Stable Archive on lore.kernel.org
 help / color / Atom feed
* Linux 3.16.72
@ 2019-08-13 13:35 Ben Hutchings
  2019-08-13 14:49 ` Bhaskar Chowdhury
  0 siblings, 1 reply; 2+ messages in thread
From: Ben Hutchings @ 2019-08-13 13:35 UTC (permalink / raw)
  To: linux-kernel, Andrew Morton, torvalds, Jiri Slaby, stable; +Cc: lwn

[-- Attachment #1.1: Type: text/plain, Size: 23709 bytes --]

I'm announcing the release of the 3.16.72 kernel.

All users of the 3.16 kernel series should upgrade.

The updated 3.16.y git tree can be found at:
        https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-3.16.y
and can be browsed at the normal kernel.org git web browser:
        https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git

The diff from 3.16.71 is attached to this message.

Ben.

------------

 Documentation/kernel-parameters.txt              |   5 +
 Documentation/siphash.txt                        | 100 ++++++++++
 Documentation/usb/power-management.txt           |  14 +-
 Documentation/virtual/kvm/api.txt                |  16 +-
 MAINTAINERS                                      |   7 +
 Makefile                                         |   2 +-
 arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi     |   1 +
 arch/arm/mach-imx/cpuidle-imx6q.c                |  27 +--
 arch/mips/kernel/scall64-o32.S                   |   2 +-
 arch/powerpc/include/asm/vdso_datapage.h         |   8 +-
 arch/powerpc/kernel/signal_32.c                  |   3 +
 arch/powerpc/kernel/signal_64.c                  |   5 +
 arch/powerpc/kernel/vdso32/gettimeofday.S        |   2 +-
 arch/powerpc/kernel/vdso64/gettimeofday.S        |   2 +-
 arch/x86/include/asm/calling.h                   |  18 ++
 arch/x86/include/asm/cpufeatures.h               |  41 ++--
 arch/x86/include/asm/kvm_host.h                  |  13 +-
 arch/x86/include/asm/xen/hypercall.h             |   3 +
 arch/x86/kernel/cpu/bugs.c                       | 105 +++++++++-
 arch/x86/kernel/cpu/common.c                     |  42 ++--
 arch/x86/kernel/entry_64.S                       |  73 +++++--
 arch/x86/kernel/kprobes/core.c                   |  48 ++++-
 arch/x86/kernel/process.c                        |   8 +-
 arch/x86/kvm/cpuid.c                             |   5 +
 arch/x86/kvm/mmu.c                               |  13 +-
 arch/x86/kvm/mmu.h                               |   2 +-
 arch/x86/kvm/vmx.c                               |  15 --
 arch/x86/kvm/x86.c                               |  18 +-
 arch/xtensa/kernel/stacktrace.c                  |   6 +-
 block/bio.c                                      |   5 +-
 drivers/acpi/acpica/nsobject.c                   |   4 +
 drivers/block/floppy.c                           |  32 +++-
 drivers/block/xsysace.c                          |   2 +
 drivers/bluetooth/hci_ath.c                      |   3 +
 drivers/bluetooth/hci_ldisc.c                    |   9 +
 drivers/bluetooth/hci_uart.h                     |   1 +
 drivers/gpio/gpio-adnp.c                         |   6 +-
 drivers/iio/adc/ad_sigma_delta.c                 |   1 +
 drivers/iio/adc/at91_adc.c                       |  28 +--
 drivers/iio/dac/mcp4725.c                        |   1 +
 drivers/iio/industrialio-buffer.c                |   6 +-
 drivers/iio/industrialio-core.c                  |   4 +-
 drivers/infiniband/hw/mlx4/alias_GUID.c          |   2 +-
 drivers/input/tablet/gtco.c                      |  20 +-
 drivers/iommu/amd_iommu_init.c                   |   2 +-
 drivers/iommu/intel-iommu.c                      |   3 +
 drivers/md/dm-table.c                            |  39 ++++
 drivers/md/dm.c                                  |  31 ++-
 drivers/media/usb/tlg2300/pd-common.h            |   2 +-
 drivers/mtd/chips/cfi_cmdset_0002.c              |   6 +-
 drivers/net/ethernet/3com/3c515.c                |   2 +-
 drivers/net/ethernet/8390/mac8390.c              |  37 ++--
 drivers/net/ethernet/neterion/vxge/vxge-config.c |   1 +
 drivers/net/macvtap.c                            |   3 -
 drivers/net/phy/phy_device.c                     |   5 +-
 drivers/net/ppp/pptp.c                           |   2 +-
 drivers/net/slip/slhc.c                          |   2 +-
 drivers/net/team/team.c                          |   6 +
 drivers/net/tun.c                                |   6 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |   1 -
 drivers/net/wireless/rt2x00/rt2x00mac.c          |  10 -
 drivers/net/wireless/rt2x00/rt2x00queue.c        |  15 +-
 drivers/pci/quirks.c                             |   2 +
 drivers/s390/scsi/zfcp_erp.c                     |  17 ++
 drivers/s390/scsi/zfcp_ext.h                     |   2 +
 drivers/s390/scsi/zfcp_scsi.c                    |   4 +
 drivers/scsi/libsas/sas_expander.c               |   9 +-
 drivers/staging/comedi/drivers/vmk80xx.c         |   8 +-
 drivers/staging/iio/meter/ade7854.c              |   2 +-
 drivers/staging/rtl8712/rtl8712_cmd.c            |  10 +-
 drivers/staging/rtl8712/rtl8712_cmd.h            |   2 +-
 drivers/staging/speakup/speakup_soft.c           |  12 +-
 drivers/staging/speakup/spk_priv.h               |   1 +
 drivers/staging/speakup/synth.c                  |   6 +
 drivers/staging/usbip/stub_rx.c                  |  12 +-
 drivers/staging/usbip/usbip_common.h             |   7 +
 drivers/tty/serial/atmel_serial.c                |   4 +
 drivers/tty/serial/max310x.c                     |   2 +
 drivers/tty/serial/mxs-auart.c                   |   4 +
 drivers/tty/serial/sh-sci.c                      |  12 +-
 drivers/usb/core/driver.c                        |  13 --
 drivers/usb/core/message.c                       |   4 +-
 drivers/usb/host/xhci-hub.c                      |  19 +-
 drivers/usb/host/xhci.h                          |   8 +
 drivers/usb/misc/yurex.c                         |   1 +
 drivers/usb/serial/cp210x.c                      |   1 +
 drivers/usb/serial/ftdi_sio.c                    |   2 +
 drivers/usb/serial/ftdi_sio_ids.h                |   4 +-
 drivers/usb/serial/mos7720.c                     |   4 +-
 drivers/usb/storage/realtek_cr.c                 |  13 +-
 drivers/vhost/net.c                              |  31 +--
 drivers/vhost/scsi.c                             |  15 +-
 drivers/vhost/vhost.c                            |  20 +-
 drivers/vhost/vhost.h                            |   6 +-
 drivers/w1/masters/ds2490.c                      |   6 +-
 drivers/xen/balloon.c                            |  16 +-
 fs/afs/fsclient.c                                |   6 +-
 fs/btrfs/compression.c                           |  18 ++
 fs/btrfs/compression.h                           |   1 +
 fs/btrfs/props.c                                 |   5 +-
 fs/ceph/dir.c                                    |   6 +-
 fs/cifs/cifsglob.h                               |   2 +
 fs/cifs/file.c                                   |  30 ++-
 fs/cifs/inode.c                                  |   4 +
 fs/cifs/misc.c                                   |  25 ++-
 fs/cifs/smb2misc.c                               |   6 +-
 fs/cifs/smb2ops.c                                |   2 +
 fs/ext4/file.c                                   |   2 +-
 fs/ext4/resize.c                                 |  11 +-
 fs/lockd/host.c                                  |   3 +-
 fs/proc/meminfo.c                                |  34 +---
 fs/proc/proc_sysctl.c                            |   7 +-
 fs/udf/truncate.c                                |   3 +
 fs/ufs/util.h                                    |   2 +-
 include/linux/kprobes.h                          |   1 +
 include/linux/lockdep.h                          |  15 ++
 include/linux/mm.h                               |   1 +
 include/linux/siphash.h                          |  90 +++++++++
 include/linux/string.h                           |   3 +
 include/linux/usb.h                              |   2 -
 include/net/ip.h                                 |  12 +-
 include/net/ipv6.h                               |   4 +-
 include/net/netfilter/nf_conntrack.h             |   2 +
 include/net/netns/ipv4.h                         |   2 +
 include/net/sctp/checksum.h                      |   2 +-
 kernel/events/core.c                             |   2 +
 kernel/futex.c                                   |   4 +
 kernel/sched/fair.c                              |  35 +++-
 kernel/trace/ftrace.c                            |   5 +-
 kernel/trace/ring_buffer.c                       |   2 +-
 lib/Kconfig.debug                                |  10 +
 lib/Makefile                                     |   3 +-
 lib/siphash.c                                    | 232 +++++++++++++++++++++++
 lib/string.c                                     |  20 ++
 lib/test_siphash.c                               | 131 +++++++++++++
 mm/page_alloc.c                                  |  43 +++++
 mm/vmstat.c                                      |   5 -
 net/batman-adv/bridge_loop_avoidance.c           |  16 +-
 net/batman-adv/translation-table.c               |  32 +++-
 net/bridge/br_multicast.c                        |   4 +-
 net/bridge/br_netfilter.c                        |   3 +
 net/bridge/netfilter/ebtables.c                  |   3 +-
 net/core/net-sysfs.c                             |   6 +-
 net/dccp/feat.c                                  |   7 +-
 net/dccp/ipv6.c                                  |   4 +-
 net/ipv4/igmp.c                                  |   4 +-
 net/ipv4/ip_output.c                             |   7 +-
 net/ipv4/ip_tunnel_core.c                        |   3 +-
 net/ipv4/ipmr.c                                  |   7 +-
 net/ipv4/raw.c                                   |   2 +-
 net/ipv4/route.c                                 |  16 +-
 net/ipv4/xfrm4_mode_tunnel.c                     |   2 +-
 net/ipv4/xfrm4_policy.c                          |  60 ++++--
 net/ipv6/ip6_flowlabel.c                         |  24 ++-
 net/ipv6/ip6_output.c                            |  23 +--
 net/ipv6/ip6mr.c                                 |  11 +-
 net/ipv6/output_core.c                           |  53 +++++-
 net/ipv6/tcp_ipv6.c                              |   8 +-
 net/ipv6/udp_offload.c                           |   6 +
 net/ipv6/xfrm6_tunnel.c                          |   4 +
 net/l2tp/l2tp_core.c                             |  10 +-
 net/mac80211/debugfs_netdev.c                    |   2 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |   5 +-
 net/netfilter/nf_conntrack_core.c                |  36 ++++
 net/netfilter/nf_conntrack_netlink.c             |  34 +++-
 net/packet/af_packet.c                           |  37 ++--
 net/rose/rose_loopback.c                         |  34 ++--
 net/sunrpc/cache.c                               |   3 +
 net/tipc/sysctl.c                                |   4 +-
 net/xfrm/xfrm_user.c                             |   2 +-
 security/device_cgroup.c                         |   2 +-
 sound/core/init.c                                |  18 +-
 sound/core/oss/pcm_oss.c                         |  43 +++--
 sound/core/pcm_native.c                          |   9 +-
 sound/core/rawmidi.c                             |   2 +
 sound/core/seq/oss/seq_oss_synth.c               |   7 +-
 sound/core/seq/seq_clientmgr.c                   |   6 +-
 tools/lib/traceevent/event-parse.c               |   2 +-
 tools/perf/tests/evsel-tp-sched.c                |   1 +
 virt/kvm/kvm_main.c                              |   3 +
 180 files changed, 1973 insertions(+), 565 deletions(-)

Aditya Pakki (1):
      serial: max310x: Fix to avoid potential NULL pointer dereference

Al Viro (1):
      ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour

Alan Stern (4):
      USB: core: Fix unterminated string returned by usb_string()
      USB: core: Fix bug caused by duplicate interface PM usage counter
      USB: yurex: Fix protection fault after device removal
      USB: w1 ds2490: Fix bug caused by improper use of altsetting array

Anand Jain (1):
      btrfs: prop: fix vanished compression property after failed set

Andre Przywara (1):
      PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller

Andy Lutomirski (2):
      x86/asm/entry/64: Disentangle error_entry/exit gsbase/ebx/usermode code
      x86/entry/64: Really create an error-entry-from-usermode code path

Arnd Bergmann (1):
      3c515: fix integer overflow warning

Aurelien Aptel (1):
      CIFS: keep FileInfo handle live during oplock break

Aurelien Jarno (1):
      MIPS: scall64-o32: Fix indirect syscall number load

Axel Lin (1):
      gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input

Ben Gardon (1):
      kvm: mmu: Fix overflow on kvm mmu page limit calculation

Ben Hutchings (3):
      x86: cpufeatures: Renumber feature word 7
      Revert "inet: update the IP ID generation algorithm to higher standards."
      Linux 3.16.72

Changbin Du (1):
      perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test()

Chen Jie (1):
      futex: Ensure that futex address is aligned in handle_futex_death()

Christophe Leroy (1):
      powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64

Colin Ian King (1):
      vxge: fix return of a free'd memblock on a failed dma mapping

Dan Carpenter (2):
      staging: rtl8712: uninitialized memory in read_bbreg_hdl()
      xen: Prevent buffer overflow in privcmd ioctl

David Howells (1):
      afs: Fix StoreData op marshalling

Denis Efremov (4):
      floppy: fix div-by-zero in setup_format_params
      floppy: fix out-of-bounds read in next_valid_format
      floppy: fix invalid pointer dereference in drive_name
      floppy: fix out-of-bounds read in copy_buffer

Dragos Bogdan (1):
      iio: ad_sigma_delta: select channel when reading register

Eric Dumazet (7):
      tcp: do not use ipv6 header for ipv4 flow
      dccp: do not use ipv6 header for ipv4 flow
      net/rose: fix unbound loop in rose_loopback_timer()
      l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv()
      ipv6/flowlabel: wait rcu grace period before put_pid()
      l2ip: fix possible use-after-free
      inet: switch IP ID generator to siphash

Erik Schmauss (1):
      ACPICA: Namespace: remove address node from global list after method termination

Fabrice Gasnier (1):
      iio: core: fix a possible circular locking dependency

Finn Thain (1):
      mac8390: Fix mmio access size probe

Florian Westphal (2):
      netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
      netfilter: ctnetlink: don't use conntrack/expect object addresses as id

Frank Sorenson (1):
      cifs: do not attempt cifs operation on smb2+ rename error

Frederic Weisbecker (1):
      locking/lockdep: Add IRQs disabled/enabled assertion APIs: lockdep_assert_irqs_enabled()/disabled()

Geert Uytterhoeven (1):
      net: mac8390: Use standard memcpy_{from,to}io()

Georg Ottinger (1):
      iio: adc: at91: disable adc channel interrupt in timeout case

George McCollister (1):
      USB: serial: ftdi_sio: add additional NovaTech products

Grant Hernandez (1):
      Input: gtco - bounds check collection indent level

Greg Kroah-Hartman (1):
      USB: serial: cp210x: add new device id

Guenter Roeck (1):
      xsysace: Fix error handling in ace_setup

Gustavo A. R. Silva (2):
      ALSA: rawmidi: Fix potential Spectre v1 vulnerability
      ALSA: seq: oss: Fix Spectre v1 vulnerability

Hangbin Liu (1):
      team: fix possible recursive locking when add slaves

Hannes Frederic Sowa (3):
      ipv4: hash net ptr into fragmentation bucket selection
      ipv4: ip_tunnel: use net namespace from rtable not socket
      ipv6: hash net ptr into fragmentation bucket selection

Heiner Kallweit (1):
      net: phy: don't clear BMCR in genphy_soft_reset

Hoan Nguyen An (1):
      serial: sh-sci: Fix setting SCSCR_TIE while transferring data

Ian Abbott (2):
      staging: comedi: vmk80xx: Fix use of uninitialized semaphore
      staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf

Igor Redko (1):
      mm/page_alloc.c: calculate 'available' memory in a separate function

Ilya Dryomov (1):
      dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors

Jack Morgenstein (1):
      IB/mlx4: Fix race condition between catas error reset and aliasguid flows

Jan Kara (1):
      udf: Fix crash on IO error during truncate

Jann Horn (1):
      device_cgroup: fix RCU imbalance in error case

Jason A. Donenfeld (1):
      siphash: add cryptographically secure PRF

Jason Wang (4):
      vhost_net: introduce vhost_exceeds_weight()
      vhost: introduce vhost_exceeds_weight()
      vhost_net: fix possible infinite loop
      vhost: scsi: add weight support

Jason Yan (1):
      scsi: libsas: fix a race condition when smp task timeout

Jean-Francois Dagenais (1):
      iio: dac: mcp4725: add missing powerdown bits in store eeprom

Jeff Layton (1):
      ceph: ensure d_name stability in ceph_dentry_hash()

Jie Liu (1):
      tipc: set sysctl_tipc_rmem and named_timeout right range

Jim Mattson (1):
      kvm: x86: IA32_ARCH_CAPABILITIES is always supported

Joerg Roedel (1):
      iommu/amd: Set exclusion range correctly

Johannes Berg (1):
      mac80211: don't attempt to rename ERR_PTR() debugfs dirs

Johannes Thumshirn (1):
      btrfs: correctly validate compression type

Johannes Weiner (1):
      proc: meminfo: estimate available memory more conservatively

Josh Poimboeuf (3):
      x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
      x86/speculation: Enable Spectre v1 swapgs mitigations
      x86/entry/64: Use JMP instead of JMPQ

Juergen Gross (1):
      xen: let alloc_xenballooned_pages() fail if not enough memory free

Jérôme Glisse (1):
      block: do not leak memory in bio_copy_user_iov()

Kangjie Lu (2):
      tty: atmel_serial: fix a potential NULL pointer dereference
      tty: mxs-auart: fix a potential NULL pointer dereference

Kohji Okuno (1):
      ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time

Konstantin Khlebnikov (1):
      mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n

Lars-Peter Clausen (1):
      iio: Fix scan mask selection

Leonard Pollak (1):
      Staging: iio: meter: fixed typo

Lin Yi (1):
      USB: serial: mos7720: fix mos_parport refcount imbalance on error path

Linus Torvalds (1):
      slip: make slhc_free() silently accept an error pointer

Liu Jian (1):
      mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer

Lu Baolu (1):
      iommu/vt-d: Check capability before disabling protected memory

Lukas Czerner (2):
      ext4: fix data corruption caused by unaligned direct AIO
      ext4: add missing brelse() in add_new_gdb_meta_bg()

Malte Leip (1):
      usb: usbip: fix isoc packet num validation in get_pipe

Marco Felsch (1):
      ARM: dts: pfla02: increase phy reset duration

Markus Elfring (1):
      iio: Use kmalloc_array() in iio_scan_mask_set()

Masami Hiramatsu (3):
      x86/kprobes: Verify stack frame on kretprobe
      kprobes: Mark ftrace mcount handler functions nokprobe
      x86/kprobes: Avoid kretprobe recursion bug

Mathias Nyman (1):
      xhci: Don't let USB3 ports stuck in polling state prevent suspend

Max Filippov (1):
      xtensa: fix return_address

Mel Gorman (1):
      sched/fair: Do not re-read ->h_load_next during hierarchical load calculation

Michael Ellerman (1):
      powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038

Michael Neuling (1):
      powerpc/tm: Fix oops on sigreturn on systems without TM

Mike Snitzer (1):
      dm: disable DISCARD if the underlying storage no longer supports it

NeilBrown (2):
      NFS: fix mount/umount race in nlmclnt.
      sunrpc: don't mark uninitialised items as VALID.

Nick Desaulniers (1):
      lib/string.c: implement a basic bcmp

Nikolay Aleksandrov (1):
      net: bridge: multicast: use rcu to access port list from br_multicast_start_querier

Paolo Abeni (1):
      vhost_net: use packet weight for rx handler, too

Peter Zijlstra (1):
      trace: Fix preempt_enable_no_resched() abuse

Phil Auld (1):
      sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup

Rikard Falkeborn (1):
      tools lib traceevent: Fix missing equality check for strcmp

Ronnie Sahlberg (1):
      cifs: fix handle leak in smb2_query_symlink()

Sabrina Dubroca (1):
      ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment

Samuel Thibault (1):
      staging: speakup_soft: Fix alternate speech with other synths

Sean Christopherson (2):
      KVM: Reject device ioctls from processes other than the VM's creator
      KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts

Steffen Klassert (3):
      xfrm4: Fix header checks in _decode_session4.
      xfrm4: Reload skb header pointers after calling pskb_may_pull.
      xfrm4: Fix uninitialized memory read in _decode_session4

Steffen Maier (2):
      scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
      scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices

Stephane Eranian (1):
      perf/core: Restore mmap record type correctly

Su Yanjun (1):
      xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module

Sven Eckelmann (3):
      batman-adv: Reduce claim hash refcnt only for removed entry
      batman-adv: Reduce tt_local hash refcnt only for removed entry
      batman-adv: Reduce tt_global hash refcnt only for removed entry

Takashi Iwai (3):
      ALSA: pcm: Fix possible OOB access in PCM oss plugins
      ALSA: pcm: Don't suspend stream in unrecoverable PCM state
      ALSA: core: Fix card races between register and disconnect

Thomas Gleixner (2):
      x86/speculation: Prevent deadlock on ssb_state::lock
      x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS

Vijayakumar Durai (1):
      rt2x00: do not increment sequence number while re-transmitting

Vlad Yasevich (4):
      ipv6: Select fragment id during UFO segmentation if not set.
      Revert "drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets"
      ipv6: Fix fragment id assignment on LE arches.
      ipv6: Make __ipv6_select_ident static

Vladis Dronov (1):
      Bluetooth: hci_uart: check for missing tty operations

Wanpeng Li (1):
      x86/entry/64: Fix context tracking state warning when load_gs_index fails

Willem de Bruijn (3):
      ipv6: invert flowlabel sharing check in process and user mode
      packet: in recvmsg msg_name return at least sizeof sockaddr_ll
      packet: validate msg_namelen in send directly

Xie XiuQi (1):
      sched/numa: Fix a possible divide-by-zero

Xin Long (3):
      ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
      netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING
      sctp: get sctphdr by offset in sctp_compute_cksum

YueHaibing (5):
      xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
      net-sysfs: call dev_hold if kobject_init_and_add success
      fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links
      dccp: Fix memleak in __feat_register_sp
      fs/proc/proc_sysctl.c: Fix a NULL pointer dereference

Zubin Mithra (1):
      ALSA: seq: Fix OOB-reads from strlcpy

haibinzhang(张海斌) (1):
      vhost-net: set packet weight of tx polling to 2 * vq size

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson



[-- Attachment #1.2: linux-3.16.72.patch --]
[-- Type: text/x-diff, Size: 205076 bytes --]

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 67a21b2ef3e4..2fe0b85b693d 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1917,6 +1917,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 				improves system performance, but it may also
 				expose users to several CPU vulnerabilities.
 				Equivalent to: nopti [X86]
+					       nospectre_v1 [X86]
 					       nospectre_v2 [X86]
 					       spectre_v2_user=off [X86]
 					       spec_store_bypass_disable=off [X86]
@@ -2215,6 +2216,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			register save and restore. The kernel will only save
 			legacy floating-point registers on task switch.
 
+	nospectre_v1	[X86] Disable mitigations for Spectre Variant 1
+			(bounds check bypass). With this option data leaks are
+			possible in the system.
+
 	nospectre_v2	[X86] Disable all mitigations for the Spectre variant 2
 			(indirect branch prediction) vulnerability. System may
 			allow data leaks with this option, which is equivalent
diff --git a/Documentation/siphash.txt b/Documentation/siphash.txt
new file mode 100644
index 000000000000..e8e6ddbbaab4
--- /dev/null
+++ b/Documentation/siphash.txt
@@ -0,0 +1,100 @@
+         SipHash - a short input PRF
+-----------------------------------------------
+Written by Jason A. Donenfeld <jason@zx2c4.com>
+
+SipHash is a cryptographically secure PRF -- a keyed hash function -- that
+performs very well for short inputs, hence the name. It was designed by
+cryptographers Daniel J. Bernstein and Jean-Philippe Aumasson. It is intended
+as a replacement for some uses of: `jhash`, `md5_transform`, `sha_transform`,
+and so forth.
+
+SipHash takes a secret key filled with randomly generated numbers and either
+an input buffer or several input integers. It spits out an integer that is
+indistinguishable from random. You may then use that integer as part of secure
+sequence numbers, secure cookies, or mask it off for use in a hash table.
+
+1. Generating a key
+
+Keys should always be generated from a cryptographically secure source of
+random numbers, either using get_random_bytes or get_random_once:
+
+siphash_key_t key;
+get_random_bytes(&key, sizeof(key));
+
+If you're not deriving your key from here, you're doing it wrong.
+
+2. Using the functions
+
+There are two variants of the function, one that takes a list of integers, and
+one that takes a buffer:
+
+u64 siphash(const void *data, size_t len, const siphash_key_t *key);
+
+And:
+
+u64 siphash_1u64(u64, const siphash_key_t *key);
+u64 siphash_2u64(u64, u64, const siphash_key_t *key);
+u64 siphash_3u64(u64, u64, u64, const siphash_key_t *key);
+u64 siphash_4u64(u64, u64, u64, u64, const siphash_key_t *key);
+u64 siphash_1u32(u32, const siphash_key_t *key);
+u64 siphash_2u32(u32, u32, const siphash_key_t *key);
+u64 siphash_3u32(u32, u32, u32, const siphash_key_t *key);
+u64 siphash_4u32(u32, u32, u32, u32, const siphash_key_t *key);
+
+If you pass the generic siphash function something of a constant length, it
+will constant fold at compile-time and automatically choose one of the
+optimized functions.
+
+3. Hashtable key function usage:
+
+struct some_hashtable {
+	DECLARE_HASHTABLE(hashtable, 8);
+	siphash_key_t key;
+};
+
+void init_hashtable(struct some_hashtable *table)
+{
+	get_random_bytes(&table->key, sizeof(table->key));
+}
+
+static inline hlist_head *some_hashtable_bucket(struct some_hashtable *table, struct interesting_input *input)
+{
+	return &table->hashtable[siphash(input, sizeof(*input), &table->key) & (HASH_SIZE(table->hashtable) - 1)];
+}
+
+You may then iterate like usual over the returned hash bucket.
+
+4. Security
+
+SipHash has a very high security margin, with its 128-bit key. So long as the
+key is kept secret, it is impossible for an attacker to guess the outputs of
+the function, even if being able to observe many outputs, since 2^128 outputs
+is significant.
+
+Linux implements the "2-4" variant of SipHash.
+
+5. Struct-passing Pitfalls
+
+Often times the XuY functions will not be large enough, and instead you'll
+want to pass a pre-filled struct to siphash. When doing this, it's important
+to always ensure the struct has no padding holes. The easiest way to do this
+is to simply arrange the members of the struct in descending order of size,
+and to use offsetendof() instead of sizeof() for getting the size. For
+performance reasons, if possible, it's probably a good thing to align the
+struct to the right boundary. Here's an example:
+
+const struct {
+	struct in6_addr saddr;
+	u32 counter;
+	u16 dport;
+} __aligned(SIPHASH_ALIGNMENT) combined = {
+	.saddr = *(struct in6_addr *)saddr,
+	.counter = counter,
+	.dport = dport
+};
+u64 h = siphash(&combined, offsetofend(typeof(combined), dport), &secret);
+
+6. Resources
+
+Read the SipHash paper if you're interested in learning more:
+https://131002.net/siphash/siphash.pdf
diff --git a/Documentation/usb/power-management.txt b/Documentation/usb/power-management.txt
index 1392b61d6ebe..3073ea800389 100644
--- a/Documentation/usb/power-management.txt
+++ b/Documentation/usb/power-management.txt
@@ -345,11 +345,15 @@ autosuspend the interface's device.  When the usage counter is = 0
 then the interface is considered to be idle, and the kernel may
 autosuspend the device.
 
-Drivers need not be concerned about balancing changes to the usage
-counter; the USB core will undo any remaining "get"s when a driver
-is unbound from its interface.  As a corollary, drivers must not call
-any of the usb_autopm_* functions after their disconnect() routine has
-returned.
+Drivers must be careful to balance their overall changes to the usage
+counter.  Unbalanced "get"s will remain in effect when a driver is
+unbound from its interface, preventing the device from going into
+runtime suspend should the interface be bound to a driver again.  On
+the other hand, drivers are allowed to achieve this balance by calling
+the usb_autopm_* functions even after their disconnect routine
+has returned -- say from within a work-queue routine -- provided they
+retain an active reference to the interface (via usb_get_intf and
+usb_put_intf).
 
 Drivers using the async routines are responsible for their own
 synchronization and mutual exclusion.
diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
index e86da4377402..fcafeed97244 100644
--- a/Documentation/virtual/kvm/api.txt
+++ b/Documentation/virtual/kvm/api.txt
@@ -13,7 +13,7 @@ of a virtual machine.  The ioctls belong to three classes
 
  - VM ioctls: These query and set attributes that affect an entire virtual
    machine, for example memory layout.  In addition a VM ioctl is used to
-   create virtual cpus (vcpus).
+   create virtual cpus (vcpus) and devices.
 
    Only run VM ioctls from the same process (address space) that was used
    to create the VM.
@@ -24,6 +24,11 @@ of a virtual machine.  The ioctls belong to three classes
    Only run vcpu ioctls from the same thread that was used to create the
    vcpu.
 
+ - device ioctls: These query and set attributes that control the operation
+   of a single device.
+
+   device ioctls must be issued from the same process (address space) that
+   was used to create the VM.
 
 2. File descriptors
 -------------------
@@ -32,10 +37,11 @@ The kvm API is centered around file descriptors.  An initial
 open("/dev/kvm") obtains a handle to the kvm subsystem; this handle
 can be used to issue system ioctls.  A KVM_CREATE_VM ioctl on this
 handle will create a VM file descriptor which can be used to issue VM
-ioctls.  A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu
-and return a file descriptor pointing to it.  Finally, ioctls on a vcpu
-fd can be used to control the vcpu, including the important task of
-actually running guest code.
+ioctls.  A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will
+create a virtual cpu or device and return a file descriptor pointing to
+the new resource.  Finally, ioctls on a vcpu or device fd can be used
+to control the vcpu or device.  For vcpus, this includes the important
+task of actually running guest code.
 
 In general file descriptors can be migrated among processes by means
 of fork() and the SCM_RIGHTS facility of unix domain socket.  These
diff --git a/MAINTAINERS b/MAINTAINERS
index b2a5243e9d0b..61dbb398b540 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8188,6 +8188,13 @@ F:	arch/arm/mach-s3c24xx/mach-bast.c
 F:	arch/arm/mach-s3c24xx/bast-ide.c
 F:	arch/arm/mach-s3c24xx/bast-irq.c
 
+SIPHASH PRF ROUTINES
+M:	Jason A. Donenfeld <Jason@zx2c4.com>
+S:	Maintained
+F:	lib/siphash.c
+F:	lib/test_siphash.c
+F:	include/linux/siphash.h
+
 TI DAVINCI MACHINE SUPPORT
 M:	Sekhar Nori <nsekhar@ti.com>
 M:	Kevin Hilman <khilman@deeprootsystems.com>
diff --git a/Makefile b/Makefile
index c2c6a3580e8a..e2d6e0b9f22d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 VERSION = 3
 PATCHLEVEL = 16
-SUBLEVEL = 71
+SUBLEVEL = 72
 EXTRAVERSION =
 NAME = Museum of Fishiegoodies
 
diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
index 50c7718cb84e..0214e1199a06 100644
--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
+++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
@@ -302,6 +302,7 @@
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_enet>;
 	phy-mode = "rgmii";
+	phy-reset-duration = <10>; /* in msecs */
 	phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>;
 	status = "disabled";
 };
diff --git a/arch/arm/mach-imx/cpuidle-imx6q.c b/arch/arm/mach-imx/cpuidle-imx6q.c
index 6bcae0479049..e338a6d23b77 100644
--- a/arch/arm/mach-imx/cpuidle-imx6q.c
+++ b/arch/arm/mach-imx/cpuidle-imx6q.c
@@ -14,30 +14,23 @@
 #include "common.h"
 #include "cpuidle.h"
 
-static atomic_t master = ATOMIC_INIT(0);
-static DEFINE_SPINLOCK(master_lock);
+static int num_idle_cpus = 0;
+static DEFINE_SPINLOCK(cpuidle_lock);
 
 static int imx6q_enter_wait(struct cpuidle_device *dev,
 			    struct cpuidle_driver *drv, int index)
 {
-	if (atomic_inc_return(&master) == num_online_cpus()) {
-		/*
-		 * With this lock, we prevent other cpu to exit and enter
-		 * this function again and become the master.
-		 */
-		if (!spin_trylock(&master_lock))
-			goto idle;
+	spin_lock(&cpuidle_lock);
+	if (++num_idle_cpus == num_online_cpus())
 		imx6q_set_lpm(WAIT_UNCLOCKED);
-		cpu_do_idle();
-		imx6q_set_lpm(WAIT_CLOCKED);
-		spin_unlock(&master_lock);
-		goto done;
-	}
+	spin_unlock(&cpuidle_lock);
 
-idle:
 	cpu_do_idle();
-done:
-	atomic_dec(&master);
+
+	spin_lock(&cpuidle_lock);
+	if (num_idle_cpus-- == num_online_cpus())
+		imx6q_set_lpm(WAIT_CLOCKED);
+	spin_unlock(&cpuidle_lock);
 
 	return index;
 }
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 37361502d63b..ff9987fd5fd0 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -124,7 +124,7 @@ NESTED(handle_sys, PT_SIZE, sp)
 	subu	t1, v0,  __NR_O32_Linux
 	move	a1, v0
 	bnez	t1, 1f /* __NR_syscall at offset 0 */
-	lw	a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
+	ld	a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
 	.set	pop
 
 1:	jal	syscall_trace_enter
diff --git a/arch/powerpc/include/asm/vdso_datapage.h b/arch/powerpc/include/asm/vdso_datapage.h
index b73a8199f161..1e0ee59c8276 100644
--- a/arch/powerpc/include/asm/vdso_datapage.h
+++ b/arch/powerpc/include/asm/vdso_datapage.h
@@ -82,10 +82,10 @@ struct vdso_data {
 	__u32 icache_block_size;		/* L1 i-cache block size     */
 	__u32 dcache_log_block_size;		/* L1 d-cache log block size */
 	__u32 icache_log_block_size;		/* L1 i-cache log block size */
-	__s32 wtom_clock_sec;			/* Wall to monotonic clock */
-	__s32 wtom_clock_nsec;
-	struct timespec stamp_xtime;	/* xtime as at tb_orig_stamp */
-	__u32 stamp_sec_fraction;	/* fractional seconds of stamp_xtime */
+	__u32 stamp_sec_fraction;		/* fractional seconds of stamp_xtime */
+	__s32 wtom_clock_nsec;			/* Wall to monotonic clock nsec */
+	__s64 wtom_clock_sec;			/* Wall to monotonic clock sec */
+	struct timespec stamp_xtime;		/* xtime as at tb_orig_stamp */
    	__u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls  */
    	__u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
 };
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index e7e8c4db2651..90d1d10eff05 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -1274,6 +1274,9 @@ long sys_rt_sigreturn(int r3, int r4, int r5, int r6, int r7, int r8,
 			goto bad;
 
 		if (MSR_TM_ACTIVE(msr_hi<<32)) {
+			/* Trying to start TM on non TM system */
+			if (!cpu_has_feature(CPU_FTR_TM))
+				goto bad;
 			/* We only recheckpoint on return if we're
 			 * transaction.
 			 */
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index 0bcae29336c0..5437dae4f12f 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -702,6 +702,11 @@ int sys_rt_sigreturn(unsigned long r3, unsigned long r4, unsigned long r5,
 	if (MSR_TM_ACTIVE(msr)) {
 		/* We recheckpoint on return. */
 		struct ucontext __user *uc_transact;
+
+		/* Trying to start TM on non TM system */
+		if (!cpu_has_feature(CPU_FTR_TM))
+			goto badframe;
+
 		if (__get_user(uc_transact, &uc->uc_link))
 			goto badframe;
 		if (restore_tm_sigcontexts(regs, &uc->uc_mcontext,
diff --git a/arch/powerpc/kernel/vdso32/gettimeofday.S b/arch/powerpc/kernel/vdso32/gettimeofday.S
index 6b2b69616e77..8bacb8721961 100644
--- a/arch/powerpc/kernel/vdso32/gettimeofday.S
+++ b/arch/powerpc/kernel/vdso32/gettimeofday.S
@@ -98,7 +98,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
 	 * can be used, r7 contains NSEC_PER_SEC.
 	 */
 
-	lwz	r5,WTOM_CLOCK_SEC(r9)
+	lwz	r5,(WTOM_CLOCK_SEC+LOPART)(r9)
 	lwz	r6,WTOM_CLOCK_NSEC(r9)
 
 	/* We now have our offset in r5,r6. We create a fake dependency
diff --git a/arch/powerpc/kernel/vdso64/gettimeofday.S b/arch/powerpc/kernel/vdso64/gettimeofday.S
index 382021324883..6a6a8495bd55 100644
--- a/arch/powerpc/kernel/vdso64/gettimeofday.S
+++ b/arch/powerpc/kernel/vdso64/gettimeofday.S
@@ -85,7 +85,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
 	 * At this point, r4,r5 contain our sec/nsec values.
 	 */
 
-	lwa	r6,WTOM_CLOCK_SEC(r3)
+	ld	r6,WTOM_CLOCK_SEC(r3)
 	lwa	r9,WTOM_CLOCK_NSEC(r3)
 
 	/* We now have our result in r6,r9. We create a fake dependency
diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h
index cb4c73bfeb48..129e29721835 100644
--- a/arch/x86/include/asm/calling.h
+++ b/arch/x86/include/asm/calling.h
@@ -47,6 +47,7 @@ For 32-bit we have the following conventions - kernel is built with
 */
 
 #include <asm/dwarf2.h>
+#include <asm/cpufeatures.h>
 
 #ifdef CONFIG_X86_64
 
@@ -195,6 +196,23 @@ For 32-bit we have the following conventions - kernel is built with
 	.byte 0xf1
 	.endm
 
+/*
+ * Mitigate Spectre v1 for conditional swapgs code paths.
+ *
+ * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to
+ * prevent a speculative swapgs when coming from kernel space.
+ *
+ * FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path,
+ * to prevent the swapgs from getting speculatively skipped when coming from
+ * user space.
+ */
+.macro FENCE_SWAPGS_USER_ENTRY
+	ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER
+.endm
+.macro FENCE_SWAPGS_KERNEL_ENTRY
+	ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL
+.endm
+
 #else /* CONFIG_X86_64 */
 
 /*
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 99137cbe34b8..ba48ab887acf 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -177,29 +177,33 @@
 #define X86_FEATURE_ARAT	( 7*32+ 1) /* Always Running APIC Timer */
 #define X86_FEATURE_CPB		( 7*32+ 2) /* AMD Core Performance Boost */
 #define X86_FEATURE_EPB		( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */
-#define X86_FEATURE_XSAVEOPT	( 7*32+ 4) /* Optimized Xsave */
+#define X86_FEATURE_INVPCID_SINGLE ( 7*32+4) /* Effectively INVPCID && CR4.PCIDE=1 */
 #define X86_FEATURE_PLN		( 7*32+ 5) /* Intel Power Limit Notification */
 #define X86_FEATURE_PTS		( 7*32+ 6) /* Intel Package Thermal Status */
 #define X86_FEATURE_DTHERM	( 7*32+ 7) /* Digital Thermal Sensor */
 #define X86_FEATURE_HW_PSTATE	( 7*32+ 8) /* AMD HW-PState */
 #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
-#define X86_FEATURE_INVPCID_SINGLE ( 7*32+10) /* Effectively INVPCID && CR4.PCIDE=1 */
-#define X86_FEATURE_RSB_CTXSW	( 7*32+11) /* "" Fill RSB on context switches */
-#define X86_FEATURE_USE_IBPB	( 7*32+12) /* "" Indirect Branch Prediction Barrier enabled */
-#define X86_FEATURE_USE_IBRS_FW ( 7*32+13) /* "" Use IBRS during runtime firmware calls */
-#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+14) /* "" Disable Speculative Store Bypass. */
-#define X86_FEATURE_LS_CFG_SSBD	( 7*32+15) /* "" AMD SSBD implementation */
-#define X86_FEATURE_IBRS	( 7*32+16) /* Indirect Branch Restricted Speculation */
-#define X86_FEATURE_IBPB	( 7*32+17) /* Indirect Branch Prediction Barrier */
-#define X86_FEATURE_STIBP	( 7*32+18) /* Single Thread Indirect Branch Predictors */
-#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+19) /* "" MSR SPEC_CTRL is implemented */
-#define X86_FEATURE_SSBD	( 7*32+20) /* Speculative Store Bypass Disable */
-#define X86_FEATURE_ZEN		( 7*32+21) /* "" CPU is AMD family 0x17 (Zen) */
-#define X86_FEATURE_L1TF_PTEINV	( 7*32+22) /* "" L1TF workaround PTE inversion */
-#define X86_FEATURE_IBRS_ENHANCED ( 7*32+23) /* Enhanced IBRS */
-#define X86_FEATURE_RETPOLINE	( 7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */
-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
-/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
+#define X86_FEATURE_FENCE_SWAPGS_USER	( 7*32+10) /* "" LFENCE in user entry SWAPGS path */
+#define X86_FEATURE_FENCE_SWAPGS_KERNEL	( 7*32+11) /* "" LFENCE in kernel entry SWAPGS path */
+#define X86_FEATURE_RETPOLINE	( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
+#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
+
+#define X86_FEATURE_XSAVEOPT	( 7*32+15) /* Optimized Xsave */
+#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
+#define X86_FEATURE_SSBD	( 7*32+17) /* Speculative Store Bypass Disable */
+
+#define X86_FEATURE_RSB_CTXSW	( 7*32+19) /* "" Fill RSB on context switches */
+
+#define X86_FEATURE_USE_IBPB	( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
+#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
+#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
+#define X86_FEATURE_LS_CFG_SSBD	( 7*32+24) /* "" AMD SSBD implementation */
+#define X86_FEATURE_IBRS	( 7*32+25) /* Indirect Branch Restricted Speculation */
+#define X86_FEATURE_IBPB	( 7*32+26) /* Indirect Branch Prediction Barrier */
+#define X86_FEATURE_STIBP	( 7*32+27) /* Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_ZEN		( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
+#define X86_FEATURE_L1TF_PTEINV	( 7*32+29) /* "" L1TF workaround PTE inversion */
+#define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
 #define X86_FEATURE_KAISER	( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
 
 /* Virtualization flags: Linux defined, word 8 */
@@ -274,5 +278,6 @@
 #define X86_BUG_L1TF		X86_BUG(9) /* CPU is affected by L1 Terminal Fault */
 #define X86_BUG_MDS		X86_BUG(10) /* CPU is affected by Microarchitectural data sampling */
 #define X86_BUG_MSBDS_ONLY	X86_BUG(11) /* CPU is only affected by the  MSDBS variant of BUG_MDS */
+#define X86_BUG_SWAPGS		X86_BUG(12) /* CPU is affected by speculation through SWAPGS */
 
 #endif /* _ASM_X86_CPUFEATURES_H */
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index e9eae4fbdde2..92a9ba2595b3 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -88,7 +88,7 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
 #define IOPL_SHIFT 12
 
 #define KVM_PERMILLE_MMU_PAGES 20
-#define KVM_MIN_ALLOC_MMU_PAGES 64
+#define KVM_MIN_ALLOC_MMU_PAGES 64UL
 #define KVM_MMU_HASH_SHIFT 10
 #define KVM_NUM_MMU_PAGES (1 << KVM_MMU_HASH_SHIFT)
 #define KVM_MIN_FREE_MMU_PAGES 5
@@ -363,6 +363,7 @@ struct kvm_vcpu_arch {
 	int mp_state;
 	u64 ia32_misc_enable_msr;
 	bool tpr_access_reporting;
+	u64 arch_capabilities;
 
 	/*
 	 * Paging state of the vcpu
@@ -551,9 +552,9 @@ struct kvm_apic_map {
 };
 
 struct kvm_arch {
-	unsigned int n_used_mmu_pages;
-	unsigned int n_requested_mmu_pages;
-	unsigned int n_max_mmu_pages;
+	unsigned long n_used_mmu_pages;
+	unsigned long n_requested_mmu_pages;
+	unsigned long n_max_mmu_pages;
 	unsigned int indirect_shadow_pages;
 	unsigned long mmu_valid_gen;
 	struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
@@ -809,8 +810,8 @@ void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
 				     gfn_t gfn_offset, unsigned long mask);
 void kvm_mmu_zap_all(struct kvm *kvm);
 void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm);
-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm);
-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages);
+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm);
+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long kvm_nr_mmu_pages);
 
 int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3);
 
diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
index da45f9fc1913..5876b28f9331 100644
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -215,6 +215,9 @@ privcmd_call(unsigned call,
 	__HYPERCALL_DECLS;
 	__HYPERCALL_5ARG(a1, a2, a3, a4, a5);
 
+	if (call >= PAGE_SIZE / sizeof(hypercall_page[0]))
+		return -EINVAL;
+
 	stac();
 	asm volatile(CALL_NOSPEC
 		     : __HYPERCALL_5PARAM
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index e325029ff01a..f9e23ee19bcb 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -30,6 +30,7 @@
 #include <asm/intel-family.h>
 #include <asm/e820.h>
 
+static void __init spectre_v1_select_mitigation(void);
 static void __init spectre_v2_select_mitigation(void);
 static void __init ssb_select_mitigation(void);
 static void __init l1tf_select_mitigation(void);
@@ -148,17 +149,11 @@ void __init check_bugs(void)
 	if (boot_cpu_has(X86_FEATURE_STIBP))
 		x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
 
-	/* Select the proper spectre mitigation before patching alternatives */
+	/* Select the proper CPU mitigations before patching alternatives: */
+	spectre_v1_select_mitigation();
 	spectre_v2_select_mitigation();
-
-	/*
-	 * Select proper mitigation for any exposure to the Speculative Store
-	 * Bypass vulnerability.
-	 */
 	ssb_select_mitigation();
-
 	l1tf_select_mitigation();
-
 	mds_select_mitigation();
 
 	arch_smt_update();
@@ -317,6 +312,98 @@ static int __init mds_cmdline(char *str)
 }
 early_param("mds", mds_cmdline);
 
+#undef pr_fmt
+#define pr_fmt(fmt)     "Spectre V1 : " fmt
+
+enum spectre_v1_mitigation {
+	SPECTRE_V1_MITIGATION_NONE,
+	SPECTRE_V1_MITIGATION_AUTO,
+};
+
+static enum spectre_v1_mitigation spectre_v1_mitigation =
+	SPECTRE_V1_MITIGATION_AUTO;
+
+static const char * const spectre_v1_strings[] = {
+	[SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
+	[SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
+};
+
+/*
+ * Does SMAP provide full mitigation against speculative kernel access to
+ * userspace?
+ */
+static bool smap_works_speculatively(void)
+{
+	if (!boot_cpu_has(X86_FEATURE_SMAP))
+		return false;
+
+	/*
+	 * On CPUs which are vulnerable to Meltdown, SMAP does not
+	 * prevent speculative access to user data in the L1 cache.
+	 * Consider SMAP to be non-functional as a mitigation on these
+	 * CPUs.
+	 */
+	if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
+		return false;
+
+	return true;
+}
+
+static void __init spectre_v1_select_mitigation(void)
+{
+	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
+		spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
+		return;
+	}
+
+	if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
+		/*
+		 * With Spectre v1, a user can speculatively control either
+		 * path of a conditional swapgs with a user-controlled GS
+		 * value.  The mitigation is to add lfences to both code paths.
+		 *
+		 * If FSGSBASE is enabled, the user can put a kernel address in
+		 * GS, in which case SMAP provides no protection.
+		 *
+		 * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the
+		 *	   FSGSBASE enablement patches have been merged. ]
+		 *
+		 * If FSGSBASE is disabled, the user can only put a user space
+		 * address in GS.  That makes an attack harder, but still
+		 * possible if there's no SMAP protection.
+		 */
+		if (!smap_works_speculatively()) {
+			/*
+			 * Mitigation can be provided from SWAPGS itself or
+			 * PTI as the CR3 write in the Meltdown mitigation
+			 * is serializing.
+			 *
+			 * If neither is there, mitigate with an LFENCE to
+			 * stop speculation through swapgs.
+			 */
+			if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
+			    !boot_cpu_has(X86_FEATURE_KAISER))
+				setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
+
+			/*
+			 * Enable lfences in the kernel entry (non-swapgs)
+			 * paths, to prevent user entry from speculatively
+			 * skipping swapgs.
+			 */
+			setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
+		}
+	}
+
+	pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
+}
+
+static int __init nospectre_v1_cmdline(char *str)
+{
+	spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
+	return 0;
+}
+early_param("nospectre_v1", nospectre_v1_cmdline);
+
 #undef pr_fmt
 #define pr_fmt(fmt)     "Spectre V2 : " fmt
 
@@ -1210,7 +1297,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
 		break;
 
 	case X86_BUG_SPECTRE_V1:
-		return sprintf(buf, "Mitigation: __user pointer sanitization\n");
+		return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
 
 	case X86_BUG_SPECTRE_V2:
 		return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 9d4638d437de..337fcac8c8a0 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -813,6 +813,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
 #define NO_L1TF		BIT(3)
 #define NO_MDS		BIT(4)
 #define MSBDS_ONLY	BIT(5)
+#define NO_SWAPGS	BIT(6)
 
 #define VULNWL(_vendor, _family, _model, _whitelist)	\
 	{ X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
@@ -836,29 +837,37 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
 	VULNWL_INTEL(ATOM_BONNELL,		NO_SPECULATION),
 	VULNWL_INTEL(ATOM_BONNELL_MID,		NO_SPECULATION),
 
-	VULNWL_INTEL(ATOM_SILVERMONT,		NO_SSB | NO_L1TF | MSBDS_ONLY),
-	VULNWL_INTEL(ATOM_SILVERMONT_X,		NO_SSB | NO_L1TF | MSBDS_ONLY),
-	VULNWL_INTEL(ATOM_SILVERMONT_MID,	NO_SSB | NO_L1TF | MSBDS_ONLY),
-	VULNWL_INTEL(ATOM_AIRMONT,		NO_SSB | NO_L1TF | MSBDS_ONLY),
-	VULNWL_INTEL(XEON_PHI_KNL,		NO_SSB | NO_L1TF | MSBDS_ONLY),
-	VULNWL_INTEL(XEON_PHI_KNM,		NO_SSB | NO_L1TF | MSBDS_ONLY),
+	VULNWL_INTEL(ATOM_SILVERMONT,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+	VULNWL_INTEL(ATOM_SILVERMONT_X,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+	VULNWL_INTEL(ATOM_SILVERMONT_MID,	NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+	VULNWL_INTEL(ATOM_AIRMONT,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+	VULNWL_INTEL(XEON_PHI_KNL,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+	VULNWL_INTEL(XEON_PHI_KNM,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
 
 	VULNWL_INTEL(CORE_YONAH,		NO_SSB),
 
-	VULNWL_INTEL(ATOM_AIRMONT_MID,		NO_L1TF | MSBDS_ONLY),
+	VULNWL_INTEL(ATOM_AIRMONT_MID,		NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
 
-	VULNWL_INTEL(ATOM_GOLDMONT,		NO_MDS | NO_L1TF),
-	VULNWL_INTEL(ATOM_GOLDMONT_X,		NO_MDS | NO_L1TF),
-	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF),
+	VULNWL_INTEL(ATOM_GOLDMONT,		NO_MDS | NO_L1TF | NO_SWAPGS),
+	VULNWL_INTEL(ATOM_GOLDMONT_X,		NO_MDS | NO_L1TF | NO_SWAPGS),
+	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF | NO_SWAPGS),
+
+	/*
+	 * Technically, swapgs isn't serializing on AMD (despite it previously
+	 * being documented as such in the APM).  But according to AMD, %gs is
+	 * updated non-speculatively, and the issuing of %gs-relative memory
+	 * operands will be blocked until the %gs update completes, which is
+	 * good enough for our purposes.
+	 */
 
 	/* AMD Family 0xf - 0x12 */
-	VULNWL_AMD(0x0f,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
-	VULNWL_AMD(0x10,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
-	VULNWL_AMD(0x11,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
-	VULNWL_AMD(0x12,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
+	VULNWL_AMD(0x0f,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
+	VULNWL_AMD(0x10,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
+	VULNWL_AMD(0x11,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
+	VULNWL_AMD(0x12,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
 
 	/* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
-	VULNWL_AMD(X86_FAMILY_ANY,	NO_MELTDOWN | NO_L1TF | NO_MDS),
+	VULNWL_AMD(X86_FAMILY_ANY,	NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS),
 	{}
 };
 
@@ -895,6 +904,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
 			setup_force_cpu_bug(X86_BUG_MSBDS_ONLY);
 	}
 
+	if (!cpu_matches(NO_SWAPGS))
+		setup_force_cpu_bug(X86_BUG_SWAPGS);
+
 	if (cpu_matches(NO_MELTDOWN))
 		return;
 
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 6e5feb342ee4..467069f38f21 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -265,14 +265,19 @@ ENDPROC(native_usergs_sysret64)
 	testl $3, CS-RBP(%rsi)
 	je 1f
 	SWAPGS
+	FENCE_SWAPGS_USER_ENTRY
 	SWITCH_KERNEL_CR3
+	jmp	2f
+1:
+	FENCE_SWAPGS_KERNEL_ENTRY
+2:
 	/*
 	 * irq_count is used to check if a CPU is already on an interrupt stack
 	 * or not. While this is essentially redundant with preempt_count it is
 	 * a little cheaper to use a separate counter in the PDA (short of
 	 * moving irq_enter into assembly, which would be too much work)
 	 */
-1:	incl PER_CPU_VAR(irq_count)
+	incl PER_CPU_VAR(irq_count)
 	cmovzq PER_CPU_VAR(irq_stack_ptr),%rsp
 	CFI_DEF_CFA_REGISTER	rsi
 
@@ -337,6 +342,13 @@ ENTRY(save_paranoid)
 	movq	%rax, %cr3
 2:
 #endif
+	/*
+	 * The above doesn't do an unconditional CR3 write, even in the PTI
+	 * case.  So do an lfence to prevent GS speculation, regardless of
+	 * whether PTI is enabled.
+	 */
+	FENCE_SWAPGS_KERNEL_ENTRY
+
 	ret
 	CFI_ENDPROC
 END(save_paranoid)
@@ -1445,10 +1457,27 @@ ENTRY(error_entry)
 	 */
 	SWITCH_KERNEL_CR3
 	testl $3,CS+8(%rsp)
-	je error_kernelspace
-error_swapgs:
+	jz	.Lerror_kernelspace
+
+	/*
+	 * We entered from user mode or we're pretending to have entered
+	 * from user mode due to an IRET fault.
+	 */
 	SWAPGS
-error_sti:
+	FENCE_SWAPGS_USER_ENTRY
+
+.Lerror_entry_from_usermode_after_swapgs:
+	/*
+	 * We need to tell lockdep that IRQs are off.  We can't do this until
+	 * we fix gsbase, and we should do it before enter_from_user_mode
+	 * (which can take locks).
+	 */
+	TRACE_IRQS_OFF
+	ret
+
+.Lerror_entry_done_lfence:
+	FENCE_SWAPGS_KERNEL_ENTRY
+.Lerror_entry_done:
 	TRACE_IRQS_OFF
 	ret
 
@@ -1458,28 +1487,46 @@ ENTRY(error_entry)
  * truncated RIP for IRET exceptions returning to compat mode. Check
  * for these here too.
  */
-error_kernelspace:
+.Lerror_kernelspace:
 	leaq native_irq_return_iret(%rip),%rcx
 	cmpq %rcx,RIP+8(%rsp)
-	je error_bad_iret
+	je	.Lerror_bad_iret
 	movl %ecx,%eax	/* zero extend */
 	cmpq %rax,RIP+8(%rsp)
-	je bstep_iret
+	je	.Lbstep_iret
 	cmpq $gs_change,RIP+8(%rsp)
-	je error_swapgs
-	jmp error_sti
+	jne	.Lerror_entry_done_lfence
+
+	/*
+	 * hack: gs_change can fail with user gsbase.  If this happens, fix up
+	 * gsbase and proceed.  We'll fix up the exception and land in
+	 * gs_change's error handler with kernel gsbase.
+	 */
+	SWAPGS
+	FENCE_SWAPGS_USER_ENTRY
+	jmp .Lerror_entry_done
 
-bstep_iret:
+.Lbstep_iret:
 	/* Fix truncated RIP */
 	movq %rcx,RIP+8(%rsp)
 	/* fall through */
 
-error_bad_iret:
+.Lerror_bad_iret:
+	/*
+	 * We came from an IRET to user mode, so we have user gsbase.
+	 * Switch to kernel gsbase:
+	 */
 	SWAPGS
+	FENCE_SWAPGS_USER_ENTRY
+
+	/*
+	 * Pretend that the exception came from user mode: set up pt_regs
+	 * as if we faulted immediately after IRET.
+	 */
 	mov %rsp,%rdi
 	call fixup_bad_iret
 	mov %rax,%rsp
-	jmp error_sti
+	jmp	.Lerror_entry_from_usermode_after_swapgs
 	CFI_ENDPROC
 END(error_entry)
 
@@ -1579,6 +1626,7 @@ ENTRY(nmi)
 	 * to switch CR3 here.
 	 */
 	cld
+	FENCE_SWAPGS_USER_ENTRY
 	movq	%rsp, %rdx
 	movq	PER_CPU_VAR(kernel_stack), %rsp
 	addq	$KERNEL_STACK_OFFSET, %rsp
@@ -1624,6 +1672,7 @@ ENTRY(nmi)
 	movq	%rax, %cr3
 2:
 #endif
+	FENCE_SWAPGS_KERNEL_ENTRY
 	call	do_nmi
 
 #ifdef CONFIG_PAGE_TABLE_ISOLATION
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 608f18c62412..cb6657f35f41 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -494,6 +494,7 @@ void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs)
 	unsigned long *sara = stack_addr(regs);
 
 	ri->ret_addr = (kprobe_opcode_t *) *sara;
+	ri->fp = sara;
 
 	/* Replace the return addr with trampoline addr */
 	*sara = (unsigned long) &kretprobe_trampoline;
@@ -685,26 +686,48 @@ static void __used kretprobe_trampoline_holder(void)
 NOKPROBE_SYMBOL(kretprobe_trampoline_holder);
 NOKPROBE_SYMBOL(kretprobe_trampoline);
 
+static struct kprobe kretprobe_kprobe = {
+	.addr = (void *)kretprobe_trampoline,
+};
+
 /*
  * Called from kretprobe_trampoline
  */
 __visible __used void *trampoline_handler(struct pt_regs *regs)
 {
+	struct kprobe_ctlblk *kcb;
 	struct kretprobe_instance *ri = NULL;
 	struct hlist_head *head, empty_rp;
 	struct hlist_node *tmp;
 	unsigned long flags, orig_ret_address = 0;
 	unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
 	kprobe_opcode_t *correct_ret_addr = NULL;
+	void *frame_pointer;
+	bool skipped = false;
+
+	preempt_disable();
+
+	/*
+	 * Set a dummy kprobe for avoiding kretprobe recursion.
+	 * Since kretprobe never run in kprobe handler, kprobe must not
+	 * be running at this point.
+	 */
+	kcb = get_kprobe_ctlblk();
+	__this_cpu_write(current_kprobe, &kretprobe_kprobe);
+	kcb->kprobe_status = KPROBE_HIT_ACTIVE;
 
