Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Pagano <mpagano@gentoo.org>2020-06-11 07:32:45 -0400
committerMike Pagano <mpagano@gentoo.org>2020-06-11 07:32:45 -0400
commit33a2f02536c79c46eb219d35d69972267c01a023 (patch)
treee51e82e16ca6ca4cd86f9e1d68bca7a99d11bd39
parentLinux patch 4.14.183 (diff)
downloadlinux-patches-33a2f02536c79c46eb219d35d69972267c01a023.tar.gz
linux-patches-33a2f02536c79c46eb219d35d69972267c01a023.tar.bz2
linux-patches-33a2f02536c79c46eb219d35d69972267c01a023.zip
Linux patch 4.14.1844.14-194
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
Diffstat
-rw-r--r--0000_README4
-rw-r--r--1183_linux-4.14.184.patch1803
2 files changed, 1807 insertions, 0 deletions
diff --git a/0000_README b/0000_README
index c9050098..75fcff60 100644
--- a/0000_README
+++ b/0000_README
@@ -775,6 +775,10 @@ Patch: 1182_linux-4.14.183.patch
From: https://www.kernel.org
Desc: Linux 4.14.183
+Patch: 1183_linux-4.14.184.patch
+From: https://www.kernel.org
+Desc: Linux 4.14.184
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
diff --git a/1183_linux-4.14.184.patch b/1183_linux-4.14.184.patch
new file mode 100644
index 00000000..df681fb2
--- /dev/null
+++ b/1183_linux-4.14.184.patch
@@ -0,0 +1,1803 @@
+diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
+index 9ebca6a750f3..5abe1cc9f068 100644
+--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
+@@ -381,6 +381,7 @@ What: /sys/devices/system/cpu/vulnerabilities
+ /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
+ /sys/devices/system/cpu/vulnerabilities/l1tf
+ /sys/devices/system/cpu/vulnerabilities/mds
++ /sys/devices/system/cpu/vulnerabilities/srbds
+ /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
+ /sys/devices/system/cpu/vulnerabilities/itlb_multihit
+ Date: January 2018
+diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst
+index 0795e3c2643f..ca4dbdd9016d 100644
+--- a/Documentation/admin-guide/hw-vuln/index.rst
++++ b/Documentation/admin-guide/hw-vuln/index.rst
+@@ -14,3 +14,4 @@ are configurable at compile, boot or run time.
+ mds
+ tsx_async_abort
+ multihit.rst
++ special-register-buffer-data-sampling.rst
+diff --git a/Documentation/admin-guide/hw-vuln/special-register-buffer-data-sampling.rst b/Documentation/admin-guide/hw-vuln/special-register-buffer-data-sampling.rst
+new file mode 100644
+index 000000000000..47b1b3afac99
+--- /dev/null
++++ b/Documentation/admin-guide/hw-vuln/special-register-buffer-data-sampling.rst
+@@ -0,0 +1,149 @@
++.. SPDX-License-Identifier: GPL-2.0
++
++SRBDS - Special Register Buffer Data Sampling
++=============================================
++
++SRBDS is a hardware vulnerability that allows MDS :doc:`mds` techniques to
++infer values returned from special register accesses. Special register
++accesses are accesses to off core registers. According to Intel's evaluation,
++the special register reads that have a security expectation of privacy are
++RDRAND, RDSEED and SGX EGETKEY.
++
++When RDRAND, RDSEED and EGETKEY instructions are used, the data is moved
++to the core through the special register mechanism that is susceptible
++to MDS attacks.
++
++Affected processors
++--------------------
++Core models (desktop, mobile, Xeon-E3) that implement RDRAND and/or RDSEED may
++be affected.
++
++A processor is affected by SRBDS if its Family_Model and stepping is
++in the following list, with the exception of the listed processors
++exporting MDS_NO while Intel TSX is available yet not enabled. The
++latter class of processors are only affected when Intel TSX is enabled
++by software using TSX_CTRL_MSR otherwise they are not affected.
++
++ ============= ============ ========
++ common name Family_Model Stepping
++ ============= ============ ========
++ IvyBridge 06_3AH All
++
++ Haswell 06_3CH All
++ Haswell_L 06_45H All
++ Haswell_G 06_46H All
++
++ Broadwell_G 06_47H All
++ Broadwell 06_3DH All
++
++ Skylake_L 06_4EH All
++ Skylake 06_5EH All
++
++ Kabylake_L 06_8EH <= 0xC
++ Kabylake 06_9EH <= 0xD
++ ============= ============ ========
++
++Related CVEs
++------------
++
++The following CVE entry is related to this SRBDS issue:
++
++ ============== ===== =====================================
++ CVE-2020-0543 SRBDS Special Register Buffer Data Sampling
++ ============== ===== =====================================
++
++Attack scenarios
++----------------
++An unprivileged user can extract values returned from RDRAND and RDSEED
++executed on another core or sibling thread using MDS techniques.
++
++
++Mitigation mechanism
++-------------------
++Intel will release microcode updates that modify the RDRAND, RDSEED, and
++EGETKEY instructions to overwrite secret special register data in the shared
++staging buffer before the secret data can be accessed by another logical
++processor.
++
++During execution of the RDRAND, RDSEED, or EGETKEY instructions, off-core
++accesses from other logical processors will be delayed until the special
++register read is complete and the secret data in the shared staging buffer is
++overwritten.
++
++This has three effects on performance:
++
++#. RDRAND, RDSEED, or EGETKEY instructions have higher latency.
++
++#. Executing RDRAND at the same time on multiple logical processors will be
++ serialized, resulting in an overall reduction in the maximum RDRAND
++ bandwidth.
++
++#. Executing RDRAND, RDSEED or EGETKEY will delay memory accesses from other
++ logical processors that miss their core caches, with an impact similar to
++ legacy locked cache-line-split accesses.
++
++The microcode updates provide an opt-out mechanism (RNGDS_MITG_DIS) to disable
++the mitigation for RDRAND and RDSEED instructions executed outside of Intel
++Software Guard Extensions (Intel SGX) enclaves. On logical processors that
++disable the mitigation using this opt-out mechanism, RDRAND and RDSEED do not
++take longer to execute and do not impact performance of sibling logical
++processors memory accesses. The opt-out mechanism does not affect Intel SGX
++enclaves (including execution of RDRAND or RDSEED inside an enclave, as well
++as EGETKEY execution).
++
++IA32_MCU_OPT_CTRL MSR Definition
++--------------------------------
++Along with the mitigation for this issue, Intel added a new thread-scope
++IA32_MCU_OPT_CTRL MSR, (address 0x123). The presence of this MSR and
++RNGDS_MITG_DIS (bit 0) is enumerated by CPUID.(EAX=07H,ECX=0).EDX[SRBDS_CTRL =
++9]==1. This MSR is introduced through the microcode update.
++
++Setting IA32_MCU_OPT_CTRL[0] (RNGDS_MITG_DIS) to 1 for a logical processor
++disables the mitigation for RDRAND and RDSEED executed outside of an Intel SGX
++enclave on that logical processor. Opting out of the mitigation for a
++particular logical processor does not affect the RDRAND and RDSEED mitigations
++for other logical processors.
++
++Note that inside of an Intel SGX enclave, the mitigation is applied regardless
++of the value of RNGDS_MITG_DS.
++
++Mitigation control on the kernel command line
++---------------------------------------------
++The kernel command line allows control over the SRBDS mitigation at boot time
++with the option "srbds=". The option for this is:
++
++ ============= =============================================================
++ off This option disables SRBDS mitigation for RDRAND and RDSEED on
++ affected platforms.
++ ============= =============================================================
++
++SRBDS System Information
++-----------------------
++The Linux kernel provides vulnerability status information through sysfs. For
++SRBDS this can be accessed by the following sysfs file:
++/sys/devices/system/cpu/vulnerabilities/srbds
++
++The possible values contained in this file are:
++
++ ============================== =============================================
++ Not affected Processor not vulnerable
++ Vulnerable Processor vulnerable and mitigation disabled
++ Vulnerable: No microcode Processor vulnerable and microcode is missing
++ mitigation
++ Mitigation: Microcode Processor is vulnerable and mitigation is in
++ effect.
++ Mitigation: TSX disabled Processor is only vulnerable when TSX is
++ enabled while this system was booted with TSX
++ disabled.
++ Unknown: Dependent on
++ hypervisor status Running on virtual guest processor that is
++ affected but with no way to know if host
++ processor is mitigated or vulnerable.
++ ============================== =============================================
++
++SRBDS Default mitigation
++------------------------
++This new microcode serializes processor access during execution of RDRAND,
++RDSEED ensures that the shared buffer is overwritten before it is released for
++reuse. Use the "srbds=off" kernel command line to disable the mitigation for
++RDRAND and RDSEED.
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index ae51b1b7b67f..dc96e7f10ebc 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -4234,6 +4234,26 @@
+ spia_pedr=
+ spia_peddr=
+
++ srbds= [X86,INTEL]
++ Control the Special Register Buffer Data Sampling
++ (SRBDS) mitigation.
