diff options
-rw-r--r-- | 0000_README | 4 | ||||
-rw-r--r-- | 1191_linux-4.14.192.patch | 1244 |
2 files changed, 1248 insertions, 0 deletions
diff --git a/0000_README b/0000_README index a0f0dc8c..c4718ce5 100644 --- a/0000_README +++ b/0000_README @@ -807,6 +807,10 @@ Patch: 1190_linux-4.14.191.patch From: https://www.kernel.org Desc: Linux 4.14.191 +Patch: 1191_linux-4.14.192.patch +From: https://www.kernel.org +Desc: Linux 4.14.192 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1191_linux-4.14.192.patch b/1191_linux-4.14.192.patch new file mode 100644 index 00000000..87bec01d --- /dev/null +++ b/1191_linux-4.14.192.patch @@ -0,0 +1,1244 @@ +diff --git a/Makefile b/Makefile +index e31c1ce12895..60570fad811e 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 14 +-SUBLEVEL = 191 ++SUBLEVEL = 192 + EXTRAVERSION = + NAME = Petit Gorille + +diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c +index af2a7f1e3103..a30f656f791f 100644 +--- a/arch/arm/kernel/hw_breakpoint.c ++++ b/arch/arm/kernel/hw_breakpoint.c +@@ -688,6 +688,12 @@ static void disable_single_step(struct perf_event *bp) + arch_install_hw_breakpoint(bp); + } + ++static int watchpoint_fault_on_uaccess(struct pt_regs *regs, ++ struct arch_hw_breakpoint *info) ++{ ++ return !user_mode(regs) && info->ctrl.privilege == ARM_BREAKPOINT_USER; ++} ++ + static void watchpoint_handler(unsigned long addr, unsigned int fsr, + struct pt_regs *regs) + { +@@ -747,16 +753,27 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + } + + pr_debug("watchpoint fired: address = 0x%x\n", info->trigger); ++ ++ /* ++ * If we triggered a user watchpoint from a uaccess routine, ++ * then handle the stepping ourselves since userspace really ++ * can't help us with this. ++ */ ++ if (watchpoint_fault_on_uaccess(regs, info)) ++ goto step; ++ + perf_bp_event(wp, regs); + + /* +- * If no overflow handler is present, insert a temporary +- * mismatch breakpoint so we can single-step over the +- * watchpoint trigger. ++ * Defer stepping to the overflow handler if one is installed. ++ * Otherwise, insert a temporary mismatch breakpoint so that ++ * we can single-step over the watchpoint trigger. + */ +- if (is_default_overflow_handler(wp)) +- enable_single_step(wp, instruction_pointer(regs)); ++ if (!is_default_overflow_handler(wp)) ++ goto unlock; + ++step: ++ enable_single_step(wp, instruction_pointer(regs)); + unlock: + rcu_read_unlock(); + } +diff --git a/arch/arm64/include/asm/alternative.h b/arch/arm64/include/asm/alternative.h +index 1824768fb1ee..3abb2dacb43f 100644 +--- a/arch/arm64/include/asm/alternative.h ++++ b/arch/arm64/include/asm/alternative.h +@@ -72,9 +72,9 @@ void apply_alternatives(void *start, size_t length); + "663:\n\t" \ + newinstr "\n" \ + "664:\n\t" \ +- ".previous\n\t" \ + ".org . - (664b-663b) + (662b-661b)\n\t" \ +- ".org . - (662b-661b) + (664b-663b)\n" \ ++ ".org . - (662b-661b) + (664b-663b)\n\t" \ ++ ".previous\n" \ + ".endif\n" + + #define __ALTERNATIVE_CFG_CB(oldinstr, feature, cfg_enabled, cb) \ +diff --git a/arch/arm64/include/asm/checksum.h b/arch/arm64/include/asm/checksum.h +index 0b6f5a7d4027..fd11e0d70e44 100644 +--- a/arch/arm64/include/asm/checksum.h ++++ b/arch/arm64/include/asm/checksum.h +@@ -30,16 +30,17 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl) + { + __uint128_t tmp; + u64 sum; ++ int n = ihl; /* we want it signed */ + + tmp = *(const __uint128_t *)iph; + iph += 16; +- ihl -= 4; ++ n -= 4; + tmp += ((tmp >> 64) | (tmp << 64)); + sum = tmp >> 64; + do { + sum += *(const u32 *)iph; + iph += 4; +- } while (--ihl); ++ } while (--n > 0); + + sum += ((sum >> 32) | (sum << 32)); + return csum_fold((__force u32)(sum >> 32)); +diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h +index ab5c215cf46c..068958575871 100644 +--- a/arch/parisc/include/asm/cmpxchg.h ++++ b/arch/parisc/include/asm/cmpxchg.h +@@ -60,6 +60,7 @@ extern void __cmpxchg_called_with_bad_pointer(void); + extern unsigned long __cmpxchg_u32(volatile unsigned int *m, unsigned int old, + unsigned int new_); + extern u64 __cmpxchg_u64(volatile u64 *ptr, u64 old, u64 new_); ++extern u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new_); + + /* don't worry...optimizer will get rid of most of this */ + static inline unsigned long +@@ -71,6 +72,7 @@ __cmpxchg(volatile void *ptr, unsigned long old, unsigned long new_, int size) + #endif + case 4: return __cmpxchg_u32((unsigned int *)ptr, + (unsigned int)old, (unsigned int)new_); ++ case 1: return __cmpxchg_u8((u8 *)ptr, (u8)old, (u8)new_); + } + __cmpxchg_called_with_bad_pointer(); + return old; +diff --git a/arch/parisc/lib/bitops.c b/arch/parisc/lib/bitops.c +index 70ffbcf889b8..2e4d1f05a926 100644 +--- a/arch/parisc/lib/bitops.c ++++ b/arch/parisc/lib/bitops.c +@@ -79,3 +79,15 @@ unsigned long __cmpxchg_u32(volatile unsigned int *ptr, unsigned int old, unsign + _atomic_spin_unlock_irqrestore(ptr, flags); + return (unsigned long)prev; + } ++ ++u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new) ++{ ++ unsigned long flags; ++ u8 prev; ++ ++ _atomic_spin_lock_irqsave(ptr, flags); ++ if ((prev = *ptr) == old) ++ *ptr = new; ++ _atomic_spin_unlock_irqrestore(ptr, flags); ++ return prev; ++} +diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S +index 28cc61216b64..ed5b758c650d 100644 +--- a/arch/sh/kernel/entry-common.S ++++ b/arch/sh/kernel/entry-common.S +@@ -203,7 +203,7 @@ syscall_trace_entry: + mov.l @(OFF_R7,r15), r7 ! arg3 + mov.l @(OFF_R3,r15), r3 ! syscall_nr + ! +- mov.l 2f, r10 ! Number of syscalls ++ mov.l 6f, r10 ! Number of syscalls + cmp/hs r10, r3 + bf syscall_call + mov #-ENOSYS, r0 +@@ -357,7 +357,7 @@ ENTRY(system_call) + tst r9, r8 + bf syscall_trace_entry + ! +- mov.l 2f, r8 ! Number of syscalls ++ mov.l 6f, r8 ! Number of syscalls + cmp/hs r8, r3 + bt syscall_badsys + ! +@@ -396,7 +396,7 @@ syscall_exit: + #if !defined(CONFIG_CPU_SH2) + 1: .long TRA + #endif +-2: .long NR_syscalls ++6: .long NR_syscalls + 3: .long sys_call_table + 7: .long do_syscall_trace_enter + 8: .long do_syscall_trace_leave +diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c +index 02abc134367f..f7833ae4e3f1 100644 +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -206,7 +206,7 @@ spurious_8259A_irq: + * lets ACK and report it. [once per IRQ] + */ + if (!(spurious_irq_mask & irqmask)) { +- printk(KERN_DEBUG ++ printk_deferred(KERN_DEBUG + "spurious 8259A interrupt: IRQ%d.\n", irq); + spurious_irq_mask |= irqmask; + } +diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c +index a9a55e76a43f..a5e2ce931f69 100644 +--- a/arch/x86/kernel/unwind_orc.c ++++ b/arch/x86/kernel/unwind_orc.c +@@ -346,8 +346,11 @@ bool unwind_next_frame(struct unwind_state *state) + /* + * Find the orc_entry associated with the text address. + * +- * Decrement call return addresses by one so they work for sibling +- * calls and calls to noreturn functions. ++ * For a call frame (as opposed to a signal frame), state->ip points to ++ * the instruction after the call. That instruction's stack layout ++ * could be different from the call instruction's layout, for example ++ * if the call was to a noreturn function. So get the ORC data for the ++ * call instruction itself. + */ + orc = orc_find(state->signal ? state->ip : state->ip - 1); + if (!orc || orc->sp_reg == ORC_REG_UNDEFINED) +@@ -550,6 +553,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task, + state->sp = task->thread.sp; + state->bp = READ_ONCE_NOCHECK(frame->bp); + state->ip = READ_ONCE_NOCHECK(frame->ret_addr); ++ state->signal = (void *)state->ip == ret_from_fork; + } + + if (get_stack_info((unsigned long *)state->sp, state->task, +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index 8d8e33b720b4..d3dc8bc6b3ad 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -352,7 +352,8 @@ SECTIONS + .bss : AT(ADDR(.bss) - LOAD_OFFSET) { + __bss_start = .; + *(.bss..page_aligned) +- *(.bss) ++ . = ALIGN(PAGE_SIZE); ++ *(BSS_MAIN) + . = ALIGN(PAGE_SIZE); + __bss_stop = .; + } +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 537c36b55b5d..d4fdf0e52144 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1918,7 +1918,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data) + { + struct kvm_lapic *apic = vcpu->arch.apic; + +- if (!lapic_in_kernel(vcpu) || apic_lvtt_oneshot(apic) || ++ if (!kvm_apic_present(vcpu) || apic_lvtt_oneshot(apic) || + apic_lvtt_period(apic)) + return; + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 09f47c837c25..3aed03942d7d 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3075,6 +3075,9 @@ static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu) + if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED)) + return; + ++ if (vcpu->arch.st.steal.preempted) ++ return; ++ + vcpu->arch.st.steal.preempted = 1; + + kvm_write_guest_offset_cached(vcpu->kvm, &vcpu->arch.st.stime, +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index 330853a2702f..43b74cf0787e 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) + LSB_ITEM_SIZE); + break; + default: ++ kfree(hmac_buf); + ret = -EINVAL; +- goto e_ctx; ++ goto e_data; + } + + memset(&hmac_cmd, 0, sizeof(hmac_cmd)); +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +index c93e72d8ac5f..22d9ec80a2ff 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -527,8 +527,9 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file + return n ? -EFAULT : 0; + } + case AMDGPU_INFO_DEV_INFO: { +- struct drm_amdgpu_info_device dev_info = {}; ++ struct drm_amdgpu_info_device dev_info; + ++ memset(&dev_info, 0, sizeof(dev_info)); + dev_info.device_id = dev->pdev->device; + dev_info.chip_rev = adev->rev_id; + dev_info.external_rev = adev->external_rev_id; +diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c +index d2c042af36b8..470a79eef254 100644 +--- a/drivers/gpu/drm/drm_gem.c ++++ b/drivers/gpu/drm/drm_gem.c +@@ -730,9 +730,6 @@ err: + * @file_priv: drm file-private structure + * + * Open an object using the global name, returning a handle and the size. +- * +- * This handle (of course) holds a reference to the object, so the object +- * will not go away until the handle is