main/linux-grsec: port stable fixes from 3.4.28-3.4.29

2 files changed, 906 insertions, 27 deletions

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index cc73138bcd..294ec02e7b 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.6.11
 _kernver=3.6
-pkgrel=11
+pkgrel=12
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 	http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
-	patch-3.6.11-al2.patch
+	patch-3.6.11-al3.patch
 	grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
 	
 	0004-arp-flush-arp-cache-on-device-change.patch
@@ -151,7 +151,7 @@ dev() {
 
 md5sums="1a1760420eac802c541a20ab51a093d1  linux-3.6.tar.xz
 bd4bba74093405887d521309a74c19e9  patch-3.6.11.xz
-4d225839f004e4133c5fa48b7ca0ddf5  patch-3.6.11-al2.patch
+ca40e52ffe0519221fc07c25bedfc346  patch-3.6.11-al3.patch
 3838e6334ed957fd73e793e1816fe66c  grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
 776adeeb5272093574f8836c5037dd7d  0004-arp-flush-arp-cache-on-device-change.patch
 daf2cbb558588c49c138fe9ca2482b64  r8169-num-rx-desc.patch
diff --git a/main/linux-grsec/patch-3.6.11-al2.patch b/main/linux-grsec/patch-3.6.11-al3.patch
index 3139bf3a63..91e87fef2f 100644
--- a/main/linux-grsec/patch-3.6.11-al2.patch
+++ b/main/linux-grsec/patch-3.6.11-al3.patch
@@ -15,6 +15,19 @@ index df74518..ab1017b 100644
  
  	info.si_signo = SIGSEGV;
  	info.si_errno = 0;
+diff --git a/arch/arm/mach-at91/setup.c b/arch/arm/mach-at91/setup.c
+index bd0e88c..c2ff99c 100644
+--- a/arch/arm/mach-at91/setup.c
++++ b/arch/arm/mach-at91/setup.c
+@@ -104,6 +104,8 @@ static void __init soc_detect(u32 dbgu_base)
+ 	switch (socid) {
+ 	case ARCH_ID_AT91RM9200:
+ 		at91_soc_initdata.type = AT91_SOC_RM9200;
++		if (at91_soc_initdata.subtype == AT91_SOC_SUBTYPE_NONE)
++			at91_soc_initdata.subtype = AT91_SOC_RM9200_BGA;
+ 		at91_boot_soc = at91rm9200_soc;
+ 		break;
+ 
 diff --git a/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h b/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h
 index a611ad3..b6132aa 100644
 --- a/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h
@@ -58,6 +71,54 @@ index 124bce6..a301e61 100644
  #define REALVIEW_EB11MP_L220_BASE	0x10102000	/* L220 registers */
  #define REALVIEW_EB11MP_SYS_PLD_CTRL1	0xD8		/* Register offset for MPCore sysctl */
  #else
+diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
+index 13f555d..357fc03 100644
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -729,25 +729,27 @@ static void dma_cache_maint_page(struct page *page, unsigned long offset,
+ 	size_t size, enum dma_data_direction dir,
+ 	void (*op)(const void *, size_t, int))
+ {
++	unsigned long pfn;
++	size_t left = size;
++
++	pfn = page_to_pfn(page) + offset / PAGE_SIZE;
++	offset %= PAGE_SIZE;
++
+ 	/*
+ 	 * A single sg entry may refer to multiple physically contiguous
+ 	 * pages.  But we still need to process highmem pages individually.
+ 	 * If highmem is not configured then the bulk of this loop gets
+ 	 * optimized out.
+ 	 */
+-	size_t left = size;
+ 	do {
+ 		size_t len = left;
+ 		void *vaddr;
+ 
++		page = pfn_to_page(pfn);
++
+ 		if (PageHighMem(page)) {
+-			if (len + offset > PAGE_SIZE) {
+-				if (offset >= PAGE_SIZE) {
+-					page += offset / PAGE_SIZE;
+-					offset %= PAGE_SIZE;
+-				}
++			if (len + offset > PAGE_SIZE)
+ 				len = PAGE_SIZE - offset;
+-			}
+ 			vaddr = kmap_high_get(page);
+ 			if (vaddr) {
+ 				vaddr += offset;
+@@ -764,7 +766,7 @@ static void dma_cache_maint_page(struct page *page, unsigned long offset,
+ 			op(vaddr, len, dir);
+ 		}
+ 		offset = 0;
+-		page++;
++		pfn++;
+ 		left -= len;
+ 	} while (left);
+ }
 diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
 index c2fa21d..b68b531 100644
 --- a/arch/arm/mm/mmu.c
@@ -71,6 +132,59 @@ index c2fa21d..b68b531 100644
  		protection_map[i] = __pgprot(v | user_pgprot);
  	}
  
+diff --git a/arch/arm/vfp/entry.S b/arch/arm/vfp/entry.S
+index cc926c9..323ce1a 100644
+--- a/arch/arm/vfp/entry.S
++++ b/arch/arm/vfp/entry.S
+@@ -22,7 +22,7 @@
+ @  IRQs disabled.
+ @
+ ENTRY(do_vfp)
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+ 	ldr	r4, [r10, #TI_PREEMPT]	@ get preempt count
+ 	add	r11, r4, #1		@ increment it
+ 	str	r11, [r10, #TI_PREEMPT]
+@@ -35,7 +35,7 @@ ENTRY(do_vfp)
+ ENDPROC(do_vfp)
+ 
+ ENTRY(vfp_null_entry)
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+ 	get_thread_info	r10
+ 	ldr	r4, [r10, #TI_PREEMPT]	@ get preempt count
+ 	sub	r11, r4, #1		@ decrement it
+@@ -53,7 +53,7 @@ ENDPROC(vfp_null_entry)
+ 
+ 	__INIT
+ ENTRY(vfp_testing_entry)
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+ 	get_thread_info	r10
+ 	ldr	r4, [r10, #TI_PREEMPT]	@ get preempt count
+ 	sub	r11, r4, #1		@ decrement it
+diff --git a/arch/arm/vfp/vfphw.S b/arch/arm/vfp/vfphw.S
+index ea0349f..dd5e56f 100644
+--- a/arch/arm/vfp/vfphw.S
++++ b/arch/arm/vfp/vfphw.S
+@@ -168,7 +168,7 @@ vfp_hw_state_valid:
+ 					@ else it's one 32-bit instruction, so
+ 					@ always subtract 4 from the following
+ 					@ instruction address.
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+ 	get_thread_info	r10
+ 	ldr	r4, [r10, #TI_PREEMPT]	@ get preempt count
+ 	sub	r11, r4, #1		@ decrement it
+@@ -192,7 +192,7 @@ look_for_VFP_exceptions:
+ 	@ not recognised by VFP
+ 
+ 	DBGSTR	"not VFP"
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+ 	get_thread_info	r10
+ 	ldr	r4, [r10, #TI_PREEMPT]	@ get preempt count
+ 	sub	r11, r4, #1		@ decrement it
 diff --git a/arch/cris/include/asm/io.h b/arch/cris/include/asm/io.h
 index 32567bc..ac12ae2 100644
 --- a/arch/cris/include/asm/io.h
@@ -319,16 +433,31 @@ index 8f8e8ee..2a6919e 100644
  	jmp iret_exc
  5:	pushl_cfi $-1 /* orig_ax = -1 => not a system call */
  	SAVE_ALL
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index eb11369..8563b64 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -174,6 +174,9 @@ static int msr_open(struct inode *inode, struct file *file)
+ 	unsigned int cpu;
+ 	struct cpuinfo_x86 *c;
+ 
++	if (!capable(CAP_SYS_RAWIO))
++		return -EPERM;
++
+ 	cpu = iminor(file->f_path.dentry->d_inode);
+ 	if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+ 		return -ENXIO;	/* No such CPU */
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 5cee802..53339c1 100644
+index 5cee802..b328612 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -613,6 +613,81 @@ static __init void reserve_ibft_region(void)
+@@ -613,6 +613,83 @@ static __init void reserve_ibft_region(void)
  