++
++ Certain CPUs are vulnerable to an MDS-like
++ exploit which can leak bits from the random
++ number generator.
++
++ By default, this issue is mitigated by
++ microcode. However, the microcode fix can cause
++ the RDRAND and RDSEED instructions to become
++ much slower. Among other effects, this will
++ result in reduced throughput from /dev/urandom.
++
++ The microcode mitigation can be disabled with
++ the following option:
++
++ off: Disable mitigation and remove
++ performance impact to RDRAND and RDSEED
++
+ srcutree.counter_wrap_check [KNL]
+ Specifies how frequently to check for
+ grace-period sequence counter wrap for the
+diff --git a/Makefile b/Makefile
+index aa9d8c79bff0..ce607fe26228 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 4
+ PATCHLEVEL = 14
+-SUBLEVEL = 183
++SUBLEVEL = 184
+ EXTRAVERSION =
+ NAME = Petit Gorille
+
+diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c
+index 6b8d106e0d53..11c2c4a3fe69 100644
+--- a/arch/arc/kernel/setup.c
++++ b/arch/arc/kernel/setup.c
+@@ -15,6 +15,7 @@
+ #include <linux/clocksource.h>
+ #include <linux/console.h>
+ #include <linux/module.h>
++#include <linux/sizes.h>
+ #include <linux/cpu.h>
+ #include <linux/of_fdt.h>
+ #include <linux/of.h>
+@@ -355,12 +356,12 @@ static void arc_chk_core_config(void)
+ if ((unsigned int)__arc_dccm_base != cpu->dccm.base_addr)
+ panic("Linux built with incorrect DCCM Base address\n");
+
+- if (CONFIG_ARC_DCCM_SZ != cpu->dccm.sz)
++ if (CONFIG_ARC_DCCM_SZ * SZ_1K != cpu->dccm.sz)
+ panic("Linux built with incorrect DCCM Size\n");
+ #endif
+
+ #ifdef CONFIG_ARC_HAS_ICCM
+- if (CONFIG_ARC_ICCM_SZ != cpu->iccm.sz)
++ if (CONFIG_ARC_ICCM_SZ * SZ_1K != cpu->iccm.sz)
+ panic("Linux built with incorrect ICCM Size\n");
+ #endif
+
+diff --git a/arch/arc/plat-eznps/Kconfig b/arch/arc/plat-eznps/Kconfig
+index ce908e2c5282..71378bfec8d0 100644
+--- a/arch/arc/plat-eznps/Kconfig
++++ b/arch/arc/plat-eznps/Kconfig
+@@ -6,6 +6,7 @@
+
+ menuconfig ARC_PLAT_EZNPS
+ bool "\"EZchip\" ARC dev platform"
++ depends on ISA_ARCOMPACT
+ select CPU_BIG_ENDIAN
+ select CLKSRC_NPS if !PHYS_ADDR_T_64BIT
+ select EZNPS_GIC
+diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S
+index 0cfd5a83a1da..151f001a90ff 100644
+--- a/arch/s390/kernel/mcount.S
++++ b/arch/s390/kernel/mcount.S
+@@ -40,6 +40,7 @@ EXPORT_SYMBOL(_mcount)
+ ENTRY(ftrace_caller)
+ .globl ftrace_regs_caller
+ .set ftrace_regs_caller,ftrace_caller
++ stg %r14,(__SF_GPRS+8*8)(%r15) # save traced function caller
+ lgr %r1,%r15
+ #ifndef CC_USING_HOTPATCH
+ aghi %r0,MCOUNT_RETURN_FIXUP
+diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h
+index baeba0567126..884466592943 100644
+--- a/arch/x86/include/asm/cpu_device_id.h
++++ b/arch/x86/include/asm/cpu_device_id.h
+@@ -9,6 +9,33 @@
+
+ #include <linux/mod_devicetable.h>
+
++#define X86_STEPPINGS(mins, maxs) GENMASK(maxs, mins)
++
++/**
++ * X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE - Base macro for CPU matching
++ * @_vendor: The vendor name, e.g. INTEL, AMD, HYGON, ..., ANY
++ * The name is expanded to X86_VENDOR_@_vendor
++ * @_family: The family number or X86_FAMILY_ANY
++ * @_model: The model number, model constant or X86_MODEL_ANY
++ * @_steppings: Bitmask for steppings, stepping constant or X86_STEPPING_ANY
++ * @_feature: A X86_FEATURE bit or X86_FEATURE_ANY
++ * @_data: Driver specific data or NULL. The internal storage
++ * format is unsigned long. The supplied value, pointer
++ * etc. is casted to unsigned long internally.
++ *
++ * Backport version to keep the SRBDS pile consistant. No shorter variants
++ * required for this.
++ */
++#define X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE(_vendor, _family, _model, \
++ _steppings, _feature, _data) { \
++ .vendor = X86_VENDOR_##_vendor, \
++ .family = _family, \
++ .model = _model, \
++ .steppings = _steppings, \
++ .feature = _feature, \
++ .driver_data = (unsigned long) _data \
++}
++
+ extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match);
+
+ #endif
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
+index 157cfaf1064c..764cbf1774d9 100644
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -346,6 +346,7 @@
+ /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
+ #define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */
+ #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
++#define X86_FEATURE_SRBDS_CTRL (18*32+ 9) /* "" SRBDS mitigation MSR available */
+ #define X86_FEATURE_TSX_FORCE_ABORT (18*32+13) /* "" TSX_FORCE_ABORT */
+ #define X86_FEATURE_MD_CLEAR (18*32+10) /* VERW clears CPU buffers */
+ #define X86_FEATURE_PCONFIG (18*32+18) /* Intel PCONFIG */
+@@ -390,5 +391,6 @@
+ #define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
+ #define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
+ #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
++#define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
+
+ #endif /* _ASM_X86_CPUFEATURES_H */
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
+index 5761a86b88e0..9dc445ac7f19 100644
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -110,6 +110,10 @@
+ #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */
+ #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */
+
++/* SRBDS support */
++#define MSR_IA32_MCU_OPT_CTRL 0x00000123
++#define RNGDS_MITG_DIS BIT(0)
++
+ #define MSR_IA32_SYSENTER_CS 0x00000174
+ #define MSR_IA32_SYSENTER_ESP 0x00000175
+ #define MSR_IA32_SYSENTER_EIP 0x00000176
+diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
+index 98a337e3835d..2f7a4018b6e4 100644
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -234,6 +234,7 @@ static inline int pmd_large(pmd_t pte)
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
++/* NOTE: when predicate huge page, consider also pmd_devmap, or use pmd_large */
+ static inline int pmd_trans_huge(pmd_t pmd)
+ {
+ return (pmd_val(pmd) & (_PAGE_PSE|_PAGE_DEVMAP)) == _PAGE_PSE;
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 7896a34f53b5..1de9a3c404af 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -41,6 +41,7 @@ static void __init l1tf_select_mitigation(void);
+ static void __init mds_select_mitigation(void);
+ static void __init mds_print_mitigation(void);
+ static void __init taa_select_mitigation(void);
++static void __init srbds_select_mitigation(void);
+
+ /* The base value of the SPEC_CTRL MSR that always has to be preserved. */
+ u64 x86_spec_ctrl_base;
+@@ -108,6 +109,7 @@ void __init check_bugs(void)
+ l1tf_select_mitigation();
+ mds_select_mitigation();
+ taa_select_mitigation();
++ srbds_select_mitigation();
+
+ /*
+ * As MDS and TAA mitigations are inter-related, print MDS
+@@ -390,6 +392,97 @@ static int __init tsx_async_abort_parse_cmdline(char *str)
+ }
+ early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
+
++#undef pr_fmt
++#define pr_fmt(fmt) "SRBDS: " fmt
++
++enum srbds_mitigations {
++ SRBDS_MITIGATION_OFF,
++ SRBDS_MITIGATION_UCODE_NEEDED,
++ SRBDS_MITIGATION_FULL,
++ SRBDS_MITIGATION_TSX_OFF,
++ SRBDS_MITIGATION_HYPERVISOR,
++};
++
++static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL;
++
++static const char * const srbds_strings[] = {
++ [SRBDS_MITIGATION_OFF] = "Vulnerable",
++ [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
++ [SRBDS_MITIGATION_FULL] = "Mitigation: Microcode",
++ [SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled",
++ [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
++};
++
++static bool srbds_off;
++
++void update_srbds_msr(void)
++{
++ u64 mcu_ctrl;
++
++ if (!boot_cpu_has_bug(X86_BUG_SRBDS))
++ return;
++
++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
++ return;
++
++ if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED)
++ return;
++
++ rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
++
++ switch (srbds_mitigation) {
++ case SRBDS_MITIGATION_OFF:
++ case SRBDS_MITIGATION_TSX_OFF:
++ mcu_ctrl |= RNGDS_MITG_DIS;
++ break;
++ case SRBDS_MITIGATION_FULL:
++ mcu_ctrl &= ~RNGDS_MITG_DIS;
++ break;
++ default:
++ break;
++ }
++
++ wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
++}
++
++static void __init srbds_select_mitigation(void)
++{
++ u64 ia32_cap;
++
++ if (!boot_cpu_has_bug(X86_BUG_SRBDS))
++ return;
++
++ /*
++ * Check to see if this is one of the MDS_NO systems supporting
++ * TSX that are only exposed to SRBDS when TSX is enabled.
