM\n",
+- (char *) sme->ssid, sme->bssid);
++ wiphy_dbg(wiphy, "info: Trying to associate to %.*s and bssid %pM\n",
++ (int)sme->ssid_len, (char *)sme->ssid, sme->bssid);
+
+ ret = mwifiex_cfg80211_assoc(priv, sme->ssid_len, sme->ssid, sme->bssid,
+ priv->bss_mode, sme->channel, sme, 0);
+@@ -1859,8 +1860,8 @@ mwifiex_cfg80211_join_ibss(struct wiphy *wiphy, struct net_device *dev,
+ goto done;
+ }
+
+- wiphy_dbg(wiphy, "info: trying to join to %s and bssid %pM\n",
+- (char *) params->ssid, params->bssid);
++ wiphy_dbg(wiphy, "info: trying to join to %.*s and bssid %pM\n",
++ params->ssid_len, (char *)params->ssid, params->bssid);
+
+ mwifiex_set_ibss_params(priv, params);
+
+diff --git a/drivers/pci/access.c b/drivers/pci/access.c
+index 6bc9b12ba42a..da26bc899d5f 100644
+--- a/drivers/pci/access.c
++++ b/drivers/pci/access.c
+@@ -362,7 +362,8 @@ static const struct pci_vpd_ops pci_vpd_pci22_ops = {
+ static ssize_t pci_vpd_f0_read(struct pci_dev *dev, loff_t pos, size_t count,
+ void *arg)
+ {
+- struct pci_dev *tdev = pci_get_slot(dev->bus, PCI_SLOT(dev->devfn));
++ struct pci_dev *tdev = pci_get_slot(dev->bus,
++ PCI_DEVFN(PCI_SLOT(dev->devfn), 0));
+ ssize_t ret;
+
+ if (!tdev)
+@@ -376,7 +377,8 @@ static ssize_t pci_vpd_f0_read(struct pci_dev *dev, loff_t pos, size_t count,
+ static ssize_t pci_vpd_f0_write(struct pci_dev *dev, loff_t pos, size_t count,
+ const void *arg)
+ {
+- struct pci_dev *tdev = pci_get_slot(dev->bus, PCI_SLOT(dev->devfn));
++ struct pci_dev *tdev = pci_get_slot(dev->bus,
++ PCI_DEVFN(PCI_SLOT(dev->devfn), 0));
+ ssize_t ret;
+
+ if (!tdev)
+@@ -393,22 +395,6 @@ static const struct pci_vpd_ops pci_vpd_f0_ops = {
+ .release = pci_vpd_pci22_release,
+ };
+
+-static int pci_vpd_f0_dev_check(struct pci_dev *dev)
+-{
+- struct pci_dev *tdev = pci_get_slot(dev->bus, PCI_SLOT(dev->devfn));
+- int ret = 0;
+-
+- if (!tdev)
+- return -ENODEV;
+- if (!tdev->vpd || !tdev->multifunction ||
+- dev->class != tdev->class || dev->vendor != tdev->vendor ||
+- dev->device != tdev->device)
+- ret = -ENODEV;
+-
+- pci_dev_put(tdev);
+- return ret;
+-}
+-
+ int pci_vpd_pci22_init(struct pci_dev *dev)
+ {
+ struct pci_vpd_pci22 *vpd;
+@@ -417,12 +403,7 @@ int pci_vpd_pci22_init(struct pci_dev *dev)
+ cap = pci_find_capability(dev, PCI_CAP_ID_VPD);
+ if (!cap)
+ return -ENODEV;
+- if (dev->dev_flags & PCI_DEV_FLAGS_VPD_REF_F0) {
+- int ret = pci_vpd_f0_dev_check(dev);
+
+- if (ret)
+- return ret;
+- }
+ vpd = kzalloc(sizeof(*vpd), GFP_ATOMIC);
+ if (!vpd)
+ return -ENOMEM;
+diff --git a/drivers/pci/pcie/aer/aer_inject.c b/drivers/pci/pcie/aer/aer_inject.c
+index 587e7e853107..3b507a512487 100644
+--- a/drivers/pci/pcie/aer/aer_inject.c
++++ b/drivers/pci/pcie/aer/aer_inject.c
+@@ -283,20 +283,6 @@ out:
+ return 0;
+ }
+
+-static struct pci_dev *pcie_find_root_port(struct pci_dev *dev)
+-{
+- while (1) {
+- if (!pci_is_pcie(dev))
+- break;
+- if (pci_pcie_type(dev) == PCI_EXP_TYPE_ROOT_PORT)
+- return dev;
+- if (!dev->bus->self)
+- break;
+- dev = dev->bus->self;
+- }
+- return NULL;
+-}
+-
+ static int find_aer_device_iter(struct device *device, void *data)
+ {
+ struct pcie_device **result = data;
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index cb245bd510a2..b1f5f51b0196 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -1894,11 +1894,27 @@ static void quirk_netmos(struct pci_dev *dev)
+ DECLARE_PCI_FIXUP_CLASS_HEADER(PCI_VENDOR_ID_NETMOS, PCI_ANY_ID,
+ PCI_CLASS_COMMUNICATION_SERIAL, 8, quirk_netmos);
+
++/*
++ * Quirk non-zero PCI functions to route VPD access through function 0 for
++ * devices that share VPD resources between functions. The functions are
++ * expected to be identical devices.