  static unsigned reserve_low = CONFIG_X86_RESERVE_LOW << 10;
  
 +static bool __init snb_gfx_workaround_needed(void)
 +{
++#ifdef CONFIG_PCI
 +	int i;
 +	u16 vendor, devid;
 +	static const u16 snb_ids[] = {
@@ -353,6 +482,7 @@ index 5cee802..53339c1 100644
 +	for (i = 0; i < ARRAY_SIZE(snb_ids); i++)
 +		if (devid == snb_ids[i])
 +			return true;
++#endif
 +
 +	return false;
 +}
@@ -405,7 +535,7 @@ index 5cee802..53339c1 100644
  static void __init trim_bios_range(void)
  {
  	/*
-@@ -633,6 +708,7 @@ static void __init trim_bios_range(void)
+@@ -633,6 +710,7 @@ static void __init trim_bios_range(void)
  	 * take them out.
  	 */
  	e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
@@ -413,7 +543,7 @@ index 5cee802..53339c1 100644
  	sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
  }
  
-@@ -911,6 +987,8 @@ void __init setup_arch(char **cmdline_p)
+@@ -911,6 +989,8 @@ void __init setup_arch(char **cmdline_p)
  
  	setup_real_mode();
  
@@ -422,6 +552,69 @@ index 5cee802..53339c1 100644
  	init_gbpages();
  
  	/* max_pfn_mapped is updated here */
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index 72d8899..6825327 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -900,7 +900,7 @@ void __init efi_enter_virtual_mode(void)
+ 	 *
+ 	 * Call EFI services through wrapper functions.
+ 	 */
+-	efi.runtime_version = efi_systab.fw_revision;
++	efi.runtime_version = efi_systab.hdr.revision;
+ 	efi.get_time = virt_efi_get_time;
+ 	efi.set_time = virt_efi_set_time;
+ 	efi.get_wakeup_time = virt_efi_get_wakeup_time;
+diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
+index ac3aa54..0fba86d 100644
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -38,7 +38,7 @@
+ #include <asm/cacheflush.h>
+ #include <asm/fixmap.h>
+ 
+-static pgd_t save_pgd __initdata;
++static pgd_t *save_pgd __initdata;
+ static unsigned long efi_flags __initdata;
+ 
+ static void __init early_code_mapping_set_exec(int executable)
+@@ -61,12 +61,20 @@ static void __init early_code_mapping_set_exec(int executable)
+ void __init efi_call_phys_prelog(void)
+ {
+ 	unsigned long vaddress;
++	int pgd;
++	int n_pgds;
+ 
+ 	early_code_mapping_set_exec(1);
+ 	local_irq_save(efi_flags);
+-	vaddress = (unsigned long)__va(0x0UL);
+-	save_pgd = *pgd_offset_k(0x0UL);
+-	set_pgd(pgd_offset_k(0x0UL), *pgd_offset_k(vaddress));
++
++	n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
++	save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
++
++	for (pgd = 0; pgd < n_pgds; pgd++) {
++		save_pgd[pgd] = *pgd_offset_k(pgd * PGDIR_SIZE);
++		vaddress = (unsigned long)__va(pgd * PGDIR_SIZE);
++		set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress));
++	}
+ 	__flush_tlb_all();
+ }
+ 
+@@ -75,7 +83,11 @@ void __init efi_call_phys_epilog(void)
+ 	/*
+ 	 * After the lock is released, the original page table is restored.
+ 	 */
+-	set_pgd(pgd_offset_k(0x0UL), save_pgd);
++	int pgd;
++	int n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT) , PGDIR_SIZE);
++	for (pgd = 0; pgd < n_pgds; pgd++)
++		set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]);
++	kfree(save_pgd);
+ 	__flush_tlb_all();
+ 	local_irq_restore(efi_flags);
+ 	early_code_mapping_set_exec(0);
 diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
 index ad3730b..aac684d 100644
 --- a/drivers/acpi/processor_idle.c
@@ -1291,6 +1484,19 @@ index f7f1dc6..ed0e8b7 100644
  
