main/linux-grsec: port stable fixes from 3.4.28-3.4.29

(cherry picked from commit 04b8f4d3f4326cd32cffce17c24848316b5cabda)

2 files changed, 906 insertions, 27 deletions

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index cc73138bcd..294ec02e7b 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.6.11
 _kernver=3.6
-pkgrel=11
+pkgrel=12
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
         http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
-        patch-3.6.11-al2.patch
+        patch-3.6.11-al3.patch
         grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
         
         0004-arp-flush-arp-cache-on-device-change.patch
@@ -151,7 +151,7 @@ dev() {
 
 md5sums="1a1760420eac802c541a20ab51a093d1  linux-3.6.tar.xz
 bd4bba74093405887d521309a74c19e9  patch-3.6.11.xz
-4d225839f004e4133c5fa48b7ca0ddf5  patch-3.6.11-al2.patch
+ca40e52ffe0519221fc07c25bedfc346  patch-3.6.11-al3.patch
 3838e6334ed957fd73e793e1816fe66c  grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
 776adeeb5272093574f8836c5037dd7d  0004-arp-flush-arp-cache-on-device-change.patch
 daf2cbb558588c49c138fe9ca2482b64  r8169-num-rx-desc.patch
diff --git a/main/linux-grsec/patch-3.6.11-al2.patch b/main/linux-grsec/patch-3.6.11-al3.patch
index 3139bf3a63..91e87fef2f 100644
--- a/main/linux-grsec/patch-3.6.11-al2.patch
+++ b/main/linux-grsec/patch-3.6.11-al3.patch
@@ -15,6 +15,19 @@ index df74518..ab1017b 100644
  
         info.si_signo = SIGSEGV;
         info.si_errno = 0;
+diff --git a/arch/arm/mach-at91/setup.c b/arch/arm/mach-at91/setup.c
+index bd0e88c..c2ff99c 100644
+--- a/arch/arm/mach-at91/setup.c
++++ b/arch/arm/mach-at91/setup.c
+@@ -104,6 +104,8 @@ static void __init soc_detect(u32 dbgu_base)
+        switch (socid) {
+        case ARCH_ID_AT91RM9200:
+                at91_soc_initdata.type = AT91_SOC_RM9200;
++               if (at91_soc_initdata.subtype == AT91_SOC_SUBTYPE_NONE)
++                       at91_soc_initdata.subtype = AT91_SOC_RM9200_BGA;
+                at91_boot_soc = at91rm9200_soc;
+                break;
+ 
 diff --git a/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h b/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h
 index a611ad3..b6132aa 100644
 --- a/arch/arm/mach-pxa/include/mach/mfp-pxa27x.h
@@ -58,6 +71,54 @@ index 124bce6..a301e61 100644
  #define REALVIEW_EB11MP_L220_BASE      0x10102000      /* L220 registers */
  #define REALVIEW_EB11MP_SYS_PLD_CTRL1  0xD8            /* Register offset for MPCore sysctl */
  #else
+diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
+index 13f555d..357fc03 100644
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -729,25 +729,27 @@ static void dma_cache_maint_page(struct page *page, unsigned long offset,
+        size_t size, enum dma_data_direction dir,
+        void (*op)(const void *, size_t, int))
+ {
++       unsigned long pfn;
++       size_t left = size;
++
++       pfn = page_to_pfn(page) + offset / PAGE_SIZE;
++       offset %= PAGE_SIZE;
++
+        /*
+         * A single sg entry may refer to multiple physically contiguous
+         * pages.  But we still need to process highmem pages individually.
+         * If highmem is not configured then the bulk of this loop gets
+         * optimized out.
+         */
+-       size_t left = size;
+        do {
+                size_t len = left;
+                void *vaddr;
+ 
++               page = pfn_to_page(pfn);
++
+                if (PageHighMem(page)) {
+-                       if (len + offset > PAGE_SIZE) {
+-                               if (offset >= PAGE_SIZE) {
+-                                       page += offset / PAGE_SIZE;
+-                                       offset %= PAGE_SIZE;
+-                               }
++                       if (len + offset > PAGE_SIZE)
+                                len = PAGE_SIZE - offset;
+-                       }
+                        vaddr = kmap_high_get(page);
+                        if (vaddr) {
+                                vaddr += offset;
+@@ -764,7 +766,7 @@ static void dma_cache_maint_page(struct page *page, unsigned long offset,
+                        op(vaddr, len, dir);
+                }
+                offset = 0;
+-               page++;
++               pfn++;
+                left -= len;
+        } while (left);
+ }
 diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
 index c2fa21d..b68b531 100644
 --- a/arch/arm/mm/mmu.c
@@ -71,6 +132,59 @@ index c2fa21d..b68b531 100644
                 protection_map[i] = __pgprot(v | user_pgprot);
         }
  
+diff --git a/arch/arm/vfp/entry.S b/arch/arm/vfp/entry.S
+index cc926c9..323ce1a 100644
+--- a/arch/arm/vfp/entry.S
++++ b/arch/arm/vfp/entry.S
+@@ -22,7 +22,7 @@
+ @  IRQs disabled.
+ @
+ ENTRY(do_vfp)
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+        ldr     r4, [r10, #TI_PREEMPT]  @ get preempt count
+        add     r11, r4, #1             @ increment it
+        str     r11, [r10, #TI_PREEMPT]
+@@ -35,7 +35,7 @@ ENTRY(do_vfp)
+ ENDPROC(do_vfp)
+ 
+ ENTRY(vfp_null_entry)
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+        get_thread_info r10
+        ldr     r4, [r10, #TI_PREEMPT]  @ get preempt count
+        sub     r11, r4, #1             @ decrement it
+@@ -53,7 +53,7 @@ ENDPROC(vfp_null_entry)
+ 
+        __INIT
+ ENTRY(vfp_testing_entry)
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+        get_thread_info r10
+        ldr     r4, [r10, #TI_PREEMPT]  @ get preempt count
+        sub     r11, r4, #1             @ decrement it
+diff --git a/arch/arm/vfp/vfphw.S b/arch/arm/vfp/vfphw.S
+index ea0349f..dd5e56f 100644
+--- a/arch/arm/vfp/vfphw.S
++++ b/arch/arm/vfp/vfphw.S
+@@ -168,7 +168,7 @@ vfp_hw_state_valid:
+                                        @ else it's one 32-bit instruction, so
+                                        @ always subtract 4 from the following
+                                        @ instruction address.
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+        get_thread_info r10
+        ldr     r4, [r10, #TI_PREEMPT]  @ get preempt count
+        sub     r11, r4, #1             @ decrement it
+@@ -192,7 +192,7 @@ look_for_VFP_exceptions:
+        @ not recognised by VFP
+ 
+        DBGSTR  "not VFP"
+-#ifdef CONFIG_PREEMPT
++#ifdef CONFIG_PREEMPT_COUNT
+        get_thread_info r10
+        ldr     r4, [r10, #TI_PREEMPT]  @ get preempt count
+        sub     r11, r4, #1             @ decrement it
 diff --git a/arch/cris/include/asm/io.h b/arch/cris/include/asm/io.h
 index 32567bc..ac12ae2 100644
 --- a/arch/cris/include/asm/io.h
@@ -319,16 +433,31 @@ index 8f8e8ee..2a6919e 100644
         jmp iret_exc
  5:     pushl_cfi $-1 /* orig_ax = -1 => not a system call */
         SAVE_ALL
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index eb11369..8563b64 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -174,6 +174,9 @@ static int msr_open(struct inode *inode, struct file *file)
+        unsigned int cpu;
+        struct cpuinfo_x86 *c;
+ 
++       if (!capable(CAP_SYS_RAWIO))
++               return -EPERM;
++
+        cpu = iminor(file->f_path.dentry->d_inode);
+        if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+                return -ENXIO;  /* No such CPU */
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 5cee802..53339c1 100644
+index 5cee802..b328612 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -613,6 +613,81 @@ static __init void reserve_ibft_region(void)
+@@ -613,6 +613,83 @@ static __init void reserve_ibft_region(void)
  