++ */
++ ia32_cap = x86_read_arch_cap_msr();
++ if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM))
++ srbds_mitigation = SRBDS_MITIGATION_TSX_OFF;
++ else if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
++ srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR;
++ else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
++ srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED;
++ else if (cpu_mitigations_off() || srbds_off)
++ srbds_mitigation = SRBDS_MITIGATION_OFF;
++
++ update_srbds_msr();
++ pr_info("%s\n", srbds_strings[srbds_mitigation]);
++}
++
++static int __init srbds_parse_cmdline(char *str)
++{
++ if (!str)
++ return -EINVAL;
++
++ if (!boot_cpu_has_bug(X86_BUG_SRBDS))
++ return 0;
++
++ srbds_off = !strcmp(str, "off");
++ return 0;
++}
++early_param("srbds", srbds_parse_cmdline);
++
+ #undef pr_fmt
+ #define pr_fmt(fmt) "Spectre V1 : " fmt
+
+@@ -1491,6 +1584,11 @@ static char *ibpb_state(void)
+ return "";
+ }
+
++static ssize_t srbds_show_state(char *buf)
++{
++ return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
++}
++
+ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
+ char *buf, unsigned int bug)
+ {
+@@ -1532,6 +1630,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
+ case X86_BUG_ITLB_MULTIHIT:
+ return itlb_multihit_show_state(buf);
+
++ case X86_BUG_SRBDS:
++ return srbds_show_state(buf);
++
+ default:
+ break;
+ }
+@@ -1578,4 +1679,9 @@ ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr
+ {
+ return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
+ }
++
++ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf)
++{
++ return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS);
++}
+ #endif
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 7b4141889919..4a760fa494ac 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -964,9 +964,30 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
+ {}
+ };
+
+-static bool __init cpu_matches(unsigned long which)
++#define VULNBL_INTEL_STEPPINGS(model, steppings, issues) \
++ X86_MATCH_VENDOR_FAM_MODEL_STEPPINGS_FEATURE(INTEL, 6, \
++ INTEL_FAM6_##model, steppings, \
++ X86_FEATURE_ANY, issues)
++
++#define SRBDS BIT(0)
++
++static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
++ VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS),
++ VULNBL_INTEL_STEPPINGS(HASWELL_CORE, X86_STEPPING_ANY, SRBDS),
++ VULNBL_INTEL_STEPPINGS(HASWELL_ULT, X86_STEPPING_ANY, SRBDS),
++ VULNBL_INTEL_STEPPINGS(HASWELL_GT3E, X86_STEPPING_ANY, SRBDS),
++ VULNBL_INTEL_STEPPINGS(BROADWELL_GT3E, X86_STEPPING_ANY, SRBDS),
++ VULNBL_INTEL_STEPPINGS(BROADWELL_CORE, X86_STEPPING_ANY, SRBDS),
++ VULNBL_INTEL_STEPPINGS(SKYLAKE_MOBILE, X86_STEPPING_ANY, SRBDS),
++ VULNBL_INTEL_STEPPINGS(SKYLAKE_DESKTOP, X86_STEPPING_ANY, SRBDS),
++ VULNBL_INTEL_STEPPINGS(KABYLAKE_MOBILE, X86_STEPPINGS(0x0, 0xC), SRBDS),
++ VULNBL_INTEL_STEPPINGS(KABYLAKE_DESKTOP,X86_STEPPINGS(0x0, 0xD), SRBDS),
++ {}
++};
++
++static bool __init cpu_matches(const struct x86_cpu_id *table, unsigned long which)
+ {
+- const struct x86_cpu_id *m = x86_match_cpu(cpu_vuln_whitelist);
++ const struct x86_cpu_id *m = x86_match_cpu(table);
+
+ return m && !!(m->driver_data & which);
+ }
+@@ -986,29 +1007,32 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
+ u64 ia32_cap = x86_read_arch_cap_msr();
+
+ /* Set ITLB_MULTIHIT bug if cpu is not in the whitelist and not mitigated */
+- if (!cpu_matches(NO_ITLB_MULTIHIT) && !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO))
++ if (!cpu_matches(cpu_vuln_whitelist, NO_ITLB_MULTIHIT) &&
++ !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO))
+ setup_force_cpu_bug(X86_BUG_ITLB_MULTIHIT);
+
+- if (cpu_matches(NO_SPECULATION))
++ if (cpu_matches(cpu_vuln_whitelist, NO_SPECULATION))
+ return;
+
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
+
+- if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) &&
++ if (!cpu_matches(cpu_vuln_whitelist, NO_SSB) &&
++ !(ia32_cap & ARCH_CAP_SSB_NO) &&
+ !cpu_has(c, X86_FEATURE_AMD_SSB_NO))
+ setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
+
+ if (ia32_cap & ARCH_CAP_IBRS_ALL)
+ setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
+
+- if (!cpu_matches(NO_MDS) && !(ia32_cap & ARCH_CAP_MDS_NO)) {
++ if (!cpu_matches(cpu_vuln_whitelist, NO_MDS) &&
++ !(ia32_cap & ARCH_CAP_MDS_NO)) {
+ setup_force_cpu_bug(X86_BUG_MDS);
+- if (cpu_matches(MSBDS_ONLY))
++ if (cpu_matches(cpu_vuln_whitelist, MSBDS_ONLY))
+ setup_force_cpu_bug(X86_BUG_MSBDS_ONLY);
+ }
+
+- if (!cpu_matches(NO_SWAPGS))
++ if (!cpu_matches(cpu_vuln_whitelist, NO_SWAPGS))
+ setup_force_cpu_bug(X86_BUG_SWAPGS);
+
+ /*
+@@ -1026,7 +1050,16 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
+ (ia32_cap & ARCH_CAP_TSX_CTRL_MSR)))
+ setup_force_cpu_bug(X86_BUG_TAA);
+
+- if (cpu_matches(NO_MELTDOWN))
++ /*
++ * SRBDS affects CPUs which support RDRAND or RDSEED and are listed
++ * in the vulnerability blacklist.