  	/* skip validate if the capability is not present */
  	if (!dma_has_cap(DMA_XOR_VAL, dma_chan->device->cap_mask))
+diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
+index e164c55..1bfb207 100644
+--- a/drivers/edac/edac_pci_sysfs.c
++++ b/drivers/edac/edac_pci_sysfs.c
+@@ -256,7 +256,7 @@ static ssize_t edac_pci_dev_store(struct kobject *kobj,
+ 	struct edac_pci_dev_attribute *edac_pci_dev;
+ 	edac_pci_dev = (struct edac_pci_dev_attribute *)attr;
+ 
+-	if (edac_pci_dev->show)
++	if (edac_pci_dev->store)
+ 		return edac_pci_dev->store(edac_pci_dev->value, buffer, count);
+ 	return -EIO;
+ }
 diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
 index 08c6749..638e1f7 100644
 --- a/drivers/firewire/net.c
@@ -1734,8 +1940,22 @@ index 895e628..a7e797c 100644
  					ret = connector_status_connected;
  			}
  		}
+diff --git a/drivers/gpu/drm/radeon/radeon_cursor.c b/drivers/gpu/drm/radeon/radeon_cursor.c
+index 8794744..f1b951d 100644
+--- a/drivers/gpu/drm/radeon/radeon_cursor.c
++++ b/drivers/gpu/drm/radeon/radeon_cursor.c
+@@ -240,7 +240,8 @@ int radeon_crtc_cursor_move(struct drm_crtc *crtc,
+ 		y = 0;
+ 	}
+ 
+-	if (ASIC_IS_AVIVO(rdev)) {
++	/* fixed on DCE6 and newer */
++	if (ASIC_IS_AVIVO(rdev) && !ASIC_IS_DCE6(rdev)) {
+ 		int i = 0;
+ 		struct drm_crtc *crtc_p;
+ 
 diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
-index 7ddef8f..0125d34 100644
+index 7ddef8f..9bd2569 100644
 --- a/drivers/gpu/drm/radeon/radeon_display.c
 +++ b/drivers/gpu/drm/radeon/radeon_display.c
 @@ -695,10 +695,15 @@ int radeon_ddc_get_modes(struct radeon_connector *radeon_connector)
@@ -1758,6 +1978,15 @@ index 7ddef8f..0125d34 100644
  		struct radeon_connector_atom_dig *dig = radeon_connector->con_priv;
  
  		if ((dig->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT ||
+@@ -1113,7 +1118,7 @@ radeon_user_framebuffer_create(struct drm_device *dev,
+ 	if (ret) {
+ 		kfree(radeon_fb);
+ 		drm_gem_object_unreference_unlocked(obj);
+-		return NULL;
++		return ERR_PTR(ret);
+ 	}
+ 
+ 	return &radeon_fb->base;
 diff --git a/drivers/gpu/drm/radeon/radeon_i2c.c b/drivers/gpu/drm/radeon/radeon_i2c.c
 index 3edec1c..6076e85 100644
 --- a/drivers/gpu/drm/radeon/radeon_i2c.c
@@ -2115,8 +2344,60 @@ index d6cc77a..5f306f7 100644
  #endif /* CONFIG_X86 */
  
  	return retval;
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index 18a89b7..e69ece6 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -906,6 +906,38 @@ static void __init free_iommu_all(void)
+ }
+ 
+ /*
++ * Family15h Model 10h-1fh erratum 746 (IOMMU Logging May Stall Translations)
++ * Workaround:
++ *     BIOS should disable L2B micellaneous clock gating by setting
++ *     L2_L2B_CK_GATE_CONTROL[CKGateL2BMiscDisable](D0F2xF4_x90[2]) = 1b
++ */
++static void __init amd_iommu_erratum_746_workaround(struct amd_iommu *iommu)
++{
++	u32 value;
++
++	if ((boot_cpu_data.x86 != 0x15) ||
++	    (boot_cpu_data.x86_model < 0x10) ||
++	    (boot_cpu_data.x86_model > 0x1f))
++		return;
++
++	pci_write_config_dword(iommu->dev, 0xf0, 0x90);
++	pci_read_config_dword(iommu->dev, 0xf4, &value);
++
++	if (value & BIT(2))
++		return;
++
++	/* Select NB indirect register 0x90 and enable writing */
++	pci_write_config_dword(iommu->dev, 0xf0, 0x90 | (1 << 8));
++
++	pci_write_config_dword(iommu->dev, 0xf4, value | 0x4);
++	pr_info("AMD-Vi: Applying erratum 746 workaround for IOMMU at %s\n",
++		dev_name(&iommu->dev->dev));
++
++	/* Clear the enable writing bit */
++	pci_write_config_dword(iommu->dev, 0xf0, 0x90);
++}
++
++/*
+  * This function clues the initialization function for one IOMMU
+  * together and also allocates the command buffer and programs the
+  * hardware. It does NOT enable the IOMMU. This is done afterwards.
+@@ -1092,6 +1124,8 @@ static int iommu_init_pci(struct amd_iommu *iommu)
+ 			iommu->stored_l2[i] = iommu_read_l2(iommu, i);
+ 	}
+ 
++	amd_iommu_erratum_746_workaround(iommu);
++
+ 	return pci_enable_device(iommu->dev);
+ }
+ 
 diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
-index 554e6ac..c646a8e 100644
+index 554e6ac..04fb7af 100644
 --- a/drivers/iommu/intel-iommu.c
 +++ b/drivers/iommu/intel-iommu.c
 @@ -1827,10 +1827,17 @@ static int __domain_mapping(struct dmar_domain *domain, unsigned long iov_pfn,
@@ -2179,6 +2460,41 @@ index 554e6ac..c646a8e 100644
  	if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev))
  		return 1;
  
+@@ -4196,6 +4234,21 @@ static struct iommu_ops intel_iommu_ops = {
+ 	.pgsize_bitmap	= INTEL_IOMMU_PGSIZES,
+ };
+ 
++static void __devinit quirk_iommu_g4x_gfx(struct pci_dev *dev)
++{
++	/* G4x/GM45 integrated gfx dmar support is totally busted. */
++	printk(KERN_INFO "DMAR: Disabling IOMMU for graphics on this chipset\n");
++	dmar_map_gfx = 0;
++}
++
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e00, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e10, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e20, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e30, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e40, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e90, quirk_iommu_g4x_gfx);
++
+ static void __devinit quirk_iommu_rwbf(struct pci_dev *dev)
+ {
+ 	/*
+@@ -4204,12 +4257,6 @@ static void __devinit quirk_iommu_rwbf(struct pci_dev *dev)
+ 	 */
+ 	printk(KERN_INFO "DMAR: Forcing write-buffer flush capability\n");
+ 	rwbf_quirk = 1;
+-
+-	/* https://bugzilla.redhat.com/show_bug.cgi?id=538163 */
+-	if (dev->revision == 0x07) {
+-		printk(KERN_INFO "DMAR: Disabling IOMMU for graphics on this chipset\n");
+-		dmar_map_gfx = 0;
+-	}
+ }
+ 
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_rwbf);
 diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
 index afd9598..a651d52 100644
 --- a/drivers/md/dm-ioctl.c
@@ -2751,6 +3067,28 @@ index a1f4332..b27e215 100644
  	/* Choose NAND mode. */
  	writel(BM_GPMI_CTRL1_GPMI_MODE, r->gpmi_regs + HW_GPMI_CTRL1_CLR);
  
+diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c
+index 4c538e3..f56a48e 100644
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -918,7 +918,7 @@ static int c_can_handle_bus_err(struct net_device *dev,
+ 		break;
+ 	case LEC_ACK_ERROR:
+ 		netdev_dbg(dev, "ack error\n");
+-		cf->data[2] |= (CAN_ERR_PROT_LOC_ACK |
++		cf->data[3] |= (CAN_ERR_PROT_LOC_ACK |
+ 				CAN_ERR_PROT_LOC_ACK_DEL);
+ 		break;
+ 	case LEC_BIT1_ERROR:
+@@ -931,7 +931,7 @@ static int c_can_handle_bus_err(struct net_device *dev,
+ 		break;
+ 	case LEC_CRC_ERROR:
+ 		netdev_dbg(dev, "CRC error\n");
+-		cf->data[2] |= (CAN_ERR_PROT_LOC_CRC_SEQ |
++		cf->data[3] |= (CAN_ERR_PROT_LOC_CRC_SEQ |
+ 				CAN_ERR_PROT_LOC_CRC_DEL);
+ 		break;
+ 	default:
 diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
 index 963e2cc..8233e5e 100644
 --- a/drivers/net/can/dev.c
@@ -2765,6 +3103,38 @@ index 963e2cc..8233e5e 100644
  	can_flush_echo_skb(dev);
  }
  EXPORT_SYMBOL_GPL(close_candev);
+diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c
+index 48b3d62..7a43d4d 100644
+--- a/drivers/net/can/pch_can.c
++++ b/drivers/net/can/pch_can.c
+@@ -560,7 +560,7 @@ static void pch_can_error(struct net_device *ndev, u32 status)
+ 		stats->rx_errors++;
+ 		break;
+ 	case PCH_CRC_ERR:
+-		cf->data[2] |= CAN_ERR_PROT_LOC_CRC_SEQ |
++		cf->data[3] |= CAN_ERR_PROT_LOC_CRC_SEQ |
+ 			       CAN_ERR_PROT_LOC_CRC_DEL;
+ 		priv->can.can_stats.bus_error++;
+ 		stats->rx_errors++;
+diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
+index 9ded21e..44996a9 100644
+--- a/drivers/net/can/ti_hecc.c
++++ b/drivers/net/can/ti_hecc.c
+@@ -746,12 +746,12 @@ static int ti_hecc_error(struct net_device *ndev, int int_status,
+ 		}
+ 		if (err_status & HECC_CANES_CRCE) {
+ 			hecc_set_bit(priv, HECC_CANES, HECC_CANES_CRCE);
+-			cf->data[2] |= CAN_ERR_PROT_LOC_CRC_SEQ |
++			cf->data[3] |= CAN_ERR_PROT_LOC_CRC_SEQ |
+ 					CAN_ERR_PROT_LOC_CRC_DEL;
+ 		}
+ 		if (err_status & HECC_CANES_ACKE) {
+ 			hecc_set_bit(priv, HECC_CANES, HECC_CANES_ACKE);
+-			cf->data[2] |= CAN_ERR_PROT_LOC_ACK |
++			cf->data[3] |= CAN_ERR_PROT_LOC_ACK |
+ 					CAN_ERR_PROT_LOC_ACK_DEL;
+ 		}
+ 	}
 diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
 index 48cc4fb..b1b8e96 100644
 --- a/drivers/net/ethernet/intel/igb/igb_main.c
@@ -3100,6 +3470,18 @@ index 3a1ff55..a633aea 100644
  
  enum targetPowerHTRates {
  	HT_TARGET_RATE_0_8_16,
+diff --git a/drivers/net/wireless/ath/ath9k/beacon.c b/drivers/net/wireless/ath/ath9k/beacon.c
+index 1b48414..4527d0d 100644
+--- a/drivers/net/wireless/ath/ath9k/beacon.c
++++ b/drivers/net/wireless/ath/ath9k/beacon.c
+@@ -147,6 +147,7 @@ static struct ath_buf *ath9k_beacon_generate(struct ieee80211_hw *hw,
+ 				 skb->len, DMA_TO_DEVICE);
+ 		dev_kfree_skb_any(skb);
+ 		bf->bf_buf_addr = 0;
++		bf->bf_mpdu = NULL;
+ 	}
+ 
+ 	skb = ieee80211_beacon_get(hw, vif);
 diff --git a/drivers/net/wireless/ath/ath9k/calib.c b/drivers/net/wireless/ath/ath9k/calib.c
 index e5cceb0..bbd249d 100644
 --- a/drivers/net/wireless/ath/ath9k/calib.c
@@ -3126,6 +3508,51 @@ index 1060c19..60dcb6c 100644
  #define NUM_NF_READINGS       6
  #define ATH9K_NF_CAL_HIST_MAX 5
  