  static unsigned reserve_low = CONFIG_X86_RESERVE_LOW << 10;
  
 +static bool __init snb_gfx_workaround_needed(void)
 +{
++#ifdef CONFIG_PCI
 +       int i;
 +       u16 vendor, devid;
 +       static const u16 snb_ids[] = {
@@ -353,6 +482,7 @@ index 5cee802..53339c1 100644
 +       for (i = 0; i < ARRAY_SIZE(snb_ids); i++)
 +               if (devid == snb_ids[i])
 +                       return true;
++#endif
 +
 +       return false;
 +}
@@ -405,7 +535,7 @@ index 5cee802..53339c1 100644
  static void __init trim_bios_range(void)
  {
         /*
-@@ -633,6 +708,7 @@ static void __init trim_bios_range(void)
+@@ -633,6 +710,7 @@ static void __init trim_bios_range(void)
          * take them out.
          */
         e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
@@ -413,7 +543,7 @@ index 5cee802..53339c1 100644
         sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
  }
  
-@@ -911,6 +987,8 @@ void __init setup_arch(char **cmdline_p)
+@@ -911,6 +989,8 @@ void __init setup_arch(char **cmdline_p)
  
         setup_real_mode();
  
@@ -422,6 +552,69 @@ index 5cee802..53339c1 100644
         init_gbpages();
  
         /* max_pfn_mapped is updated here */
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index 72d8899..6825327 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -900,7 +900,7 @@ void __init efi_enter_virtual_mode(void)
+         *
+         * Call EFI services through wrapper functions.
+         */
+-       efi.runtime_version = efi_systab.fw_revision;
++       efi.runtime_version = efi_systab.hdr.revision;
+        efi.get_time = virt_efi_get_time;
+        efi.set_time = virt_efi_set_time;
+        efi.get_wakeup_time = virt_efi_get_wakeup_time;
+diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
+index ac3aa54..0fba86d 100644
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -38,7 +38,7 @@
+ #include <asm/cacheflush.h>
+ #include <asm/fixmap.h>
+ 
+-static pgd_t save_pgd __initdata;
++static pgd_t *save_pgd __initdata;
+ static unsigned long efi_flags __initdata;
+ 
+ static void __init early_code_mapping_set_exec(int executable)
+@@ -61,12 +61,20 @@ static void __init early_code_mapping_set_exec(int executable)
+ void __init efi_call_phys_prelog(void)
+ {
+        unsigned long vaddress;
++       int pgd;
++       int n_pgds;
+ 
+        early_code_mapping_set_exec(1);
+        local_irq_save(efi_flags);
+-       vaddress = (unsigned long)__va(0x0UL);
+-       save_pgd = *pgd_offset_k(0x0UL);
+-       set_pgd(pgd_offset_k(0x0UL), *pgd_offset_k(vaddress));
++
++       n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
++       save_pgd = kmalloc(n_pgds * sizeof(pgd_t), GFP_KERNEL);
++
++       for (pgd = 0; pgd < n_pgds; pgd++) {
++               save_pgd[pgd] = *pgd_offset_k(pgd * PGDIR_SIZE);
++               vaddress = (unsigned long)__va(pgd * PGDIR_SIZE);
++               set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress));
++       }
+        __flush_tlb_all();
+ }
+ 
+@@ -75,7 +83,11 @@ void __init efi_call_phys_epilog(void)
+        /*
+         * After the lock is released, the original page table is restored.
+         */
+-       set_pgd(pgd_offset_k(0x0UL), save_pgd);
++       int pgd;
++       int n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT) , PGDIR_SIZE);
++       for (pgd = 0; pgd < n_pgds; pgd++)
++               set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]);
++       kfree(save_pgd);
+        __flush_tlb_all();
+        local_irq_restore(efi_flags);
+        early_code_mapping_set_exec(0);
 diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
 index ad3730b..aac684d 100644
 --- a/drivers/acpi/processor_idle.c
@@ -1291,6 +1484,19 @@ index f7f1dc6..ed0e8b7 100644
  