++ */
++ if ((cpu_has(c, X86_FEATURE_RDRAND) ||
++ cpu_has(c, X86_FEATURE_RDSEED)) &&
++ cpu_matches(cpu_vuln_blacklist, SRBDS))
++ setup_force_cpu_bug(X86_BUG_SRBDS);
++
++ if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
+ return;
+
+ /* Rogue Data Cache Load? No! */
+@@ -1035,7 +1068,7 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
+
+ setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
+
+- if (cpu_matches(NO_L1TF))
++ if (cpu_matches(cpu_vuln_whitelist, NO_L1TF))
+ return;
+
+ setup_force_cpu_bug(X86_BUG_L1TF);
+@@ -1451,6 +1484,7 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c)
+ mtrr_ap_init();
+ validate_apic_and_package_id(c);
+ x86_spec_ctrl_setup_ap();
++ update_srbds_msr();
+ }
+
+ static __init int setup_noclflush(char *arg)
+diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
+index db10a63687d3..432058e5e44b 100644
+--- a/arch/x86/kernel/cpu/cpu.h
++++ b/arch/x86/kernel/cpu/cpu.h
+@@ -69,6 +69,7 @@ extern int detect_ht_early(struct cpuinfo_x86 *c);
+ unsigned int aperfmperf_get_khz(int cpu);
+
+ extern void x86_spec_ctrl_setup_ap(void);
++extern void update_srbds_msr(void);
+
+ extern u64 x86_read_arch_cap_msr(void);
+
+diff --git a/arch/x86/kernel/cpu/match.c b/arch/x86/kernel/cpu/match.c
+index 3fed38812eea..751e59057466 100644
+--- a/arch/x86/kernel/cpu/match.c
++++ b/arch/x86/kernel/cpu/match.c
+@@ -34,13 +34,18 @@ const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match)
+ const struct x86_cpu_id *m;
+ struct cpuinfo_x86 *c = &boot_cpu_data;
+
+- for (m = match; m->vendor | m->family | m->model | m->feature; m++) {
++ for (m = match;
++ m->vendor | m->family | m->model | m->steppings | m->feature;
++ m++) {
+ if (m->vendor != X86_VENDOR_ANY && c->x86_vendor != m->vendor)
+ continue;
+ if (m->family != X86_FAMILY_ANY && c->x86 != m->family)
+ continue;
+ if (m->model != X86_MODEL_ANY && c->x86_model != m->model)
+ continue;
++ if (m->steppings != X86_STEPPING_ANY &&
++ !(BIT(c->x86_stepping) & m->steppings))
++ continue;
+ if (m->feature != X86_FEATURE_ANY && !cpu_has(c, m->feature))
+ continue;
+ return m;
+diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c
+index 4d434ddb75db..f140b2d39319 100644
+--- a/arch/x86/mm/mmio-mod.c
++++ b/arch/x86/mm/mmio-mod.c
+@@ -385,7 +385,7 @@ static void enter_uniprocessor(void)
+ int cpu;
+ int err;
+
+- if (downed_cpus == NULL &&
++ if (!cpumask_available(downed_cpus) &&
+ !alloc_cpumask_var(&downed_cpus, GFP_KERNEL)) {
+ pr_notice("Failed to allocate mask\n");
+ goto out;
+@@ -415,7 +415,7 @@ static void leave_uniprocessor(void)
+ int cpu;
+ int err;
+
+- if (downed_cpus == NULL || cpumask_weight(downed_cpus) == 0)
++ if (!cpumask_available(downed_cpus) || cpumask_weight(downed_cpus) == 0)
+ return;
+ pr_notice("Re-enabling CPUs...\n");
+ for_each_cpu(cpu, downed_cpus) {
+diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
+index 0272f66db5ac..c800de86200d 100644
+--- a/drivers/base/cpu.c
++++ b/drivers/base/cpu.c
+@@ -552,6 +552,12 @@ ssize_t __weak cpu_show_itlb_multihit(struct device *dev,
+ return sprintf(buf, "Not affected\n");
+ }
+
++ssize_t __weak cpu_show_srbds(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ return sprintf(buf, "Not affected\n");
++}
++
+ static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
+ static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
+ static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+@@ -560,6 +566,7 @@ static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL);
+ static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL);
+ static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
+ static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
++static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
+
+ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+ &dev_attr_meltdown.attr,
+@@ -570,6 +577,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+ &dev_attr_mds.attr,
+ &dev_attr_tsx_async_abort.attr,
+ &dev_attr_itlb_multihit.attr,
++ &dev_attr_srbds.attr,
+ NULL
+ };
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index c8b07a182c0b..f8fb8a61fb90 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -837,6 +837,23 @@ static u8 *sony_report_fixup(struct hid_device *hdev, u8 *rdesc,
+ if (sc->quirks & PS3REMOTE)
+ return ps3remote_fixup(hdev, rdesc, rsize);
+
++ /*
++ * Some knock-off USB dongles incorrectly report their button count
++ * as 13 instead of 16 causing three non-functional buttons.
++ */
++ if ((sc->quirks & SIXAXIS_CONTROLLER_USB) && *rsize >= 45 &&
++ /* Report Count (13) */
++ rdesc[23] == 0x95 && rdesc[24] == 0x0D &&
++ /* Usage Maximum (13) */
++ rdesc[37] == 0x29 && rdesc[38] == 0x0D &&
++ /* Report Count (3) */
++ rdesc[43] == 0x95 && rdesc[44] == 0x03) {
++ hid_info(hdev, "Fixing up USB dongle report descriptor\n");
++ rdesc[24] = 0x10;
++ rdesc[38] = 0x10;
++ rdesc[44] = 0x00;
++ }
++
+ return rdesc;
+ }
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+index 95052373a828..681ac9bc68b3 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
+@@ -381,6 +381,14 @@ static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = {
+ },
+ .driver_data = (void *)&sipodev_desc
+ },
++ {
++ .ident = "Schneider SCL142ALM",
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SCHNEIDER"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "SCL142ALM"),
++ },
++ .driver_data = (void *)&sipodev_desc
++ },
+ { } /* Terminate list */
+ };
+
+diff --git a/drivers/i2c/busses/i2c-altera.c b/drivers/i2c/busses/i2c-altera.c
+index 8915ee30a5b4..1d59eede537b 100644
+--- a/drivers/i2c/busses/i2c-altera.c
++++ b/drivers/i2c/busses/i2c-altera.c
+@@ -81,6 +81,7 @@
+ * @isr_mask: cached copy of local ISR enables.
+ * @isr_status: cached copy of local ISR status.
+ * @lock: spinlock for IRQ synchronization.
++ * @isr_mutex: mutex for IRQ thread.
+ */
+ struct altr_i2c_dev {
+ void __iomem *base;
+@@ -97,6 +98,7 @@ struct altr_i2c_dev {
+ u32 isr_mask;
+ u32 isr_status;
+ spinlock_t lock; /* IRQ synchronization */
++ struct mutex isr_mutex;
+ };
+
+ static void
+@@ -256,10 +258,11 @@ static irqreturn_t altr_i2c_isr(int irq, void *_dev)
+ struct altr_i2c_dev *idev = _dev;
+ u32 status = idev->isr_status;
+
++ mutex_lock(&idev->isr_mutex);
+ if (!idev->msg) {
+ dev_warn(idev->dev, "unexpected interrupt\n");
+ altr_i2c_int_clear(idev, ALTR_I2C_ALL_IRQ);
+- return IRQ_HANDLED;
++ goto out;
+ }
+ read = (idev->msg->flags & I2C_M_RD) != 0;
+
+@@ -312,6 +315,8 @@ static irqreturn_t altr_i2c_isr(int irq, void *_dev)
+ complete(&idev->msg_complete);
+ dev_dbg(idev->dev, "Message Complete\n");
+ }
++out:
++ mutex_unlock(&idev->isr_mutex);
+
+ return IRQ_HANDLED;
+ }
+@@ -323,6 +328,7 @@ static int altr_i2c_xfer_msg(struct altr_i2c_dev *idev, struct i2c_msg *msg)
+ u32 value;
+ u8 addr = i2c_8bit_addr_from_msg(msg);
+
++ mutex_lock(&idev->isr_mutex);
+ idev->msg = msg;
+ idev->msg_len = msg->len;
+ idev->buf = msg->buf;
+@@ -347,6 +353,7 @@ static int altr_i2c_xfer_msg(struct altr_i2c_dev *idev, struct i2c_msg *msg)
+ altr_i2c_int_enable(idev, imask, true);
+ altr_i2c_fill_tx_fifo(idev);
+ }
++ mutex_unlock(&idev->isr_mutex);
+
+ time_left = wait_for_completion_timeout(&idev->msg_complete,
+ ALTR_I2C_XFER_TIMEOUT);
+@@ -420,6 +427,7 @@ static int altr_i2c_probe(struct platform_device *pdev)
+ idev->dev = &pdev->dev;
+ init_completion(&idev->msg_complete);
+ spin_lock_init(&idev->lock);
++ mutex_init(&idev->isr_mutex);
+
+ ret = device_property_read_u32(idev->dev, "fifo-size",
+ &idev->fifo_size);
+diff --git a/drivers/iio/light/vcnl4000.c b/drivers/iio/light/vcnl4000.c
+index 360b6e98137a..5a3a532937ba 100644
+--- a/drivers/iio/light/vcnl4000.c
++++ b/drivers/iio/light/vcnl4000.c
+@@ -61,7 +61,6 @@ static int vcnl4000_measure(struct vcnl4000_data *data, u8 req_mask,
+ u8 rdy_mask, u8 data_reg, int *val)
+ {
+ int tries = 20;
+- __be16 buf;
+ int ret;
+
+ mutex_lock(&data->lock);
+@@ -88,13 +87,12 @@ static int vcnl4000_measure(struct vcnl4000_data *data, u8 req_mask,
+ goto fail;
+ }
+
+- ret = i2c_smbus_read_i2c_block_data(data->client,