 	INIT_HLIST_HEAD(&empty_rp);
 	kretprobe_hash_lock(current, &head, &flags);
 	/* fixup registers */
 #ifdef CONFIG_X86_64
 	regs->cs = __KERNEL_CS;
+	/* On x86-64, we use pt_regs->sp for return address holder. */
+	frame_pointer = &regs->sp;
 #else
 	regs->cs = __KERNEL_CS | get_kernel_rpl();
 	regs->gs = 0;
+	/* On x86-32, we use pt_regs->flags for return address holder. */
+	frame_pointer = &regs->flags;
 #endif
 	regs->ip = trampoline_address;
 	regs->orig_ax = ~0UL;
@@ -726,8 +749,25 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
 		if (ri->task != current)
 			/* another task is sharing our hash bucket */
 			continue;
+		/*
+		 * Return probes must be pushed on this hash list correct
+		 * order (same as return order) so that it can be poped
+		 * correctly. However, if we find it is pushed it incorrect
+		 * order, this means we find a function which should not be
+		 * probed, because the wrong order entry is pushed on the
+		 * path of processing other kretprobe itself.
+		 */
+		if (ri->fp != frame_pointer) {
+			if (!skipped)
+				pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n");
+			skipped = true;
+			continue;
+		}
 
 		orig_ret_address = (unsigned long)ri->ret_addr;
+		if (skipped)
+			pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n",
+				ri->rp->kp.addr);
 
 		if (orig_ret_address != trampoline_address)
 			/*
@@ -745,14 +785,15 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
 		if (ri->task != current)
 			/* another task is sharing our hash bucket */
 			continue;
+		if (ri->fp != frame_pointer)
+			continue;
 
 		orig_ret_address = (unsigned long)ri->ret_addr;
 		if (ri->rp && ri->rp->handler) {
 			__this_cpu_write(current_kprobe, &ri->rp->kp);
-			get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
 			ri->ret_addr = correct_ret_addr;
 			ri->rp->handler(ri, regs);
-			__this_cpu_write(current_kprobe, NULL);
+			__this_cpu_write(current_kprobe, &kretprobe_kprobe);
 		}
 
 		recycle_rp_inst(ri, &empty_rp);
@@ -768,6 +809,9 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
 
 	kretprobe_hash_unlock(current, &flags);
 
+	__this_cpu_write(current_kprobe, NULL);
+	preempt_enable();
+
 	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
 		hlist_del(&ri->hlist);
 		kfree(ri);
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 074510b5ea77..feca78bf2a6b 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -351,6 +351,8 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp,
 	u64 msr = x86_spec_ctrl_base;
 	bool updmsr = false;
 
+	lockdep_assert_irqs_disabled();
+
 	/*
 	 * If TIF_SSBD is different, select the proper mitigation
 	 * method. Note that if SSBD mitigation is disabled or permanentely
@@ -402,10 +404,12 @@ static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk)
 
 void speculation_ctrl_update(unsigned long tif)
 {
+	unsigned long flags;
+
 	/* Forced update. Make sure all relevant TIF flags are different */
-	preempt_disable();
+	local_irq_save(flags);
 	__speculation_ctrl_update(~tif, tif);
-	preempt_enable();
+	local_irq_restore(flags);
 }
 
 /* Called from seccomp/prctl update */
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 95cd58cdee99..6531ffcb174b 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -395,6 +395,11 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
 			entry->ebx |= F(TSC_ADJUST);
 			entry->edx &= kvm_cpuid_7_0_edx_x86_features;
 			cpuid_mask(&entry->edx, 10);
+			/*
+			 * We emulate ARCH_CAPABILITIES in software even
+			 * if the host doesn't support it.
+			 */
+			entry->edx |= F(ARCH_CAPABILITIES);
 		} else {
 			entry->ebx = 0;
 			entry->edx = 0;
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index c81ccc0d8da0..886fb53b4604 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -1492,7 +1492,7 @@ static int is_empty_shadow_page(u64 *spt)
  * aggregate version in order to make the slab shrinker
  * faster
  */
-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, int nr)
+static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
 {
 	kvm->arch.n_used_mmu_pages += nr;
 	percpu_counter_add(&kvm_total_used_mmu_pages, nr);
@@ -2207,7 +2207,7 @@ static bool prepare_zap_oldest_mmu_page(struct kvm *kvm,
  * Changing the number of mmu pages allocated to the vm
  * Note: if goal_nr_mmu_pages is too small, you will get dead lock
  */
-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int goal_nr_mmu_pages)
+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages)
 {
 	LIST_HEAD(invalid_list);
 
@@ -4505,10 +4505,10 @@ int kvm_mmu_module_init(void)
 /*
  * Caculate mmu pages needed for kvm.
  */
-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
 {
-	unsigned int nr_mmu_pages;
-	unsigned int  nr_pages = 0;
+	unsigned long nr_mmu_pages;
+	unsigned long nr_pages = 0;
 	struct kvm_memslots *slots;
 	struct kvm_memory_slot *memslot;
 
@@ -4518,8 +4518,7 @@ unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
 		nr_pages += memslot->npages;
 
 	nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000;
-	nr_mmu_pages = max(nr_mmu_pages,
-			(unsigned int) KVM_MIN_ALLOC_MMU_PAGES);
+	nr_mmu_pages = max(nr_mmu_pages, KVM_MIN_ALLOC_MMU_PAGES);
 
 	return nr_mmu_pages;
 }
diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
index 58b2f51fdfdc..f3dc8f614512 100644
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -81,7 +81,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
 		bool execonly);
 bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu);
 
-static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
+static inline unsigned long kvm_mmu_available_pages(struct kvm *kvm)
 {
 	if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
 		return kvm->arch.n_max_mmu_pages -
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index bd6b883f3075..00dd9ea13c22 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -433,7 +433,6 @@ struct vcpu_vmx {
 	u64 		      msr_guest_kernel_gs_base;
 #endif
 
-	u64 		      arch_capabilities;
 	u64 		      spec_ctrl;
 
 	u32 vm_entry_controls_shadow;
@@ -2481,12 +2480,6 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 
 		msr_info->data = to_vmx(vcpu)->spec_ctrl;
 		break;
-	case MSR_IA32_ARCH_CAPABILITIES:
-		if (!msr_info->host_initiated &&
-		    !guest_cpuid_has_arch_capabilities(vcpu))
-			return 1;
-		msr_info->data = to_vmx(vcpu)->arch_capabilities;
-		break;
 	case MSR_IA32_SYSENTER_CS:
 		msr_info->data = vmcs_read32(GUEST_SYSENTER_CS);
 		break;
@@ -2636,11 +2629,6 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 		vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD,
 					      MSR_TYPE_W);
 		break;
-	case MSR_IA32_ARCH_CAPABILITIES:
-		if (!msr_info->host_initiated)
-			return 1;
-		vmx->arch_capabilities = data;
-		break;
 	case MSR_IA32_CR_PAT:
 		if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
 			if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
@@ -4583,9 +4571,6 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
 		++vmx->nmsrs;
 	}
 
-	if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
-		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, vmx->arch_capabilities);
-
 	vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl);
 
 	/* 22.2.1, 20.8.1 */
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index cab3ca9d3f03..2c0f1ea119d6 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2089,6 +2089,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 	case MSR_F15H_EX_CFG:
 		break;
 
+	case MSR_IA32_ARCH_CAPABILITIES:
+		if (!msr_info->host_initiated)
+			return 1;
+		vcpu->arch.arch_capabilities = data;
+		break;
 	case MSR_EFER:
 		return set_efer(vcpu, data);
 	case MSR_K7_HWCR:
@@ -2479,6 +2484,12 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 	case MSR_IA32_UCODE_REV:
 		msr_info->data = 0x100000000ULL;
 		break;
+	case MSR_IA32_ARCH_CAPABILITIES:
+		if (!msr_info->host_initiated &&
+		    !guest_cpuid_has_arch_capabilities(vcpu))
+			return 1;
+		msr_info->data = vcpu->arch.arch_capabilities;
+		break;
 	case MSR_MTRRcap:
 		msr_info->data = 0x500 | KVM_NR_VAR_MTRR;
 		break;
@@ -3518,7 +3529,7 @@ static int kvm_vm_ioctl_set_identity_map_addr(struct kvm *kvm,
 }
 
 static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm,
-					  u32 kvm_nr_mmu_pages)
+					 unsigned long kvm_nr_mmu_pages)
 {
 	if (kvm_nr_mmu_pages < KVM_MIN_ALLOC_MMU_PAGES)
 		return -EINVAL;
@@ -3532,7 +3543,7 @@ static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm,
 	return 0;
 }
 
-static int kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm)
+static unsigned long kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm)
 {
 	return kvm->arch.n_max_mmu_pages;
 }
@@ -6957,6 +6968,9 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
 {
 	int r;
 
+	if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
+		rdmsrl(MSR_IA32_ARCH_CAPABILITIES,
+		       vcpu->arch.arch_capabilities);
 	vcpu->arch.mtrr_state.have_fixed = 1;
 	r = vcpu_load(vcpu);
 	if (r)
diff --git a/arch/xtensa/kernel/stacktrace.c b/arch/xtensa/kernel/stacktrace.c
index 7d2c317bd98b..922525c0d25c 100644
--- a/arch/xtensa/kernel/stacktrace.c
+++ b/arch/xtensa/kernel/stacktrace.c
@@ -107,10 +107,14 @@ static int return_address_cb(struct stackframe *frame, void *data)
 	return 1;
 }
 
+/*
+ * level == 0 is for the return address from the caller of this function,
+ * not from this function itself.
+ */
 unsigned long return_address(unsigned level)
 {
 	struct return_addr_data r = {
-		.skip = level + 1,
+		.skip = level,
 	};
 	walk_stackframe(stack_pointer(NULL), return_address_cb, &r);
 	return r.addr;
diff --git a/block/bio.c b/block/bio.c
index 4218dab2bb47..3163dac6735d 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1216,8 +1216,11 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
 			}
 		}
 
-		if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes)
+		if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) {
+			if (!map_data)
+				__free_page(page);
 			break;
+		}
 
 		len -= bytes;
 		offset = 0;
diff --git a/drivers/acpi/acpica/nsobject.c b/drivers/acpi/acpica/nsobject.c
index f1ea8e56cd87..7abcfa6b055c 100644
--- a/drivers/acpi/acpica/nsobject.c
+++ b/drivers/acpi/acpica/nsobject.c
@@ -222,6 +222,10 @@ void acpi_ns_detach_object(struct acpi_namespace_node *node)
 		}
 	}
 
+	if (obj_desc->common.type == ACPI_TYPE_REGION) {
+		acpi_ut_remove_address_range(obj_desc->region.space_id, node);
+	}
+
 	/* Clear the Node entry in all cases */
 
 	node->object = NULL;
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index df51673d6591..3999b8c6a09d 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -2113,6 +2113,9 @@ static void setup_format_params(int track)
 	raw_cmd->kernel_data = floppy_track_buffer;
 	raw_cmd->length = 4 * F_SECT_PER_TRACK;
 
+	if (!F_SECT_PER_TRACK)
+		return;
+
 	/* allow for about 30ms for data transport per track */
 	head_shift = (F_SECT_PER_TRACK + 5) / 6;
 
@@ -3233,8 +3236,12 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
 	int cnt;
 
 	/* sanity checking for parameters. */
-	if (g->sect <= 0 ||
-	    g->head <= 0 ||
+	if ((int)g->sect <= 0 ||
+	    (int)g->head <= 0 ||
+	    /* check for overflow in max_sector */
+	    (int)(g->sect * g->head) <= 0 ||
+	    /* check for zero in F_SECT_PER_TRACK */
+	    (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
 	    g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
 	    /* check if reserved bits are set */
 	    (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
@@ -3378,6 +3385,24 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
 	return 0;
 }
 
+static bool valid_floppy_drive_params(const short autodetect[8],
+		int native_format)
+{
+	size_t floppy_type_size = ARRAY_SIZE(floppy_type);
+	size_t i = 0;
+
+	for (i = 0; i < 8; ++i) {
+		if (autodetect[i] < 0 ||
+		    autodetect[i] >= floppy_type_size)
+			return false;
+	}
+
+	if (native_format < 0 || native_format >= floppy_type_size)
+		return false;
+
+	return true;
+}
+
 static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd,
 		    unsigned long param)
 {
@@ -3504,6 +3529,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
 		SUPBOUND(size, strlen((const char *)outparam) + 1);
 		break;
 	case FDSETDRVPRM:
+		if (!valid_floppy_drive_params(inparam.dp.autodetect,
+				inparam.dp.native_format))
+			return -EINVAL;
 		*UDP = inparam.dp;
 		break;
 	case FDGETDRVPRM:
diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c
index ab3ea62e5dfc..f98a9207ec7e 100644
--- a/drivers/block/xsysace.c
+++ b/drivers/block/xsysace.c
@@ -1062,6 +1062,8 @@ static int ace_setup(struct ace_device *ace)
 	return 0;
 
 err_read:
+	/* prevent double queue cleanup */
+	ace->gd->queue = NULL;
 	put_disk(ace->gd);
 err_alloc_disk:
 	blk_cleanup_queue(ace->queue);
diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c
index 0bc8a6a6a148..353ed68db711 100644
--- a/drivers/bluetooth/hci_ath.c
+++ b/drivers/bluetooth/hci_ath.c
@@ -112,6 +112,9 @@ static int ath_open(struct hci_uart *hu)
 
 	BT_DBG("hu %p", hu);
 
+	if (!hci_uart_has_flow_control(hu))
+		return -EOPNOTSUPP;
+
 	ath = kzalloc(sizeof(*ath), GFP_KERNEL);
 	if (!ath)
 		return -ENOMEM;
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index e00f8f5b5c8e..9ad437053e22 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -261,6 +261,15 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 	return 0;
 }
 
+/* Check the underlying device or tty has flow control support */
+bool hci_uart_has_flow_control(struct hci_uart *hu)
+{
+	if (hu->tty->driver->ops->tiocmget && hu->tty->driver->ops->tiocmset)
+		return true;
+
+	return false;
+}
+
 /* ------ LDISC part ------ */
 /* hci_uart_tty_open
  *
diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h
index 12df101ca942..58e0bb8c041b 100644
--- a/drivers/bluetooth/hci_uart.h
+++ b/drivers/bluetooth/hci_uart.h
@@ -90,6 +90,7 @@ int hci_uart_register_proto(struct hci_uart_proto *p);
 int hci_uart_unregister_proto(struct hci_uart_proto *p);
 int hci_uart_tx_wakeup(struct hci_uart *hu);
 int hci_uart_init_ready(struct hci_uart *hu);
+bool hci_uart_has_flow_control(struct hci_uart *hu);
 
 #ifdef CONFIG_BT_HCIUART_H4
 int h4_init(void);
diff --git a/drivers/gpio/gpio-adnp.c b/drivers/gpio/gpio-adnp.c
index b2239d678d01..f2c092676e01 100644
--- a/drivers/gpio/gpio-adnp.c
+++ b/drivers/gpio/gpio-adnp.c
@@ -140,8 +140,10 @@ static int adnp_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
 	if (err < 0)
 		goto out;
 
-	if (err & BIT(pos))
-		err = -EACCES;
+	if (value & BIT(pos)) {
+		err = -EPERM;
+		goto out;
+	}
 
 	err = 0;
 
diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
index dbcea7941059..3837cbdaf100 100644
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta,
 	if (sigma_delta->info->has_registers) {
 		data[0] = reg << sigma_delta->info->addr_shift;
 		data[0] |= sigma_delta->info->read_mask;
+		data[0] |= sigma_delta->comm;
 		spi_message_add_tail(&t[0], &m);
 	}
 	spi_message_add_tail(&t[1], &m);
diff --git a/drivers/iio/adc/at91_adc.c b/drivers/iio/adc/at91_adc.c
index 10d5ec213091..2f7ad2538cec 100644
--- a/drivers/iio/adc/at91_adc.c
+++ b/drivers/iio/adc/at91_adc.c
@@ -702,23 +702,29 @@ static int at91_adc_read_raw(struct iio_dev *idev,
 		ret = wait_event_interruptible_timeout(st->wq_data_avail,
 						       st->done,
 						       msecs_to_jiffies(1000));
-		if (ret == 0)
-			ret = -ETIMEDOUT;
-		if (ret < 0) {
-			mutex_unlock(&st->lock);
-			return ret;
-		}
-
-		*val = st->last_value;
 
+		/* Disable interrupts, regardless if adc conversion was
+		 * successful or not
+		 */
 		at91_adc_writel(st, AT91_ADC_CHDR,
 				AT91_ADC_CH(chan->channel));
 		at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel));
 
-		st->last_value = 0;
-		st->done = false;
+		if (ret > 0) {
+			/* a valid conversion took place */
+			*val = st->last_value;
+			st->last_value = 0;
+			st->done = false;
+			ret = IIO_VAL_INT;
+		} else if (ret == 0) {
+			/* conversion timeout */
+			dev_err(&idev->dev, "ADC Channel %d timeout.\n",
+				chan->channel);
+			ret = -ETIMEDOUT;
+		}
+
 		mutex_unlock(&st->lock);
-		return IIO_VAL_INT;
+		return ret;
 
 	case IIO_CHAN_INFO_SCALE:
 		*val = st->vref_mv;
diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c
index b4dde8315210..89f695a958e9 100644
--- a/drivers/iio/dac/mcp4725.c
+++ b/drivers/iio/dac/mcp4725.c
@@ -86,6 +86,7 @@ static ssize_t mcp4725_store_eeprom(struct device *dev,
 		return 0;
 
 	inoutbuf[0] = 0x60; /* write EEPROM */
+	inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0;
 	inoutbuf[1] = data->dac_value >> 4;
 	inoutbuf[2] = (data->dac_value & 0xf) << 4;
 
diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
index 7562531ebf0e..77b19ca8b763 100644
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -836,10 +836,8 @@ int iio_scan_mask_set(struct iio_dev *indio_dev,
 	const unsigned long *mask;
 	unsigned long *trialmask;
 
-	trialmask = kmalloc(sizeof(*trialmask)*
-			    BITS_TO_LONGS(indio_dev->masklength),
-			    GFP_KERNEL);
-
+	trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength),
+			    sizeof(*trialmask), GFP_KERNEL);
 	if (trialmask == NULL)
 		return -ENOMEM;
 	if (!indio_dev->masklength) {
diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index 4d1b400ed260..5ea56edcdf42 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1195,12 +1195,12 @@ EXPORT_SYMBOL(iio_device_register);
  **/
 void iio_device_unregister(struct iio_dev *indio_dev)
 {
-	mutex_lock(&indio_dev->info_exist_lock);
-
 	device_del(&indio_dev->dev);
 
 	if (indio_dev->chrdev.dev)
 		cdev_del(&indio_dev->chrdev);
+
+	mutex_lock(&indio_dev->info_exist_lock);
 	iio_device_unregister_debugfs(indio_dev);
 
 	iio_disable_all_buffers(indio_dev);
diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c
index 0eb141c41416..fb60229bf191 100644
--- a/drivers/infiniband/hw/mlx4/alias_GUID.c
+++ b/drivers/infiniband/hw/mlx4/alias_GUID.c
@@ -579,8 +579,8 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev)
 	unsigned long flags;
 
 	for (i = 0 ; i < dev->num_ports; i++) {
-		cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work);
 		det = &sriov->alias_guid.ports_guid[i];
+		cancel_delayed_work_sync(&det->alias_guid_work);
 		spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags);
 		while (!list_empty(&det->cb_list)) {
 			cb_ctx = list_entry(det->cb_list.next,
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
index fe1ab5067b5d..cf3af3a3297a 100644
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
 
 /* Max size of a single report */
 #define REPORT_MAX_SIZE       10
+#define MAX_COLLECTION_LEVELS  10
 
 
 /* Bitmask whether pen is in range */
@@ -224,8 +225,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
 	char  maintype = 'x';
 	char  globtype[12];
 	int   indent = 0;
-	char  indentstr[10] = "";
-
+	char  indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };
 
 	dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
 
@@ -351,6 +351,13 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
 			case TAG_MAIN_COL_START:
 				maintype = 'S';
 
+				if (indent == MAX_COLLECTION_LEVELS) {
+					dev_err(ddev, "Collection level %d would exceed limit of %d\n",
+						indent + 1,
+						MAX_COLLECTION_LEVELS);
+					break;
+				}
+
 				if (data == 0) {
 					dev_dbg(ddev, "======>>>>>> Physical\n");
 					strcpy(globtype, "Physical");
@@ -370,8 +377,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
 				break;
 
 			case TAG_MAIN_COL_END:
-				dev_dbg(ddev, "<<<<<<======\n");
 				maintype = 'E';
+
+				if (indent == 0) {
+					dev_err(ddev, "Collection level already at zero\n");
+					break;
+				}
+
+				dev_dbg(ddev, "<<<<<<======\n");
+
 				indent--;
 				for (x = 0; x < indent; x++)
 					indentstr[x] = '-';
diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
index 48b726f4ad48..006f4f9a3170 100644
--- a/drivers/iommu/amd_iommu_init.c
+++ b/drivers/iommu/amd_iommu_init.c
@@ -293,7 +293,7 @@ static void iommu_write_l2(struct amd_iommu *iommu, u8 address, u32 val)
 static void iommu_set_exclusion_range(struct amd_iommu *iommu)
 {
 	u64 start = iommu->exclusion_start & PAGE_MASK;
-	u64 limit = (start + iommu->exclusion_length) & PAGE_MASK;
+	u64 limit = (start + iommu->exclusion_length - 1) & PAGE_MASK;
 	u64 entry;
 
 	if (!iommu->exclusion_start)
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index b60eb1cca150..c2a44d2ca5b6 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -1394,6 +1394,9 @@ static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu)
 	u32 pmen;
 	unsigned long flags;
 
+	if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap))
+		return;
+
 	raw_spin_lock_irqsave(&iommu->register_lock, flags);
 	pmen = readl(iommu->reg + DMAR_PMEN_REG);
 	pmen &= ~DMA_PMEN_EPM;
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index f5f1837dfa5b..b010f9600d87 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -1432,6 +1432,36 @@ static bool dm_table_supports_write_same(struct dm_table *t)
 	return true;
 }
 
+static int device_requires_stable_pages(struct dm_target *ti,
+					struct dm_dev *dev, sector_t start,
+					sector_t len, void *data)
+{
+	struct request_queue *q = bdev_get_queue(dev->bdev);
+
+	return q && bdi_cap_stable_pages_required(&q->backing_dev_info);
+}
+
+/*
+ * If any underlying device requires stable pages, a table must require
+ * them as well.  Only targets that support iterate_devices are considered:
+ * don't want error, zero, etc to require stable pages.
+ */
+static bool dm_table_requires_stable_pages(struct dm_table *t)
+{
+	struct dm_target *ti;
+	unsigned i;
+
+	for (i = 0; i < dm_table_get_num_targets(t); i++) {
+		ti = dm_table_get_target(t, i);
+
+		if (ti->type->iterate_devices &&
+		    ti->type->iterate_devices(ti, device_requires_stable_pages, NULL))
+			return true;
+	}
+
+	return false;
+}
+
 void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q,
 			       struct queue_limits *limits)
 {
@@ -1473,6 +1503,15 @@ void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q,
 
 	dm_table_set_integrity(t);
 
+	/*
+	 * Some devices don't use blk_integrity but still want stable pages
+	 * because they do their own checksumming.
+	 */
+	if (dm_table_requires_stable_pages(t))
+		q->backing_dev_info.capabilities |= BDI_CAP_STABLE_WRITES;
+	else
+		q->backing_dev_info.capabilities &= ~BDI_CAP_STABLE_WRITES;
+
 	/*
 	 * Determine whether or not this queue's I/O timings contribute
 	 * to the entropy pool, Only request-based targets use this.
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 043ad8d8d700..30ae713aecf8 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -756,6 +756,15 @@ static void dec_pending(struct dm_io *io, int error)
 	}
 }
 
+static void disable_discard(struct mapped_device *md)
+{
+	struct queue_limits *limits = dm_get_queue_limits(md);
+
+	/* device doesn't really support DISCARD, disable it */
+	limits->max_discard_sectors = 0;
+	queue_flag_clear(QUEUE_FLAG_DISCARD, md->queue);
+}
+
 static void disable_write_same(struct mapped_device *md)
 {
 	struct queue_limits *limits = dm_get_queue_limits(md);
@@ -792,9 +801,14 @@ static void clone_endio(struct bio *bio, int error)
 		}
 	}
 
-	if (unlikely(r == -EREMOTEIO && (bio->bi_rw & REQ_WRITE_SAME) &&
-		     !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors))
-		disable_write_same(md);
+	if (unlikely(r == -EREMOTEIO)) {
+		if (bio->bi_rw & REQ_DISCARD &&
+		    !bdev_get_queue(bio->bi_bdev)->limits.max_discard_sectors)
+			disable_discard(md);
+		else if (bio->bi_rw & REQ_WRITE_SAME &&
+			 !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors)
+ 			disable_write_same(md);
+	}
 
 	free_tio(md, tio);
 	dec_pending(io, error);
@@ -996,9 +1010,14 @@ static void dm_done(struct request *clone, int error, bool mapped)
 			r = rq_end_io(tio->ti, clone, error, &tio->info);
 	}
 
-	if (unlikely(r == -EREMOTEIO && (clone->cmd_flags & REQ_WRITE_SAME) &&
-		     !clone->q->limits.max_write_same_sectors))
-		disable_write_same(tio->md);
+	if (unlikely(r == -EREMOTEIO)) {
+		if (clone->cmd_flags & REQ_DISCARD &&
+		    !clone->q->limits.max_discard_sectors)
+			disable_discard(tio->md);
+		else if (clone->cmd_flags & REQ_WRITE_SAME &&
+			 !clone->q->limits.max_write_same_sectors)
+			disable_write_same(tio->md);
+	}
 
 	if (r <= 0)
 		/* The target wants to complete the I/O */
diff --git a/drivers/media/usb/tlg2300/pd-common.h b/drivers/media/usb/tlg2300/pd-common.h
index 9e23ad32d2fe..562a58886ca2 100644
--- a/drivers/media/usb/tlg2300/pd-common.h
+++ b/drivers/media/usb/tlg2300/pd-common.h
@@ -257,7 +257,7 @@ void set_debug_mode(struct video_device *vfd, int debug_mode);
 #else
 #define in_hibernation(pd) (0)
 #endif
-#define get_pm_count(p) (atomic_read(&(p)->interface->pm_usage_cnt))
+#define get_pm_count(p) (atomic_read(&(p)->interface->dev.power.usage_count))
 
 #define log(a, ...) printk(KERN_DEBUG "\t[ %s : %.3d ] "a"\n", \
 				__func__, __LINE__,  ## __VA_ARGS__)
diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
index 92303daf44dc..40047a2f4696 100644
--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -1538,7 +1538,11 @@ static int __xipram do_write_buffer(struct map_info *map, struct flchip *chip,
 			continue;
 		}
 
-		if (time_after(jiffies, timeo) && !chip_ready(map, adr))
+		/*
+		 * We check "time_after" and "!chip_good" before checking "chip_good" to avoid
+		 * the failure due to scheduling.
+		 */
+		if (time_after(jiffies, timeo) && !chip_good(map, adr, datum))
 			break;
 
 		if (chip_good(map, adr, datum)) {
diff --git a/drivers/net/ethernet/3com/3c515.c b/drivers/net/ethernet/3com/3c515.c
index 94c656f5a05d..d4552e2c7189 100644
--- a/drivers/net/ethernet/3com/3c515.c
+++ b/drivers/net/ethernet/3com/3c515.c
@@ -1524,7 +1524,7 @@ static void update_stats(int ioaddr, struct net_device *dev)
 static void set_rx_mode(struct net_device *dev)
 {
 	int ioaddr = dev->base_addr;
-	short new_mode;
+	unsigned short new_mode;
 
 	if (dev->flags & IFF_PROMISC) {
 		if (corkscrew_debug > 3)
diff --git a/drivers/net/ethernet/8390/mac8390.c b/drivers/net/ethernet/8390/mac8390.c
index 90e825e8abfe..02beb18942d2 100644
--- a/drivers/net/ethernet/8390/mac8390.c
+++ b/drivers/net/ethernet/8390/mac8390.c
@@ -153,11 +153,6 @@ static void dayna_block_input(struct net_device *dev, int count,
 static void dayna_block_output(struct net_device *dev, int count,
 			       const unsigned char *buf, int start_page);
 
-#define memcpy_fromio(a, b, c)	memcpy((a), (void *)(b), (c))
-#define memcpy_toio(a, b, c)	memcpy((void *)(a), (b), (c))
-
-#define memcmp_withio(a, b, c)	memcmp((a), (void *)(b), (c))
-
 /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */
 static void slow_sane_get_8390_hdr(struct net_device *dev,
 				   struct e8390_pkt_hdr *hdr, int ring_page);
@@ -244,19 +239,26 @@ static enum mac8390_type __init mac8390_ident(struct nubus_dev *dev)
 
 static enum mac8390_access __init mac8390_testio(volatile unsigned long membase)
 {
-	unsigned long outdata = 0xA5A0B5B0;
-	unsigned long indata =  0x00000000;
+	u32 outdata = 0xA5A0B5B0;
+	u32 indata = 0;
+
 	/* Try writing 32 bits */
-	memcpy_toio(membase, &outdata, 4);
-	/* Now compare them */
-	if (memcmp_withio(&outdata, membase, 4) == 0)
+	nubus_writel(outdata, membase);
+	/* Now read it back */
+	indata = nubus_readl(membase);
+	if (outdata == indata)
 		return ACCESS_32;
+
+	outdata = 0xC5C0D5D0;
+	indata = 0;
+
 	/* Write 16 bit output */
 	word_memcpy_tocard(membase, &outdata, 4);
 	/* Now read it back */
 	word_memcpy_fromcard(&indata, membase, 4);
 	if (outdata == indata)
 		return ACCESS_16;
+
 	return ACCESS_UNKNOWN;
 }
 
@@ -742,7 +744,7 @@ static void sane_get_8390_hdr(struct net_device *dev,
 			      struct e8390_pkt_hdr *hdr, int ring_page)
 {
 	unsigned long hdr_start = (ring_page - WD_START_PG)<<8;
-	memcpy_fromio(hdr, dev->mem_start + hdr_start, 4);
+	memcpy_fromio(hdr, (void __iomem *)dev->mem_start + hdr_start, 4);
 	/* Fix endianness */
 	hdr->count = swab16(hdr->count);
 }
@@ -756,13 +758,16 @@ static void sane_block_input(struct net_device *dev, int count,
 	if (xfer_start + count > ei_status.rmem_end) {
 		/* We must wrap the input move. */
 		int semi_count = ei_status.rmem_end - xfer_start;
-		memcpy_fromio(skb->data, dev->mem_start + xfer_base,
+		memcpy_fromio(skb->data,
+			      (void __iomem *)dev->mem_start + xfer_base,
 			      semi_count);
 		count -= semi_count;
-		memcpy_fromio(skb->data + semi_count, ei_status.rmem_start,
-			      count);
+		memcpy_fromio(skb->data + semi_count,
+			      (void __iomem *)ei_status.rmem_start, count);
 	} else {
-		memcpy_fromio(skb->data, dev->mem_start + xfer_base, count);
+		memcpy_fromio(skb->data,
+			      (void __iomem *)dev->mem_start + xfer_base,
+			      count);
 	}
 }
 
@@ -771,7 +776,7 @@ static void sane_block_output(struct net_device *dev, int count,
 {
 	long shmem = (start_page - WD_START_PG)<<8;
 
-	memcpy_toio(dev->mem_start + shmem, buf, count);
+	memcpy_toio((void __iomem *)dev->mem_start + shmem, buf, count);
 }
 
 /* dayna block input/output */
diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
index 4332ebbd7162..39f4b38fd068 100644
--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
@@ -2381,6 +2381,7 @@ static void *__vxge_hw_blockpool_malloc(struct __vxge_hw_device *devh, u32 size,
 			vxge_os_dma_free(devh->pdev, memblock,
 				&dma_object->acc_handle);
 			status = VXGE_HW_ERR_OUT_OF_MEMORY;
+			memblock = NULL;
 			goto exit;
 		}
 
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index 47eba38ae526..75cc676a3239 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -16,7 +16,6 @@
 #include <linux/idr.h>
 #include <linux/fs.h>
 
-#include <net/ipv6.h>
 #include <net/net_namespace.h>
 #include <net/rtnetlink.h>
 #include <net/sock.h>
@@ -571,8 +570,6 @@ static int macvtap_skb_from_vnet_hdr(struct sk_buff *skb,
 			break;
 		case VIRTIO_NET_HDR_GSO_UDP:
 			gso_type = SKB_GSO_UDP;
-			if (skb->protocol == htons(ETH_P_IPV6))
-				ipv6_proxy_select_ident(skb);
 			break;
 		default:
 			return -EINVAL;
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 7a6d2f8c5201..77fcb1bd81bc 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1072,7 +1072,10 @@ int genphy_soft_reset(struct phy_device *phydev)
 {
 	int ret;
 
-	ret = phy_write(phydev, MII_BMCR, BMCR_RESET);
+	ret = phy_read(phydev, MII_BMCR);
+	if (ret < 0)
+		return ret;
+	ret = phy_write(phydev, MII_BMCR, ret | BMCR_RESET);
 	if (ret < 0)
 		return ret;
 
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index 5dd0fe1635b9..a97b20773508 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -284,7 +284,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
 	nf_reset(skb);
 
 	skb->ip_summed = CHECKSUM_NONE;
-	ip_select_ident(skb, NULL);
+	ip_select_ident(sock_net(sk), skb, NULL);
 	ip_send_check(iph);
 
 	ip_local_out(skb);
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index b52eabc168a0..f8234b5439f5 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -153,7 +153,7 @@ slhc_init(int rslots, int tslots)
 void
 slhc_free(struct slcompress *comp)
 {
-	if ( comp == NULLSLCOMPR )
+	if ( IS_ERR_OR_NULL(comp) )
 		return;
 
 	if ( comp->tstate != NULLSLSTATE )
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index d6511041c766..8d408cd7c170 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1116,6 +1116,12 @@ static int team_port_add(struct team *team, struct net_device *port_dev)
 		return -EINVAL;
 	}
 
+	if (netdev_has_upper_dev(dev, port_dev)) {
+		netdev_err(dev, "Device %s is already an upper device of the team interface\n",
+			   portname);
+		return -EBUSY;
+	}
+
 	if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
 	    vlan_uses_dev(dev)) {
 		netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n",
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 48ac45f26fa3..1bbcb278e6df 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -65,7 +65,6 @@
 #include <linux/nsproxy.h>
 #include <linux/virtio_net.h>
 #include <linux/rcupdate.h>
-#include <net/ipv6.h>
 #include <net/net_namespace.h>
 #include <net/netns/generic.h>
 #include <net/rtnetlink.h>
@@ -1143,8 +1142,6 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
 		break;
 	}
 
-	skb_reset_network_header(skb);
-
 	if (gso.gso_type != VIRTIO_NET_HDR_GSO_NONE) {
 		pr_debug("GSO!\n");
 		switch (gso.gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
@@ -1156,8 +1153,6 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
 			break;
 		case VIRTIO_NET_HDR_GSO_UDP:
 			skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
-			if (skb->protocol == htons(ETH_P_IPV6))
-				ipv6_proxy_select_ident(skb);
 			break;
 		default:
 			tun->dev->stats.rx_frame_errors++;
@@ -1187,6 +1182,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
 		skb_shinfo(skb)->tx_flags |= SKBTX_SHARED_FRAG;
 	}
 
+	skb_reset_network_header(skb);
 	skb_probe_transport_header(skb, 0);
 
 	rxhash = skb_get_hash(skb);
diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
index d13f25cd70d5..91aebb03841e 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -666,7 +666,6 @@ enum rt2x00_state_flags {
 	CONFIG_CHANNEL_HT40,
 	CONFIG_POWERSAVING,
 	CONFIG_HT_DISABLED,
-	CONFIG_QOS_DISABLED,
 
 	/*
 	 * Mark we currently are sequentially reading TX_STA_FIFO register
diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
index 004dff9b962d..e7c152dd0bef 100644
--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
@@ -682,18 +682,8 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
 			rt2x00dev->intf_associated--;
 
 		rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated);
-
-		clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
 	}
 
-	/*
-	 * Check for access point which do not support 802.11e . We have to
-	 * generate data frames sequence number in S/W for such AP, because
-	 * of H/W bug.
-	 */
-	if (changes & BSS_CHANGED_QOS && !bss_conf->qos)
-		set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
-
 	/*
 	 * When the erp information has changed, we should perform
 	 * additional configuration steps. For all other changes we are done.
diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
index 22d49d575d3f..8705092a052e 100644
--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
 	if (!test_bit(REQUIRE_SW_SEQNO, &rt2x00dev->cap_flags)) {
 		/*
 		 * rt2800 has a H/W (or F/W) bug, device incorrectly increase
-		 * seqno on retransmited data (non-QOS) frames. To workaround
-		 * the problem let's generate seqno in software if QOS is
-		 * disabled.
+		 * seqno on retransmitted data (non-QOS) and management frames.
+		 * To workaround the problem let's generate seqno in software.
+		 * Except for beacons which are transmitted periodically by H/W
+		 * hence hardware has to assign seqno for them.
 		 */
-		if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags))
-			__clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
-		else
+	    	if (ieee80211_is_beacon(hdr->frame_control)) {
+			__set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
 			/* H/W will generate sequence number */
 			return;
+		}
+
+		__clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
 	}
 
 	/*
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index f5d1f51101cf..57cc4e7d2bbc 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3514,6 +3514,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123,
 /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130,
 			 quirk_dma_func1_alias);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9170,
+			 quirk_dma_func1_alias);
 /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c47 + c57 */
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9172,
 			 quirk_dma_func1_alias);
diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
index 21a6f6d76bbb..3a62c049696e 100644
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -652,6 +652,20 @@ static void zfcp_erp_strategy_memwait(struct zfcp_erp_action *erp_action)
 	add_timer(&erp_action->timer);
 }
 
+void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
+				     int clear, char *dbftag)
+{
+	unsigned long flags;
+	struct zfcp_port *port;
+
+	write_lock_irqsave(&adapter->erp_lock, flags);
+	read_lock(&adapter->port_list_lock);
+	list_for_each_entry(port, &adapter->port_list, list)
+		_zfcp_erp_port_forced_reopen(port, clear, dbftag);
+	read_unlock(&adapter->port_list_lock);
+	write_unlock_irqrestore(&adapter->erp_lock, flags);
+}
+
 static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter,
 				      int clear, char *id)
 {
@@ -1313,6 +1327,9 @@ static void zfcp_erp_try_rport_unblock(struct zfcp_port *port)
 		struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
 		int lun_status;
 
+		if (sdev->sdev_state == SDEV_DEL ||
+		    sdev->sdev_state == SDEV_CANCEL)
+			continue;
 		if (zsdev->port != port)
 			continue;
 		/* LUN under port of interest */
diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
index c5023d6811a8..cfe2a3b2d3b2 100644
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -68,6 +68,8 @@ extern void zfcp_erp_clear_port_status(struct zfcp_port *, u32);
 extern int  zfcp_erp_port_reopen(struct zfcp_port *, int, char *);
 extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *);
 extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *);
+extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
+					    int clear, char *dbftag);
 extern void zfcp_erp_set_lun_status(struct scsi_device *, u32);
 extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32);
 extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *);
diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
index f213786fe96c..9e9f0ad00bef 100644
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -347,6 +347,10 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt)
 	struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
 	int ret = SUCCESS, fc_ret;
 
+	if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) {
+		zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p");
+		zfcp_erp_wait(adapter);
+	}
 	zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
 	zfcp_erp_wait(adapter);
 	fc_ret = fc_block_scsi_eh(scpnt);
diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
index 7d5d66edae87..65826111d996 100644
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -47,17 +47,16 @@ static void smp_task_timedout(unsigned long _task)
 	unsigned long flags;
 
 	spin_lock_irqsave(&task->task_state_lock, flags);
-	if (!(task->task_state_flags & SAS_TASK_STATE_DONE))
+	if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
 		task->task_state_flags |= SAS_TASK_STATE_ABORTED;
+		complete(&task->slow_task->completion);
+	}
 	spin_unlock_irqrestore(&task->task_state_lock, flags);
-
-	complete(&task->slow_task->completion);
 }
 
 static void smp_task_done(struct sas_task *task)
 {
-	if (!del_timer(&task->slow_task->timer))
-		return;
+	del_timer(&task->slow_task->timer);
 	complete(&task->slow_task->completion);
 }
 
diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c
index 0adf3cffddb0..87b6e1aa107a 100644
--- a/drivers/staging/comedi/drivers/vmk80xx.c
+++ b/drivers/staging/comedi/drivers/vmk80xx.c
@@ -757,10 +757,8 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev)
 
 	size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize);
 	devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
-	if (!devpriv->usb_tx_buf) {
-		kfree(devpriv->usb_rx_buf);
+	if (!devpriv->usb_tx_buf)
 		return -ENOMEM;
-	}
 
 	return 0;
 }
@@ -872,6 +870,8 @@ static int vmk80xx_auto_attach(struct comedi_device *dev,
 
 	devpriv->model = boardinfo->model;
 
+	sema_init(&devpriv->limit_sem, 8);
+
 	ret = vmk80xx_find_usb_endpoints(dev);
 	if (ret)
 		return ret;
@@ -880,8 +880,6 @@ static int vmk80xx_auto_attach(struct comedi_device *dev,
 	if (ret)
 		return ret;
 
-	sema_init(&devpriv->limit_sem, 8);
-
 	usb_set_intfdata(intf, devpriv);
 
 	if (devpriv->model == VMK8061_MODEL) {
diff --git a/drivers/staging/iio/meter/ade7854.c b/drivers/staging/iio/meter/ade7854.c
index bcfdb650c2c5..c318e263c1bb 100644
--- a/drivers/staging/iio/meter/ade7854.c
+++ b/drivers/staging/iio/meter/ade7854.c
@@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(S_IWUSR | S_IRUGO,
 static IIO_DEV_ATTR_IPEAK(S_IWUSR | S_IRUGO,
 		ade7854_read_32bit,
 		ade7854_write_32bit,
-		ADE7854_VPEAK);
+		ADE7854_IPEAK);
 static IIO_DEV_ATTR_APHCAL(S_IWUSR | S_IRUGO,
 		ade7854_read_16bit,
 		ade7854_write_16bit,
diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c
index 8ca7d7e68dca..2a0225900d89 100644
--- a/drivers/staging/rtl8712/rtl8712_cmd.c
+++ b/drivers/staging/rtl8712/rtl8712_cmd.c
@@ -155,19 +155,11 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
 
 static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
 {
-	u32 val;
-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj	*pcmd);
 	struct readBB_parm *prdbbparm;
 	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;
 
 	prdbbparm = (struct readBB_parm *)pcmd->parmbuf;
-	if (pcmd->rsp && pcmd->rspsz > 0)
-		memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
-	if (pcmd_callback == NULL)
-		r8712_free_cmd_obj(pcmd);
-	else
-		pcmd_callback(padapter, pcmd);
+	r8712_free_cmd_obj(pcmd);
 	return H2C_SUCCESS;
 }
 
diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h
index 039ab3e97172..efa2fc98907f 100644
--- a/drivers/staging/rtl8712/rtl8712_cmd.h
+++ b/drivers/staging/rtl8712/rtl8712_cmd.h
@@ -152,7 +152,7 @@ enum rtl8712_h2c_cmd {
 static struct _cmd_callback	cmd_callback[] = {
 	{GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/
 	{GEN_CMD_CODE(_Write_MACREG), NULL},
-	{GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback},
+	{GEN_CMD_CODE(_Read_BBREG), NULL},
 	{GEN_CMD_CODE(_Write_BBREG), NULL},
 	{GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback},
 	{GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/
diff --git a/drivers/staging/speakup/speakup_soft.c b/drivers/staging/speakup/speakup_soft.c
index 9ed726509261..c5bf6b1aa80e 100644
--- a/drivers/staging/speakup/speakup_soft.c
+++ b/drivers/staging/speakup/speakup_soft.c
@@ -213,10 +213,13 @@ static ssize_t softsynth_read(struct file *fp, char __user *buf, size_t count,
 	DEFINE_WAIT(wait);
 
 	spin_lock_irqsave(&speakup_info.spinlock, flags);
+	synth_soft.alive = 1;
 	while (1) {
 		prepare_to_wait(&speakup_event, &wait, TASK_INTERRUPTIBLE);
-		if (!synth_buffer_empty() || speakup_info.flushing)
-			break;
+		if (synth_current() == &synth_soft) {
+			if (!synth_buffer_empty() || speakup_info.flushing)
+				break;
+		}
 		spin_unlock_irqrestore(&speakup_info.spinlock, flags);
 		if (fp->f_flags & O_NONBLOCK) {
 			finish_wait(&speakup_event, &wait);
@@ -234,6 +237,8 @@ static ssize_t softsynth_read(struct file *fp, char __user *buf, size_t count,
 	cp = buf;
 	init = get_initstring();
 	while (chars_sent < count) {
+		if (synth_current() != &synth_soft)
+			break;
 		if (speakup_info.flushing) {
 			speakup_info.flushing = 0;
 			ch = '\x18';
@@ -286,7 +291,8 @@ static unsigned int softsynth_poll(struct file *fp,
 	poll_wait(fp, &speakup_event, wait);
 
 	spin_lock_irqsave(&speakup_info.spinlock, flags);
-	if (!synth_buffer_empty() || speakup_info.flushing)
+	if (synth_current() == &synth_soft &&
+	    (!synth_buffer_empty() || speakup_info.flushing))
 		ret = POLLIN | POLLRDNORM;
 	spin_unlock_irqrestore(&speakup_info.spinlock, flags);
 	return ret;
diff --git a/drivers/staging/speakup/spk_priv.h b/drivers/staging/speakup/spk_priv.h
index 637ba6760ec0..b669021455dd 100644
--- a/drivers/staging/speakup/spk_priv.h
+++ b/drivers/staging/speakup/spk_priv.h
@@ -72,6 +72,7 @@ extern int synth_request_region(u_long, u_long);
 extern int synth_release_region(u_long, u_long);
 extern int synth_add(struct spk_synth *in_synth);
 extern void synth_remove(struct spk_synth *in_synth);
+struct spk_synth *synth_current(void);
 
 extern struct speakup_info_t speakup_info;
 
diff --git a/drivers/staging/speakup/synth.c b/drivers/staging/speakup/synth.c
index 172cf62b1aaf..1219089af4b5 100644
--- a/drivers/staging/speakup/synth.c
+++ b/drivers/staging/speakup/synth.c
@@ -475,4 +475,10 @@ void synth_remove(struct spk_synth *in_synth)
 }
 EXPORT_SYMBOL_GPL(synth_remove);
 
+struct spk_synth *synth_current(void)
+{
+	return synth;
+}
+EXPORT_SYMBOL_GPL(synth_current);
+
 short spk_punc_masks[] = { 0, SOME, MOST, PUNC, PUNC|B_SYM };
diff --git a/drivers/staging/usbip/stub_rx.c b/drivers/staging/usbip/stub_rx.c
index 2ed1118d3d8b..7f10bc79a719 100644
--- a/drivers/staging/usbip/stub_rx.c
+++ b/drivers/staging/usbip/stub_rx.c
@@ -375,16 +375,10 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu)
 	}
 
 	if (usb_endpoint_xfer_isoc(epd)) {
-		/* validate packet size and number of packets */
-		unsigned int maxp, packets, bytes;
-
-		maxp = usb_endpoint_maxp(epd);
-		maxp *= usb_endpoint_maxp_mult(epd);
-		bytes = pdu->u.cmd_submit.transfer_buffer_length;
-		packets = DIV_ROUND_UP(bytes, maxp);
-
+		/* validate number of packets */
 		if (pdu->u.cmd_submit.number_of_packets < 0 ||
-		    pdu->u.cmd_submit.number_of_packets > packets) {
+		    pdu->u.cmd_submit.number_of_packets >
+		    USBIP_MAX_ISO_PACKETS) {
 			dev_err(&sdev->udev->dev,
 				"CMD_SUBMIT: isoc invalid num packets %d\n",
 				pdu->u.cmd_submit.number_of_packets);
diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h
index 58787c49fb68..8b358911563b 100644
--- a/drivers/staging/usbip/usbip_common.h
+++ b/drivers/staging/usbip/usbip_common.h
@@ -134,6 +134,13 @@ extern struct device_attribute dev_attr_usbip_debug;
 #define USBIP_DIR_OUT	0x00
 #define USBIP_DIR_IN	0x01
 
+/*
+ * Arbitrary limit for the maximum number of isochronous packets in an URB,
+ * compare for example the uhci_submit_isochronous function in
+ * drivers/usb/host/uhci-q.c
+ */
+#define USBIP_MAX_ISO_PACKETS 1024
+
 /**
  * struct usbip_header_basic - data pertinent to every request
  * @command: the usbip request type
diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
index bc1c68c926bd..d8676716467b 100644
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -1045,6 +1045,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
 				sg_dma_len(&atmel_port->sg_rx)/2,
 				DMA_DEV_TO_MEM,
 				DMA_PREP_INTERRUPT);
+	if (!desc) {
+		dev_err(port->dev, "Preparing DMA cyclic failed\n");
+		goto chan_err;
+	}
 	desc->callback = atmel_complete_rx_dma;
 	desc->callback_param = port;
 	atmel_port->desc_rx = desc;
diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c
index ba285cd45b59..8ccab7cf437c 100644
--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@@ -1324,6 +1324,8 @@ static int max310x_spi_probe(struct spi_device *spi)
 	if (spi->dev.of_node) {
 		const struct of_device_id *of_id =
 			of_match_device(max310x_dt_ids, &spi->dev);
+		if (!of_id)
+			return -ENODEV;
 
 		devtype = (struct max310x_devtype *)of_id->data;
 	} else {
diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index 8f6d6b5a2eeb..acacce37ec66 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -1075,6 +1075,10 @@ static int mxs_auart_probe(struct platform_device *pdev)
 
 	s->port.mapbase = r->start;
 	s->port.membase = ioremap(r->start, resource_size(r));
+	if (!s->port.membase) {
+		ret = -ENOMEM;
+		goto out_free_clk;
+	}
 	s->port.ops = &mxs_auart_ops;
 	s->port.iotype = UPIO_MEM;
 	s->port.fifosize = MXS_AUART_FIFO_SIZE;
diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index e2224213111c..0dc1d1ac4a9a 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -633,19 +633,9 @@ static void sci_transmit_chars(struct uart_port *port)
 
 	if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
 		uart_write_wakeup(port);
-	if (uart_circ_empty(xmit)) {
+	if (uart_circ_empty(xmit))
 		sci_stop_tx(port);
-	} else {
-		ctrl = serial_port_in(port, SCSCR);
-
-		if (port->type != PORT_SCI) {
-			serial_port_in(port, SCxSR); /* Dummy read */
-			serial_port_out(port, SCxSR, SCxSR_TDxE_CLEAR(port));
-		}
 
-		ctrl |= SCSCR_TIE;
-		serial_port_out(port, SCSCR, ctrl);
-	}
 }
 
 /* On SH3, SCIF may read end-of-break as a space->mark char */
diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
index d002c23af6f4..71dfbff5839d 100644
--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -483,11 +483,6 @@ static int usb_unbind_interface(struct device *dev)
 		pm_runtime_disable(dev);
 	pm_runtime_set_suspended(dev);
 
-	/* Undo any residual pm_autopm_get_interface_* calls */
-	for (r = atomic_read(&intf->pm_usage_cnt); r > 0; --r)
-		usb_autopm_put_interface_no_suspend(intf);
-	atomic_set(&intf->pm_usage_cnt, 0);
-
 	if (!error)
 		usb_autosuspend_device(udev);
 
@@ -1638,7 +1633,6 @@ void usb_autopm_put_interface(struct usb_interface *intf)
 	int			status;
 
 	usb_mark_last_busy(udev);
-	atomic_dec(&intf->pm_usage_cnt);
 	status = pm_runtime_put_sync(&intf->dev);
 	dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
 			__func__, atomic_read(&intf->dev.power.usage_count),
@@ -1667,7 +1661,6 @@ void usb_autopm_put_interface_async(struct usb_interface *intf)
 	int			status;
 
 	usb_mark_last_busy(udev);
-	atomic_dec(&intf->pm_usage_cnt);
 	status = pm_runtime_put(&intf->dev);
 	dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
 			__func__, atomic_read(&intf->dev.power.usage_count),
@@ -1689,7 +1682,6 @@ void usb_autopm_put_interface_no_suspend(struct usb_interface *intf)
 	struct usb_device	*udev = interface_to_usbdev(intf);
 
 	usb_mark_last_busy(udev);
-	atomic_dec(&intf->pm_usage_cnt);
 	pm_runtime_put_noidle(&intf->dev);
 }
 EXPORT_SYMBOL_GPL(usb_autopm_put_interface_no_suspend);
@@ -1720,8 +1712,6 @@ int usb_autopm_get_interface(struct usb_interface *intf)
 	status = pm_runtime_get_sync(&intf->dev);
 	if (status < 0)
 		pm_runtime_put_sync(&intf->dev);
-	else
-		atomic_inc(&intf->pm_usage_cnt);
 	dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
 			__func__, atomic_read(&intf->dev.power.usage_count),
 			status);
@@ -1755,8 +1745,6 @@ int usb_autopm_get_interface_async(struct usb_interface *intf)
 	status = pm_runtime_get(&intf->dev);
 	if (status < 0 && status != -EINPROGRESS)
 		pm_runtime_put_noidle(&intf->dev);
-	else
-		atomic_inc(&intf->pm_usage_cnt);
 	dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
 			__func__, atomic_read(&intf->dev.power.usage_count),
 			status);
@@ -1780,7 +1768,6 @@ void usb_autopm_get_interface_no_resume(struct usb_interface *intf)
 	struct usb_device	*udev = interface_to_usbdev(intf);
 
 	usb_mark_last_busy(udev);
-	atomic_inc(&intf->pm_usage_cnt);
 	pm_runtime_get_noresume(&intf->dev);
 }
 EXPORT_SYMBOL_GPL(usb_autopm_get_interface_no_resume);
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 6af648c307b7..f7019c7e9bc5 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -822,9 +822,11 @@ int usb_string(struct usb_device *dev, int index, char *buf, size_t size)
 
 	if (dev->state == USB_STATE_SUSPENDED)
 		return -EHOSTUNREACH;
-	if (size <= 0 || !buf || !index)
+	if (size <= 0 || !buf)
 		return -EINVAL;
 	buf[0] = 0;
+	if (index <= 0 || index >= 256)
+		return -EINVAL;
 	tbuf = kmalloc(256, GFP_NOIO);
 	if (!tbuf)
 		return -ENOMEM;
diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index fd697bba07ff..dc3270e48dfb 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1199,20 +1199,25 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
 	port_index = max_ports;
 	while (port_index--) {
 		u32 t1, t2;
-
+		int retries = 10;
+retry:
 		t1 = readl(port_array[port_index]);
 		t2 = xhci_port_state_to_neutral(t1);
 		portsc_buf[port_index] = 0;
 
-		/* Bail out if a USB3 port has a new device in link training */
-		if ((hcd->speed >= HCD_USB3) &&
+		/*
+		 * Give a USB3 port in link training time to finish, but don't
+		 * prevent suspend as port might be stuck
+		 */
+		if ((hcd->speed >= HCD_USB3) && retries-- &&
 		    (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
-			bus_state->bus_suspended = 0;
 			spin_unlock_irqrestore(&xhci->lock, flags);
-			xhci_dbg(xhci, "Bus suspend bailout, port in polling\n");
-			return -EBUSY;
+			msleep(XHCI_PORT_POLLING_LFPS_TIME);
+			spin_lock_irqsave(&xhci->lock, flags);
+			xhci_dbg(xhci, "port %d polling in bus suspend, waiting\n",
+				 port_index);
+			goto retry;
 		}
-
 		/* suspend ports in U0, or bail out for new connect changes */
 		if ((t1 & PORT_PE) && (t1 & PORT_PLS_MASK) == XDEV_U0) {
 			if ((t1 & PORT_CSC) && wake_enabled) {
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index feb702516470..bd191fbfdf40 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -413,6 +413,14 @@ struct xhci_op_regs {
  */
 #define XHCI_DEFAULT_BESL	4
 
+/*
+ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports
+ * to complete link training. usually link trainig completes much faster
+ * so check status 10 times with 36ms sleep in places we need to wait for
+ * polling to complete.
+ */
+#define XHCI_PORT_POLLING_LFPS_TIME  36
+
 /**
  * struct xhci_intr_reg - Interrupt Register Set
  * @irq_pending:	IMAN - Interrupt Management Register.  Used to enable
diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
index 3114c8d061e9..1c9d08157708 100644
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_interface *interface)
 	usb_deregister_dev(interface, &yurex_class);
 
 	/* prevent more I/O from starting */
+	usb_poison_urb(dev->urb);
 	mutex_lock(&dev->io_mutex);
 	dev->interface = NULL;
 	mutex_unlock(&dev->io_mutex);
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index b60dac48587c..3e22dd294879 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -76,6 +76,7 @@ static const struct usb_device_id id_table[] = {
 	{ USB_DEVICE(0x10C4, 0x804E) }, /* Software Bisque Paramount ME build-in converter */
 	{ USB_DEVICE(0x10C4, 0x8053) }, /* Enfora EDG1228 */
 	{ USB_DEVICE(0x10C4, 0x8054) }, /* Enfora GSM2228 */
+	{ USB_DEVICE(0x10C4, 0x8056) }, /* Lorenz Messtechnik devices */
 	{ USB_DEVICE(0x10C4, 0x8066) }, /* Argussoft In-System Programmer */
 	{ USB_DEVICE(0x10C4, 0x806F) }, /* IMS USB to RS422 Converter Cable */
 	{ USB_DEVICE(0x10C4, 0x807A) }, /* Crumb128 board */
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index aa2bec8687fd..3f89153bc122 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -617,6 +617,8 @@ static const struct usb_device_id id_table_combined[] = {
 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
 	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
+	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index ecc2424eb8e0..5258cec99219 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -566,7 +566,9 @@
 /*
  * NovaTech product ids (FTDI_VID)
  */
-#define FTDI_NT_ORIONLXM_PID	0x7c90	/* OrionLXm Substation Automation Platform */
+#define FTDI_NT_ORIONLXM_PID		0x7c90	/* OrionLXm Substation Automation Platform */
+#define FTDI_NT_ORIONLX_PLUS_PID	0x7c91	/* OrionLX+ Substation Automation Platform */
+#define FTDI_NT_ORION_IO_PID		0x7c92	/* Orion I/O */
 
 /*
  * Synapse Wireless product ids (FTDI_VID)
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index 56c4f6d074ca..454898c4a137 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -362,8 +362,6 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
 	if (!urbtrack)
 		return -ENOMEM;
 
-	kref_get(&mos_parport->ref_count);
-	urbtrack->mos_parport = mos_parport;
 	urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC);
 	if (!urbtrack->urb) {
 		kfree(urbtrack);
@@ -384,6 +382,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
 			     usb_sndctrlpipe(usbdev, 0),
 			     (unsigned char *)urbtrack->setup,
 			     NULL, 0, async_complete, urbtrack);
+	kref_get(&mos_parport->ref_count);
+	urbtrack->mos_parport = mos_parport;
 	kref_init(&urbtrack->ref_count);
 	INIT_LIST_HEAD(&urbtrack->urblist_entry);
 
diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c
index 281be56d5648..56bfef517f68 100644
--- a/drivers/usb/storage/realtek_cr.c
+++ b/drivers/usb/storage/realtek_cr.c
@@ -767,18 +767,16 @@ static void rts51x_suspend_timer_fn(unsigned long data)
 		break;
 	case RTS51X_STAT_IDLE:
 	case RTS51X_STAT_SS:
-		usb_stor_dbg(us, "RTS51X_STAT_SS, intf->pm_usage_cnt:%d, power.usage:%d\n",
-			     atomic_read(&us->pusb_intf->pm_usage_cnt),
+		usb_stor_dbg(us, "RTS51X_STAT_SS, power.usage:%d\n",
 			     atomic_read(&us->pusb_intf->dev.power.usage_count));
 
-		if (atomic_read(&us->pusb_intf->pm_usage_cnt) > 0) {
+		if (atomic_read(&us->pusb_intf->dev.power.usage_count) > 0) {
 			usb_stor_dbg(us, "Ready to enter SS state\n");
 			rts51x_set_stat(chip, RTS51X_STAT_SS);
 			/* ignore mass storage interface's children */
 			pm_suspend_ignore_children(&us->pusb_intf->dev, true);
 			usb_autopm_put_interface_async(us->pusb_intf);
-			usb_stor_dbg(us, "RTS51X_STAT_SS 01, intf->pm_usage_cnt:%d, power.usage:%d\n",
-				     atomic_read(&us->pusb_intf->pm_usage_cnt),
+			usb_stor_dbg(us, "RTS51X_STAT_SS 01, power.usage:%d\n",
 				     atomic_read(&us->pusb_intf->dev.power.usage_count));
 		}
 		break;
@@ -811,11 +809,10 @@ static void rts51x_invoke_transport(struct scsi_cmnd *srb, struct us_data *us)
 	int ret;
 
 	if (working_scsi(srb)) {
-		usb_stor_dbg(us, "working scsi, intf->pm_usage_cnt:%d, power.usage:%d\n",
-			     atomic_read(&us->pusb_intf->pm_usage_cnt),
+		usb_stor_dbg(us, "working scsi, power.usage:%d\n",
 			     atomic_read(&us->pusb_intf->dev.power.usage_count));
 