         /* skip validate if the capability is not present */
         if (!dma_has_cap(DMA_XOR_VAL, dma_chan->device->cap_mask))
+diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
+index e164c55..1bfb207 100644
+--- a/drivers/edac/edac_pci_sysfs.c
++++ b/drivers/edac/edac_pci_sysfs.c
+@@ -256,7 +256,7 @@ static ssize_t edac_pci_dev_store(struct kobject *kobj,
+        struct edac_pci_dev_attribute *edac_pci_dev;
+        edac_pci_dev = (struct edac_pci_dev_attribute *)attr;
+ 
+-       if (edac_pci_dev->show)
++       if (edac_pci_dev->store)
+                return edac_pci_dev->store(edac_pci_dev->value, buffer, count);
+        return -EIO;
+ }
 diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
 index 08c6749..638e1f7 100644
 --- a/drivers/firewire/net.c
@@ -1734,8 +1940,22 @@ index 895e628..a7e797c 100644
                                         ret = connector_status_connected;
                         }
                 }
+diff --git a/drivers/gpu/drm/radeon/radeon_cursor.c b/drivers/gpu/drm/radeon/radeon_cursor.c
+index 8794744..f1b951d 100644
+--- a/drivers/gpu/drm/radeon/radeon_cursor.c
++++ b/drivers/gpu/drm/radeon/radeon_cursor.c
+@@ -240,7 +240,8 @@ int radeon_crtc_cursor_move(struct drm_crtc *crtc,
+                y = 0;
+        }
+ 
+-       if (ASIC_IS_AVIVO(rdev)) {
++       /* fixed on DCE6 and newer */
++       if (ASIC_IS_AVIVO(rdev) && !ASIC_IS_DCE6(rdev)) {
+                int i = 0;
+                struct drm_crtc *crtc_p;
+ 
 diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
-index 7ddef8f..0125d34 100644
+index 7ddef8f..9bd2569 100644
 --- a/drivers/gpu/drm/radeon/radeon_display.c
 +++ b/drivers/gpu/drm/radeon/radeon_display.c
 @@ -695,10 +695,15 @@ int radeon_ddc_get_modes(struct radeon_connector *radeon_connector)
@@ -1758,6 +1978,15 @@ index 7ddef8f..0125d34 100644
                 struct radeon_connector_atom_dig *dig = radeon_connector->con_priv;
  
                 if ((dig->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT ||
+@@ -1113,7 +1118,7 @@ radeon_user_framebuffer_create(struct drm_device *dev,
+        if (ret) {
+                kfree(radeon_fb);
+                drm_gem_object_unreference_unlocked(obj);
+-               return NULL;
++               return ERR_PTR(ret);
+        }
+ 
+        return &radeon_fb->base;
 diff --git a/drivers/gpu/drm/radeon/radeon_i2c.c b/drivers/gpu/drm/radeon/radeon_i2c.c
 index 3edec1c..6076e85 100644
 --- a/drivers/gpu/drm/radeon/radeon_i2c.c
@@ -2115,8 +2344,60 @@ index d6cc77a..5f306f7 100644
  #endif /* CONFIG_X86 */
  
         return retval;
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index 18a89b7..e69ece6 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -906,6 +906,38 @@ static void __init free_iommu_all(void)
+ }
+ 
+ /*
++ * Family15h Model 10h-1fh erratum 746 (IOMMU Logging May Stall Translations)
++ * Workaround:
++ *     BIOS should disable L2B micellaneous clock gating by setting
++ *     L2_L2B_CK_GATE_CONTROL[CKGateL2BMiscDisable](D0F2xF4_x90[2]) = 1b
++ */
++static void __init amd_iommu_erratum_746_workaround(struct amd_iommu *iommu)
++{
++       u32 value;
++
++       if ((boot_cpu_data.x86 != 0x15) ||
++           (boot_cpu_data.x86_model < 0x10) ||
++           (boot_cpu_data.x86_model > 0x1f))
++               return;
++
++       pci_write_config_dword(iommu->dev, 0xf0, 0x90);
++       pci_read_config_dword(iommu->dev, 0xf4, &value);
++
++       if (value & BIT(2))
++               return;
++
++       /* Select NB indirect register 0x90 and enable writing */
++       pci_write_config_dword(iommu->dev, 0xf0, 0x90 | (1 << 8));
++
++       pci_write_config_dword(iommu->dev, 0xf4, value | 0x4);
++       pr_info("AMD-Vi: Applying erratum 746 workaround for IOMMU at %s\n",
++               dev_name(&iommu->dev->dev));
++
++       /* Clear the enable writing bit */
++       pci_write_config_dword(iommu->dev, 0xf0, 0x90);
++}
++
++/*
+  * This function clues the initialization function for one IOMMU
+  * together and also allocates the command buffer and programs the
+  * hardware. It does NOT enable the IOMMU. This is done afterwards.
+@@ -1092,6 +1124,8 @@ static int iommu_init_pci(struct amd_iommu *iommu)
+                        iommu->stored_l2[i] = iommu_read_l2(iommu, i);
+        }
+ 
++       amd_iommu_erratum_746_workaround(iommu);
++
+        return pci_enable_device(iommu->dev);
+ }
+ 
 diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
-index 554e6ac..c646a8e 100644
+index 554e6ac..04fb7af 100644
 --- a/drivers/iommu/intel-iommu.c
 +++ b/drivers/iommu/intel-iommu.c
 @@ -1827,10 +1827,17 @@ static int __domain_mapping(struct dmar_domain *domain, unsigned long iov_pfn,
@@ -2179,6 +2460,41 @@ index 554e6ac..c646a8e 100644
         if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev))
                 return 1;
  
+@@ -4196,6 +4234,21 @@ static struct iommu_ops intel_iommu_ops = {
+        .pgsize_bitmap  = INTEL_IOMMU_PGSIZES,
+ };
+ 
++static void __devinit quirk_iommu_g4x_gfx(struct pci_dev *dev)
++{
++       /* G4x/GM45 integrated gfx dmar support is totally busted. */
++       printk(KERN_INFO "DMAR: Disabling IOMMU for graphics on this chipset\n");
++       dmar_map_gfx = 0;
++}
++
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e00, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e10, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e20, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e30, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e40, quirk_iommu_g4x_gfx);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e90, quirk_iommu_g4x_gfx);
++
+ static void __devinit quirk_iommu_rwbf(struct pci_dev *dev)
+ {
+        /*
+@@ -4204,12 +4257,6 @@ static void __devinit quirk_iommu_rwbf(struct pci_dev *dev)
+         */
+        printk(KERN_INFO "DMAR: Forcing write-buffer flush capability\n");
+        rwbf_quirk = 1;
+-
+-       /* https://bugzilla.redhat.com/show_bug.cgi?id=538163 */
+-       if (dev->revision == 0x07) {
+-               printk(KERN_INFO "DMAR: Disabling IOMMU for graphics on this chipset\n");
+-               dmar_map_gfx = 0;
+-       }
+ }
+ 
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_rwbf);
 diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
 index afd9598..a651d52 100644
 --- a/drivers/md/dm-ioctl.c
@@ -2751,6 +3067,28 @@ index a1f4332..b27e215 100644
         /* Choose NAND mode. */
         writel(BM_GPMI_CTRL1_GPMI_MODE, r->gpmi_regs + HW_GPMI_CTRL1_CLR);
  
+diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c
+index 4c538e3..f56a48e 100644
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -918,7 +918,7 @@ static int c_can_handle_bus_err(struct net_device *dev,
+                break;
+        case LEC_ACK_ERROR:
+                netdev_dbg(dev, "ack error\n");
+-               cf->data[2] |= (CAN_ERR_PROT_LOC_ACK |
++               cf->data[3] |= (CAN_ERR_PROT_LOC_ACK |
+                                CAN_ERR_PROT_LOC_ACK_DEL);
+                break;
+        case LEC_BIT1_ERROR:
+@@ -931,7 +931,7 @@ static int c_can_handle_bus_err(struct net_device *dev,
+                break;
+        case LEC_CRC_ERROR:
+                netdev_dbg(dev, "CRC error\n");
+-               cf->data[2] |= (CAN_ERR_PROT_LOC_CRC_SEQ |
++               cf->data[3] |= (CAN_ERR_PROT_LOC_CRC_SEQ |
+                                CAN_ERR_PROT_LOC_CRC_DEL);
+                break;
+        default:
 diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
 index 963e2cc..8233e5e 100644
 --- a/drivers/net/can/dev.c
@@ -2765,6 +3103,38 @@ index 963e2cc..8233e5e 100644
         can_flush_echo_skb(dev);
  }
  EXPORT_SYMBOL_GPL(close_candev);
+diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c
+index 48b3d62..7a43d4d 100644
+--- a/drivers/net/can/pch_can.c
++++ b/drivers/net/can/pch_can.c
+@@ -560,7 +560,7 @@ static void pch_can_error(struct net_device *ndev, u32 status)
+                stats->rx_errors++;
+                break;
+        case PCH_CRC_ERR:
+-               cf->data[2] |= CAN_ERR_PROT_LOC_CRC_SEQ |
++               cf->data[3] |= CAN_ERR_PROT_LOC_CRC_SEQ |
+                               CAN_ERR_PROT_LOC_CRC_DEL;
+                priv->can.can_stats.bus_error++;
+                stats->rx_errors++;
+diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
+index 9ded21e..44996a9 100644
+--- a/drivers/net/can/ti_hecc.c
++++ b/drivers/net/can/ti_hecc.c
+@@ -746,12 +746,12 @@ static int ti_hecc_error(struct net_device *ndev, int int_status,
+                }
+                if (err_status & HECC_CANES_CRCE) {
+                        hecc_set_bit(priv, HECC_CANES, HECC_CANES_CRCE);
+-                       cf->data[2] |= CAN_ERR_PROT_LOC_CRC_SEQ |
++                       cf->data[3] |= CAN_ERR_PROT_LOC_CRC_SEQ |
+                                        CAN_ERR_PROT_LOC_CRC_DEL;
+                }
+                if (err_status & HECC_CANES_ACKE) {
+                        hecc_set_bit(priv, HECC_CANES, HECC_CANES_ACKE);
+-                       cf->data[2] |= CAN_ERR_PROT_LOC_ACK |
++                       cf->data[3] |= CAN_ERR_PROT_LOC_ACK |
+                                        CAN_ERR_PROT_LOC_ACK_DEL;
+                }
+        }
 diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
 index 48cc4fb..b1b8e96 100644
 --- a/drivers/net/ethernet/intel/igb/igb_main.c
@@ -3100,6 +3470,18 @@ index 3a1ff55..a633aea 100644
  
  enum targetPowerHTRates {
         HT_TARGET_RATE_0_8_16,
+diff --git a/drivers/net/wireless/ath/ath9k/beacon.c b/drivers/net/wireless/ath/ath9k/beacon.c
+index 1b48414..4527d0d 100644
+--- a/drivers/net/wireless/ath/ath9k/beacon.c
++++ b/drivers/net/wireless/ath/ath9k/beacon.c
+@@ -147,6 +147,7 @@ static struct ath_buf *ath9k_beacon_generate(struct ieee80211_hw *hw,
+                                 skb->len, DMA_TO_DEVICE);
+                dev_kfree_skb_any(skb);
+                bf->bf_buf_addr = 0;
++               bf->bf_mpdu = NULL;
+        }
+ 
+        skb = ieee80211_beacon_get(hw, vif);
 diff --git a/drivers/net/wireless/ath/ath9k/calib.c b/drivers/net/wireless/ath/ath9k/calib.c
 index e5cceb0..bbd249d 100644
 --- a/drivers/net/wireless/ath/ath9k/calib.c
@@ -3126,6 +3508,51 @@ index 1060c19..60dcb6c 100644
  #define NUM_NF_READINGS       6
  #define ATH9K_NF_CAL_HIST_MAX 5
  