++ */
+ static void quirk_f0_vpd_link(struct pci_dev *dev)
+ {
+- if (!dev->multifunction || !PCI_FUNC(dev->devfn))
++ struct pci_dev *f0;
++
++ if (!PCI_FUNC(dev->devfn))
+ return;
+- dev->dev_flags |= PCI_DEV_FLAGS_VPD_REF_F0;
++
++ f0 = pci_get_slot(dev->bus, PCI_DEVFN(PCI_SLOT(dev->devfn), 0));
++ if (!f0)
++ return;
++
++ if (f0->vpd && dev->class == f0->class &&
++ dev->vendor == f0->vendor && dev->device == f0->device)
++ dev->dev_flags |= PCI_DEV_FLAGS_VPD_REF_F0;
++
++ pci_dev_put(f0);
+ }
+ DECLARE_PCI_FIXUP_CLASS_EARLY(PCI_VENDOR_ID_INTEL, PCI_ANY_ID,
+ PCI_CLASS_NETWORK_ETHERNET, 8, quirk_f0_vpd_link);
+diff --git a/drivers/pwm/sysfs.c b/drivers/pwm/sysfs.c
+index 809b5ab9074c..60d74a666c62 100644
+--- a/drivers/pwm/sysfs.c
++++ b/drivers/pwm/sysfs.c
+@@ -364,6 +364,8 @@ void pwmchip_sysfs_unexport_children(struct pwm_chip *chip)
+ if (test_bit(PWMF_EXPORTED, &pwm->flags))
+ pwm_unexport_child(parent, pwm);
+ }
++
++ put_device(parent);
+ }
+
+ static int __init pwm_sysfs_init(void)
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index a961fe11b527..ae1db5499ca6 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -3516,6 +3516,10 @@ _scsih_eedp_error_handling(struct scsi_cmnd *scmd, u16 ioc_status)
+ SAM_STAT_CHECK_CONDITION;
+ }
+
++static inline bool ata_12_16_cmd(struct scsi_cmnd *scmd)
++{
++ return (scmd->cmnd[0] == ATA_12 || scmd->cmnd[0] == ATA_16);
++}
+
+ /**
+ * _scsih_qcmd_lck - main scsi request entry point
+@@ -3544,6 +3548,13 @@ _scsih_qcmd_lck(struct scsi_cmnd *scmd, void (*done)(struct scsi_cmnd *))
+ scsi_print_command(scmd);
+ #endif
+
++ /*
++ * Lock the device for any subsequent command until command is
++ * done.