-		if (atomic_read(&us->pusb_intf->pm_usage_cnt) <= 0) {
+		if (atomic_read(&us->pusb_intf->dev.power.usage_count) <= 0) {
 			ret = usb_autopm_get_interface(us->pusb_intf);
 			usb_stor_dbg(us, "working scsi, ret=%d\n", ret);
 		}
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index f544cfaa0a10..3f16c299263f 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -39,6 +39,12 @@ MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
  * Using this limit prevents one virtqueue from starving others. */
 #define VHOST_NET_WEIGHT 0x80000
 
+/* Max number of packets transferred before requeueing the job.
+ * Using this limit prevents one virtqueue from starving others with small
+ * pkts.
+ */
+#define VHOST_NET_PKT_WEIGHT 256
+
 /* MAX number of TX used buffers for outstanding zerocopy */
 #define VHOST_MAX_PEND 128
 #define VHOST_GOODCOPY_LEN 256
@@ -351,6 +357,7 @@ static void handle_tx(struct vhost_net *net)
 	struct socket *sock;
 	struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
 	bool zcopy, zcopy_used;
+	int sent_pkts = 0;
 
 	mutex_lock(&vq->mutex);
 	sock = vq->private_data;
@@ -362,7 +369,7 @@ static void handle_tx(struct vhost_net *net)
 	hdr_size = nvq->vhost_hlen;
 	zcopy = nvq->ubufs;
 
-	for (;;) {
+	do {
 		/* Release DMAs done buffers first */
 		if (zcopy)
 			vhost_zerocopy_signal_used(net, vq);
@@ -450,11 +457,7 @@ static void handle_tx(struct vhost_net *net)
 			vhost_zerocopy_signal_used(net, vq);
 		total_len += len;
 		vhost_net_tx_packet(net);
-		if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
-			vhost_poll_queue(&vq->poll);
-			break;
-		}
-	}
+	} while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));
 out:
 	mutex_unlock(&vq->mutex);
 }
@@ -575,6 +578,7 @@ static void handle_rx(struct vhost_net *net)
 	size_t vhost_hlen, sock_hlen;
 	size_t vhost_len, sock_len;
 	struct socket *sock;
+	int recv_pkts = 0;
 
 	mutex_lock(&vq->mutex);
 	sock = vq->private_data;
@@ -589,7 +593,10 @@ static void handle_rx(struct vhost_net *net)
 		vq->log : NULL;
 	mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
 
-	while ((sock_len = peek_head_len(sock->sk))) {
+	do {
+		sock_len = peek_head_len(sock->sk);
+		if (!sock_len)
+			break;
 		sock_len += sock_hlen;
 		vhost_len = sock_len + vhost_hlen;
 		headcount = get_rx_bufs(vq, vq->heads, vhost_len,
@@ -659,11 +666,8 @@ static void handle_rx(struct vhost_net *net)
 		if (unlikely(vq_log))
 			vhost_log_write(vq, vq_log, log, vhost_len);
 		total_len += vhost_len;
-		if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
-			vhost_poll_queue(&vq->poll);
-			break;
-		}
-	}
+	} while (likely(!vhost_exceeds_weight(vq, ++recv_pkts, total_len)));
+
 out:
 	mutex_unlock(&vq->mutex);
 }
@@ -732,7 +736,8 @@ static int vhost_net_open(struct inode *inode, struct file *f)
 		n->vqs[i].vhost_hlen = 0;
 		n->vqs[i].sock_hlen = 0;
 	}
-	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX);
+	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX,
+		       VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT);
 
 	vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev);
 	vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev);
diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
index 0dfb3fd6e836..498de4bfcd60 100644
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -60,6 +60,12 @@
 #define TCM_VHOST_PREALLOC_UPAGES 2048
 #define TCM_VHOST_PREALLOC_PROT_SGLS 512
 
+/* Max number of requests before requeueing the job.
+ * Using this limit prevents one virtqueue from starving others with
+ * request.
+ */
+#define VHOST_SCSI_WEIGHT 256
+
 struct vhost_scsi_inflight {
 	/* Wait for the flush operation to finish */
 	struct completion comp;
@@ -992,7 +998,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
 	u64 tag;
 	u32 exp_data_len, data_first, data_num, data_direction, prot_first;
 	unsigned out, in, i;
-	int head, ret, data_niov, prot_niov, prot_bytes;
+	int head, ret, data_niov, prot_niov, prot_bytes, c = 0;
 	size_t req_size;
 	u16 lun;
 	u8 *target, *lunp, task_attr;
@@ -1010,7 +1016,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
 
 	vhost_disable_notify(&vs->dev, vq);
 
-	for (;;) {
+	do {
 		head = vhost_get_vq_desc(vq, vq->iov,
 					ARRAY_SIZE(vq->iov), &out, &in,
 					NULL, NULL);
@@ -1213,7 +1219,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
 		 */
 		INIT_WORK(&cmd->work, tcm_vhost_submission_work);
 		queue_work(tcm_vhost_workqueue, &cmd->work);
-	}
+	} while (likely(!vhost_exceeds_weight(vq, ++c, 0)));
 
 	mutex_unlock(&vq->mutex);
 	return;
@@ -1576,7 +1582,8 @@ static int vhost_scsi_open(struct inode *inode, struct file *f)
 		vqs[i] = &vs->vqs[i].vq;
 		vs->vqs[i].vq.handle_kick = vhost_scsi_handle_kick;
 	}
-	vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ);
+	vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ,
+		       VHOST_SCSI_WEIGHT, 0);
 
 	tcm_vhost_init_inflight(vs, NULL);
 
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 337e1d04871f..48507ef0542a 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -292,8 +292,24 @@ static void vhost_dev_free_iovecs(struct vhost_dev *dev)
 		vhost_vq_free_iovecs(dev->vqs[i]);
 }
 
+bool vhost_exceeds_weight(struct vhost_virtqueue *vq,
+			  int pkts, int total_len)
+{
+	struct vhost_dev *dev = vq->dev;
+
+	if ((dev->byte_weight && total_len >= dev->byte_weight) ||
+	    pkts >= dev->weight) {
+		vhost_poll_queue(&vq->poll);
+		return true;
+	}
+
+	return false;
+}
+EXPORT_SYMBOL_GPL(vhost_exceeds_weight);
+
 void vhost_dev_init(struct vhost_dev *dev,
-		    struct vhost_virtqueue **vqs, int nvqs)
+		    struct vhost_virtqueue **vqs, int nvqs,
+		    int weight, int byte_weight)
 {
 	struct vhost_virtqueue *vq;
 	int i;
@@ -308,6 +324,8 @@ void vhost_dev_init(struct vhost_dev *dev,
 	spin_lock_init(&dev->work_lock);
 	INIT_LIST_HEAD(&dev->work_list);
 	dev->worker = NULL;
+	dev->weight = weight;
+	dev->byte_weight = byte_weight;
 
 	for (i = 0; i < dev->nvqs; ++i) {
 		vq = dev->vqs[i];
diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
index 3eda654b8f5a..6c4c8aade233 100644
--- a/drivers/vhost/vhost.h
+++ b/drivers/vhost/vhost.h
@@ -123,9 +123,13 @@ struct vhost_dev {
 	spinlock_t work_lock;
 	struct list_head work_list;
 	struct task_struct *worker;
+	int weight;
+	int byte_weight;
 };
 
-void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, int nvqs);
+bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts, int total_len);
+void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs,
+		    int nvqs, int weight, int byte_weight);
 long vhost_dev_set_owner(struct vhost_dev *dev);
 bool vhost_dev_has_owner(struct vhost_dev *dev);
 long vhost_dev_check_owner(struct vhost_dev *);
diff --git a/drivers/w1/masters/ds2490.c b/drivers/w1/masters/ds2490.c
index 176b88fa694c..ed420aa9216b 100644
--- a/drivers/w1/masters/ds2490.c
+++ b/drivers/w1/masters/ds2490.c
@@ -1041,15 +1041,15 @@ static int ds_probe(struct usb_interface *intf,
 	/* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */
 	alt = 3;
 	err = usb_set_interface(dev->udev,
-		intf->altsetting[alt].desc.bInterfaceNumber, alt);
+		intf->cur_altsetting->desc.bInterfaceNumber, alt);
 	if (err) {
 		dev_err(&dev->udev->dev, "Failed to set alternative setting %d "
 			"for %d interface: err=%d.\n", alt,
-			intf->altsetting[alt].desc.bInterfaceNumber, err);
+			intf->cur_altsetting->desc.bInterfaceNumber, err);
 		goto err_out_clear;
 	}
 
-	iface_desc = &intf->altsetting[alt];
+	iface_desc = intf->cur_altsetting;
 	if (iface_desc->desc.bNumEndpoints != NUM_EP-1) {
 		printk(KERN_INFO "Num endpoints=%d. It is not DS9490R.\n", iface_desc->desc.bNumEndpoints);
 		err = -EINVAL;
diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
index 8db7abb6ef5a..cdb055207753 100644
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -502,8 +502,15 @@ static void balloon_process(struct work_struct *work)
 				state = reserve_additional_memory(credit);
 		}
 
-		if (credit < 0)
-			state = decrease_reservation(-credit, GFP_BALLOON);
+		if (credit < 0) {
+			long n_pages;
+
+			n_pages = min(-credit, si_mem_available());
+			state = decrease_reservation(n_pages, GFP_BALLOON);
+			if (state == BP_DONE && n_pages != -credit &&
+			    n_pages < totalreserve_pages)
+				state = BP_EAGAIN;
+		}
 
 		state = update_schedule(state);
 
@@ -561,6 +568,9 @@ int alloc_xenballooned_pages(int nr_pages, struct page **pages, bool highmem)
 			enum bp_state st;
 			if (page)
 				balloon_append(page);
+			if (si_mem_available() < nr_pages)
+				return -ENOMEM;
+
 			st = decrease_reservation(nr_pages - pgno,
 					highmem ? GFP_HIGHUSER : GFP_USER);
 			if (st != BP_DONE)
@@ -692,7 +702,7 @@ static int __init balloon_init(void)
 	balloon_stats.schedule_delay = 1;
 	balloon_stats.max_schedule_delay = 32;
 	balloon_stats.retry_count = 1;
-	balloon_stats.max_retry_count = RETRY_UNLIMITED;
+	balloon_stats.max_retry_count = 4;
 
 #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
 	balloon_stats.hotplug_pages = 0;
diff --git a/fs/afs/fsclient.c b/fs/afs/fsclient.c
index c2e930ec2888..696db173e26f 100644
--- a/fs/afs/fsclient.c
+++ b/fs/afs/fsclient.c
@@ -1382,8 +1382,8 @@ static int afs_fs_setattr_size64(struct afs_server *server, struct key *key,
 
 	xdr_encode_AFS_StoreStatus(&bp, attr);
 
-	*bp++ = 0;				/* position of start of write */
-	*bp++ = 0;
+	*bp++ = htonl(attr->ia_size >> 32);	/* position of start of write */
+	*bp++ = htonl((u32) attr->ia_size);
 	*bp++ = 0;				/* size of write */
 	*bp++ = 0;
 	*bp++ = htonl(attr->ia_size >> 32);	/* new file length */
@@ -1433,7 +1433,7 @@ static int afs_fs_setattr_size(struct afs_server *server, struct key *key,
 
 	xdr_encode_AFS_StoreStatus(&bp, attr);
 
-	*bp++ = 0;				/* position of start of write */
+	*bp++ = htonl(attr->ia_size);		/* position of start of write */
 	*bp++ = 0;				/* size of write */
 	*bp++ = htonl(attr->ia_size);		/* new file length */
 
diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
index 6db91cdbd92d..6a02cb3e5650 100644
--- a/fs/btrfs/compression.c
+++ b/fs/btrfs/compression.c
@@ -42,6 +42,8 @@
 #include "extent_io.h"
 #include "extent_map.h"
 
+static const char* const btrfs_compress_types[] = { "", "zlib", "lzo" };
+
 struct compressed_bio {
 	/* number of bios pending for this compressed extent */
 	atomic_t pending_bios;
@@ -81,6 +83,22 @@ struct compressed_bio {
 	u32 sums;
 };
 
+bool btrfs_compress_is_valid_type(const char *str, size_t len)
+{
+	int i;
+
+	for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
+		size_t comp_len = strlen(btrfs_compress_types[i]);
+
+		if (len < comp_len)
+			continue;
+
+		if (!strncmp(btrfs_compress_types[i], str, comp_len))
+			return true;
+	}
+	return false;
+}
+
 static int btrfs_decompress_biovec(int type, struct page **pages_in,
 				   u64 disk_start, struct bio_vec *bvec,
 				   int vcnt, size_t srclen);
diff --git a/fs/btrfs/compression.h b/fs/btrfs/compression.h
index d181f70caae0..5f15b34d88f7 100644
--- a/fs/btrfs/compression.h
+++ b/fs/btrfs/compression.h
@@ -80,4 +80,5 @@ struct btrfs_compress_op {
 extern struct btrfs_compress_op btrfs_zlib_compress;
 extern struct btrfs_compress_op btrfs_lzo_compress;
 
+bool btrfs_compress_is_valid_type(const char *str, size_t len);
 #endif
diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c
index 129b1dd28527..8b041d83533a 100644
--- a/fs/btrfs/props.c
+++ b/fs/btrfs/props.c
@@ -22,6 +22,7 @@
 #include "hash.h"
 #include "transaction.h"
 #include "xattr.h"
+#include "compression.h"
 
 #define BTRFS_PROP_HANDLERS_HT_BITS 8
 static DEFINE_HASHTABLE(prop_handlers_ht, BTRFS_PROP_HANDLERS_HT_BITS);
@@ -378,9 +379,7 @@ int btrfs_subvol_inherit_props(struct btrfs_trans_handle *trans,
 
 static int prop_compression_validate(const char *value, size_t len)
 {
-	if (!strncmp("lzo", value, len))
-		return 0;
-	else if (!strncmp("zlib", value, len))
+	if (btrfs_compress_is_valid_type(value, len))
 		return 0;
 
 	return -EINVAL;
diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
index 5e2005030f54..bdda508cc85d 100644
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1327,6 +1327,7 @@ void ceph_dentry_lru_del(struct dentry *dn)
 unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn)
 {
 	struct ceph_inode_info *dci = ceph_inode(dir);
+	unsigned hash;
 
 	switch (dci->i_dir_layout.dl_dir_hash) {
 	case 0:	/* for backward compat */
@@ -1334,8 +1335,11 @@ unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn)
 		return dn->d_name.hash;
 
 	default:
-		return ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
+		spin_lock(&dn->d_lock);
+		hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
 				     dn->d_name.name, dn->d_name.len);
+		spin_unlock(&dn->d_lock);
+		return hash;
 	}
 }
 
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 23f5cb1ee904..ff85c3129e9d 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1092,6 +1092,7 @@ cifsFileInfo_get_locked(struct cifsFileInfo *cifs_file)
 }
 
 struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file);
+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr);
 void cifsFileInfo_put(struct cifsFileInfo *cifs_file);
 
 #define CIFS_CACHE_READ_FLG	1
@@ -1579,6 +1580,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock;
 #endif /* CONFIG_CIFS_ACL */
 
 void cifs_oplock_break(struct work_struct *work);
+void cifs_queue_oplock_break(struct cifsFileInfo *cfile);
 
 extern const struct slow_work_ops cifs_oplock_break_ops;
 extern struct workqueue_struct *cifsiod_wq;
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 4b8870f889e3..9b3d28b79329 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -359,12 +359,30 @@ cifsFileInfo_get(struct cifsFileInfo *cifs_file)
 	return cifs_file;
 }
 
-/*
- * Release a reference on the file private data. This may involve closing
- * the filehandle out on the server. Must be called without holding
- * tcon->open_file_lock and cifs_file->file_info_lock.
+/**
+ * cifsFileInfo_put - release a reference of file priv data
+ *
+ * Always potentially wait for oplock handler. See _cifsFileInfo_put().
  */
 void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
+{
+	_cifsFileInfo_put(cifs_file, true);
+}
+
+/**
+ * _cifsFileInfo_put - release a reference of file priv data
+ *
+ * This may involve closing the filehandle @cifs_file out on the
+ * server. Must be called without holding tcon->open_file_lock and
+ * cifs_file->file_info_lock.
+ *
+ * If @wait_for_oplock_handler is true and we are releasing the last
+ * reference, wait for any running oplock break handler of the file
+ * and cancel any pending one. If calling this function from the
+ * oplock break handler, you need to pass false.
+ *
+ */
+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler)
 {
 	struct inode *inode = cifs_file->dentry->d_inode;
 	struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink);
@@ -412,7 +430,8 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
 
 	spin_unlock(&tcon->open_file_lock);
 
-	oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
+	oplock_break_cancelled = wait_oplock_handler ?
+		cancel_work_sync(&cifs_file->oplock_break) : false;
 
 	if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
 		struct TCP_Server_Info *server = tcon->ses->server;
@@ -3701,6 +3720,7 @@ void cifs_oplock_break(struct work_struct *work)
 							     cinode);
 		cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
 	}
+	_cifsFileInfo_put(cfile, false /* do not wait for ourself */);
 	cifs_done_oplock_break(cinode);
 }
 
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 09ca7c978700..f681091ec3db 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -1627,6 +1627,10 @@ cifs_do_rename(const unsigned int xid, struct dentry *from_dentry,
 	if (rc == 0 || rc != -EBUSY)
 		goto do_rename_exit;
 
+	/* Don't fall back to using SMB on SMB 2+ mount */
+	if (server->vals->protocol_id != 0)
+		goto do_rename_exit;
+
 	/* open-file renames don't work across directories */
 	if (to_dentry->d_parent != from_dentry->d_parent)
 		goto do_rename_exit;
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index f03fecafc5d5..debc26b95cd7 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -477,8 +477,7 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv)
 					   CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
 					   &pCifsInode->flags);
 
-				queue_work(cifsoplockd_wq,
-					   &netfile->oplock_break);
+				cifs_queue_oplock_break(netfile);
 				netfile->oplock_break_cancelled = false;
 
 				spin_unlock(&tcon->open_file_lock);
@@ -610,6 +609,28 @@ void cifs_put_writer(struct cifsInodeInfo *cinode)
 	spin_unlock(&cinode->writers_lock);
 }
 
+/**
+ * cifs_queue_oplock_break - queue the oplock break handler for cfile
+ *
+ * This function is called from the demultiplex thread when it
+ * receives an oplock break for @cfile.
+ *
+ * Assumes the tcon->open_file_lock is held.
+ * Assumes cfile->file_info_lock is NOT held.
+ */
+void cifs_queue_oplock_break(struct cifsFileInfo *cfile)
+{
+	/*
+	 * Bump the handle refcount now while we hold the
+	 * open_file_lock to enforce the validity of it for the oplock
+	 * break handler. The matching put is done at the end of the
+	 * handler.
+	 */
+	cifsFileInfo_get(cfile);
+
+	queue_work(cifsoplockd_wq, &cfile->oplock_break);
+}
+
 void cifs_done_oplock_break(struct cifsInodeInfo *cinode)
 {
 	clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
index 1485ab8c2d65..f80fcc6921ee 100644
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -458,7 +458,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
 			clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
 				  &cinode->flags);
 
-		queue_work(cifsoplockd_wq, &cfile->oplock_break);
+		cifs_queue_oplock_break(cfile);
 		kfree(lw);
 		return true;
 	}
@@ -602,8 +602,8 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
 					   CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
 					   &cinode->flags);
 				spin_unlock(&cfile->file_info_lock);
-				queue_work(cifsoplockd_wq,
-					   &cfile->oplock_break);
+
+				cifs_queue_oplock_break(cfile);
 
 				spin_unlock(&tcon->open_file_lock);
 				spin_unlock(&cifs_tcp_ses_lock);
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 376ccd96127f..d95a547cf94e 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -906,6 +906,8 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
 
 	rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_buf);
 
+	if (!rc)
+		SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
 	if (!rc || !err_buf) {
 		kfree(utf16_path);
 		return -ENOENT;
diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index 40c86790109e..201f683bea89 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -79,7 +79,7 @@ ext4_unaligned_aio(struct inode *inode, struct iov_iter *from, loff_t pos)
 	struct super_block *sb = inode->i_sb;
 	int blockmask = sb->s_blocksize - 1;
 
-	if (pos >= i_size_read(inode))
+	if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize))
 		return 0;
 
 	if ((pos | iov_iter_alignment(from)) & blockmask)
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index 80c3f1ed1afa..63597cd0265c 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -908,11 +908,18 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
 	memcpy(n_group_desc, o_group_desc,
 	       EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
 	n_group_desc[gdb_num] = gdb_bh;
+
+	BUFFER_TRACE(gdb_bh, "get_write_access");
+	err = ext4_journal_get_write_access(handle, gdb_bh);
+	if (err) {
+		kvfree(n_group_desc);
+		brelse(gdb_bh);
+		return err;
+	}
+
 	EXT4_SB(sb)->s_group_desc = n_group_desc;
 	EXT4_SB(sb)->s_gdb_count++;
 	ext4_kvfree(o_group_desc);
-	BUFFER_TRACE(gdb_bh, "get_write_access");
-	err = ext4_journal_get_write_access(handle, gdb_bh);
 	return err;
 }
 
diff --git a/fs/lockd/host.c b/fs/lockd/host.c
index b31117c12102..6f12147a2fea 100644
--- a/fs/lockd/host.c
+++ b/fs/lockd/host.c
@@ -288,12 +288,11 @@ void nlmclnt_release_host(struct nlm_host *host)
 
 	WARN_ON_ONCE(host->h_server);
 
-	if (atomic_dec_and_test(&host->h_count)) {
+	if (atomic_dec_and_mutex_lock(&host->h_count, &nlm_host_mutex)) {
 		WARN_ON_ONCE(!list_empty(&host->h_lockowners));
 		WARN_ON_ONCE(!list_empty(&host->h_granted));
 		WARN_ON_ONCE(!list_empty(&host->h_reclaim));
 
-		mutex_lock(&nlm_host_mutex);
 		nlm_destroy_host_locked(host);
 		mutex_unlock(&nlm_host_mutex);
 	}
diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
index 7445af0b1aa3..a0bc66039269 100644
--- a/fs/proc/meminfo.c
+++ b/fs/proc/meminfo.c
@@ -27,10 +27,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
 	struct vmalloc_info vmi;
 	long cached;
 	long available;
-	unsigned long pagecache;
-	unsigned long wmark_low = 0;
 	unsigned long pages[NR_LRU_LISTS];
-	struct zone *zone;
 	int lru;
 
 /*
@@ -51,36 +48,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
 	for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++)
 		pages[lru] = global_page_state(NR_LRU_BASE + lru);
 
-	for_each_zone(zone)
-		wmark_low += zone->watermark[WMARK_LOW];
-
-	/*
-	 * Estimate the amount of memory available for userspace allocations,
-	 * without causing swapping.
-	 *
-	 * Free memory cannot be taken below the low watermark, before the
-	 * system starts swapping.
-	 */
-	available = i.freeram - wmark_low;
-
-	/*
-	 * Not all the page cache can be freed, otherwise the system will
-	 * start swapping. Assume at least half of the page cache, or the
-	 * low watermark worth of cache, needs to stay.
-	 */
-	pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE];
-	pagecache -= min(pagecache / 2, wmark_low);
-	available += pagecache;
-
-	/*
-	 * Part of the reclaimable slab consists of items that are in use,
-	 * and cannot be freed. Cap this estimate at the low watermark.
-	 */
-	available += global_page_state(NR_SLAB_RECLAIMABLE) -
-		     min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low);
-
-	if (available < 0)
-		available = 0;
+	available = si_mem_available();
 
 	/*
 	 * Tagged format, for easy grepping and expansion.
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index bfb8e8d588b8..eb7067de78db 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -1550,8 +1550,11 @@ static void drop_sysctl_table(struct ctl_table_header *header)
 	if (--header->nreg)
 		return;
 
-	put_links(header);
-	start_unregistering(header);
+	if (parent) {
+		put_links(header);
+		start_unregistering(header);
+	}
+
 	if (!--header->count)
 		kfree_rcu(header, rcu);
 
diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c
index 8a9657d7f7c6..8df2632a2966 100644
--- a/fs/udf/truncate.c
+++ b/fs/udf/truncate.c
@@ -261,6 +261,9 @@ void udf_truncate_extents(struct inode *inode)
 			epos.block = eloc;
 			epos.bh = udf_tread(sb,
 					udf_get_lb_pblock(sb, &eloc, 0));
+			/* Error reading indirect block? */
+			if (!epos.bh)
+				return;
 			if (elen)
 				indirect_ext_len =
 					(elen + sb->s_blocksize - 1) >>
diff --git a/fs/ufs/util.h b/fs/ufs/util.h
index 3f9463f8cf2f..f877d5cadd98 100644
--- a/fs/ufs/util.h
+++ b/fs/ufs/util.h
@@ -228,7 +228,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode)
 	case UFS_UID_44BSD:
 		return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
 	case UFS_UID_EFT:
-		if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
+		if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
 			return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
 		/* Fall through */
 	default:
diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
index 8c0ff78ff45a..83fac3e091c2 100644
--- a/include/linux/kprobes.h
+++ b/include/linux/kprobes.h
@@ -197,6 +197,7 @@ struct kretprobe_instance {
 	struct kretprobe *rp;
 	kprobe_opcode_t *ret_addr;
 	struct task_struct *task;
+	void *fp;
 	char data[0];
 };
 
diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
index 64c7425afbce..f2bca5a77851 100644
--- a/include/linux/lockdep.h
+++ b/include/linux/lockdep.h
@@ -525,9 +525,24 @@ do {									\
 	lock_acquire(&(lock)->dep_map, 0, 0, 1, 1, NULL, _THIS_IP_);	\
 	lock_release(&(lock)->dep_map, 0, _THIS_IP_);			\
 } while (0)
+
+#define lockdep_assert_irqs_enabled()	do {				\
+		WARN_ONCE(debug_locks && !current->lockdep_recursion &&	\
+			  !current->hardirqs_enabled,			\
+			  "IRQs not enabled as expected\n");		\
+	} while (0)
+
+#define lockdep_assert_irqs_disabled()	do {				\
+		WARN_ONCE(debug_locks && !current->lockdep_recursion &&	\
+			  current->hardirqs_enabled,			\
+			  "IRQs not disabled as expected\n");		\
+	} while (0)
+
 #else
 # define might_lock(lock) do { } while (0)
 # define might_lock_read(lock) do { } while (0)
+# define lockdep_assert_irqs_enabled() do { } while (0)
+# define lockdep_assert_irqs_disabled() do { } while (0)
 #endif
 
 #ifdef CONFIG_PROVE_RCU
diff --git a/include/linux/mm.h b/include/linux/mm.h
index a576467cd4a5..e67e12641b63 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1699,6 +1699,7 @@ extern int __meminit init_per_zone_wmark_min(void);
 extern void mem_init(void);
 extern void __init mmap_init(void);
 extern void show_mem(unsigned int flags);
+extern long si_mem_available(void);
 extern void si_meminfo(struct sysinfo * val);
 extern void si_meminfo_node(struct sysinfo *val, int nid);
 
diff --git a/include/linux/siphash.h b/include/linux/siphash.h
new file mode 100644
index 000000000000..c8c7ae2e687b
--- /dev/null
+++ b/include/linux/siphash.h
@@ -0,0 +1,90 @@
+/* Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ *
+ * This file is provided under a dual BSD/GPLv2 license.
+ *
+ * SipHash: a fast short-input PRF
+ * https://131002.net/siphash/
+ *
+ * This implementation is specifically for SipHash2-4.
+ */
+
+#ifndef _LINUX_SIPHASH_H
+#define _LINUX_SIPHASH_H
+
+#include <linux/types.h>
+#include <linux/kernel.h>
+
+#define SIPHASH_ALIGNMENT __alignof__(u64)
+typedef struct {
+	u64 key[2];
+} siphash_key_t;
+
+static inline bool siphash_key_is_zero(const siphash_key_t *key)
+{
+	return !(key->key[0] | key->key[1]);
+}
+
+u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key);
+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key);
+#endif
+
+u64 siphash_1u64(const u64 a, const siphash_key_t *key);
+u64 siphash_2u64(const u64 a, const u64 b, const siphash_key_t *key);
+u64 siphash_3u64(const u64 a, const u64 b, const u64 c,
+		 const siphash_key_t *key);
+u64 siphash_4u64(const u64 a, const u64 b, const u64 c, const u64 d,
+		 const siphash_key_t *key);
+u64 siphash_1u32(const u32 a, const siphash_key_t *key);
+u64 siphash_3u32(const u32 a, const u32 b, const u32 c,
+		 const siphash_key_t *key);
+
+static inline u64 siphash_2u32(const u32 a, const u32 b,
+			       const siphash_key_t *key)
+{
+	return siphash_1u64((u64)b << 32 | a, key);
+}
+static inline u64 siphash_4u32(const u32 a, const u32 b, const u32 c,
+			       const u32 d, const siphash_key_t *key)
+{
+	return siphash_2u64((u64)b << 32 | a, (u64)d << 32 | c, key);
+}
+
+
+static inline u64 ___siphash_aligned(const __le64 *data, size_t len,
+				     const siphash_key_t *key)
+{
+	if (__builtin_constant_p(len) && len == 4)
+		return siphash_1u32(le32_to_cpup((const __le32 *)data), key);
+	if (__builtin_constant_p(len) && len == 8)
+		return siphash_1u64(le64_to_cpu(data[0]), key);
+	if (__builtin_constant_p(len) && len == 16)
+		return siphash_2u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]),
+				    key);
+	if (__builtin_constant_p(len) && len == 24)
+		return siphash_3u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]),
+				    le64_to_cpu(data[2]), key);
+	if (__builtin_constant_p(len) && len == 32)
+		return siphash_4u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]),
+				    le64_to_cpu(data[2]), le64_to_cpu(data[3]),
+				    key);
+	return __siphash_aligned(data, len, key);
+}
+
+/**
+ * siphash - compute 64-bit siphash PRF value
+ * @data: buffer to hash
+ * @size: size of @data
+ * @key: the siphash key
+ */
+static inline u64 siphash(const void *data, size_t len,
+			  const siphash_key_t *key)
+{
+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+	if (!IS_ALIGNED((unsigned long)data, SIPHASH_ALIGNMENT))
+		return __siphash_unaligned(data, len, key);
+#endif
+	return ___siphash_aligned(data, len, key);
+}
+
+#endif /* _LINUX_SIPHASH_H */
diff --git a/include/linux/string.h b/include/linux/string.h
index dd71dd08a840..85491dd76903 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -113,6 +113,9 @@ extern void * memscan(void *,int,__kernel_size_t);
 #ifndef __HAVE_ARCH_MEMCMP
 extern int memcmp(const void *,const void *,__kernel_size_t);
 #endif
+#ifndef __HAVE_ARCH_BCMP
+extern int bcmp(const void *,const void *,__kernel_size_t);
+#endif
 #ifndef __HAVE_ARCH_MEMCHR
 extern void * memchr(const void *,int,__kernel_size_t);
 #endif
diff --git a/include/linux/usb.h b/include/linux/usb.h
index a53e036b2252..64a39f02a5f6 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -125,7 +125,6 @@ enum usb_interface_condition {
  * @dev: driver model's view of this device
  * @usb_dev: if an interface is bound to the USB major, this will point
  *	to the sysfs representation for that device.
- * @pm_usage_cnt: PM usage counter for this interface
  * @reset_ws: Used for scheduling resets from atomic context.
  * @reset_running: set to 1 if the interface is currently running a
  *      queued reset so that usb_cancel_queued_reset() doesn't try to
@@ -186,7 +185,6 @@ struct usb_interface {
 
 	struct device dev;		/* interface specific device info */
 	struct device *usb_dev;
-	atomic_t pm_usage_cnt;		/* usage counter for autosuspend */
 	struct work_struct reset_ws;	/* for resets in atomic context */
 };
 #define	to_usb_interface(d) container_of(d, struct usb_interface, dev)
diff --git a/include/net/ip.h b/include/net/ip.h
index 27dd9826e05d..8ec53320c902 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -319,9 +319,10 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb)
 }
 
 u32 ip_idents_reserve(u32 hash, int segs);
-void __ip_select_ident(struct iphdr *iph, int segs);
+void __ip_select_ident(struct net *net, struct iphdr *iph, int segs);
 
-static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, int segs)
+static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
+					struct sock *sk, int segs)
 {
 	struct iphdr *iph = ip_hdr(skb);
 
@@ -338,13 +339,14 @@ static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, in
 			iph->id = 0;
 		}
 	} else {
-		__ip_select_ident(iph, segs);
+		__ip_select_ident(net, iph, segs);
 	}
 }
 
-static inline void ip_select_ident(struct sk_buff *skb, struct sock *sk)
+static inline void ip_select_ident(struct net *net, struct sk_buff *skb,
+				   struct sock *sk)
 {
-	ip_select_ident_segs(skb, sk, 1);
+	ip_select_ident_segs(net, skb, sk, 1);
 }
 
 static inline __wsum inet_compute_pseudo(struct sk_buff *skb, int proto)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index c30ba46ef2f0..c4e455f4bfe6 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -688,7 +688,9 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add
 	return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
 }
 
-void ipv6_proxy_select_ident(struct sk_buff *skb);
+void ipv6_select_ident(struct net *net, struct frag_hdr *fhdr,
+		       struct rt6_info *rt);
+void ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb);
 
 int ip6_dst_hoplimit(struct dst_entry *dst);
 
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 5c53572b5f0d..3b66e31a7819 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -289,6 +289,8 @@ void init_nf_conntrack_hash_rnd(void);
 
 void nf_conntrack_tmpl_insert(struct net *net, struct nf_conn *tmpl);
 
+u32 nf_ct_get_id(const struct nf_conn *ct);
+
 #define NF_CT_STAT_INC(net, count)	  __this_cpu_inc((net)->ct.stat->count)
 #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
 
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 80a1c572b9a0..213f53d4f6b2 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -7,6 +7,7 @@
 
 #include <linux/uidgid.h>
 #include <net/inet_frag.h>
+#include <linux/siphash.h>
 
 struct tcpm_hash_bucket;
 struct ctl_table_header;
@@ -98,5 +99,6 @@ struct netns_ipv4 {
 #endif
 #endif
 	atomic_t	rt_genid;
+	siphash_key_t	ip_id_key;
 };
 #endif
diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h
index 32ee65a30aff..1c6e6c0766ca 100644
--- a/include/net/sctp/checksum.h
+++ b/include/net/sctp/checksum.h
@@ -61,7 +61,7 @@ static inline __wsum sctp_csum_combine(__wsum csum, __wsum csum2,
 static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
 					unsigned int offset)
 {
-	struct sctphdr *sh = sctp_hdr(skb);
+	struct sctphdr *sh = (struct sctphdr *)(skb->data + offset);
 	const struct skb_checksum_ops ops = {
 		.update  = sctp_csum_update,
 		.combine = sctp_csum_combine,
diff --git a/kernel/events/core.c b/kernel/events/core.c
index e8be52939ed1..3beed0ea98d9 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5445,6 +5445,7 @@ static void perf_event_mmap_output(struct perf_event *event,
 	struct perf_output_handle handle;
 	struct perf_sample_data sample;
 	int size = mmap_event->event_id.header.size;
+	u32 type = mmap_event->event_id.header.type;
 	int ret;
 
 	if (!perf_event_mmap_match(event, data))
@@ -5488,6 +5489,7 @@ static void perf_event_mmap_output(struct perf_event *event,
 	perf_output_end(&handle);
 out:
 	mmap_event->event_id.header.size = size;
+	mmap_event->event_id.header.type = type;
 }
 
 static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
diff --git a/kernel/futex.c b/kernel/futex.c
index 0ee2f54d74fb..99679c0040cc 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2909,6 +2909,10 @@ int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)
 {
 	u32 uval, uninitialized_var(nval), mval;
 
+	/* Futex address must be 32bit aligned */
+	if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0)
+		return -1;
+
 retry:
 	if (get_user(uval, uaddr))
 		return -1;
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 328410652be6..f967ff776e5b 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -1503,6 +1503,10 @@ static u64 numa_get_avg_runtime(struct task_struct *p, u64 *period)
 	if (p->last_task_numa_placement) {
 		delta = runtime - p->last_sum_exec_runtime;
 		*period = now - p->last_task_numa_placement;
+
+		/* Avoid time going backwards, prevent potential divide error: */
+		if (unlikely((s64)*period < 0))
+			*period = 0;
 	} else {
 		delta = p->se.avg.runnable_avg_sum;
 		*period = p->se.avg.runnable_avg_period;
@@ -3704,6 +3708,8 @@ static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer)
 	return HRTIMER_NORESTART;
 }
 
+extern const u64 max_cfs_quota_period;
+
 static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
 {
 	struct cfs_bandwidth *cfs_b =
@@ -3711,6 +3717,7 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
 	ktime_t now;
 	int overrun;
 	int idle = 0;
+	int count = 0;
 
 	raw_spin_lock(&cfs_b->lock);
 	for (;;) {
@@ -3720,6 +3727,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
 		if (!overrun)
 			break;
 
+		if (++count > 3) {
+			u64 new, old = ktime_to_ns(cfs_b->period);
+
+			new = (old * 147) / 128; /* ~115% */
+			new = min(new, max_cfs_quota_period);
+
+			cfs_b->period = ns_to_ktime(new);
+
+			/* since max is 1s, this is limited to 1e9^2, which fits in u64 */
+			cfs_b->quota *= new;
+			cfs_b->quota = div64_u64(cfs_b->quota, old);
+
+			pr_warn_ratelimited(
+	"cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n",
+				smp_processor_id(),
+				div_u64(new, NSEC_PER_USEC),
+				div_u64(cfs_b->quota, NSEC_PER_USEC));
+
+			/* reset count so we don't come right back in here */
+			count = 0;
+		}
+
 		idle = do_sched_cfs_period_timer(cfs_b, overrun);
 	}
 	raw_spin_unlock(&cfs_b->lock);
@@ -5487,10 +5516,10 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
 	if (cfs_rq->last_h_load_update == now)
 		return;
 
-	cfs_rq->h_load_next = NULL;
+	ACCESS_ONCE(cfs_rq->h_load_next) = NULL;
 	for_each_sched_entity(se) {
 		cfs_rq = cfs_rq_of(se);
-		cfs_rq->h_load_next = se;
+		ACCESS_ONCE(cfs_rq->h_load_next) = se;
 		if (cfs_rq->last_h_load_update == now)
 			break;
 	}
@@ -5500,7 +5529,7 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
 		cfs_rq->last_h_load_update = now;
 	}
 
-	while ((se = cfs_rq->h_load_next) != NULL) {
+	while ((se = ACCESS_ONCE(cfs_rq->h_load_next)) != NULL) {
 		load = cfs_rq->h_load;
 		load = div64_ul(load * se->avg.load_avg_contrib,
 				cfs_rq->runnable_load_avg + 1);
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 8ee705e1d472..c59d43d54d32 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -32,6 +32,7 @@
 #include <linux/list.h>
 #include <linux/hash.h>
 #include <linux/rcupdate.h>
+#include <linux/kprobes.h>
 
 #include <trace/events/sched.h>
 
@@ -4508,7 +4509,7 @@ static struct ftrace_ops control_ops = {
 	INIT_OPS_HASH(control_ops)
 };
 
-static inline void
+static nokprobe_inline void
 __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
 		       struct ftrace_ops *ignored, struct pt_regs *regs)
 {
@@ -4561,11 +4562,13 @@ static void ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
 {
 	__ftrace_ops_list_func(ip, parent_ip, NULL, regs);
 }
+NOKPROBE_SYMBOL(ftrace_ops_list_func);
 #else
 static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip)
 {
 	__ftrace_ops_list_func(ip, parent_ip, NULL, NULL);
 }
+NOKPROBE_SYMBOL(ftrace_ops_no_ops);
 #endif
 
 static void clear_ftrace_swapper(void)
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 107e8ce1a87e..89d99ccb1617 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -729,7 +729,7 @@ u64 ring_buffer_time_stamp(struct ring_buffer *buffer, int cpu)
 
 	preempt_disable_notrace();
 	time = rb_time_stamp(buffer);
-	preempt_enable_no_resched_notrace();
+	preempt_enable_notrace();
 
 	return time;
 }
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 7a638aa3545b..3678fc124dc1 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1550,6 +1550,16 @@ config TEST_STRING_HELPERS
 config TEST_KSTRTOX
 	tristate "Test kstrto*() family of functions at runtime"
 
+config TEST_HASH
+	tristate "Perform selftest on hash functions"
+	default n
+	help
+	  Enable this option to test the kernel's siphash (<linux/siphash.h>)
+	  hash functions on boot (or module load).
+
+	  This is intended to help people writing architecture-specific
+	  optimized versions.  If unsure, say N.
+
 endmenu # runtime tests
 
 config PROVIDE_OHCI1394_DMA_INIT
diff --git a/lib/Makefile b/lib/Makefile
index ba967a19edba..31a4389ff179 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -26,10 +26,11 @@ obj-y += bcd.o div64.o sort.o parser.o halfmd4.o debug_locks.o random32.o \
 	 bust_spinlocks.o hexdump.o kasprintf.o bitmap.o scatterlist.o \
 	 gcd.o lcm.o list_sort.o uuid.o flex_array.o iovec.o clz_ctz.o \
 	 bsearch.o find_last_bit.o find_next_bit.o llist.o memweight.o kfifo.o \
-	 percpu-refcount.o percpu_ida.o hash.o
+	 percpu-refcount.o percpu_ida.o hash.o siphash.o
 obj-y += string_helpers.o
 obj-$(CONFIG_TEST_STRING_HELPERS) += test-string_helpers.o
 obj-y += kstrtox.o
+obj-$(CONFIG_TEST_HASH) += test_siphash.o
 obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o
 obj-$(CONFIG_TEST_MODULE) += test_module.o
 obj-$(CONFIG_TEST_USER_COPY) += test_user_copy.o
diff --git a/lib/siphash.c b/lib/siphash.c
new file mode 100644
index 000000000000..c43cf406e71b
--- /dev/null
+++ b/lib/siphash.c
@@ -0,0 +1,232 @@
+/* Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ *
+ * This file is provided under a dual BSD/GPLv2 license.
+ *
+ * SipHash: a fast short-input PRF
+ * https://131002.net/siphash/
+ *
+ * This implementation is specifically for SipHash2-4.
+ */
+
+#include <linux/siphash.h>
+#include <asm/unaligned.h>
+
+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64
+#include <linux/dcache.h>
+#include <asm/word-at-a-time.h>
+#endif
+
+#define SIPROUND \
+	do { \
+	v0 += v1; v1 = rol64(v1, 13); v1 ^= v0; v0 = rol64(v0, 32); \
+	v2 += v3; v3 = rol64(v3, 16); v3 ^= v2; \
+	v0 += v3; v3 = rol64(v3, 21); v3 ^= v0; \
+	v2 += v1; v1 = rol64(v1, 17); v1 ^= v2; v2 = rol64(v2, 32); \
+	} while (0)
+
+#define PREAMBLE(len) \
+	u64 v0 = 0x736f6d6570736575ULL; \
+	u64 v1 = 0x646f72616e646f6dULL; \
+	u64 v2 = 0x6c7967656e657261ULL; \
+	u64 v3 = 0x7465646279746573ULL; \
+	u64 b = ((u64)(len)) << 56; \
+	v3 ^= key->key[1]; \
+	v2 ^= key->key[0]; \
+	v1 ^= key->key[1]; \
+	v0 ^= key->key[0];
+
+#define POSTAMBLE \
+	v3 ^= b; \
+	SIPROUND; \
+	SIPROUND; \
+	v0 ^= b; \
+	v2 ^= 0xff; \
+	SIPROUND; \
+	SIPROUND; \
+	SIPROUND; \
+	SIPROUND; \
+	return (v0 ^ v1) ^ (v2 ^ v3);
+
+u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key)
+{
+	const u8 *end = data + len - (len % sizeof(u64));
+	const u8 left = len & (sizeof(u64) - 1);
+	u64 m;
+	PREAMBLE(len)
+	for (; data != end; data += sizeof(u64)) {
+		m = le64_to_cpup(data);
+		v3 ^= m;
+		SIPROUND;
+		SIPROUND;
+		v0 ^= m;
+	}
+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64
+	if (left)
+		b |= le64_to_cpu((__force __le64)(load_unaligned_zeropad(data) &
+						  bytemask_from_count(left)));
+#else
+	switch (left) {
+	case 7: b |= ((u64)end[6]) << 48;
+	case 6: b |= ((u64)end[5]) << 40;
+	case 5: b |= ((u64)end[4]) << 32;
+	case 4: b |= le32_to_cpup(data); break;
+	case 3: b |= ((u64)end[2]) << 16;
+	case 2: b |= le16_to_cpup(data); break;
+	case 1: b |= end[0];
+	}
+#endif
+	POSTAMBLE
+}
+EXPORT_SYMBOL(__siphash_aligned);
+
+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key)
+{
+	const u8 *end = data + len - (len % sizeof(u64));
+	const u8 left = len & (sizeof(u64) - 1);
+	u64 m;
+	PREAMBLE(len)
+	for (; data != end; data += sizeof(u64)) {
+		m = get_unaligned_le64(data);
+		v3 ^= m;
+		SIPROUND;
+		SIPROUND;
+		v0 ^= m;
+	}
+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64
+	if (left)
+		b |= le64_to_cpu((__force __le64)(load_unaligned_zeropad(data) &
+						  bytemask_from_count(left)));
+#else
+	switch (left) {
+	case 7: b |= ((u64)end[6]) << 48;
+	case 6: b |= ((u64)end[5]) << 40;
+	case 5: b |= ((u64)end[4]) << 32;
+	case 4: b |= get_unaligned_le32(end); break;
+	case 3: b |= ((u64)end[2]) << 16;
+	case 2: b |= get_unaligned_le16(end); break;
+	case 1: b |= end[0];
+	}
+#endif
+	POSTAMBLE
+}
+EXPORT_SYMBOL(__siphash_unaligned);
+#endif
+
+/**
+ * siphash_1u64 - compute 64-bit siphash PRF value of a u64
+ * @first: first u64
+ * @key: the siphash key
+ */
+u64 siphash_1u64(const u64 first, const siphash_key_t *key)
+{
+	PREAMBLE(8)
+	v3 ^= first;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= first;
+	POSTAMBLE
+}
+EXPORT_SYMBOL(siphash_1u64);
+
+/**
+ * siphash_2u64 - compute 64-bit siphash PRF value of 2 u64
+ * @first: first u64
+ * @second: second u64
+ * @key: the siphash key
+ */
+u64 siphash_2u64(const u64 first, const u64 second, const siphash_key_t *key)
+{
+	PREAMBLE(16)
+	v3 ^= first;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= first;
+	v3 ^= second;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= second;
+	POSTAMBLE
+}
+EXPORT_SYMBOL(siphash_2u64);
+
+/**
+ * siphash_3u64 - compute 64-bit siphash PRF value of 3 u64
+ * @first: first u64
+ * @second: second u64
+ * @third: third u64
+ * @key: the siphash key
+ */
+u64 siphash_3u64(const u64 first, const u64 second, const u64 third,
+		 const siphash_key_t *key)
+{
+	PREAMBLE(24)
+	v3 ^= first;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= first;
+	v3 ^= second;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= second;
+	v3 ^= third;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= third;
+	POSTAMBLE
+}
+EXPORT_SYMBOL(siphash_3u64);
+
+/**
+ * siphash_4u64 - compute 64-bit siphash PRF value of 4 u64
+ * @first: first u64
+ * @second: second u64
+ * @third: third u64
+ * @forth: forth u64
+ * @key: the siphash key
+ */
+u64 siphash_4u64(const u64 first, const u64 second, const u64 third,
+		 const u64 forth, const siphash_key_t *key)
+{
+	PREAMBLE(32)
+	v3 ^= first;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= first;
+	v3 ^= second;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= second;
+	v3 ^= third;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= third;
+	v3 ^= forth;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= forth;
+	POSTAMBLE
+}
+EXPORT_SYMBOL(siphash_4u64);
+
+u64 siphash_1u32(const u32 first, const siphash_key_t *key)
+{
+	PREAMBLE(4)
+	b |= first;
+	POSTAMBLE
+}
+EXPORT_SYMBOL(siphash_1u32);
+
+u64 siphash_3u32(const u32 first, const u32 second, const u32 third,
+		 const siphash_key_t *key)
+{
+	u64 combined = (u64)second << 32 | first;
+	PREAMBLE(12)
+	v3 ^= combined;
+	SIPROUND;
+	SIPROUND;
+	v0 ^= combined;
+	b |= third;
+	POSTAMBLE
+}
+EXPORT_SYMBOL(siphash_3u32);
diff --git a/lib/string.c b/lib/string.c
index 80e8bdb60538..94928426f511 100644
--- a/lib/string.c
+++ b/lib/string.c
@@ -776,6 +776,26 @@ __visible int memcmp(const void *cs, const void *ct, size_t count)
 EXPORT_SYMBOL(memcmp);
 #endif
 
+#ifndef __HAVE_ARCH_BCMP
+/**
+ * bcmp - returns 0 if and only if the buffers have identical contents.
+ * @a: pointer to first buffer.
+ * @b: pointer to second buffer.
+ * @len: size of buffers.
+ *
+ * The sign or magnitude of a non-zero return value has no particular
+ * meaning, and architectures may implement their own more efficient bcmp(). So
+ * while this particular implementation is a simple (tail) call to memcmp, do
+ * not rely on anything but whether the return value is zero or non-zero.
+ */
+#undef bcmp
+int bcmp(const void *a, const void *b, size_t len)
+{
+	return memcmp(a, b, len);
+}
+EXPORT_SYMBOL(bcmp);
+#endif
+
 #ifndef __HAVE_ARCH_MEMSCAN
 /**
  * memscan - Find a character in an area of memory.
diff --git a/lib/test_siphash.c b/lib/test_siphash.c
new file mode 100644
index 000000000000..d972acfc15e4
--- /dev/null
+++ b/lib/test_siphash.c
@@ -0,0 +1,131 @@
+/* Test cases for siphash.c
+ *
+ * Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ *
+ * This file is provided under a dual BSD/GPLv2 license.
+ *
+ * SipHash: a fast short-input PRF
+ * https://131002.net/siphash/
+ *
+ * This implementation is specifically for SipHash2-4.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <linux/siphash.h>
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <linux/errno.h>
+#include <linux/module.h>
+
+/* Test vectors taken from official reference source available at:
+ *     https://131002.net/siphash/siphash24.c
+ */
+
+static const siphash_key_t test_key_siphash =
+	{{ 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL }};
+
+static const u64 test_vectors_siphash[64] = {
+	0x726fdb47dd0e0e31ULL, 0x74f839c593dc67fdULL, 0x0d6c8009d9a94f5aULL,
+	0x85676696d7fb7e2dULL, 0xcf2794e0277187b7ULL, 0x18765564cd99a68dULL,
+	0xcbc9466e58fee3ceULL, 0xab0200f58b01d137ULL, 0x93f5f5799a932462ULL,
+	0x9e0082df0ba9e4b0ULL, 0x7a5dbbc594ddb9f3ULL, 0xf4b32f46226bada7ULL,
+	0x751e8fbc860ee5fbULL, 0x14ea5627c0843d90ULL, 0xf723ca908e7af2eeULL,
+	0xa129ca6149be45e5ULL, 0x3f2acc7f57c29bdbULL, 0x699ae9f52cbe4794ULL,
+	0x4bc1b3f0968dd39cULL, 0xbb6dc91da77961bdULL, 0xbed65cf21aa2ee98ULL,
+	0xd0f2cbb02e3b67c7ULL, 0x93536795e3a33e88ULL, 0xa80c038ccd5ccec8ULL,
+	0xb8ad50c6f649af94ULL, 0xbce192de8a85b8eaULL, 0x17d835b85bbb15f3ULL,
+	0x2f2e6163076bcfadULL, 0xde4daaaca71dc9a5ULL, 0xa6a2506687956571ULL,
+	0xad87a3535c49ef28ULL, 0x32d892fad841c342ULL, 0x7127512f72f27cceULL,
+	0xa7f32346f95978e3ULL, 0x12e0b01abb051238ULL, 0x15e034d40fa197aeULL,
+	0x314dffbe0815a3b4ULL, 0x027990f029623981ULL, 0xcadcd4e59ef40c4dULL,
+	0x9abfd8766a33735cULL, 0x0e3ea96b5304a7d0ULL, 0xad0c42d6fc585992ULL,
+	0x187306c89bc215a9ULL, 0xd4a60abcf3792b95ULL, 0xf935451de4f21df2ULL,
+	0xa9538f0419755787ULL, 0xdb9acddff56ca510ULL, 0xd06c98cd5c0975ebULL,
+	0xe612a3cb9ecba951ULL, 0xc766e62cfcadaf96ULL, 0xee64435a9752fe72ULL,
+	0xa192d576b245165aULL, 0x0a8787bf8ecb74b2ULL, 0x81b3e73d20b49b6fULL,
+	0x7fa8220ba3b2eceaULL, 0x245731c13ca42499ULL, 0xb78dbfaf3a8d83bdULL,
+	0xea1ad565322a1a0bULL, 0x60e61c23a3795013ULL, 0x6606d7e446282b93ULL,
+	0x6ca4ecb15c5f91e1ULL, 0x9f626da15c9625f3ULL, 0xe51b38608ef25f57ULL,
+	0x958a324ceb064572ULL
+};
+
+static int __init siphash_test_init(void)
+{
+	u8 in[64] __aligned(SIPHASH_ALIGNMENT);
+	u8 in_unaligned[65] __aligned(SIPHASH_ALIGNMENT);
+	u8 i;
+	int ret = 0;
+
+	for (i = 0; i < 64; ++i) {
+		in[i] = i;
+		in_unaligned[i + 1] = i;
+		if (siphash(in, i, &test_key_siphash) !=
+						test_vectors_siphash[i]) {
+			pr_info("siphash self-test aligned %u: FAIL\n", i + 1);
+			ret = -EINVAL;
+		}
+		if (siphash(in_unaligned + 1, i, &test_key_siphash) !=
+						test_vectors_siphash[i]) {
+			pr_info("siphash self-test unaligned %u: FAIL\n", i + 1);
+			ret = -EINVAL;
+		}
+	}
+	if (siphash_1u64(0x0706050403020100ULL, &test_key_siphash) !=
+						test_vectors_siphash[8]) {
+		pr_info("siphash self-test 1u64: FAIL\n");
+		ret = -EINVAL;
+	}
+	if (siphash_2u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
+			 &test_key_siphash) != test_vectors_siphash[16]) {
+		pr_info("siphash self-test 2u64: FAIL\n");
+		ret = -EINVAL;
+	}
+	if (siphash_3u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
+			 0x1716151413121110ULL, &test_key_siphash) !=
+						test_vectors_siphash[24]) {
+		pr_info("siphash self-test 3u64: FAIL\n");
+		ret = -EINVAL;
+	}
+	if (siphash_4u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
+			 0x1716151413121110ULL, 0x1f1e1d1c1b1a1918ULL,
+			 &test_key_siphash) != test_vectors_siphash[32]) {
+		pr_info("siphash self-test 4u64: FAIL\n");
+		ret = -EINVAL;
+	}
+	if (siphash_1u32(0x03020100U, &test_key_siphash) !=
+						test_vectors_siphash[4]) {
+		pr_info("siphash self-test 1u32: FAIL\n");
+		ret = -EINVAL;
+	}
+	if (siphash_2u32(0x03020100U, 0x07060504U, &test_key_siphash) !=
+						test_vectors_siphash[8]) {
+		pr_info("siphash self-test 2u32: FAIL\n");
+		ret = -EINVAL;
+	}
+	if (siphash_3u32(0x03020100U, 0x07060504U,
+			 0x0b0a0908U, &test_key_siphash) !=
+						test_vectors_siphash[12]) {
+		pr_info("siphash self-test 3u32: FAIL\n");
+		ret = -EINVAL;
+	}
+	if (siphash_4u32(0x03020100U, 0x07060504U,
+			 0x0b0a0908U, 0x0f0e0d0cU, &test_key_siphash) !=
+						test_vectors_siphash[16]) {
+		pr_info("siphash self-test 4u32: FAIL\n");
+		ret = -EINVAL;
+	}
+	if (!ret)
+		pr_info("self-tests: pass\n");
+	return ret;
+}
+
+static void __exit siphash_test_exit(void)
+{
+}
+
+module_init(siphash_test_init);
+module_exit(siphash_test_exit);
+
+MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
+MODULE_LICENSE("Dual BSD/GPL");
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 7a783dc67305..b491f75f7491 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -3072,6 +3072,49 @@ static inline void show_node(struct zone *zone)
 		printk("Node %d ", zone_to_nid(zone));
 }
 
+long si_mem_available(void)
+{
+	long available;
+	unsigned long pagecache;
+	unsigned long wmark_low = 0;
+	unsigned long pages[NR_LRU_LISTS];
+	struct zone *zone;
+	int lru;
+
+	for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++)
+		pages[lru] = global_page_state(NR_LRU_BASE + lru);
+
+	for_each_zone(zone)
+		wmark_low += zone->watermark[WMARK_LOW];
+
+	/*
+	 * Estimate the amount of memory available for userspace allocations,
+	 * without causing swapping.
+	 */
+	available = global_page_state(NR_FREE_PAGES) - totalreserve_pages;
+
+	/*
+	 * Not all the page cache can be freed, otherwise the system will
+	 * start swapping. Assume at least half of the page cache, or the
+	 * low watermark worth of cache, needs to stay.
+	 */
+	pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE];
+	pagecache -= min(pagecache / 2, wmark_low);
+	available += pagecache;
+
+	/*
+	 * Part of the reclaimable slab consists of items that are in use,
+	 * and cannot be freed. Cap this estimate at the low watermark.
+	 */
+	available += global_page_state(NR_SLAB_RECLAIMABLE) -
+		     min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low);
+
+	if (available < 0)
+		available = 0;
+	return available;
+}
+EXPORT_SYMBOL_GPL(si_mem_available);
+
 void si_meminfo(struct sysinfo *val)
 {
 	val->totalram = totalram_pages;
diff --git a/mm/vmstat.c b/mm/vmstat.c
index ae3c911843fa..8272a99dce41 100644
--- a/mm/vmstat.c
+++ b/mm/vmstat.c
@@ -861,13 +861,8 @@ const char * const vmstat_text[] = {
 	"thp_zero_page_alloc_failed",
 #endif
 #ifdef CONFIG_DEBUG_TLBFLUSH
-#ifdef CONFIG_SMP
 	"nr_tlb_remote_flush",
 	"nr_tlb_remote_flush_received",
-#else
-	"", /* nr_tlb_remote_flush */
-	"", /* nr_tlb_remote_flush_received */
-#endif /* CONFIG_SMP */
 	"nr_tlb_local_flush_all",
 	"nr_tlb_local_flush_one",
 #endif /* CONFIG_DEBUG_TLBFLUSH */
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 335401d6351c..2a1611e65904 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -677,6 +677,8 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
 				 const uint8_t *mac, const unsigned short vid)
 {
 	struct batadv_bla_claim search_claim, *claim;
+	struct batadv_bla_claim *claim_removed_entry;
+	struct hlist_node *claim_removed_node;
 
 	ether_addr_copy(search_claim.addr, mac);
 	search_claim.vid = vid;
@@ -687,10 +689,18 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
 	batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_del_claim(): %pM, vid %d\n",
 		   mac, BATADV_PRINT_VID(vid));
 
-	batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim,
-			   batadv_choose_claim, claim);
-	batadv_claim_free_ref(claim); /* reference from the hash is gone */
+	claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash,
+						batadv_compare_claim,
+						batadv_choose_claim, claim);
+	if (!claim_removed_node)
+		goto free_claim;
 
+	/* reference from the hash is gone */
+	claim_removed_entry = hlist_entry(claim_removed_node,
+					  struct batadv_bla_claim, hash_entry);
+	batadv_claim_free_ref(claim_removed_entry);
+
+free_claim:
 	/* don't need the reference from hash_find() anymore */
 	batadv_claim_free_ref(claim);
 }
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index c9ac7d948a21..422d54f6a243 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -483,14 +483,26 @@ static void batadv_tt_global_free(struct batadv_priv *bat_priv,
 				  struct batadv_tt_global_entry *tt_global,
 				  const char *message)
 {
+	struct batadv_tt_global_entry *tt_removed_entry;
+	struct hlist_node *tt_removed_node;
+
 	batadv_dbg(BATADV_DBG_TT, bat_priv,
 		   "Deleting global tt entry %pM (vid: %d): %s\n",
 		   tt_global->common.addr,
 		   BATADV_PRINT_VID(tt_global->common.vid), message);
 