deleted. + */ + int + drm_gem_open_ioctl(struct drm_device *dev, void *data, +@@ -757,14 +754,15 @@ drm_gem_open_ioctl(struct drm_device *dev, void *data, + + /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */ + ret = drm_gem_handle_create_tail(file_priv, obj, &handle); +- drm_gem_object_put_unlocked(obj); + if (ret) +- return ret; ++ goto err; + + args->handle = handle; + args->size = obj->size; + +- return 0; ++err: ++ drm_gem_object_put_unlocked(obj); ++ return ret; + } + + /** +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index d917cefc5a19..b13605718291 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -382,10 +382,8 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ++ if (id->recv_count > CDNS_I2C_FIFO_DEPTH) + ctrl_reg |= CDNS_I2C_CR_HOLD; +- else +- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; + + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + +@@ -442,11 +440,8 @@ static void cdns_i2c_msend(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) ++ if (id->send_count > CDNS_I2C_FIFO_DEPTH) + ctrl_reg |= CDNS_I2C_CR_HOLD; +- else +- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; +- + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + + /* Clear the interrupts in interrupt status register. */ +diff --git a/drivers/iio/imu/adis16400_buffer.c b/drivers/iio/imu/adis16400_buffer.c +index e70a5339acb1..3fc11aec98b9 100644 +--- a/drivers/iio/imu/adis16400_buffer.c ++++ b/drivers/iio/imu/adis16400_buffer.c +@@ -38,8 +38,11 @@ int adis16400_update_scan_mode(struct iio_dev *indio_dev, + return -ENOMEM; + + adis->buffer = kzalloc(burst_length + sizeof(u16), GFP_KERNEL); +- if (!adis->buffer) ++ if (!adis->buffer) { ++ kfree(adis->xfer); ++ adis->xfer = NULL; + return -ENOMEM; ++ } + + tx = adis->buffer + burst_length; + tx[0] = ADIS_READ_REG(ADIS16400_GLOB_CMD); +diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c +index 040323b0f945..f63a7e6f272c 100644 +--- a/drivers/media/pci/cx23885/cx23888-ir.c ++++ b/drivers/media/pci/cx23885/cx23888-ir.c +@@ -1178,8 +1178,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev) + return -ENOMEM; + + spin_lock_init(&state->rx_kfifo_lock); +- if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL)) ++ if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, ++ GFP_KERNEL)) { ++ kfree(state); + return -ENOMEM; ++ } + + state->dev = dev; + sd = &state->sd; +diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c +index 0a5c4c7da505..006f8b8aaa7d 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c +@@ -1812,6 +1812,7 @@ static inline int uld_send(struct adapter *adap, struct sk_buff *skb, + txq_info = adap->sge.uld_txq_info[tx_uld_type]; + if (unlikely(!txq_info)) { + WARN_ON(true); ++ kfree_skb(skb); + return NET_XMIT_DROP; + } + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 85c11dafb4cd..8b8a0c4fbc99 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2324,7 +2324,7 @@ req_rx_irq_failed: + req_tx_irq_failed: + for (j = 0; j < i; j++) { + free_irq(adapter->tx_scrq[j]->irq, adapter->tx_scrq[j]); +- irq_dispose_mapping(adapter->rx_scrq[j]->irq); ++ irq_dispose_mapping(adapter->tx_scrq[j]->irq); + } + release_sub_crqs(adapter); + return rc; +diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c +index cf9011bb6e0f..c6660b61e836 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -4190,12 +4190,14 @@ end: + static void mlx4_shutdown(struct pci_dev *pdev) + { + struct mlx4_dev_persistent *persist = pci_get_drvdata(pdev); ++ struct mlx4_dev *dev = persist->dev; + + mlx4_info(persist->dev, "mlx4_shutdown was called\n"); + mutex_lock(&persist->interface_state_mutex); + if (persist->interface_state & MLX4_INTERFACE_STATE_UP) + mlx4_unload_one(pdev); + mutex_unlock(&persist->interface_state_mutex); ++ mlx4_pci_disable_device(dev); + } + + static const struct pci_error_handlers mlx4_err_handler = { +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index 96f9f267d16d..dc12ab33afff 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -1361,7 +1361,7 @@ static int mlxsw_core_reg_access_emad(struct mlxsw_core *mlxsw_core, + err = mlxsw_emad_reg_access(mlxsw_core, reg, payload, type, trans, + bulk_list, cb, cb_priv, tid); + if (err) { +- kfree(trans); ++ kfree_rcu(trans, rcu); + return err; + } + return 0; +@@ -1574,11 +1574,13 @@ void mlxsw_core_skb_receive(struct mlxsw_core *mlxsw_core, struct sk_buff *skb, + break; + } + } +- rcu_read_unlock(); +- if (!found) ++ if (!found) { ++ rcu_read_unlock(); + goto drop; ++ } + + rxl->func(skb, local_port, rxl_item->priv); ++ rcu_read_unlock(); + return; + + drop: +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c +index c5d9f290ec4c..f8d1d02a3cd4 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c +@@ -1015,7 +1015,8 @@ static int qed_int_attentions(struct qed_hwfn *p_hwfn) + index, attn_bits, attn_acks, asserted_bits, + deasserted_bits, p_sb_attn_sw->known_attn); + } else if (asserted_bits == 0x100) { +- DP_INFO(p_hwfn, "MFW indication via attention\n"); ++ DP_VERBOSE(p_hwfn, NETIF_MSG_INTR, ++ "MFW indication via attention\n"); + } else { + DP_VERBOSE(p_hwfn, NETIF_MSG_INTR, + "MFW indication [deassertion]\n"); +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index d73617cc3b15..9f4d93a16b7e 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1482,6 +1482,7 @@ static void ravb_tx_timeout_work(struct work_struct *work) + struct ravb_private *priv = container_of(work, struct ravb_private, + work); + struct net_device *ndev = priv->ndev; ++ int error; + + netif_tx_stop_all_queues(ndev); + +@@ -1490,15 +1491,36 @@ static void ravb_tx_timeout_work(struct work_struct *work) + ravb_ptp_stop(ndev); + + /* Wait for DMA stopping */ +- ravb_stop_dma(ndev); ++ if (ravb_stop_dma(ndev)) { ++ /* If ravb_stop_dma() fails, the hardware is still operating ++ * for TX and/or RX. So, this should not call the following ++ * functions because ravb_dmac_init() is possible to fail too. ++ * Also, this should not retry ravb_stop_dma() again and again ++ * here because it's possible to wait forever. So, this just ++ * re-enables the TX and RX and skip the following ++ * re-initialization procedure. ++ */ ++ ravb_rcv_snd_enable(ndev); ++ goto out; ++ } + + ravb_ring_free(ndev, RAVB_BE); + ravb_ring_free(ndev, RAVB_NC); + + /* Device init */ +- ravb_dmac_init(ndev); ++ error = ravb_dmac_init(ndev); ++ if (error) { ++ /* If ravb_dmac_init() fails, descriptors are freed. So, this ++ * should return here to avoid re-enabling the TX and RX in ++ * ravb_emac_init(). ++ */ ++ netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n", ++ __func__, error); ++ return; ++ } + ravb_emac_init(ndev); + ++out: + /* Initialise PTP Clock driver */ + if (priv->chip_id == RCAR_GEN2) + ravb_ptp_init(ndev, priv->pdev); +diff --git a/drivers/net/phy/mdio-bcm-unimac.c b/drivers/net/phy/mdio-bcm-unimac.c +index 52703bbd4d66..df75efa96a7d 100644 +--- a/drivers/net/phy/mdio-bcm-unimac.c ++++ b/drivers/net/phy/mdio-bcm-unimac.c +@@ -237,6 +237,8 @@ static int unimac_mdio_probe(struct platform_device *pdev) + return -ENOMEM; + + r = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!r) ++ return -EINVAL; + + /* Just ioremap, as this MDIO block is usually integrated into an + * Ethernet MAC controller register range +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index 6597d1f8d68c..7988c41bff1d 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -1402,8 +1402,9 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old) + unsigned long flags; + + if (old) +- hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n", +- tty->termios.c_cflag, old->c_cflag); ++ hso_dbg(0x16, "Termios called with: cflags new[%u] - old[%u]\n", ++ (unsigned int)tty->termios.c_cflag, ++ (unsigned int)old->c_cflag); + + /* the actual setup */ + spin_lock_irqsave(&serial->serial_lock, flags); +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index b179a96ea08c..895f307979c8 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -3629,6 +3629,11 @@ static int lan78xx_probe(struct usb_interface *intf, + netdev->max_mtu = MAX_SINGLE_PACKET_SIZE; + netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER); + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 3) { ++ ret = -ENODEV; ++ goto out3; ++ } ++ + dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0; + dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1; + dev->ep_intr = (intf->cur_altsetting)->endpoint + 2; +@@ -3653,6 +3658,7 @@ static int lan78xx_probe(struct usb_interface *intf, + usb_fill_int_urb(dev->urb_intr, dev->udev, + dev->pipe_intr, buf, maxp, + intr_complete, dev, period); ++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER; + } + } + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index d2e062eaf561..f705f0e1cb5b 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -173,6 +173,7 @@ static int htc_config_pipe_credits(struct htc_target *target) + time_left = wait_for_completion_timeout(&target->cmd_wait, HZ); + if (!time_left) { + dev_err(target->dev, "HTC credit config timeout\n"); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +@@ -208,6 +209,7 @@ static int htc_setup_complete(struct htc_target *target) + time_left = wait_for_completion_timeout(&target->cmd_wait, HZ); + if (!time_left) { + dev_err(target->dev, "HTC start timeout\n"); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +@@ -280,6 +282,7 @@ int htc_connect_service(struct htc_target *target, + if (!time_left) { + dev_err(target->dev, "Service connection timeout for: %d\n", + service_connreq->service_id); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index f57f48e4d7a0..4b68804f3742 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -338,6 +338,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", + wmi_cmd_to_name(cmd_id)); + mutex_unlock(&wmi->op_mutex); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 91bf86cee273..1131397454bd 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -63,6 +63,8 @@ module_param_named(max_queues, xennet_max_queues, uint, 0644); + MODULE_PARM_DESC(max_queues, + "Maximum number of queues per virtual interface"); + ++#define XENNET_TIMEOUT (5 * HZ) ++ + static const struct ethtool_ops xennet_ethtool_ops; + + struct netfront_cb { +@@ -1336,12 +1338,15 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev) + + netif_carrier_off(netdev); + +- xenbus_switch_state(dev, XenbusStateInitialising); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) != +- XenbusStateClosed && +- xenbus_read_driver_state(dev->otherend) != +- XenbusStateUnknown); ++ do { ++ xenbus_switch_state(dev, XenbusStateInitialising); ++ err = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) != ++ XenbusStateClosed && ++ xenbus_read_driver_state(dev->otherend) != ++ XenbusStateUnknown, XENNET_TIMEOUT); ++ } while (!err); ++ + return netdev; + + exit: +@@ -2142,28 +2147,43 @@ static const struct attribute_group xennet_dev_group = { + }; + #endif /* CONFIG_SYSFS */ + +-static int xennet_remove(struct xenbus_device *dev) ++static void xennet_bus_close(struct xenbus_device *dev) + { +- struct netfront_info *info = dev_get_drvdata(&dev->dev); +- +- dev_dbg(&dev->dev, "%s\n", dev->nodename); ++ int ret; + +- if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) { ++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed) ++ return; ++ do { + xenbus_switch_state(dev, XenbusStateClosing); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosing || +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateUnknown); ++ ret = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosing || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosed || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown, ++ XENNET_TIMEOUT); ++ } while (!ret); ++ ++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed) ++ return; + ++ do { + xenbus_switch_state(dev, XenbusStateClosed); +- wait_event(module_wq, +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateClosed || +- xenbus_read_driver_state(dev->otherend) == +- XenbusStateUnknown); +- } ++ ret = wait_event_timeout(module_wq, ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateClosed || ++ xenbus_read_driver_state(dev->otherend) == ++ XenbusStateUnknown, ++ XENNET_TIMEOUT); ++ } while (!ret); ++} ++ ++static int xennet_remove(struct xenbus_device *dev) ++{ ++ struct netfront_info *info = dev_get_drvdata(&dev->dev); + ++ xennet_bus_close(dev); + xennet_disconnect_backend(info); + + if (info->netdev->reg_state == NETREG_REGISTERED) +diff --git a/drivers/nfc/s3fwrn5/core.c b/drivers/nfc/s3fwrn5/core.c +index 9d9c8d57a042..64b58455e620 100644 +--- a/drivers/nfc/s3fwrn5/core.c ++++ b/drivers/nfc/s3fwrn5/core.c +@@ -209,6 +209,7 @@ int s3fwrn5_recv_frame(struct nci_dev *ndev, struct sk_buff *skb, + case S3FWRN5_MODE_FW: + return s3fwrn5_fw_recv_frame(ndev, skb); + default: ++ kfree_skb(skb); + return -ENODEV; + } + } +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 5f26c170315c..243b16ce0c8e 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -2086,6 +2086,19 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x10f1, quirk_disable_aspm_l0s); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x10f4, quirk_disable_aspm_l0s); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x1508, quirk_disable_aspm_l0s); + ++static void quirk_disable_aspm_l0s_l1(struct pci_dev *dev) ++{ ++ pci_info(dev, "Disabling ASPM L0s/L1\n"); ++ pci_disable_link_state(dev, PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1); ++} ++ ++/* ++ * ASM1083/1085 PCIe-PCI bridge devices cause AER timeout errors on the ++ * upstream PCIe root port when ASPM is enabled. At least L0s mode is affected; ++ * disable both L0s and L1 for now to be safe. ++ */ ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ASMEDIA, 0x1080, quirk_disable_aspm_l0s_l1); ++ + /* + * Some Pericom PCIe-to-PCI bridges in reverse mode need the PCIe Retrain + * Link bit cleared after starting the link retrain process to allow this +diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c +index 70be4425ae0b..2b3637b40dde 100644 +--- a/drivers/scsi/libsas/sas_ata.c ++++ b/drivers/scsi/libsas/sas_ata.c +@@ -730,7 +730,6 @@ int sas_discover_sata(struct domain_device *dev) + if (res) + return res; + +- sas_discover_event(dev->port, DISCE_PROBE); + return 0; + } + +diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c +index b200edc665a5..d6365e2fcc60 100644 +--- a/drivers/scsi/libsas/sas_discover.c ++++ b/drivers/scsi/libsas/sas_discover.c +@@ -221,13 +221,9 @@ void sas_notify_lldd_dev_gone(struct domain_device *dev) + } + } + +-static void sas_probe_devices(struct work_struct *work) ++static void sas_probe_devices(struct asd_sas_port *port) + { + struct domain_device *dev, *n; +- struct sas_discovery_event *ev = to_sas_discovery_event(work); +- struct asd_sas_port *port = ev->port; +- +- clear_bit(DISCE_PROBE, &port->disc.pending); + + /* devices must be domain members before link recovery and probe */ + list_for_each_entry(dev, &port->disco_list, disco_list_node) { +@@ -303,7 +299,6 @@ int sas_discover_end_dev(struct domain_device *dev) + res = sas_notify_lldd_dev_found(dev); + if (res) + return res; +- sas_discover_event(dev->port, DISCE_PROBE); + + return 