++ */
++ if (ata_12_16_cmd(scmd))
++ scsi_internal_device_block(scmd->device);
++
+ scmd->scsi_done = done;
+ sas_device_priv_data = scmd->device->hostdata;
+ if (!sas_device_priv_data || !sas_device_priv_data->sas_target) {
+@@ -4047,6 +4058,9 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply)
+ if (scmd == NULL)
+ return 1;
+
++ if (ata_12_16_cmd(scmd))
++ scsi_internal_device_unblock(scmd->device, SDEV_RUNNING);
++
+ mpi_request = mpt3sas_base_get_msg_frame(ioc, smid);
+
+ if (mpi_reply == NULL) {
+diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
+index d93ceeabed27..02f14e3ed220 100644
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -192,7 +192,7 @@ static inline int tty_copy_to_user(struct tty_struct *tty,
+ {
+ struct n_tty_data *ldata = tty->disc_data;
+
+- tty_audit_add_data(tty, to, n, ldata->icanon);
++ tty_audit_add_data(tty, from, n, ldata->icanon);
+ return copy_to_user(to, from, n);
+ }
+
+diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
+index a4fdce74f883..3a5ddc1bf1fa 100644
+--- a/drivers/tty/tty_audit.c
++++ b/drivers/tty/tty_audit.c
+@@ -264,7 +264,7 @@ static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty,
+ *
+ * Audit @data of @size from @tty, if necessary.
+ */
+-void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
++void tty_audit_add_data(struct tty_struct *tty, const void *data,
+ size_t size, unsigned icanon)
+ {
+ struct tty_audit_buf *buf;
+diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
+index 7e8dceb4c634..f7ef78abce4b 100644
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -491,6 +491,7 @@ static int ci_hdrc_probe(struct platform_device *pdev)
+ return -ENOMEM;
+ }
+
++ spin_lock_init(&ci->lock);
+ ci->dev = dev;
+ ci->platdata = dev->platform_data;
+ if (ci->platdata->phy)
+diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
+index 455e4e6b9926..837b39975bc2 100644
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1777,8 +1777,6 @@ static int udc_start(struct ci_hdrc *ci)
+ struct device *dev = ci->dev;
+ int retval = 0;
+
+- spin_lock_init(&ci->lock);
+-
+ ci->gadget.ops = &usb_gadget_ops;
+ ci->gadget.speed = USB_SPEED_UNKNOWN;
+ ci->gadget.max_speed = USB_SPEED_HIGH;
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index 188e50446514..8b3e77716c4a 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -130,6 +130,7 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
+ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
+ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
++ { USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */
+ { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
+ { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
+ { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 62ec56e379a0..d1b76b0a67df 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1026,6 +1026,8 @@ static struct usb_device_id id_table_combined [] = {
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+ { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
++ { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { } /* Terminating entry */
+ };
+
+diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
+index db1a9b3a5f38..7b2f2056b7ef 100644
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -596,6 +596,12 @@
+ #define STK541_PID 0x2109 /* Zigbee Controller */
+
+ /*
++ * Texas Instruments
++ */
++#define TI_VID 0x0451
++#define TI_CC3200_LAUNCHPAD_PID 0xC32A /* SimpleLink Wi-Fi CC3200 LaunchPad */
++
++/*
+ * Blackfin gnICE JTAG
+ * http://docs.blackfin.uclinux.org/doku.php?id=hw:jtag:gnice
+ */
+diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c
+index b1d815eb6d0b..8988b268a69a 100644
+--- a/drivers/usb/storage/transport.c
++++ b/drivers/usb/storage/transport.c
+@@ -919,10 +919,15 @@ int usb_stor_CB_transport(struct scsi_cmnd *srb, struct us_data *us)
+
+ /* COMMAND STAGE */
+ /* let's send the command via the control pipe */
++ /*
++ * Command is sometime (f.e. after scsi_eh_prep_cmnd) on the stack.
++ * Stack may be vmallocated. So no DMA for us. Make a copy.