-	batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt,
-			   batadv_choose_tt, &tt_global->common);
-	batadv_tt_global_entry_free_ref(tt_global);
+	tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash,
+					     batadv_compare_tt,
+					     batadv_choose_tt,
+					     &tt_global->common);
+	if (!tt_removed_node)
+		return;
+
+	/* drop reference of remove hash entry */
+	tt_removed_entry = hlist_entry(tt_removed_node,
+				       struct batadv_tt_global_entry,
+				       common.hash_entry);
+	batadv_tt_global_entry_free_ref(tt_removed_entry);
 }
 
 /**
@@ -1021,9 +1033,10 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
 				const uint8_t *addr, unsigned short vid,
 				const char *message, bool roaming)
 {
+	struct batadv_tt_local_entry *tt_removed_entry;
 	struct batadv_tt_local_entry *tt_local_entry;
 	uint16_t flags, curr_flags = BATADV_NO_FLAGS;
-	void *tt_entry_exists;
+	struct hlist_node *tt_removed_node;
 
 	tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid);
 	if (!tt_local_entry)
@@ -1052,15 +1065,18 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
 	 */
 	batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL);
 
-	tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash,
+	tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash,
 					     batadv_compare_tt,
 					     batadv_choose_tt,
 					     &tt_local_entry->common);
-	if (!tt_entry_exists)
+	if (!tt_removed_node)
 		goto out;
 
-	/* extra call to free the local tt entry */
-	batadv_tt_local_entry_free_ref(tt_local_entry);
+	/* drop reference of remove hash entry */
+	tt_removed_entry = hlist_entry(tt_removed_node,
+				       struct batadv_tt_local_entry,
+				       common.hash_entry);
+	batadv_tt_local_entry_free_ref(tt_removed_entry);
 
 out:
 	if (tt_local_entry)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 3c594185de36..7725dd99fdc6 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -2036,7 +2036,8 @@ static void br_multicast_start_querier(struct net_bridge *br,
 
 	__br_multicast_open(br, query);
 
-	list_for_each_entry(port, &br->port_list, list) {
+	rcu_read_lock();
+	list_for_each_entry_rcu(port, &br->port_list, list) {
 		if (port->state == BR_STATE_DISABLED ||
 		    port->state == BR_STATE_BLOCKING)
 			continue;
@@ -2048,6 +2049,7 @@ static void br_multicast_start_querier(struct net_bridge *br,
 			br_multicast_enable(&port->ip6_own_query);
 #endif
 	}
+	rcu_read_unlock();
 }
 
 int br_multicast_toggle(struct net_bridge *br, unsigned long val)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 2cf4e30ac41a..7ddb8b322556 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -659,6 +659,8 @@ static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
 		return NF_DROP;
 
 	skb->protocol = htons(ETH_P_IPV6);
+	skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
+
 	NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
 		br_nf_pre_routing_finish_ipv6);
 
@@ -715,6 +717,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
 		return NF_DROP;
 	store_orig_dstaddr(skb);
 	skb->protocol = htons(ETH_P_IP);
+	skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
 
 	NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
 		br_nf_pre_routing_finish);
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 2df71bc7959d..75929f9bd4e6 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2011,7 +2011,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
 		if (match_kern)
 			match_kern->match_size = ret;
 
-		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+		/* rule should have no remaining data after target */
+		if (type == EBT_COMPAT_TARGET && size_left)
 			return -EINVAL;
 
 		match32 = (struct compat_ebt_entry_mwt *) buf;
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index cd332d0fa930..7550d098e3b7 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -788,6 +788,8 @@ static int rx_queue_add_kobject(struct net_device *net, int index)
 	if (error)
 		return error;
 
+	dev_hold(queue->dev);
+
 	if (net->sysfs_rx_queue_group) {
 		error = sysfs_create_group(kobj, net->sysfs_rx_queue_group);
 		if (error) {
@@ -797,7 +799,6 @@ static int rx_queue_add_kobject(struct net_device *net, int index)
 	}
 
 	kobject_uevent(kobj, KOBJ_ADD);
-	dev_hold(queue->dev);
 
 	return error;
 }
@@ -1146,6 +1147,8 @@ static int netdev_queue_add_kobject(struct net_device *net, int index)
 	if (error)
 		return error;
 
+	dev_hold(queue->dev);
+
 #ifdef CONFIG_BQL
 	error = sysfs_create_group(kobj, &dql_group);
 	if (error) {
@@ -1155,7 +1158,6 @@ static int netdev_queue_add_kobject(struct net_device *net, int index)
 #endif
 
 	kobject_uevent(kobj, KOBJ_ADD);
-	dev_hold(queue->dev);
 
 	return 0;
 }
diff --git a/net/dccp/feat.c b/net/dccp/feat.c
index 9733ddbc96cb..fa99d53f29e5 100644
--- a/net/dccp/feat.c
+++ b/net/dccp/feat.c
@@ -738,7 +738,12 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local,
 	if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
 		return -ENOMEM;
 
-	return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
+	if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
+		kfree(fval.sp.vec);
+		return -ENOMEM;
+	}
+
+	return 0;
 }
 
 /**
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 30455bf91b18..c3ed865d262f 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -491,8 +491,8 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
 		newnp->ipv6_mc_list = NULL;
 		newnp->ipv6_ac_list = NULL;
 		newnp->ipv6_fl_list = NULL;
-		newnp->mcast_oif   = inet6_iif(skb);
-		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
+		newnp->mcast_oif   = inet_iif(skb);
+		newnp->mcast_hops  = ip_hdr(skb)->ttl;
 
 		/*
 		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 48444c4c3c51..680ce5f4fb65 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -395,7 +395,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
 
 	pip->protocol = IPPROTO_IGMP;
 	pip->tot_len  = 0;	/* filled in later */
-	ip_select_ident(skb, NULL);
+	ip_select_ident(net, skb, NULL);
 	((u8 *)&pip[1])[0] = IPOPT_RA;
 	((u8 *)&pip[1])[1] = 4;
 	((u8 *)&pip[1])[2] = 0;
@@ -739,7 +739,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
 	iph->daddr    = dst;
 	iph->saddr    = fl4.saddr;
 	iph->protocol = IPPROTO_IGMP;
-	ip_select_ident(skb, NULL);
+	ip_select_ident(net, skb, NULL);
 	((u8 *)&iph[1])[0] = IPOPT_RA;
 	((u8 *)&iph[1])[1] = 4;
 	((u8 *)&iph[1])[2] = 0;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 109eddf0248a..2a05dfc9a35e 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -150,7 +150,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
 	iph->daddr    = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
 	iph->saddr    = saddr;
 	iph->protocol = sk->sk_protocol;
-	ip_select_ident(skb, sk);
+	ip_select_ident(sock_net(sk), skb, sk);
 
 	if (opt && opt->opt.optlen) {
 		iph->ihl += opt->opt.optlen>>2;
@@ -432,7 +432,8 @@ int ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl)
 		ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);
 	}
 
-	ip_select_ident_segs(skb, sk, skb_shinfo(skb)->gso_segs ?: 1);
+	ip_select_ident_segs(sock_net(sk), skb, sk,
+			     skb_shinfo(skb)->gso_segs ?: 1);
 
 	/* TODO : should we use skb->sk here instead of sk ? */
 	skb->priority = sk->sk_priority;
@@ -1385,7 +1386,7 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
 	iph->ttl = ttl;
 	iph->protocol = sk->sk_protocol;
 	ip_copy_addrs(iph, fl4);
-	ip_select_ident(skb, sk);
+	ip_select_ident(net, skb, sk);
 
 	if (opt) {
 		iph->ihl += opt->optlen>>2;
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 88c386cf7d85..ce63ab21b6cd 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -74,7 +74,8 @@ int iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
 	iph->daddr	=	dst;
 	iph->saddr	=	src;
 	iph->ttl	=	ttl;
-	__ip_select_ident(iph, skb_shinfo(skb)->gso_segs ?: 1);
+	__ip_select_ident(dev_net(rt->dst.dev), iph,
+			  skb_shinfo(skb)->gso_segs ?: 1);
 
 	err = ip_local_out_sk(sk, skb);
 	if (unlikely(net_xmit_eval(err)))
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 643ec0bb80a5..5859c0f5bd41 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1647,7 +1647,8 @@ static struct notifier_block ip_mr_notifier = {
  *	important for multicast video.
  */
 
-static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
+static void ip_encap(struct net *net, struct sk_buff *skb,
+		     __be32 saddr, __be32 daddr)
 {
 	struct iphdr *iph;
 	const struct iphdr *old_iph = ip_hdr(skb);
@@ -1666,7 +1667,7 @@ static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
 	iph->protocol	=	IPPROTO_IPIP;
 	iph->ihl	=	5;
 	iph->tot_len	=	htons(skb->len);
-	ip_select_ident(skb, NULL);
+	ip_select_ident(net, skb, NULL);
 	ip_send_check(iph);
 
 	memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
@@ -1763,7 +1764,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
 	 * What do we do with netfilter? -- RR
 	 */
 	if (vif->flags & VIFF_TUNNEL) {
-		ip_encap(skb, vif->local, vif->remote);
+		ip_encap(net, skb, vif->local, vif->remote);
 		/* FIXME: extra output firewall step used to be here. --RR */
 		vif->dev->stats.tx_packets++;
 		vif->dev->stats.tx_bytes += skb->len;
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index e43a585abb35..04700c745ca0 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -399,7 +399,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
 		iph->check   = 0;
 		iph->tot_len = htons(length);
 		if (!iph->id)
-			ip_select_ident(skb, NULL);
+			ip_select_ident(net, skb, NULL);
 
 		iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
 	}
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 660848116761..858596c80e0e 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -484,19 +484,19 @@ u32 ip_idents_reserve(u32 hash, int segs)
 }
 EXPORT_SYMBOL(ip_idents_reserve);
 
-void __ip_select_ident(struct iphdr *iph, int segs)
+void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
 {
-	static u32 ip_idents_hashrnd __read_mostly;
-	static u32 ip_idents_hashrnd_extra __read_mostly;
 	u32 hash, id;
 
-	net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
-	net_get_random_once(&ip_idents_hashrnd_extra, sizeof(ip_idents_hashrnd_extra));
+	/* Note the following code is not safe, but this is okay. */
+	if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+		get_random_bytes(&net->ipv4.ip_id_key,
+				 sizeof(net->ipv4.ip_id_key));
 
-	hash = jhash_3words((__force u32)iph->daddr,
+	hash = siphash_3u32((__force u32)iph->daddr,
 			    (__force u32)iph->saddr,
-			    iph->protocol ^ ip_idents_hashrnd_extra,
-			    ip_idents_hashrnd);
+			    iph->protocol,
+			    &net->ipv4.ip_id_key);
 	id = ip_idents_reserve(hash, segs);
 	iph->id = htons(id);
 }
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index 91771a7c802f..35feda676464 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -63,7 +63,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
 
 	top_iph->saddr = x->props.saddr.a4;
 	top_iph->daddr = x->id.daddr.a4;
-	ip_select_ident(skb, NULL);
+	ip_select_ident(dev_net(dst->dev), skb, NULL);
 
 	return 0;
 }
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 3a4c1f93023a..1b99e1406186 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -103,7 +103,8 @@ static void
 _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 {
 	const struct iphdr *iph = ip_hdr(skb);
-	u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
+	int ihl = iph->ihl;
+	u8 *xprth = skb_network_header(skb) + ihl * 4;
 	struct flowi4 *fl4 = &fl->u.ip4;
 	int oif = 0;
 
@@ -114,6 +115,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 	fl4->flowi4_mark = skb->mark;
 	fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
 
+	fl4->flowi4_proto = iph->protocol;
+	fl4->daddr = reverse ? iph->saddr : iph->daddr;
+	fl4->saddr = reverse ? iph->daddr : iph->saddr;
+	fl4->flowi4_tos = iph->tos;
+
 	if (!ip_is_fragment(iph)) {
 		switch (iph->protocol) {
 		case IPPROTO_UDP:
@@ -123,7 +129,10 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 		case IPPROTO_DCCP:
 			if (xprth + 4 < skb->data ||
 			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
-				__be16 *ports = (__be16 *)xprth;
+				__be16 *ports;
+
+				xprth = skb_network_header(skb) + ihl * 4;
+				ports = (__be16 *)xprth;
 
 				fl4->fl4_sport = ports[!!reverse];
 				fl4->fl4_dport = ports[!reverse];
@@ -131,8 +140,12 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			break;
 
 		case IPPROTO_ICMP:
-			if (pskb_may_pull(skb, xprth + 2 - skb->data)) {
-				u8 *icmp = xprth;
+			if (xprth + 2 < skb->data ||
+			    pskb_may_pull(skb, xprth + 2 - skb->data)) {
+				u8 *icmp;
+
+				xprth = skb_network_header(skb) + ihl * 4;
+				icmp = xprth;
 
 				fl4->fl4_icmp_type = icmp[0];
 				fl4->fl4_icmp_code = icmp[1];
@@ -140,33 +153,50 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			break;
 
 		case IPPROTO_ESP:
-			if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
-				__be32 *ehdr = (__be32 *)xprth;
+			if (xprth + 4 < skb->data ||
+			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
+				__be32 *ehdr;
+
+				xprth = skb_network_header(skb) + ihl * 4;
+				ehdr = (__be32 *)xprth;
 
 				fl4->fl4_ipsec_spi = ehdr[0];
 			}
 			break;
 
 		case IPPROTO_AH:
-			if (pskb_may_pull(skb, xprth + 8 - skb->data)) {
-				__be32 *ah_hdr = (__be32 *)xprth;
+			if (xprth + 8 < skb->data ||
+			    pskb_may_pull(skb, xprth + 8 - skb->data)) {
+				__be32 *ah_hdr;
+
+				xprth = skb_network_header(skb) + ihl * 4;
+				ah_hdr = (__be32 *)xprth;
 
 				fl4->fl4_ipsec_spi = ah_hdr[1];
 			}
 			break;
 
 		case IPPROTO_COMP:
-			if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
-				__be16 *ipcomp_hdr = (__be16 *)xprth;
+			if (xprth + 4 < skb->data ||
+			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
+				__be16 *ipcomp_hdr;
+
+				xprth = skb_network_header(skb) + ihl * 4;
+				ipcomp_hdr = (__be16 *)xprth;
 
 				fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
 			}
 			break;
 
 		case IPPROTO_GRE:
-			if (pskb_may_pull(skb, xprth + 12 - skb->data)) {
-				__be16 *greflags = (__be16 *)xprth;
-				__be32 *gre_hdr = (__be32 *)xprth;
+			if (xprth + 12 < skb->data ||
+			    pskb_may_pull(skb, xprth + 12 - skb->data)) {
+				__be16 *greflags;
+				__be32 *gre_hdr;
+
+				xprth = skb_network_header(skb) + ihl * 4;
+				greflags = (__be16 *)xprth;
+				gre_hdr = (__be32 *)xprth;
 
 				if (greflags[0] & GRE_KEY) {
 					if (greflags[0] & GRE_CSUM)
@@ -181,10 +211,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			break;
 		}
 	}
-	fl4->flowi4_proto = iph->protocol;
-	fl4->daddr = reverse ? iph->saddr : iph->daddr;
-	fl4->saddr = reverse ? iph->daddr : iph->saddr;
-	fl4->flowi4_tos = iph->tos;
 }
 
 static inline int xfrm4_garbage_collect(struct dst_ops *ops)
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index f40ba684d69b..d8e8008aa7a4 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -94,16 +94,22 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label)
 	return fl;
 }
 
+static void fl_free_rcu(struct rcu_head *head)
+{
+	struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu);
+
+	if (fl->share == IPV6_FL_S_PROCESS)
+		put_pid(fl->owner.pid);
+	release_net(fl->fl_net);
+	kfree(fl->opt);
+	kfree(fl);
+}
+
 
 static void fl_free(struct ip6_flowlabel *fl)
 {
-	if (fl) {
-		if (fl->share == IPV6_FL_S_PROCESS)
-			put_pid(fl->owner.pid);
-		release_net(fl->fl_net);
-		kfree(fl->opt);
-		kfree_rcu(fl, rcu);
-	}
+	if (fl)
+		call_rcu(&fl->rcu, fl_free_rcu);
 }
 
 static void fl_release(struct ip6_flowlabel *fl)
@@ -630,9 +636,9 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
 				if (fl1->share == IPV6_FL_S_EXCL ||
 				    fl1->share != fl->share ||
 				    ((fl1->share == IPV6_FL_S_PROCESS) &&
-				     (fl1->owner.pid == fl->owner.pid)) ||
+				     (fl1->owner.pid != fl->owner.pid)) ||
 				    ((fl1->share == IPV6_FL_S_USER) &&
-				     uid_eq(fl1->owner.uid, fl->owner.uid)))
+				     !uid_eq(fl1->owner.uid, fl->owner.uid)))
 					goto release;
 
 				err = -ENOMEM;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index bb98cde51476..1e68db035daf 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -538,23 +538,6 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
 	skb_copy_secmark(to, from);
 }
 
-static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
-{
-	static u32 ip6_idents_hashrnd __read_mostly;
-	static u32 ip6_idents_hashrnd_extra __read_mostly;
-	u32 hash, id;
-
-	net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
-	net_get_random_once(&ip6_idents_hashrnd_extra, sizeof(ip6_idents_hashrnd_extra));
-
-	hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd);
-	hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash);
-	hash = jhash_1word(hash, ip6_idents_hashrnd_extra);
-
-	id = ip_idents_reserve(hash, 1);
-	fhdr->identification = htonl(id);
-}
-
 int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 {
 	struct sk_buff *frag;
@@ -649,7 +632,7 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 		skb_reset_network_header(skb);
 		memcpy(skb_network_header(skb), tmp_hdr, hlen);
 
-		ipv6_select_ident(fh, rt);
+		ipv6_select_ident(net, fh, rt);
 		fh->nexthdr = nexthdr;
 		fh->reserved = 0;
 		fh->frag_off = htons(IP6_MF);
@@ -802,7 +785,7 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 		fh->nexthdr = nexthdr;
 		fh->reserved = 0;
 		if (!frag_id) {
-			ipv6_select_ident(fh, rt);
+			ipv6_select_ident(net, fh, rt);
 			frag_id = fh->identification;
 		} else
 			fh->identification = frag_id;
@@ -1096,7 +1079,7 @@ static inline int ip6_ufo_append_data(struct sock *sk,
 	skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
 				     sizeof(struct frag_hdr)) & ~7;
 	skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
-	ipv6_select_ident(&fhdr, rt);
+	ipv6_select_ident(sock_net(sk), &fhdr, rt);
 	skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
 
 append:
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 42978998534c..5733b05558a5 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1662,6 +1662,10 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
 	struct net *net = sock_net(sk);
 	struct mr6_table *mrt;
 
+	if (sk->sk_type != SOCK_RAW ||
+	    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
+		return -EOPNOTSUPP;
+
 	mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
 	if (mrt == NULL)
 		return -ENOENT;
@@ -1673,9 +1677,6 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
 
 	switch (optname) {
 	case MRT6_INIT:
-		if (sk->sk_type != SOCK_RAW ||
-		    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
-			return -EOPNOTSUPP;
 		if (optlen < sizeof(int))
 			return -EINVAL;
 
@@ -1812,6 +1813,10 @@ int ip6_mroute_getsockopt(struct sock *sk, int optname, char __user *optval,
 	struct net *net = sock_net(sk);
 	struct mr6_table *mrt;
 
+	if (sk->sk_type != SOCK_RAW ||
+	    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
+		return -EOPNOTSUPP;
+
 	mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
 	if (mrt == NULL)
 		return -ENOENT;
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index e32c1ff35f78..a8274abad231 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -9,6 +9,36 @@
 #include <net/addrconf.h>
 #include <net/secure_seq.h>
 
+static u32 __ipv6_select_ident(struct net *net,
+			       struct in6_addr *dst, struct in6_addr *src)
+{
+	const struct {
+		struct in6_addr dst;
+		struct in6_addr src;
+	} __aligned(SIPHASH_ALIGNMENT) combined = {
+		.dst = *dst,
+		.src = *src,
+	};
+	u32 hash, id;
+
+	/* Note the following code is not safe, but this is okay. */
+	if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+		get_random_bytes(&net->ipv4.ip_id_key,
+				 sizeof(net->ipv4.ip_id_key));
+
+	hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
+
+	/* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+	 * set the hight order instead thus minimizing possible future
+	 * collisions.
+	 */
+	id = ip_idents_reserve(hash, 1);
+	if (unlikely(!id))
+		id = 1 << 31;
+
+	return id;
+}
+
 /* This function exists only for tap drivers that must support broken
  * clients requesting UFO without specifying an IPv6 fragment ID.
  *
@@ -17,12 +47,11 @@
  *
  * The network header must be set before calling this.
  */
-void ipv6_proxy_select_ident(struct sk_buff *skb)
+void ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
 {
-	static u32 ip6_proxy_idents_hashrnd __read_mostly;
 	struct in6_addr buf[2];
 	struct in6_addr *addrs;
-	u32 hash, id;
+	u32 id;
 
 	addrs = skb_header_pointer(skb,
 				   skb_network_offset(skb) +
@@ -31,17 +60,21 @@ void ipv6_proxy_select_ident(struct sk_buff *skb)
 	if (!addrs)
 		return;
 
-	net_get_random_once(&ip6_proxy_idents_hashrnd,
-			    sizeof(ip6_proxy_idents_hashrnd));
-
-	hash = __ipv6_addr_jhash(&addrs[1], ip6_proxy_idents_hashrnd);
-	hash = __ipv6_addr_jhash(&addrs[0], hash);
-
-	id = ip_idents_reserve(hash, 1);
+	id = __ipv6_select_ident(net, &addrs[1], &addrs[0]);
 	skb_shinfo(skb)->ip6_frag_id = htonl(id);
 }
 EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
 
+void ipv6_select_ident(struct net *net, struct frag_hdr *fhdr,
+		       struct rt6_info *rt)
+{
+	u32 id;
+
+	id = __ipv6_select_ident(net, &rt->rt6i_dst.addr, &rt->rt6i_src.addr);
+	fhdr->identification = htonl(id);
+}
+EXPORT_SYMBOL(ipv6_select_ident);
+
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 {
 	unsigned int offset = sizeof(struct ipv6hdr);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 70a0f92cbbc0..4370371e0aa6 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1183,11 +1183,11 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 		newnp->ipv6_fl_list = NULL;
 		newnp->pktoptions  = NULL;
 		newnp->opt	   = NULL;
-		newnp->mcast_oif   = inet6_iif(skb);
-		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
-		newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
+		newnp->mcast_oif   = inet_iif(skb);
+		newnp->mcast_hops  = ip_hdr(skb)->ttl;
+		newnp->rcv_flowinfo = 0;
 		if (np->repflow)
-			newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
+			newnp->flow_label = 0;
 
 		/*
 		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index fa9ea1a72f99..28d02353743f 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -75,6 +75,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
 
 		skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
 
+		/* Set the IPv6 fragment id if not set yet */
+		if (!skb_shinfo(skb)->ip6_frag_id)
+			ipv6_proxy_select_ident(dev_net(skb->dev), skb);
+
 		segs = NULL;
 		goto out;
 	}
@@ -120,6 +124,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
 		fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
 		fptr->nexthdr = nexthdr;
 		fptr->reserved = 0;
+		if (!skb_shinfo(skb)->ip6_frag_id)
+			ipv6_proxy_select_ident(dev_net(skb->dev), skb);
 		fptr->identification = skb_shinfo(skb)->ip6_frag_id;
 
 		/* Fragment the skb. ipv6 header and the remaining fields of the
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 1c66465a42dd..f1491b0004cd 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -390,6 +390,10 @@ static void __exit xfrm6_tunnel_fini(void)
 	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
 	unregister_pernet_subsys(&xfrm6_tunnel_net_ops);
+	/* Someone maybe has gotten the xfrm6_tunnel_spi.
+	 * So need to wait it.
+	 */
+	rcu_barrier();
 	kmem_cache_destroy(xfrm6_tunnel_spi_kmem);
 }
 
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 661252aeb7e0..c8b5c8c355b4 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -217,8 +217,8 @@ struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
 
 	rcu_read_lock_bh();
 	list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
-		if (tunnel->tunnel_id == tunnel_id) {
-			l2tp_tunnel_inc_refcount(tunnel);
+		if (tunnel->tunnel_id == tunnel_id &&
+		    atomic_inc_not_zero(&tunnel->ref_count)) {
 			rcu_read_unlock_bh();
 
 			return tunnel;
@@ -238,8 +238,8 @@ struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
 
 	rcu_read_lock_bh();
 	list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
-		if (++count > nth) {
-			l2tp_tunnel_inc_refcount(tunnel);
+		if (++count > nth &&
+		    atomic_inc_not_zero(&tunnel->ref_count)) {
 			rcu_read_unlock_bh();
 			return tunnel;
 		}
@@ -997,7 +997,7 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 {
 	struct l2tp_tunnel *tunnel;
 
-	tunnel = l2tp_tunnel(sk);
+	tunnel = rcu_dereference_sk_user_data(sk);
 	if (tunnel == NULL)
 		goto pass_up;
 
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 1ab5e1a51c98..607d8fdd5e68 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -735,7 +735,7 @@ void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata)
 
 	dir = sdata->vif.debugfs_dir;
 
-	if (!dir)
+	if (IS_ERR_OR_NULL(dir))
 		return;
 
 	sprintf(buf, "netdev:%s", sdata->name);
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 7abd786d9d89..44fa945ed6b4 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -813,7 +813,8 @@ int
 ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 		  struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
 {
-	struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
+	struct net *net = skb_net(skb);
+	struct netns_ipvs *ipvs = net_ipvs(net);
 	struct rtable *rt;			/* Route to the other host */
 	__be32 saddr;				/* Source for tunnel */
 	struct net_device *tdev;		/* Device to other host */
@@ -882,7 +883,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 	iph->daddr		=	cp->daddr.ip;
 	iph->saddr		=	saddr;
 	iph->ttl		=	old_iph->ttl;
-	ip_select_ident(skb, NULL);
+	ip_select_ident(net, skb, NULL);
 
 	/* Another hack: avoid icmp_send in ip_fragment */
 	skb->ignore_df = 1;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index cdd47388723b..170681b21d25 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -23,6 +23,7 @@
 #include <linux/slab.h>
 #include <linux/random.h>
 #include <linux/jhash.h>
+#include <linux/siphash.h>
 #include <linux/err.h>
 #include <linux/percpu.h>
 #include <linux/moduleparam.h>
@@ -52,6 +53,7 @@
 #include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_helper.h>
+#include <net/netns/hash.h>
 
 #define NF_CONNTRACK_VERSION	"0.5.0"
 
@@ -232,6 +234,40 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
 }
 EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
 
+/* Generate a almost-unique pseudo-id for a given conntrack.
+ *
+ * intentionally doesn't re-use any of the seeds used for hash
+ * table location, we assume id gets exposed to userspace.
+ *
+ * Following nf_conn items do not change throughout lifetime
+ * of the nf_conn after it has been committed to main hash table:
+ *
+ * 1. nf_conn address
+ * 2. nf_conn->ext address
+ * 3. nf_conn->master address (normally NULL)
+ * 4. tuple
+ * 5. the associated net namespace
+ */
+u32 nf_ct_get_id(const struct nf_conn *ct)
+{
+	static __read_mostly siphash_key_t ct_id_seed;
+	unsigned long a, b, c, d;
+
+	net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
+
+	a = (unsigned long)ct;
+	b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
+	c = (unsigned long)ct->ext;
+	d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
+				   &ct_id_seed);
+#ifdef CONFIG_64BIT
+	return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
+#else
+	return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &ct_id_seed);
+#endif
+}
+EXPORT_SYMBOL_GPL(nf_ct_get_id);
+
 static void
 clean_from_lists(struct nf_conn *ct)
 {
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index faa736bae869..b9bf8b0f4ec1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -29,6 +29,7 @@
 #include <linux/spinlock.h>
 #include <linux/interrupt.h>
 #include <linux/slab.h>
+#include <linux/siphash.h>
 
 #include <linux/netfilter.h>
 #include <net/netlink.h>
@@ -435,7 +436,9 @@ ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
 static inline int
 ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
 {
-	if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
+	__be32 id = (__force __be32)nf_ct_get_id(ct);
+
+	if (nla_put_be32(skb, CTA_ID, id))
 		goto nla_put_failure;
 	return 0;
 
@@ -1047,8 +1050,9 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
 	ct = nf_ct_tuplehash_to_ctrack(h);
 
 	if (cda[CTA_ID]) {
-		u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
-		if (id != (u32)(unsigned long)ct) {
+		__be32 id = nla_get_be32(cda[CTA_ID]);
+
+		if (id != (__force __be32)nf_ct_get_id(ct)) {
 			nf_ct_put(ct);
 			return -ENOENT;
 		}
@@ -2321,6 +2325,25 @@ ctnetlink_exp_dump_mask(struct sk_buff *skb,
 
 static const union nf_inet_addr any_addr;
 
+static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
+{
+	static __read_mostly siphash_key_t exp_id_seed;
+	unsigned long a, b, c, d;
+
+	net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
+
+	a = (unsigned long)exp;
+	b = (unsigned long)exp->helper;
+	c = (unsigned long)exp->master;
+	d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
+
+#ifdef CONFIG_64BIT
+	return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
+#else
+	return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
+#endif
+}
+
 static int
 ctnetlink_exp_dump_expect(struct sk_buff *skb,
 			  const struct nf_conntrack_expect *exp)
@@ -2368,7 +2391,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,
 	}
 #endif
 	if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
-	    nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
+	    nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
 	    nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
 	    nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
 		goto nla_put_failure;
@@ -2664,7 +2687,8 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
 
 	if (cda[CTA_EXPECT_ID]) {
 		__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
-		if (ntohl(id) != (u32)(unsigned long)exp) {
+
+		if (id != nf_expect_get_id(exp)) {
 			nf_ct_expect_put(exp);
 			return -ENOENT;
 		}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 20a844788443..0777d98d3dec 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2278,8 +2278,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 	void *ph;
 	DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name);
 	bool need_wait = !(msg->msg_flags & MSG_DONTWAIT);
+	unsigned char *addr = NULL;
 	int tp_len, size_max;
-	unsigned char *addr;
 	int len_sum = 0;
 	int status = TP_STATUS_AVAILABLE;
 	int hlen, tlen;
@@ -2289,7 +2289,6 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 	if (likely(saddr == NULL)) {
 		dev	= packet_cached_dev_get(po);
 		proto	= po->num;
-		addr	= NULL;
 	} else {
 		err = -EINVAL;
 		if (msg->msg_namelen < sizeof(struct sockaddr_ll))
@@ -2299,10 +2298,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 						sll_addr)))
 			goto out;
 		proto	= saddr->sll_protocol;
-		addr	= saddr->sll_halen ? saddr->sll_addr : NULL;
 		dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
-		if (addr && dev && saddr->sll_halen < dev->addr_len)
-			goto out_put;
+		if (po->sk.sk_socket->type == SOCK_DGRAM) {
+			if (dev && msg->msg_namelen < dev->addr_len +
+				   offsetof(struct sockaddr_ll, sll_addr))
+				goto out_put;
+			addr = saddr->sll_addr;
+		}
 	}
 
 	err = -ENXIO;
@@ -2435,7 +2437,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
 	struct sk_buff *skb;
 	struct net_device *dev;
 	__be16 proto;
-	unsigned char *addr;
+	unsigned char *addr = NULL;
 	int err, reserve = 0;
 	struct virtio_net_hdr vnet_hdr = { 0 };
 	int offset = 0;
@@ -2453,7 +2455,6 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
 	if (likely(saddr == NULL)) {
 		dev	= packet_cached_dev_get(po);
 		proto	= po->num;
-		addr	= NULL;
 	} else {
 		err = -EINVAL;
 		if (msg->msg_namelen < sizeof(struct sockaddr_ll))
@@ -2461,10 +2462,13 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
 		if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
 			goto out;
 		proto	= saddr->sll_protocol;
-		addr	= saddr->sll_halen ? saddr->sll_addr : NULL;
 		dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
-		if (addr && dev && saddr->sll_halen < dev->addr_len)
-			goto out_unlock;
+		if (sock->type == SOCK_DGRAM) {
+			if (dev && msg->msg_namelen < dev->addr_len +
+				   offsetof(struct sockaddr_ll, sll_addr))
+				goto out_unlock;
+			addr = saddr->sll_addr;
+		}
 	}
 
 	err = -ENXIO;
@@ -3027,19 +3031,28 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
 	sock_recv_ts_and_drops(msg, sk, skb);
 
 	if (msg->msg_name) {
+		int copy_len;
+
 		/* If the address length field is there to be filled
 		 * in, we fill it in now.
 		 */
 		if (sock->type == SOCK_PACKET) {
 			__sockaddr_check_size(sizeof(struct sockaddr_pkt));
 			msg->msg_namelen = sizeof(struct sockaddr_pkt);
+			copy_len = msg->msg_namelen;
 		} else {
 			struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll;
 			msg->msg_namelen = sll->sll_halen +
 				offsetof(struct sockaddr_ll, sll_addr);
+			copy_len = msg->msg_namelen;
+			if (msg->msg_namelen < sizeof(struct sockaddr_ll)) {
+				memset(msg->msg_name +
+				       offsetof(struct sockaddr_ll, sll_addr),
+				       0, sizeof(sll->sll_addr));
+				msg->msg_namelen = sizeof(struct sockaddr_ll);
+			}
 		}
-		memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa,
-		       msg->msg_namelen);
+		memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
 	}
 
 	if (pkt_sk(sk)->auxdata) {
diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index 344456206b70..d5199b25b821 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -16,15 +16,19 @@
 #include <linux/init.h>
 
 static struct sk_buff_head loopback_queue;
+#define ROSE_LOOPBACK_LIMIT 1000
 static struct timer_list loopback_timer;
 
 static void rose_set_loopback_timer(void);
+static void rose_loopback_timer(unsigned long);
 
 void rose_loopback_init(void)
 {
 	skb_queue_head_init(&loopback_queue);
 
 	init_timer(&loopback_timer);
+	loopback_timer.data     = 0;
+	loopback_timer.function = &rose_loopback_timer;
 }
 
 static int rose_loopback_running(void)
@@ -34,33 +38,27 @@ static int rose_loopback_running(void)
 
 int rose_loopback_queue(struct sk_buff *skb, struct rose_neigh *neigh)
 {
-	struct sk_buff *skbn;
-
-	skbn = skb_clone(skb, GFP_ATOMIC);
+	struct sk_buff *skbn = NULL;
 
-	kfree_skb(skb);
+	if (skb_queue_len(&loopback_queue) < ROSE_LOOPBACK_LIMIT)
+		skbn = skb_clone(skb, GFP_ATOMIC);
 
-	if (skbn != NULL) {
+	if (skbn) {
+		consume_skb(skb);
 		skb_queue_tail(&loopback_queue, skbn);
 
 		if (!rose_loopback_running())
 			rose_set_loopback_timer();
+	} else {
+		kfree_skb(skb);
 	}
 
 	return 1;
 }
 
-static void rose_loopback_timer(unsigned long);
-
 static void rose_set_loopback_timer(void)
 {
-	del_timer(&loopback_timer);
-
-	loopback_timer.data     = 0;
-	loopback_timer.function = &rose_loopback_timer;
-	loopback_timer.expires  = jiffies + 10;
-
-	add_timer(&loopback_timer);
+	mod_timer(&loopback_timer, jiffies + 10);
 }
 
 static void rose_loopback_timer(unsigned long param)
@@ -71,8 +69,12 @@ static void rose_loopback_timer(unsigned long param)
 	struct sock *sk;
 	unsigned short frametype;
 	unsigned int lci_i, lci_o;
+	int count;
 
-	while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
+	for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) {
+		skb = skb_dequeue(&loopback_queue);
+		if (!skb)
+			return;
 		if (skb->len < ROSE_MIN_LEN) {
 			kfree_skb(skb);
 			continue;
@@ -109,6 +111,8 @@ static void rose_loopback_timer(unsigned long param)
 			kfree_skb(skb);
 		}
 	}
+	if (!skb_queue_empty(&loopback_queue))
+		mod_timer(&loopback_timer, jiffies + 1);
 }
 
 void __exit rose_loopback_clear(void)
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index cdfa7f4c0a59..4a5598a42cd6 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -50,6 +50,7 @@ static void cache_init(struct cache_head *h)
 	h->last_refresh = now;
 }
 
+static inline int cache_is_valid(struct cache_head *h);
 static void cache_fresh_locked(struct cache_head *head, time_t expiry);
 static void cache_fresh_unlocked(struct cache_head *head,
 				struct cache_detail *detail);
@@ -98,6 +99,8 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
 				*hp = tmp->next;
 				tmp->next = NULL;
 				detail->entries --;
+				if (cache_is_valid(tmp) == -EAGAIN)
+					set_bit(CACHE_NEGATIVE, &tmp->flags);
 				cache_fresh_locked(tmp, 0);
 				freeme = tmp;
 				break;
diff --git a/net/tipc/sysctl.c b/net/tipc/sysctl.c
index f3fef93325a8..a4125b069833 100644
--- a/net/tipc/sysctl.c
+++ b/net/tipc/sysctl.c
@@ -37,6 +37,7 @@
 
 #include <linux/sysctl.h>
 
+static int one = 1;
 static struct ctl_table_header *tipc_ctl_hdr;
 
 static struct ctl_table tipc_table[] = {
@@ -45,7 +46,8 @@ static struct ctl_table tipc_table[] = {
 		.data		= &sysctl_tipc_rmem,
 		.maxlen		= sizeof(sysctl_tipc_rmem),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1         = &one,
 	},
 	{}
 };
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 62fbbdc58566..b0f84a040f32 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1255,7 +1255,7 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
 	ret = verify_policy_dir(p->dir);
 	if (ret)
 		return ret;
-	if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir))
+	if (p->index && (xfrm_policy_id2dir(p->index) != p->dir))
 		return -EINVAL;
 
 	return 0;
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index d9d69e6930ed..8fee5f7be4f1 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -568,7 +568,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root,
 		    devcg->behavior == DEVCG_DEFAULT_ALLOW) {
 			rc = dev_exception_add(devcg, ex);
 			if (rc)
-				break;
+				return rc;
 		} else {
 			/*
 			 * in the other possible cases:
diff --git a/sound/core/init.c b/sound/core/init.c
index 7bdfd19e24a8..e0d04b91d561 100644
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -389,14 +389,7 @@ int snd_card_disconnect(struct snd_card *card)
 	card->shutdown = 1;
 	spin_unlock(&card->files_lock);
 
-	/* phase 1: disable fops (user space) operations for ALSA API */
-	mutex_lock(&snd_card_mutex);
-	snd_cards[card->number] = NULL;
-	clear_bit(card->number, snd_cards_lock);
-	mutex_unlock(&snd_card_mutex);
-	
-	/* phase 2: replace file->f_op with special dummy operations */
-	
+	/* replace file->f_op with special dummy operations */
 	spin_lock(&card->files_lock);
 	list_for_each_entry(mfile, &card->files_list, list) {
 		/* it's critical part, use endless loop */
@@ -412,7 +405,7 @@ int snd_card_disconnect(struct snd_card *card)
 	}
 	spin_unlock(&card->files_lock);	
 
-	/* phase 3: notify all connected devices about disconnection */
+	/* notify all connected devices about disconnection */
 	/* at this point, they cannot respond to any calls except release() */
 
 #if IS_ENABLED(CONFIG_SND_MIXER_OSS)
@@ -430,6 +423,13 @@ int snd_card_disconnect(struct snd_card *card)
 		device_del(&card->card_dev);
 		card->registered = false;
 	}
+
+	/* disable fops (user space) operations for ALSA API */
+	mutex_lock(&snd_card_mutex);
+	snd_cards[card->number] = NULL;
+	clear_bit(card->number, snd_cards_lock);
+	mutex_unlock(&snd_card_mutex);
+
 #ifdef CONFIG_PM
 	wake_up(&card->power_sleep);
 #endif
diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
index 41bae2baea71..f853b62befa1 100644
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -951,6 +951,28 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
 	oss_frame_size = snd_pcm_format_physical_width(params_format(params)) *
 			 params_channels(params) / 8;
 
+	err = snd_pcm_oss_period_size(substream, params, sparams);
+	if (err < 0)
+		goto failure;
+
+	n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
+	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
+	if (err < 0)
+		goto failure;
+
+	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
+				     runtime->oss.periods, NULL);
+	if (err < 0)
+		goto failure;
+
+	snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
+
+	err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams);
+	if (err < 0) {
+		pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
+		goto failure;
+	}
+
 #ifdef CONFIG_SND_PCM_OSS_PLUGINS
 	snd_pcm_oss_plugin_clear(substream);
 	if (!direct) {
@@ -985,27 +1007,6 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
 	}
 #endif
 
-	err = snd_pcm_oss_period_size(substream, params, sparams);
-	if (err < 0)
-		goto failure;
-
-	n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
-	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
-	if (err < 0)
-		goto failure;
-
-	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
-				     runtime->oss.periods, NULL);
-	if (err < 0)
-		goto failure;
-
-	snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
-
-	if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) {
-		pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
-		goto failure;
-	}
-
 	memset(sw_params, 0, sizeof(*sw_params));
 	if (runtime->oss.trigger) {
 		sw_params->start_threshold = 1;
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 7c407ab2d82a..a0ee065a9f8c 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1063,8 +1063,15 @@ static int snd_pcm_pause(struct snd_pcm_substream *substream, int push)
 static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state)
 {
 	struct snd_pcm_runtime *runtime = substream->runtime;
-	if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED)
+	switch (runtime->status->state) {
+	case SNDRV_PCM_STATE_SUSPENDED:
 		return -EBUSY;
+	/* unresumable PCM state; return -EBUSY for skipping suspend */
+	case SNDRV_PCM_STATE_OPEN:
+	case SNDRV_PCM_STATE_SETUP:
+	case SNDRV_PCM_STATE_DISCONNECTED:
+		return -EBUSY;
+	}
 	runtime->trigger_master = substream;
 	return 0;
 }
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 2bd5b8524181..09e05c0b59a1 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -29,6 +29,7 @@
 #include <linux/mutex.h>
 #include <linux/module.h>
 #include <linux/delay.h>
+#include <linux/nospec.h>
 #include <sound/rawmidi.h>
 #include <sound/info.h>
 #include <sound/control.h>
@@ -601,6 +602,7 @@ static int __snd_rawmidi_info_select(struct snd_card *card,
 		return -ENXIO;
 	if (info->stream < 0 || info->stream > 1)
 		return -EINVAL;
+	info->stream = array_index_nospec(info->stream, 2);
 	pstr = &rmidi->streams[info->stream];
 	if (pstr->substream_count == 0)
 		return -ENOENT;
diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
index 8bf5335d953b..6ab2de7695d8 100644
--- a/sound/core/seq/oss/seq_oss_synth.c
+++ b/sound/core/seq/oss/seq_oss_synth.c
@@ -617,13 +617,14 @@ int
 snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
 {
 	struct seq_oss_synth *rec;
+	struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
 
-	if (dev < 0 || dev >= dp->max_synthdev)
+	if (!info)
 		return -ENXIO;
 
-	if (dp->synths[dev].is_midi) {
+	if (info->is_midi) {
 		struct midi_info minf;
-		snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
+		snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf);
 		inf->synth_type = SYNTH_TYPE_MIDI;
 		inf->synth_subtype = 0;
 		inf->nr_voices = 16;
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 60fb2c708d75..f6396e012a0f 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info(struct snd_seq_client *client,
 
 	/* fill the info fields */
 	if (client_info.name[0])
-		strlcpy(client->name, client_info.name, sizeof(client->name));
+		strscpy(client->name, client_info.name, sizeof(client->name));
 
 	client->filter = client_info.filter;
 	client->event_lost = client_info.event_lost;
@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(struct snd_seq_client *client,
 	/* set queue name */
 	if (! info.name[0])
 		snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue);
-	strlcpy(q->name, info.name, sizeof(q->name));
+	strscpy(q->name, info.name, sizeof(q->name));
 	queuefree(q);
 
 	if (copy_to_user(arg, &info, sizeof(info)))
@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info(struct snd_seq_client *client,
 		queuefree(q);
 		return -EPERM;
 	}
-	strlcpy(q->name, info.name, sizeof(q->name));
+	strscpy(q->name, info.name, sizeof(q->name));
 	queuefree(q);
 
 	return 0;
diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
index 95b2df232d71..383aaaebad6c 100644
--- a/tools/lib/traceevent/event-parse.c
+++ b/tools/lib/traceevent/event-parse.c
@@ -2065,7 +2065,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer)
 		return val & 0xffffffff;
 
 	if (strcmp(type, "u64") == 0 ||
-	    strcmp(type, "s64"))
+	    strcmp(type, "s64") == 0)
 		return val;
 
 	if (strcmp(type, "s8") == 0)
diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c
index c81bd9a31db7..fd3a453a21cf 100644
--- a/tools/perf/tests/evsel-tp-sched.c
+++ b/tools/perf/tests/evsel-tp-sched.c
@@ -77,5 +77,6 @@ int test__perf_evsel__tp_sched_test(void)
 	if (perf_evsel__test_field(evsel, "target_cpu", 4, true))
 		ret = -1;
 
+	perf_evsel__delete(evsel);
 	return ret;
 }
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index ad0c85a63c80..cc0b4c5f5c72 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2240,6 +2240,9 @@ static long kvm_device_ioctl(struct file *filp, unsigned int ioctl,
 {
 	struct kvm_device *dev = filp->private_data;
 
+	if (dev->kvm->mm != current->mm)
+		return -EIO;
+
 	switch (ioctl) {
 	case KVM_SET_DEVICE_ATTR:
 		return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg);


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Linux 3.16.72
  2019-08-13 13:35 Linux 3.16.72 Ben Hutchings
@ 2019-08-13 14:49 ` Bhaskar Chowdhury
  0 siblings, 0 replies; 2+ messages in thread
From: Bhaskar Chowdhury @ 2019-08-13 14:49 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, Andrew Morton, torvalds, Jiri Slaby, stable, lwn

[-- Attachment #1: Type: text/plain, Size: 235269 bytes --]


Thanks, a bunch Ben :)


On 14:35 Tue 13 Aug 2019, Ben Hutchings wrote:
>I'm announcing the release of the 3.16.72 kernel.
>
>All users of the 3.16 kernel series should upgrade.
>
>The updated 3.16.y git tree can be found at:
>        https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-3.16.y
>and can be browsed at the normal kernel.org git web browser:
>        https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git
>
>The diff from 3.16.71 is attached to this message.
>
>Ben.
>
>------------
>
> Documentation/kernel-parameters.txt              |   5 +
> Documentation/siphash.txt                        | 100 ++++++++++
> Documentation/usb/power-management.txt           |  14 +-
> Documentation/virtual/kvm/api.txt                |  16 +-
> MAINTAINERS                                      |   7 +
> Makefile                                         |   2 +-
> arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi     |   1 +
> arch/arm/mach-imx/cpuidle-imx6q.c                |  27 +--
> arch/mips/kernel/scall64-o32.S                   |   2 +-
> arch/powerpc/include/asm/vdso_datapage.h         |   8 +-
> arch/powerpc/kernel/signal_32.c                  |   3 +
> arch/powerpc/kernel/signal_64.c                  |   5 +
> arch/powerpc/kernel/vdso32/gettimeofday.S        |   2 +-
> arch/powerpc/kernel/vdso64/gettimeofday.S        |   2 +-
> arch/x86/include/asm/calling.h                   |  18 ++
> arch/x86/include/asm/cpufeatures.h               |  41 ++--
> arch/x86/include/asm/kvm_host.h                  |  13 +-
> arch/x86/include/asm/xen/hypercall.h             |   3 +
> arch/x86/kernel/cpu/bugs.c                       | 105 +++++++++-
> arch/x86/kernel/cpu/common.c                     |  42 ++--
> arch/x86/kernel/entry_64.S                       |  73 +++++--
> arch/x86/kernel/kprobes/core.c                   |  48 ++++-
> arch/x86/kernel/process.c                        |   8 +-
> arch/x86/kvm/cpuid.c                             |   5 +
> arch/x86/kvm/mmu.c                               |  13 +-
> arch/x86/kvm/mmu.h                               |   2 +-
> arch/x86/kvm/vmx.c                               |  15 --
> arch/x86/kvm/x86.c                               |  18 +-
> arch/xtensa/kernel/stacktrace.c                  |   6 +-
> block/bio.c                                      |   5 +-
> drivers/acpi/acpica/nsobject.c                   |   4 +
> drivers/block/floppy.c                           |  32 +++-
> drivers/block/xsysace.c                          |   2 +
> drivers/bluetooth/hci_ath.c                      |   3 +
> drivers/bluetooth/hci_ldisc.c                    |   9 +
> drivers/bluetooth/hci_uart.h                     |   1 +
> drivers/gpio/gpio-adnp.c                         |   6 +-
> drivers/iio/adc/ad_sigma_delta.c                 |   1 +
> drivers/iio/adc/at91_adc.c                       |  28 +--
> drivers/iio/dac/mcp4725.c                        |   1 +
> drivers/iio/industrialio-buffer.c                |   6 +-
> drivers/iio/industrialio-core.c                  |   4 +-
> drivers/infiniband/hw/mlx4/alias_GUID.c          |   2 +-
> drivers/input/tablet/gtco.c                      |  20 +-
> drivers/iommu/amd_iommu_init.c                   |   2 +-
> drivers/iommu/intel-iommu.c                      |   3 +
> drivers/md/dm-table.c                            |  39 ++++
> drivers/md/dm.c                                  |  31 ++-
> drivers/media/usb/tlg2300/pd-common.h            |   2 +-
> drivers/mtd/chips/cfi_cmdset_0002.c              |   6 +-
> drivers/net/ethernet/3com/3c515.c                |   2 +-
> drivers/net/ethernet/8390/mac8390.c              |  37 ++--
> drivers/net/ethernet/neterion/vxge/vxge-config.c |   1 +
> drivers/net/macvtap.c                            |   3 -
> drivers/net/phy/phy_device.c                     |   5 +-
> drivers/net/ppp/pptp.c                           |   2 +-
> drivers/net/slip/slhc.c                          |   2 +-
> drivers/net/team/team.c                          |   6 +
> drivers/net/tun.c                                |   6 +-
> drivers/net/wireless/rt2x00/rt2x00.h             |   1 -
> drivers/net/wireless/rt2x00/rt2x00mac.c          |  10 -
> drivers/net/wireless/rt2x00/rt2x00queue.c        |  15 +-
> drivers/pci/quirks.c                             |   2 +
> drivers/s390/scsi/zfcp_erp.c                     |  17 ++
> drivers/s390/scsi/zfcp_ext.h                     |   2 +
> drivers/s390/scsi/zfcp_scsi.c                    |   4 +
> drivers/scsi/libsas/sas_expander.c               |   9 +-
> drivers/staging/comedi/drivers/vmk80xx.c         |   8 +-
> drivers/staging/iio/meter/ade7854.c              |   2 +-
> drivers/staging/rtl8712/rtl8712_cmd.c            |  10 +-
> drivers/staging/rtl8712/rtl8712_cmd.h            |   2 +-
> drivers/staging/speakup/speakup_soft.c           |  12 +-
> drivers/staging/speakup/spk_priv.h               |   1 +
> drivers/staging/speakup/synth.c                  |   6 +
> drivers/staging/usbip/stub_rx.c                  |  12 +-
> drivers/staging/usbip/usbip_common.h             |   7 +
> drivers/tty/serial/atmel_serial.c                |   4 +
> drivers/tty/serial/max310x.c                     |   2 +
> drivers/tty/serial/mxs-auart.c                   |   4 +
> drivers/tty/serial/sh-sci.c                      |  12 +-
> drivers/usb/core/driver.c                        |  13 --
> drivers/usb/core/message.c                       |   4 +-
> drivers/usb/host/xhci-hub.c                      |  19 +-
> drivers/usb/host/xhci.h                          |   8 +
> drivers/usb/misc/yurex.c                         |   1 +
> drivers/usb/serial/cp210x.c                      |   1 +
> drivers/usb/serial/ftdi_sio.c                    |   2 +
> drivers/usb/serial/ftdi_sio_ids.h                |   4 +-
> drivers/usb/serial/mos7720.c                     |   4 +-
> drivers/usb/storage/realtek_cr.c                 |  13 +-
> drivers/vhost/net.c                              |  31 +--
> drivers/vhost/scsi.c                             |  15 +-
> drivers/vhost/vhost.c                            |  20 +-
> drivers/vhost/vhost.h                            |   6 +-
> drivers/w1/masters/ds2490.c                      |   6 +-
> drivers/xen/balloon.c                            |  16 +-
> fs/afs/fsclient.c                                |   6 +-
> fs/btrfs/compression.c                           |  18 ++
> fs/btrfs/compression.h                           |   1 +
> fs/btrfs/props.c                                 |   5 +-
> fs/ceph/dir.c                                    |   6 +-
> fs/cifs/cifsglob.h                               |   2 +
> fs/cifs/file.c                                   |  30 ++-
> fs/cifs/inode.c                                  |   4 +
> fs/cifs/misc.c                                   |  25 ++-
> fs/cifs/smb2misc.c                               |   6 +-
> fs/cifs/smb2ops.c                                |   2 +
> fs/ext4/file.c                                   |   2 +-
> fs/ext4/resize.c                                 |  11 +-
> fs/lockd/host.c                                  |   3 +-
> fs/proc/meminfo.c                                |  34 +---
> fs/proc/proc_sysctl.c                            |   7 +-
> fs/udf/truncate.c                                |   3 +
> fs/ufs/util.h                                    |   2 +-
> include/linux/kprobes.h                          |   1 +
> include/linux/lockdep.h                          |  15 ++
> include/linux/mm.h                               |   1 +
> include/linux/siphash.h                          |  90 +++++++++
> include/linux/string.h                           |   3 +
> include/linux/usb.h                              |   2 -
> include/net/ip.h                                 |  12 +-
> include/net/ipv6.h                               |   4 +-
> include/net/netfilter/nf_conntrack.h             |   2 +
> include/net/netns/ipv4.h                         |   2 +
> include/net/sctp/checksum.h                      |   2 +-
> kernel/events/core.c                             |   2 +
> kernel/futex.c                                   |   4 +
> kernel/sched/fair.c                              |  35 +++-
> kernel/trace/ftrace.c                            |   5 +-
> kernel/trace/ring_buffer.c                       |   2 +-
> lib/Kconfig.debug                                |  10 +
> lib/Makefile                                     |   3 +-
> lib/siphash.c                                    | 232 +++++++++++++++++++++++
> lib/string.c                                     |  20 ++
> lib/test_siphash.c                               | 131 +++++++++++++
> mm/page_alloc.c                                  |  43 +++++
> mm/vmstat.c                                      |   5 -
> net/batman-adv/bridge_loop_avoidance.c           |  16 +-
> net/batman-adv/translation-table.c               |  32 +++-
> net/bridge/br_multicast.c                        |   4 +-
> net/bridge/br_netfilter.c                        |   3 +
> net/bridge/netfilter/ebtables.c                  |   3 +-
> net/core/net-sysfs.c                             |   6 +-
> net/dccp/feat.c                                  |   7 +-
> net/dccp/ipv6.c                                  |   4 +-
> net/ipv4/igmp.c                                  |   4 +-
> net/ipv4/ip_output.c                             |   7 +-
> net/ipv4/ip_tunnel_core.c                        |   3 +-
> net/ipv4/ipmr.c                                  |   7 +-
> net/ipv4/raw.c                                   |   2 +-
> net/ipv4/route.c                                 |  16 +-
> net/ipv4/xfrm4_mode_tunnel.c                     |   2 +-
> net/ipv4/xfrm4_policy.c                          |  60 ++++--
> net/ipv6/ip6_flowlabel.c                         |  24 ++-
> net/ipv6/ip6_output.c                            |  23 +--
> net/ipv6/ip6mr.c                                 |  11 +-
> net/ipv6/output_core.c                           |  53 +++++-
> net/ipv6/tcp_ipv6.c                              |   8 +-
> net/ipv6/udp_offload.c                           |   6 +
> net/ipv6/xfrm6_tunnel.c                          |   4 +
> net/l2tp/l2tp_core.c                             |  10 +-
> net/mac80211/debugfs_netdev.c                    |   2 +-
> net/netfilter/ipvs/ip_vs_xmit.c                  |   5 +-
> net/netfilter/nf_conntrack_core.c                |  36 ++++
> net/netfilter/nf_conntrack_netlink.c             |  34 +++-
> net/packet/af_packet.c                           |  37 ++--
> net/rose/rose_loopback.c                         |  34 ++--
> net/sunrpc/cache.c                               |   3 +
> net/tipc/sysctl.c                                |   4 +-
> net/xfrm/xfrm_user.c                             |   2 +-
> security/device_cgroup.c                         |   2 +-
> sound/core/init.c                                |  18 +-
> sound/core/oss/pcm_oss.c                         |  43 +++--
> sound/core/pcm_native.c                          |   9 +-
> sound/core/rawmidi.c                             |   2 +
> sound/core/seq/oss/seq_oss_synth.c               |   7 +-
> sound/core/seq/seq_clientmgr.c                   |   6 +-
> tools/lib/traceevent/event-parse.c               |   2 +-
> tools/perf/tests/evsel-tp-sched.c                |   1 +
> virt/kvm/kvm_main.c                              |   3 +
> 180 files changed, 1973 insertions(+), 565 deletions(-)
>
>Aditya Pakki (1):
>      serial: max310x: Fix to avoid potential NULL pointer dereference
>
>Al Viro (1):
>      ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
>
>Alan Stern (4):
>      USB: core: Fix unterminated string returned by usb_string()
>      USB: core: Fix bug caused by duplicate interface PM usage counter
>      USB: yurex: Fix protection fault after device removal
>      USB: w1 ds2490: Fix bug caused by improper use of altsetting array
>
>Anand Jain (1):
>      btrfs: prop: fix vanished compression property after failed set
>
>Andre Przywara (1):
>      PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller
>
>Andy Lutomirski (2):
>      x86/asm/entry/64: Disentangle error_entry/exit gsbase/ebx/usermode code
>      x86/entry/64: Really create an error-entry-from-usermode code path
>
>Arnd Bergmann (1):
>      3c515: fix integer overflow warning
>
>Aurelien Aptel (1):
>      CIFS: keep FileInfo handle live during oplock break
>
>Aurelien Jarno (1):
>      MIPS: scall64-o32: Fix indirect syscall number load
>
>Axel Lin (1):
>      gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input
>
>Ben Gardon (1):
>      kvm: mmu: Fix overflow on kvm mmu page limit calculation
>
>Ben Hutchings (3):
>      x86: cpufeatures: Renumber feature word 7
>      Revert "inet: update the IP ID generation algorithm to higher standards."
>      Linux 3.16.72
>
>Changbin Du (1):
>      perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test()
>
>Chen Jie (1):
>      futex: Ensure that futex address is aligned in handle_futex_death()
>
>Christophe Leroy (1):
>      powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64
>
>Colin Ian King (1):
>      vxge: fix return of a free'd memblock on a failed dma mapping
>
>Dan Carpenter (2):
>      staging: rtl8712: uninitialized memory in read_bbreg_hdl()
>      xen: Prevent buffer overflow in privcmd ioctl
>
>David Howells (1):
>      afs: Fix StoreData op marshalling
>
>Denis Efremov (4):
>      floppy: fix div-by-zero in setup_format_params
>      floppy: fix out-of-bounds read in next_valid_format
>      floppy: fix invalid pointer dereference in drive_name
>      floppy: fix out-of-bounds read in copy_buffer
>
>Dragos Bogdan (1):
>      iio: ad_sigma_delta: select channel when reading register
>
>Eric Dumazet (7):
>      tcp: do not use ipv6 header for ipv4 flow
>      dccp: do not use ipv6 header for ipv4 flow
>      net/rose: fix unbound loop in rose_loopback_timer()
>      l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv()
>      ipv6/flowlabel: wait rcu grace period before put_pid()
>      l2ip: fix possible use-after-free
>      inet: switch IP ID generator to siphash
>
>Erik Schmauss (1):
>      ACPICA: Namespace: remove address node from global list after method termination
>
>Fabrice Gasnier (1):
>      iio: core: fix a possible circular locking dependency
>
>Finn Thain (1):
>      mac8390: Fix mmio access size probe
>
>Florian Westphal (2):
>      netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
>      netfilter: ctnetlink: don't use conntrack/expect object addresses as id
>
>Frank Sorenson (1):
>      cifs: do not attempt cifs operation on smb2+ rename error
>
>Frederic Weisbecker (1):
>      locking/lockdep: Add IRQs disabled/enabled assertion APIs: lockdep_assert_irqs_enabled()/disabled()
>
>Geert Uytterhoeven (1):
>      net: mac8390: Use standard memcpy_{from,to}io()
>
>Georg Ottinger (1):
>      iio: adc: at91: disable adc channel interrupt in timeout case
>
>George McCollister (1):
>      USB: serial: ftdi_sio: add additional NovaTech products
>
>Grant Hernandez (1):
>      Input: gtco - bounds check collection indent level
>
>Greg Kroah-Hartman (1):
>      USB: serial: cp210x: add new device id
>
>Guenter Roeck (1):
>      xsysace: Fix error handling in ace_setup
>
>Gustavo A. R. Silva (2):
>      ALSA: rawmidi: Fix potential Spectre v1 vulnerability
>      ALSA: seq: oss: Fix Spectre v1 vulnerability
>
>Hangbin Liu (1):
>      team: fix possible recursive locking when add slaves
>
>Hannes Frederic Sowa (3):
>      ipv4: hash net ptr into fragmentation bucket selection
>      ipv4: ip_tunnel: use net namespace from rtable not socket
>      ipv6: hash net ptr into fragmentation bucket selection
>
>Heiner Kallweit (1):
>      net: phy: don't clear BMCR in genphy_soft_reset
>
>Hoan Nguyen An (1):
>      serial: sh-sci: Fix setting SCSCR_TIE while transferring data
>
>Ian Abbott (2):
>      staging: comedi: vmk80xx: Fix use of uninitialized semaphore
>      staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf
>
>Igor Redko (1):
>      mm/page_alloc.c: calculate 'available' memory in a separate function
>
>Ilya Dryomov (1):
>      dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors
>
>Jack Morgenstein (1):
>      IB/mlx4: Fix race condition between catas error reset and aliasguid flows
>
>Jan Kara (1):
>      udf: Fix crash on IO error during truncate
>
>Jann Horn (1):
>      device_cgroup: fix RCU imbalance in error case
>
>Jason A. Donenfeld (1):
>      siphash: add cryptographically secure PRF
>
>Jason Wang (4):
>      vhost_net: introduce vhost_exceeds_weight()
>      vhost: introduce vhost_exceeds_weight()
>      vhost_net: fix possible infinite loop
>      vhost: scsi: add weight support
>
>Jason Yan (1):
>      scsi: libsas: fix a race condition when smp task timeout
>
>Jean-Francois Dagenais (1):
>      iio: dac: mcp4725: add missing powerdown bits in store eeprom
>
>Jeff Layton (1):
>      ceph: ensure d_name stability in ceph_dentry_hash()
>
>Jie Liu (1):
>      tipc: set sysctl_tipc_rmem and named_timeout right range
>
>Jim Mattson (1):
>      kvm: x86: IA32_ARCH_CAPABILITIES is always supported
>
>Joerg Roedel (1):
>      iommu/amd: Set exclusion range correctly
>
>Johannes Berg (1):
>      mac80211: don't attempt to rename ERR_PTR() debugfs dirs
>
>Johannes Thumshirn (1):
>      btrfs: correctly validate compression type
>
>Johannes Weiner (1):
>      proc: meminfo: estimate available memory more conservatively
>
>Josh Poimboeuf (3):
>      x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
>      x86/speculation: Enable Spectre v1 swapgs mitigations
>      x86/entry/64: Use JMP instead of JMPQ
>
>Juergen Gross (1):
>      xen: let alloc_xenballooned_pages() fail if not enough memory free
>
>Jérôme Glisse (1):
>      block: do not leak memory in bio_copy_user_iov()
>
>Kangjie Lu (2):
>      tty: atmel_serial: fix a potential NULL pointer dereference
>      tty: mxs-auart: fix a potential NULL pointer dereference
>
>Kohji Okuno (1):
>      ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time
>
>Konstantin Khlebnikov (1):
>      mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n
>
>Lars-Peter Clausen (1):
>      iio: Fix scan mask selection
>
>Leonard Pollak (1):
>      Staging: iio: meter: fixed typo
>
>Lin Yi (1):
>      USB: serial: mos7720: fix mos_parport refcount imbalance on error path
>
>Linus Torvalds (1):
>      slip: make slhc_free() silently accept an error pointer
>
>Liu Jian (1):
>      mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer
>
>Lu Baolu (1):
>      iommu/vt-d: Check capability before disabling protected memory
>
>Lukas Czerner (2):
>      ext4: fix data corruption caused by unaligned direct AIO
>      ext4: add missing brelse() in add_new_gdb_meta_bg()
>
>Malte Leip (1):
>      usb: usbip: fix isoc packet num validation in get_pipe
>
>Marco Felsch (1):
>      ARM: dts: pfla02: increase phy reset duration
>
>Markus Elfring (1):
>      iio: Use kmalloc_array() in iio_scan_mask_set()
>
>Masami Hiramatsu (3):
>      x86/kprobes: Verify stack frame on kretprobe
>      kprobes: Mark ftrace mcount handler functions nokprobe
>      x86/kprobes: Avoid kretprobe recursion bug
>
>Mathias Nyman (1):
>      xhci: Don't let USB3 ports stuck in polling state prevent suspend
>
>Max Filippov (1):
>      xtensa: fix return_address
>
>Mel Gorman (1):
>      sched/fair: Do not re-read ->h_load_next during hierarchical load calculation
>
>Michael Ellerman (1):
>      powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038
>
>Michael Neuling (1):
>      powerpc/tm: Fix oops on sigreturn on systems without TM
>
>Mike Snitzer (1):
>      dm: disable DISCARD if the underlying storage no longer supports it
>
>NeilBrown (2):
>      NFS: fix mount/umount race in nlmclnt.
>      sunrpc: don't mark uninitialised items as VALID.
>
>Nick Desaulniers (1):
>      lib/string.c: implement a basic bcmp
>
>Nikolay Aleksandrov (1):
>      net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
>
>Paolo Abeni (1):
>      vhost_net: use packet weight for rx handler, too
>
>Peter Zijlstra (1):
>      trace: Fix preempt_enable_no_resched() abuse
>
>Phil Auld (1):
>      sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup
>
>Rikard Falkeborn (1):
>      tools lib traceevent: Fix missing equality check for strcmp
>
>Ronnie Sahlberg (1):
>      cifs: fix handle leak in smb2_query_symlink()
>
>Sabrina Dubroca (1):
>      ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment
>
>Samuel Thibault (1):
>      staging: speakup_soft: Fix alternate speech with other synths
>
>Sean Christopherson (2):
>      KVM: Reject device ioctls from processes other than the VM's creator
>      KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts
>
>Steffen Klassert (3):
>      xfrm4: Fix header checks in _decode_session4.
>      xfrm4: Reload skb header pointers after calling pskb_may_pull.
>      xfrm4: Fix uninitialized memory read in _decode_session4
>
>Steffen Maier (2):
>      scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
>      scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices
>
>Stephane Eranian (1):
>      perf/core: Restore mmap record type correctly
>
>Su Yanjun (1):
>      xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
>
>Sven Eckelmann (3):
>      batman-adv: Reduce claim hash refcnt only for removed entry
>      batman-adv: Reduce tt_local hash refcnt only for removed entry
>      batman-adv: Reduce tt_global hash refcnt only for removed entry
>
>Takashi Iwai (3):
>      ALSA: pcm: Fix possible OOB access in PCM oss plugins
>      ALSA: pcm: Don't suspend stream in unrecoverable PCM state
>      ALSA: core: Fix card races between register and disconnect
>
>Thomas Gleixner (2):
>      x86/speculation: Prevent deadlock on ssb_state::lock
>      x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
>
>Vijayakumar Durai (1):
>      rt2x00: do not increment sequence number while re-transmitting
>
>Vlad Yasevich (4):
>      ipv6: Select fragment id during UFO segmentation if not set.
>      Revert "drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets"
>      ipv6: Fix fragment id assignment on LE arches.
>      ipv6: Make __ipv6_select_ident static
>
>Vladis Dronov (1):
>      Bluetooth: hci_uart: check for missing tty operations
>
>Wanpeng Li (1):
>      x86/entry/64: Fix context tracking state warning when load_gs_index fails
>
>Willem de Bruijn (3):
>      ipv6: invert flowlabel sharing check in process and user mode
>      packet: in recvmsg msg_name return at least sizeof sockaddr_ll
>      packet: validate msg_namelen in send directly
>
>Xie XiuQi (1):
>      sched/numa: Fix a possible divide-by-zero
>
>Xin Long (3):
>      ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
>      netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING
>      sctp: get sctphdr by offset in sctp_compute_cksum
>
>YueHaibing (5):
>      xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
>      net-sysfs: call dev_hold if kobject_init_and_add success
>      fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links
>      dccp: Fix memleak in __feat_register_sp
>      fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
>
>Zubin Mithra (1):
>      ALSA: seq: Fix OOB-reads from strlcpy
>
>haibinzhang(张海斌) (1):
>      vhost-net: set packet weight of tx polling to 2 * vq size
>
>-- 
>Ben Hutchings
>When in doubt, use brute force. - Ken Thompson
>
>

>diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
>index 67a21b2ef3e4..2fe0b85b693d 100644
>--- a/Documentation/kernel-parameters.txt
>+++ b/Documentation/kernel-parameters.txt
>@@ -1917,6 +1917,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
> 				improves system performance, but it may also
> 				expose users to several CPU vulnerabilities.
> 				Equivalent to: nopti [X86]
>+					       nospectre_v1 [X86]
> 					       nospectre_v2 [X86]
> 					       spectre_v2_user=off [X86]
> 					       spec_store_bypass_disable=off [X86]
>@@ -2215,6 +2216,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
> 			register save and restore. The kernel will only save
> 			legacy floating-point registers on task switch.
> 
>+	nospectre_v1	[X86] Disable mitigations for Spectre Variant 1
>+			(bounds check bypass). With this option data leaks are
>+			possible in the system.
>+
> 	nospectre_v2	[X86] Disable all mitigations for the Spectre variant 2
> 			(indirect branch prediction) vulnerability. System may
> 			allow data leaks with this option, which is equivalent
>diff --git a/Documentation/siphash.txt b/Documentation/siphash.txt
>new file mode 100644
>index 000000000000..e8e6ddbbaab4
>--- /dev/null
>+++ b/Documentation/siphash.txt
>@@ -0,0 +1,100 @@
>+         SipHash - a short input PRF
>+-----------------------------------------------
>+Written by Jason A. Donenfeld <jason@zx2c4.com>
>+
>+SipHash is a cryptographically secure PRF -- a keyed hash function -- that
>+performs very well for short inputs, hence the name. It was designed by
>+cryptographers Daniel J. Bernstein and Jean-Philippe Aumasson. It is intended
>+as a replacement for some uses of: `jhash`, `md5_transform`, `sha_transform`,
>+and so forth.
>+
>+SipHash takes a secret key filled with randomly generated numbers and either
>+an input buffer or several input integers. It spits out an integer that is
>+indistinguishable from random. You may then use that integer as part of secure
>+sequence numbers, secure cookies, or mask it off for use in a hash table.
>+
>+1. Generating a key
>+
>+Keys should always be generated from a cryptographically secure source of
>+random numbers, either using get_random_bytes or get_random_once:
>+
>+siphash_key_t key;
>+get_random_bytes(&key, sizeof(key));
>+
>+If you're not deriving your key from here, you're doing it wrong.
>+
>+2. Using the functions
>+
>+There are two variants of the function, one that takes a list of integers, and
>+one that takes a buffer:
>+
>+u64 siphash(const void *data, size_t len, const siphash_key_t *key);
>+
>+And:
>+
>+u64 siphash_1u64(u64, const siphash_key_t *key);
>+u64 siphash_2u64(u64, u64, const siphash_key_t *key);
>+u64 siphash_3u64(u64, u64, u64, const siphash_key_t *key);
>+u64 siphash_4u64(u64, u64, u64, u64, const siphash_key_t *key);
>+u64 siphash_1u32(u32, const siphash_key_t *key);
>+u64 siphash_2u32(u32, u32, const siphash_key_t *key);
>+u64 siphash_3u32(u32, u32, u32, const siphash_key_t *key);
>+u64 siphash_4u32(u32, u32, u32, u32, const siphash_key_t *key);
>+
>+If you pass the generic siphash function something of a constant length, it
>+will constant fold at compile-time and automatically choose one of the
>+optimized functions.
>+
>+3. Hashtable key function usage:
>+
>+struct some_hashtable {
>+	DECLARE_HASHTABLE(hashtable, 8);
>+	siphash_key_t key;
>+};
>+
>+void init_hashtable(struct some_hashtable *table)
>+{
>+	get_random_bytes(&table->key, sizeof(table->key));
>+}
>+
>+static inline hlist_head *some_hashtable_bucket(struct some_hashtable *table, struct interesting_input *input)
>+{
>+	return &table->hashtable[siphash(input, sizeof(*input), &table->key) & (HASH_SIZE(table->hashtable) - 1)];
>+}
>+
>+You may then iterate like usual over the returned hash bucket.
>+
>+4. Security
>+
>+SipHash has a very high security margin, with its 128-bit key. So long as the
>+key is kept secret, it is impossible for an attacker to guess the outputs of
>+the function, even if being able to observe many outputs, since 2^128 outputs
>+is significant.
>+
>+Linux implements the "2-4" variant of SipHash.
>+
>+5. Struct-passing Pitfalls
>+
>+Often times the XuY functions will not be large enough, and instead you'll
>+want to pass a pre-filled struct to siphash. When doing this, it's important
>+to always ensure the struct has no padding holes. The easiest way to do this
>+is to simply arrange the members of the struct in descending order of size,
>+and to use offsetendof() instead of sizeof() for getting the size. For
>+performance reasons, if possible, it's probably a good thing to align the
>+struct to the right boundary. Here's an example:
>+
>+const struct {
>+	struct in6_addr saddr;
>+	u32 counter;
>+	u16 dport;
>+} __aligned(SIPHASH_ALIGNMENT) combined = {
>+	.saddr = *(struct in6_addr *)saddr,
>+	.counter = counter,
>+	.dport = dport
>+};
>+u64 h = siphash(&combined, offsetofend(typeof(combined), dport), &secret);
>+
>+6. Resources
>+
>+Read the SipHash paper if you're interested in learning more:
>+https://131002.net/siphash/siphash.pdf
>diff --git a/Documentation/usb/power-management.txt b/Documentation/usb/power-management.txt
>index 1392b61d6ebe..3073ea800389 100644
>--- a/Documentation/usb/power-management.txt
>+++ b/Documentation/usb/power-management.txt
>@@ -345,11 +345,15 @@ autosuspend the interface's device.  When the usage counter is = 0
> then the interface is considered to be idle, and the kernel may
> autosuspend the device.
> 
>-Drivers need not be concerned about balancing changes to the usage
>-counter; the USB core will undo any remaining "get"s when a driver
>-is unbound from its interface.  As a corollary, drivers must not call
>-any of the usb_autopm_* functions after their disconnect() routine has
>-returned.
>+Drivers must be careful to balance their overall changes to the usage
>+counter.  Unbalanced "get"s will remain in effect when a driver is
>+unbound from its interface, preventing the device from going into
>+runtime suspend should the interface be bound to a driver again.  On
>+the other hand, drivers are allowed to achieve this balance by calling
>+the usb_autopm_* functions even after their disconnect routine
>+has returned -- say from within a work-queue routine -- provided they
>+retain an active reference to the interface (via usb_get_intf and
>+usb_put_intf).
> 
> Drivers using the async routines are responsible for their own
> synchronization and mutual exclusion.
>diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
>index e86da4377402..fcafeed97244 100644
>--- a/Documentation/virtual/kvm/api.txt
>+++ b/Documentation/virtual/kvm/api.txt
>@@ -13,7 +13,7 @@ of a virtual machine.  The ioctls belong to three classes
> 
>  - VM ioctls: These query and set attributes that affect an entire virtual
>    machine, for example memory layout.  In addition a VM ioctl is used to
>-   create virtual cpus (vcpus).
>+   create virtual cpus (vcpus) and devices.
> 
>    Only run VM ioctls from the same process (address space) that was used
>    to create the VM.
>@@ -24,6 +24,11 @@ of a virtual machine.  The ioctls belong to three classes
>    Only run vcpu ioctls from the same thread that was used to create the
>    vcpu.
> 
>+ - device ioctls: These query and set attributes that control the operation
>+   of a single device.
>+
>+   device ioctls must be issued from the same process (address space) that
>+   was used to create the VM.
> 
> 2. File descriptors
> -------------------
>@@ -32,10 +37,11 @@ The kvm API is centered around file descriptors.  An initial
> open("/dev/kvm") obtains a handle to the kvm subsystem; this handle
> can be used to issue system ioctls.  A KVM_CREATE_VM ioctl on this
> handle will create a VM file descriptor which can be used to issue VM
>-ioctls.  A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu
>-and return a file descriptor pointing to it.  Finally, ioctls on a vcpu
>-fd can be used to control the vcpu, including the important task of
>-actually running guest code.
>+ioctls.  A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will
>+create a virtual cpu or device and return a file descriptor pointing to
>+the new resource.  Finally, ioctls on a vcpu or device fd can be used
>+to control the vcpu or device.  For vcpus, this includes the important
>+task of actually running guest code.
> 
> In general file descriptors can be migrated among processes by means
> of fork() and the SCM_RIGHTS facility of unix domain socket.  These
>diff --git a/MAINTAINERS b/MAINTAINERS
>index b2a5243e9d0b..61dbb398b540 100644
>--- a/MAINTAINERS
>+++ b/MAINTAINERS
>@@ -8188,6 +8188,13 @@ F:	arch/arm/mach-s3c24xx/mach-bast.c
> F:	arch/arm/mach-s3c24xx/bast-ide.c
> F:	arch/arm/mach-s3c24xx/bast-irq.c
> 
>+SIPHASH PRF ROUTINES
>+M:	Jason A. Donenfeld <Jason@zx2c4.com>
>+S:	Maintained
>+F:	lib/siphash.c
>+F:	lib/test_siphash.c
>+F:	include/linux/siphash.h
>+
> TI DAVINCI MACHINE SUPPORT
> M:	Sekhar Nori <nsekhar@ti.com>
> M:	Kevin Hilman <khilman@deeprootsystems.com>
>diff --git a/Makefile b/Makefile
>index c2c6a3580e8a..e2d6e0b9f22d 100644
>--- a/Makefile
>+++ b/Makefile
>@@ -1,6 +1,6 @@
> VERSION = 3
> PATCHLEVEL = 16
>-SUBLEVEL = 71
>+SUBLEVEL = 72
> EXTRAVERSION =
> NAME = Museum of Fishiegoodies
> 
>diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
>index 50c7718cb84e..0214e1199a06 100644
>--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
>+++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
>@@ -302,6 +302,7 @@
> 	pinctrl-names = "default";
> 	pinctrl-0 = <&pinctrl_enet>;
> 	phy-mode = "rgmii";
>+	phy-reset-duration = <10>; /* in msecs */
> 	phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>;
> 	status = "disabled";
> };
>diff --git a/arch/arm/mach-imx/cpuidle-imx6q.c b/arch/arm/mach-imx/cpuidle-imx6q.c
>index 6bcae0479049..e338a6d23b77 100644
>--- a/arch/arm/mach-imx/cpuidle-imx6q.c
>+++ b/arch/arm/mach-imx/cpuidle-imx6q.c
>@@ -14,30 +14,23 @@
> #include "common.h"
> #include "cpuidle.h"
> 
>-static atomic_t master = ATOMIC_INIT(0);
>-static DEFINE_SPINLOCK(master_lock);
>+static int num_idle_cpus = 0;
>+static DEFINE_SPINLOCK(cpuidle_lock);
> 
> static int imx6q_enter_wait(struct cpuidle_device *dev,
> 			    struct cpuidle_driver *drv, int index)
> {
>-	if (atomic_inc_return(&master) == num_online_cpus()) {
>-		/*
>-		 * With this lock, we prevent other cpu to exit and enter
>-		 * this function again and become the master.
>-		 */
>-		if (!spin_trylock(&master_lock))
>-			goto idle;
>+	spin_lock(&cpuidle_lock);
>+	if (++num_idle_cpus == num_online_cpus())
> 		imx6q_set_lpm(WAIT_UNCLOCKED);
>-		cpu_do_idle();
>-		imx6q_set_lpm(WAIT_CLOCKED);
>-		spin_unlock(&master_lock);
>-		goto done;
>-	}
>+	spin_unlock(&cpuidle_lock);
> 
>-idle:
> 	cpu_do_idle();
>-done:
>-	atomic_dec(&master);
>+
>+	spin_lock(&cpuidle_lock);
>+	if (num_idle_cpus-- == num_online_cpus())
>+		imx6q_set_lpm(WAIT_CLOCKED);
>+	spin_unlock(&cpuidle_lock);
> 
> 	return index;
> }
>diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
>index 37361502d63b..ff9987fd5fd0 100644
>--- a/arch/mips/kernel/scall64-o32.S
>+++ b/arch/mips/kernel/scall64-o32.S
>@@ -124,7 +124,7 @@ NESTED(handle_sys, PT_SIZE, sp)
> 	subu	t1, v0,  __NR_O32_Linux
> 	move	a1, v0
> 	bnez	t1, 1f /* __NR_syscall at offset 0 */
>-	lw	a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
>+	ld	a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
> 	.set	pop
> 
> 1:	jal	syscall_trace_enter
>diff --git a/arch/powerpc/include/asm/vdso_datapage.h b/arch/powerpc/include/asm/vdso_datapage.h
>index b73a8199f161..1e0ee59c8276 100644
>--- a/arch/powerpc/include/asm/vdso_datapage.h
>+++ b/arch/powerpc/include/asm/vdso_datapage.h
>@@ -82,10 +82,10 @@ struct vdso_data {
> 	__u32 icache_block_size;		/* L1 i-cache block size     */
> 	__u32 dcache_log_block_size;		/* L1 d-cache log block size */
> 	__u32 icache_log_block_size;		/* L1 i-cache log block size */
>-	__s32 wtom_clock_sec;			/* Wall to monotonic clock */
>-	__s32 wtom_clock_nsec;
>-	struct timespec stamp_xtime;	/* xtime as at tb_orig_stamp */
>-	__u32 stamp_sec_fraction;	/* fractional seconds of stamp_xtime */
>+	__u32 stamp_sec_fraction;		/* fractional seconds of stamp_xtime */
>+	__s32 wtom_clock_nsec;			/* Wall to monotonic clock nsec */
>+	__s64 wtom_clock_sec;			/* Wall to monotonic clock sec */
>+	struct timespec stamp_xtime;		/* xtime as at tb_orig_stamp */
>    	__u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls  */
>    	__u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
> };
>diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
>index e7e8c4db2651..90d1d10eff05 100644
>--- a/arch/powerpc/kernel/signal_32.c
>+++ b/arch/powerpc/kernel/signal_32.c
>@@ -1274,6 +1274,9 @@ long sys_rt_sigreturn(int r3, int r4, int r5, int r6, int r7, int r8,
> 			goto bad;
> 
> 		if (MSR_TM_ACTIVE(msr_hi<<32)) {
>+			/* Trying to start TM on non TM system */
>+			if (!cpu_has_feature(CPU_FTR_TM))
>+				goto bad;
> 			/* We only recheckpoint on return if we're
> 			 * transaction.
> 			 */
>diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
>index 0bcae29336c0..5437dae4f12f 100644
>--- a/arch/powerpc/kernel/signal_64.c
>+++ b/arch/powerpc/kernel/signal_64.c
>@@ -702,6 +702,11 @@ int sys_rt_sigreturn(unsigned long r3, unsigned long r4, unsigned long r5,
> 	if (MSR_TM_ACTIVE(msr)) {
> 		/* We recheckpoint on return. */
> 		struct ucontext __user *uc_transact;
>+
>+		/* Trying to start TM on non TM system */
>+		if (!cpu_has_feature(CPU_FTR_TM))
>+			goto badframe;
>+
> 		if (__get_user(uc_transact, &uc->uc_link))
> 			goto badframe;
> 		if (restore_tm_sigcontexts(regs, &uc->uc_mcontext,
>diff --git a/arch/powerpc/kernel/vdso32/gettimeofday.S b/arch/powerpc/kernel/vdso32/gettimeofday.S
>index 6b2b69616e77..8bacb8721961 100644
>--- a/arch/powerpc/kernel/vdso32/gettimeofday.S
>+++ b/arch/powerpc/kernel/vdso32/gettimeofday.S
>@@ -98,7 +98,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
> 	 * can be used, r7 contains NSEC_PER_SEC.
> 	 */
> 
>-	lwz	r5,WTOM_CLOCK_SEC(r9)
>+	lwz	r5,(WTOM_CLOCK_SEC+LOPART)(r9)
> 	lwz	r6,WTOM_CLOCK_NSEC(r9)
> 
> 	/* We now have our offset in r5,r6. We create a fake dependency
>diff --git a/arch/powerpc/kernel/vdso64/gettimeofday.S b/arch/powerpc/kernel/vdso64/gettimeofday.S
>index 382021324883..6a6a8495bd55 100644
>--- a/arch/powerpc/kernel/vdso64/gettimeofday.S
>+++ b/arch/powerpc/kernel/vdso64/gettimeofday.S
>@@ -85,7 +85,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
> 	 * At this point, r4,r5 contain our sec/nsec values.
> 	 */
> 
>-	lwa	r6,WTOM_CLOCK_SEC(r3)
>+	ld	r6,WTOM_CLOCK_SEC(r3)
> 	lwa	r9,WTOM_CLOCK_NSEC(r3)
> 
> 	/* We now have our result in r6,r9. We create a fake dependency
>diff --git a/arch/x86/include/asm/calling.h b/arch/x86/include/asm/calling.h
>index cb4c73bfeb48..129e29721835 100644
>--- a/arch/x86/include/asm/calling.h
>+++ b/arch/x86/include/asm/calling.h
>@@ -47,6 +47,7 @@ For 32-bit we have the following conventions - kernel is built with
> */
> 
> #include <asm/dwarf2.h>
>+#include <asm/cpufeatures.h>
> 
> #ifdef CONFIG_X86_64
> 
>@@ -195,6 +196,23 @@ For 32-bit we have the following conventions - kernel is built with
> 	.byte 0xf1
> 	.endm
> 
>+/*
>+ * Mitigate Spectre v1 for conditional swapgs code paths.
>+ *
>+ * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to
>+ * prevent a speculative swapgs when coming from kernel space.
>+ *
>+ * FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path,
>+ * to prevent the swapgs from getting speculatively skipped when coming from
>+ * user space.
>+ */
>+.macro FENCE_SWAPGS_USER_ENTRY
>+	ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER
>+.endm
>+.macro FENCE_SWAPGS_KERNEL_ENTRY
>+	ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL
>+.endm
>+
> #else /* CONFIG_X86_64 */
> 
> /*
>diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
>index 99137cbe34b8..ba48ab887acf 100644
>--- a/arch/x86/include/asm/cpufeatures.h
>+++ b/arch/x86/include/asm/cpufeatures.h
>@@ -177,29 +177,33 @@
> #define X86_FEATURE_ARAT	( 7*32+ 1) /* Always Running APIC Timer */
> #define X86_FEATURE_CPB		( 7*32+ 2) /* AMD Core Performance Boost */
> #define X86_FEATURE_EPB		( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */
>-#define X86_FEATURE_XSAVEOPT	( 7*32+ 4) /* Optimized Xsave */
>+#define X86_FEATURE_INVPCID_SINGLE ( 7*32+4) /* Effectively INVPCID && CR4.PCIDE=1 */
> #define X86_FEATURE_PLN		( 7*32+ 5) /* Intel Power Limit Notification */
> #define X86_FEATURE_PTS		( 7*32+ 6) /* Intel Package Thermal Status */
> #define X86_FEATURE_DTHERM	( 7*32+ 7) /* Digital Thermal Sensor */
> #define X86_FEATURE_HW_PSTATE	( 7*32+ 8) /* AMD HW-PState */
> #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
>-#define X86_FEATURE_INVPCID_SINGLE ( 7*32+10) /* Effectively INVPCID && CR4.PCIDE=1 */
>-#define X86_FEATURE_RSB_CTXSW	( 7*32+11) /* "" Fill RSB on context switches */
>-#define X86_FEATURE_USE_IBPB	( 7*32+12) /* "" Indirect Branch Prediction Barrier enabled */
>-#define X86_FEATURE_USE_IBRS_FW ( 7*32+13) /* "" Use IBRS during runtime firmware calls */
>-#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+14) /* "" Disable Speculative Store Bypass. */
>-#define X86_FEATURE_LS_CFG_SSBD	( 7*32+15) /* "" AMD SSBD implementation */
>-#define X86_FEATURE_IBRS	( 7*32+16) /* Indirect Branch Restricted Speculation */
>-#define X86_FEATURE_IBPB	( 7*32+17) /* Indirect Branch Prediction Barrier */
>-#define X86_FEATURE_STIBP	( 7*32+18) /* Single Thread Indirect Branch Predictors */
>-#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+19) /* "" MSR SPEC_CTRL is implemented */
>-#define X86_FEATURE_SSBD	( 7*32+20) /* Speculative Store Bypass Disable */
>-#define X86_FEATURE_ZEN		( 7*32+21) /* "" CPU is AMD family 0x17 (Zen) */
>-#define X86_FEATURE_L1TF_PTEINV	( 7*32+22) /* "" L1TF workaround PTE inversion */
>-#define X86_FEATURE_IBRS_ENHANCED ( 7*32+23) /* Enhanced IBRS */
>-#define X86_FEATURE_RETPOLINE	( 7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */
>-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
>-/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
>+#define X86_FEATURE_FENCE_SWAPGS_USER	( 7*32+10) /* "" LFENCE in user entry SWAPGS path */
>+#define X86_FEATURE_FENCE_SWAPGS_KERNEL	( 7*32+11) /* "" LFENCE in kernel entry SWAPGS path */
>+#define X86_FEATURE_RETPOLINE	( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
>+#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
>+
>+#define X86_FEATURE_XSAVEOPT	( 7*32+15) /* Optimized Xsave */
>+#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
>+#define X86_FEATURE_SSBD	( 7*32+17) /* Speculative Store Bypass Disable */
>+
>+#define X86_FEATURE_RSB_CTXSW	( 7*32+19) /* "" Fill RSB on context switches */
>+
>+#define X86_FEATURE_USE_IBPB	( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
>+#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
>+#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
>+#define X86_FEATURE_LS_CFG_SSBD	( 7*32+24) /* "" AMD SSBD implementation */
>+#define X86_FEATURE_IBRS	( 7*32+25) /* Indirect Branch Restricted Speculation */
>+#define X86_FEATURE_IBPB	( 7*32+26) /* Indirect Branch Prediction Barrier */
>+#define X86_FEATURE_STIBP	( 7*32+27) /* Single Thread Indirect Branch Predictors */
>+#define X86_FEATURE_ZEN		( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
>+#define X86_FEATURE_L1TF_PTEINV	( 7*32+29) /* "" L1TF workaround PTE inversion */
>+#define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
> #define X86_FEATURE_KAISER	( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
> 
> /* Virtualization flags: Linux defined, word 8 */
>@@ -274,5 +278,6 @@
> #define X86_BUG_L1TF		X86_BUG(9) /* CPU is affected by L1 Terminal Fault */
> #define X86_BUG_MDS		X86_BUG(10) /* CPU is affected by Microarchitectural data sampling */
> #define X86_BUG_MSBDS_ONLY	X86_BUG(11) /* CPU is only affected by the  MSDBS variant of BUG_MDS */
>+#define X86_BUG_SWAPGS		X86_BUG(12) /* CPU is affected by speculation through SWAPGS */
> 
> #endif /* _ASM_X86_CPUFEATURES_H */
>diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
>index e9eae4fbdde2..92a9ba2595b3 100644
>--- a/arch/x86/include/asm/kvm_host.h
>+++ b/arch/x86/include/asm/kvm_host.h
>@@ -88,7 +88,7 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
> #define IOPL_SHIFT 12
> 
> #define KVM_PERMILLE_MMU_PAGES 20
>-#define KVM_MIN_ALLOC_MMU_PAGES 64
>+#define KVM_MIN_ALLOC_MMU_PAGES 64UL
> #define KVM_MMU_HASH_SHIFT 10
> #define KVM_NUM_MMU_PAGES (1 << KVM_MMU_HASH_SHIFT)
> #define KVM_MIN_FREE_MMU_PAGES 5
>@@ -363,6 +363,7 @@ struct kvm_vcpu_arch {
> 	int mp_state;
> 	u64 ia32_misc_enable_msr;
> 	bool tpr_access_reporting;
>+	u64 arch_capabilities;
> 
> 	/*
> 	 * Paging state of the vcpu
>@@ -551,9 +552,9 @@ struct kvm_apic_map {
> };
> 
> struct kvm_arch {
>-	unsigned int n_used_mmu_pages;
>-	unsigned int n_requested_mmu_pages;
>-	unsigned int n_max_mmu_pages;
>+	unsigned long n_used_mmu_pages;
>+	unsigned long n_requested_mmu_pages;
>+	unsigned long n_max_mmu_pages;
> 	unsigned int indirect_shadow_pages;
> 	unsigned long mmu_valid_gen;
> 	struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
>@@ -809,8 +810,8 @@ void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
> 				     gfn_t gfn_offset, unsigned long mask);
> void kvm_mmu_zap_all(struct kvm *kvm);
> void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm);
>-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm);
>-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages);
>+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm);
>+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long kvm_nr_mmu_pages);
> 
> int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3);
> 
>diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
>index da45f9fc1913..5876b28f9331 100644
>--- a/arch/x86/include/asm/xen/hypercall.h
>+++ b/arch/x86/include/asm/xen/hypercall.h
>@@ -215,6 +215,9 @@ privcmd_call(unsigned call,
> 	__HYPERCALL_DECLS;
> 	__HYPERCALL_5ARG(a1, a2, a3, a4, a5);
> 
>+	if (call >= PAGE_SIZE / sizeof(hypercall_page[0]))
>+		return -EINVAL;
>+
> 	stac();
> 	asm volatile(CALL_NOSPEC
> 		     : __HYPERCALL_5PARAM
>diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
>index e325029ff01a..f9e23ee19bcb 100644
>--- a/arch/x86/kernel/cpu/bugs.c
>+++ b/arch/x86/kernel/cpu/bugs.c
>@@ -30,6 +30,7 @@
> #include <asm/intel-family.h>
> #include <asm/e820.h>
> 
>+static void __init spectre_v1_select_mitigation(void);
> static void __init spectre_v2_select_mitigation(void);
> static void __init ssb_select_mitigation(void);
> static void __init l1tf_select_mitigation(void);
>@@ -148,17 +149,11 @@ void __init check_bugs(void)
> 	if (boot_cpu_has(X86_FEATURE_STIBP))
> 		x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
> 
>-	/* Select the proper spectre mitigation before patching alternatives */
>+	/* Select the proper CPU mitigations before patching alternatives: */
>+	spectre_v1_select_mitigation();
> 	spectre_v2_select_mitigation();
>-
>-	/*
>-	 * Select proper mitigation for any exposure to the Speculative Store
>-	 * Bypass vulnerability.
>-	 */
> 	ssb_select_mitigation();
>-
> 	l1tf_select_mitigation();
>-
> 	mds_select_mitigation();
> 
> 	arch_smt_update();
>@@ -317,6 +312,98 @@ static int __init mds_cmdline(char *str)
> }
> early_param("mds", mds_cmdline);
> 
>+#undef pr_fmt
>+#define pr_fmt(fmt)     "Spectre V1 : " fmt
>+
>+enum spectre_v1_mitigation {
>+	SPECTRE_V1_MITIGATION_NONE,
>+	SPECTRE_V1_MITIGATION_AUTO,
>+};
>+
>+static enum spectre_v1_mitigation spectre_v1_mitigation =
>+	SPECTRE_V1_MITIGATION_AUTO;
>+
>+static const char * const spectre_v1_strings[] = {
>+	[SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
>+	[SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
>+};
>+
>+/*
>+ * Does SMAP provide full mitigation against speculative kernel access to
>+ * userspace?
>+ */
>+static bool smap_works_speculatively(void)
>+{
>+	if (!boot_cpu_has(X86_FEATURE_SMAP))
>+		return false;
>+
>+	/*
>+	 * On CPUs which are vulnerable to Meltdown, SMAP does not
>+	 * prevent speculative access to user data in the L1 cache.
>+	 * Consider SMAP to be non-functional as a mitigation on these
>+	 * CPUs.
>+	 */
>+	if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
>+		return false;
>+
>+	return true;
>+}
>+
>+static void __init spectre_v1_select_mitigation(void)
>+{
>+	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
>+		spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
>+		return;
>+	}
>+
>+	if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
>+		/*
>+		 * With Spectre v1, a user can speculatively control either
>+		 * path of a conditional swapgs with a user-controlled GS
>+		 * value.  The mitigation is to add lfences to both code paths.
>+		 *
>+		 * If FSGSBASE is enabled, the user can put a kernel address in
>+		 * GS, in which case SMAP provides no protection.
>+		 *
>+		 * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the
>+		 *	   FSGSBASE enablement patches have been merged. ]
>+		 *
>+		 * If FSGSBASE is disabled, the user can only put a user space
>+		 * address in GS.  That makes an attack harder, but still
>+		 * possible if there's no SMAP protection.
>+		 */
>+		if (!smap_works_speculatively()) {
>+			/*
>+			 * Mitigation can be provided from SWAPGS itself or
>+			 * PTI as the CR3 write in the Meltdown mitigation
>+			 * is serializing.
>+			 *
>+			 * If neither is there, mitigate with an LFENCE to
>+			 * stop speculation through swapgs.
>+			 */
>+			if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
>+			    !boot_cpu_has(X86_FEATURE_KAISER))
>+				setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
>+
>+			/*
>+			 * Enable lfences in the kernel entry (non-swapgs)
>+			 * paths, to prevent user entry from speculatively
>+			 * skipping swapgs.
>+			 */
>+			setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
>+		}
>+	}
>+
>+	pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
>+}
>+
>+static int __init nospectre_v1_cmdline(char *str)
>+{
>+	spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
>+	return 0;
>+}
>+early_param("nospectre_v1", nospectre_v1_cmdline);
>+
> #undef pr_fmt
> #define pr_fmt(fmt)     "Spectre V2 : " fmt
> 
>@@ -1210,7 +1297,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
> 		break;
> 
> 	case X86_BUG_SPECTRE_V1:
>-		return sprintf(buf, "Mitigation: __user pointer sanitization\n");
>+		return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
> 
> 	case X86_BUG_SPECTRE_V2:
> 		return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
>diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
>index 9d4638d437de..337fcac8c8a0 100644
>--- a/arch/x86/kernel/cpu/common.c
>+++ b/arch/x86/kernel/cpu/common.c
>@@ -813,6 +813,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
> #define NO_L1TF		BIT(3)
> #define NO_MDS		BIT(4)
> #define MSBDS_ONLY	BIT(5)
>+#define NO_SWAPGS	BIT(6)
> 
> #define VULNWL(_vendor, _family, _model, _whitelist)	\
> 	{ X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
>@@ -836,29 +837,37 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
> 	VULNWL_INTEL(ATOM_BONNELL,		NO_SPECULATION),
> 	VULNWL_INTEL(ATOM_BONNELL_MID,		NO_SPECULATION),
> 
>-	VULNWL_INTEL(ATOM_SILVERMONT,		NO_SSB | NO_L1TF | MSBDS_ONLY),
>-	VULNWL_INTEL(ATOM_SILVERMONT_X,		NO_SSB | NO_L1TF | MSBDS_ONLY),
>-	VULNWL_INTEL(ATOM_SILVERMONT_MID,	NO_SSB | NO_L1TF | MSBDS_ONLY),
>-	VULNWL_INTEL(ATOM_AIRMONT,		NO_SSB | NO_L1TF | MSBDS_ONLY),
>-	VULNWL_INTEL(XEON_PHI_KNL,		NO_SSB | NO_L1TF | MSBDS_ONLY),
>-	VULNWL_INTEL(XEON_PHI_KNM,		NO_SSB | NO_L1TF | MSBDS_ONLY),
>+	VULNWL_INTEL(ATOM_SILVERMONT,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+	VULNWL_INTEL(ATOM_SILVERMONT_X,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+	VULNWL_INTEL(ATOM_SILVERMONT_MID,	NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+	VULNWL_INTEL(ATOM_AIRMONT,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+	VULNWL_INTEL(XEON_PHI_KNL,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
>+	VULNWL_INTEL(XEON_PHI_KNM,		NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
> 
> 	VULNWL_INTEL(CORE_YONAH,		NO_SSB),
> 
>-	VULNWL_INTEL(ATOM_AIRMONT_MID,		NO_L1TF | MSBDS_ONLY),
>+	VULNWL_INTEL(ATOM_AIRMONT_MID,		NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
> 
>-	VULNWL_INTEL(ATOM_GOLDMONT,		NO_MDS | NO_L1TF),
>-	VULNWL_INTEL(ATOM_GOLDMONT_X,		NO_MDS | NO_L1TF),
>-	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF),
>+	VULNWL_INTEL(ATOM_GOLDMONT,		NO_MDS | NO_L1TF | NO_SWAPGS),
>+	VULNWL_INTEL(ATOM_GOLDMONT_X,		NO_MDS | NO_L1TF | NO_SWAPGS),
>+	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF | NO_SWAPGS),
>+
>+	/*
>+	 * Technically, swapgs isn't serializing on AMD (despite it previously
>+	 * being documented as such in the APM).  But according to AMD, %gs is
>+	 * updated non-speculatively, and the issuing of %gs-relative memory
>+	 * operands will be blocked until the %gs update completes, which is
>+	 * good enough for our purposes.
>+	 */
> 
> 	/* AMD Family 0xf - 0x12 */
>-	VULNWL_AMD(0x0f,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
>-	VULNWL_AMD(0x10,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
>-	VULNWL_AMD(0x11,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
>-	VULNWL_AMD(0x12,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
>+	VULNWL_AMD(0x0f,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
>+	VULNWL_AMD(0x10,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
>+	VULNWL_AMD(0x11,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
>+	VULNWL_AMD(0x12,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
> 
> 	/* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
>-	VULNWL_AMD(X86_FAMILY_ANY,	NO_MELTDOWN | NO_L1TF | NO_MDS),
>+	VULNWL_AMD(X86_FAMILY_ANY,	NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS),
> 	{}
> };
> 
>@@ -895,6 +904,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
> 			setup_force_cpu_bug(X86_BUG_MSBDS_ONLY);
> 	}
> 
>+	if (!cpu_matches(NO_SWAPGS))
>+		setup_force_cpu_bug(X86_BUG_SWAPGS);
>+
> 	if (cpu_matches(NO_MELTDOWN))
> 		return;
> 
>diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
>index 6e5feb342ee4..467069f38f21 100644
>--- a/arch/x86/kernel/entry_64.S
>+++ b/arch/x86/kernel/entry_64.S
>@@ -265,14 +265,19 @@ ENDPROC(native_usergs_sysret64)
> 	testl $3, CS-RBP(%rsi)
> 	je 1f
> 	SWAPGS
>+	FENCE_SWAPGS_USER_ENTRY
> 	SWITCH_KERNEL_CR3
>+	jmp	2f
>+1:
>+	FENCE_SWAPGS_KERNEL_ENTRY
>+2:
> 	/*
> 	 * irq_count is used to check if a CPU is already on an interrupt stack
> 	 * or not. While this is essentially redundant with preempt_count it is
> 	 * a little cheaper to use a separate counter in the PDA (short of
> 	 * moving irq_enter into assembly, which would be too much work)
> 	 */
>-1:	incl PER_CPU_VAR(irq_count)
>+	incl PER_CPU_VAR(irq_count)
> 	cmovzq PER_CPU_VAR(irq_stack_ptr),%rsp
> 	CFI_DEF_CFA_REGISTER	rsi
> 
>@@ -337,6 +342,13 @@ ENTRY(save_paranoid)
> 	movq	%rax, %cr3
> 2:
> #endif
>+	/*
>+	 * The above doesn't do an unconditional CR3 write, even in the PTI
>+	 * case.  So do an lfence to prevent GS speculation, regardless of
>+	 * whether PTI is enabled.
>+	 */
>+	FENCE_SWAPGS_KERNEL_ENTRY
>+
> 	ret
> 	CFI_ENDPROC
> END(save_paranoid)
>@@ -1445,10 +1457,27 @@ ENTRY(error_entry)
> 	 */
> 	SWITCH_KERNEL_CR3
> 	testl $3,CS+8(%rsp)
>-	je error_kernelspace
>-error_swapgs:
>+	jz	.Lerror_kernelspace
>+
>+	/*
>+	 * We entered from user mode or we're pretending to have entered
>+	 * from user mode due to an IRET fault.
>+	 */
> 	SWAPGS
>-error_sti:
>+	FENCE_SWAPGS_USER_ENTRY
>+
>+.Lerror_entry_from_usermode_after_swapgs:
>+	/*
>+	 * We need to tell lockdep that IRQs are off.  We can't do this until
>+	 * we fix gsbase, and we should do it before enter_from_user_mode
>+	 * (which can take locks).
>+	 */
>+	TRACE_IRQS_OFF
>+	ret
>+
>+.Lerror_entry_done_lfence:
>+	FENCE_SWAPGS_KERNEL_ENTRY
>+.Lerror_entry_done:
> 	TRACE_IRQS_OFF
> 	ret
> 
>@@ -1458,28 +1487,46 @@ ENTRY(error_entry)
>  * truncated RIP for IRET exceptions returning to compat mode. Check
>  * for these here too.
>  */
>-error_kernelspace:
>+.Lerror_kernelspace:
> 	leaq native_irq_return_iret(%rip),%rcx
> 	cmpq %rcx,RIP+8(%rsp)
>-	je error_bad_iret
>+	je	.Lerror_bad_iret
> 	movl %ecx,%eax	/* zero extend */
> 	cmpq %rax,RIP+8(%rsp)
>-	je bstep_iret
>+	je	.Lbstep_iret
> 	cmpq $gs_change,RIP+8(%rsp)
>-	je error_swapgs
>-	jmp error_sti
>+	jne	.Lerror_entry_done_lfence
>+
>+	/*
>+	 * hack: gs_change can fail with user gsbase.  If this happens, fix up
>+	 * gsbase and proceed.  We'll fix up the exception and land in
>+	 * gs_change's error handler with kernel gsbase.
>+	 */
>+	SWAPGS
>+	FENCE_SWAPGS_USER_ENTRY
>+	jmp .Lerror_entry_done
> 
>-bstep_iret:
>+.Lbstep_iret:
> 	/* Fix truncated RIP */
> 	movq %rcx,RIP+8(%rsp)
> 	/* fall through */
> 
>-error_bad_iret:
>+.Lerror_bad_iret:
>+	/*
>+	 * We came from an IRET to user mode, so we have user gsbase.
>+	 * Switch to kernel gsbase:
>+	 */
> 	SWAPGS
>+	FENCE_SWAPGS_USER_ENTRY
>+
>+	/*
>+	 * Pretend that the exception came from user mode: set up pt_regs
>+	 * as if we faulted immediately after IRET.
>+	 */
> 	mov %rsp,%rdi
> 	call fixup_bad_iret
> 	mov %rax,%rsp
>-	jmp error_sti
>+	jmp	.Lerror_entry_from_usermode_after_swapgs
> 	CFI_ENDPROC
> END(error_entry)
> 
>@@ -1579,6 +1626,7 @@ ENTRY(nmi)
> 	 * to switch CR3 here.
> 	 */
> 	cld
>+	FENCE_SWAPGS_USER_ENTRY
> 	movq	%rsp, %rdx
> 	movq	PER_CPU_VAR(kernel_stack), %rsp
> 	addq	$KERNEL_STACK_OFFSET, %rsp
>@@ -1624,6 +1672,7 @@ ENTRY(nmi)
> 	movq	%rax, %cr3
> 2:
> #endif
>+	FENCE_SWAPGS_KERNEL_ENTRY
> 	call	do_nmi
> 
> #ifdef CONFIG_PAGE_TABLE_ISOLATION
>diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
>index 608f18c62412..cb6657f35f41 100644
>--- a/arch/x86/kernel/kprobes/core.c
>+++ b/arch/x86/kernel/kprobes/core.c
>@@ -494,6 +494,7 @@ void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs)
> 	unsigned long *sara = stack_addr(regs);
> 
> 	ri->ret_addr = (kprobe_opcode_t *) *sara;
>+	ri->fp = sara;
> 
> 	/* Replace the return addr with trampoline addr */
> 	*sara = (unsigned long) &kretprobe_trampoline;
>@@ -685,26 +686,48 @@ static void __used kretprobe_trampoline_holder(void)
> NOKPROBE_SYMBOL(kretprobe_trampoline_holder);
> NOKPROBE_SYMBOL(kretprobe_trampoline);
> 
>+static struct kprobe kretprobe_kprobe = {
>+	.addr = (void *)kretprobe_trampoline,
>+};
>+
> /*
>  * Called from kretprobe_trampoline
>  */
> __visible __used void *trampoline_handler(struct pt_regs *regs)
> {
>+	struct kprobe_ctlblk *kcb;
> 	struct kretprobe_instance *ri = NULL;
> 	struct hlist_head *head, empty_rp;
> 	struct hlist_node *tmp;
> 	unsigned long flags, orig_ret_address = 0;
> 	unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
> 	kprobe_opcode_t *correct_ret_addr = NULL;
>+	void *frame_pointer;
>+	bool skipped = false;
>+
>+	preempt_disable();
>+
>+	/*
>+	 * Set a dummy kprobe for avoiding kretprobe recursion.
>+	 * Since kretprobe never run in kprobe handler, kprobe must not
>+	 * be running at this point.
>+	 */
>+	kcb = get_kprobe_ctlblk();
>+	__this_cpu_write(current_kprobe, &kretprobe_kprobe);
>+	kcb->kprobe_status = KPROBE_HIT_ACTIVE;
> 
> 	INIT_HLIST_HEAD(&empty_rp);
> 	kretprobe_hash_lock(current, &head, &flags);
> 	/* fixup registers */
> #ifdef CONFIG_X86_64
> 	regs->cs = __KERNEL_CS;
>+	/* On x86-64, we use pt_regs->sp for return address holder. */
>+	frame_pointer = &regs->sp;
> #else
> 	regs->cs = __KERNEL_CS | get_kernel_rpl();
> 	regs->gs = 0;
>+	/* On x86-32, we use pt_regs->flags for return address holder. */
>+	frame_pointer = &regs->flags;
> #endif
> 	regs->ip = trampoline_address;
> 	regs->orig_ax = ~0UL;
>@@ -726,8 +749,25 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
> 		if (ri->task != current)
> 			/* another task is sharing our hash bucket */
> 			continue;
>+		/*
>+		 * Return probes must be pushed on this hash list correct
>+		 * order (same as return order) so that it can be poped
>+		 * correctly. However, if we find it is pushed it incorrect
>+		 * order, this means we find a function which should not be
>+		 * probed, because the wrong order entry is pushed on the
>+		 * path of processing other kretprobe itself.
>+		 */
>+		if (ri->fp != frame_pointer) {
>+			if (!skipped)
>+				pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n");
>+			skipped = true;
>+			continue;
>+		}
> 
> 		orig_ret_address = (unsigned long)ri->ret_addr;
>+		if (skipped)
>+			pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n",
>+				ri->rp->kp.addr);
> 
> 		if (orig_ret_address != trampoline_address)
> 			/*
>@@ -745,14 +785,15 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
> 		if (ri->task != current)
> 			/* another task is sharing our hash bucket */
> 			continue;
>+		if (ri->fp != frame_pointer)
>+			continue;
> 
> 		orig_ret_address = (unsigned long)ri->ret_addr;
> 		if (ri->rp && ri->rp->handler) {
> 			__this_cpu_write(current_kprobe, &ri->rp->kp);
>-			get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
> 			ri->ret_addr = correct_ret_addr;
> 			ri->rp->handler(ri, regs);
>-			__this_cpu_write(current_kprobe, NULL);
>+			__this_cpu_write(current_kprobe, &kretprobe_kprobe);
> 		}
> 
> 		recycle_rp_inst(ri, &empty_rp);
>@@ -768,6 +809,9 @@ __visible __used void *trampoline_handler(struct pt_regs *regs)
> 
> 	kretprobe_hash_unlock(current, &flags);
> 
>+	__this_cpu_write(current_kprobe, NULL);
>+	preempt_enable();
>+
> 	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
> 		hlist_del(&ri->hlist);
> 		kfree(ri);
>diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
>index 074510b5ea77..feca78bf2a6b 100644
>--- a/arch/x86/kernel/process.c
>+++ b/arch/x86/kernel/process.c
>@@ -351,6 +351,8 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp,
> 	u64 msr = x86_spec_ctrl_base;
> 	bool updmsr = false;
> 
>+	lockdep_assert_irqs_disabled();
>+
> 	/*
> 	 * If TIF_SSBD is different, select the proper mitigation
> 	 * method. Note that if SSBD mitigation is disabled or permanentely
>@@ -402,10 +404,12 @@ static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk)
> 
> void speculation_ctrl_update(unsigned long tif)
> {
>+	unsigned long flags;
>+
> 	/* Forced update. Make sure all relevant TIF flags are different */
>-	preempt_disable();
>+	local_irq_save(flags);
> 	__speculation_ctrl_update(~tif, tif);
>-	preempt_enable();
>+	local_irq_restore(flags);
> }
> 
> /* Called from seccomp/prctl update */
>diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
>index 95cd58cdee99..6531ffcb174b 100644
>--- a/arch/x86/kvm/cpuid.c
>+++ b/arch/x86/kvm/cpuid.c
>@@ -395,6 +395,11 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
> 			entry->ebx |= F(TSC_ADJUST);
> 			entry->edx &= kvm_cpuid_7_0_edx_x86_features;
> 			cpuid_mask(&entry->edx, 10);
>+			/*
>+			 * We emulate ARCH_CAPABILITIES in software even
>+			 * if the host doesn't support it.
>+			 */
>+			entry->edx |= F(ARCH_CAPABILITIES);
> 		} else {
> 			entry->ebx = 0;
> 			entry->edx = 0;
>diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
>index c81ccc0d8da0..886fb53b4604 100644
>--- a/arch/x86/kvm/mmu.c
>+++ b/arch/x86/kvm/mmu.c
>@@ -1492,7 +1492,7 @@ static int is_empty_shadow_page(u64 *spt)
>  * aggregate version in order to make the slab shrinker
>  * faster
>  */
>-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, int nr)
>+static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
> {
> 	kvm->arch.n_used_mmu_pages += nr;
> 	percpu_counter_add(&kvm_total_used_mmu_pages, nr);
>@@ -2207,7 +2207,7 @@ static bool prepare_zap_oldest_mmu_page(struct kvm *kvm,
>  * Changing the number of mmu pages allocated to the vm
>  * Note: if goal_nr_mmu_pages is too small, you will get dead lock
>  */
>-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int goal_nr_mmu_pages)
>+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages)
> {
> 	LIST_HEAD(invalid_list);
> 
>@@ -4505,10 +4505,10 @@ int kvm_mmu_module_init(void)
> /*
>  * Caculate mmu pages needed for kvm.
>  */
>-unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
>+unsigned long kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
> {
>-	unsigned int nr_mmu_pages;
>-	unsigned int  nr_pages = 0;
>+	unsigned long nr_mmu_pages;
>+	unsigned long nr_pages = 0;
> 	struct kvm_memslots *slots;
> 	struct kvm_memory_slot *memslot;
> 
>@@ -4518,8 +4518,7 @@ unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
> 		nr_pages += memslot->npages;
> 
> 	nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000;
>-	nr_mmu_pages = max(nr_mmu_pages,
>-			(unsigned int) KVM_MIN_ALLOC_MMU_PAGES);
>+	nr_mmu_pages = max(nr_mmu_pages, KVM_MIN_ALLOC_MMU_PAGES);
> 
> 	return nr_mmu_pages;
> }
>diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
>index 58b2f51fdfdc..f3dc8f614512 100644
>--- a/arch/x86/kvm/mmu.h
>+++ b/arch/x86/kvm/mmu.h
>@@ -81,7 +81,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
> 		bool execonly);
> bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu);
> 
>-static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
>+static inline unsigned long kvm_mmu_available_pages(struct kvm *kvm)
> {
> 	if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
> 		return kvm->arch.n_max_mmu_pages -
>diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>index bd6b883f3075..00dd9ea13c22 100644
>--- a/arch/x86/kvm/vmx.c
>+++ b/arch/x86/kvm/vmx.c
>@@ -433,7 +433,6 @@ struct vcpu_vmx {
> 	u64 		      msr_guest_kernel_gs_base;
> #endif
> 
>-	u64 		      arch_capabilities;
> 	u64 		      spec_ctrl;
> 
> 	u32 vm_entry_controls_shadow;
>@@ -2481,12 +2480,6 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> 
> 		msr_info->data = to_vmx(vcpu)->spec_ctrl;
> 		break;
>-	case MSR_IA32_ARCH_CAPABILITIES:
>-		if (!msr_info->host_initiated &&
>-		    !guest_cpuid_has_arch_capabilities(vcpu))
>-			return 1;
>-		msr_info->data = to_vmx(vcpu)->arch_capabilities;
>-		break;
> 	case MSR_IA32_SYSENTER_CS:
> 		msr_info->data = vmcs_read32(GUEST_SYSENTER_CS);
> 		break;
>@@ -2636,11 +2629,6 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> 		vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD,
> 					      MSR_TYPE_W);
> 		break;
>-	case MSR_IA32_ARCH_CAPABILITIES:
>-		if (!msr_info->host_initiated)
>-			return 1;
>-		vmx->arch_capabilities = data;
>-		break;
> 	case MSR_IA32_CR_PAT:
> 		if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
> 			if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
>@@ -4583,9 +4571,6 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
> 		++vmx->nmsrs;
> 	}
> 
>-	if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
>-		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, vmx->arch_capabilities);
>-
> 	vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl);
> 
> 	/* 22.2.1, 20.8.1 */
>diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>index cab3ca9d3f03..2c0f1ea119d6 100644
>--- a/arch/x86/kvm/x86.c
>+++ b/arch/x86/kvm/x86.c
>@@ -2089,6 +2089,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> 	case MSR_F15H_EX_CFG:
> 		break;
> 
>+	case MSR_IA32_ARCH_CAPABILITIES:
>+		if (!msr_info->host_initiated)
>+			return 1;
>+		vcpu->arch.arch_capabilities = data;
>+		break;
> 	case MSR_EFER:
> 		return set_efer(vcpu, data);
> 	case MSR_K7_HWCR:
>@@ -2479,6 +2484,12 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> 	case MSR_IA32_UCODE_REV:
> 		msr_info->data = 0x100000000ULL;
> 		break;
>+	case MSR_IA32_ARCH_CAPABILITIES:
>+		if (!msr_info->host_initiated &&
>+		    !guest_cpuid_has_arch_capabilities(vcpu))
>+			return 1;
>+		msr_info->data = vcpu->arch.arch_capabilities;
>+		break;
> 	case MSR_MTRRcap:
> 		msr_info->data = 0x500 | KVM_NR_VAR_MTRR;
> 		break;
>@@ -3518,7 +3529,7 @@ static int kvm_vm_ioctl_set_identity_map_addr(struct kvm *kvm,
> }
> 
> static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm,
>-					  u32 kvm_nr_mmu_pages)
>+					 unsigned long kvm_nr_mmu_pages)
> {
> 	if (kvm_nr_mmu_pages < KVM_MIN_ALLOC_MMU_PAGES)
> 		return -EINVAL;
>@@ -3532,7 +3543,7 @@ static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm,
> 	return 0;
> }
> 
>-static int kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm)
>+static unsigned long kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm)
> {
> 	return kvm->arch.n_max_mmu_pages;
> }
>@@ -6957,6 +6968,9 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
> {
> 	int r;
> 
>+	if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
>+		rdmsrl(MSR_IA32_ARCH_CAPABILITIES,
>+		       vcpu->arch.arch_capabilities);
> 	vcpu->arch.mtrr_state.have_fixed = 1;
> 	r = vcpu_load(vcpu);
> 	if (r)
>diff --git a/arch/xtensa/kernel/stacktrace.c b/arch/xtensa/kernel/stacktrace.c
>index 7d2c317bd98b..922525c0d25c 100644
>--- a/arch/xtensa/kernel/stacktrace.c
>+++ b/arch/xtensa/kernel/stacktrace.c
>@@ -107,10 +107,14 @@ static int return_address_cb(struct stackframe *frame, void *data)
> 	return 1;
> }
> 
>+/*
>+ * level == 0 is for the return address from the caller of this function,
>+ * not from this function itself.
>+ */
> unsigned long return_address(unsigned level)
> {
> 	struct return_addr_data r = {
>-		.skip = level + 1,
>+		.skip = level,
> 	};
> 	walk_stackframe(stack_pointer(NULL), return_address_cb, &r);
> 	return r.addr;
>diff --git a/block/bio.c b/block/bio.c
>index 4218dab2bb47..3163dac6735d 100644
>--- a/block/bio.c
>+++ b/block/bio.c
>@@ -1216,8 +1216,11 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
> 			}
> 		}
> 
>-		if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes)
>+		if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) {
>+			if (!map_data)
>+				__free_page(page);
> 			break;
>+		}
> 
> 		len -= bytes;
> 		offset = 0;
>diff --git a/drivers/acpi/acpica/nsobject.c b/drivers/acpi/acpica/nsobject.c
>index f1ea8e56cd87..7abcfa6b055c 100644
>--- a/drivers/acpi/acpica/nsobject.c
>+++ b/drivers/acpi/acpica/nsobject.c
>@@ -222,6 +222,10 @@ void acpi_ns_detach_object(struct acpi_namespace_node *node)
> 		}
> 	}
> 
>+	if (obj_desc->common.type == ACPI_TYPE_REGION) {
>+		acpi_ut_remove_address_range(obj_desc->region.space_id, node);
>+	}
>+
> 	/* Clear the Node entry in all cases */
> 
> 	node->object = NULL;
>diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
>index df51673d6591..3999b8c6a09d 100644
>--- a/drivers/block/floppy.c
>+++ b/drivers/block/floppy.c
>@@ -2113,6 +2113,9 @@ static void setup_format_params(int track)
> 	raw_cmd->kernel_data = floppy_track_buffer;
> 	raw_cmd->length = 4 * F_SECT_PER_TRACK;
> 
>+	if (!F_SECT_PER_TRACK)
>+		return;
>+
> 	/* allow for about 30ms for data transport per track */
> 	head_shift = (F_SECT_PER_TRACK + 5) / 6;
> 
>@@ -3233,8 +3236,12 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g,
> 	int cnt;
> 
> 	/* sanity checking for parameters. */
>-	if (g->sect <= 0 ||
>-	    g->head <= 0 ||
>+	if ((int)g->sect <= 0 ||
>+	    (int)g->head <= 0 ||
>+	    /* check for overflow in max_sector */
>+	    (int)(g->sect * g->head) <= 0 ||
>+	    /* check for zero in F_SECT_PER_TRACK */
>+	    (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 ||
> 	    g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) ||
> 	    /* check if reserved bits are set */
> 	    (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0)
>@@ -3378,6 +3385,24 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
> 	return 0;
> }
> 
>+static bool valid_floppy_drive_params(const short autodetect[8],
>+		int native_format)
>+{
>+	size_t floppy_type_size = ARRAY_SIZE(floppy_type);
>+	size_t i = 0;
>+
>+	for (i = 0; i < 8; ++i) {
>+		if (autodetect[i] < 0 ||
>+		    autodetect[i] >= floppy_type_size)
>+			return false;
>+	}
>+
>+	if (native_format < 0 || native_format >= floppy_type_size)
>+		return false;
>+
>+	return true;
>+}
>+
> static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd,
> 		    unsigned long param)
> {
>@@ -3504,6 +3529,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
> 		SUPBOUND(size, strlen((const char *)outparam) + 1);
> 		break;
> 	case FDSETDRVPRM:
>+		if (!valid_floppy_drive_params(inparam.dp.autodetect,
>+				inparam.dp.native_format))
>+			return -EINVAL;
> 		*UDP = inparam.dp;
> 		break;
> 	case FDGETDRVPRM:
>diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c
>index ab3ea62e5dfc..f98a9207ec7e 100644
>--- a/drivers/block/xsysace.c
>+++ b/drivers/block/xsysace.c
>@@ -1062,6 +1062,8 @@ static int ace_setup(struct ace_device *ace)
> 	return 0;
> 
> err_read:
>+	/* prevent double queue cleanup */
>+	ace->gd->queue = NULL;
> 	put_disk(ace->gd);
> err_alloc_disk:
> 	blk_cleanup_queue(ace->queue);
>diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c
>index 0bc8a6a6a148..353ed68db711 100644
>--- a/drivers/bluetooth/hci_ath.c
>+++ b/drivers/bluetooth/hci_ath.c
>@@ -112,6 +112,9 @@ static int ath_open(struct hci_uart *hu)
> 
> 	BT_DBG("hu %p", hu);
> 
>+	if (!hci_uart_has_flow_control(hu))
>+		return -EOPNOTSUPP;
>+
> 	ath = kzalloc(sizeof(*ath), GFP_KERNEL);
> 	if (!ath)
> 		return -ENOMEM;
>diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
>index e00f8f5b5c8e..9ad437053e22 100644
>--- a/drivers/bluetooth/hci_ldisc.c
>+++ b/drivers/bluetooth/hci_ldisc.c
>@@ -261,6 +261,15 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
> 	return 0;
> }
> 
>+/* Check the underlying device or tty has flow control support */
>+bool hci_uart_has_flow_control(struct hci_uart *hu)
>+{
>+	if (hu->tty->driver->ops->tiocmget && hu->tty->driver->ops->tiocmset)
>+		return true;
>+
>+	return false;
>+}
>+
> /* ------ LDISC part ------ */
> /* hci_uart_tty_open
>  *
>diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h
>index 12df101ca942..58e0bb8c041b 100644
>--- a/drivers/bluetooth/hci_uart.h
>+++ b/drivers/bluetooth/hci_uart.h
>@@ -90,6 +90,7 @@ int hci_uart_register_proto(struct hci_uart_proto *p);
> int hci_uart_unregister_proto(struct hci_uart_proto *p);
> int hci_uart_tx_wakeup(struct hci_uart *hu);
> int hci_uart_init_ready(struct hci_uart *hu);
>+bool hci_uart_has_flow_control(struct hci_uart *hu);
> 
> #ifdef CONFIG_BT_HCIUART_H4
> int h4_init(void);
>diff --git a/drivers/gpio/gpio-adnp.c b/drivers/gpio/gpio-adnp.c
>index b2239d678d01..f2c092676e01 100644
>--- a/drivers/gpio/gpio-adnp.c
>+++ b/drivers/gpio/gpio-adnp.c
>@@ -140,8 +140,10 @@ static int adnp_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