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index 4a9570d..aac4a40 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -344,6 +344,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
+ 			endpoint->ep_callbacks.tx(endpoint->ep_callbacks.priv,
+ 						  skb, htc_hdr->endpoint_id,
+ 						  txok);
++		} else {
++			kfree_skb(skb);
+ 		}
+ 	}
+ 
+diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
+index 4480c0c..6b12d48 100644
+--- a/drivers/net/wireless/ath/ath9k/recv.c
++++ b/drivers/net/wireless/ath/ath9k/recv.c
+@@ -744,6 +744,7 @@ static struct ath_buf *ath_get_next_rx_buf(struct ath_softc *sc,
+ 			return NULL;
+ 	}
+ 
++	list_del(&bf->list);
+ 	if (!bf->bf_mpdu)
+ 		return bf;
+ 
+@@ -1251,14 +1252,15 @@ requeue_drop_frag:
+ 			sc->rx.frag = NULL;
+ 		}
+ requeue:
++		list_add_tail(&bf->list, &sc->rx.rxbuf);
++		if (flush)
++			continue;
++
+ 		if (edma) {
+-			list_add_tail(&bf->list, &sc->rx.rxbuf);
+ 			ath_rx_edma_buf_link(sc, qtype);
+ 		} else {
+-			list_move_tail(&bf->list, &sc->rx.rxbuf);
+ 			ath_rx_buf_link(sc, bf);
+-			if (!flush)
+-				ath9k_hw_rxena(ah);
++			ath9k_hw_rxena(ah);
+ 		}
+ 	} while (1);
+ 
 diff --git a/drivers/net/wireless/b43/b43.h b/drivers/net/wireless/b43/b43.h
 index 7c899fc..ac593ab 100644
 --- a/drivers/net/wireless/b43/b43.h
@@ -3485,6 +3912,120 @@ index 0ef08e0..aa87fb7 100644
  		if (err)
  			goto err_load;
  	}
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
+index a5edebe..c110674 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
+@@ -1394,9 +1394,10 @@ void brcms_add_timer(struct brcms_timer *t, uint ms, int periodic)
+ #endif
+ 	t->ms = ms;
+ 	t->periodic = (bool) periodic;
+-	t->set = true;
+-
+-	atomic_inc(&t->wl->callbacks);
++	if (!t->set) {
++		t->set = true;
++		atomic_inc(&t->wl->callbacks);
++	}
+ 
+ 	ieee80211_queue_delayed_work(hw, &t->dly_wrk, msecs_to_jiffies(ms));
+ }
+diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c
+index 0370403..27eccd9 100644
+--- a/drivers/net/wireless/iwlegacy/common.c
++++ b/drivers/net/wireless/iwlegacy/common.c
+@@ -3957,17 +3957,21 @@ il_connection_init_rx_config(struct il_priv *il)
+ 
+ 	memset(&il->staging, 0, sizeof(il->staging));
+ 
+-	if (!il->vif) {
++	switch (il->iw_mode) {
++	case NL80211_IFTYPE_UNSPECIFIED:
+ 		il->staging.dev_type = RXON_DEV_TYPE_ESS;
+-	} else if (il->vif->type == NL80211_IFTYPE_STATION) {
++		break;
++	case NL80211_IFTYPE_STATION:
+ 		il->staging.dev_type = RXON_DEV_TYPE_ESS;
+ 		il->staging.filter_flags = RXON_FILTER_ACCEPT_GRP_MSK;
+-	} else if (il->vif->type == NL80211_IFTYPE_ADHOC) {
++		break;
++	case NL80211_IFTYPE_ADHOC:
+ 		il->staging.dev_type = RXON_DEV_TYPE_IBSS;
+ 		il->staging.flags = RXON_FLG_SHORT_PREAMBLE_MSK;
+ 		il->staging.filter_flags =
+ 		    RXON_FILTER_BCON_AWARE_MSK | RXON_FILTER_ACCEPT_GRP_MSK;
+-	} else {
++		break;
++	default:
+ 		IL_ERR("Unsupported interface type %d\n", il->vif->type);
+ 		return;
+ 	}
+@@ -4550,8 +4554,7 @@ out:
+ EXPORT_SYMBOL(il_mac_add_interface);
+ 
+ static void
+-il_teardown_interface(struct il_priv *il, struct ieee80211_vif *vif,
+-		      bool mode_change)
++il_teardown_interface(struct il_priv *il, struct ieee80211_vif *vif)
+ {
+ 	lockdep_assert_held(&il->mutex);
+ 
+@@ -4560,9 +4563,7 @@ il_teardown_interface(struct il_priv *il, struct ieee80211_vif *vif,
+ 		il_force_scan_end(il);
+ 	}
+ 
+-	if (!mode_change)
+-		il_set_mode(il);
+-
++	il_set_mode(il);
+ }
+ 
+ void
+@@ -4575,8 +4576,8 @@ il_mac_remove_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ 
+ 	WARN_ON(il->vif != vif);
+ 	il->vif = NULL;
+-
+-	il_teardown_interface(il, vif, false);
++	il->iw_mode = NL80211_IFTYPE_UNSPECIFIED;
++	il_teardown_interface(il, vif);
+ 	memset(il->bssid, 0, ETH_ALEN);
+ 
+ 	D_MAC80211("leave\n");
+@@ -4685,18 +4686,10 @@ il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ 	}
+ 
+ 	/* success */
+-	il_teardown_interface(il, vif, true);
+ 	vif->type = newtype;
+ 	vif->p2p = false;
+-	err = il_set_mode(il);
+-	WARN_ON(err);
+-	/*
+-	 * We've switched internally, but submitting to the
+-	 * device may have failed for some reason. Mask this
+-	 * error, because otherwise mac80211 will not switch
+-	 * (and set the interface type back) and we'll be
+-	 * out of sync with it.
+-	 */
++	il->iw_mode = newtype;
++	il_teardown_interface(il, vif);
+ 	err = 0;
+ 
+ out:
+diff --git a/drivers/net/wireless/mwifiex/pcie.c b/drivers/net/wireless/mwifiex/pcie.c
+index 13fbc4e..b879e13 100644
+--- a/drivers/net/wireless/mwifiex/pcie.c
++++ b/drivers/net/wireless/mwifiex/pcie.c
+@@ -161,7 +161,7 @@ static int mwifiex_pcie_suspend(struct pci_dev *pdev, pm_message_t state)
+ 
+ 	if (pdev) {
+ 		card = (struct pcie_service_card *) pci_get_drvdata(pdev);
+-		if (!card || card->adapter) {
++		if (!card || !card->adapter) {
+ 			pr_err("Card or adapter structure is not valid\n");
+ 			return 0;
+ 		}
 diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
 index fb21360..8951285 100644
 --- a/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -4948,7 +5489,7 @@ index 68d4c10..f141b4f 100644
  	g_lun0_dev = dev;
  