++ */
++ memcpy(us->iobuf, srb->cmnd, srb->cmd_len);
+ result = usb_stor_ctrl_transfer(us, us->send_ctrl_pipe,
+ US_CBI_ADSC,
+ USB_TYPE_CLASS | USB_RECIP_INTERFACE, 0,
+- us->ifnum, srb->cmnd, srb->cmd_len);
++ us->ifnum, us->iobuf, srb->cmd_len);
+
+ /* check the return code for the command */
+ usb_stor_dbg(us, "Call to usb_stor_ctrl_transfer() returned %d\n",
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 81562314df8c..00bc7bb96072 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1787,6 +1787,20 @@ static inline int pci_pcie_type(const struct pci_dev *dev)
+ return (pcie_caps_reg(dev) & PCI_EXP_FLAGS_TYPE) >> 4;
+ }
+
++static inline struct pci_dev *pcie_find_root_port(struct pci_dev *dev)
++{
++ while (1) {
++ if (!pci_is_pcie(dev))
++ break;
++ if (pci_pcie_type(dev) == PCI_EXP_TYPE_ROOT_PORT)
++ return dev;
++ if (!dev->bus->self)
++ break;
++ dev = dev->bus->self;
++ }
++ return NULL;
++}
++
+ void pci_request_acs(void);
+ bool pci_acs_enabled(struct pci_dev *pdev, u16 acs_flags);
+ bool pci_acs_path_enabled(struct pci_dev *start,
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index 96c23247a332..31cf8965ace8 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -578,7 +578,7 @@ extern void n_tty_inherit_ops(struct tty_ldisc_ops *ops);
+
+ /* tty_audit.c */
+ #ifdef CONFIG_AUDIT
+-extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
++extern void tty_audit_add_data(struct tty_struct *tty, const void *data,
+ size_t size, unsigned icanon);
+ extern void tty_audit_exit(void);
+ extern void tty_audit_fork(struct signal_struct *sig);
+@@ -586,8 +586,8 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
+ extern void tty_audit_push(struct tty_struct *tty);
+ extern int tty_audit_push_current(void);
+ #else
+-static inline void tty_audit_add_data(struct tty_struct *tty,
+- unsigned char *data, size_t size, unsigned icanon)
++static inline void tty_audit_add_data(struct tty_struct *tty, const void *data,
++ size_t size, unsigned icanon)
+ {
+ }
+ static inline void tty_audit_tiocsti(struct tty_struct *tty, char ch)
+diff --git a/kernel/panic.c b/kernel/panic.c
+index de5924c75b1b..639255d5e5e1 100644
+--- a/kernel/panic.c
++++ b/kernel/panic.c
+@@ -138,8 +138,11 @@ void panic(const char *fmt, ...)
+ * We may have ended up stopping the CPU holding the lock (in
+ * smp_send_stop()) while still having some valuable data in the console
+ * buffer. Try to acquire the lock then release it regardless of the
+- * result. The release will also print the buffers out.
++ * result. The release will also print the buffers out. Locks debug
++ * should be disabled to avoid reporting bad unlock balance when
++ * panic() is not being callled from OOPS.
+ */
++ debug_locks_off();
+ console_flush_on_panic();
+
+ if (!panic_blink)
+diff --git a/kernel/rcutree_plugin.h b/kernel/rcutree_plugin.h
+index 511e6b47c594..a55fec567108 100644
+--- a/kernel/rcutree_plugin.h
++++ b/kernel/rcutree_plugin.h
+@@ -2274,6 +2274,7 @@ static int rcu_nocb_kthread(void *arg)
+ cl++;
+ c++;
+ local_bh_enable();
++ cond_resched();
+ list = next;
+ }
+ trace_rcu_batch_end(rdp->rsp->name, c, !!list, 0, 0, 1);
+diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c
+index 5464c8744ea9..e24388a863a7 100644
+--- a/lib/mpi/mpi-pow.c
++++ b/lib/mpi/mpi-pow.c
+@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
+ if (!esize) {
+ /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
+ * depending on if MOD equals 1. */
+- rp[0] = 1;
+ res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
++ if (res->nlimbs) {
++ if (mpi_resize(res, 1) < 0)
++ goto enomem;
++ rp = res->d;
++ rp[0] = 1;
++ }
+ res->sign = 0;
+ goto leave;
+ }
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 73c6093e136a..7fa427ed41bc 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -728,7 +728,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ val = min_t(u32, val, sysctl_wmem_max);
+ set_sndbuf:
+ sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
+- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
++ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
+ /* Wake up sending tasks if we upped the value. */
+ sk->sk_write_space(sk);
+ break;
+@@ -764,7 +764,7 @@ set_rcvbuf:
+ * returning the value we actually used in getsockopt
+ * is the most desirable behavior.