> 	if (err < 0)
> 		goto out;
> 
>-	if (err & BIT(pos))
>-		err = -EACCES;
>+	if (value & BIT(pos)) {
>+		err = -EPERM;
>+		goto out;
>+	}
> 
> 	err = 0;
> 
>diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
>index dbcea7941059..3837cbdaf100 100644
>--- a/drivers/iio/adc/ad_sigma_delta.c
>+++ b/drivers/iio/adc/ad_sigma_delta.c
>@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta,
> 	if (sigma_delta->info->has_registers) {
> 		data[0] = reg << sigma_delta->info->addr_shift;
> 		data[0] |= sigma_delta->info->read_mask;
>+		data[0] |= sigma_delta->comm;
> 		spi_message_add_tail(&t[0], &m);
> 	}
> 	spi_message_add_tail(&t[1], &m);
>diff --git a/drivers/iio/adc/at91_adc.c b/drivers/iio/adc/at91_adc.c
>index 10d5ec213091..2f7ad2538cec 100644
>--- a/drivers/iio/adc/at91_adc.c
>+++ b/drivers/iio/adc/at91_adc.c
>@@ -702,23 +702,29 @@ static int at91_adc_read_raw(struct iio_dev *idev,
> 		ret = wait_event_interruptible_timeout(st->wq_data_avail,
> 						       st->done,
> 						       msecs_to_jiffies(1000));
>-		if (ret == 0)
>-			ret = -ETIMEDOUT;
>-		if (ret < 0) {
>-			mutex_unlock(&st->lock);
>-			return ret;
>-		}
>-
>-		*val = st->last_value;
> 
>+		/* Disable interrupts, regardless if adc conversion was
>+		 * successful or not
>+		 */
> 		at91_adc_writel(st, AT91_ADC_CHDR,
> 				AT91_ADC_CH(chan->channel));
> 		at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel));
> 
>-		st->last_value = 0;
>-		st->done = false;
>+		if (ret > 0) {
>+			/* a valid conversion took place */
>+			*val = st->last_value;
>+			st->last_value = 0;
>+			st->done = false;
>+			ret = IIO_VAL_INT;
>+		} else if (ret == 0) {
>+			/* conversion timeout */
>+			dev_err(&idev->dev, "ADC Channel %d timeout.\n",
>+				chan->channel);
>+			ret = -ETIMEDOUT;
>+		}
>+
> 		mutex_unlock(&st->lock);
>-		return IIO_VAL_INT;
>+		return ret;
> 
> 	case IIO_CHAN_INFO_SCALE:
> 		*val = st->vref_mv;
>diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c
>index b4dde8315210..89f695a958e9 100644
>--- a/drivers/iio/dac/mcp4725.c
>+++ b/drivers/iio/dac/mcp4725.c
>@@ -86,6 +86,7 @@ static ssize_t mcp4725_store_eeprom(struct device *dev,
> 		return 0;
> 
> 	inoutbuf[0] = 0x60; /* write EEPROM */
>+	inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0;
> 	inoutbuf[1] = data->dac_value >> 4;
> 	inoutbuf[2] = (data->dac_value & 0xf) << 4;
> 
>diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
>index 7562531ebf0e..77b19ca8b763 100644
>--- a/drivers/iio/industrialio-buffer.c
>+++ b/drivers/iio/industrialio-buffer.c
>@@ -836,10 +836,8 @@ int iio_scan_mask_set(struct iio_dev *indio_dev,
> 	const unsigned long *mask;
> 	unsigned long *trialmask;
> 
>-	trialmask = kmalloc(sizeof(*trialmask)*
>-			    BITS_TO_LONGS(indio_dev->masklength),
>-			    GFP_KERNEL);
>-
>+	trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength),
>+			    sizeof(*trialmask), GFP_KERNEL);
> 	if (trialmask == NULL)
> 		return -ENOMEM;
> 	if (!indio_dev->masklength) {
>diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
>index 4d1b400ed260..5ea56edcdf42 100644
>--- a/drivers/iio/industrialio-core.c
>+++ b/drivers/iio/industrialio-core.c
>@@ -1195,12 +1195,12 @@ EXPORT_SYMBOL(iio_device_register);
>  **/
> void iio_device_unregister(struct iio_dev *indio_dev)
> {
>-	mutex_lock(&indio_dev->info_exist_lock);
>-
> 	device_del(&indio_dev->dev);
> 
> 	if (indio_dev->chrdev.dev)
> 		cdev_del(&indio_dev->chrdev);
>+
>+	mutex_lock(&indio_dev->info_exist_lock);
> 	iio_device_unregister_debugfs(indio_dev);
> 
> 	iio_disable_all_buffers(indio_dev);
>diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c
>index 0eb141c41416..fb60229bf191 100644
>--- a/drivers/infiniband/hw/mlx4/alias_GUID.c
>+++ b/drivers/infiniband/hw/mlx4/alias_GUID.c
>@@ -579,8 +579,8 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev)
> 	unsigned long flags;
> 
> 	for (i = 0 ; i < dev->num_ports; i++) {
>-		cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work);
> 		det = &sriov->alias_guid.ports_guid[i];
>+		cancel_delayed_work_sync(&det->alias_guid_work);
> 		spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags);
> 		while (!list_empty(&det->cb_list)) {
> 			cb_ctx = list_entry(det->cb_list.next,
>diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
>index fe1ab5067b5d..cf3af3a3297a 100644
>--- a/drivers/input/tablet/gtco.c
>+++ b/drivers/input/tablet/gtco.c
>@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
> 
> /* Max size of a single report */
> #define REPORT_MAX_SIZE       10
>+#define MAX_COLLECTION_LEVELS  10
> 
> 
> /* Bitmask whether pen is in range */
>@@ -224,8 +225,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
> 	char  maintype = 'x';
> 	char  globtype[12];
> 	int   indent = 0;
>-	char  indentstr[10] = "";
>-
>+	char  indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };
> 
> 	dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
> 
>@@ -351,6 +351,13 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
> 			case TAG_MAIN_COL_START:
> 				maintype = 'S';
> 
>+				if (indent == MAX_COLLECTION_LEVELS) {
>+					dev_err(ddev, "Collection level %d would exceed limit of %d\n",
>+						indent + 1,
>+						MAX_COLLECTION_LEVELS);
>+					break;
>+				}
>+
> 				if (data == 0) {
> 					dev_dbg(ddev, "======>>>>>> Physical\n");
> 					strcpy(globtype, "Physical");
>@@ -370,8 +377,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
> 				break;
> 
> 			case TAG_MAIN_COL_END:
>-				dev_dbg(ddev, "<<<<<<======\n");
> 				maintype = 'E';
>+
>+				if (indent == 0) {
>+					dev_err(ddev, "Collection level already at zero\n");
>+					break;
>+				}
>+
>+				dev_dbg(ddev, "<<<<<<======\n");
>+
> 				indent--;
> 				for (x = 0; x < indent; x++)
> 					indentstr[x] = '-';
>diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
>index 48b726f4ad48..006f4f9a3170 100644
>--- a/drivers/iommu/amd_iommu_init.c
>+++ b/drivers/iommu/amd_iommu_init.c
>@@ -293,7 +293,7 @@ static void iommu_write_l2(struct amd_iommu *iommu, u8 address, u32 val)
> static void iommu_set_exclusion_range(struct amd_iommu *iommu)
> {
> 	u64 start = iommu->exclusion_start & PAGE_MASK;
>-	u64 limit = (start + iommu->exclusion_length) & PAGE_MASK;
>+	u64 limit = (start + iommu->exclusion_length - 1) & PAGE_MASK;
> 	u64 entry;
> 
> 	if (!iommu->exclusion_start)
>diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
>index b60eb1cca150..c2a44d2ca5b6 100644
>--- a/drivers/iommu/intel-iommu.c
>+++ b/drivers/iommu/intel-iommu.c
>@@ -1394,6 +1394,9 @@ static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu)
> 	u32 pmen;
> 	unsigned long flags;
> 
>+	if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap))
>+		return;
>+
> 	raw_spin_lock_irqsave(&iommu->register_lock, flags);
> 	pmen = readl(iommu->reg + DMAR_PMEN_REG);
> 	pmen &= ~DMA_PMEN_EPM;
>diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
>index f5f1837dfa5b..b010f9600d87 100644
>--- a/drivers/md/dm-table.c
>+++ b/drivers/md/dm-table.c
>@@ -1432,6 +1432,36 @@ static bool dm_table_supports_write_same(struct dm_table *t)
> 	return true;
> }
> 
>+static int device_requires_stable_pages(struct dm_target *ti,
>+					struct dm_dev *dev, sector_t start,
>+					sector_t len, void *data)
>+{
>+	struct request_queue *q = bdev_get_queue(dev->bdev);
>+
>+	return q && bdi_cap_stable_pages_required(&q->backing_dev_info);
>+}
>+
>+/*
>+ * If any underlying device requires stable pages, a table must require
>+ * them as well.  Only targets that support iterate_devices are considered:
>+ * don't want error, zero, etc to require stable pages.
>+ */
>+static bool dm_table_requires_stable_pages(struct dm_table *t)
>+{
>+	struct dm_target *ti;
>+	unsigned i;
>+
>+	for (i = 0; i < dm_table_get_num_targets(t); i++) {
>+		ti = dm_table_get_target(t, i);
>+
>+		if (ti->type->iterate_devices &&
>+		    ti->type->iterate_devices(ti, device_requires_stable_pages, NULL))
>+			return true;
>+	}
>+
>+	return false;
>+}
>+
> void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q,
> 			       struct queue_limits *limits)
> {
>@@ -1473,6 +1503,15 @@ void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q,
> 
> 	dm_table_set_integrity(t);
> 
>+	/*
>+	 * Some devices don't use blk_integrity but still want stable pages
>+	 * because they do their own checksumming.
>+	 */
>+	if (dm_table_requires_stable_pages(t))
>+		q->backing_dev_info.capabilities |= BDI_CAP_STABLE_WRITES;
>+	else
>+		q->backing_dev_info.capabilities &= ~BDI_CAP_STABLE_WRITES;
>+
> 	/*
> 	 * Determine whether or not this queue's I/O timings contribute
> 	 * to the entropy pool, Only request-based targets use this.
>diff --git a/drivers/md/dm.c b/drivers/md/dm.c
>index 043ad8d8d700..30ae713aecf8 100644
>--- a/drivers/md/dm.c
>+++ b/drivers/md/dm.c
>@@ -756,6 +756,15 @@ static void dec_pending(struct dm_io *io, int error)
> 	}
> }
> 
>+static void disable_discard(struct mapped_device *md)
>+{
>+	struct queue_limits *limits = dm_get_queue_limits(md);
>+
>+	/* device doesn't really support DISCARD, disable it */
>+	limits->max_discard_sectors = 0;
>+	queue_flag_clear(QUEUE_FLAG_DISCARD, md->queue);
>+}
>+
> static void disable_write_same(struct mapped_device *md)
> {
> 	struct queue_limits *limits = dm_get_queue_limits(md);
>@@ -792,9 +801,14 @@ static void clone_endio(struct bio *bio, int error)
> 		}
> 	}
> 
>-	if (unlikely(r == -EREMOTEIO && (bio->bi_rw & REQ_WRITE_SAME) &&
>-		     !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors))
>-		disable_write_same(md);
>+	if (unlikely(r == -EREMOTEIO)) {
>+		if (bio->bi_rw & REQ_DISCARD &&
>+		    !bdev_get_queue(bio->bi_bdev)->limits.max_discard_sectors)
>+			disable_discard(md);
>+		else if (bio->bi_rw & REQ_WRITE_SAME &&
>+			 !bdev_get_queue(bio->bi_bdev)->limits.max_write_same_sectors)
>+ 			disable_write_same(md);
>+	}
> 
> 	free_tio(md, tio);
> 	dec_pending(io, error);
>@@ -996,9 +1010,14 @@ static void dm_done(struct request *clone, int error, bool mapped)
> 			r = rq_end_io(tio->ti, clone, error, &tio->info);
> 	}
> 
>-	if (unlikely(r == -EREMOTEIO && (clone->cmd_flags & REQ_WRITE_SAME) &&
>-		     !clone->q->limits.max_write_same_sectors))
>-		disable_write_same(tio->md);
>+	if (unlikely(r == -EREMOTEIO)) {
>+		if (clone->cmd_flags & REQ_DISCARD &&
>+		    !clone->q->limits.max_discard_sectors)
>+			disable_discard(tio->md);
>+		else if (clone->cmd_flags & REQ_WRITE_SAME &&
>+			 !clone->q->limits.max_write_same_sectors)
>+			disable_write_same(tio->md);
>+	}
> 
> 	if (r <= 0)
> 		/* The target wants to complete the I/O */
>diff --git a/drivers/media/usb/tlg2300/pd-common.h b/drivers/media/usb/tlg2300/pd-common.h
>index 9e23ad32d2fe..562a58886ca2 100644
>--- a/drivers/media/usb/tlg2300/pd-common.h
>+++ b/drivers/media/usb/tlg2300/pd-common.h
>@@ -257,7 +257,7 @@ void set_debug_mode(struct video_device *vfd, int debug_mode);
> #else
> #define in_hibernation(pd) (0)
> #endif
>-#define get_pm_count(p) (atomic_read(&(p)->interface->pm_usage_cnt))
>+#define get_pm_count(p) (atomic_read(&(p)->interface->dev.power.usage_count))
> 
> #define log(a, ...) printk(KERN_DEBUG "\t[ %s : %.3d ] "a"\n", \
> 				__func__, __LINE__,  ## __VA_ARGS__)
>diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
>index 92303daf44dc..40047a2f4696 100644
>--- a/drivers/mtd/chips/cfi_cmdset_0002.c
>+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
>@@ -1538,7 +1538,11 @@ static int __xipram do_write_buffer(struct map_info *map, struct flchip *chip,
> 			continue;
> 		}
> 
>-		if (time_after(jiffies, timeo) && !chip_ready(map, adr))
>+		/*
>+		 * We check "time_after" and "!chip_good" before checking "chip_good" to avoid
>+		 * the failure due to scheduling.
>+		 */
>+		if (time_after(jiffies, timeo) && !chip_good(map, adr, datum))
> 			break;
> 
> 		if (chip_good(map, adr, datum)) {
>diff --git a/drivers/net/ethernet/3com/3c515.c b/drivers/net/ethernet/3com/3c515.c
>index 94c656f5a05d..d4552e2c7189 100644
>--- a/drivers/net/ethernet/3com/3c515.c
>+++ b/drivers/net/ethernet/3com/3c515.c
>@@ -1524,7 +1524,7 @@ static void update_stats(int ioaddr, struct net_device *dev)
> static void set_rx_mode(struct net_device *dev)
> {
> 	int ioaddr = dev->base_addr;
>-	short new_mode;
>+	unsigned short new_mode;
> 
> 	if (dev->flags & IFF_PROMISC) {
> 		if (corkscrew_debug > 3)
>diff --git a/drivers/net/ethernet/8390/mac8390.c b/drivers/net/ethernet/8390/mac8390.c
>index 90e825e8abfe..02beb18942d2 100644
>--- a/drivers/net/ethernet/8390/mac8390.c
>+++ b/drivers/net/ethernet/8390/mac8390.c
>@@ -153,11 +153,6 @@ static void dayna_block_input(struct net_device *dev, int count,
> static void dayna_block_output(struct net_device *dev, int count,
> 			       const unsigned char *buf, int start_page);
> 
>-#define memcpy_fromio(a, b, c)	memcpy((a), (void *)(b), (c))
>-#define memcpy_toio(a, b, c)	memcpy((void *)(a), (b), (c))
>-
>-#define memcmp_withio(a, b, c)	memcmp((a), (void *)(b), (c))
>-
> /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */
> static void slow_sane_get_8390_hdr(struct net_device *dev,
> 				   struct e8390_pkt_hdr *hdr, int ring_page);
>@@ -244,19 +239,26 @@ static enum mac8390_type __init mac8390_ident(struct nubus_dev *dev)
> 
> static enum mac8390_access __init mac8390_testio(volatile unsigned long membase)
> {
>-	unsigned long outdata = 0xA5A0B5B0;
>-	unsigned long indata =  0x00000000;
>+	u32 outdata = 0xA5A0B5B0;
>+	u32 indata = 0;
>+
> 	/* Try writing 32 bits */
>-	memcpy_toio(membase, &outdata, 4);
>-	/* Now compare them */
>-	if (memcmp_withio(&outdata, membase, 4) == 0)
>+	nubus_writel(outdata, membase);
>+	/* Now read it back */
>+	indata = nubus_readl(membase);
>+	if (outdata == indata)
> 		return ACCESS_32;
>+
>+	outdata = 0xC5C0D5D0;
>+	indata = 0;
>+
> 	/* Write 16 bit output */
> 	word_memcpy_tocard(membase, &outdata, 4);
> 	/* Now read it back */
> 	word_memcpy_fromcard(&indata, membase, 4);
> 	if (outdata == indata)
> 		return ACCESS_16;
>+
> 	return ACCESS_UNKNOWN;
> }
> 
>@@ -742,7 +744,7 @@ static void sane_get_8390_hdr(struct net_device *dev,
> 			      struct e8390_pkt_hdr *hdr, int ring_page)
> {
> 	unsigned long hdr_start = (ring_page - WD_START_PG)<<8;
>-	memcpy_fromio(hdr, dev->mem_start + hdr_start, 4);
>+	memcpy_fromio(hdr, (void __iomem *)dev->mem_start + hdr_start, 4);
> 	/* Fix endianness */
> 	hdr->count = swab16(hdr->count);
> }
>@@ -756,13 +758,16 @@ static void sane_block_input(struct net_device *dev, int count,
> 	if (xfer_start + count > ei_status.rmem_end) {
> 		/* We must wrap the input move. */
> 		int semi_count = ei_status.rmem_end - xfer_start;
>-		memcpy_fromio(skb->data, dev->mem_start + xfer_base,
>+		memcpy_fromio(skb->data,
>+			      (void __iomem *)dev->mem_start + xfer_base,
> 			      semi_count);
> 		count -= semi_count;
>-		memcpy_fromio(skb->data + semi_count, ei_status.rmem_start,
>-			      count);
>+		memcpy_fromio(skb->data + semi_count,
>+			      (void __iomem *)ei_status.rmem_start, count);
> 	} else {
>-		memcpy_fromio(skb->data, dev->mem_start + xfer_base, count);
>+		memcpy_fromio(skb->data,
>+			      (void __iomem *)dev->mem_start + xfer_base,
>+			      count);
> 	}
> }
> 
>@@ -771,7 +776,7 @@ static void sane_block_output(struct net_device *dev, int count,
> {
> 	long shmem = (start_page - WD_START_PG)<<8;
> 
>-	memcpy_toio(dev->mem_start + shmem, buf, count);
>+	memcpy_toio((void __iomem *)dev->mem_start + shmem, buf, count);
> }
> 
> /* dayna block input/output */
>diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
>index 4332ebbd7162..39f4b38fd068 100644
>--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
>+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
>@@ -2381,6 +2381,7 @@ static void *__vxge_hw_blockpool_malloc(struct __vxge_hw_device *devh, u32 size,
> 			vxge_os_dma_free(devh->pdev, memblock,
> 				&dma_object->acc_handle);
> 			status = VXGE_HW_ERR_OUT_OF_MEMORY;
>+			memblock = NULL;
> 			goto exit;
> 		}
> 
>diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
>index 47eba38ae526..75cc676a3239 100644
>--- a/drivers/net/macvtap.c
>+++ b/drivers/net/macvtap.c
>@@ -16,7 +16,6 @@
> #include <linux/idr.h>
> #include <linux/fs.h>
> 
>-#include <net/ipv6.h>
> #include <net/net_namespace.h>
> #include <net/rtnetlink.h>
> #include <net/sock.h>
>@@ -571,8 +570,6 @@ static int macvtap_skb_from_vnet_hdr(struct sk_buff *skb,
> 			break;
> 		case VIRTIO_NET_HDR_GSO_UDP:
> 			gso_type = SKB_GSO_UDP;
>-			if (skb->protocol == htons(ETH_P_IPV6))
>-				ipv6_proxy_select_ident(skb);
> 			break;
> 		default:
> 			return -EINVAL;
>diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
>index 7a6d2f8c5201..77fcb1bd81bc 100644
>--- a/drivers/net/phy/phy_device.c
>+++ b/drivers/net/phy/phy_device.c
>@@ -1072,7 +1072,10 @@ int genphy_soft_reset(struct phy_device *phydev)
> {
> 	int ret;
> 
>-	ret = phy_write(phydev, MII_BMCR, BMCR_RESET);
>+	ret = phy_read(phydev, MII_BMCR);
>+	if (ret < 0)
>+		return ret;
>+	ret = phy_write(phydev, MII_BMCR, ret | BMCR_RESET);
> 	if (ret < 0)
> 		return ret;
> 
>diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
>index 5dd0fe1635b9..a97b20773508 100644
>--- a/drivers/net/ppp/pptp.c
>+++ b/drivers/net/ppp/pptp.c
>@@ -284,7 +284,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
> 	nf_reset(skb);
> 
> 	skb->ip_summed = CHECKSUM_NONE;
>-	ip_select_ident(skb, NULL);
>+	ip_select_ident(sock_net(sk), skb, NULL);
> 	ip_send_check(iph);
> 
> 	ip_local_out(skb);
>diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
>index b52eabc168a0..f8234b5439f5 100644
>--- a/drivers/net/slip/slhc.c
>+++ b/drivers/net/slip/slhc.c
>@@ -153,7 +153,7 @@ slhc_init(int rslots, int tslots)
> void
> slhc_free(struct slcompress *comp)
> {
>-	if ( comp == NULLSLCOMPR )
>+	if ( IS_ERR_OR_NULL(comp) )
> 		return;
> 
> 	if ( comp->tstate != NULLSLSTATE )
>diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
>index d6511041c766..8d408cd7c170 100644
>--- a/drivers/net/team/team.c
>+++ b/drivers/net/team/team.c
>@@ -1116,6 +1116,12 @@ static int team_port_add(struct team *team, struct net_device *port_dev)
> 		return -EINVAL;
> 	}
> 
>+	if (netdev_has_upper_dev(dev, port_dev)) {
>+		netdev_err(dev, "Device %s is already an upper device of the team interface\n",
>+			   portname);
>+		return -EBUSY;
>+	}
>+
> 	if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
> 	    vlan_uses_dev(dev)) {
> 		netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n",
>diff --git a/drivers/net/tun.c b/drivers/net/tun.c
>index 48ac45f26fa3..1bbcb278e6df 100644
>--- a/drivers/net/tun.c
>+++ b/drivers/net/tun.c
>@@ -65,7 +65,6 @@
> #include <linux/nsproxy.h>
> #include <linux/virtio_net.h>
> #include <linux/rcupdate.h>
>-#include <net/ipv6.h>
> #include <net/net_namespace.h>
> #include <net/netns/generic.h>
> #include <net/rtnetlink.h>
>@@ -1143,8 +1142,6 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
> 		break;
> 	}
> 
>-	skb_reset_network_header(skb);
>-
> 	if (gso.gso_type != VIRTIO_NET_HDR_GSO_NONE) {
> 		pr_debug("GSO!\n");
> 		switch (gso.gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
>@@ -1156,8 +1153,6 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
> 			break;
> 		case VIRTIO_NET_HDR_GSO_UDP:
> 			skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
>-			if (skb->protocol == htons(ETH_P_IPV6))
>-				ipv6_proxy_select_ident(skb);
> 			break;
> 		default:
> 			tun->dev->stats.rx_frame_errors++;
>@@ -1187,6 +1182,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
> 		skb_shinfo(skb)->tx_flags |= SKBTX_SHARED_FRAG;
> 	}
> 
>+	skb_reset_network_header(skb);
> 	skb_probe_transport_header(skb, 0);
> 
> 	rxhash = skb_get_hash(skb);
>diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
>index d13f25cd70d5..91aebb03841e 100644
>--- a/drivers/net/wireless/rt2x00/rt2x00.h
>+++ b/drivers/net/wireless/rt2x00/rt2x00.h
>@@ -666,7 +666,6 @@ enum rt2x00_state_flags {
> 	CONFIG_CHANNEL_HT40,
> 	CONFIG_POWERSAVING,
> 	CONFIG_HT_DISABLED,
>-	CONFIG_QOS_DISABLED,
> 
> 	/*
> 	 * Mark we currently are sequentially reading TX_STA_FIFO register
>diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
>index 004dff9b962d..e7c152dd0bef 100644
>--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
>+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
>@@ -682,18 +682,8 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
> 			rt2x00dev->intf_associated--;
> 
> 		rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated);
>-
>-		clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
> 	}
> 
>-	/*
>-	 * Check for access point which do not support 802.11e . We have to
>-	 * generate data frames sequence number in S/W for such AP, because
>-	 * of H/W bug.
>-	 */
>-	if (changes & BSS_CHANGED_QOS && !bss_conf->qos)
>-		set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
>-
> 	/*
> 	 * When the erp information has changed, we should perform
> 	 * additional configuration steps. For all other changes we are done.
>diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
>index 22d49d575d3f..8705092a052e 100644
>--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
>+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
>@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
> 	if (!test_bit(REQUIRE_SW_SEQNO, &rt2x00dev->cap_flags)) {
> 		/*
> 		 * rt2800 has a H/W (or F/W) bug, device incorrectly increase
>-		 * seqno on retransmited data (non-QOS) frames. To workaround
>-		 * the problem let's generate seqno in software if QOS is
>-		 * disabled.
>+		 * seqno on retransmitted data (non-QOS) and management frames.
>+		 * To workaround the problem let's generate seqno in software.
>+		 * Except for beacons which are transmitted periodically by H/W
>+		 * hence hardware has to assign seqno for them.
> 		 */
>-		if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags))
>-			__clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
>-		else
>+	    	if (ieee80211_is_beacon(hdr->frame_control)) {
>+			__set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
> 			/* H/W will generate sequence number */
> 			return;
>+		}
>+
>+		__clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
> 	}
> 
> 	/*
>diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
>index f5d1f51101cf..57cc4e7d2bbc 100644
>--- a/drivers/pci/quirks.c
>+++ b/drivers/pci/quirks.c
>@@ -3514,6 +3514,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123,
> /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
> DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130,
> 			 quirk_dma_func1_alias);
>+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9170,
>+			 quirk_dma_func1_alias);
> /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c47 + c57 */
> DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9172,
> 			 quirk_dma_func1_alias);
>diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
>index 21a6f6d76bbb..3a62c049696e 100644
>--- a/drivers/s390/scsi/zfcp_erp.c
>+++ b/drivers/s390/scsi/zfcp_erp.c
>@@ -652,6 +652,20 @@ static void zfcp_erp_strategy_memwait(struct zfcp_erp_action *erp_action)
> 	add_timer(&erp_action->timer);
> }
> 
>+void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
>+				     int clear, char *dbftag)
>+{
>+	unsigned long flags;
>+	struct zfcp_port *port;
>+
>+	write_lock_irqsave(&adapter->erp_lock, flags);
>+	read_lock(&adapter->port_list_lock);
>+	list_for_each_entry(port, &adapter->port_list, list)
>+		_zfcp_erp_port_forced_reopen(port, clear, dbftag);
>+	read_unlock(&adapter->port_list_lock);
>+	write_unlock_irqrestore(&adapter->erp_lock, flags);
>+}
>+
> static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter,
> 				      int clear, char *id)
> {
>@@ -1313,6 +1327,9 @@ static void zfcp_erp_try_rport_unblock(struct zfcp_port *port)
> 		struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
> 		int lun_status;
> 
>+		if (sdev->sdev_state == SDEV_DEL ||
>+		    sdev->sdev_state == SDEV_CANCEL)
>+			continue;
> 		if (zsdev->port != port)
> 			continue;
> 		/* LUN under port of interest */
>diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
>index c5023d6811a8..cfe2a3b2d3b2 100644
>--- a/drivers/s390/scsi/zfcp_ext.h
>+++ b/drivers/s390/scsi/zfcp_ext.h
>@@ -68,6 +68,8 @@ extern void zfcp_erp_clear_port_status(struct zfcp_port *, u32);
> extern int  zfcp_erp_port_reopen(struct zfcp_port *, int, char *);
> extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *);
> extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *);
>+extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
>+					    int clear, char *dbftag);
> extern void zfcp_erp_set_lun_status(struct scsi_device *, u32);
> extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32);
> extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *);
>diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
>index f213786fe96c..9e9f0ad00bef 100644
>--- a/drivers/s390/scsi/zfcp_scsi.c
>+++ b/drivers/s390/scsi/zfcp_scsi.c
>@@ -347,6 +347,10 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt)
> 	struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
> 	int ret = SUCCESS, fc_ret;
> 
>+	if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) {
>+		zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p");
>+		zfcp_erp_wait(adapter);
>+	}
> 	zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
> 	zfcp_erp_wait(adapter);
> 	fc_ret = fc_block_scsi_eh(scpnt);
>diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
>index 7d5d66edae87..65826111d996 100644
>--- a/drivers/scsi/libsas/sas_expander.c
>+++ b/drivers/scsi/libsas/sas_expander.c
>@@ -47,17 +47,16 @@ static void smp_task_timedout(unsigned long _task)
> 	unsigned long flags;
> 
> 	spin_lock_irqsave(&task->task_state_lock, flags);
>-	if (!(task->task_state_flags & SAS_TASK_STATE_DONE))
>+	if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
> 		task->task_state_flags |= SAS_TASK_STATE_ABORTED;
>+		complete(&task->slow_task->completion);
>+	}
> 	spin_unlock_irqrestore(&task->task_state_lock, flags);
>-
>-	complete(&task->slow_task->completion);
> }
> 
> static void smp_task_done(struct sas_task *task)
> {
>-	if (!del_timer(&task->slow_task->timer))
>-		return;
>+	del_timer(&task->slow_task->timer);
> 	complete(&task->slow_task->completion);
> }
> 
>diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c
>index 0adf3cffddb0..87b6e1aa107a 100644
>--- a/drivers/staging/comedi/drivers/vmk80xx.c
>+++ b/drivers/staging/comedi/drivers/vmk80xx.c
>@@ -757,10 +757,8 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev)
> 
> 	size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize);
> 	devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
>-	if (!devpriv->usb_tx_buf) {
>-		kfree(devpriv->usb_rx_buf);
>+	if (!devpriv->usb_tx_buf)
> 		return -ENOMEM;
>-	}
> 
> 	return 0;
> }
>@@ -872,6 +870,8 @@ static int vmk80xx_auto_attach(struct comedi_device *dev,
> 
> 	devpriv->model = boardinfo->model;
> 
>+	sema_init(&devpriv->limit_sem, 8);
>+
> 	ret = vmk80xx_find_usb_endpoints(dev);
> 	if (ret)
> 		return ret;
>@@ -880,8 +880,6 @@ static int vmk80xx_auto_attach(struct comedi_device *dev,
> 	if (ret)
> 		return ret;
> 
>-	sema_init(&devpriv->limit_sem, 8);
>-
> 	usb_set_intfdata(intf, devpriv);
> 
> 	if (devpriv->model == VMK8061_MODEL) {
>diff --git a/drivers/staging/iio/meter/ade7854.c b/drivers/staging/iio/meter/ade7854.c
>index bcfdb650c2c5..c318e263c1bb 100644
>--- a/drivers/staging/iio/meter/ade7854.c
>+++ b/drivers/staging/iio/meter/ade7854.c
>@@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(S_IWUSR | S_IRUGO,
> static IIO_DEV_ATTR_IPEAK(S_IWUSR | S_IRUGO,
> 		ade7854_read_32bit,
> 		ade7854_write_32bit,
>-		ADE7854_VPEAK);
>+		ADE7854_IPEAK);
> static IIO_DEV_ATTR_APHCAL(S_IWUSR | S_IRUGO,
> 		ade7854_read_16bit,
> 		ade7854_write_16bit,
>diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c
>index 8ca7d7e68dca..2a0225900d89 100644
>--- a/drivers/staging/rtl8712/rtl8712_cmd.c
>+++ b/drivers/staging/rtl8712/rtl8712_cmd.c
>@@ -155,19 +155,11 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
> 
> static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
> {
>-	u32 val;
>-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj	*pcmd);
> 	struct readBB_parm *prdbbparm;
> 	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;
> 
> 	prdbbparm = (struct readBB_parm *)pcmd->parmbuf;
>-	if (pcmd->rsp && pcmd->rspsz > 0)
>-		memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
>-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
>-	if (pcmd_callback == NULL)
>-		r8712_free_cmd_obj(pcmd);
>-	else
>-		pcmd_callback(padapter, pcmd);
>+	r8712_free_cmd_obj(pcmd);
> 	return H2C_SUCCESS;
> }
> 
>diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h
>index 039ab3e97172..efa2fc98907f 100644
>--- a/drivers/staging/rtl8712/rtl8712_cmd.h
>+++ b/drivers/staging/rtl8712/rtl8712_cmd.h
>@@ -152,7 +152,7 @@ enum rtl8712_h2c_cmd {
> static struct _cmd_callback	cmd_callback[] = {
> 	{GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/
> 	{GEN_CMD_CODE(_Write_MACREG), NULL},
>-	{GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback},
>+	{GEN_CMD_CODE(_Read_BBREG), NULL},
> 	{GEN_CMD_CODE(_Write_BBREG), NULL},
> 	{GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback},
> 	{GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/
>diff --git a/drivers/staging/speakup/speakup_soft.c b/drivers/staging/speakup/speakup_soft.c
>index 9ed726509261..c5bf6b1aa80e 100644
>--- a/drivers/staging/speakup/speakup_soft.c
>+++ b/drivers/staging/speakup/speakup_soft.c
>@@ -213,10 +213,13 @@ static ssize_t softsynth_read(struct file *fp, char __user *buf, size_t count,
> 	DEFINE_WAIT(wait);
> 
> 	spin_lock_irqsave(&speakup_info.spinlock, flags);
>+	synth_soft.alive = 1;
> 	while (1) {
> 		prepare_to_wait(&speakup_event, &wait, TASK_INTERRUPTIBLE);
>-		if (!synth_buffer_empty() || speakup_info.flushing)
>-			break;
>+		if (synth_current() == &synth_soft) {
>+			if (!synth_buffer_empty() || speakup_info.flushing)
>+				break;
>+		}
> 		spin_unlock_irqrestore(&speakup_info.spinlock, flags);
> 		if (fp->f_flags & O_NONBLOCK) {
> 			finish_wait(&speakup_event, &wait);
>@@ -234,6 +237,8 @@ static ssize_t softsynth_read(struct file *fp, char __user *buf, size_t count,
> 	cp = buf;
> 	init = get_initstring();
> 	while (chars_sent < count) {
>+		if (synth_current() != &synth_soft)
>+			break;
> 		if (speakup_info.flushing) {
> 			speakup_info.flushing = 0;
> 			ch = '\x18';
>@@ -286,7 +291,8 @@ static unsigned int softsynth_poll(struct file *fp,
> 	poll_wait(fp, &speakup_event, wait);
> 
> 	spin_lock_irqsave(&speakup_info.spinlock, flags);
>-	if (!synth_buffer_empty() || speakup_info.flushing)
>+	if (synth_current() == &synth_soft &&
>+	    (!synth_buffer_empty() || speakup_info.flushing))
> 		ret = POLLIN | POLLRDNORM;
> 	spin_unlock_irqrestore(&speakup_info.spinlock, flags);
> 	return ret;
>diff --git a/drivers/staging/speakup/spk_priv.h b/drivers/staging/speakup/spk_priv.h
>index 637ba6760ec0..b669021455dd 100644
>--- a/drivers/staging/speakup/spk_priv.h
>+++ b/drivers/staging/speakup/spk_priv.h
>@@ -72,6 +72,7 @@ extern int synth_request_region(u_long, u_long);
> extern int synth_release_region(u_long, u_long);
> extern int synth_add(struct spk_synth *in_synth);
> extern void synth_remove(struct spk_synth *in_synth);
>+struct spk_synth *synth_current(void);
> 
> extern struct speakup_info_t speakup_info;
> 
>diff --git a/drivers/staging/speakup/synth.c b/drivers/staging/speakup/synth.c
>index 172cf62b1aaf..1219089af4b5 100644
>--- a/drivers/staging/speakup/synth.c
>+++ b/drivers/staging/speakup/synth.c
>@@ -475,4 +475,10 @@ void synth_remove(struct spk_synth *in_synth)
> }
> EXPORT_SYMBOL_GPL(synth_remove);
> 
>+struct spk_synth *synth_current(void)
>+{
>+	return synth;
>+}
>+EXPORT_SYMBOL_GPL(synth_current);
>+
> short spk_punc_masks[] = { 0, SOME, MOST, PUNC, PUNC|B_SYM };
>diff --git a/drivers/staging/usbip/stub_rx.c b/drivers/staging/usbip/stub_rx.c
>index 2ed1118d3d8b..7f10bc79a719 100644
>--- a/drivers/staging/usbip/stub_rx.c
>+++ b/drivers/staging/usbip/stub_rx.c
>@@ -375,16 +375,10 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu)
> 	}
> 
> 	if (usb_endpoint_xfer_isoc(epd)) {
>-		/* validate packet size and number of packets */
>-		unsigned int maxp, packets, bytes;
>-
>-		maxp = usb_endpoint_maxp(epd);
>-		maxp *= usb_endpoint_maxp_mult(epd);
>-		bytes = pdu->u.cmd_submit.transfer_buffer_length;
>-		packets = DIV_ROUND_UP(bytes, maxp);
>-
>+		/* validate number of packets */
> 		if (pdu->u.cmd_submit.number_of_packets < 0 ||
>-		    pdu->u.cmd_submit.number_of_packets > packets) {
>+		    pdu->u.cmd_submit.number_of_packets >
>+		    USBIP_MAX_ISO_PACKETS) {
> 			dev_err(&sdev->udev->dev,
> 				"CMD_SUBMIT: isoc invalid num packets %d\n",
> 				pdu->u.cmd_submit.number_of_packets);
>diff --git a/drivers/staging/usbip/usbip_common.h b/drivers/staging/usbip/usbip_common.h
>index 58787c49fb68..8b358911563b 100644
>--- a/drivers/staging/usbip/usbip_common.h
>+++ b/drivers/staging/usbip/usbip_common.h
>@@ -134,6 +134,13 @@ extern struct device_attribute dev_attr_usbip_debug;
> #define USBIP_DIR_OUT	0x00
> #define USBIP_DIR_IN	0x01
> 
>+/*
>+ * Arbitrary limit for the maximum number of isochronous packets in an URB,
>+ * compare for example the uhci_submit_isochronous function in
>+ * drivers/usb/host/uhci-q.c
>+ */
>+#define USBIP_MAX_ISO_PACKETS 1024
>+
> /**
>  * struct usbip_header_basic - data pertinent to every request
>  * @command: the usbip request type
>diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
>index bc1c68c926bd..d8676716467b 100644
>--- a/drivers/tty/serial/atmel_serial.c
>+++ b/drivers/tty/serial/atmel_serial.c
>@@ -1045,6 +1045,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
> 				sg_dma_len(&atmel_port->sg_rx)/2,
> 				DMA_DEV_TO_MEM,
> 				DMA_PREP_INTERRUPT);
>+	if (!desc) {
>+		dev_err(port->dev, "Preparing DMA cyclic failed\n");
>+		goto chan_err;
>+	}
> 	desc->callback = atmel_complete_rx_dma;
> 	desc->callback_param = port;
> 	atmel_port->desc_rx = desc;
>diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c
>index ba285cd45b59..8ccab7cf437c 100644
>--- a/drivers/tty/serial/max310x.c
>+++ b/drivers/tty/serial/max310x.c
>@@ -1324,6 +1324,8 @@ static int max310x_spi_probe(struct spi_device *spi)
> 	if (spi->dev.of_node) {
> 		const struct of_device_id *of_id =
> 			of_match_device(max310x_dt_ids, &spi->dev);
>+		if (!of_id)
>+			return -ENODEV;
> 
> 		devtype = (struct max310x_devtype *)of_id->data;
> 	} else {
>diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
>index 8f6d6b5a2eeb..acacce37ec66 100644
>--- a/drivers/tty/serial/mxs-auart.c
>+++ b/drivers/tty/serial/mxs-auart.c
>@@ -1075,6 +1075,10 @@ static int mxs_auart_probe(struct platform_device *pdev)
> 
> 	s->port.mapbase = r->start;
> 	s->port.membase = ioremap(r->start, resource_size(r));
>+	if (!s->port.membase) {
>+		ret = -ENOMEM;
>+		goto out_free_clk;
>+	}
> 	s->port.ops = &mxs_auart_ops;
> 	s->port.iotype = UPIO_MEM;
> 	s->port.fifosize = MXS_AUART_FIFO_SIZE;
>diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
>index e2224213111c..0dc1d1ac4a9a 100644
>--- a/drivers/tty/serial/sh-sci.c
>+++ b/drivers/tty/serial/sh-sci.c
>@@ -633,19 +633,9 @@ static void sci_transmit_chars(struct uart_port *port)
> 
> 	if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
> 		uart_write_wakeup(port);
>-	if (uart_circ_empty(xmit)) {
>+	if (uart_circ_empty(xmit))
> 		sci_stop_tx(port);
>-	} else {
>-		ctrl = serial_port_in(port, SCSCR);
>-
>-		if (port->type != PORT_SCI) {
>-			serial_port_in(port, SCxSR); /* Dummy read */
>-			serial_port_out(port, SCxSR, SCxSR_TDxE_CLEAR(port));
>-		}
> 
>-		ctrl |= SCSCR_TIE;
>-		serial_port_out(port, SCSCR, ctrl);
>-	}
> }
> 
> /* On SH3, SCIF may read end-of-break as a space->mark char */
>diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
>index d002c23af6f4..71dfbff5839d 100644
>--- a/drivers/usb/core/driver.c
>+++ b/drivers/usb/core/driver.c
>@@ -483,11 +483,6 @@ static int usb_unbind_interface(struct device *dev)
> 		pm_runtime_disable(dev);
> 	pm_runtime_set_suspended(dev);
> 
>-	/* Undo any residual pm_autopm_get_interface_* calls */
>-	for (r = atomic_read(&intf->pm_usage_cnt); r > 0; --r)
>-		usb_autopm_put_interface_no_suspend(intf);
>-	atomic_set(&intf->pm_usage_cnt, 0);
>-
> 	if (!error)
> 		usb_autosuspend_device(udev);
> 
>@@ -1638,7 +1633,6 @@ void usb_autopm_put_interface(struct usb_interface *intf)
> 	int			status;
> 
> 	usb_mark_last_busy(udev);
>-	atomic_dec(&intf->pm_usage_cnt);
> 	status = pm_runtime_put_sync(&intf->dev);
> 	dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
> 			__func__, atomic_read(&intf->dev.power.usage_count),
>@@ -1667,7 +1661,6 @@ void usb_autopm_put_interface_async(struct usb_interface *intf)
> 	int			status;
> 
> 	usb_mark_last_busy(udev);
>-	atomic_dec(&intf->pm_usage_cnt);
> 	status = pm_runtime_put(&intf->dev);
> 	dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
> 			__func__, atomic_read(&intf->dev.power.usage_count),
>@@ -1689,7 +1682,6 @@ void usb_autopm_put_interface_no_suspend(struct usb_interface *intf)
> 	struct usb_device	*udev = interface_to_usbdev(intf);
> 
> 	usb_mark_last_busy(udev);
>-	atomic_dec(&intf->pm_usage_cnt);
> 	pm_runtime_put_noidle(&intf->dev);
> }
> EXPORT_SYMBOL_GPL(usb_autopm_put_interface_no_suspend);
>@@ -1720,8 +1712,6 @@ int usb_autopm_get_interface(struct usb_interface *intf)
> 	status = pm_runtime_get_sync(&intf->dev);
> 	if (status < 0)
> 		pm_runtime_put_sync(&intf->dev);
>-	else
>-		atomic_inc(&intf->pm_usage_cnt);
> 	dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
> 			__func__, atomic_read(&intf->dev.power.usage_count),
> 			status);
>@@ -1755,8 +1745,6 @@ int usb_autopm_get_interface_async(struct usb_interface *intf)
> 	status = pm_runtime_get(&intf->dev);
> 	if (status < 0 && status != -EINPROGRESS)
> 		pm_runtime_put_noidle(&intf->dev);
>-	else
>-		atomic_inc(&intf->pm_usage_cnt);
> 	dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n",
> 			__func__, atomic_read(&intf->dev.power.usage_count),
> 			status);
>@@ -1780,7 +1768,6 @@ void usb_autopm_get_interface_no_resume(struct usb_interface *intf)
> 	struct usb_device	*udev = interface_to_usbdev(intf);
> 
> 	usb_mark_last_busy(udev);
>-	atomic_inc(&intf->pm_usage_cnt);
> 	pm_runtime_get_noresume(&intf->dev);
> }
> EXPORT_SYMBOL_GPL(usb_autopm_get_interface_no_resume);
>diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
>index 6af648c307b7..f7019c7e9bc5 100644
>--- a/drivers/usb/core/message.c
>+++ b/drivers/usb/core/message.c
>@@ -822,9 +822,11 @@ int usb_string(struct usb_device *dev, int index, char *buf, size_t size)
> 
> 	if (dev->state == USB_STATE_SUSPENDED)
> 		return -EHOSTUNREACH;
>-	if (size <= 0 || !buf || !index)
>+	if (size <= 0 || !buf)
> 		return -EINVAL;
> 	buf[0] = 0;
>+	if (index <= 0 || index >= 256)
>+		return -EINVAL;
> 	tbuf = kmalloc(256, GFP_NOIO);
> 	if (!tbuf)
> 		return -ENOMEM;
>diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
>index fd697bba07ff..dc3270e48dfb 100644
>--- a/drivers/usb/host/xhci-hub.c
>+++ b/drivers/usb/host/xhci-hub.c
>@@ -1199,20 +1199,25 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
> 	port_index = max_ports;
> 	while (port_index--) {
> 		u32 t1, t2;
>-
>+		int retries = 10;
>+retry:
> 		t1 = readl(port_array[port_index]);
> 		t2 = xhci_port_state_to_neutral(t1);
> 		portsc_buf[port_index] = 0;
> 
>-		/* Bail out if a USB3 port has a new device in link training */
>-		if ((hcd->speed >= HCD_USB3) &&
>+		/*
>+		 * Give a USB3 port in link training time to finish, but don't
>+		 * prevent suspend as port might be stuck
>+		 */
>+		if ((hcd->speed >= HCD_USB3) && retries-- &&
> 		    (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
>-			bus_state->bus_suspended = 0;
> 			spin_unlock_irqrestore(&xhci->lock, flags);
>-			xhci_dbg(xhci, "Bus suspend bailout, port in polling\n");
>-			return -EBUSY;
>+			msleep(XHCI_PORT_POLLING_LFPS_TIME);
>+			spin_lock_irqsave(&xhci->lock, flags);
>+			xhci_dbg(xhci, "port %d polling in bus suspend, waiting\n",
>+				 port_index);
>+			goto retry;
> 		}
>-
> 		/* suspend ports in U0, or bail out for new connect changes */
> 		if ((t1 & PORT_PE) && (t1 & PORT_PLS_MASK) == XDEV_U0) {
> 			if ((t1 & PORT_CSC) && wake_enabled) {
>diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
>index feb702516470..bd191fbfdf40 100644
>--- a/drivers/usb/host/xhci.h
>+++ b/drivers/usb/host/xhci.h
>@@ -413,6 +413,14 @@ struct xhci_op_regs {
>  */
> #define XHCI_DEFAULT_BESL	4
> 
>+/*
>+ * USB3 specification define a 360ms tPollingLFPSTiemout for USB3 ports
>+ * to complete link training. usually link trainig completes much faster
>+ * so check status 10 times with 36ms sleep in places we need to wait for
>+ * polling to complete.
>+ */
>+#define XHCI_PORT_POLLING_LFPS_TIME  36
>+
> /**
>  * struct xhci_intr_reg - Interrupt Register Set
>  * @irq_pending:	IMAN - Interrupt Management Register.  Used to enable
>diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
>index 3114c8d061e9..1c9d08157708 100644
>--- a/drivers/usb/misc/yurex.c
>+++ b/drivers/usb/misc/yurex.c
>@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_interface *interface)
> 	usb_deregister_dev(interface, &yurex_class);
> 
> 	/* prevent more I/O from starting */
>+	usb_poison_urb(dev->urb);
> 	mutex_lock(&dev->io_mutex);
> 	dev->interface = NULL;
> 	mutex_unlock(&dev->io_mutex);
>diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
>index b60dac48587c..3e22dd294879 100644
>--- a/drivers/usb/serial/cp210x.c
>+++ b/drivers/usb/serial/cp210x.c
>@@ -76,6 +76,7 @@ static const struct usb_device_id id_table[] = {
> 	{ USB_DEVICE(0x10C4, 0x804E) }, /* Software Bisque Paramount ME build-in converter */
> 	{ USB_DEVICE(0x10C4, 0x8053) }, /* Enfora EDG1228 */
> 	{ USB_DEVICE(0x10C4, 0x8054) }, /* Enfora GSM2228 */
>+	{ USB_DEVICE(0x10C4, 0x8056) }, /* Lorenz Messtechnik devices */
> 	{ USB_DEVICE(0x10C4, 0x8066) }, /* Argussoft In-System Programmer */
> 	{ USB_DEVICE(0x10C4, 0x806F) }, /* IMS USB to RS422 Converter Cable */
> 	{ USB_DEVICE(0x10C4, 0x807A) }, /* Crumb128 board */
>diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
>index aa2bec8687fd..3f89153bc122 100644
>--- a/drivers/usb/serial/ftdi_sio.c
>+++ b/drivers/usb/serial/ftdi_sio.c
>@@ -617,6 +617,8 @@ static const struct usb_device_id id_table_combined[] = {
> 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
> 	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
> 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
>+	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
>+	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
> 	{ USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
> 	{ USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
> 	{ USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
>diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
>index ecc2424eb8e0..5258cec99219 100644
>--- a/drivers/usb/serial/ftdi_sio_ids.h
>+++ b/drivers/usb/serial/ftdi_sio_ids.h
>@@ -566,7 +566,9 @@
> /*
>  * NovaTech product ids (FTDI_VID)
>  */
>-#define FTDI_NT_ORIONLXM_PID	0x7c90	/* OrionLXm Substation Automation Platform */
>+#define FTDI_NT_ORIONLXM_PID		0x7c90	/* OrionLXm Substation Automation Platform */
>+#define FTDI_NT_ORIONLX_PLUS_PID	0x7c91	/* OrionLX+ Substation Automation Platform */
>+#define FTDI_NT_ORION_IO_PID		0x7c92	/* Orion I/O */
> 
> /*
>  * Synapse Wireless product ids (FTDI_VID)
>diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
>index 56c4f6d074ca..454898c4a137 100644
>--- a/drivers/usb/serial/mos7720.c
>+++ b/drivers/usb/serial/mos7720.c
>@@ -362,8 +362,6 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
> 	if (!urbtrack)
> 		return -ENOMEM;
> 
>-	kref_get(&mos_parport->ref_count);
>-	urbtrack->mos_parport = mos_parport;
> 	urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC);
> 	if (!urbtrack->urb) {
> 		kfree(urbtrack);
>@@ -384,6 +382,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
> 			     usb_sndctrlpipe(usbdev, 0),
> 			     (unsigned char *)urbtrack->setup,
> 			     NULL, 0, async_complete, urbtrack);
>+	kref_get(&mos_parport->ref_count);
>+	urbtrack->mos_parport = mos_parport;
> 	kref_init(&urbtrack->ref_count);
> 	INIT_LIST_HEAD(&urbtrack->urblist_entry);
> 
>diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c
>index 281be56d5648..56bfef517f68 100644
>--- a/drivers/usb/storage/realtek_cr.c
>+++ b/drivers/usb/storage/realtek_cr.c
>@@ -767,18 +767,16 @@ static void rts51x_suspend_timer_fn(unsigned long data)
> 		break;
> 	case RTS51X_STAT_IDLE:
> 	case RTS51X_STAT_SS:
>-		usb_stor_dbg(us, "RTS51X_STAT_SS, intf->pm_usage_cnt:%d, power.usage:%d\n",
>-			     atomic_read(&us->pusb_intf->pm_usage_cnt),
>+		usb_stor_dbg(us, "RTS51X_STAT_SS, power.usage:%d\n",
> 			     atomic_read(&us->pusb_intf->dev.power.usage_count));
> 
>-		if (atomic_read(&us->pusb_intf->pm_usage_cnt) > 0) {
>+		if (atomic_read(&us->pusb_intf->dev.power.usage_count) > 0) {
> 			usb_stor_dbg(us, "Ready to enter SS state\n");
> 			rts51x_set_stat(chip, RTS51X_STAT_SS);
> 			/* ignore mass storage interface's children */
> 			pm_suspend_ignore_children(&us->pusb_intf->dev, true);
> 			usb_autopm_put_interface_async(us->pusb_intf);
>-			usb_stor_dbg(us, "RTS51X_STAT_SS 01, intf->pm_usage_cnt:%d, power.usage:%d\n",
>-				     atomic_read(&us->pusb_intf->pm_usage_cnt),
>+			usb_stor_dbg(us, "RTS51X_STAT_SS 01, power.usage:%d\n",
> 				     atomic_read(&us->pusb_intf->dev.power.usage_count));
> 		}
> 		break;
>@@ -811,11 +809,10 @@ static void rts51x_invoke_transport(struct scsi_cmnd *srb, struct us_data *us)
> 	int ret;
> 
> 	if (working_scsi(srb)) {
>-		usb_stor_dbg(us, "working scsi, intf->pm_usage_cnt:%d, power.usage:%d\n",
>-			     atomic_read(&us->pusb_intf->pm_usage_cnt),
>+		usb_stor_dbg(us, "working scsi, power.usage:%d\n",
> 			     atomic_read(&us->pusb_intf->dev.power.usage_count));
> 
>-		if (atomic_read(&us->pusb_intf->pm_usage_cnt) <= 0) {
>+		if (atomic_read(&us->pusb_intf->dev.power.usage_count) <= 0) {
> 			ret = usb_autopm_get_interface(us->pusb_intf);
> 			usb_stor_dbg(us, "working scsi, ret=%d\n", ret);
> 		}
>diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
>index f544cfaa0a10..3f16c299263f 100644
>--- a/drivers/vhost/net.c
>+++ b/drivers/vhost/net.c
>@@ -39,6 +39,12 @@ MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
>  * Using this limit prevents one virtqueue from starving others. */
> #define VHOST_NET_WEIGHT 0x80000
> 
>+/* Max number of packets transferred before requeueing the job.
>+ * Using this limit prevents one virtqueue from starving others with small
>+ * pkts.
>+ */
>+#define VHOST_NET_PKT_WEIGHT 256
>+
> /* MAX number of TX used buffers for outstanding zerocopy */
> #define VHOST_MAX_PEND 128
> #define VHOST_GOODCOPY_LEN 256
>@@ -351,6 +357,7 @@ static void handle_tx(struct vhost_net *net)
> 	struct socket *sock;
> 	struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
> 	bool zcopy, zcopy_used;
>+	int sent_pkts = 0;
> 
> 	mutex_lock(&vq->mutex);
> 	sock = vq->private_data;
>@@ -362,7 +369,7 @@ static void handle_tx(struct vhost_net *net)
> 	hdr_size = nvq->vhost_hlen;
> 	zcopy = nvq->ubufs;
> 
>-	for (;;) {
>+	do {
> 		/* Release DMAs done buffers first */
> 		if (zcopy)
> 			vhost_zerocopy_signal_used(net, vq);
>@@ -450,11 +457,7 @@ static void handle_tx(struct vhost_net *net)
> 			vhost_zerocopy_signal_used(net, vq);
> 		total_len += len;
> 		vhost_net_tx_packet(net);
>-		if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
>-			vhost_poll_queue(&vq->poll);
>-			break;
>-		}
>-	}
>+	} while (likely(!vhost_exceeds_weight(vq, ++sent_pkts, total_len)));
> out:
> 	mutex_unlock(&vq->mutex);
> }
>@@ -575,6 +578,7 @@ static void handle_rx(struct vhost_net *net)
> 	size_t vhost_hlen, sock_hlen;
> 	size_t vhost_len, sock_len;
> 	struct socket *sock;
>+	int recv_pkts = 0;
> 
> 	mutex_lock(&vq->mutex);
> 	sock = vq->private_data;
>@@ -589,7 +593,10 @@ static void handle_rx(struct vhost_net *net)
> 		vq->log : NULL;
> 	mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
> 
>-	while ((sock_len = peek_head_len(sock->sk))) {
>+	do {
>+		sock_len = peek_head_len(sock->sk);
>+		if (!sock_len)
>+			break;
> 		sock_len += sock_hlen;
> 		vhost_len = sock_len + vhost_hlen;
> 		headcount = get_rx_bufs(vq, vq->heads, vhost_len,
>@@ -659,11 +666,8 @@ static void handle_rx(struct vhost_net *net)
> 		if (unlikely(vq_log))
> 			vhost_log_write(vq, vq_log, log, vhost_len);
> 		total_len += vhost_len;
>-		if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
>-			vhost_poll_queue(&vq->poll);
>-			break;
>-		}
>-	}
>+	} while (likely(!vhost_exceeds_weight(vq, ++recv_pkts, total_len)));
>+
> out:
> 	mutex_unlock(&vq->mutex);
> }
>@@ -732,7 +736,8 @@ static int vhost_net_open(struct inode *inode, struct file *f)
> 		n->vqs[i].vhost_hlen = 0;
> 		n->vqs[i].sock_hlen = 0;
> 	}
>-	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX);
>+	vhost_dev_init(dev, vqs, VHOST_NET_VQ_MAX,
>+		       VHOST_NET_PKT_WEIGHT, VHOST_NET_WEIGHT);
> 
> 	vhost_poll_init(n->poll + VHOST_NET_VQ_TX, handle_tx_net, POLLOUT, dev);
> 	vhost_poll_init(n->poll + VHOST_NET_VQ_RX, handle_rx_net, POLLIN, dev);
>diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
>index 0dfb3fd6e836..498de4bfcd60 100644
>--- a/drivers/vhost/scsi.c
>+++ b/drivers/vhost/scsi.c
>@@ -60,6 +60,12 @@
> #define TCM_VHOST_PREALLOC_UPAGES 2048
> #define TCM_VHOST_PREALLOC_PROT_SGLS 512
> 
>+/* Max number of requests before requeueing the job.
>+ * Using this limit prevents one virtqueue from starving others with
>+ * request.
>+ */
>+#define VHOST_SCSI_WEIGHT 256
>+
> struct vhost_scsi_inflight {
> 	/* Wait for the flush operation to finish */
> 	struct completion comp;
>@@ -992,7 +998,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
> 	u64 tag;
> 	u32 exp_data_len, data_first, data_num, data_direction, prot_first;
> 	unsigned out, in, i;
>-	int head, ret, data_niov, prot_niov, prot_bytes;
>+	int head, ret, data_niov, prot_niov, prot_bytes, c = 0;
> 	size_t req_size;
> 	u16 lun;
> 	u8 *target, *lunp, task_attr;
>@@ -1010,7 +1016,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
> 
> 	vhost_disable_notify(&vs->dev, vq);
> 
>-	for (;;) {
>+	do {
> 		head = vhost_get_vq_desc(vq, vq->iov,
> 					ARRAY_SIZE(vq->iov), &out, &in,
> 					NULL, NULL);