 diff --git a/drivers/target/target_core_fabric_configfs.c b/drivers/target/target_core_fabric_configfs.c
-index ea479e5..0bbcd35 100644
+index ea479e5..c0dd776 100644
 --- a/drivers/target/target_core_fabric_configfs.c
 +++ b/drivers/target/target_core_fabric_configfs.c
 @@ -72,6 +72,12 @@ static int target_fabric_mappedlun_link(
@@ -4964,19 +5505,18 @@ index ea479e5..0bbcd35 100644
  	/*
  	 * Ensure that the source port exists
  	 */
-@@ -746,6 +752,12 @@ static int target_fabric_port_link(
- 	struct target_fabric_configfs *tf;
- 	int ret;
- 
+@@ -763,6 +769,11 @@ static int target_fabric_port_link(
+ 		ret = -ENODEV;
+ 		goto out;
+ 	}
 +	if (dev->dev_link_magic != SE_DEV_LINK_MAGIC) {
 +		pr_err("Bad dev->dev_link_magic, not a valid se_dev_ci pointer:"
 +			" %p to struct se_device: %p\n", se_dev_ci, dev);
 +		return -EFAULT;
 +	}
-+
- 	tpg_ci = &lun_ci->ci_parent->ci_group->cg_item;
- 	se_tpg = container_of(to_config_group(tpg_ci),
- 				struct se_portal_group, tpg_group);
+ 
+ 	lun_p = core_dev_add_lun(se_tpg, dev, lun->unpacked_lun);
+ 	if (IS_ERR(lun_p)) {
 diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c
 index b8628a5..8dfe6f5 100644
 --- a/drivers/target/target_core_tpg.c
@@ -6528,6 +7068,19 @@ index b982239..2f6212e 100644
  	if (opt->osd_keepalive_timeout != CEPH_OSD_KEEPALIVE_DEFAULT)
  		seq_printf(m, ",osdkeepalivetimeout=%d",
  			   opt->osd_keepalive_timeout);
+diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
+index ce5cbd7..210fce2 100644
+--- a/fs/cifs/cifs_dfs_ref.c
++++ b/fs/cifs/cifs_dfs_ref.c
+@@ -226,6 +226,8 @@ compose_mount_options_out:
+ compose_mount_options_err:
+ 	kfree(mountdata);
+ 	mountdata = ERR_PTR(rc);
++	kfree(*devname);
++	*devname = NULL;
+ 	goto compose_mount_options_out;
+ }
+ 
 diff --git a/fs/eventpoll.c b/fs/eventpoll.c
 index eedec84..3b032dd 100644
 --- a/fs/eventpoll.c
@@ -6873,6 +7426,42 @@ index 627f108..e210a66 100644
  	} else
  		error = NFS_PROTO(dir)->remove(dir, &dentry->d_name);
  	if (error == -ENOENT)
+diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
+index dd057bc..fc8dc20 100644
+--- a/fs/nfs/namespace.c
++++ b/fs/nfs/namespace.c
+@@ -177,11 +177,31 @@ out_nofree:
+ 	return mnt;
+ }
+ 
++static int
++nfs_namespace_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
++{
++	if (NFS_FH(dentry->d_inode)->size != 0)
++		return nfs_getattr(mnt, dentry, stat);
++	generic_fillattr(dentry->d_inode, stat);
++	return 0;
++}
++
++static int
++nfs_namespace_setattr(struct dentry *dentry, struct iattr *attr)
++{
++	if (NFS_FH(dentry->d_inode)->size != 0)
++		return nfs_setattr(dentry, attr);
++	return -EACCES;
++}
++
+ const struct inode_operations nfs_mountpoint_inode_operations = {
+ 	.getattr	= nfs_getattr,
++	.setattr	= nfs_setattr,
+ };
+ 
+ const struct inode_operations nfs_referral_inode_operations = {
++	.getattr	= nfs_namespace_getattr,
++	.setattr	= nfs_namespace_setattr,
+ };
+ 
+ static void nfs_expire_automounts(struct work_struct *work)
 diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
 index 7bff871..5e61aac 100644
 --- a/fs/nfs/nfs4proc.c
@@ -7132,6 +7721,23 @@ index aa23346..585ee1c 100644
  
  	newblock = udf_get_pblock(inode->i_sb, newblocknum,
  				iinfo->i_location.partitionReferenceNum, 0);
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index e562dd4..1236b8c 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -86,11 +86,11 @@ xfs_destroy_ioend(
+ 	}
+ 
+ 	if (ioend->io_iocb) {
++		inode_dio_done(ioend->io_inode);
+ 		if (ioend->io_isasync) {
+ 			aio_complete(ioend->io_iocb, ioend->io_error ?
+ 					ioend->io_error : ioend->io_result, 0);
+ 		}
+-		inode_dio_done(ioend->io_inode);
+ 	}
+ 
+ 	mempool_free(ioend, xfs_ioend_pool);
 diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h
 index ed6642a..25f01d0 100644
 --- a/include/asm-generic/tlb.h
@@ -7638,6 +8244,58 @@ index be4f856..67b64be 100644
  		__set_current_state(TASK_RUNNING);
  		if (clear_code)
  			current->exit_code = 0;
+diff --git a/kernel/smp.c b/kernel/smp.c
+index 29dd40a..69f38bd 100644
+--- a/kernel/smp.c
++++ b/kernel/smp.c
+@@ -33,6 +33,7 @@ struct call_function_data {
+ 	struct call_single_data	csd;
+ 	atomic_t		refs;
+ 	cpumask_var_t		cpumask;
++	cpumask_var_t		cpumask_ipi;
+ };
+ 
+ static DEFINE_PER_CPU_SHARED_ALIGNED(struct call_function_data, cfd_data);
+@@ -56,6 +57,9 @@ hotplug_cfd(struct notifier_block *nfb, unsigned long action, void *hcpu)
+ 		if (!zalloc_cpumask_var_node(&cfd->cpumask, GFP_KERNEL,
+ 				cpu_to_node(cpu)))
+ 			return notifier_from_errno(-ENOMEM);
++		if (!zalloc_cpumask_var_node(&cfd->cpumask_ipi, GFP_KERNEL,
++				cpu_to_node(cpu)))
++			return notifier_from_errno(-ENOMEM);
+ 		break;
+ 
+ #ifdef CONFIG_HOTPLUG_CPU
+@@ -65,6 +69,7 @@ hotplug_cfd(struct notifier_block *nfb, unsigned long action, void *hcpu)
+ 	case CPU_DEAD:
+ 	case CPU_DEAD_FROZEN:
+ 		free_cpumask_var(cfd->cpumask);
++		free_cpumask_var(cfd->cpumask_ipi);
+ 		break;
+ #endif
+ 	};
+@@ -526,6 +531,12 @@ void smp_call_function_many(const struct cpumask *mask,
+ 		return;
+ 	}
+ 
++	/*
++	 * After we put an entry into the list, data->cpumask
++	 * may be cleared again when another CPU sends another IPI for
++	 * a SMP function call, so data->cpumask will be zero.
++	 */
++	cpumask_copy(data->cpumask_ipi, data->cpumask);
+ 	raw_spin_lock_irqsave(&call_function.lock, flags);
+ 	/*
+ 	 * Place entry at the _HEAD_ of the list, so that any cpu still
+@@ -549,7 +560,7 @@ void smp_call_function_many(const struct cpumask *mask,
+ 	smp_mb();
+ 
+ 	/* Send a message to all CPUs in the map */
+-	arch_send_call_function_ipi_mask(data->cpumask);
++	arch_send_call_function_ipi_mask(data->cpumask_ipi);
+ 
+ 	/* Optionally wait for the CPUs to complete */
+ 	if (wait)
 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
 index 781ecc2..7f8a8df 100644
 --- a/kernel/trace/ftrace.c
@@ -7956,6 +8614,32 @@ index 0b997c8..aeb0962 100644
  	if (!test_bit(HCI_INIT, &hdev->flags) &&
  	    !test_bit(HCI_SETUP, &hdev->dev_flags)) {
  		hci_dev_lock(hdev);
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 715d7e3..67d1893 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2387,7 +2387,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ 	if (ev->opcode != HCI_OP_NOP)
+ 		del_timer(&hdev->cmd_timer);
+ 
+-	if (ev->ncmd) {
++	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
+ 		atomic_set(&hdev->cmd_cnt, 1);
+ 		if (!skb_queue_empty(&hdev->cmd_q))
+ 			queue_work(hdev->workqueue, &hdev->cmd_work);
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index ccd985d..03652f3 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -931,7 +931,7 @@ static int hidp_setup_hid(struct hidp_session *session,
+ 	hid->version = req->version;
+ 	hid->country = req->country;
+ 
+-	strncpy(hid->name, req->name, 128);
++	strncpy(hid->name, req->name, sizeof(req->name) - 1);
+ 	strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
+ 	strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
+ 
 diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
 index 1a17850..32893a0 100644
 --- a/net/bluetooth/rfcomm/sock.c
@@ -8712,6 +9396,29 @@ index 7e32d42..8b45fb4 100644
  		goto out;
  	}
  	__inet6_hash(newsk, NULL);
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index a58c0b6..f985911 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -151,7 +151,17 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
+ 			sta = sta_info_get(sdata, mac_addr);
+ 		else
+ 			sta = sta_info_get_bss(sdata, mac_addr);
+-		if (!sta) {
++		/*
++		 * The ASSOC test makes sure the driver is ready to
++		 * receive the key. When wpa_supplicant has roamed
++		 * using FT, it attempts to set the key before
++		 * association has completed, this rejects that attempt
++		 * so it will set the key again after assocation.
++		 *
++		 * TODO: accept the key if we have a station entry and
++		 *       add it to the device after the station.
++		 */
++		if (!sta || !test_sta_flag(sta, WLAN_STA_ASSOC)) {
+ 			ieee80211_key_free(sdata->local, key);
+ 			err = -ENOENT;
+ 			goto out_unlock;
 diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
 index a5894dd..c55eacc 100644
 --- a/net/mac80211/ibss.c
@@ -8740,7 +9447,7 @@ index a5894dd..c55eacc 100644
  		int interval = IEEE80211_SCAN_INTERVAL;
  
 diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 642a2a3..19d4ec3 100644
+index 642a2a3..fcab057 100644
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
 @@ -1239,9 +1239,9 @@ void ieee80211_mesh_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
@@ -8756,11 +9463,125 @@ index 642a2a3..19d4ec3 100644
  int ieee80211_request_scan(struct ieee80211_sub_if_data *sdata,
  			   struct cfg80211_scan_request *req);
  void ieee80211_scan_cancel(struct ieee80211_local *local);
+@@ -1267,10 +1267,8 @@ int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata);
+ void ieee80211_sched_scan_stopped_work(struct work_struct *work);
+ 
+ /* off-channel helpers */
+-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+-				    bool offchannel_ps_enable);
+-void ieee80211_offchannel_return(struct ieee80211_local *local,
+-				 bool offchannel_ps_disable);
++void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local);
++void ieee80211_offchannel_return(struct ieee80211_local *local);
+ void ieee80211_roc_setup(struct ieee80211_local *local);
+ void ieee80211_start_next_roc(struct ieee80211_local *local);
+ void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata);
+diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
+index 2138dc3..37e3028 100644
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -102,8 +102,7 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
+ 	ieee80211_sta_reset_conn_monitor(sdata);
+ }
+ 
+-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+-				    bool offchannel_ps_enable)
++void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local)
+ {
+ 	struct ieee80211_sub_if_data *sdata;
+ 
+@@ -128,8 +127,7 @@ void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+ 
+ 		if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
+ 			netif_tx_stop_all_queues(sdata->dev);
+-			if (offchannel_ps_enable &&
+-			    (sdata->vif.type == NL80211_IFTYPE_STATION) &&
++			if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+ 			    sdata->u.mgd.associated)
+ 				ieee80211_offchannel_ps_enable(sdata);
+ 		}
+@@ -137,8 +135,7 @@ void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+ 	mutex_unlock(&local->iflist_mtx);
+ }
+ 
+-void ieee80211_offchannel_return(struct ieee80211_local *local,
+-				 bool offchannel_ps_disable)
++void ieee80211_offchannel_return(struct ieee80211_local *local)
+ {
+ 	struct ieee80211_sub_if_data *sdata;
+ 
+@@ -151,11 +148,9 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
+ 			continue;
+ 
+ 		/* Tell AP we're back */
+-		if (offchannel_ps_disable &&
+-		    sdata->vif.type == NL80211_IFTYPE_STATION) {
+-			if (sdata->u.mgd.associated)
+-				ieee80211_offchannel_ps_disable(sdata);
+-		}
++		if (sdata->vif.type == NL80211_IFTYPE_STATION &&
++		    sdata->u.mgd.associated)
++			ieee80211_offchannel_ps_disable(sdata);
+ 
+ 		if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
+ 			/*
+@@ -376,7 +371,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
+ 			local->tmp_channel = NULL;
+ 			ieee80211_hw_config(local, 0);
+ 
+-			ieee80211_offchannel_return(local, true);
++			ieee80211_offchannel_return(local);
+ 		}
+ 
+ 		ieee80211_recalc_idle(local);
 diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
-index 839dd97..09fc38d 100644
+index 839dd97..8719635 100644
 --- a/net/mac80211/scan.c
 +++ b/net/mac80211/scan.c
-@@ -819,9 +819,9 @@ int ieee80211_request_scan(struct ieee80211_sub_if_data *sdata,
+@@ -310,7 +310,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
+ 	if (!was_hw_scan) {
+ 		ieee80211_configure_filter(local);
+ 		drv_sw_scan_complete(local);
+-		ieee80211_offchannel_return(local, true);
++		ieee80211_offchannel_return(local);
+ 	}
+ 
+ 	ieee80211_recalc_idle(local);
+@@ -355,7 +355,7 @@ static int ieee80211_start_sw_scan(struct ieee80211_local *local)
+ 	local->next_scan_state = SCAN_DECISION;
+ 	local->scan_channel_idx = 0;
+ 
+-	ieee80211_offchannel_stop_vifs(local, true);
++	ieee80211_offchannel_stop_vifs(local);
+ 
+ 	ieee80211_configure_filter(local);
+ 
+@@ -680,12 +680,8 @@ static void ieee80211_scan_state_suspend(struct ieee80211_local *local,
+ 	local->scan_channel = NULL;
+ 	ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+ 
+-	/*
+-	 * Re-enable vifs and beaconing.  Leave PS
+-	 * in off-channel state..will put that back
+-	 * on-channel at the end of scanning.
+-	 */
+-	ieee80211_offchannel_return(local, false);
++	/* disable PS */
++	ieee80211_offchannel_return(local);
+ 
+ 	*next_delay = HZ / 5;
+ 	/* afterwards, resume scan & go to next channel */
+@@ -695,8 +691,7 @@ static void ieee80211_scan_state_suspend(struct ieee80211_local *local,
+ static void ieee80211_scan_state_resume(struct ieee80211_local *local,
+ 					unsigned long *next_delay)
+ {
+-	/* PS already is in off-channel mode */
+-	ieee80211_offchannel_stop_vifs(local, false);
++	ieee80211_offchannel_stop_vifs(local);
+ 
+ 	if (local->ops->flush) {
+ 		drv_flush(local, false);
+@@ -819,9 +814,9 @@ int ieee80211_request_scan(struct ieee80211_sub_if_data *sdata,
  	return res;
  }
  