+ */
+- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
++ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
+ break;
+
+ case SO_RCVBUFFORCE:
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index 294c642fbebb..4332b7c25af0 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -742,6 +742,7 @@ int dccp_invalid_packet(struct sk_buff *skb)
+ {
+ const struct dccp_hdr *dh;
+ unsigned int cscov;
++ u8 dccph_doff;
+
+ if (skb->pkt_type != PACKET_HOST)
+ return 1;
+@@ -763,18 +764,19 @@ int dccp_invalid_packet(struct sk_buff *skb)
+ /*
+ * If P.Data Offset is too small for packet type, drop packet and return
+ */
+- if (dh->dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
+- DCCP_WARN("P.Data Offset(%u) too small\n", dh->dccph_doff);
++ dccph_doff = dh->dccph_doff;
++ if (dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
++ DCCP_WARN("P.Data Offset(%u) too small\n", dccph_doff);
+ return 1;
+ }
+ /*
+ * If P.Data Offset is too too large for packet, drop packet and return
+ */
+- if (!pskb_may_pull(skb, dh->dccph_doff * sizeof(u32))) {
+- DCCP_WARN("P.Data Offset(%u) too large\n", dh->dccph_doff);
++ if (!pskb_may_pull(skb, dccph_doff * sizeof(u32))) {
++ DCCP_WARN("P.Data Offset(%u) too large\n", dccph_doff);
+ return 1;
+ }
+-
++ dh = dccp_hdr(skb);
+ /*
+ * If P.type is not Data, Ack, or DataAck and P.X == 0 (the packet
+ * has short sequence numbers), drop packet and return
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index b4cdc79a7fc8..e6353e25cf03 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -97,6 +97,9 @@ int __ip_local_out(struct sk_buff *skb)
+
+ iph->tot_len = htons(skb->len);
+ ip_send_check(iph);
++
++ skb->protocol = htons(ETH_P_IP);
++
+ return nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL,
+ skb_dst(skb)->dev, dst_output);
+ }
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 716dff49d0b9..6de66893a488 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -655,6 +655,10 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
+ if (len > 0xFFFF)
+ return -EMSGSIZE;
+
++ /* Must have at least a full ICMP header. */
++ if (len < icmph_len)
++ return -EINVAL;
++
+ /*
+ * Check the flags.
+ */
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index cfdb663e0259..9a625b1ae10f 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -950,12 +950,21 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
+ struct ipv6_tel_txoption opt;
+ struct dst_entry *dst = NULL, *ndst = NULL;
+ struct net_device *tdev;
++ bool use_cache = false;
+ int mtu;
+ unsigned int max_headroom = sizeof(struct ipv6hdr);
+ u8 proto;
+ int err = -1;
+
+- if (!fl6->flowi6_mark)
++ if (!(t->parms.flags &
++ (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
++ /* enable the cache only only if the routing decision does
++ * not depend on the current inner header value
++ */
++ use_cache = true;
++ }
++
++ if (use_cache)
+ dst = ip6_tnl_dst_check(t);
+ if (!dst) {
+ ndst = ip6_route_output(net, NULL, fl6);
+@@ -1013,7 +1022,7 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
+ consume_skb(skb);
+ skb = new_skb;
+ }
+- if (fl6->flowi6_mark) {
++ if (!use_cache) {
+ skb_dst_set(skb, dst);
+ ndst = NULL;
+ } else {
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index 4bd870af05d6..ab40997a1c2a 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -117,6 +117,8 @@ int __ip6_local_out(struct sk_buff *skb)
+ len = 0;
+ ipv6_hdr(skb)->payload_len = htons(len);
+
++ skb->protocol = htons(ETH_P_IPV6);
++
+ return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
+ skb_dst(skb)->dev, dst_output);
+ }
+diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
+index 07f8b97f9ae9..81f317f841b4 100644
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -251,8 +251,6 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ int ret;
+ int chk_addr_ret;
+
+- if (!sock_flag(sk, SOCK_ZAPPED))
+- return -EINVAL;
+ if (addr_len < sizeof(struct sockaddr_l2tpip))
+ return -EINVAL;
+ if (addr->l2tp_family != AF_INET)
+@@ -267,6 +265,9 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ read_unlock_bh(&l2tp_ip_lock);
+
+ lock_sock(sk);
++ if (!sock_flag(sk, SOCK_ZAPPED))
++ goto out;
++