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index 4a9570d..aac4a40 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -344,6 +344,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
+                        endpoint->ep_callbacks.tx(endpoint->ep_callbacks.priv,
+                                                  skb, htc_hdr->endpoint_id,
+                                                  txok);
++               } else {
++                       kfree_skb(skb);
+                }
+        }
+ 
+diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
+index 4480c0c..6b12d48 100644
+--- a/drivers/net/wireless/ath/ath9k/recv.c
++++ b/drivers/net/wireless/ath/ath9k/recv.c
+@@ -744,6 +744,7 @@ static struct ath_buf *ath_get_next_rx_buf(struct ath_softc *sc,
+                        return NULL;
+        }
+ 
++       list_del(&bf->list);
+        if (!bf->bf_mpdu)
+                return bf;
+ 
+@@ -1251,14 +1252,15 @@ requeue_drop_frag:
+                        sc->rx.frag = NULL;
+                }
+ requeue:
++               list_add_tail(&bf->list, &sc->rx.rxbuf);
++               if (flush)
++                       continue;
++
+                if (edma) {
+-                       list_add_tail(&bf->list, &sc->rx.rxbuf);
+                        ath_rx_edma_buf_link(sc, qtype);
+                } else {
+-                       list_move_tail(&bf->list, &sc->rx.rxbuf);
+                        ath_rx_buf_link(sc, bf);
+-                       if (!flush)
+-                               ath9k_hw_rxena(ah);
++                       ath9k_hw_rxena(ah);
+                }
+        } while (1);
+ 
 diff --git a/drivers/net/wireless/b43/b43.h b/drivers/net/wireless/b43/b43.h
 index 7c899fc..ac593ab 100644
 --- a/drivers/net/wireless/b43/b43.h
@@ -3485,6 +3912,120 @@ index 0ef08e0..aa87fb7 100644
                 if (err)
                         goto err_load;
         }
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
+index a5edebe..c110674 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
+@@ -1394,9 +1394,10 @@ void brcms_add_timer(struct brcms_timer *t, uint ms, int periodic)
+ #endif
+        t->ms = ms;
+        t->periodic = (bool) periodic;
+-       t->set = true;
+-
+-       atomic_inc(&t->wl->callbacks);
++       if (!t->set) {
++               t->set = true;
++               atomic_inc(&t->wl->callbacks);
++       }
+ 
+        ieee80211_queue_delayed_work(hw, &t->dly_wrk, msecs_to_jiffies(ms));
+ }
+diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c
+index 0370403..27eccd9 100644
+--- a/drivers/net/wireless/iwlegacy/common.c
++++ b/drivers/net/wireless/iwlegacy/common.c
+@@ -3957,17 +3957,21 @@ il_connection_init_rx_config(struct il_priv *il)
+ 
+        memset(&il->staging, 0, sizeof(il->staging));
+ 
+-       if (!il->vif) {
++       switch (il->iw_mode) {
++       case NL80211_IFTYPE_UNSPECIFIED:
+                il->staging.dev_type = RXON_DEV_TYPE_ESS;
+-       } else if (il->vif->type == NL80211_IFTYPE_STATION) {
++               break;
++       case NL80211_IFTYPE_STATION:
+                il->staging.dev_type = RXON_DEV_TYPE_ESS;
+                il->staging.filter_flags = RXON_FILTER_ACCEPT_GRP_MSK;
+-       } else if (il->vif->type == NL80211_IFTYPE_ADHOC) {
++               break;
++       case NL80211_IFTYPE_ADHOC:
+                il->staging.dev_type = RXON_DEV_TYPE_IBSS;
+                il->staging.flags = RXON_FLG_SHORT_PREAMBLE_MSK;
+                il->staging.filter_flags =
+                    RXON_FILTER_BCON_AWARE_MSK | RXON_FILTER_ACCEPT_GRP_MSK;
+-       } else {
++               break;
++       default:
+                IL_ERR("Unsupported interface type %d\n", il->vif->type);
+                return;
+        }
+@@ -4550,8 +4554,7 @@ out:
+ EXPORT_SYMBOL(il_mac_add_interface);
+ 
+ static void
+-il_teardown_interface(struct il_priv *il, struct ieee80211_vif *vif,
+-                     bool mode_change)
++il_teardown_interface(struct il_priv *il, struct ieee80211_vif *vif)
+ {
+        lockdep_assert_held(&il->mutex);
+ 
+@@ -4560,9 +4563,7 @@ il_teardown_interface(struct il_priv *il, struct ieee80211_vif *vif,
+                il_force_scan_end(il);
+        }
+ 
+-       if (!mode_change)
+-               il_set_mode(il);
+-
++       il_set_mode(il);
+ }
+ 
+ void
+@@ -4575,8 +4576,8 @@ il_mac_remove_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+ 
+        WARN_ON(il->vif != vif);
+        il->vif = NULL;
+-
+-       il_teardown_interface(il, vif, false);
++       il->iw_mode = NL80211_IFTYPE_UNSPECIFIED;
++       il_teardown_interface(il, vif);
+        memset(il->bssid, 0, ETH_ALEN);
+ 
+        D_MAC80211("leave\n");
+@@ -4685,18 +4686,10 @@ il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+        }
+ 
+        /* success */
+-       il_teardown_interface(il, vif, true);
+        vif->type = newtype;
+        vif->p2p = false;
+-       err = il_set_mode(il);
+-       WARN_ON(err);
+-       /*
+-        * We've switched internally, but submitting to the
+-        * device may have failed for some reason. Mask this
+-        * error, because otherwise mac80211 will not switch
+-        * (and set the interface type back) and we'll be
+-        * out of sync with it.
+-        */
++       il->iw_mode = newtype;
++       il_teardown_interface(il, vif);
+        err = 0;
+ 
+ out:
+diff --git a/drivers/net/wireless/mwifiex/pcie.c b/drivers/net/wireless/mwifiex/pcie.c
+index 13fbc4e..b879e13 100644
+--- a/drivers/net/wireless/mwifiex/pcie.c
++++ b/drivers/net/wireless/mwifiex/pcie.c
+@@ -161,7 +161,7 @@ static int mwifiex_pcie_suspend(struct pci_dev *pdev, pm_message_t state)
+ 
+        if (pdev) {
+                card = (struct pcie_service_card *) pci_get_drvdata(pdev);
+-               if (!card || card->adapter) {
++               if (!card || !card->adapter) {
+                        pr_err("Card or adapter structure is not valid\n");
+                        return 0;
+                }
 diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
 index fb21360..8951285 100644
 --- a/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -4948,7 +5489,7 @@ index 68d4c10..f141b4f 100644
         g_lun0_dev = dev;
  