+- data_reg, sizeof(buf), (u8 *) &buf);
++ ret = i2c_smbus_read_word_swapped(data->client, data_reg);
+ if (ret < 0)
+ goto fail;
+
+ mutex_unlock(&data->lock);
+- *val = be16_to_cpu(buf);
++ *val = ret;
+
+ return 0;
+
+diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c
+index eac740c476ce..a8b462e1beba 100644
+--- a/drivers/net/ethernet/apple/bmac.c
++++ b/drivers/net/ethernet/apple/bmac.c
+@@ -1187,7 +1187,7 @@ bmac_get_station_address(struct net_device *dev, unsigned char *ea)
+ int i;
+ unsigned short data;
+
+- for (i = 0; i < 6; i++)
++ for (i = 0; i < 3; i++)
+ {
+ reset_and_select_srom(dev);
+ data = read_srom(dev, i + EnetAddressOffset/2, SROMAddressBits);
+diff --git a/drivers/net/ethernet/freescale/ucc_geth.c b/drivers/net/ethernet/freescale/ucc_geth.c
+index bddf4c25ee6e..7c2a9fd4dc1a 100644
+--- a/drivers/net/ethernet/freescale/ucc_geth.c
++++ b/drivers/net/ethernet/freescale/ucc_geth.c
+@@ -45,6 +45,7 @@
+ #include <soc/fsl/qe/ucc.h>
+ #include <soc/fsl/qe/ucc_fast.h>
+ #include <asm/machdep.h>
++#include <net/sch_generic.h>
+
+ #include "ucc_geth.h"
+
+@@ -1551,11 +1552,8 @@ static int ugeth_disable(struct ucc_geth_private *ugeth, enum comm_dir mode)
+
+ static void ugeth_quiesce(struct ucc_geth_private *ugeth)
+ {
+- /* Prevent any further xmits, plus detach the device. */
+- netif_device_detach(ugeth->ndev);
+-
+- /* Wait for any current xmits to finish. */
+- netif_tx_disable(ugeth->ndev);
++ /* Prevent any further xmits */
++ netif_tx_stop_all_queues(ugeth->ndev);
+
+ /* Disable the interrupt to avoid NAPI rescheduling. */
+ disable_irq(ugeth->ug_info->uf_info.irq);
+@@ -1568,7 +1566,10 @@ static void ugeth_activate(struct ucc_geth_private *ugeth)
+ {
+ napi_enable(&ugeth->napi);
+ enable_irq(ugeth->ug_info->uf_info.irq);
+- netif_device_attach(ugeth->ndev);
++
++ /* allow to xmit again */
++ netif_tx_wake_all_queues(ugeth->ndev);
++ __netdev_watchdog_up(ugeth->ndev);
+ }
+
+ /* Called every time the controller might need to be made
+diff --git a/drivers/net/ethernet/smsc/smsc911x.c b/drivers/net/ethernet/smsc/smsc911x.c
+index ce4bfecc26c7..ae80a223975d 100644
+--- a/drivers/net/ethernet/smsc/smsc911x.c
++++ b/drivers/net/ethernet/smsc/smsc911x.c
+@@ -2515,20 +2515,20 @@ static int smsc911x_drv_probe(struct platform_device *pdev)
+
+ retval = smsc911x_init(dev);
+ if (retval < 0)
+- goto out_disable_resources;
++ goto out_init_fail;
+
+ netif_carrier_off(dev);
+
+ retval = smsc911x_mii_init(pdev, dev);
+ if (retval) {
+ SMSC_WARN(pdata, probe, "Error %i initialising mii", retval);
+- goto out_disable_resources;
++ goto out_init_fail;
+ }
+
+ retval = register_netdev(dev);
+ if (retval) {
+ SMSC_WARN(pdata, probe, "Error %i registering device", retval);
+- goto out_disable_resources;
++ goto out_init_fail;
+ } else {
+ SMSC_TRACE(pdata, probe,
+ "Network interface: \"%s\"", dev->name);
+@@ -2569,9 +2569,10 @@ static int smsc911x_drv_probe(struct platform_device *pdev)
+
+ return 0;
+
+-out_disable_resources:
++out_init_fail:
+ pm_runtime_put(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
++out_disable_resources:
+ (void)smsc911x_disable_resources(pdev);
+ out_enable_resources_fail:
+ smsc911x_free_resources(pdev);
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+index 11a4a81b0397..bcc5d1e16ce2 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+@@ -330,6 +330,19 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ /* Enable PTP clock */
+ regmap_read(gmac->nss_common, NSS_COMMON_CLK_GATE, &val);
+ val |= NSS_COMMON_CLK_GATE_PTP_EN(gmac->id);
++ switch (gmac->phy_mode) {
++ case PHY_INTERFACE_MODE_RGMII:
++ val |= NSS_COMMON_CLK_GATE_RGMII_RX_EN(gmac->id) |
++ NSS_COMMON_CLK_GATE_RGMII_TX_EN(gmac->id);
++ break;
++ case PHY_INTERFACE_MODE_SGMII:
++ val |= NSS_COMMON_CLK_GATE_GMII_RX_EN(gmac->id) |
++ NSS_COMMON_CLK_GATE_GMII_TX_EN(gmac->id);
++ break;
++ default:
++ /* We don't get here; the switch above will have errored out */
++ unreachable();
++ }
+ regmap_write(gmac->nss_common, NSS_COMMON_CLK_GATE, val);
+
+ if (gmac->phy_mode == PHY_INTERFACE_MODE_SGMII) {
+diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
+index fa7121dcab67..202a0f415e1e 100644
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -497,6 +497,9 @@ static int pppoe_disc_rcv(struct sk_buff *skb, struct net_device *dev,
+ if (!skb)
+ goto out;
+
++ if (skb->pkt_type != PACKET_HOST)
++ goto abort;
++
+ if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
+ goto abort;
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 820feeda1f35..32ce50f11907 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1249,6 +1249,7 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */
+ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
+diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
+index f3f20abbe269..d06dc446a393 100644
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -1928,6 +1928,10 @@ static netdev_tx_t mpi_start_xmit(struct sk_buff *skb,
+ airo_print_err(dev->name, "%s: skb == NULL!",__func__);
+ return NETDEV_TX_OK;
+ }
++ if (skb_padto(skb, ETH_ZLEN)) {
++ dev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
+ npacks = skb_queue_len (&ai->txq);
+
+ if (npacks >= MAXTXQ - 1) {
+@@ -2130,6 +2134,10 @@ static netdev_tx_t airo_start_xmit(struct sk_buff *skb,
+ airo_print_err(dev->name, "%s: skb == NULL!", __func__);
+ return NETDEV_TX_OK;
+ }
++ if (skb_padto(skb, ETH_ZLEN)) {
++ dev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
+
+ /* Find a vacant FID */
+ for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ );
+@@ -2204,6 +2212,10 @@ static netdev_tx_t airo_start_xmit11(struct sk_buff *skb,
+ airo_print_err(dev->name, "%s: skb == NULL!", __func__);
+ return NETDEV_TX_OK;
+ }
++ if (skb_padto(skb, ETH_ZLEN)) {
++ dev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
+
+ /* Find a vacant FID */
+ for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ );
+diff --git a/drivers/net/wireless/intersil/p54/p54usb.c b/drivers/net/wireless/intersil/p54/p54usb.c
+index 15661da6eedc..39cfabf968d4 100644
+--- a/drivers/net/wireless/intersil/p54/p54usb.c
++++ b/drivers/net/wireless/intersil/p54/p54usb.c
+@@ -64,6 +64,7 @@ static const struct usb_device_id p54u_table[] = {
+ {USB_DEVICE(0x0db0, 0x6826)}, /* MSI UB54G (MS-6826) */
+ {USB_DEVICE(0x107b, 0x55f2)}, /* Gateway WGU-210 (Gemtek) */
+ {USB_DEVICE(0x124a, 0x4023)}, /* Shuttle PN15, Airvast WM168g, IOGear GWU513 */
++ {USB_DEVICE(0x124a, 0x4026)}, /* AirVasT USB wireless device */
+ {USB_DEVICE(0x1435, 0x0210)}, /* Inventel UR054G */
+ {USB_DEVICE(0x15a9, 0x0002)}, /* Gemtek WUBI-100GW 802.11g */
+ {USB_DEVICE(0x1630, 0x0005)}, /* 2Wire 802.11g USB (v1) / Z-Com */
+diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c
+index fd08be2917e6..7399eb2c5e1d 100644
+--- a/drivers/nfc/st21nfca/dep.c
++++ b/drivers/nfc/st21nfca/dep.c
+@@ -184,8 +184,10 @@ static int st21nfca_tm_send_atr_res(struct nfc_hci_dev *hdev,
+ memcpy(atr_res->gbi, atr_req->gbi, gb_len);
+ r = nfc_set_remote_general_bytes(hdev->ndev, atr_res->gbi,
+ gb_len);
+- if (r < 0)
++ if (r < 0) {
++ kfree_skb(skb);
+ return r;
++ }
+ }
+
+ info->dep_info.curr_nfc_dep_pni = 0;
+diff --git a/drivers/nvdimm/btt.c b/drivers/nvdimm/btt.c
+index c46b7e1b0132..3c68ea878ad0 100644
+--- a/drivers/nvdimm/btt.c
++++ b/drivers/nvdimm/btt.c
+@@ -399,9 +399,9 @@ static int btt_flog_write(struct arena_info *arena, u32 lane, u32 sub,
+ arena->freelist[lane].sub = 1 - arena->freelist[lane].sub;
+ if (++(arena->freelist[lane].seq) == 4)
+ arena->freelist[lane].seq = 1;
+- if (ent_e_flag(ent->old_map))
++ if (ent_e_flag(le32_to_cpu(ent->old_map)))
+ arena->freelist[lane].has_err = 1;
+- arena->freelist[lane].block = le32_to_cpu(ent_lba(ent->old_map));
++ arena->freelist[lane].block = ent_lba(le32_to_cpu(ent->old_map));
+
+ return ret;
+ }
+@@ -567,8 +567,8 @@ static int btt_freelist_init(struct arena_info *arena)
+ * FIXME: if error clearing fails during init, we want to make
+ * the BTT read-only
+ */
+- if (ent_e_flag(log_new.old_map) &&
+- !ent_normal(log_new.old_map)) {