+ if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_l2tpip))
+ goto out;
+
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index eadfb3031ed2..7c1a288f0b20 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -266,8 +266,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ int addr_type;
+ int err;
+
+- if (!sock_flag(sk, SOCK_ZAPPED))
+- return -EINVAL;
+ if (addr->l2tp_family != AF_INET6)
+ return -EINVAL;
+ if (addr_len < sizeof(*addr))
+@@ -293,6 +291,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ lock_sock(sk);
+
+ err = -EINVAL;
++ if (!sock_flag(sk, SOCK_ZAPPED))
++ goto out_unlock;
++
+ if (sk->sk_state != TCP_CLOSE)
+ goto out_unlock;
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 3f9804b2802a..40d82575adc1 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3115,19 +3115,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+ switch (val) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+ case TPACKET_V3:
+- po->tp_version = val;
+- return 0;
++ break;
+ default:
+ return -EINVAL;
+ }
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_version = val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_RESERVE:
+ {
+@@ -3584,6 +3590,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ /* Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
++ lock_sock(sk);
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ WARN(1, "Tx-ring is not supported.\n");
+@@ -3665,7 +3672,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ goto out;
+ }
+
+- lock_sock(sk);
+
+ /* Detach socket from network */
+ spin_lock(&po->bind_lock);
+@@ -3714,11 +3720,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ if (!tx_ring)
+ prb_shutdown_retire_blk_timer(po, tx_ring, rb_queue);
+ }
+- release_sock(sk);
+
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
++ release_sock(sk);
+ return err;
+ }
+
+diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
+index 7ed78c9e505c..3f385130e9c0 100644
+--- a/net/sched/act_pedit.c
++++ b/net/sched/act_pedit.c
+@@ -124,6 +124,17 @@ static int tcf_pedit_cleanup(struct tc_action *a, int bind)
+ return 0;
+ }
+
++static bool offset_valid(struct sk_buff *skb, int offset)
++{
++ if (offset > 0 && offset > skb->len)
++ return false;
++
++ if (offset < 0 && -offset > skb_headroom(skb))
++ return false;
++
++ return true;
++}
++
+ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
+ struct tcf_result *res)
+ {
+@@ -150,6 +161,11 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
+ if (tkey->offmask) {
+ char *d, _d;
+
++ if (!offset_valid(skb, off + tkey->at)) {
++ pr_info("tc filter pedit 'at' offset %d out of bounds\n",
++ off + tkey->at);
++ goto bad;
++ }
+ d = skb_header_pointer(skb, off + tkey->at, 1,
+ &_d);
+ if (!d)
+@@ -162,10 +178,10 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
+ " offset must be on 32 bit boundaries\n");
+ goto bad;
+ }
+- if (offset > 0 && offset > skb->len) {
+- pr_info("tc filter pedit"
+- " offset %d can't exceed pkt length %d\n",
+- offset, skb->len);
++
++ if (!offset_valid(skb, off + offset)) {
++ pr_info("tc filter pedit offset %d out of bounds\n",
++ offset);
+ goto bad;
+ }
+
+diff --git a/net/wireless/core.h b/net/wireless/core.h
+index 3159e9c284c5..93917ffe1061 100644
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -61,6 +61,7 @@ struct cfg80211_registered_device {
+ struct list_head bss_list;
+ struct rb_root bss_tree;
+ u32 bss_generation;
++ u32 bss_entries;
+ struct cfg80211_scan_request *scan_req; /* protected by RTNL */
+ struct cfg80211_sched_scan_request *sched_scan_req;
+ unsigned long suspend_at;
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index d4397eba5408..8e5f5a706c95 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -55,6 +55,19 @@
+ * also linked into the probe response struct.
+ */
+
++/*
++ * Limit the number of BSS entries stored in mac80211. Each one is
++ * a bit over 4k at most, so this limits to roughly 4-5M of memory.
++ * If somebody wants to really attack this though, they'd likely
++ * use small beacons, and only one type of frame, limiting each of
++ * the entries to a much smaller size (in order to generate more
++ * entries in total, so overhead is bigger.)