 diff --git a/drivers/target/target_core_fabric_configfs.c b/drivers/target/target_core_fabric_configfs.c
-index ea479e5..0bbcd35 100644
+index ea479e5..c0dd776 100644
 --- a/drivers/target/target_core_fabric_configfs.c
 +++ b/drivers/target/target_core_fabric_configfs.c
 @@ -72,6 +72,12 @@ static int target_fabric_mappedlun_link(
@@ -4964,19 +5505,18 @@ index ea479e5..0bbcd35 100644
         /*
          * Ensure that the source port exists
          */
-@@ -746,6 +752,12 @@ static int target_fabric_port_link(
-        struct target_fabric_configfs *tf;
-        int ret;
- 
+@@ -763,6 +769,11 @@ static int target_fabric_port_link(
+                ret = -ENODEV;
+                goto out;
+        }
 +       if (dev->dev_link_magic != SE_DEV_LINK_MAGIC) {
 +               pr_err("Bad dev->dev_link_magic, not a valid se_dev_ci pointer:"
 +                       " %p to struct se_device: %p\n", se_dev_ci, dev);
 +               return -EFAULT;
 +       }
-+
-        tpg_ci = &lun_ci->ci_parent->ci_group->cg_item;
-        se_tpg = container_of(to_config_group(tpg_ci),
-                                struct se_portal_group, tpg_group);
+ 
+        lun_p = core_dev_add_lun(se_tpg, dev, lun->unpacked_lun);
+        if (IS_ERR(lun_p)) {
 diff --git a/drivers/target/target_core_tpg.c b/drivers/target/target_core_tpg.c
 index b8628a5..8dfe6f5 100644
 --- a/drivers/target/target_core_tpg.c
@@ -6528,6 +7068,19 @@ index b982239..2f6212e 100644
         if (opt->osd_keepalive_timeout != CEPH_OSD_KEEPALIVE_DEFAULT)
                 seq_printf(m, ",osdkeepalivetimeout=%d",
                            opt->osd_keepalive_timeout);
+diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
+index ce5cbd7..210fce2 100644
+--- a/fs/cifs/cifs_dfs_ref.c
++++ b/fs/cifs/cifs_dfs_ref.c
+@@ -226,6 +226,8 @@ compose_mount_options_out:
+ compose_mount_options_err:
+        kfree(mountdata);
+        mountdata = ERR_PTR(rc);
++       kfree(*devname);
++       *devname = NULL;
+        goto compose_mount_options_out;
+ }
+ 
 diff --git a/fs/eventpoll.c b/fs/eventpoll.c
 index eedec84..3b032dd 100644
 --- a/fs/eventpoll.c
@@ -6873,6 +7426,42 @@ index 627f108..e210a66 100644
         } else
                 error = NFS_PROTO(dir)->remove(dir, &dentry->d_name);
         if (error == -ENOENT)
+diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
+index dd057bc..fc8dc20 100644
+--- a/fs/nfs/namespace.c
++++ b/fs/nfs/namespace.c
+@@ -177,11 +177,31 @@ out_nofree:
+        return mnt;
+ }
+ 
++static int
++nfs_namespace_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
++{
++       if (NFS_FH(dentry->d_inode)->size != 0)
++               return nfs_getattr(mnt, dentry, stat);
++       generic_fillattr(dentry->d_inode, stat);
++       return 0;
++}
++
++static int
++nfs_namespace_setattr(struct dentry *dentry, struct iattr *attr)
++{
++       if (NFS_FH(dentry->d_inode)->size != 0)
++               return nfs_setattr(dentry, attr);
++       return -EACCES;
++}
++
+ const struct inode_operations nfs_mountpoint_inode_operations = {
+        .getattr        = nfs_getattr,
++       .setattr        = nfs_setattr,
+ };
+ 
+ const struct inode_operations nfs_referral_inode_operations = {
++       .getattr        = nfs_namespace_getattr,
++       .setattr        = nfs_namespace_setattr,
+ };
+ 
+ static void nfs_expire_automounts(struct work_struct *work)
 diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
 index 7bff871..5e61aac 100644
 --- a/fs/nfs/nfs4proc.c
@@ -7132,6 +7721,23 @@ index aa23346..585ee1c 100644
  
         newblock = udf_get_pblock(inode->i_sb, newblocknum,
                                 iinfo->i_location.partitionReferenceNum, 0);
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index e562dd4..1236b8c 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -86,11 +86,11 @@ xfs_destroy_ioend(
+        }
+ 
+        if (ioend->io_iocb) {
++               inode_dio_done(ioend->io_inode);
+                if (ioend->io_isasync) {
+                        aio_complete(ioend->io_iocb, ioend->io_error ?
+                                        ioend->io_error : ioend->io_result, 0);
+                }
+-               inode_dio_done(ioend->io_inode);
+        }
+ 
+        mempool_free(ioend, xfs_ioend_pool);
 diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h
 index ed6642a..25f01d0 100644
 --- a/include/asm-generic/tlb.h
@@ -7638,6 +8244,58 @@ index be4f856..67b64be 100644
                 __set_current_state(TASK_RUNNING);
                 if (clear_code)
                         current->exit_code = 0;
+diff --git a/kernel/smp.c b/kernel/smp.c
+index 29dd40a..69f38bd 100644
+--- a/kernel/smp.c
++++ b/kernel/smp.c
+@@ -33,6 +33,7 @@ struct call_function_data {
+        struct call_single_data csd;
+        atomic_t                refs;
+        cpumask_var_t           cpumask;
++       cpumask_var_t           cpumask_ipi;
+ };
+ 
+ static DEFINE_PER_CPU_SHARED_ALIGNED(struct call_function_data, cfd_data);
+@@ -56,6 +57,9 @@ hotplug_cfd(struct notifier_block *nfb, unsigned long action, void *hcpu)
+                if (!zalloc_cpumask_var_node(&cfd->cpumask, GFP_KERNEL,
+                                cpu_to_node(cpu)))
+                        return notifier_from_errno(-ENOMEM);
++               if (!zalloc_cpumask_var_node(&cfd->cpumask_ipi, GFP_KERNEL,
++                               cpu_to_node(cpu)))
++                       return notifier_from_errno(-ENOMEM);
+                break;
+ 
+ #ifdef CONFIG_HOTPLUG_CPU
+@@ -65,6 +69,7 @@ hotplug_cfd(struct notifier_block *nfb, unsigned long action, void *hcpu)
+        case CPU_DEAD:
+        case CPU_DEAD_FROZEN:
+                free_cpumask_var(cfd->cpumask);
++               free_cpumask_var(cfd->cpumask_ipi);
+                break;
+ #endif
+        };
+@@ -526,6 +531,12 @@ void smp_call_function_many(const struct cpumask *mask,
+                return;
+        }
+ 
++       /*
++        * After we put an entry into the list, data->cpumask
++        * may be cleared again when another CPU sends another IPI for
++        * a SMP function call, so data->cpumask will be zero.
++        */
++       cpumask_copy(data->cpumask_ipi, data->cpumask);
+        raw_spin_lock_irqsave(&call_function.lock, flags);
+        /*
+         * Place entry at the _HEAD_ of the list, so that any cpu still
+@@ -549,7 +560,7 @@ void smp_call_function_many(const struct cpumask *mask,
+        smp_mb();
+ 
+        /* Send a message to all CPUs in the map */
+-       arch_send_call_function_ipi_mask(data->cpumask);
++       arch_send_call_function_ipi_mask(data->cpumask_ipi);
+ 
+        /* Optionally wait for the CPUs to complete */
+        if (wait)
 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
 index 781ecc2..7f8a8df 100644
 --- a/kernel/trace/ftrace.c
@@ -7956,6 +8614,32 @@ index 0b997c8..aeb0962 100644
         if (!test_bit(HCI_INIT, &hdev->flags) &&
             !test_bit(HCI_SETUP, &hdev->dev_flags)) {
                 hci_dev_lock(hdev);
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 715d7e3..67d1893 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2387,7 +2387,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
+        if (ev->opcode != HCI_OP_NOP)
+                del_timer(&hdev->cmd_timer);
+ 
+-       if (ev->ncmd) {
++       if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
+                atomic_set(&hdev->cmd_cnt, 1);
+                if (!skb_queue_empty(&hdev->cmd_q))
+                        queue_work(hdev->workqueue, &hdev->cmd_work);
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index ccd985d..03652f3 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -931,7 +931,7 @@ static int hidp_setup_hid(struct hidp_session *session,
+        hid->version = req->version;
+        hid->country = req->country;
+ 
+-       strncpy(hid->name, req->name, 128);
++       strncpy(hid->name, req->name, sizeof(req->name) - 1);
+        strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
+        strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
+ 
 diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
 index 1a17850..32893a0 100644
 --- a/net/bluetooth/rfcomm/sock.c
@@ -8712,6 +9396,29 @@ index 7e32d42..8b45fb4 100644
                 goto out;
         }
         __inet6_hash(newsk, NULL);
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index a58c0b6..f985911 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -151,7 +151,17 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
+                        sta = sta_info_get(sdata, mac_addr);
+                else
+                        sta = sta_info_get_bss(sdata, mac_addr);
+-               if (!sta) {
++               /*
++                * The ASSOC test makes sure the driver is ready to
++                * receive the key. When wpa_supplicant has roamed
++                * using FT, it attempts to set the key before
++                * association has completed, this rejects that attempt
++                * so it will set the key again after assocation.
++                *
++                * TODO: accept the key if we have a station entry and
++                *       add it to the device after the station.
++                */
++               if (!sta || !test_sta_flag(sta, WLAN_STA_ASSOC)) {
+                        ieee80211_key_free(sdata->local, key);
+                        err = -ENOENT;
+                        goto out_unlock;
 diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
 index a5894dd..c55eacc 100644
 --- a/net/mac80211/ibss.c
@@ -8740,7 +9447,7 @@ index a5894dd..c55eacc 100644
                 int interval = IEEE80211_SCAN_INTERVAL;
  
 diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 642a2a3..19d4ec3 100644
+index 642a2a3..fcab057 100644
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
 @@ -1239,9 +1239,9 @@ void ieee80211_mesh_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
@@ -8756,11 +9463,125 @@ index 642a2a3..19d4ec3 100644
  int ieee80211_request_scan(struct ieee80211_sub_if_data *sdata,
                            struct cfg80211_scan_request *req);
  void ieee80211_scan_cancel(struct ieee80211_local *local);
+@@ -1267,10 +1267,8 @@ int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata);
+ void ieee80211_sched_scan_stopped_work(struct work_struct *work);
+ 
+ /* off-channel helpers */
+-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+-                                   bool offchannel_ps_enable);
+-void ieee80211_offchannel_return(struct ieee80211_local *local,
+-                                bool offchannel_ps_disable);
++void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local);
++void ieee80211_offchannel_return(struct ieee80211_local *local);
+ void ieee80211_roc_setup(struct ieee80211_local *local);
+ void ieee80211_start_next_roc(struct ieee80211_local *local);
+ void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata);
+diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
+index 2138dc3..37e3028 100644
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -102,8 +102,7 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
+        ieee80211_sta_reset_conn_monitor(sdata);
+ }
+ 
+-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+-                                   bool offchannel_ps_enable)
++void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local)
+ {
+        struct ieee80211_sub_if_data *sdata;
+ 
+@@ -128,8 +127,7 @@ void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+ 
+                if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
+                        netif_tx_stop_all_queues(sdata->dev);
+-                       if (offchannel_ps_enable &&
+-                           (sdata->vif.type == NL80211_IFTYPE_STATION) &&
++                       if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+                            sdata->u.mgd.associated)
+                                ieee80211_offchannel_ps_enable(sdata);
+                }
+@@ -137,8 +135,7 @@ void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+        mutex_unlock(&local->iflist_mtx);
+ }
+ 
+-void ieee80211_offchannel_return(struct ieee80211_local *local,
+-                                bool offchannel_ps_disable)
++void ieee80211_offchannel_return(struct ieee80211_local *local)
+ {
+        struct ieee80211_sub_if_data *sdata;
+ 
+@@ -151,11 +148,9 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
+                        continue;
+ 
+                /* Tell AP we're back */
+-               if (offchannel_ps_disable &&
+-                   sdata->vif.type == NL80211_IFTYPE_STATION) {
+-                       if (sdata->u.mgd.associated)
+-                               ieee80211_offchannel_ps_disable(sdata);
+-               }
++               if (sdata->vif.type == NL80211_IFTYPE_STATION &&
++                   sdata->u.mgd.associated)
++                       ieee80211_offchannel_ps_disable(sdata);
+ 
+                if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
+                        /*
+@@ -376,7 +371,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
+                        local->tmp_channel = NULL;
+                        ieee80211_hw_config(local, 0);
+ 
+-                       ieee80211_offchannel_return(local, true);
++                       ieee80211_offchannel_return(local);
+                }
+ 
+                ieee80211_recalc_idle(local);
 diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
-index 839dd97..09fc38d 100644
+index 839dd97..8719635 100644
 --- a/net/mac80211/scan.c
 +++ b/net/mac80211/scan.c
-@@ -819,9 +819,9 @@ int ieee80211_request_scan(struct ieee80211_sub_if_data *sdata,
+@@ -310,7 +310,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
+        if (!was_hw_scan) {
+                ieee80211_configure_filter(local);
+                drv_sw_scan_complete(local);
+-               ieee80211_offchannel_return(local, true);
++               ieee80211_offchannel_return(local);
+        }
+ 
+        ieee80211_recalc_idle(local);
+@@ -355,7 +355,7 @@ static int ieee80211_start_sw_scan(struct ieee80211_local *local)
+        local->next_scan_state = SCAN_DECISION;
+        local->scan_channel_idx = 0;
+ 
+-       ieee80211_offchannel_stop_vifs(local, true);
++       ieee80211_offchannel_stop_vifs(local);
+ 
+        ieee80211_configure_filter(local);
+ 
+@@ -680,12 +680,8 @@ static void ieee80211_scan_state_suspend(struct ieee80211_local *local,
+        local->scan_channel = NULL;
+        ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+ 
+-       /*
+-        * Re-enable vifs and beaconing.  Leave PS
+-        * in off-channel state..will put that back
+-        * on-channel at the end of scanning.
+-        */
+-       ieee80211_offchannel_return(local, false);
++       /* disable PS */
++       ieee80211_offchannel_return(local);
+ 
+        *next_delay = HZ / 5;
+        /* afterwards, resume scan & go to next channel */
+@@ -695,8 +691,7 @@ static void ieee80211_scan_state_suspend(struct ieee80211_local *local,
+ static void ieee80211_scan_state_resume(struct ieee80211_local *local,
+                                        unsigned long *next_delay)
+ {
+-       /* PS already is in off-channel mode */
+-       ieee80211_offchannel_stop_vifs(local, false);
++       ieee80211_offchannel_stop_vifs(local);
+ 
+        if (local->ops->flush) {
+                drv_flush(local, false);
+@@ -819,9 +814,9 @@ int ieee80211_request_scan(struct ieee80211_sub_if_data *sdata,
         return res;
  }
  