++ if (ent_e_flag(le32_to_cpu(log_new.old_map)) &&
++ !ent_normal(le32_to_cpu(log_new.old_map))) {
+ arena->freelist[i].has_err = 1;
+ ret = arena_clear_freelist_error(arena, i);
+ if (ret)
+diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c
+index ace9958f2905..6ed3b4ed27dd 100644
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -1978,7 +1978,7 @@ struct device *create_namespace_pmem(struct nd_region *nd_region,
+ nd_mapping = &nd_region->mapping[i];
+ label_ent = list_first_entry_or_null(&nd_mapping->labels,
+ typeof(*label_ent), list);
+- label0 = label_ent ? label_ent->label : 0;
++ label0 = label_ent ? label_ent->label : NULL;
+
+ if (!label0) {
+ WARN_ON(1);
+@@ -2315,8 +2315,9 @@ static struct device **scan_labels(struct nd_region *nd_region)
+ continue;
+
+ /* skip labels that describe extents outside of the region */
+- if (nd_label->dpa < nd_mapping->start || nd_label->dpa > map_end)
+- continue;
++ if (__le64_to_cpu(nd_label->dpa) < nd_mapping->start ||
++ __le64_to_cpu(nd_label->dpa) > map_end)
++ continue;
+
+ i = add_namespace_resource(nd_region, nd_label, devs, count);
+ if (i < 0)
+diff --git a/drivers/nvmem/qfprom.c b/drivers/nvmem/qfprom.c
+index 2bdb6c389328..d3e08496e49b 100644
+--- a/drivers/nvmem/qfprom.c
++++ b/drivers/nvmem/qfprom.c
+@@ -30,19 +30,6 @@ static int qfprom_reg_read(void *context,
+ return 0;
+ }
+
+-static int qfprom_reg_write(void *context,
+- unsigned int reg, void *_val, size_t bytes)
+-{
+- void __iomem *base = context;
+- u8 *val = _val;
+- int i = 0, words = bytes;
+-
+- while (words--)
+- writeb(*val++, base + reg + i++);
+-
+- return 0;
+-}
+-
+ static int qfprom_remove(struct platform_device *pdev)
+ {
+ struct nvmem_device *nvmem = platform_get_drvdata(pdev);
+@@ -56,7 +43,6 @@ static struct nvmem_config econfig = {
+ .stride = 1,
+ .word_size = 1,
+ .reg_read = qfprom_reg_read,
+- .reg_write = qfprom_reg_write,
+ };
+
+ static int qfprom_probe(struct platform_device *pdev)
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index b167411580ba..dd918c5d5cb8 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -655,12 +655,13 @@ static void hisi_sas_port_notify_formed(struct asd_sas_phy *sas_phy)
+ struct hisi_hba *hisi_hba = sas_ha->lldd_ha;
+ struct hisi_sas_phy *phy = sas_phy->lldd_phy;
+ struct asd_sas_port *sas_port = sas_phy->port;
+- struct hisi_sas_port *port = to_hisi_sas_port(sas_port);
++ struct hisi_sas_port *port;
+ unsigned long flags;
+
+ if (!sas_port)
+ return;
+
++ port = to_hisi_sas_port(sas_port);
+ spin_lock_irqsave(&hisi_hba->lock, flags);
+ port->port_attached = 1;
+ port->id = phy->port_id;
+diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
+index 022fcd2e4702..9654898f3e51 100644
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -392,8 +392,8 @@ EXPORT_SYMBOL(scsi_dev_info_list_add_keyed);
+
+ /**
+ * scsi_dev_info_list_find - find a matching dev_info list entry.
+- * @vendor: vendor string
+- * @model: model (product) string
++ * @vendor: full vendor string
++ * @model: full model (product) string
+ * @key: specify list to use
+ *
+ * Description:
+@@ -408,7 +408,7 @@ static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor,
+ struct scsi_dev_info_list *devinfo;
+ struct scsi_dev_info_list_table *devinfo_table =
+ scsi_devinfo_lookup_by_key(key);
+- size_t vmax, mmax;
++ size_t vmax, mmax, mlen;
+ const char *vskip, *mskip;
+
+ if (IS_ERR(devinfo_table))
+@@ -447,15 +447,18 @@ static struct scsi_dev_info_list *scsi_dev_info_list_find(const char *vendor,
+ dev_info_list) {
+ if (devinfo->compatible) {
+ /*
+- * Behave like the older version of get_device_flags.
++ * vendor strings must be an exact match
+ */
+- if (memcmp(devinfo->vendor, vskip, vmax) ||
+- (vmax < sizeof(devinfo->vendor) &&
+- devinfo->vendor[vmax]))
++ if (vmax != strlen(devinfo->vendor) ||
++ memcmp(devinfo->vendor, vskip, vmax))
+ continue;
+- if (memcmp(devinfo->model, mskip, mmax) ||
+- (mmax < sizeof(devinfo->model) &&
+- devinfo->model[mmax]))
++
++ /*
++ * @model specifies the full string, and
++ * must be larger or equal to devinfo->model
++ */
++ mlen = strlen(devinfo->model);
++ if (mmax < mlen || memcmp(devinfo->model, mskip, mlen))
+ continue;
+ return devinfo;
+ } else {
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 78d9c2c48236..3a98e5a1d830 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -2365,6 +2365,7 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)
+
+ err = ufshcd_map_sg(hba, lrbp);
+ if (err) {
++ ufshcd_release(hba);
+ lrbp->cmd = NULL;
+ clear_bit_unlock(tag, &hba->lrb_in_use);
+ goto out;
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index b461200871f8..cbdad3c4930f 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -305,6 +305,9 @@ static int dw_spi_transfer_one(struct spi_master *master,
+ dws->len = transfer->len;
+ spin_unlock_irqrestore(&dws->buf_lock, flags);
+
++ /* Ensure dw->rx and dw->rx_end are visible */
++ smp_mb();
++
+ spi_enable_chip(dws, 0);
+
+ /* Handle per transfer options for bpw and speed */
+diff --git a/drivers/staging/rtl8712/wifi.h b/drivers/staging/rtl8712/wifi.h
+index 0ed2f44ab4e9..14b899fcd97c 100644
+--- a/drivers/staging/rtl8712/wifi.h
++++ b/drivers/staging/rtl8712/wifi.h
+@@ -468,7 +468,7 @@ static inline unsigned char *get_hdr_bssid(unsigned char *pframe)
+ /* block-ack parameters */
+ #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
+ #define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
+-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0
++#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFC0
+ #define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
+ #define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
+
+@@ -562,13 +562,6 @@ struct ieee80211_ht_addt_info {
+ #define IEEE80211_HT_IE_NON_GF_STA_PRSNT 0x0004
+ #define IEEE80211_HT_IE_NON_HT_STA_PRSNT 0x0010
+
+-/* block-ack parameters */
+-#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
+-#define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
+-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0
+-#define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
+-#define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
+-
+ /*
+ * A-PMDU buffer sizes
+ * According to IEEE802.11n spec size varies from 8K to 64K (in powers of 2)
+diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
+index fc0ef13f2616..d52221ae1b85 100644
+--- a/drivers/tty/hvc/hvc_console.c
++++ b/drivers/tty/hvc/hvc_console.c
+@@ -357,15 +357,14 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
+ * tty fields and return the kref reference.
+ */
+ if (rc) {
+- tty_port_tty_set(&hp->port, NULL);
+- tty->driver_data = NULL;
+- tty_port_put(&hp->port);
+ printk(KERN_ERR "hvc_open: request_irq failed with rc %d.\n", rc);
+- } else
++ } else {
+ /* We are ready... raise DTR/RTS */
+ if (C_BAUD(tty))
+ if (hp->ops->dtr_rts)
+ hp->ops->dtr_rts(hp, 1);
++ tty_port_set_initialized(&hp->port, true);
++ }
+
+ /* Force wakeup of the polling thread */
+ hvc_kick();
+@@ -375,22 +374,12 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
+
+ static void hvc_close(struct tty_struct *tty, struct file * filp)
+ {
+- struct hvc_struct *hp;
++ struct hvc_struct *hp = tty->driver_data;
+ unsigned long flags;
+
+ if (tty_hung_up_p(filp))
+ return;
+
+- /*
+- * No driver_data means that this close was issued after a failed
+- * hvc_open by the tty layer's release_dev() function and we can just
+- * exit cleanly because the kref reference wasn't made.
+- */
+- if (!tty->driver_data)
+- return;
+-
+- hp = tty->driver_data;
+-
+ spin_lock_irqsave(&hp->port.lock, flags);
+
+ if (--hp->port.count == 0) {
+@@ -398,6 +387,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
+ /* We are done with the tty pointer now. */
+ tty_port_tty_set(&hp->port, NULL);
+
++ if (!tty_port_initialized(&hp->port))
++ return;
++
+ if (C_HUPCL(tty))
+ if (hp->ops->dtr_rts)
+ hp->ops->dtr_rts(hp, 0);
+@@ -414,6 +406,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
+ * waking periodically to check chars_in_buffer().