++ */
++static int bss_entries_limit = 1000;
++module_param(bss_entries_limit, int, 0644);
++MODULE_PARM_DESC(bss_entries_limit,
++ "limit to number of scan BSS entries (per wiphy, default 1000)");
++
+ #define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ)
+
+ static void bss_free(struct cfg80211_internal_bss *bss)
+@@ -135,6 +148,10 @@ static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *dev,
+
+ list_del_init(&bss->list);
+ rb_erase(&bss->rbn, &dev->bss_tree);
++ dev->bss_entries--;
++ WARN_ONCE((dev->bss_entries == 0) ^ list_empty(&dev->bss_list),
++ "rdev bss entries[%d]/list[empty:%d] corruption\n",
++ dev->bss_entries, list_empty(&dev->bss_list));
+ bss_ref_put(dev, bss);
+ return true;
+ }
+@@ -339,6 +356,40 @@ void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
+ __cfg80211_bss_expire(dev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE);
+ }
+
++static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev)
++{
++ struct cfg80211_internal_bss *bss, *oldest = NULL;
++ bool ret;
++
++ lockdep_assert_held(&rdev->bss_lock);
++
++ list_for_each_entry(bss, &rdev->bss_list, list) {
++ if (atomic_read(&bss->hold))
++ continue;
++
++ if (!list_empty(&bss->hidden_list) &&
++ !bss->pub.hidden_beacon_bss)
++ continue;
++
++ if (oldest && time_before(oldest->ts, bss->ts))
++ continue;
++ oldest = bss;
++ }
++
++ if (WARN_ON(!oldest))
++ return false;
++
++ /*
++ * The callers make sure to increase rdev->bss_generation if anything
++ * gets removed (and a new entry added), so there's no need to also do
++ * it here.
++ */
++
++ ret = __cfg80211_unlink_bss(rdev, oldest);
++ WARN_ON(!ret);
++ return ret;
++}
++
+ const u8 *cfg80211_find_ie(u8 eid, const u8 *ies, int len)
+ {
+ while (len > 2 && ies[0] != eid) {
+@@ -620,6 +671,7 @@ static bool cfg80211_combine_bsses(struct cfg80211_registered_device *dev,
+ const u8 *ie;
+ int i, ssidlen;
+ u8 fold = 0;
++ u32 n_entries = 0;
+
+ ies = rcu_access_pointer(new->pub.beacon_ies);
+ if (WARN_ON(!ies))
+@@ -643,6 +695,12 @@ static bool cfg80211_combine_bsses(struct cfg80211_registered_device *dev,
+ /* This is the bad part ... */
+
+ list_for_each_entry(bss, &dev->bss_list, list) {
++ /*
++ * we're iterating all the entries anyway, so take the
++ * opportunity to validate the list length accounting
++ */
++ n_entries++;
++
+ if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid))
+ continue;
+ if (bss->pub.channel != new->pub.channel)
+@@ -674,6 +732,10 @@ static bool cfg80211_combine_bsses(struct cfg80211_registered_device *dev,
+ new->pub.beacon_ies);
+ }
+
++ WARN_ONCE(n_entries != dev->bss_entries,
++ "rdev bss entries[%d]/list[len:%d] corruption\n",
++ dev->bss_entries, n_entries);
++
+ return true;
+ }
+
+@@ -819,7 +881,14 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
+ }
+ }
+
++ if (dev->bss_entries >= bss_entries_limit &&
++ !cfg80211_bss_expire_oldest(dev)) {
++ kfree(new);
++ goto drop;
++ }
++
+ list_add_tail(&new->list, &dev->bss_list);
++ dev->bss_entries++;
+ rb_insert_bss(dev, new);
+ found = new;
+ }
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index 26c607c971f5..0c23888b9816 100644
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -629,8 +629,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
+ /* released below */
+ cred = get_current_cred();
+ cxt = cred_cxt(cred);
+- profile = aa_cred_profile(cred);
+- previous_profile = cxt->previous;
++ profile = aa_get_newest_profile(aa_cred_profile(cred));
++ previous_profile = aa_get_newest_profile(cxt->previous);
+
+ if (unconfined(profile)) {
+ info = "unconfined";
+@@ -726,6 +726,8 @@ audit:
+ out:
+ aa_put_profile(hat);
+ kfree(name);
++ aa_put_profile(profile);
++ aa_put_profile(previous_profile);
+ put_cred(cred);
+
+ return error;
+diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
+index e1ef106c8a6f..066e91ce9de9 100644
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1857,10 +1857,10 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
+ if (substream->timer_running)
+ snd_timer_interrupt(substream->timer, 1);
+ _end:
++ kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
+ snd_pcm_stream_unlock_irqrestore(substream, flags);
+ if (runtime->transfer_ack_end)
+ runtime->transfer_ack_end(substream);
+- kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
+ }
+
+ EXPORT_SYMBOL(snd_pcm_period_elapsed);