0; + } +@@ -362,13 +357,9 @@ static void sas_unregister_common_dev(struct asd_sas_port *port, struct domain_d + sas_put_device(dev); + } + +-static void sas_destruct_devices(struct work_struct *work) ++void sas_destruct_devices(struct asd_sas_port *port) + { + struct domain_device *dev, *n; +- struct sas_discovery_event *ev = to_sas_discovery_event(work); +- struct asd_sas_port *port = ev->port; +- +- clear_bit(DISCE_DESTRUCT, &port->disc.pending); + + list_for_each_entry_safe(dev, n, &port->destroy_list, disco_list_node) { + list_del_init(&dev->disco_list_node); +@@ -379,6 +370,16 @@ static void sas_destruct_devices(struct work_struct *work) + } + } + ++static void sas_destruct_ports(struct asd_sas_port *port) ++{ ++ struct sas_port *sas_port, *p; ++ ++ list_for_each_entry_safe(sas_port, p, &port->sas_port_del_list, del_list) { ++ list_del_init(&sas_port->del_list); ++ sas_port_delete(sas_port); ++ } ++} ++ + void sas_unregister_dev(struct asd_sas_port *port, struct domain_device *dev) + { + if (!test_bit(SAS_DEV_DESTROY, &dev->state) && +@@ -393,7 +394,6 @@ void sas_unregister_dev(struct asd_sas_port *port, struct domain_device *dev) + if (!test_and_set_bit(SAS_DEV_DESTROY, &dev->state)) { + sas_rphy_unlink(dev->rphy); + list_move_tail(&dev->disco_list_node, &port->destroy_list); +- sas_discover_event(dev->port, DISCE_DESTRUCT); + } + } + +@@ -499,6 +499,8 @@ static void sas_discover_domain(struct work_struct *work) + port->port_dev = NULL; + } + ++ sas_probe_devices(port); ++ + SAS_DPRINTK("DONE DISCOVERY on port %d, pid:%d, result:%d\n", port->id, + task_pid_nr(current), error); + } +@@ -532,6 +534,10 @@ static void sas_revalidate_domain(struct work_struct *work) + port->id, task_pid_nr(current), res); + out: + mutex_unlock(&ha->disco_mutex); ++ ++ sas_destruct_devices(port); ++ sas_destruct_ports(port); ++ sas_probe_devices(port); + } + + /* ---------- Events ---------- */ +@@ -587,10 +593,8 @@ void sas_init_disc(struct sas_discovery *disc, struct asd_sas_port *port) + static const work_func_t sas_event_fns[DISC_NUM_EVENTS] = { + [DISCE_DISCOVER_DOMAIN] = sas_discover_domain, + [DISCE_REVALIDATE_DOMAIN] = sas_revalidate_domain, +- [DISCE_PROBE] = sas_probe_devices, + [DISCE_SUSPEND] = sas_suspend_devices, + [DISCE_RESUME] = sas_resume_devices, +- [DISCE_DESTRUCT] = sas_destruct_devices, + }; + + disc->pending = 0; +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index f77d72f01da9..84df6cf46760 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -1946,7 +1946,8 @@ static void sas_unregister_devs_sas_addr(struct domain_device *parent, + sas_port_delete_phy(phy->port, phy->phy); + sas_device_set_phy(found, phy->port); + if (phy->port->num_phys == 0) +- sas_port_delete(phy->port); ++ list_add_tail(&phy->port->del_list, ++ &parent->port->sas_port_del_list); + phy->port = NULL; + } + } +@@ -2156,7 +2157,7 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev) + struct domain_device *dev = NULL; + + res = sas_find_bcast_dev(port_dev, &dev); +- while (res == 0 && dev) { ++ if (res == 0 && dev) { + struct expander_device *ex = &dev->ex_dev; + int i = 0, phy_id; + +@@ -2168,9 +2169,6 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev) + res = sas_rediscover(dev, phy_id); + i = phy_id + 1; + } while (i < ex->num_phys); +- +- dev = NULL; +- res = sas_find_bcast_dev(port_dev, &dev); + } + return res; + } +diff --git a/drivers/scsi/libsas/sas_internal.h b/drivers/scsi/libsas/sas_internal.h +index c07e08136491..f3449fde9c5f 100644 +--- a/drivers/scsi/libsas/sas_internal.h ++++ b/drivers/scsi/libsas/sas_internal.h +@@ -98,6 +98,7 @@ int sas_try_ata_reset(struct asd_sas_phy *phy); + void sas_hae_reset(struct work_struct *work); + + void sas_free_device(struct kref *kref); ++void sas_destruct_devices(struct asd_sas_port *port); + + #ifdef CONFIG_SCSI_SAS_HOST_SMP + extern void sas_smp_host_handler(struct bsg_job *job, struct Scsi_Host *shost); +diff --git a/drivers/scsi/libsas/sas_port.c b/drivers/scsi/libsas/sas_port.c +index d3c5297c6c89..5d3244c8f280 100644 +--- a/drivers/scsi/libsas/sas_port.c ++++ b/drivers/scsi/libsas/sas_port.c +@@ -66,6 +66,7 @@ static void sas_resume_port(struct asd_sas_phy *phy) + rc = sas_notify_lldd_dev_found(dev); + if (rc) { + sas_unregister_dev(port, dev); ++ sas_destruct_devices(port); + continue; + } + +@@ -219,6 +220,7 @@ void sas_deform_port(struct asd_sas_phy *phy, int gone) + + if (port->num_phys == 1) { + sas_unregister_domain_devices(port, gone); ++ sas_destruct_devices(port); + sas_port_delete(port->port); + port->port = NULL; + } else { +@@ -323,6 +325,7 @@ static void sas_init_port(struct asd_sas_port *port, + INIT_LIST_HEAD(&port->dev_list); + INIT_LIST_HEAD(&port->disco_list); + INIT_LIST_HEAD(&port->destroy_list); ++ INIT_LIST_HEAD(&port->sas_port_del_list); + spin_lock_init(&port->phy_list_lock); + INIT_LIST_HEAD(&port->phy_list); + port->ha = sas_ha; +diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c +index 4abefd841b6c..ff519f7a8784 100644 +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -817,6 +817,17 