@@ -8773,7 +9594,7 @@ index 839dd97..09fc38d 100644
  {
         struct ieee80211_local *local = sdata->local;
         int ret = -EBUSY;
-@@ -835,22 +835,36 @@ int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata,
+@@ -835,22 +830,36 @@ int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata,
  
         /* fill internal scan request */
         if (!chan) {
@@ -9043,10 +9864,18 @@ index 48d7c0a..bd3ba88 100644
         free_irq(IRQ_AC97, NULL);
         if (ac97conf_clk) {
 diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index e1b7061..31ac338 100644
+index e1b7061..c6646d9 100644
 --- a/sound/pci/hda/patch_realtek.c
 +++ b/sound/pci/hda/patch_realtek.c
-@@ -6562,8 +6562,8 @@ static void alc861vd_fixup_dallas(struct hda_codec *codec,
+@@ -4719,6 +4719,7 @@ static const struct snd_pci_quirk alc880_fixup_tbl[] = {
+        SND_PCI_QUIRK(0x1584, 0x9077, "Uniwill P53", ALC880_FIXUP_VOL_KNOB),
+        SND_PCI_QUIRK(0x161f, 0x203d, "W810", ALC880_FIXUP_W810),
+        SND_PCI_QUIRK(0x161f, 0x205d, "Medion Rim 2150", ALC880_FIXUP_MEDION_RIM),
++       SND_PCI_QUIRK(0x1631, 0xe011, "PB 13201056", ALC880_FIXUP_6ST),
+        SND_PCI_QUIRK(0x1734, 0x107c, "FSC F1734", ALC880_FIXUP_F1734),
+        SND_PCI_QUIRK(0x1734, 0x1094, "FSC Amilo M1451G", ALC880_FIXUP_FUJITSU),
+        SND_PCI_QUIRK(0x1734, 0x10ac, "FSC AMILO Xi 1526", ALC880_FIXUP_F1734),
+@@ -6562,8 +6563,8 @@ static void alc861vd_fixup_dallas(struct hda_codec *codec,
                                   const struct alc_fixup *fix, int action)
  {
         if (action == ALC_FIXUP_ACT_PRE_PROBE) {
@@ -9100,10 +9929,27 @@ index a3acb7a..6275a2b 100644
  
         wm2000_write(i2c, WM2000_REG_SYS_START0, 0x33);
 diff --git a/sound/soc/codecs/wm2200.c b/sound/soc/codecs/wm2200.c
-index c8bff6d..86b84a1 100644
+index c8bff6d..8e0cf14 100644
 --- a/sound/soc/codecs/wm2200.c
 +++ b/sound/soc/codecs/wm2200.c
-@@ -1380,15 +1380,9 @@ static int wm2200_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+@@ -897,8 +897,6 @@ static const char *wm2200_mixer_texts[] = {
+        "EQR",
+        "LHPF1",
+        "LHPF2",
+-       "LHPF3",
+-       "LHPF4",
+        "DSP1.1",
+        "DSP1.2",
+        "DSP1.3",
+@@ -931,7 +929,6 @@ static int wm2200_mixer_values[] = {
+        0x25,
+        0x50,   /* EQ */
+        0x51,
+-       0x52,
+        0x60,   /* LHPF1 */
+        0x61,   /* LHPF2 */
+        0x68,   /* DSP1 */
+@@ -1380,15 +1377,9 @@ static int wm2200_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
         case SND_SOC_DAIFMT_DSP_A:
                 fmt_val = 0;
                 break;
@@ -9119,7 +9965,7 @@ index c8bff6d..86b84a1 100644
         default:
                 dev_err(codec->dev, "Unsupported DAI format %d\n",
                         fmt & SND_SOC_DAIFMT_FORMAT_MASK);
-@@ -1440,7 +1434,7 @@ static int wm2200_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+@@ -1440,7 +1431,7 @@ static int wm2200_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
                             WM2200_AIF1TX_LRCLK_MSTR | WM2200_AIF1TX_LRCLK_INV,
                             lrclk);
         snd_soc_update_bits(codec, WM2200_AUDIO_IF_1_5,
@@ -9362,6 +10208,39 @@ index eeefbce..34b9bb7 100644
         return 0;
  }
  
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index 298070e..41e8bfb 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1259,16 +1259,23 @@ static int parse_audio_feature_unit(struct mixer_build *state, int unitid, void
+                }
+                channels = (hdr->bLength - 7) / csize - 1;
+                bmaControls = hdr->bmaControls;
++               if (hdr->bLength < 7 + csize) {
++                       snd_printk(KERN_ERR "usbaudio: unit %u: "
++                                  "invalid UAC_FEATURE_UNIT descriptor\n",
++                                  unitid);
++                       return -EINVAL;
++               }
+        } else {
+                struct uac2_feature_unit_descriptor *ftr = _ftr;
+                csize = 4;
+                channels = (hdr->bLength - 6) / 4 - 1;
+                bmaControls = ftr->bmaControls;
+-       }
+-
+-       if (hdr->bLength < 7 || !csize || hdr->bLength < 7 + csize) {
+-               snd_printk(KERN_ERR "usbaudio: unit %u: invalid UAC_FEATURE_UNIT descriptor\n", unitid);
+-               return -EINVAL;
++               if (hdr->bLength < 6 + csize) {
++                       snd_printk(KERN_ERR "usbaudio: unit %u: "
++                                  "invalid UAC_FEATURE_UNIT descriptor\n",
++                                  unitid);
++                       return -EINVAL;
++               }
+        }
+ 
+        /* parse the source unit */
 diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
 index 0f58b4b..b8d1ad1 100644
 --- a/sound/usb/quirks.c