>@@ -1213,7 +1219,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *vs, struct vhost_virtqueue *vq)
> 		 */
> 		INIT_WORK(&cmd->work, tcm_vhost_submission_work);
> 		queue_work(tcm_vhost_workqueue, &cmd->work);
>-	}
>+	} while (likely(!vhost_exceeds_weight(vq, ++c, 0)));
> 
> 	mutex_unlock(&vq->mutex);
> 	return;
>@@ -1576,7 +1582,8 @@ static int vhost_scsi_open(struct inode *inode, struct file *f)
> 		vqs[i] = &vs->vqs[i].vq;
> 		vs->vqs[i].vq.handle_kick = vhost_scsi_handle_kick;
> 	}
>-	vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ);
>+	vhost_dev_init(&vs->dev, vqs, VHOST_SCSI_MAX_VQ,
>+		       VHOST_SCSI_WEIGHT, 0);
> 
> 	tcm_vhost_init_inflight(vs, NULL);
> 
>diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
>index 337e1d04871f..48507ef0542a 100644
>--- a/drivers/vhost/vhost.c
>+++ b/drivers/vhost/vhost.c
>@@ -292,8 +292,24 @@ static void vhost_dev_free_iovecs(struct vhost_dev *dev)
> 		vhost_vq_free_iovecs(dev->vqs[i]);
> }
> 
>+bool vhost_exceeds_weight(struct vhost_virtqueue *vq,
>+			  int pkts, int total_len)
>+{
>+	struct vhost_dev *dev = vq->dev;
>+
>+	if ((dev->byte_weight && total_len >= dev->byte_weight) ||
>+	    pkts >= dev->weight) {
>+		vhost_poll_queue(&vq->poll);
>+		return true;
>+	}
>+
>+	return false;
>+}
>+EXPORT_SYMBOL_GPL(vhost_exceeds_weight);
>+
> void vhost_dev_init(struct vhost_dev *dev,
>-		    struct vhost_virtqueue **vqs, int nvqs)
>+		    struct vhost_virtqueue **vqs, int nvqs,
>+		    int weight, int byte_weight)
> {
> 	struct vhost_virtqueue *vq;
> 	int i;
>@@ -308,6 +324,8 @@ void vhost_dev_init(struct vhost_dev *dev,
> 	spin_lock_init(&dev->work_lock);
> 	INIT_LIST_HEAD(&dev->work_list);
> 	dev->worker = NULL;
>+	dev->weight = weight;
>+	dev->byte_weight = byte_weight;
> 
> 	for (i = 0; i < dev->nvqs; ++i) {
> 		vq = dev->vqs[i];
>diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
>index 3eda654b8f5a..6c4c8aade233 100644
>--- a/drivers/vhost/vhost.h
>+++ b/drivers/vhost/vhost.h
>@@ -123,9 +123,13 @@ struct vhost_dev {
> 	spinlock_t work_lock;
> 	struct list_head work_list;
> 	struct task_struct *worker;
>+	int weight;
>+	int byte_weight;
> };
> 
>-void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs, int nvqs);
>+bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts, int total_len);
>+void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs,
>+		    int nvqs, int weight, int byte_weight);
> long vhost_dev_set_owner(struct vhost_dev *dev);
> bool vhost_dev_has_owner(struct vhost_dev *dev);
> long vhost_dev_check_owner(struct vhost_dev *);
>diff --git a/drivers/w1/masters/ds2490.c b/drivers/w1/masters/ds2490.c
>index 176b88fa694c..ed420aa9216b 100644
>--- a/drivers/w1/masters/ds2490.c
>+++ b/drivers/w1/masters/ds2490.c
>@@ -1041,15 +1041,15 @@ static int ds_probe(struct usb_interface *intf,
> 	/* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */
> 	alt = 3;
> 	err = usb_set_interface(dev->udev,
>-		intf->altsetting[alt].desc.bInterfaceNumber, alt);
>+		intf->cur_altsetting->desc.bInterfaceNumber, alt);
> 	if (err) {
> 		dev_err(&dev->udev->dev, "Failed to set alternative setting %d "
> 			"for %d interface: err=%d.\n", alt,
>-			intf->altsetting[alt].desc.bInterfaceNumber, err);
>+			intf->cur_altsetting->desc.bInterfaceNumber, err);
> 		goto err_out_clear;
> 	}
> 
>-	iface_desc = &intf->altsetting[alt];
>+	iface_desc = intf->cur_altsetting;
> 	if (iface_desc->desc.bNumEndpoints != NUM_EP-1) {
> 		printk(KERN_INFO "Num endpoints=%d. It is not DS9490R.\n", iface_desc->desc.bNumEndpoints);
> 		err = -EINVAL;
>diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
>index 8db7abb6ef5a..cdb055207753 100644
>--- a/drivers/xen/balloon.c
>+++ b/drivers/xen/balloon.c
>@@ -502,8 +502,15 @@ static void balloon_process(struct work_struct *work)
> 				state = reserve_additional_memory(credit);
> 		}
> 
>-		if (credit < 0)
>-			state = decrease_reservation(-credit, GFP_BALLOON);
>+		if (credit < 0) {
>+			long n_pages;
>+
>+			n_pages = min(-credit, si_mem_available());
>+			state = decrease_reservation(n_pages, GFP_BALLOON);
>+			if (state == BP_DONE && n_pages != -credit &&
>+			    n_pages < totalreserve_pages)
>+				state = BP_EAGAIN;
>+		}
> 
> 		state = update_schedule(state);
> 
>@@ -561,6 +568,9 @@ int alloc_xenballooned_pages(int nr_pages, struct page **pages, bool highmem)
> 			enum bp_state st;
> 			if (page)
> 				balloon_append(page);
>+			if (si_mem_available() < nr_pages)
>+				return -ENOMEM;
>+
> 			st = decrease_reservation(nr_pages - pgno,
> 					highmem ? GFP_HIGHUSER : GFP_USER);
> 			if (st != BP_DONE)
>@@ -692,7 +702,7 @@ static int __init balloon_init(void)
> 	balloon_stats.schedule_delay = 1;
> 	balloon_stats.max_schedule_delay = 32;
> 	balloon_stats.retry_count = 1;
>-	balloon_stats.max_retry_count = RETRY_UNLIMITED;
>+	balloon_stats.max_retry_count = 4;
> 
> #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
> 	balloon_stats.hotplug_pages = 0;
>diff --git a/fs/afs/fsclient.c b/fs/afs/fsclient.c
>index c2e930ec2888..696db173e26f 100644
>--- a/fs/afs/fsclient.c
>+++ b/fs/afs/fsclient.c
>@@ -1382,8 +1382,8 @@ static int afs_fs_setattr_size64(struct afs_server *server, struct key *key,
> 
> 	xdr_encode_AFS_StoreStatus(&bp, attr);
> 
>-	*bp++ = 0;				/* position of start of write */
>-	*bp++ = 0;
>+	*bp++ = htonl(attr->ia_size >> 32);	/* position of start of write */
>+	*bp++ = htonl((u32) attr->ia_size);
> 	*bp++ = 0;				/* size of write */
> 	*bp++ = 0;
> 	*bp++ = htonl(attr->ia_size >> 32);	/* new file length */
>@@ -1433,7 +1433,7 @@ static int afs_fs_setattr_size(struct afs_server *server, struct key *key,
> 
> 	xdr_encode_AFS_StoreStatus(&bp, attr);
> 
>-	*bp++ = 0;				/* position of start of write */
>+	*bp++ = htonl(attr->ia_size);		/* position of start of write */
> 	*bp++ = 0;				/* size of write */
> 	*bp++ = htonl(attr->ia_size);		/* new file length */
> 
>diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
>index 6db91cdbd92d..6a02cb3e5650 100644
>--- a/fs/btrfs/compression.c
>+++ b/fs/btrfs/compression.c
>@@ -42,6 +42,8 @@
> #include "extent_io.h"
> #include "extent_map.h"
> 
>+static const char* const btrfs_compress_types[] = { "", "zlib", "lzo" };
>+
> struct compressed_bio {
> 	/* number of bios pending for this compressed extent */
> 	atomic_t pending_bios;
>@@ -81,6 +83,22 @@ struct compressed_bio {
> 	u32 sums;
> };
> 
>+bool btrfs_compress_is_valid_type(const char *str, size_t len)
>+{
>+	int i;
>+
>+	for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
>+		size_t comp_len = strlen(btrfs_compress_types[i]);
>+
>+		if (len < comp_len)
>+			continue;
>+
>+		if (!strncmp(btrfs_compress_types[i], str, comp_len))
>+			return true;
>+	}
>+	return false;
>+}
>+
> static int btrfs_decompress_biovec(int type, struct page **pages_in,
> 				   u64 disk_start, struct bio_vec *bvec,
> 				   int vcnt, size_t srclen);
>diff --git a/fs/btrfs/compression.h b/fs/btrfs/compression.h
>index d181f70caae0..5f15b34d88f7 100644
>--- a/fs/btrfs/compression.h
>+++ b/fs/btrfs/compression.h
>@@ -80,4 +80,5 @@ struct btrfs_compress_op {
> extern struct btrfs_compress_op btrfs_zlib_compress;
> extern struct btrfs_compress_op btrfs_lzo_compress;
> 
>+bool btrfs_compress_is_valid_type(const char *str, size_t len);
> #endif
>diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c
>index 129b1dd28527..8b041d83533a 100644
>--- a/fs/btrfs/props.c
>+++ b/fs/btrfs/props.c
>@@ -22,6 +22,7 @@
> #include "hash.h"
> #include "transaction.h"
> #include "xattr.h"
>+#include "compression.h"
> 
> #define BTRFS_PROP_HANDLERS_HT_BITS 8
> static DEFINE_HASHTABLE(prop_handlers_ht, BTRFS_PROP_HANDLERS_HT_BITS);
>@@ -378,9 +379,7 @@ int btrfs_subvol_inherit_props(struct btrfs_trans_handle *trans,
> 
> static int prop_compression_validate(const char *value, size_t len)
> {
>-	if (!strncmp("lzo", value, len))
>-		return 0;
>-	else if (!strncmp("zlib", value, len))
>+	if (btrfs_compress_is_valid_type(value, len))
> 		return 0;
> 
> 	return -EINVAL;
>diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
>index 5e2005030f54..bdda508cc85d 100644
>--- a/fs/ceph/dir.c
>+++ b/fs/ceph/dir.c
>@@ -1327,6 +1327,7 @@ void ceph_dentry_lru_del(struct dentry *dn)
> unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn)
> {
> 	struct ceph_inode_info *dci = ceph_inode(dir);
>+	unsigned hash;
> 
> 	switch (dci->i_dir_layout.dl_dir_hash) {
> 	case 0:	/* for backward compat */
>@@ -1334,8 +1335,11 @@ unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn)
> 		return dn->d_name.hash;
> 
> 	default:
>-		return ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
>+		spin_lock(&dn->d_lock);
>+		hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
> 				     dn->d_name.name, dn->d_name.len);
>+		spin_unlock(&dn->d_lock);
>+		return hash;
> 	}
> }
> 
>diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
>index 23f5cb1ee904..ff85c3129e9d 100644
>--- a/fs/cifs/cifsglob.h
>+++ b/fs/cifs/cifsglob.h
>@@ -1092,6 +1092,7 @@ cifsFileInfo_get_locked(struct cifsFileInfo *cifs_file)
> }
> 
> struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file);
>+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr);
> void cifsFileInfo_put(struct cifsFileInfo *cifs_file);
> 
> #define CIFS_CACHE_READ_FLG	1
>@@ -1579,6 +1580,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock;
> #endif /* CONFIG_CIFS_ACL */
> 
> void cifs_oplock_break(struct work_struct *work);
>+void cifs_queue_oplock_break(struct cifsFileInfo *cfile);
> 
> extern const struct slow_work_ops cifs_oplock_break_ops;
> extern struct workqueue_struct *cifsiod_wq;
>diff --git a/fs/cifs/file.c b/fs/cifs/file.c
>index 4b8870f889e3..9b3d28b79329 100644
>--- a/fs/cifs/file.c
>+++ b/fs/cifs/file.c
>@@ -359,12 +359,30 @@ cifsFileInfo_get(struct cifsFileInfo *cifs_file)
> 	return cifs_file;
> }
> 
>-/*
>- * Release a reference on the file private data. This may involve closing
>- * the filehandle out on the server. Must be called without holding
>- * tcon->open_file_lock and cifs_file->file_info_lock.
>+/**
>+ * cifsFileInfo_put - release a reference of file priv data
>+ *
>+ * Always potentially wait for oplock handler. See _cifsFileInfo_put().
>  */
> void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
>+{
>+	_cifsFileInfo_put(cifs_file, true);
>+}
>+
>+/**
>+ * _cifsFileInfo_put - release a reference of file priv data
>+ *
>+ * This may involve closing the filehandle @cifs_file out on the
>+ * server. Must be called without holding tcon->open_file_lock and
>+ * cifs_file->file_info_lock.
>+ *
>+ * If @wait_for_oplock_handler is true and we are releasing the last
>+ * reference, wait for any running oplock break handler of the file
>+ * and cancel any pending one. If calling this function from the
>+ * oplock break handler, you need to pass false.
>+ *
>+ */
>+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler)
> {
> 	struct inode *inode = cifs_file->dentry->d_inode;
> 	struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink);
>@@ -412,7 +430,8 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
> 
> 	spin_unlock(&tcon->open_file_lock);
> 
>-	oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
>+	oplock_break_cancelled = wait_oplock_handler ?
>+		cancel_work_sync(&cifs_file->oplock_break) : false;
> 
> 	if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
> 		struct TCP_Server_Info *server = tcon->ses->server;
>@@ -3701,6 +3720,7 @@ void cifs_oplock_break(struct work_struct *work)
> 							     cinode);
> 		cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
> 	}
>+	_cifsFileInfo_put(cfile, false /* do not wait for ourself */);
> 	cifs_done_oplock_break(cinode);
> }
> 
>diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
>index 09ca7c978700..f681091ec3db 100644
>--- a/fs/cifs/inode.c
>+++ b/fs/cifs/inode.c
>@@ -1627,6 +1627,10 @@ cifs_do_rename(const unsigned int xid, struct dentry *from_dentry,
> 	if (rc == 0 || rc != -EBUSY)
> 		goto do_rename_exit;
> 
>+	/* Don't fall back to using SMB on SMB 2+ mount */
>+	if (server->vals->protocol_id != 0)
>+		goto do_rename_exit;
>+
> 	/* open-file renames don't work across directories */
> 	if (to_dentry->d_parent != from_dentry->d_parent)
> 		goto do_rename_exit;
>diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
>index f03fecafc5d5..debc26b95cd7 100644
>--- a/fs/cifs/misc.c
>+++ b/fs/cifs/misc.c
>@@ -477,8 +477,7 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv)
> 					   CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
> 					   &pCifsInode->flags);
> 
>-				queue_work(cifsoplockd_wq,
>-					   &netfile->oplock_break);
>+				cifs_queue_oplock_break(netfile);
> 				netfile->oplock_break_cancelled = false;
> 
> 				spin_unlock(&tcon->open_file_lock);
>@@ -610,6 +609,28 @@ void cifs_put_writer(struct cifsInodeInfo *cinode)
> 	spin_unlock(&cinode->writers_lock);
> }
> 
>+/**
>+ * cifs_queue_oplock_break - queue the oplock break handler for cfile
>+ *
>+ * This function is called from the demultiplex thread when it
>+ * receives an oplock break for @cfile.
>+ *
>+ * Assumes the tcon->open_file_lock is held.
>+ * Assumes cfile->file_info_lock is NOT held.
>+ */
>+void cifs_queue_oplock_break(struct cifsFileInfo *cfile)
>+{
>+	/*
>+	 * Bump the handle refcount now while we hold the
>+	 * open_file_lock to enforce the validity of it for the oplock
>+	 * break handler. The matching put is done at the end of the
>+	 * handler.
>+	 */
>+	cifsFileInfo_get(cfile);
>+
>+	queue_work(cifsoplockd_wq, &cfile->oplock_break);
>+}
>+
> void cifs_done_oplock_break(struct cifsInodeInfo *cinode)
> {
> 	clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
>diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
>index 1485ab8c2d65..f80fcc6921ee 100644
>--- a/fs/cifs/smb2misc.c
>+++ b/fs/cifs/smb2misc.c
>@@ -458,7 +458,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
> 			clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
> 				  &cinode->flags);
> 
>-		queue_work(cifsoplockd_wq, &cfile->oplock_break);
>+		cifs_queue_oplock_break(cfile);
> 		kfree(lw);
> 		return true;
> 	}
>@@ -602,8 +602,8 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
> 					   CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
> 					   &cinode->flags);
> 				spin_unlock(&cfile->file_info_lock);
>-				queue_work(cifsoplockd_wq,
>-					   &cfile->oplock_break);
>+
>+				cifs_queue_oplock_break(cfile);
> 
> 				spin_unlock(&tcon->open_file_lock);
> 				spin_unlock(&cifs_tcp_ses_lock);
>diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
>index 376ccd96127f..d95a547cf94e 100644
>--- a/fs/cifs/smb2ops.c
>+++ b/fs/cifs/smb2ops.c
>@@ -906,6 +906,8 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
> 
> 	rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_buf);
> 
>+	if (!rc)
>+		SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
> 	if (!rc || !err_buf) {
> 		kfree(utf16_path);
> 		return -ENOENT;
>diff --git a/fs/ext4/file.c b/fs/ext4/file.c
>index 40c86790109e..201f683bea89 100644
>--- a/fs/ext4/file.c
>+++ b/fs/ext4/file.c
>@@ -79,7 +79,7 @@ ext4_unaligned_aio(struct inode *inode, struct iov_iter *from, loff_t pos)
> 	struct super_block *sb = inode->i_sb;
> 	int blockmask = sb->s_blocksize - 1;
> 
>-	if (pos >= i_size_read(inode))
>+	if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize))
> 		return 0;
> 
> 	if ((pos | iov_iter_alignment(from)) & blockmask)
>diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
>index 80c3f1ed1afa..63597cd0265c 100644
>--- a/fs/ext4/resize.c
>+++ b/fs/ext4/resize.c
>@@ -908,11 +908,18 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
> 	memcpy(n_group_desc, o_group_desc,
> 	       EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
> 	n_group_desc[gdb_num] = gdb_bh;
>+
>+	BUFFER_TRACE(gdb_bh, "get_write_access");
>+	err = ext4_journal_get_write_access(handle, gdb_bh);
>+	if (err) {
>+		kvfree(n_group_desc);
>+		brelse(gdb_bh);
>+		return err;
>+	}
>+
> 	EXT4_SB(sb)->s_group_desc = n_group_desc;
> 	EXT4_SB(sb)->s_gdb_count++;
> 	ext4_kvfree(o_group_desc);
>-	BUFFER_TRACE(gdb_bh, "get_write_access");
>-	err = ext4_journal_get_write_access(handle, gdb_bh);
> 	return err;
> }
> 
>diff --git a/fs/lockd/host.c b/fs/lockd/host.c
>index b31117c12102..6f12147a2fea 100644
>--- a/fs/lockd/host.c
>+++ b/fs/lockd/host.c
>@@ -288,12 +288,11 @@ void nlmclnt_release_host(struct nlm_host *host)
> 
> 	WARN_ON_ONCE(host->h_server);
> 
>-	if (atomic_dec_and_test(&host->h_count)) {
>+	if (atomic_dec_and_mutex_lock(&host->h_count, &nlm_host_mutex)) {
> 		WARN_ON_ONCE(!list_empty(&host->h_lockowners));
> 		WARN_ON_ONCE(!list_empty(&host->h_granted));
> 		WARN_ON_ONCE(!list_empty(&host->h_reclaim));
> 
>-		mutex_lock(&nlm_host_mutex);
> 		nlm_destroy_host_locked(host);
> 		mutex_unlock(&nlm_host_mutex);
> 	}
>diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
>index 7445af0b1aa3..a0bc66039269 100644
>--- a/fs/proc/meminfo.c
>+++ b/fs/proc/meminfo.c
>@@ -27,10 +27,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
> 	struct vmalloc_info vmi;
> 	long cached;
> 	long available;
>-	unsigned long pagecache;
>-	unsigned long wmark_low = 0;
> 	unsigned long pages[NR_LRU_LISTS];
>-	struct zone *zone;
> 	int lru;
> 
> /*
>@@ -51,36 +48,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
> 	for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++)
> 		pages[lru] = global_page_state(NR_LRU_BASE + lru);
> 
>-	for_each_zone(zone)
>-		wmark_low += zone->watermark[WMARK_LOW];
>-
>-	/*
>-	 * Estimate the amount of memory available for userspace allocations,
>-	 * without causing swapping.
>-	 *
>-	 * Free memory cannot be taken below the low watermark, before the
>-	 * system starts swapping.
>-	 */
>-	available = i.freeram - wmark_low;
>-
>-	/*
>-	 * Not all the page cache can be freed, otherwise the system will
>-	 * start swapping. Assume at least half of the page cache, or the
>-	 * low watermark worth of cache, needs to stay.
>-	 */
>-	pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE];
>-	pagecache -= min(pagecache / 2, wmark_low);
>-	available += pagecache;
>-
>-	/*
>-	 * Part of the reclaimable slab consists of items that are in use,
>-	 * and cannot be freed. Cap this estimate at the low watermark.
>-	 */
>-	available += global_page_state(NR_SLAB_RECLAIMABLE) -
>-		     min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low);
>-
>-	if (available < 0)
>-		available = 0;
>+	available = si_mem_available();
> 
> 	/*
> 	 * Tagged format, for easy grepping and expansion.
>diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
>index bfb8e8d588b8..eb7067de78db 100644
>--- a/fs/proc/proc_sysctl.c
>+++ b/fs/proc/proc_sysctl.c
>@@ -1550,8 +1550,11 @@ static void drop_sysctl_table(struct ctl_table_header *header)
> 	if (--header->nreg)
> 		return;
> 
>-	put_links(header);
>-	start_unregistering(header);
>+	if (parent) {
>+		put_links(header);
>+		start_unregistering(header);
>+	}
>+
> 	if (!--header->count)
> 		kfree_rcu(header, rcu);
> 
>diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c
>index 8a9657d7f7c6..8df2632a2966 100644
>--- a/fs/udf/truncate.c
>+++ b/fs/udf/truncate.c
>@@ -261,6 +261,9 @@ void udf_truncate_extents(struct inode *inode)
> 			epos.block = eloc;
> 			epos.bh = udf_tread(sb,
> 					udf_get_lb_pblock(sb, &eloc, 0));
>+			/* Error reading indirect block? */
>+			if (!epos.bh)
>+				return;
> 			if (elen)
> 				indirect_ext_len =
> 					(elen + sb->s_blocksize - 1) >>
>diff --git a/fs/ufs/util.h b/fs/ufs/util.h
>index 3f9463f8cf2f..f877d5cadd98 100644
>--- a/fs/ufs/util.h
>+++ b/fs/ufs/util.h
>@@ -228,7 +228,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode)
> 	case UFS_UID_44BSD:
> 		return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
> 	case UFS_UID_EFT:
>-		if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
>+		if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
> 			return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
> 		/* Fall through */
> 	default:
>diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
>index 8c0ff78ff45a..83fac3e091c2 100644
>--- a/include/linux/kprobes.h
>+++ b/include/linux/kprobes.h
>@@ -197,6 +197,7 @@ struct kretprobe_instance {
> 	struct kretprobe *rp;
> 	kprobe_opcode_t *ret_addr;
> 	struct task_struct *task;
>+	void *fp;
> 	char data[0];
> };
> 
>diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
>index 64c7425afbce..f2bca5a77851 100644
>--- a/include/linux/lockdep.h
>+++ b/include/linux/lockdep.h
>@@ -525,9 +525,24 @@ do {									\
> 	lock_acquire(&(lock)->dep_map, 0, 0, 1, 1, NULL, _THIS_IP_);	\
> 	lock_release(&(lock)->dep_map, 0, _THIS_IP_);			\
> } while (0)
>+
>+#define lockdep_assert_irqs_enabled()	do {				\
>+		WARN_ONCE(debug_locks && !current->lockdep_recursion &&	\
>+			  !current->hardirqs_enabled,			\
>+			  "IRQs not enabled as expected\n");		\
>+	} while (0)
>+
>+#define lockdep_assert_irqs_disabled()	do {				\
>+		WARN_ONCE(debug_locks && !current->lockdep_recursion &&	\
>+			  current->hardirqs_enabled,			\
>+			  "IRQs not disabled as expected\n");		\
>+	} while (0)
>+
> #else
> # define might_lock(lock) do { } while (0)
> # define might_lock_read(lock) do { } while (0)
>+# define lockdep_assert_irqs_enabled() do { } while (0)
>+# define lockdep_assert_irqs_disabled() do { } while (0)
> #endif
> 
> #ifdef CONFIG_PROVE_RCU
>diff --git a/include/linux/mm.h b/include/linux/mm.h
>index a576467cd4a5..e67e12641b63 100644
>--- a/include/linux/mm.h
>+++ b/include/linux/mm.h
>@@ -1699,6 +1699,7 @@ extern int __meminit init_per_zone_wmark_min(void);
> extern void mem_init(void);
> extern void __init mmap_init(void);
> extern void show_mem(unsigned int flags);
>+extern long si_mem_available(void);
> extern void si_meminfo(struct sysinfo * val);
> extern void si_meminfo_node(struct sysinfo *val, int nid);
> 
>diff --git a/include/linux/siphash.h b/include/linux/siphash.h
>new file mode 100644
>index 000000000000..c8c7ae2e687b
>--- /dev/null
>+++ b/include/linux/siphash.h
>@@ -0,0 +1,90 @@
>+/* Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
>+ *
>+ * This file is provided under a dual BSD/GPLv2 license.
>+ *
>+ * SipHash: a fast short-input PRF
>+ * https://131002.net/siphash/
>+ *
>+ * This implementation is specifically for SipHash2-4.
>+ */
>+
>+#ifndef _LINUX_SIPHASH_H
>+#define _LINUX_SIPHASH_H
>+
>+#include <linux/types.h>
>+#include <linux/kernel.h>
>+
>+#define SIPHASH_ALIGNMENT __alignof__(u64)
>+typedef struct {
>+	u64 key[2];
>+} siphash_key_t;
>+
>+static inline bool siphash_key_is_zero(const siphash_key_t *key)
>+{
>+	return !(key->key[0] | key->key[1]);
>+}
>+
>+u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key);
>+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
>+u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key);
>+#endif
>+
>+u64 siphash_1u64(const u64 a, const siphash_key_t *key);
>+u64 siphash_2u64(const u64 a, const u64 b, const siphash_key_t *key);
>+u64 siphash_3u64(const u64 a, const u64 b, const u64 c,
>+		 const siphash_key_t *key);
>+u64 siphash_4u64(const u64 a, const u64 b, const u64 c, const u64 d,
>+		 const siphash_key_t *key);
>+u64 siphash_1u32(const u32 a, const siphash_key_t *key);
>+u64 siphash_3u32(const u32 a, const u32 b, const u32 c,
>+		 const siphash_key_t *key);
>+
>+static inline u64 siphash_2u32(const u32 a, const u32 b,
>+			       const siphash_key_t *key)
>+{
>+	return siphash_1u64((u64)b << 32 | a, key);
>+}
>+static inline u64 siphash_4u32(const u32 a, const u32 b, const u32 c,
>+			       const u32 d, const siphash_key_t *key)
>+{
>+	return siphash_2u64((u64)b << 32 | a, (u64)d << 32 | c, key);
>+}
>+
>+
>+static inline u64 ___siphash_aligned(const __le64 *data, size_t len,
>+				     const siphash_key_t *key)
>+{
>+	if (__builtin_constant_p(len) && len == 4)
>+		return siphash_1u32(le32_to_cpup((const __le32 *)data), key);
>+	if (__builtin_constant_p(len) && len == 8)
>+		return siphash_1u64(le64_to_cpu(data[0]), key);
>+	if (__builtin_constant_p(len) && len == 16)
>+		return siphash_2u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]),
>+				    key);
>+	if (__builtin_constant_p(len) && len == 24)
>+		return siphash_3u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]),
>+				    le64_to_cpu(data[2]), key);
>+	if (__builtin_constant_p(len) && len == 32)
>+		return siphash_4u64(le64_to_cpu(data[0]), le64_to_cpu(data[1]),
>+				    le64_to_cpu(data[2]), le64_to_cpu(data[3]),
>+				    key);
>+	return __siphash_aligned(data, len, key);
>+}
>+
>+/**
>+ * siphash - compute 64-bit siphash PRF value
>+ * @data: buffer to hash
>+ * @size: size of @data
>+ * @key: the siphash key
>+ */
>+static inline u64 siphash(const void *data, size_t len,
>+			  const siphash_key_t *key)
>+{
>+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
>+	if (!IS_ALIGNED((unsigned long)data, SIPHASH_ALIGNMENT))
>+		return __siphash_unaligned(data, len, key);
>+#endif
>+	return ___siphash_aligned(data, len, key);
>+}
>+
>+#endif /* _LINUX_SIPHASH_H */
>diff --git a/include/linux/string.h b/include/linux/string.h
>index dd71dd08a840..85491dd76903 100644
>--- a/include/linux/string.h
>+++ b/include/linux/string.h
>@@ -113,6 +113,9 @@ extern void * memscan(void *,int,__kernel_size_t);
> #ifndef __HAVE_ARCH_MEMCMP
> extern int memcmp(const void *,const void *,__kernel_size_t);
> #endif
>+#ifndef __HAVE_ARCH_BCMP
>+extern int bcmp(const void *,const void *,__kernel_size_t);
>+#endif
> #ifndef __HAVE_ARCH_MEMCHR
> extern void * memchr(const void *,int,__kernel_size_t);
> #endif
>diff --git a/include/linux/usb.h b/include/linux/usb.h
>index a53e036b2252..64a39f02a5f6 100644
>--- a/include/linux/usb.h
>+++ b/include/linux/usb.h
>@@ -125,7 +125,6 @@ enum usb_interface_condition {
>  * @dev: driver model's view of this device
>  * @usb_dev: if an interface is bound to the USB major, this will point
>  *	to the sysfs representation for that device.
>- * @pm_usage_cnt: PM usage counter for this interface
>  * @reset_ws: Used for scheduling resets from atomic context.
>  * @reset_running: set to 1 if the interface is currently running a
>  *      queued reset so that usb_cancel_queued_reset() doesn't try to
>@@ -186,7 +185,6 @@ struct usb_interface {
> 
> 	struct device dev;		/* interface specific device info */
> 	struct device *usb_dev;
>-	atomic_t pm_usage_cnt;		/* usage counter for autosuspend */
> 	struct work_struct reset_ws;	/* for resets in atomic context */
> };
> #define	to_usb_interface(d) container_of(d, struct usb_interface, dev)
>diff --git a/include/net/ip.h b/include/net/ip.h
>index 27dd9826e05d..8ec53320c902 100644
>--- a/include/net/ip.h
>+++ b/include/net/ip.h
>@@ -319,9 +319,10 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb)
> }
> 
> u32 ip_idents_reserve(u32 hash, int segs);
>-void __ip_select_ident(struct iphdr *iph, int segs);
>+void __ip_select_ident(struct net *net, struct iphdr *iph, int segs);
> 
>-static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, int segs)
>+static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
>+					struct sock *sk, int segs)
> {
> 	struct iphdr *iph = ip_hdr(skb);
> 
>@@ -338,13 +339,14 @@ static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, in
> 			iph->id = 0;
> 		}
> 	} else {
>-		__ip_select_ident(iph, segs);
>+		__ip_select_ident(net, iph, segs);
> 	}
> }
> 
>-static inline void ip_select_ident(struct sk_buff *skb, struct sock *sk)
>+static inline void ip_select_ident(struct net *net, struct sk_buff *skb,
>+				   struct sock *sk)
> {
>-	ip_select_ident_segs(skb, sk, 1);
>+	ip_select_ident_segs(net, skb, sk, 1);
> }
> 
> static inline __wsum inet_compute_pseudo(struct sk_buff *skb, int proto)
>diff --git a/include/net/ipv6.h b/include/net/ipv6.h
>index c30ba46ef2f0..c4e455f4bfe6 100644
>--- a/include/net/ipv6.h
>+++ b/include/net/ipv6.h
>@@ -688,7 +688,9 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add
> 	return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
> }
> 
>-void ipv6_proxy_select_ident(struct sk_buff *skb);
>+void ipv6_select_ident(struct net *net, struct frag_hdr *fhdr,
>+		       struct rt6_info *rt);
>+void ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb);
> 
> int ip6_dst_hoplimit(struct dst_entry *dst);
> 
>diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
>index 5c53572b5f0d..3b66e31a7819 100644
>--- a/include/net/netfilter/nf_conntrack.h
>+++ b/include/net/netfilter/nf_conntrack.h
>@@ -289,6 +289,8 @@ void init_nf_conntrack_hash_rnd(void);
> 
> void nf_conntrack_tmpl_insert(struct net *net, struct nf_conn *tmpl);
> 
>+u32 nf_ct_get_id(const struct nf_conn *ct);
>+
> #define NF_CT_STAT_INC(net, count)	  __this_cpu_inc((net)->ct.stat->count)
> #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
> 
>diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
>index 80a1c572b9a0..213f53d4f6b2 100644
>--- a/include/net/netns/ipv4.h
>+++ b/include/net/netns/ipv4.h
>@@ -7,6 +7,7 @@
> 
> #include <linux/uidgid.h>
> #include <net/inet_frag.h>
>+#include <linux/siphash.h>
> 
> struct tcpm_hash_bucket;
> struct ctl_table_header;
>@@ -98,5 +99,6 @@ struct netns_ipv4 {
> #endif
> #endif
> 	atomic_t	rt_genid;
>+	siphash_key_t	ip_id_key;
> };
> #endif
>diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h
>index 32ee65a30aff..1c6e6c0766ca 100644
>--- a/include/net/sctp/checksum.h
>+++ b/include/net/sctp/checksum.h
>@@ -61,7 +61,7 @@ static inline __wsum sctp_csum_combine(__wsum csum, __wsum csum2,
> static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
> 					unsigned int offset)
> {
>-	struct sctphdr *sh = sctp_hdr(skb);
>+	struct sctphdr *sh = (struct sctphdr *)(skb->data + offset);
> 	const struct skb_checksum_ops ops = {
> 		.update  = sctp_csum_update,
> 		.combine = sctp_csum_combine,
>diff --git a/kernel/events/core.c b/kernel/events/core.c
>index e8be52939ed1..3beed0ea98d9 100644
>--- a/kernel/events/core.c
>+++ b/kernel/events/core.c
>@@ -5445,6 +5445,7 @@ static void perf_event_mmap_output(struct perf_event *event,
> 	struct perf_output_handle handle;
> 	struct perf_sample_data sample;
> 	int size = mmap_event->event_id.header.size;
>+	u32 type = mmap_event->event_id.header.type;
> 	int ret;
> 
> 	if (!perf_event_mmap_match(event, data))
>@@ -5488,6 +5489,7 @@ static void perf_event_mmap_output(struct perf_event *event,
> 	perf_output_end(&handle);
> out:
> 	mmap_event->event_id.header.size = size;
>+	mmap_event->event_id.header.type = type;
> }
> 
> static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
>diff --git a/kernel/futex.c b/kernel/futex.c
>index 0ee2f54d74fb..99679c0040cc 100644
>--- a/kernel/futex.c
>+++ b/kernel/futex.c
>@@ -2909,6 +2909,10 @@ int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)
> {
> 	u32 uval, uninitialized_var(nval), mval;
> 
>+	/* Futex address must be 32bit aligned */
>+	if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0)
>+		return -1;
>+
> retry:
> 	if (get_user(uval, uaddr))
> 		return -1;
>diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
>index 328410652be6..f967ff776e5b 100644
>--- a/kernel/sched/fair.c
>+++ b/kernel/sched/fair.c
>@@ -1503,6 +1503,10 @@ static u64 numa_get_avg_runtime(struct task_struct *p, u64 *period)
> 	if (p->last_task_numa_placement) {
> 		delta = runtime - p->last_sum_exec_runtime;
> 		*period = now - p->last_task_numa_placement;
>+
>+		/* Avoid time going backwards, prevent potential divide error: */
>+		if (unlikely((s64)*period < 0))
>+			*period = 0;
> 	} else {
> 		delta = p->se.avg.runnable_avg_sum;
> 		*period = p->se.avg.runnable_avg_period;
>@@ -3704,6 +3708,8 @@ static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer)
> 	return HRTIMER_NORESTART;
> }
> 
>+extern const u64 max_cfs_quota_period;
>+
> static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
> {
> 	struct cfs_bandwidth *cfs_b =
>@@ -3711,6 +3717,7 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
> 	ktime_t now;
> 	int overrun;
> 	int idle = 0;
>+	int count = 0;
> 
> 	raw_spin_lock(&cfs_b->lock);
> 	for (;;) {
>@@ -3720,6 +3727,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
> 		if (!overrun)
> 			break;
> 
>+		if (++count > 3) {
>+			u64 new, old = ktime_to_ns(cfs_b->period);
>+
>+			new = (old * 147) / 128; /* ~115% */
>+			new = min(new, max_cfs_quota_period);
>+
>+			cfs_b->period = ns_to_ktime(new);
>+
>+			/* since max is 1s, this is limited to 1e9^2, which fits in u64 */
>+			cfs_b->quota *= new;
>+			cfs_b->quota = div64_u64(cfs_b->quota, old);
>+
>+			pr_warn_ratelimited(
>+	"cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n",
>+				smp_processor_id(),
>+				div_u64(new, NSEC_PER_USEC),
>+				div_u64(cfs_b->quota, NSEC_PER_USEC));
>+
>+			/* reset count so we don't come right back in here */
>+			count = 0;
>+		}
>+
> 		idle = do_sched_cfs_period_timer(cfs_b, overrun);
> 	}
> 	raw_spin_unlock(&cfs_b->lock);
>@@ -5487,10 +5516,10 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
> 	if (cfs_rq->last_h_load_update == now)
> 		return;
> 
>-	cfs_rq->h_load_next = NULL;
>+	ACCESS_ONCE(cfs_rq->h_load_next) = NULL;
> 	for_each_sched_entity(se) {
> 		cfs_rq = cfs_rq_of(se);
>-		cfs_rq->h_load_next = se;
>+		ACCESS_ONCE(cfs_rq->h_load_next) = se;
> 		if (cfs_rq->last_h_load_update == now)
> 			break;
> 	}
>@@ -5500,7 +5529,7 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
> 		cfs_rq->last_h_load_update = now;
> 	}
> 
>-	while ((se = cfs_rq->h_load_next) != NULL) {
>+	while ((se = ACCESS_ONCE(cfs_rq->h_load_next)) != NULL) {
> 		load = cfs_rq->h_load;
> 		load = div64_ul(load * se->avg.load_avg_contrib,
> 				cfs_rq->runnable_load_avg + 1);
>diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
>index 8ee705e1d472..c59d43d54d32 100644
>--- a/kernel/trace/ftrace.c
>+++ b/kernel/trace/ftrace.c
>@@ -32,6 +32,7 @@
> #include <linux/list.h>
> #include <linux/hash.h>
> #include <linux/rcupdate.h>
>+#include <linux/kprobes.h>
> 
> #include <trace/events/sched.h>
> 
>@@ -4508,7 +4509,7 @@ static struct ftrace_ops control_ops = {
> 	INIT_OPS_HASH(control_ops)
> };
> 
>-static inline void
>+static nokprobe_inline void
> __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
> 		       struct ftrace_ops *ignored, struct pt_regs *regs)
> {
>@@ -4561,11 +4562,13 @@ static void ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
> {
> 	__ftrace_ops_list_func(ip, parent_ip, NULL, regs);
> }
>+NOKPROBE_SYMBOL(ftrace_ops_list_func);
> #else
> static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip)
> {
> 	__ftrace_ops_list_func(ip, parent_ip, NULL, NULL);
> }
>+NOKPROBE_SYMBOL(ftrace_ops_no_ops);
> #endif
> 
> static void clear_ftrace_swapper(void)
>diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
>index 107e8ce1a87e..89d99ccb1617 100644
>--- a/kernel/trace/ring_buffer.c
>+++ b/kernel/trace/ring_buffer.c
>@@ -729,7 +729,7 @@ u64 ring_buffer_time_stamp(struct ring_buffer *buffer, int cpu)
> 
> 	preempt_disable_notrace();
> 	time = rb_time_stamp(buffer);
>-	preempt_enable_no_resched_notrace();
>+	preempt_enable_notrace();
> 
> 	return time;
> }
>diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
>index 7a638aa3545b..3678fc124dc1 100644
>--- a/lib/Kconfig.debug
>+++ b/lib/Kconfig.debug
>@@ -1550,6 +1550,16 @@ config TEST_STRING_HELPERS
> config TEST_KSTRTOX
> 	tristate "Test kstrto*() family of functions at runtime"
> 
>+config TEST_HASH
>+	tristate "Perform selftest on hash functions"
>+	default n
>+	help
>+	  Enable this option to test the kernel's siphash (<linux/siphash.h>)
>+	  hash functions on boot (or module load).
>+
>+	  This is intended to help people writing architecture-specific
>+	  optimized versions.  If unsure, say N.
>+
> endmenu # runtime tests
> 
> config PROVIDE_OHCI1394_DMA_INIT
>diff --git a/lib/Makefile b/lib/Makefile
>index ba967a19edba..31a4389ff179 100644
>--- a/lib/Makefile
>+++ b/lib/Makefile
>@@ -26,10 +26,11 @@ obj-y += bcd.o div64.o sort.o parser.o halfmd4.o debug_locks.o random32.o \
> 	 bust_spinlocks.o hexdump.o kasprintf.o bitmap.o scatterlist.o \
> 	 gcd.o lcm.o list_sort.o uuid.o flex_array.o iovec.o clz_ctz.o \
> 	 bsearch.o find_last_bit.o find_next_bit.o llist.o memweight.o kfifo.o \
>-	 percpu-refcount.o percpu_ida.o hash.o
>+	 percpu-refcount.o percpu_ida.o hash.o siphash.o
> obj-y += string_helpers.o
> obj-$(CONFIG_TEST_STRING_HELPERS) += test-string_helpers.o
> obj-y += kstrtox.o
>+obj-$(CONFIG_TEST_HASH) += test_siphash.o
> obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o
> obj-$(CONFIG_TEST_MODULE) += test_module.o
> obj-$(CONFIG_TEST_USER_COPY) += test_user_copy.o
>diff --git a/lib/siphash.c b/lib/siphash.c
>new file mode 100644
>index 000000000000..c43cf406e71b
>--- /dev/null
>+++ b/lib/siphash.c
>@@ -0,0 +1,232 @@
>+/* Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
>+ *
>+ * This file is provided under a dual BSD/GPLv2 license.
>+ *
>+ * SipHash: a fast short-input PRF
>+ * https://131002.net/siphash/
>+ *
>+ * This implementation is specifically for SipHash2-4.
>+ */
>+
>+#include <linux/siphash.h>
>+#include <asm/unaligned.h>
>+
>+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64
>+#include <linux/dcache.h>
>+#include <asm/word-at-a-time.h>
>+#endif
>+
>+#define SIPROUND \
>+	do { \
>+	v0 += v1; v1 = rol64(v1, 13); v1 ^= v0; v0 = rol64(v0, 32); \
>+	v2 += v3; v3 = rol64(v3, 16); v3 ^= v2; \
>+	v0 += v3; v3 = rol64(v3, 21); v3 ^= v0; \
>+	v2 += v1; v1 = rol64(v1, 17); v1 ^= v2; v2 = rol64(v2, 32); \
>+	} while (0)
>+
>+#define PREAMBLE(len) \
>+	u64 v0 = 0x736f6d6570736575ULL; \
>+	u64 v1 = 0x646f72616e646f6dULL; \
>+	u64 v2 = 0x6c7967656e657261ULL; \
>+	u64 v3 = 0x7465646279746573ULL; \
>+	u64 b = ((u64)(len)) << 56; \
>+	v3 ^= key->key[1]; \
>+	v2 ^= key->key[0]; \
>+	v1 ^= key->key[1]; \
>+	v0 ^= key->key[0];
>+
>+#define POSTAMBLE \
>+	v3 ^= b; \
>+	SIPROUND; \
>+	SIPROUND; \
>+	v0 ^= b; \
>+	v2 ^= 0xff; \
>+	SIPROUND; \
>+	SIPROUND; \
>+	SIPROUND; \
>+	SIPROUND; \
>+	return (v0 ^ v1) ^ (v2 ^ v3);
>+
>+u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key)
>+{
>+	const u8 *end = data + len - (len % sizeof(u64));
>+	const u8 left = len & (sizeof(u64) - 1);
>+	u64 m;
>+	PREAMBLE(len)
>+	for (; data != end; data += sizeof(u64)) {
>+		m = le64_to_cpup(data);
>+		v3 ^= m;
>+		SIPROUND;
>+		SIPROUND;
>+		v0 ^= m;
>+	}
>+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64
>+	if (left)
>+		b |= le64_to_cpu((__force __le64)(load_unaligned_zeropad(data) &
>+						  bytemask_from_count(left)));
>+#else
>+	switch (left) {
>+	case 7: b |= ((u64)end[6]) << 48;
>+	case 6: b |= ((u64)end[5]) << 40;
>+	case 5: b |= ((u64)end[4]) << 32;
>+	case 4: b |= le32_to_cpup(data); break;
>+	case 3: b |= ((u64)end[2]) << 16;
>+	case 2: b |= le16_to_cpup(data); break;
>+	case 1: b |= end[0];
>+	}
>+#endif
>+	POSTAMBLE
>+}
>+EXPORT_SYMBOL(__siphash_aligned);
>+
>+#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
>+u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key)
>+{
>+	const u8 *end = data + len - (len % sizeof(u64));
>+	const u8 left = len & (sizeof(u64) - 1);
>+	u64 m;
>+	PREAMBLE(len)
>+	for (; data != end; data += sizeof(u64)) {
>+		m = get_unaligned_le64(data);
>+		v3 ^= m;
>+		SIPROUND;
>+		SIPROUND;
>+		v0 ^= m;
>+	}
>+#if defined(CONFIG_DCACHE_WORD_ACCESS) && BITS_PER_LONG == 64
>+	if (left)
>+		b |= le64_to_cpu((__force __le64)(load_unaligned_zeropad(data) &
>+						  bytemask_from_count(left)));
>+#else
>+	switch (left) {
>+	case 7: b |= ((u64)end[6]) << 48;
>+	case 6: b |= ((u64)end[5]) << 40;
>+	case 5: b |= ((u64)end[4]) << 32;
>+	case 4: b |= get_unaligned_le32(end); break;
>+	case 3: b |= ((u64)end[2]) << 16;
>+	case 2: b |= get_unaligned_le16(end); break;
>+	case 1: b |= end[0];
>+	}
>+#endif
>+	POSTAMBLE
>+}
>+EXPORT_SYMBOL(__siphash_unaligned);
>+#endif
>+
>+/**
>+ * siphash_1u64 - compute 64-bit siphash PRF value of a u64
>+ * @first: first u64
>+ * @key: the siphash key
>+ */
>+u64 siphash_1u64(const u64 first, const siphash_key_t *key)
>+{
>+	PREAMBLE(8)
>+	v3 ^= first;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= first;
>+	POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_1u64);
>+
>+/**
>+ * siphash_2u64 - compute 64-bit siphash PRF value of 2 u64
>+ * @first: first u64
>+ * @second: second u64
>+ * @key: the siphash key
>+ */
>+u64 siphash_2u64(const u64 first, const u64 second, const siphash_key_t *key)
>+{
>+	PREAMBLE(16)
>+	v3 ^= first;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= first;
>+	v3 ^= second;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= second;
>+	POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_2u64);
>+
>+/**
>+ * siphash_3u64 - compute 64-bit siphash PRF value of 3 u64
>+ * @first: first u64
>+ * @second: second u64
>+ * @third: third u64
>+ * @key: the siphash key
>+ */
>+u64 siphash_3u64(const u64 first, const u64 second, const u64 third,
>+		 const siphash_key_t *key)
>+{
>+	PREAMBLE(24)
>+	v3 ^= first;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= first;
>+	v3 ^= second;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= second;
>+	v3 ^= third;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= third;
>+	POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_3u64);
>+
>+/**
>+ * siphash_4u64 - compute 64-bit siphash PRF value of 4 u64
>+ * @first: first u64
>+ * @second: second u64
>+ * @third: third u64
>+ * @forth: forth u64
>+ * @key: the siphash key
>+ */
>+u64 siphash_4u64(const u64 first, const u64 second, const u64 third,
>+		 const u64 forth, const siphash_key_t *key)
>+{
>+	PREAMBLE(32)
>+	v3 ^= first;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= first;
>+	v3 ^= second;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= second;
>+	v3 ^= third;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= third;
>+	v3 ^= forth;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= forth;
>+	POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_4u64);
>+
>+u64 siphash_1u32(const u32 first, const siphash_key_t *key)
>+{
>+	PREAMBLE(4)
>+	b |= first;
>+	POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_1u32);
>+
>+u64 siphash_3u32(const u32 first, const u32 second, const u32 third,
>+		 const siphash_key_t *key)
>+{
>+	u64 combined = (u64)second << 32 | first;
>+	PREAMBLE(12)
>+	v3 ^= combined;
>+	SIPROUND;
>+	SIPROUND;
>+	v0 ^= combined;
>+	b |= third;
>+	POSTAMBLE
>+}
>+EXPORT_SYMBOL(siphash_3u32);
>diff --git a/lib/string.c b/lib/string.c
>index 80e8bdb60538..94928426f511 100644
>--- a/lib/string.c
>+++ b/lib/string.c
>@@ -776,6 +776,26 @@ __visible int memcmp(const void *cs, const void *ct, size_t count)
> EXPORT_SYMBOL(memcmp);
> #endif
> 
>+#ifndef __HAVE_ARCH_BCMP
>+/**
>+ * bcmp - returns 0 if and only if the buffers have identical contents.
>+ * @a: pointer to first buffer.
>+ * @b: pointer to second buffer.
>+ * @len: size of buffers.
>+ *
>+ * The sign or magnitude of a non-zero return value has no particular
>+ * meaning, and architectures may implement their own more efficient bcmp(). So
>+ * while this particular implementation is a simple (tail) call to memcmp, do
>+ * not rely on anything but whether the return value is zero or non-zero.
>+ */
>+#undef bcmp
>+int bcmp(const void *a, const void *b, size_t len)
>+{
>+	return memcmp(a, b, len);
>+}
>+EXPORT_SYMBOL(bcmp);
>+#endif
>+
> #ifndef __HAVE_ARCH_MEMSCAN
> /**
>  * memscan - Find a character in an area of memory.
>diff --git a/lib/test_siphash.c b/lib/test_siphash.c
>new file mode 100644
>index 000000000000..d972acfc15e4
>--- /dev/null
>+++ b/lib/test_siphash.c
>@@ -0,0 +1,131 @@
>+/* Test cases for siphash.c
>+ *
>+ * Copyright (C) 2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
>+ *
>+ * This file is provided under a dual BSD/GPLv2 license.
>+ *
>+ * SipHash: a fast short-input PRF
>+ * https://131002.net/siphash/
>+ *
>+ * This implementation is specifically for SipHash2-4.
>+ */
>+
>+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>+
>+#include <linux/siphash.h>
>+#include <linux/kernel.h>
>+#include <linux/string.h>
>+#include <linux/errno.h>
>+#include <linux/module.h>
>+
>+/* Test vectors taken from official reference source available at:
>+ *     https://131002.net/siphash/siphash24.c
>+ */
>+
>+static const siphash_key_t test_key_siphash =
>+	{{ 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL }};
>+
>+static const u64 test_vectors_siphash[64] = {
>+	0x726fdb47dd0e0e31ULL, 0x74f839c593dc67fdULL, 0x0d6c8009d9a94f5aULL,
>+	0x85676696d7fb7e2dULL, 0xcf2794e0277187b7ULL, 0x18765564cd99a68dULL,
>+	0xcbc9466e58fee3ceULL, 0xab0200f58b01d137ULL, 0x93f5f5799a932462ULL,
>+	0x9e0082df0ba9e4b0ULL, 0x7a5dbbc594ddb9f3ULL, 0xf4b32f46226bada7ULL,
>+	0x751e8fbc860ee5fbULL, 0x14ea5627c0843d90ULL, 0xf723ca908e7af2eeULL,
>+	0xa129ca6149be45e5ULL, 0x3f2acc7f57c29bdbULL, 0x699ae9f52cbe4794ULL,
>+	0x4bc1b3f0968dd39cULL, 0xbb6dc91da77961bdULL, 0xbed65cf21aa2ee98ULL,
>+	0xd0f2cbb02e3b67c7ULL, 0x93536795e3a33e88ULL, 0xa80c038ccd5ccec8ULL,
>+	0xb8ad50c6f649af94ULL, 0xbce192de8a85b8eaULL, 0x17d835b85bbb15f3ULL,
>+	0x2f2e6163076bcfadULL, 0xde4daaaca71dc9a5ULL, 0xa6a2506687956571ULL,
>+	0xad87a3535c49ef28ULL, 0x32d892fad841c342ULL, 0x7127512f72f27cceULL,
>+	0xa7f32346f95978e3ULL, 0x12e0b01abb051238ULL, 0x15e034d40fa197aeULL,
>+	0x314dffbe0815a3b4ULL, 0x027990f029623981ULL, 0xcadcd4e59ef40c4dULL,
>+	0x9abfd8766a33735cULL, 0x0e3ea96b5304a7d0ULL, 0xad0c42d6fc585992ULL,
>+	0x187306c89bc215a9ULL, 0xd4a60abcf3792b95ULL, 0xf935451de4f21df2ULL,
>+	0xa9538f0419755787ULL, 0xdb9acddff56ca510ULL, 0xd06c98cd5c0975ebULL,
>+	0xe612a3cb9ecba951ULL, 0xc766e62cfcadaf96ULL, 0xee64435a9752fe72ULL,
>+	0xa192d576b245165aULL, 0x0a8787bf8ecb74b2ULL, 0x81b3e73d20b49b6fULL,
>+	0x7fa8220ba3b2eceaULL, 0x245731c13ca42499ULL, 0xb78dbfaf3a8d83bdULL,
>+	0xea1ad565322a1a0bULL, 0x60e61c23a3795013ULL, 0x6606d7e446282b93ULL,
>+	0x6ca4ecb15c5f91e1ULL, 0x9f626da15c9625f3ULL, 0xe51b38608ef25f57ULL,
>+	0x958a324ceb064572ULL
>+};
>+
>+static int __init siphash_test_init(void)
>+{
>+	u8 in[64] __aligned(SIPHASH_ALIGNMENT);
>+	u8 in_unaligned[65] __aligned(SIPHASH_ALIGNMENT);
>+	u8 i;
>+	int ret = 0;
>+
>+	for (i = 0; i < 64; ++i) {
>+		in[i] = i;
>+		in_unaligned[i + 1] = i;
>+		if (siphash(in, i, &test_key_siphash) !=
>+						test_vectors_siphash[i]) {
>+			pr_info("siphash self-test aligned %u: FAIL\n", i + 1);
>+			ret = -EINVAL;
>+		}
>+		if (siphash(in_unaligned + 1, i, &test_key_siphash) !=
>+						test_vectors_siphash[i]) {
>+			pr_info("siphash self-test unaligned %u: FAIL\n", i + 1);
>+			ret = -EINVAL;
>+		}
>+	}
>+	if (siphash_1u64(0x0706050403020100ULL, &test_key_siphash) !=
>+						test_vectors_siphash[8]) {
>+		pr_info("siphash self-test 1u64: FAIL\n");
>+		ret = -EINVAL;
>+	}
>+	if (siphash_2u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
>+			 &test_key_siphash) != test_vectors_siphash[16]) {
>+		pr_info("siphash self-test 2u64: FAIL\n");
>+		ret = -EINVAL;
>+	}
>+	if (siphash_3u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
>+			 0x1716151413121110ULL, &test_key_siphash) !=
>+						test_vectors_siphash[24]) {
>+		pr_info("siphash self-test 3u64: FAIL\n");
>+		ret = -EINVAL;
>+	}
>+	if (siphash_4u64(0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL,
>+			 0x1716151413121110ULL, 0x1f1e1d1c1b1a1918ULL,
>+			 &test_key_siphash) != test_vectors_siphash[32]) {
>+		pr_info("siphash self-test 4u64: FAIL\n");
>+		ret = -EINVAL;
>+	}
>+	if (siphash_1u32(0x03020100U, &test_key_siphash) !=
>+						test_vectors_siphash[4]) {
>+		pr_info("siphash self-test 1u32: FAIL\n");
>+		ret = -EINVAL;
>+	}
>+	if (siphash_2u32(0x03020100U, 0x07060504U, &test_key_siphash) !=
>+						test_vectors_siphash[8]) {
>+		pr_info("siphash self-test 2u32: FAIL\n");
>+		ret = -EINVAL;
>+	}
>+	if (siphash_3u32(0x03020100U, 0x07060504U,
>+			 0x0b0a0908U, &test_key_siphash) !=
>+						test_vectors_siphash[12]) {
>+		pr_info("siphash self-test 3u32: FAIL\n");
>+		ret = -EINVAL;
>+	}
>+	if (siphash_4u32(0x03020100U, 0x07060504U,
>+			 0x0b0a0908U, 0x0f0e0d0cU, &test_key_siphash) !=
>+						test_vectors_siphash[16]) {
>+		pr_info("siphash self-test 4u32: FAIL\n");
>+		ret = -EINVAL;
>+	}
>+	if (!ret)
>+		pr_info("self-tests: pass\n");
>+	return ret;
>+}
>+
>+static void __exit siphash_test_exit(void)
>+{
>+}
>+
>+module_init(siphash_test_init);
>+module_exit(siphash_test_exit);
>+
>+MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
>+MODULE_LICENSE("Dual BSD/GPL");
>diff --git a/mm/page_alloc.c b/mm/page_alloc.c
>index 7a783dc67305..b491f75f7491 100644
>--- a/mm/page_alloc.c
>+++ b/mm/page_alloc.c
>@@ -3072,6 +3072,49 @@ static inline void show_node(struct zone *zone)
> 		printk("Node %d ", zone_to_nid(zone));
> }
> 
>+long si_mem_available(void)
>+{
>+	long available;
>+	unsigned long pagecache;
>+	unsigned long wmark_low = 0;
>+	unsigned long pages[NR_LRU_LISTS];
>+	struct zone *zone;
>+	int lru;
>+
>+	for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++)
>+		pages[lru] = global_page_state(NR_LRU_BASE + lru);
>+
>+	for_each_zone(zone)
>+		wmark_low += zone->watermark[WMARK_LOW];
>+
>+	/*
>+	 * Estimate the amount of memory available for userspace allocations,
>+	 * without causing swapping.
>+	 */
>+	available = global_page_state(NR_FREE_PAGES) - totalreserve_pages;
>+
>+	/*
>+	 * Not all the page cache can be freed, otherwise the system will
>+	 * start swapping. Assume at least half of the page cache, or the
>+	 * low watermark worth of cache, needs to stay.
>+	 */
>+	pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE];
>+	pagecache -= min(pagecache / 2, wmark_low);
>+	available += pagecache;
>+
>+	/*
>+	 * Part of the reclaimable slab consists of items that are in use,
>+	 * and cannot be freed. Cap this estimate at the low watermark.
>+	 */
>+	available += global_page_state(NR_SLAB_RECLAIMABLE) -
>+		     min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low);
>+
>+	if (available < 0)
>+		available = 0;
>+	return available;
>+}
>+EXPORT_SYMBOL_GPL(si_mem_available);
>+
> void si_meminfo(struct sysinfo *val)
> {
> 	val->totalram = totalram_pages;
>diff --git a/mm/vmstat.c b/mm/vmstat.c
>index ae3c911843fa..8272a99dce41 100644
>--- a/mm/vmstat.c
>+++ b/mm/vmstat.c
>@@ -861,13 +861,8 @@ const char * const vmstat_text[] = {
> 	"thp_zero_page_alloc_failed",
> #endif
> #ifdef CONFIG_DEBUG_TLBFLUSH
>-#ifdef CONFIG_SMP
> 	"nr_tlb_remote_flush",
> 	"nr_tlb_remote_flush_received",
>-#else
>-	"", /* nr_tlb_remote_flush */
>-	"", /* nr_tlb_remote_flush_received */
>-#endif /* CONFIG_SMP */
> 	"nr_tlb_local_flush_all",