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d, + de_name.name = d->filename[bit_pos]; + de_name.len = le16_to_cpu(de->name_len); + ++ /* check memory boundary before moving forward */ ++ bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); ++ if (unlikely(bit_pos > d->max || ++ le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) { ++ f2fs_msg(F2FS_I_SB(d->inode)->sb, KERN_WARNING, ++ "%s: corrupted namelen=%d, run fsck to fix.", ++ __func__, le16_to_cpu(de->name_len)); ++ set_sbi_flag(F2FS_I_SB(d->inode)->sb->s_fs_info, SBI_NEED_FSCK); ++ return -EINVAL; ++ } ++ + if (f2fs_encrypted_inode(d->inode)) { + int save_len = fstr->len; + int err; +@@ -835,7 +846,6 @@ int f2fs_fill_dentries(struct dir_context *ctx, struct f2fs_dentry_ptr *d, + le32_to_cpu(de->ino), d_type)) + return 1; + +- bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)); + ctx->pos = start_pos + bit_pos; + } + return 0; +diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c +index 360e32220f93..0c0f70e6c7d9 100644 +--- a/fs/xfs/xfs_log.c ++++ b/fs/xfs/xfs_log.c +@@ -2684,7 +2684,6 @@ xlog_state_do_callback( + int funcdidcallbacks; /* flag: function did callbacks */ + int repeats; /* for issuing console warnings if + * looping too many times */ +- int wake = 0; + + spin_lock(&log->l_icloglock); + first_iclog = iclog = log->l_iclog; +@@ -2886,11 +2885,9 @@ xlog_state_do_callback( + #endif + + if (log->l_iclog->ic_state & (XLOG_STATE_ACTIVE|XLOG_STATE_IOERROR)) +- wake = 1; +- spin_unlock(&log->l_icloglock); +- +- if (wake) + wake_up_all(&log->l_flush_wait); ++ ++ spin_unlock(&log->l_icloglock); + } + + +@@ -4052,7 +4049,9 @@ xfs_log_force_umount( + * item committed callback functions will do this again under lock to + * avoid races. + */ ++ spin_lock(&log->l_cilp->xc_push_lock); + wake_up_all(&log->l_cilp->xc_commit_wait); ++ spin_unlock(&log->l_cilp->xc_push_lock); + xlog_state_do_callback(log, XFS_LI_ABORTED, NULL); + + #ifdef XFSERRORDEBUG +diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h +index c229ffbed6d4..48e618b20d34 100644 +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -251,7 +251,8 @@ + + #define PAGE_ALIGNED_DATA(page_align) \ + . = ALIGN(page_align); \ +- *(.data..page_aligned) ++ *(.data..page_aligned) \ ++ . = ALIGN(page_align); + + #define READ_MOSTLY_DATA(align) \ + . = ALIGN(align); \ +@@ -619,7 +620,9 @@ + . = ALIGN(bss_align); \ + .bss : AT(ADDR(.bss) - LOAD_OFFSET) { \ + BSS_FIRST_SECTIONS \ ++ . = ALIGN(PAGE_SIZE); \ + *(.bss..page_aligned) \ ++ . = ALIGN(PAGE_SIZE); \ + *(.dynbss) \ + *(BSS_MAIN) \ + *(COMMON) \ +diff --git a/include/scsi/libsas.h b/include/scsi/libsas.h +index a966d281dedc..1b1cf9eff3b5 100644 +--- a/include/scsi/libsas.h ++++ b/include/scsi/libsas.h +@@ -87,10 +87,8 @@ enum discover_event { + DISCE_DISCOVER_DOMAIN = 0U, + DISCE_REVALIDATE_DOMAIN = 1, + DISCE_PORT_GONE = 2, +- DISCE_PROBE = 3, + DISCE_SUSPEND = 4, + DISCE_RESUME = 5, +- DISCE_DESTRUCT = 6, + DISC_NUM_EVENTS = 7, + }; + +@@ -269,6 +267,7 @@ struct asd_sas_port { + struct list_head dev_list; + struct list_head disco_list; + struct list_head destroy_list; ++ struct list_head sas_port_del_list; + enum sas_linkrate linkrate; + + struct sas_work work; +diff --git a/include/scsi/scsi_transport_sas.h b/include/scsi/scsi_transport_sas.h +index 62895b405933..05ec927a3c72 100644 +--- a/include/scsi/scsi_transport_sas.h ++++ b/include/scsi/scsi_transport_sas.h +@@ -156,6 +156,7 @@ struct sas_port { + + struct mutex phy_list_mutex; + struct list_head phy_list; ++ struct list_head del_list; /* libsas only */ + }; + + #define dev_to_sas_port(d) \ +diff --git a/include/uapi/linux/wireless.h b/include/uapi/linux/wireless.h +index 86eca3208b6b..a2c006a364e0 100644 +--- a/include/uapi/linux/wireless.h ++++ b/include/uapi/linux/wireless.h +@@ -74,6 +74,8 @@ + #include <linux/socket.h> /* for "struct sockaddr" et al */ + #include <linux/if.h> /* for IFNAMSIZ and co... */ + ++#include <stddef.h> /* for offsetof */ ++ + /***************************** VERSION *****************************/ + /* + * This constant is used to know the availability of the wireless +@@ -1090,8 +1092,7 @@ struct iw_event { + /* iw_point events are special. First, the payload (extra data) come at + * the end of the event, so they are bigger than IW_EV_POINT_LEN. Second, + * we omit the pointer, so start at an offset. */ +-#define IW_EV_POINT_OFF (((char *) &(((struct iw_point *) NULL)->length)) - \ +- (char *) NULL) ++#define IW_EV_POINT_OFF offsetof(struct iw_point, length) + #define IW_EV_POINT_LEN (IW_EV_LCP_LEN + sizeof(struct iw_point) - \ + IW_EV_POINT_OFF) + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 505e69854eb8..6cc090d015f6 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -656,15 +656,20 @@ static void htab_elem_free_rcu(struct rcu_head *head) + preempt_enable(); + } + +-static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) ++static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l) + { + struct bpf_map *map = &htab->map; ++ void *ptr; + + if (map->ops->map_fd_put_ptr) { +- void *ptr = fd_htab_map_get_ptr(map, l); +- ++ ptr = fd_htab_map_get_ptr(map, l); + map->ops->map_fd_put_ptr(ptr); + } ++} ++ ++static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) ++{ ++ htab_put_fd_value(htab, l); + + if (htab_is_prealloc(htab)) { + __pcpu_freelist_push(&htab->freelist, &l->fnode); +@@ -725,6 +730,7 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key, + */ + pl_new = this_cpu_ptr(htab->extra_elems); + l_new = *pl_new; ++ htab_put_fd_value(htab, old_elem); + *pl_new = old_elem; + } else { + struct pcpu_freelist_node *l; +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index a9c65f13b7f5..32de8afbfbf8 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -301,7 +301,6 @@ static void p9_read_work(struct work_struct *work) + { + int n, err; + struct p9_conn *m; +- int status = REQ_STATUS_ERROR; + + m = container_of(work, struct p9_conn, rq); + +@@ -381,11 +380,21 @@ static void p9_read_work(struct work_struct *work) + if ((m->req) && (m->rc.offset == m->rc.capacity)) { + p9_debug(P9_DEBUG_TRANS, "got new packet\n"); + spin_lock(&m->client->lock); +- if (m->req->status != REQ_STATUS_ERROR) +- status = REQ_STATUS_RCVD; +- list_del(&m->req->req_list); +- /* update req->status while holding client->lock */ +- p9_client_cb(m->client, m->req, status); ++ if (m->req->status == REQ_STATUS_SENT) { ++ list_del(&m->req->req_list); ++ p9_client_cb(m->client, m->req, REQ_STATUS_RCVD); ++ } else if (m->req->status == REQ_STATUS_FLSHD) { ++ /* Ignore replies associated with a cancelled request. */ ++ p9_debug(P9_DEBUG_TRANS, ++ "Ignore replies associated with a cancelled request\n"); ++ } else { ++ spin_unlock(&m->client->lock); ++ p9_debug(P9_DEBUG_ERROR, ++ "Request tag %d errored out while we were reading the reply\n", ++ m->rc.tag); ++ err = -EIO; ++ goto error; ++ } + spin_unlock(&m->client->lock); + m->rc.sdata = NULL; + m->rc.offset = 0; +@@ -712,11 +721,20 @@ static int p9_fd_cancelled(struct p9_client *client, struct p9_req_t *req) + { + p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req); + ++ spin_lock(&client->lock); ++ /* Ignore cancelled request if message has been received ++ * before lock. ++ */ ++ if (req->status == REQ_STATUS_RCVD) { ++ spin_unlock(&client->lock); ++ return 0; ++ } ++ + /* we haven't received a response for oldreq, + * remove it from the list. + */ +- spin_lock(&client->lock); + list_del(&req->req_list); ++ req->status = REQ_STATUS_FLSHD; + spin_unlock(&client->lock); + + return 0; +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index b1484b8316e8..c883cb67b731 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1997,6 +1997,7 @@ static int ieee80211_leave_mesh(struct wiphy *wiphy, struct net_device *dev) + ieee80211_stop_mesh(sdata); + mutex_lock(&sdata->local->mtx); + ieee80211_vif_release_channel(sdata); ++ kfree(sdata->u.mesh.ie); + mutex_unlock(&sdata->local->mtx); + + return 0; +diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c +index 130022091205..933f26e2ff8b 100644 +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -554,6 +554,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, + del_timer_sync(&mpath->timer); + atomic_dec(&sdata->u.mesh.mpaths); + atomic_dec(&tbl->entries); ++ mesh_path_flush_pending(mpath); + kfree_rcu(mpath, rcu); + } + +diff --git a/net/rds/recv.c b/net/rds/recv.c +index c27cceae52e1..ef022d24f87a 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -453,12 +453,13 @@ static int rds_still_queued(struct rds_sock *rs, struct rds_incoming *inc, + int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr) + { + struct rds_notifier *notifier; +- struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */ ++ struct rds_rdma_notify cmsg; + unsigned int count = 0, max_messages = ~0U; + unsigned long flags; + LIST_HEAD(copy); + int err = 0; + ++ memset(&cmsg, 0, sizeof(cmsg)); /* fill holes with zero */ + + /* put_cmsg copies to user space and thus may sleep. We can't do this + * with rs_lock held, so first grab as many notifications as we can stuff +diff --git a/net/x25/x25_subr.c b/net/x25/x25_subr.c +index db0b1315d577..a946c1cfb5a2 100644 +--- a/net/x25/x25_subr.c ++++ b/net/x25/x25_subr.c +@@ -363,6 +363,12 @@ void x25_disconnect(struct sock *sk, int reason, unsigned char cause, + sk->sk_state_change(sk); + sock_set_flag(sk, SOCK_DEAD); + } ++ if (x25->neighbour) { ++ read_lock_bh(&x25_list_lock); ++ x25_neigh_put(x25->neighbour); ++ x25->neighbour = NULL; ++ read_unlock_bh(&x25_list_lock); ++ } + } + + /* +diff --git a/tools/testing/selftests/networking/timestamping/rxtimestamp.c b/tools/testing/selftests/networking/timestamping/rxtimestamp.c +index 7a573fb4c1c4..c6428f1ac22f 100644 +--- a/tools/testing/selftests/networking/timestamping/rxtimestamp.c ++++ b/tools/testing/selftests/networking/timestamping/rxtimestamp.c +@@ -328,8 +328,7 @@ int main(int argc, char **argv) + bool all_tests = true; + int arg_index = 0; + int failures = 0; +- int s, t; +- char opt; ++ int s, t, opt; + + while ((opt = getopt_long(argc, argv, "", long_options, + &arg_index)) != -1) { |