@@ -8773,7 +9594,7 @@ index 839dd97..09fc38d 100644
  {
  	struct ieee80211_local *local = sdata->local;
  	int ret = -EBUSY;
-@@ -835,22 +835,36 @@ int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata,
+@@ -835,22 +830,36 @@ int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata,
  
  	/* fill internal scan request */
  	if (!chan) {
@@ -9043,10 +9864,18 @@ index 48d7c0a..bd3ba88 100644
  	free_irq(IRQ_AC97, NULL);
  	if (ac97conf_clk) {
 diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index e1b7061..31ac338 100644
+index e1b7061..c6646d9 100644
 --- a/sound/pci/hda/patch_realtek.c
 +++ b/sound/pci/hda/patch_realtek.c
-@@ -6562,8 +6562,8 @@ static void alc861vd_fixup_dallas(struct hda_codec *codec,
+@@ -4719,6 +4719,7 @@ static const struct snd_pci_quirk alc880_fixup_tbl[] = {
+ 	SND_PCI_QUIRK(0x1584, 0x9077, "Uniwill P53", ALC880_FIXUP_VOL_KNOB),
+ 	SND_PCI_QUIRK(0x161f, 0x203d, "W810", ALC880_FIXUP_W810),
+ 	SND_PCI_QUIRK(0x161f, 0x205d, "Medion Rim 2150", ALC880_FIXUP_MEDION_RIM),
++	SND_PCI_QUIRK(0x1631, 0xe011, "PB 13201056", ALC880_FIXUP_6ST),
+ 	SND_PCI_QUIRK(0x1734, 0x107c, "FSC F1734", ALC880_FIXUP_F1734),
+ 	SND_PCI_QUIRK(0x1734, 0x1094, "FSC Amilo M1451G", ALC880_FIXUP_FUJITSU),
+ 	SND_PCI_QUIRK(0x1734, 0x10ac, "FSC AMILO Xi 1526", ALC880_FIXUP_F1734),
+@@ -6562,8 +6563,8 @@ static void alc861vd_fixup_dallas(struct hda_codec *codec,
  				  const struct alc_fixup *fix, int action)
  {
  	if (action == ALC_FIXUP_ACT_PRE_PROBE) {
@@ -9100,10 +9929,27 @@ index a3acb7a..6275a2b 100644
  
  	wm2000_write(i2c, WM2000_REG_SYS_START0, 0x33);
 diff --git a/sound/soc/codecs/wm2200.c b/sound/soc/codecs/wm2200.c
-index c8bff6d..86b84a1 100644
+index c8bff6d..8e0cf14 100644
 --- a/sound/soc/codecs/wm2200.c
 +++ b/sound/soc/codecs/wm2200.c
-@@ -1380,15 +1380,9 @@ static int wm2200_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+@@ -897,8 +897,6 @@ static const char *wm2200_mixer_texts[] = {
+ 	"EQR",
+ 	"LHPF1",
+ 	"LHPF2",
+-	"LHPF3",
+-	"LHPF4",
+ 	"DSP1.1",
+ 	"DSP1.2",
+ 	"DSP1.3",
+@@ -931,7 +929,6 @@ static int wm2200_mixer_values[] = {
+ 	0x25,
+ 	0x50,   /* EQ */
+ 	0x51,
+-	0x52,
+ 	0x60,   /* LHPF1 */
+ 	0x61,   /* LHPF2 */
+ 	0x68,   /* DSP1 */
+@@ -1380,15 +1377,9 @@ static int wm2200_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
  	case SND_SOC_DAIFMT_DSP_A:
  		fmt_val = 0;
  		break;
@@ -9119,7 +9965,7 @@ index c8bff6d..86b84a1 100644
  	default:
  		dev_err(codec->dev, "Unsupported DAI format %d\n",
  			fmt & SND_SOC_DAIFMT_FORMAT_MASK);
-@@ -1440,7 +1434,7 @@ static int wm2200_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+@@ -1440,7 +1431,7 @@ static int wm2200_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
  			    WM2200_AIF1TX_LRCLK_MSTR | WM2200_AIF1TX_LRCLK_INV,
  			    lrclk);
  	snd_soc_update_bits(codec, WM2200_AUDIO_IF_1_5,
@@ -9362,6 +10208,39 @@ index eeefbce..34b9bb7 100644
  	return 0;
  }
  
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index 298070e..41e8bfb 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1259,16 +1259,23 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid, void
+ 		}
+ 		channels = (hdr->bLength - 7) / csize - 1;
+ 		bmaControls = hdr->bmaControls;
++		if (hdr->bLength < 7 + csize) {
++			snd_printk(KERN_ERR "usbaudio: unit %u: "
++				   "invalid UAC_FEATURE_UNIT descriptor\n",
++				   unitid);
++			return -EINVAL;
++		}
+ 	} else {
+ 		struct uac2_feature_unit_descriptor *ftr = _ftr;
+ 		csize = 4;
+ 		channels = (hdr->bLength - 6) / 4 - 1;
+ 		bmaControls = ftr->bmaControls;
+-	}
+-
+-	if (hdr->bLength < 7 || !csize || hdr->bLength < 7 + csize) {
+-		snd_printk(KERN_ERR "usbaudio: unit %u: invalid UAC_FEATURE_UNIT descriptor\n", unitid);
+-		return -EINVAL;
++		if (hdr->bLength < 6 + csize) {
++			snd_printk(KERN_ERR "usbaudio: unit %u: "
++				   "invalid UAC_FEATURE_UNIT descriptor\n",
++				   unitid);
++			return -EINVAL;
++		}
+ 	}
+ 
+ 	/* parse the source unit */
 diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
 index 0f58b4b..b8d1ad1 100644
 --- a/sound/usb/quirks.c