> 	"nr_tlb_local_flush_one",
> #endif /* CONFIG_DEBUG_TLBFLUSH */
>diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
>index 335401d6351c..2a1611e65904 100644
>--- a/net/batman-adv/bridge_loop_avoidance.c
>+++ b/net/batman-adv/bridge_loop_avoidance.c
>@@ -677,6 +677,8 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
> 				 const uint8_t *mac, const unsigned short vid)
> {
> 	struct batadv_bla_claim search_claim, *claim;
>+	struct batadv_bla_claim *claim_removed_entry;
>+	struct hlist_node *claim_removed_node;
> 
> 	ether_addr_copy(search_claim.addr, mac);
> 	search_claim.vid = vid;
>@@ -687,10 +689,18 @@ static void batadv_bla_del_claim(struct batadv_priv *bat_priv,
> 	batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_del_claim(): %pM, vid %d\n",
> 		   mac, BATADV_PRINT_VID(vid));
> 
>-	batadv_hash_remove(bat_priv->bla.claim_hash, batadv_compare_claim,
>-			   batadv_choose_claim, claim);
>-	batadv_claim_free_ref(claim); /* reference from the hash is gone */
>+	claim_removed_node = batadv_hash_remove(bat_priv->bla.claim_hash,
>+						batadv_compare_claim,
>+						batadv_choose_claim, claim);
>+	if (!claim_removed_node)
>+		goto free_claim;
> 
>+	/* reference from the hash is gone */
>+	claim_removed_entry = hlist_entry(claim_removed_node,
>+					  struct batadv_bla_claim, hash_entry);
>+	batadv_claim_free_ref(claim_removed_entry);
>+
>+free_claim:
> 	/* don't need the reference from hash_find() anymore */
> 	batadv_claim_free_ref(claim);
> }
>diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
>index c9ac7d948a21..422d54f6a243 100644
>--- a/net/batman-adv/translation-table.c
>+++ b/net/batman-adv/translation-table.c
>@@ -483,14 +483,26 @@ static void batadv_tt_global_free(struct batadv_priv *bat_priv,
> 				  struct batadv_tt_global_entry *tt_global,
> 				  const char *message)
> {
>+	struct batadv_tt_global_entry *tt_removed_entry;
>+	struct hlist_node *tt_removed_node;
>+
> 	batadv_dbg(BATADV_DBG_TT, bat_priv,
> 		   "Deleting global tt entry %pM (vid: %d): %s\n",
> 		   tt_global->common.addr,
> 		   BATADV_PRINT_VID(tt_global->common.vid), message);
> 
>-	batadv_hash_remove(bat_priv->tt.global_hash, batadv_compare_tt,
>-			   batadv_choose_tt, &tt_global->common);
>-	batadv_tt_global_entry_free_ref(tt_global);
>+	tt_removed_node = batadv_hash_remove(bat_priv->tt.global_hash,
>+					     batadv_compare_tt,
>+					     batadv_choose_tt,
>+					     &tt_global->common);
>+	if (!tt_removed_node)
>+		return;
>+
>+	/* drop reference of remove hash entry */
>+	tt_removed_entry = hlist_entry(tt_removed_node,
>+				       struct batadv_tt_global_entry,
>+				       common.hash_entry);
>+	batadv_tt_global_entry_free_ref(tt_removed_entry);
> }
> 
> /**
>@@ -1021,9 +1033,10 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
> 				const uint8_t *addr, unsigned short vid,
> 				const char *message, bool roaming)
> {
>+	struct batadv_tt_local_entry *tt_removed_entry;
> 	struct batadv_tt_local_entry *tt_local_entry;
> 	uint16_t flags, curr_flags = BATADV_NO_FLAGS;
>-	void *tt_entry_exists;
>+	struct hlist_node *tt_removed_node;
> 
> 	tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid);
> 	if (!tt_local_entry)
>@@ -1052,15 +1065,18 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
> 	 */
> 	batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL);
> 
>-	tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash,
>+	tt_removed_node = batadv_hash_remove(bat_priv->tt.local_hash,
> 					     batadv_compare_tt,
> 					     batadv_choose_tt,
> 					     &tt_local_entry->common);
>-	if (!tt_entry_exists)
>+	if (!tt_removed_node)
> 		goto out;
> 
>-	/* extra call to free the local tt entry */
>-	batadv_tt_local_entry_free_ref(tt_local_entry);
>+	/* drop reference of remove hash entry */
>+	tt_removed_entry = hlist_entry(tt_removed_node,
>+				       struct batadv_tt_local_entry,
>+				       common.hash_entry);
>+	batadv_tt_local_entry_free_ref(tt_removed_entry);
> 
> out:
> 	if (tt_local_entry)
>diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
>index 3c594185de36..7725dd99fdc6 100644
>--- a/net/bridge/br_multicast.c
>+++ b/net/bridge/br_multicast.c
>@@ -2036,7 +2036,8 @@ static void br_multicast_start_querier(struct net_bridge *br,
> 
> 	__br_multicast_open(br, query);
> 
>-	list_for_each_entry(port, &br->port_list, list) {
>+	rcu_read_lock();
>+	list_for_each_entry_rcu(port, &br->port_list, list) {
> 		if (port->state == BR_STATE_DISABLED ||
> 		    port->state == BR_STATE_BLOCKING)
> 			continue;
>@@ -2048,6 +2049,7 @@ static void br_multicast_start_querier(struct net_bridge *br,
> 			br_multicast_enable(&port->ip6_own_query);
> #endif
> 	}
>+	rcu_read_unlock();
> }
> 
> int br_multicast_toggle(struct net_bridge *br, unsigned long val)
>diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
>index 2cf4e30ac41a..7ddb8b322556 100644
>--- a/net/bridge/br_netfilter.c
>+++ b/net/bridge/br_netfilter.c
>@@ -659,6 +659,8 @@ static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
> 		return NF_DROP;
> 
> 	skb->protocol = htons(ETH_P_IPV6);
>+	skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
>+
> 	NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
> 		br_nf_pre_routing_finish_ipv6);
> 
>@@ -715,6 +717,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
> 		return NF_DROP;
> 	store_orig_dstaddr(skb);
> 	skb->protocol = htons(ETH_P_IP);
>+	skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
> 
> 	NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
> 		br_nf_pre_routing_finish);
>diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
>index 2df71bc7959d..75929f9bd4e6 100644
>--- a/net/bridge/netfilter/ebtables.c
>+++ b/net/bridge/netfilter/ebtables.c
>@@ -2011,7 +2011,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
> 		if (match_kern)
> 			match_kern->match_size = ret;
> 
>-		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
>+		/* rule should have no remaining data after target */
>+		if (type == EBT_COMPAT_TARGET && size_left)
> 			return -EINVAL;
> 
> 		match32 = (struct compat_ebt_entry_mwt *) buf;
>diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
>index cd332d0fa930..7550d098e3b7 100644
>--- a/net/core/net-sysfs.c
>+++ b/net/core/net-sysfs.c
>@@ -788,6 +788,8 @@ static int rx_queue_add_kobject(struct net_device *net, int index)
> 	if (error)
> 		return error;
> 
>+	dev_hold(queue->dev);
>+
> 	if (net->sysfs_rx_queue_group) {
> 		error = sysfs_create_group(kobj, net->sysfs_rx_queue_group);
> 		if (error) {
>@@ -797,7 +799,6 @@ static int rx_queue_add_kobject(struct net_device *net, int index)
> 	}
> 
> 	kobject_uevent(kobj, KOBJ_ADD);
>-	dev_hold(queue->dev);
> 
> 	return error;
> }
>@@ -1146,6 +1147,8 @@ static int netdev_queue_add_kobject(struct net_device *net, int index)
> 	if (error)
> 		return error;
> 
>+	dev_hold(queue->dev);
>+
> #ifdef CONFIG_BQL
> 	error = sysfs_create_group(kobj, &dql_group);
> 	if (error) {
>@@ -1155,7 +1158,6 @@ static int netdev_queue_add_kobject(struct net_device *net, int index)
> #endif
> 
> 	kobject_uevent(kobj, KOBJ_ADD);
>-	dev_hold(queue->dev);
> 
> 	return 0;
> }
>diff --git a/net/dccp/feat.c b/net/dccp/feat.c
>index 9733ddbc96cb..fa99d53f29e5 100644
>--- a/net/dccp/feat.c
>+++ b/net/dccp/feat.c
>@@ -738,7 +738,12 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local,
> 	if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
> 		return -ENOMEM;
> 
>-	return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
>+	if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
>+		kfree(fval.sp.vec);
>+		return -ENOMEM;
>+	}
>+
>+	return 0;
> }
> 
> /**
>diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
>index 30455bf91b18..c3ed865d262f 100644
>--- a/net/dccp/ipv6.c
>+++ b/net/dccp/ipv6.c
>@@ -491,8 +491,8 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
> 		newnp->ipv6_mc_list = NULL;
> 		newnp->ipv6_ac_list = NULL;
> 		newnp->ipv6_fl_list = NULL;
>-		newnp->mcast_oif   = inet6_iif(skb);
>-		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
>+		newnp->mcast_oif   = inet_iif(skb);
>+		newnp->mcast_hops  = ip_hdr(skb)->ttl;
> 
> 		/*
> 		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
>diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
>index 48444c4c3c51..680ce5f4fb65 100644
>--- a/net/ipv4/igmp.c
>+++ b/net/ipv4/igmp.c
>@@ -395,7 +395,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
> 
> 	pip->protocol = IPPROTO_IGMP;
> 	pip->tot_len  = 0;	/* filled in later */
>-	ip_select_ident(skb, NULL);
>+	ip_select_ident(net, skb, NULL);
> 	((u8 *)&pip[1])[0] = IPOPT_RA;
> 	((u8 *)&pip[1])[1] = 4;
> 	((u8 *)&pip[1])[2] = 0;
>@@ -739,7 +739,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
> 	iph->daddr    = dst;
> 	iph->saddr    = fl4.saddr;
> 	iph->protocol = IPPROTO_IGMP;
>-	ip_select_ident(skb, NULL);
>+	ip_select_ident(net, skb, NULL);
> 	((u8 *)&iph[1])[0] = IPOPT_RA;
> 	((u8 *)&iph[1])[1] = 4;
> 	((u8 *)&iph[1])[2] = 0;
>diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
>index 109eddf0248a..2a05dfc9a35e 100644
>--- a/net/ipv4/ip_output.c
>+++ b/net/ipv4/ip_output.c
>@@ -150,7 +150,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
> 	iph->daddr    = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
> 	iph->saddr    = saddr;
> 	iph->protocol = sk->sk_protocol;
>-	ip_select_ident(skb, sk);
>+	ip_select_ident(sock_net(sk), skb, sk);
> 
> 	if (opt && opt->opt.optlen) {
> 		iph->ihl += opt->opt.optlen>>2;
>@@ -432,7 +432,8 @@ int ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl)
> 		ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);
> 	}
> 
>-	ip_select_ident_segs(skb, sk, skb_shinfo(skb)->gso_segs ?: 1);
>+	ip_select_ident_segs(sock_net(sk), skb, sk,
>+			     skb_shinfo(skb)->gso_segs ?: 1);
> 
> 	/* TODO : should we use skb->sk here instead of sk ? */
> 	skb->priority = sk->sk_priority;
>@@ -1385,7 +1386,7 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
> 	iph->ttl = ttl;
> 	iph->protocol = sk->sk_protocol;
> 	ip_copy_addrs(iph, fl4);
>-	ip_select_ident(skb, sk);
>+	ip_select_ident(net, skb, sk);
> 
> 	if (opt) {
> 		iph->ihl += opt->optlen>>2;
>diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
>index 88c386cf7d85..ce63ab21b6cd 100644
>--- a/net/ipv4/ip_tunnel_core.c
>+++ b/net/ipv4/ip_tunnel_core.c
>@@ -74,7 +74,8 @@ int iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
> 	iph->daddr	=	dst;
> 	iph->saddr	=	src;
> 	iph->ttl	=	ttl;
>-	__ip_select_ident(iph, skb_shinfo(skb)->gso_segs ?: 1);
>+	__ip_select_ident(dev_net(rt->dst.dev), iph,
>+			  skb_shinfo(skb)->gso_segs ?: 1);
> 
> 	err = ip_local_out_sk(sk, skb);
> 	if (unlikely(net_xmit_eval(err)))
>diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
>index 643ec0bb80a5..5859c0f5bd41 100644
>--- a/net/ipv4/ipmr.c
>+++ b/net/ipv4/ipmr.c
>@@ -1647,7 +1647,8 @@ static struct notifier_block ip_mr_notifier = {
>  *	important for multicast video.
>  */
> 
>-static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
>+static void ip_encap(struct net *net, struct sk_buff *skb,
>+		     __be32 saddr, __be32 daddr)
> {
> 	struct iphdr *iph;
> 	const struct iphdr *old_iph = ip_hdr(skb);
>@@ -1666,7 +1667,7 @@ static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
> 	iph->protocol	=	IPPROTO_IPIP;
> 	iph->ihl	=	5;
> 	iph->tot_len	=	htons(skb->len);
>-	ip_select_ident(skb, NULL);
>+	ip_select_ident(net, skb, NULL);
> 	ip_send_check(iph);
> 
> 	memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
>@@ -1763,7 +1764,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
> 	 * What do we do with netfilter? -- RR
> 	 */
> 	if (vif->flags & VIFF_TUNNEL) {
>-		ip_encap(skb, vif->local, vif->remote);
>+		ip_encap(net, skb, vif->local, vif->remote);
> 		/* FIXME: extra output firewall step used to be here. --RR */
> 		vif->dev->stats.tx_packets++;
> 		vif->dev->stats.tx_bytes += skb->len;
>diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
>index e43a585abb35..04700c745ca0 100644
>--- a/net/ipv4/raw.c
>+++ b/net/ipv4/raw.c
>@@ -399,7 +399,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
> 		iph->check   = 0;
> 		iph->tot_len = htons(length);
> 		if (!iph->id)
>-			ip_select_ident(skb, NULL);
>+			ip_select_ident(net, skb, NULL);
> 
> 		iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
> 	}
>diff --git a/net/ipv4/route.c b/net/ipv4/route.c
>index 660848116761..858596c80e0e 100644
>--- a/net/ipv4/route.c
>+++ b/net/ipv4/route.c
>@@ -484,19 +484,19 @@ u32 ip_idents_reserve(u32 hash, int segs)
> }
> EXPORT_SYMBOL(ip_idents_reserve);
> 
>-void __ip_select_ident(struct iphdr *iph, int segs)
>+void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
> {
>-	static u32 ip_idents_hashrnd __read_mostly;
>-	static u32 ip_idents_hashrnd_extra __read_mostly;
> 	u32 hash, id;
> 
>-	net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
>-	net_get_random_once(&ip_idents_hashrnd_extra, sizeof(ip_idents_hashrnd_extra));
>+	/* Note the following code is not safe, but this is okay. */
>+	if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
>+		get_random_bytes(&net->ipv4.ip_id_key,
>+				 sizeof(net->ipv4.ip_id_key));
> 
>-	hash = jhash_3words((__force u32)iph->daddr,
>+	hash = siphash_3u32((__force u32)iph->daddr,
> 			    (__force u32)iph->saddr,
>-			    iph->protocol ^ ip_idents_hashrnd_extra,
>-			    ip_idents_hashrnd);
>+			    iph->protocol,
>+			    &net->ipv4.ip_id_key);
> 	id = ip_idents_reserve(hash, segs);
> 	iph->id = htons(id);
> }
>diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
>index 91771a7c802f..35feda676464 100644
>--- a/net/ipv4/xfrm4_mode_tunnel.c
>+++ b/net/ipv4/xfrm4_mode_tunnel.c
>@@ -63,7 +63,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
> 
> 	top_iph->saddr = x->props.saddr.a4;
> 	top_iph->daddr = x->id.daddr.a4;
>-	ip_select_ident(skb, NULL);
>+	ip_select_ident(dev_net(dst->dev), skb, NULL);
> 
> 	return 0;
> }
>diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
>index 3a4c1f93023a..1b99e1406186 100644
>--- a/net/ipv4/xfrm4_policy.c
>+++ b/net/ipv4/xfrm4_policy.c
>@@ -103,7 +103,8 @@ static void
> _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> {
> 	const struct iphdr *iph = ip_hdr(skb);
>-	u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
>+	int ihl = iph->ihl;
>+	u8 *xprth = skb_network_header(skb) + ihl * 4;
> 	struct flowi4 *fl4 = &fl->u.ip4;
> 	int oif = 0;
> 
>@@ -114,6 +115,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> 	fl4->flowi4_mark = skb->mark;
> 	fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
> 
>+	fl4->flowi4_proto = iph->protocol;
>+	fl4->daddr = reverse ? iph->saddr : iph->daddr;
>+	fl4->saddr = reverse ? iph->daddr : iph->saddr;
>+	fl4->flowi4_tos = iph->tos;
>+
> 	if (!ip_is_fragment(iph)) {
> 		switch (iph->protocol) {
> 		case IPPROTO_UDP:
>@@ -123,7 +129,10 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> 		case IPPROTO_DCCP:
> 			if (xprth + 4 < skb->data ||
> 			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
>-				__be16 *ports = (__be16 *)xprth;
>+				__be16 *ports;
>+
>+				xprth = skb_network_header(skb) + ihl * 4;
>+				ports = (__be16 *)xprth;
> 
> 				fl4->fl4_sport = ports[!!reverse];
> 				fl4->fl4_dport = ports[!reverse];
>@@ -131,8 +140,12 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> 			break;
> 
> 		case IPPROTO_ICMP:
>-			if (pskb_may_pull(skb, xprth + 2 - skb->data)) {
>-				u8 *icmp = xprth;
>+			if (xprth + 2 < skb->data ||
>+			    pskb_may_pull(skb, xprth + 2 - skb->data)) {
>+				u8 *icmp;
>+
>+				xprth = skb_network_header(skb) + ihl * 4;
>+				icmp = xprth;
> 
> 				fl4->fl4_icmp_type = icmp[0];
> 				fl4->fl4_icmp_code = icmp[1];
>@@ -140,33 +153,50 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> 			break;
> 
> 		case IPPROTO_ESP:
>-			if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
>-				__be32 *ehdr = (__be32 *)xprth;
>+			if (xprth + 4 < skb->data ||
>+			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
>+				__be32 *ehdr;
>+
>+				xprth = skb_network_header(skb) + ihl * 4;
>+				ehdr = (__be32 *)xprth;
> 
> 				fl4->fl4_ipsec_spi = ehdr[0];
> 			}
> 			break;
> 
> 		case IPPROTO_AH:
>-			if (pskb_may_pull(skb, xprth + 8 - skb->data)) {
>-				__be32 *ah_hdr = (__be32 *)xprth;
>+			if (xprth + 8 < skb->data ||
>+			    pskb_may_pull(skb, xprth + 8 - skb->data)) {
>+				__be32 *ah_hdr;
>+
>+				xprth = skb_network_header(skb) + ihl * 4;
>+				ah_hdr = (__be32 *)xprth;
> 
> 				fl4->fl4_ipsec_spi = ah_hdr[1];
> 			}
> 			break;
> 
> 		case IPPROTO_COMP:
>-			if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
>-				__be16 *ipcomp_hdr = (__be16 *)xprth;
>+			if (xprth + 4 < skb->data ||
>+			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
>+				__be16 *ipcomp_hdr;
>+
>+				xprth = skb_network_header(skb) + ihl * 4;
>+				ipcomp_hdr = (__be16 *)xprth;
> 
> 				fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
> 			}
> 			break;
> 
> 		case IPPROTO_GRE:
>-			if (pskb_may_pull(skb, xprth + 12 - skb->data)) {
>-				__be16 *greflags = (__be16 *)xprth;
>-				__be32 *gre_hdr = (__be32 *)xprth;
>+			if (xprth + 12 < skb->data ||
>+			    pskb_may_pull(skb, xprth + 12 - skb->data)) {
>+				__be16 *greflags;
>+				__be32 *gre_hdr;
>+
>+				xprth = skb_network_header(skb) + ihl * 4;
>+				greflags = (__be16 *)xprth;
>+				gre_hdr = (__be32 *)xprth;
> 
> 				if (greflags[0] & GRE_KEY) {
> 					if (greflags[0] & GRE_CSUM)
>@@ -181,10 +211,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
> 			break;
> 		}
> 	}
>-	fl4->flowi4_proto = iph->protocol;
>-	fl4->daddr = reverse ? iph->saddr : iph->daddr;
>-	fl4->saddr = reverse ? iph->daddr : iph->saddr;
>-	fl4->flowi4_tos = iph->tos;
> }
> 
> static inline int xfrm4_garbage_collect(struct dst_ops *ops)
>diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
>index f40ba684d69b..d8e8008aa7a4 100644
>--- a/net/ipv6/ip6_flowlabel.c
>+++ b/net/ipv6/ip6_flowlabel.c
>@@ -94,16 +94,22 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label)
> 	return fl;
> }
> 
>+static void fl_free_rcu(struct rcu_head *head)
>+{
>+	struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu);
>+
>+	if (fl->share == IPV6_FL_S_PROCESS)
>+		put_pid(fl->owner.pid);
>+	release_net(fl->fl_net);
>+	kfree(fl->opt);
>+	kfree(fl);
>+}
>+
> 
> static void fl_free(struct ip6_flowlabel *fl)
> {
>-	if (fl) {
>-		if (fl->share == IPV6_FL_S_PROCESS)
>-			put_pid(fl->owner.pid);
>-		release_net(fl->fl_net);
>-		kfree(fl->opt);
>-		kfree_rcu(fl, rcu);
>-	}
>+	if (fl)
>+		call_rcu(&fl->rcu, fl_free_rcu);
> }
> 
> static void fl_release(struct ip6_flowlabel *fl)
>@@ -630,9 +636,9 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
> 				if (fl1->share == IPV6_FL_S_EXCL ||
> 				    fl1->share != fl->share ||
> 				    ((fl1->share == IPV6_FL_S_PROCESS) &&
>-				     (fl1->owner.pid == fl->owner.pid)) ||
>+				     (fl1->owner.pid != fl->owner.pid)) ||
> 				    ((fl1->share == IPV6_FL_S_USER) &&
>-				     uid_eq(fl1->owner.uid, fl->owner.uid)))
>+				     !uid_eq(fl1->owner.uid, fl->owner.uid)))
> 					goto release;
> 
> 				err = -ENOMEM;
>diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
>index bb98cde51476..1e68db035daf 100644
>--- a/net/ipv6/ip6_output.c
>+++ b/net/ipv6/ip6_output.c
>@@ -538,23 +538,6 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
> 	skb_copy_secmark(to, from);
> }
> 
>-static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
>-{
>-	static u32 ip6_idents_hashrnd __read_mostly;
>-	static u32 ip6_idents_hashrnd_extra __read_mostly;
>-	u32 hash, id;
>-
>-	net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
>-	net_get_random_once(&ip6_idents_hashrnd_extra, sizeof(ip6_idents_hashrnd_extra));
>-
>-	hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd);
>-	hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash);
>-	hash = jhash_1word(hash, ip6_idents_hashrnd_extra);
>-
>-	id = ip_idents_reserve(hash, 1);
>-	fhdr->identification = htonl(id);
>-}
>-
> int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
> {
> 	struct sk_buff *frag;
>@@ -649,7 +632,7 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
> 		skb_reset_network_header(skb);
> 		memcpy(skb_network_header(skb), tmp_hdr, hlen);
> 
>-		ipv6_select_ident(fh, rt);
>+		ipv6_select_ident(net, fh, rt);
> 		fh->nexthdr = nexthdr;
> 		fh->reserved = 0;
> 		fh->frag_off = htons(IP6_MF);
>@@ -802,7 +785,7 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
> 		fh->nexthdr = nexthdr;
> 		fh->reserved = 0;
> 		if (!frag_id) {
>-			ipv6_select_ident(fh, rt);
>+			ipv6_select_ident(net, fh, rt);
> 			frag_id = fh->identification;
> 		} else
> 			fh->identification = frag_id;
>@@ -1096,7 +1079,7 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> 	skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
> 				     sizeof(struct frag_hdr)) & ~7;
> 	skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
>-	ipv6_select_ident(&fhdr, rt);
>+	ipv6_select_ident(sock_net(sk), &fhdr, rt);
> 	skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> 
> append:
>diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
>index 42978998534c..5733b05558a5 100644
>--- a/net/ipv6/ip6mr.c
>+++ b/net/ipv6/ip6mr.c
>@@ -1662,6 +1662,10 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
> 	struct net *net = sock_net(sk);
> 	struct mr6_table *mrt;
> 
>+	if (sk->sk_type != SOCK_RAW ||
>+	    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
>+		return -EOPNOTSUPP;
>+
> 	mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
> 	if (mrt == NULL)
> 		return -ENOENT;
>@@ -1673,9 +1677,6 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
> 
> 	switch (optname) {
> 	case MRT6_INIT:
>-		if (sk->sk_type != SOCK_RAW ||
>-		    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
>-			return -EOPNOTSUPP;
> 		if (optlen < sizeof(int))
> 			return -EINVAL;
> 
>@@ -1812,6 +1813,10 @@ int ip6_mroute_getsockopt(struct sock *sk, int optname, char __user *optval,
> 	struct net *net = sock_net(sk);
> 	struct mr6_table *mrt;
> 
>+	if (sk->sk_type != SOCK_RAW ||
>+	    inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
>+		return -EOPNOTSUPP;
>+
> 	mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
> 	if (mrt == NULL)
> 		return -ENOENT;
>diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
>index e32c1ff35f78..a8274abad231 100644
>--- a/net/ipv6/output_core.c
>+++ b/net/ipv6/output_core.c
>@@ -9,6 +9,36 @@
> #include <net/addrconf.h>
> #include <net/secure_seq.h>
> 
>+static u32 __ipv6_select_ident(struct net *net,
>+			       struct in6_addr *dst, struct in6_addr *src)
>+{
>+	const struct {
>+		struct in6_addr dst;
>+		struct in6_addr src;
>+	} __aligned(SIPHASH_ALIGNMENT) combined = {
>+		.dst = *dst,
>+		.src = *src,
>+	};
>+	u32 hash, id;
>+
>+	/* Note the following code is not safe, but this is okay. */
>+	if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
>+		get_random_bytes(&net->ipv4.ip_id_key,
>+				 sizeof(net->ipv4.ip_id_key));
>+
>+	hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
>+
>+	/* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
>+	 * set the hight order instead thus minimizing possible future
>+	 * collisions.
>+	 */
>+	id = ip_idents_reserve(hash, 1);
>+	if (unlikely(!id))
>+		id = 1 << 31;
>+
>+	return id;
>+}
>+
> /* This function exists only for tap drivers that must support broken
>  * clients requesting UFO without specifying an IPv6 fragment ID.
>  *
>@@ -17,12 +47,11 @@
>  *
>  * The network header must be set before calling this.
>  */
>-void ipv6_proxy_select_ident(struct sk_buff *skb)
>+void ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
> {
>-	static u32 ip6_proxy_idents_hashrnd __read_mostly;
> 	struct in6_addr buf[2];
> 	struct in6_addr *addrs;
>-	u32 hash, id;
>+	u32 id;
> 
> 	addrs = skb_header_pointer(skb,
> 				   skb_network_offset(skb) +
>@@ -31,17 +60,21 @@ void ipv6_proxy_select_ident(struct sk_buff *skb)
> 	if (!addrs)
> 		return;
> 
>-	net_get_random_once(&ip6_proxy_idents_hashrnd,
>-			    sizeof(ip6_proxy_idents_hashrnd));
>-
>-	hash = __ipv6_addr_jhash(&addrs[1], ip6_proxy_idents_hashrnd);
>-	hash = __ipv6_addr_jhash(&addrs[0], hash);
>-
>-	id = ip_idents_reserve(hash, 1);
>+	id = __ipv6_select_ident(net, &addrs[1], &addrs[0]);
> 	skb_shinfo(skb)->ip6_frag_id = htonl(id);
> }
> EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
> 
>+void ipv6_select_ident(struct net *net, struct frag_hdr *fhdr,
>+		       struct rt6_info *rt)
>+{
>+	u32 id;
>+
>+	id = __ipv6_select_ident(net, &rt->rt6i_dst.addr, &rt->rt6i_src.addr);
>+	fhdr->identification = htonl(id);
>+}
>+EXPORT_SYMBOL(ipv6_select_ident);
>+
> int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
> {
> 	unsigned int offset = sizeof(struct ipv6hdr);
>diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
>index 70a0f92cbbc0..4370371e0aa6 100644
>--- a/net/ipv6/tcp_ipv6.c
>+++ b/net/ipv6/tcp_ipv6.c
>@@ -1183,11 +1183,11 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
> 		newnp->ipv6_fl_list = NULL;
> 		newnp->pktoptions  = NULL;
> 		newnp->opt	   = NULL;
>-		newnp->mcast_oif   = inet6_iif(skb);
>-		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
>-		newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
>+		newnp->mcast_oif   = inet_iif(skb);
>+		newnp->mcast_hops  = ip_hdr(skb)->ttl;
>+		newnp->rcv_flowinfo = 0;
> 		if (np->repflow)
>-			newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
>+			newnp->flow_label = 0;
> 
> 		/*
> 		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
>diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
>index fa9ea1a72f99..28d02353743f 100644
>--- a/net/ipv6/udp_offload.c
>+++ b/net/ipv6/udp_offload.c
>@@ -75,6 +75,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
> 
> 		skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
> 
>+		/* Set the IPv6 fragment id if not set yet */
>+		if (!skb_shinfo(skb)->ip6_frag_id)
>+			ipv6_proxy_select_ident(dev_net(skb->dev), skb);
>+
> 		segs = NULL;
> 		goto out;
> 	}
>@@ -120,6 +124,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
> 		fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
> 		fptr->nexthdr = nexthdr;
> 		fptr->reserved = 0;
>+		if (!skb_shinfo(skb)->ip6_frag_id)
>+			ipv6_proxy_select_ident(dev_net(skb->dev), skb);
> 		fptr->identification = skb_shinfo(skb)->ip6_frag_id;
> 
> 		/* Fragment the skb. ipv6 header and the remaining fields of the
>diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
>index 1c66465a42dd..f1491b0004cd 100644
>--- a/net/ipv6/xfrm6_tunnel.c
>+++ b/net/ipv6/xfrm6_tunnel.c
>@@ -390,6 +390,10 @@ static void __exit xfrm6_tunnel_fini(void)
> 	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
> 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
> 	unregister_pernet_subsys(&xfrm6_tunnel_net_ops);
>+	/* Someone maybe has gotten the xfrm6_tunnel_spi.
>+	 * So need to wait it.
>+	 */
>+	rcu_barrier();
> 	kmem_cache_destroy(xfrm6_tunnel_spi_kmem);
> }
> 
>diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
>index 661252aeb7e0..c8b5c8c355b4 100644
>--- a/net/l2tp/l2tp_core.c
>+++ b/net/l2tp/l2tp_core.c
>@@ -217,8 +217,8 @@ struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
> 
> 	rcu_read_lock_bh();
> 	list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
>-		if (tunnel->tunnel_id == tunnel_id) {
>-			l2tp_tunnel_inc_refcount(tunnel);
>+		if (tunnel->tunnel_id == tunnel_id &&
>+		    atomic_inc_not_zero(&tunnel->ref_count)) {
> 			rcu_read_unlock_bh();
> 
> 			return tunnel;
>@@ -238,8 +238,8 @@ struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
> 
> 	rcu_read_lock_bh();
> 	list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
>-		if (++count > nth) {
>-			l2tp_tunnel_inc_refcount(tunnel);
>+		if (++count > nth &&
>+		    atomic_inc_not_zero(&tunnel->ref_count)) {
> 			rcu_read_unlock_bh();
> 			return tunnel;
> 		}
>@@ -997,7 +997,7 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
> {
> 	struct l2tp_tunnel *tunnel;
> 
>-	tunnel = l2tp_tunnel(sk);
>+	tunnel = rcu_dereference_sk_user_data(sk);
> 	if (tunnel == NULL)
> 		goto pass_up;
> 
>diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
>index 1ab5e1a51c98..607d8fdd5e68 100644
>--- a/net/mac80211/debugfs_netdev.c
>+++ b/net/mac80211/debugfs_netdev.c
>@@ -735,7 +735,7 @@ void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata)
> 
> 	dir = sdata->vif.debugfs_dir;
> 
>-	if (!dir)
>+	if (IS_ERR_OR_NULL(dir))
> 		return;
> 
> 	sprintf(buf, "netdev:%s", sdata->name);
>diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
>index 7abd786d9d89..44fa945ed6b4 100644
>--- a/net/netfilter/ipvs/ip_vs_xmit.c
>+++ b/net/netfilter/ipvs/ip_vs_xmit.c
>@@ -813,7 +813,8 @@ int
> ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
> 		  struct ip_vs_protocol *pp, struct ip_vs_iphdr *ipvsh)
> {
>-	struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
>+	struct net *net = skb_net(skb);
>+	struct netns_ipvs *ipvs = net_ipvs(net);
> 	struct rtable *rt;			/* Route to the other host */
> 	__be32 saddr;				/* Source for tunnel */
> 	struct net_device *tdev;		/* Device to other host */
>@@ -882,7 +883,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
> 	iph->daddr		=	cp->daddr.ip;
> 	iph->saddr		=	saddr;
> 	iph->ttl		=	old_iph->ttl;
>-	ip_select_ident(skb, NULL);
>+	ip_select_ident(net, skb, NULL);
> 
> 	/* Another hack: avoid icmp_send in ip_fragment */
> 	skb->ignore_df = 1;
>diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
>index cdd47388723b..170681b21d25 100644
>--- a/net/netfilter/nf_conntrack_core.c
>+++ b/net/netfilter/nf_conntrack_core.c
>@@ -23,6 +23,7 @@
> #include <linux/slab.h>
> #include <linux/random.h>
> #include <linux/jhash.h>
>+#include <linux/siphash.h>
> #include <linux/err.h>
> #include <linux/percpu.h>
> #include <linux/moduleparam.h>
>@@ -52,6 +53,7 @@
> #include <net/netfilter/nf_nat.h>
> #include <net/netfilter/nf_nat_core.h>
> #include <net/netfilter/nf_nat_helper.h>
>+#include <net/netns/hash.h>
> 
> #define NF_CONNTRACK_VERSION	"0.5.0"
> 
>@@ -232,6 +234,40 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
> }
> EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
> 
>+/* Generate a almost-unique pseudo-id for a given conntrack.
>+ *
>+ * intentionally doesn't re-use any of the seeds used for hash
>+ * table location, we assume id gets exposed to userspace.
>+ *
>+ * Following nf_conn items do not change throughout lifetime
>+ * of the nf_conn after it has been committed to main hash table:
>+ *
>+ * 1. nf_conn address
>+ * 2. nf_conn->ext address
>+ * 3. nf_conn->master address (normally NULL)
>+ * 4. tuple
>+ * 5. the associated net namespace
>+ */
>+u32 nf_ct_get_id(const struct nf_conn *ct)
>+{
>+	static __read_mostly siphash_key_t ct_id_seed;
>+	unsigned long a, b, c, d;
>+
>+	net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
>+
>+	a = (unsigned long)ct;
>+	b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
>+	c = (unsigned long)ct->ext;
>+	d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
>+				   &ct_id_seed);
>+#ifdef CONFIG_64BIT
>+	return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
>+#else
>+	return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &ct_id_seed);
>+#endif
>+}
>+EXPORT_SYMBOL_GPL(nf_ct_get_id);
>+
> static void
> clean_from_lists(struct nf_conn *ct)
> {
>diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
>index faa736bae869..b9bf8b0f4ec1 100644
>--- a/net/netfilter/nf_conntrack_netlink.c
>+++ b/net/netfilter/nf_conntrack_netlink.c
>@@ -29,6 +29,7 @@
> #include <linux/spinlock.h>
> #include <linux/interrupt.h>
> #include <linux/slab.h>
>+#include <linux/siphash.h>
> 
> #include <linux/netfilter.h>
> #include <net/netlink.h>
>@@ -435,7 +436,9 @@ ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
> static inline int
> ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
> {
>-	if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
>+	__be32 id = (__force __be32)nf_ct_get_id(ct);
>+
>+	if (nla_put_be32(skb, CTA_ID, id))
> 		goto nla_put_failure;
> 	return 0;
> 
>@@ -1047,8 +1050,9 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
> 	ct = nf_ct_tuplehash_to_ctrack(h);
> 
> 	if (cda[CTA_ID]) {
>-		u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
>-		if (id != (u32)(unsigned long)ct) {
>+		__be32 id = nla_get_be32(cda[CTA_ID]);
>+
>+		if (id != (__force __be32)nf_ct_get_id(ct)) {
> 			nf_ct_put(ct);
> 			return -ENOENT;
> 		}
>@@ -2321,6 +2325,25 @@ ctnetlink_exp_dump_mask(struct sk_buff *skb,
> 
> static const union nf_inet_addr any_addr;
> 
>+static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
>+{
>+	static __read_mostly siphash_key_t exp_id_seed;
>+	unsigned long a, b, c, d;
>+
>+	net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
>+
>+	a = (unsigned long)exp;
>+	b = (unsigned long)exp->helper;
>+	c = (unsigned long)exp->master;
>+	d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
>+
>+#ifdef CONFIG_64BIT
>+	return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
>+#else
>+	return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
>+#endif
>+}
>+
> static int
> ctnetlink_exp_dump_expect(struct sk_buff *skb,
> 			  const struct nf_conntrack_expect *exp)
>@@ -2368,7 +2391,7 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,
> 	}
> #endif
> 	if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
>-	    nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
>+	    nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
> 	    nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
> 	    nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
> 		goto nla_put_failure;
>@@ -2664,7 +2687,8 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
> 
> 	if (cda[CTA_EXPECT_ID]) {
> 		__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
>-		if (ntohl(id) != (u32)(unsigned long)exp) {
>+
>+		if (id != nf_expect_get_id(exp)) {
> 			nf_ct_expect_put(exp);
> 			return -ENOENT;
> 		}
>diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
>index 20a844788443..0777d98d3dec 100644
>--- a/net/packet/af_packet.c
>+++ b/net/packet/af_packet.c
>@@ -2278,8 +2278,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
> 	void *ph;
> 	DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name);
> 	bool need_wait = !(msg->msg_flags & MSG_DONTWAIT);
>+	unsigned char *addr = NULL;
> 	int tp_len, size_max;
>-	unsigned char *addr;
> 	int len_sum = 0;
> 	int status = TP_STATUS_AVAILABLE;
> 	int hlen, tlen;
>@@ -2289,7 +2289,6 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
> 	if (likely(saddr == NULL)) {
> 		dev	= packet_cached_dev_get(po);
> 		proto	= po->num;
>-		addr	= NULL;
> 	} else {
> 		err = -EINVAL;
> 		if (msg->msg_namelen < sizeof(struct sockaddr_ll))
>@@ -2299,10 +2298,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
> 						sll_addr)))
> 			goto out;
> 		proto	= saddr->sll_protocol;
>-		addr	= saddr->sll_halen ? saddr->sll_addr : NULL;
> 		dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
>-		if (addr && dev && saddr->sll_halen < dev->addr_len)
>-			goto out_put;
>+		if (po->sk.sk_socket->type == SOCK_DGRAM) {
>+			if (dev && msg->msg_namelen < dev->addr_len +
>+				   offsetof(struct sockaddr_ll, sll_addr))
>+				goto out_put;
>+			addr = saddr->sll_addr;
>+		}
> 	}
> 
> 	err = -ENXIO;
>@@ -2435,7 +2437,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
> 	struct sk_buff *skb;
> 	struct net_device *dev;
> 	__be16 proto;
>-	unsigned char *addr;
>+	unsigned char *addr = NULL;
> 	int err, reserve = 0;
> 	struct virtio_net_hdr vnet_hdr = { 0 };
> 	int offset = 0;
>@@ -2453,7 +2455,6 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
> 	if (likely(saddr == NULL)) {
> 		dev	= packet_cached_dev_get(po);
> 		proto	= po->num;
>-		addr	= NULL;
> 	} else {
> 		err = -EINVAL;
> 		if (msg->msg_namelen < sizeof(struct sockaddr_ll))
>@@ -2461,10 +2462,13 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
> 		if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
> 			goto out;
> 		proto	= saddr->sll_protocol;
>-		addr	= saddr->sll_halen ? saddr->sll_addr : NULL;
> 		dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
>-		if (addr && dev && saddr->sll_halen < dev->addr_len)
>-			goto out_unlock;
>+		if (sock->type == SOCK_DGRAM) {
>+			if (dev && msg->msg_namelen < dev->addr_len +
>+				   offsetof(struct sockaddr_ll, sll_addr))
>+				goto out_unlock;
>+			addr = saddr->sll_addr;
>+		}
> 	}
> 
> 	err = -ENXIO;
>@@ -3027,19 +3031,28 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
> 	sock_recv_ts_and_drops(msg, sk, skb);
> 
> 	if (msg->msg_name) {
>+		int copy_len;
>+
> 		/* If the address length field is there to be filled
> 		 * in, we fill it in now.
> 		 */
> 		if (sock->type == SOCK_PACKET) {
> 			__sockaddr_check_size(sizeof(struct sockaddr_pkt));
> 			msg->msg_namelen = sizeof(struct sockaddr_pkt);
>+			copy_len = msg->msg_namelen;
> 		} else {
> 			struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll;
> 			msg->msg_namelen = sll->sll_halen +
> 				offsetof(struct sockaddr_ll, sll_addr);
>+			copy_len = msg->msg_namelen;
>+			if (msg->msg_namelen < sizeof(struct sockaddr_ll)) {
>+				memset(msg->msg_name +
>+				       offsetof(struct sockaddr_ll, sll_addr),
>+				       0, sizeof(sll->sll_addr));
>+				msg->msg_namelen = sizeof(struct sockaddr_ll);
>+			}
> 		}
>-		memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa,
>-		       msg->msg_namelen);
>+		memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
> 	}
> 
> 	if (pkt_sk(sk)->auxdata) {
>diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
>index 344456206b70..d5199b25b821 100644
>--- a/net/rose/rose_loopback.c
>+++ b/net/rose/rose_loopback.c
>@@ -16,15 +16,19 @@
> #include <linux/init.h>
> 
> static struct sk_buff_head loopback_queue;
>+#define ROSE_LOOPBACK_LIMIT 1000
> static struct timer_list loopback_timer;
> 
> static void rose_set_loopback_timer(void);
>+static void rose_loopback_timer(unsigned long);
> 
> void rose_loopback_init(void)
> {
> 	skb_queue_head_init(&loopback_queue);
> 
> 	init_timer(&loopback_timer);
>+	loopback_timer.data     = 0;
>+	loopback_timer.function = &rose_loopback_timer;
> }
> 
> static int rose_loopback_running(void)
>@@ -34,33 +38,27 @@ static int rose_loopback_running(void)
> 
> int rose_loopback_queue(struct sk_buff *skb, struct rose_neigh *neigh)
> {
>-	struct sk_buff *skbn;
>-
>-	skbn = skb_clone(skb, GFP_ATOMIC);
>+	struct sk_buff *skbn = NULL;
> 
>-	kfree_skb(skb);
>+	if (skb_queue_len(&loopback_queue) < ROSE_LOOPBACK_LIMIT)
>+		skbn = skb_clone(skb, GFP_ATOMIC);
> 
>-	if (skbn != NULL) {
>+	if (skbn) {
>+		consume_skb(skb);
> 		skb_queue_tail(&loopback_queue, skbn);
> 
> 		if (!rose_loopback_running())
> 			rose_set_loopback_timer();
>+	} else {
>+		kfree_skb(skb);
> 	}
> 
> 	return 1;
> }
> 
>-static void rose_loopback_timer(unsigned long);
>-
> static void rose_set_loopback_timer(void)
> {
>-	del_timer(&loopback_timer);
>-
>-	loopback_timer.data     = 0;
>-	loopback_timer.function = &rose_loopback_timer;
>-	loopback_timer.expires  = jiffies + 10;
>-
>-	add_timer(&loopback_timer);
>+	mod_timer(&loopback_timer, jiffies + 10);
> }
> 
> static void rose_loopback_timer(unsigned long param)
>@@ -71,8 +69,12 @@ static void rose_loopback_timer(unsigned long param)
> 	struct sock *sk;
> 	unsigned short frametype;
> 	unsigned int lci_i, lci_o;
>+	int count;
> 
>-	while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
>+	for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) {
>+		skb = skb_dequeue(&loopback_queue);
>+		if (!skb)
>+			return;
> 		if (skb->len < ROSE_MIN_LEN) {
> 			kfree_skb(skb);
> 			continue;
>@@ -109,6 +111,8 @@ static void rose_loopback_timer(unsigned long param)
> 			kfree_skb(skb);
> 		}
> 	}
>+	if (!skb_queue_empty(&loopback_queue))
>+		mod_timer(&loopback_timer, jiffies + 1);
> }
> 
> void __exit rose_loopback_clear(void)
>diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
>index cdfa7f4c0a59..4a5598a42cd6 100644
>--- a/net/sunrpc/cache.c
>+++ b/net/sunrpc/cache.c
>@@ -50,6 +50,7 @@ static void cache_init(struct cache_head *h)
> 	h->last_refresh = now;
> }
> 
>+static inline int cache_is_valid(struct cache_head *h);
> static void cache_fresh_locked(struct cache_head *head, time_t expiry);
> static void cache_fresh_unlocked(struct cache_head *head,
> 				struct cache_detail *detail);
>@@ -98,6 +99,8 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
> 				*hp = tmp->next;
> 				tmp->next = NULL;
> 				detail->entries --;
>+				if (cache_is_valid(tmp) == -EAGAIN)
>+					set_bit(CACHE_NEGATIVE, &tmp->flags);
> 				cache_fresh_locked(tmp, 0);
> 				freeme = tmp;
> 				break;
>diff --git a/net/tipc/sysctl.c b/net/tipc/sysctl.c
>index f3fef93325a8..a4125b069833 100644
>--- a/net/tipc/sysctl.c
>+++ b/net/tipc/sysctl.c
>@@ -37,6 +37,7 @@
> 
> #include <linux/sysctl.h>
> 
>+static int one = 1;
> static struct ctl_table_header *tipc_ctl_hdr;
> 
> static struct ctl_table tipc_table[] = {
>@@ -45,7 +46,8 @@ static struct ctl_table tipc_table[] = {
> 		.data		= &sysctl_tipc_rmem,
> 		.maxlen		= sizeof(sysctl_tipc_rmem),
> 		.mode		= 0644,
>-		.proc_handler	= proc_dointvec,
>+		.proc_handler	= proc_dointvec_minmax,
>+		.extra1         = &one,
> 	},
> 	{}
> };
>diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
>index 62fbbdc58566..b0f84a040f32 100644
>--- a/net/xfrm/xfrm_user.c
>+++ b/net/xfrm/xfrm_user.c
>@@ -1255,7 +1255,7 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
> 	ret = verify_policy_dir(p->dir);
> 	if (ret)
> 		return ret;
>-	if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir))
>+	if (p->index && (xfrm_policy_id2dir(p->index) != p->dir))
> 		return -EINVAL;
> 
> 	return 0;
>diff --git a/security/device_cgroup.c b/security/device_cgroup.c
>index d9d69e6930ed..8fee5f7be4f1 100644
>--- a/security/device_cgroup.c
>+++ b/security/device_cgroup.c
>@@ -568,7 +568,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root,
> 		    devcg->behavior == DEVCG_DEFAULT_ALLOW) {
> 			rc = dev_exception_add(devcg, ex);
> 			if (rc)
>-				break;
>+				return rc;
> 		} else {
> 			/*
> 			 * in the other possible cases:
>diff --git a/sound/core/init.c b/sound/core/init.c
>index 7bdfd19e24a8..e0d04b91d561 100644
>--- a/sound/core/init.c
>+++ b/sound/core/init.c
>@@ -389,14 +389,7 @@ int snd_card_disconnect(struct snd_card *card)
> 	card->shutdown = 1;
> 	spin_unlock(&card->files_lock);
> 
>-	/* phase 1: disable fops (user space) operations for ALSA API */
>-	mutex_lock(&snd_card_mutex);
>-	snd_cards[card->number] = NULL;
>-	clear_bit(card->number, snd_cards_lock);
>-	mutex_unlock(&snd_card_mutex);
>-	
>-	/* phase 2: replace file->f_op with special dummy operations */
>-	
>+	/* replace file->f_op with special dummy operations */
> 	spin_lock(&card->files_lock);
> 	list_for_each_entry(mfile, &card->files_list, list) {
> 		/* it's critical part, use endless loop */
>@@ -412,7 +405,7 @@ int snd_card_disconnect(struct snd_card *card)
> 	}
> 	spin_unlock(&card->files_lock);	
> 
>-	/* phase 3: notify all connected devices about disconnection */
>+	/* notify all connected devices about disconnection */
> 	/* at this point, they cannot respond to any calls except release() */
> 
> #if IS_ENABLED(CONFIG_SND_MIXER_OSS)
>@@ -430,6 +423,13 @@ int snd_card_disconnect(struct snd_card *card)
> 		device_del(&card->card_dev);
> 		card->registered = false;
> 	}
>+
>+	/* disable fops (user space) operations for ALSA API */
>+	mutex_lock(&snd_card_mutex);
>+	snd_cards[card->number] = NULL;
>+	clear_bit(card->number, snd_cards_lock);
>+	mutex_unlock(&snd_card_mutex);
>+
> #ifdef CONFIG_PM
> 	wake_up(&card->power_sleep);
> #endif
>diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
>index 41bae2baea71..f853b62befa1 100644
>--- a/sound/core/oss/pcm_oss.c
>+++ b/sound/core/oss/pcm_oss.c
>@@ -951,6 +951,28 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
> 	oss_frame_size = snd_pcm_format_physical_width(params_format(params)) *
> 			 params_channels(params) / 8;
> 
>+	err = snd_pcm_oss_period_size(substream, params, sparams);
>+	if (err < 0)
>+		goto failure;
>+
>+	n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
>+	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
>+	if (err < 0)
>+		goto failure;
>+
>+	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
>+				     runtime->oss.periods, NULL);
>+	if (err < 0)
>+		goto failure;
>+
>+	snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
>+
>+	err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams);
>+	if (err < 0) {
>+		pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
>+		goto failure;
>+	}
>+
> #ifdef CONFIG_SND_PCM_OSS_PLUGINS
> 	snd_pcm_oss_plugin_clear(substream);
> 	if (!direct) {
>@@ -985,27 +1007,6 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
> 	}
> #endif
> 
>-	err = snd_pcm_oss_period_size(substream, params, sparams);
>-	if (err < 0)
>-		goto failure;
>-
>-	n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
>-	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
>-	if (err < 0)
>-		goto failure;
>-
>-	err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
>-				     runtime->oss.periods, NULL);
>-	if (err < 0)
>-		goto failure;
>-
>-	snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
>-
>-	if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) {
>-		pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
>-		goto failure;
>-	}
>-
> 	memset(sw_params, 0, sizeof(*sw_params));
> 	if (runtime->oss.trigger) {
> 		sw_params->start_threshold = 1;
>diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
>index 7c407ab2d82a..a0ee065a9f8c 100644
>--- a/sound/core/pcm_native.c
>+++ b/sound/core/pcm_native.c
>@@ -1063,8 +1063,15 @@ static int snd_pcm_pause(struct snd_pcm_substream *substream, int push)
> static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state)
> {
> 	struct snd_pcm_runtime *runtime = substream->runtime;
>-	if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED)
>+	switch (runtime->status->state) {
>+	case SNDRV_PCM_STATE_SUSPENDED:
> 		return -EBUSY;
>+	/* unresumable PCM state; return -EBUSY for skipping suspend */
>+	case SNDRV_PCM_STATE_OPEN:
>+	case SNDRV_PCM_STATE_SETUP:
>+	case SNDRV_PCM_STATE_DISCONNECTED:
>+		return -EBUSY;
>+	}
> 	runtime->trigger_master = substream;
> 	return 0;
> }
>diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
>index 2bd5b8524181..09e05c0b59a1 100644
>--- a/sound/core/rawmidi.c
>+++ b/sound/core/rawmidi.c
>@@ -29,6 +29,7 @@
> #include <linux/mutex.h>
> #include <linux/module.h>
> #include <linux/delay.h>
>+#include <linux/nospec.h>
> #include <sound/rawmidi.h>
> #include <sound/info.h>
> #include <sound/control.h>
>@@ -601,6 +602,7 @@ static int __snd_rawmidi_info_select(struct snd_card *card,
> 		return -ENXIO;
> 	if (info->stream < 0 || info->stream > 1)
> 		return -EINVAL;
>+	info->stream = array_index_nospec(info->stream, 2);
> 	pstr = &rmidi->streams[info->stream];
> 	if (pstr->substream_count == 0)
> 		return -ENOENT;
>diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
>index 8bf5335d953b..6ab2de7695d8 100644
>--- a/sound/core/seq/oss/seq_oss_synth.c
>+++ b/sound/core/seq/oss/seq_oss_synth.c
>@@ -617,13 +617,14 @@ int
> snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
> {
> 	struct seq_oss_synth *rec;
>+	struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
> 
>-	if (dev < 0 || dev >= dp->max_synthdev)
>+	if (!info)
> 		return -ENXIO;
> 
>-	if (dp->synths[dev].is_midi) {
>+	if (info->is_midi) {
> 		struct midi_info minf;
>-		snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
>+		snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf);
> 		inf->synth_type = SYNTH_TYPE_MIDI;
> 		inf->synth_subtype = 0;
> 		inf->nr_voices = 16;
>diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
>index 60fb2c708d75..f6396e012a0f 100644
>--- a/sound/core/seq/seq_clientmgr.c
>+++ b/sound/core/seq/seq_clientmgr.c
>@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info(struct snd_seq_client *client,
> 
> 	/* fill the info fields */
> 	if (client_info.name[0])
>-		strlcpy(client->name, client_info.name, sizeof(client->name));
>+		strscpy(client->name, client_info.name, sizeof(client->name));
> 
> 	client->filter = client_info.filter;
> 	client->event_lost = client_info.event_lost;
>@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(struct snd_seq_client *client,
> 	/* set queue name */
> 	if (! info.name[0])
> 		snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue);
>-	strlcpy(q->name, info.name, sizeof(q->name));
>+	strscpy(q->name, info.name, sizeof(q->name));
> 	queuefree(q);
> 
> 	if (copy_to_user(arg, &info, sizeof(info)))
>@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info(struct snd_seq_client *client,
> 		queuefree(q);
> 		return -EPERM;
> 	}
>-	strlcpy(q->name, info.name, sizeof(q->name));
>+	strscpy(q->name, info.name, sizeof(q->name));
> 	queuefree(q);
> 
> 	return 0;
>diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
>index 95b2df232d71..383aaaebad6c 100644
>--- a/tools/lib/traceevent/event-parse.c
>+++ b/tools/lib/traceevent/event-parse.c
>@@ -2065,7 +2065,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer)
> 		return val & 0xffffffff;
> 
> 	if (strcmp(type, "u64") == 0 ||
>-	    strcmp(type, "s64"))
>+	    strcmp(type, "s64") == 0)
> 		return val;
> 
> 	if (strcmp(type, "s8") == 0)
>diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c
>index c81bd9a31db7..fd3a453a21cf 100644
>--- a/tools/perf/tests/evsel-tp-sched.c
>+++ b/tools/perf/tests/evsel-tp-sched.c
>@@ -77,5 +77,6 @@ int test__perf_evsel__tp_sched_test(void)
> 	if (perf_evsel__test_field(evsel, "target_cpu", 4, true))
> 		ret = -1;
> 
>+	perf_evsel__delete(evsel);
> 	return ret;
> }
>diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
>index ad0c85a63c80..cc0b4c5f5c72 100644
>--- a/virt/kvm/kvm_main.c
>+++ b/virt/kvm/kvm_main.c
>@@ -2240,6 +2240,9 @@ static long kvm_device_ioctl(struct file *filp, unsigned int ioctl,
> {
> 	struct kvm_device *dev = filp->private_data;
> 
>+	if (dev->kvm->mm != current->mm)
>+		return -EIO;
>+
> 	switch (ioctl) {
> 	case KVM_SET_DEVICE_ATTR:
> 		return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg);
>



[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-13 13:35 Linux 3.16.72 Ben Hutchings
2019-08-13 14:49 ` Bhaskar Chowdhury

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org stable@archiver.kernel.org
	public-inbox-index stable


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/ public-inbox