+ */
+ tty_wait_until_sent(tty, HVC_CLOSE_WAIT);
++ tty_port_set_initialized(&hp->port, false);
+ } else {
+ if (hp->port.count < 0)
+ printk(KERN_ERR "hvc_close %X: oops, count is %d\n",
+diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
+index b9ec4e2828e2..610cb8338d53 100644
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -126,7 +126,11 @@ static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf' and friends */
+ static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */
+ static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */
+ static bool dead_key_next;
+-static int npadch = -1; /* -1 or number assembled on pad */
++
++/* Handles a number being assembled on the number pad */
++static bool npadch_active;
++static unsigned int npadch_value;
++
+ static unsigned int diacr;
+ static char rep; /* flag telling character repeat */
+
+@@ -816,12 +820,12 @@ static void k_shift(struct vc_data *vc, unsigned char value, char up_flag)
+ shift_state &= ~(1 << value);
+
+ /* kludge */
+- if (up_flag && shift_state != old_state && npadch != -1) {
++ if (up_flag && shift_state != old_state && npadch_active) {
+ if (kbd->kbdmode == VC_UNICODE)
+- to_utf8(vc, npadch);
++ to_utf8(vc, npadch_value);
+ else
+- put_queue(vc, npadch & 0xff);
+- npadch = -1;
++ put_queue(vc, npadch_value & 0xff);
++ npadch_active = false;
+ }
+ }
+
+@@ -839,7 +843,7 @@ static void k_meta(struct vc_data *vc, unsigned char value, char up_flag)
+
+ static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
+ {
+- int base;
++ unsigned int base;
+
+ if (up_flag)
+ return;
+@@ -853,10 +857,12 @@ static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
+ base = 16;
+ }
+
+- if (npadch == -1)
+- npadch = value;
+- else
+- npadch = npadch * base + value;
++ if (!npadch_active) {
++ npadch_value = 0;
++ npadch_active = true;
++ }
++
++ npadch_value = npadch_value * base + value;
+ }
+
+ static void k_lock(struct vc_data *vc, unsigned char value, char up_flag)
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 38709bee4c20..4067f079b08d 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -602,7 +602,7 @@ static void acm_softint(struct work_struct *work)
+ }
+
+ if (test_and_clear_bit(ACM_ERROR_DELAY, &acm->flags)) {
+- for (i = 0; i < ACM_NR; i++)
++ for (i = 0; i < acm->rx_buflimit; i++)
+ if (test_and_clear_bit(i, &acm->urbs_in_error_delay))
+ acm_submit_read_urb(acm, i, GFP_NOIO);
+ }
+diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
+index dca39c9a13b0..962bf792f658 100644
+--- a/drivers/usb/musb/musb_core.c
++++ b/drivers/usb/musb/musb_core.c
+@@ -2749,6 +2749,13 @@ static int musb_resume(struct device *dev)
+ musb_enable_interrupts(musb);
+ musb_platform_enable(musb);
+
++ /* session might be disabled in suspend */
++ if (musb->port_mode == MUSB_HOST &&
++ !(musb->ops->quirks & MUSB_PRESERVE_SESSION)) {
++ devctl |= MUSB_DEVCTL_SESSION;
++ musb_writeb(musb->mregs, MUSB_DEVCTL, devctl);
++ }
++
+ spin_lock_irqsave(&musb->lock, flags);
+ error = musb_run_resume_work(musb);
+ if (error)
+diff --git a/drivers/usb/musb/musb_debugfs.c b/drivers/usb/musb/musb_debugfs.c
+index 952733ceaac8..480b2119f1e7 100644
+--- a/drivers/usb/musb/musb_debugfs.c
++++ b/drivers/usb/musb/musb_debugfs.c
+@@ -206,6 +206,11 @@ static ssize_t musb_test_mode_write(struct file *file,
+ u8 test;
+ char buf[24];
+
++ memset(buf, 0x00, sizeof(buf));
++
++ if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
++ return -EFAULT;
++
+ pm_runtime_get_sync(musb->controller);
+ test = musb_readb(musb->mregs, MUSB_TESTMODE);
+ if (test) {
+@@ -214,11 +219,6 @@ static ssize_t musb_test_mode_write(struct file *file,
+ goto ret;
+ }
+
+- memset(buf, 0x00, sizeof(buf));
+-
+- if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
+- return -EFAULT;
+-
+ if (strstarts(buf, "force host full-speed"))
+ test = MUSB_TEST_FORCE_HOST | MUSB_TEST_FORCE_FS;
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 3621bde2a0ed..b07f805ee661 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1160,6 +1160,10 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1031, 0xff), /* Telit LE910C1-EUX */
++ .driver_info = NCTRL(0) | RSVD(3) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1033, 0xff), /* Telit LE910C1-EUX (ECM) */
++ .driver_info = NCTRL(0) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0),
+ .driver_info = RSVD(0) | RSVD(1) | NCTRL(2) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG1),
+diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
+index cdfc65ca8cd9..27b4082f4d19 100644
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -177,6 +177,7 @@ static const struct usb_device_id id_table[] = {
+ {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */
+ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */
++ {DEVICE_SWI(0x413c, 0x81cb)}, /* Dell Wireless 5816e QDL */
+ {DEVICE_SWI(0x413c, 0x81cc)}, /* Dell Wireless 5816e */
+ {DEVICE_SWI(0x413c, 0x81cf)}, /* Dell Wireless 5819 */
+ {DEVICE_SWI(0x413c, 0x81d0)}, /* Dell Wireless 5819 */
+diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c
+index 95e9576c2fe6..4fab7ec9cd3f 100644
+--- a/drivers/usb/serial/usb_wwan.c
++++ b/drivers/usb/serial/usb_wwan.c
+@@ -302,6 +302,10 @@ static void usb_wwan_indat_callback(struct urb *urb)
+ if (status) {
+ dev_dbg(dev, "%s: nonzero status: %d on endpoint %02x.\n",
+ __func__, status, endpoint);
++
++ /* don't resubmit on fatal errors */
++ if (status == -ESHUTDOWN || status == -ENOENT)
++ return;
+ } else {
+ if (urb->actual_length) {
+ tty_insert_flip_string(&port->port, data,
+diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h
+index 6db347b58644..eba777807fc0 100644
+--- a/include/linux/mod_devicetable.h
++++ b/include/linux/mod_devicetable.h
+@@ -589,6 +589,10 @@ struct mips_cdmm_device_id {
+ /*
+ * MODULE_DEVICE_TABLE expects this struct to be called x86cpu_device_id.
+ * Although gcc seems to ignore this error, clang fails without this define.
++ *
++ * Note: The ordering of the struct is different from upstream because the
++ * static initializers in kernels < 5.7 still use C89 style while upstream
++ * has been converted to proper C99 initializers.
+ */
+ #define x86cpu_device_id x86_cpu_id
+ struct x86_cpu_id {
+@@ -597,6 +601,7 @@ struct x86_cpu_id {
+ __u16 model;
+ __u16 feature; /* bit index */
+ kernel_ulong_t driver_data;
++ __u16 steppings;
+ };
+
+ #define X86_FEATURE_MATCH(x) \
+@@ -605,6 +610,7 @@ struct x86_cpu_id {
+ #define X86_VENDOR_ANY 0xffff
+ #define X86_FAMILY_ANY 0
+ #define X86_MODEL_ANY 0
++#define X86_STEPPING_ANY 0
+ #define X86_FEATURE_ANY 0 /* Same as FPU, you can't test for that */
+
+ /*
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index 44e20c4b5141..a16e0bdf7751 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -31,6 +31,7 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ {
+ unsigned int gso_type = 0;
+ unsigned int thlen = 0;
++ unsigned int p_off = 0;
+ unsigned int ip_proto;
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+@@ -68,7 +69,8 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
+
+- if (skb_transport_offset(skb) + thlen > skb_headlen(skb))
++ p_off = skb_transport_offset(skb) + thlen;
++ if (p_off > skb_headlen(skb))
+ return -EINVAL;
+ } else {
+ /* gso packets without NEEDS_CSUM do not set transport_offset.
+@@ -90,17 +92,25 @@ retry:
+ return -EINVAL;
+ }
+
+- if (keys.control.thoff + thlen > skb_headlen(skb) ||
++ p_off = keys.control.thoff + thlen;
++ if (p_off > skb_headlen(skb) ||
+ keys.basic.ip_proto != ip_proto)
+ return -EINVAL;
+
+ skb_set_transport_header(skb, keys.control.thoff);
++ } else if (gso_type) {
++ p_off = thlen;
++ if (p_off > skb_headlen(skb))
++ return -EINVAL;
+ }
+ }
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
+
++ if (skb->len - p_off <= gso_size)
++ return -EINVAL;
++
+ skb_shinfo(skb)->gso_size = gso_size;
+ skb_shinfo(skb)->gso_type = gso_type;
+
+diff --git a/include/uapi/linux/mmc/ioctl.h b/include/uapi/linux/mmc/ioctl.h
+index 45f369dc0a42..83a8c10fd104 100644
+--- a/include/uapi/linux/mmc/ioctl.h
++++ b/include/uapi/linux/mmc/ioctl.h
+@@ -3,6 +3,7 @@
+ #define LINUX_MMC_IOCTL_H
+
+ #include <linux/types.h>
++#include <linux/major.h>
+
+ struct mmc_ioc_cmd {
+ /* Implies direction of data. true = write, false = read */
+diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
+index c74fc9826250..82270a41acce 100644
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -612,10 +612,6 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file,
+ if (ret)
+ goto out;
+
+- /* uprobe_write_opcode() assumes we don't cross page boundary */
+- BUG_ON((uprobe->offset & ~PAGE_MASK) +
+- UPROBE_SWBP_INSN_SIZE > PAGE_SIZE);
+-
+ smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */
+ set_bit(UPROBE_COPY_INSN, &uprobe->flags);
+
+@@ -894,6 +890,13 @@ int uprobe_register(struct inode *inode, loff_t offset, struct uprobe_consumer *
+ if (offset > i_size_read(inode))
+ return -EINVAL;
+
++ /*
++ * This ensures that copy_from_page() and copy_to_page()
++ * can't cross page boundary.
++ */
++ if (!IS_ALIGNED(offset, UPROBE_SWBP_INSN_SIZE))
++ return -EINVAL;
++
+ retry:
+ uprobe = alloc_uprobe(inode, offset);
+ if (!uprobe)
+@@ -1704,6 +1707,9 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
+ uprobe_opcode_t opcode;
+ int result;
+
++ if (WARN_ON_ONCE(!IS_ALIGNED(vaddr, UPROBE_SWBP_INSN_SIZE)))
++ return -EINVAL;
++
+ pagefault_disable();
+ result = __get_user(opcode, (uprobe_opcode_t __user *)vaddr);
+ pagefault_enable();
+diff --git a/kernel/relay.c b/kernel/relay.c
+index 61d37e6da22d..b141ce697679 100644
+--- a/kernel/relay.c
++++ b/kernel/relay.c
+@@ -580,6 +580,11 @@ struct rchan *relay_open(const char *base_filename,
+ return NULL;
+
+ chan->buf = alloc_percpu(struct rchan_buf *);
++ if (!chan->buf) {
++ kfree(chan);
++ return NULL;
++ }
++
+ chan->version = RELAYFS_CHANNEL_VERSION;
+ chan->n_subbufs = n_subbufs;
+ chan->subbuf_size = subbuf_size;
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 88ceeb4ef817..3c7fcd5d5794 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -223,7 +223,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
+ new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);
+ if (!new_pmd)
+ break;
+- if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
++ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) {
+ if (extent == HPAGE_PMD_SIZE) {
+ bool moved;
+ /* See comment in move_ptes() */
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 096a28f9720d..d4d53aea2c60 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -262,6 +262,7 @@ static struct in_device *inetdev_init(struct net_device *dev)
+ err = devinet_sysctl_register(in_dev);
+ if (err) {
+ in_dev->dead = 1;
++ neigh_parms_release(&arp_tbl, in_dev->arp_parms);
+ in_dev_put(in_dev);
+ in_dev = NULL;
+ goto out;
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index c3f8bac32584..6aedf082bc2e 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1589,6 +1589,8 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
+ tunnel_id, fd);
+ goto err;
+ }
++ if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
++ goto err;
+ switch (encap) {
+ case L2TP_ENCAPTYPE_UDP:
+ if (sk->sk_protocol != IPPROTO_UDP) {
+diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
+index f7880becc165..37a9f2a25263 100644
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -24,7 +24,6 @@
+ #include <net/icmp.h>
+ #include <net/udp.h>
+ #include <net/inet_common.h>
+-#include <net/inet_hashtables.h>
+ #include <net/tcp_states.h>
+ #include <net/protocol.h>
+ #include <net/xfrm.h>
+@@ -215,15 +214,31 @@ discard:
+ return 0;
+ }
+
+-static int l2tp_ip_open(struct sock *sk)
++static int l2tp_ip_hash(struct sock *sk)
+ {
+- /* Prevent autobind. We don't have ports. */
+- inet_sk(sk)->inet_num = IPPROTO_L2TP;
++ if (sk_unhashed(sk)) {
++ write_lock_bh(&l2tp_ip_lock);
++ sk_add_node(sk, &l2tp_ip_table);
++ write_unlock_bh(&l2tp_ip_lock);
++ }
++ return 0;
++}
+
++static void l2tp_ip_unhash(struct sock *sk)
++{
++ if (sk_unhashed(sk))
++ return;
+ write_lock_bh(&l2tp_ip_lock);
+- sk_add_node(sk, &l2tp_ip_table);
++ sk_del_node_init(sk);
+ write_unlock_bh(&l2tp_ip_lock);
++}
++
++static int l2tp_ip_open(struct sock *sk)
++{
++ /* Prevent autobind. We don't have ports. */
++ inet_sk(sk)->inet_num = IPPROTO_L2TP;
+
++ l2tp_ip_hash(sk);
+ return 0;
+ }
+
+@@ -605,8 +620,8 @@ static struct proto l2tp_ip_prot = {
+ .sendmsg = l2tp_ip_sendmsg,
+ .recvmsg = l2tp_ip_recvmsg,
+ .backlog_rcv = l2tp_ip_backlog_recv,
+- .hash = inet_hash,
+- .unhash = inet_unhash,
++ .hash = l2tp_ip_hash,
++ .unhash = l2tp_ip_unhash,
+ .obj_size = sizeof(struct l2tp_ip_sock),
+ #ifdef CONFIG_COMPAT
+ .compat_setsockopt = compat_ip_setsockopt,
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index 6efdfc9b5c43..9c4670fb29d7 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -24,8 +24,6 @@
+ #include <net/icmp.h>
+ #include <net/udp.h>
+ #include <net/inet_common.h>
+-#include <net/inet_hashtables.h>
+-#include <net/inet6_hashtables.h>
+ #include <net/tcp_states.h>
+ #include <net/protocol.h>
+ #include <net/xfrm.h>
+@@ -229,15 +227,31 @@ discard:
+ return 0;
+ }
+
+-static int l2tp_ip6_open(struct sock *sk)
++static int l2tp_ip6_hash(struct sock *sk)
+ {
+- /* Prevent autobind. We don't have ports. */
+- inet_sk(sk)->inet_num = IPPROTO_L2TP;
++ if (sk_unhashed(sk)) {
++ write_lock_bh(&l2tp_ip6_lock);
++ sk_add_node(sk, &l2tp_ip6_table);
++ write_unlock_bh(&l2tp_ip6_lock);
++ }
++ return 0;
++}
+
++static void l2tp_ip6_unhash(struct sock *sk)
++{
++ if (sk_unhashed(sk))
++ return;
+ write_lock_bh(&l2tp_ip6_lock);
+- sk_add_node(sk, &l2tp_ip6_table);
++ sk_del_node_init(sk);
+ write_unlock_bh(&l2tp_ip6_lock);
++}
++
++static int l2tp_ip6_open(struct sock *sk)
++{
++ /* Prevent autobind. We don't have ports. */
++ inet_sk(sk)->inet_num = IPPROTO_L2TP;
+
++ l2tp_ip6_hash(sk);
+ return 0;
+ }
+
+@@ -742,8 +756,8 @@ static struct proto l2tp_ip6_prot = {
+ .sendmsg = l2tp_ip6_sendmsg,
+ .recvmsg = l2tp_ip6_recvmsg,
+ .backlog_rcv = l2tp_ip6_backlog_recv,
+- .hash = inet6_hash,
+- .unhash = inet_unhash,
++ .hash = l2tp_ip6_hash,
++ .unhash = l2tp_ip6_unhash,
+ .obj_size = sizeof(struct l2tp_ip6_sock),
+ #ifdef CONFIG_COMPAT
+ .compat_setsockopt = compat_ipv6_setsockopt,
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 73eac97e19fb..f297a427b421 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1290,7 +1290,7 @@ static int vsock_accept(struct socket *sock, struct socket *newsock, int flags,
+ /* Wait for children sockets to appear; these are the new sockets
+ * created upon connection establishment.
+ */
+- timeout = sock_sndtimeo(listener, flags & O_NONBLOCK);
++ timeout = sock_rcvtimeo(listener, flags & O_NONBLOCK);
+ prepare_to_wait(sk_sleep(listener), &wait, TASK_INTERRUPTIBLE);
+
+ while ((connected = vsock_dequeue_accept(listener)) == NULL &&