diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 4a8116547873f960bd2b5c8caa795aab3ec03a4b..333458ca1bdd2f2f57945906b7bd6ce74cf5b455 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1511,9 +1511,8 @@ out:
 	return err;
 }
 
-static void lo_release(struct gendisk *disk, fmode_t mode)
+static void __lo_release(struct loop_device *lo)
 {
-	struct loop_device *lo = disk->private_data;
 	int err;
 
 	mutex_lock(&lo->lo_ctl_mutex);
@@ -1541,6 +1540,13 @@ out:
 	mutex_unlock(&lo->lo_ctl_mutex);
 }
 
+static void lo_release(struct gendisk *disk, fmode_t mode)
+{
+	mutex_lock(&loop_index_mutex);
+	__lo_release(disk->private_data);
+	mutex_unlock(&loop_index_mutex);
+}
+
 static const struct block_device_operations lo_fops = {
 	.owner =	THIS_MODULE,
 	.open =		lo_open,
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
index 29e01ab6859f2ef56aa861a7444e304e93702776..89a77018eeec11c9b8f6b60515781a5120447eb3 100644
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -232,13 +232,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
 
 	/* Walk  this report and pull out the info we need */
 	while (i < length) {
-		prefix = report[i];
-
-		/* Skip over prefix */
-		i++;
+		prefix = report[i++];
 
 		/* Determine data size and save the data in the proper variable */
-		size = PREF_SIZE(prefix);
+		size = (1U << PREF_SIZE(prefix)) >> 1;
+		if (i + size > length) {
+			dev_err(ddev,
+				"Not enough data (need %d, have %d)\n",
+				i + size, length);
+			break;
+		}
+
 		switch (size) {
 		case 1:
 			data = report[i];
@@ -246,8 +250,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
 		case 2:
 			data16 = get_unaligned_le16(&report[i]);
 			break;
-		case 3:
-			size = 4;
+		case 4:
 			data32 = get_unaligned_le32(&report[i]);
 			break;
 		}
diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
old mode 100755
new mode 100644
index 5b077c9195a71b0ecdb0b17d323613888fbe518e..b79540f477ccd4ad77ab455c95b5679fd97d3a6e
--- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2015, 2018 The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -52,6 +52,11 @@ static int32_t msm_actuator_piezo_set_default_focus(
 	struct msm_camera_i2c_reg_setting reg_setting;
 	CDBG("Enter\n");
 
+	if (a_ctrl->i2c_reg_tbl == NULL) {
+		pr_err("failed. i2c reg tabl is NULL");
+		return -EFAULT;
+	}
+
 	if (a_ctrl->curr_step_pos != 0) {
 		a_ctrl->i2c_tbl_index = 0;
 		a_ctrl->func_tbl->actuator_parse_i2c_params(a_ctrl,
@@ -79,13 +84,25 @@ static int32_t msm_actuator_piezo_set_default_focus(
 static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
 	int16_t next_lens_position, uint32_t hw_params, uint16_t delay)
 {
-	struct msm_actuator_reg_params_t *write_arr = a_ctrl->reg_tbl;
+	struct msm_actuator_reg_params_t *write_arr = NULL;
 	uint32_t hw_dword = hw_params;
 	uint16_t i2c_byte1 = 0, i2c_byte2 = 0;
 	uint16_t value = 0;
-	uint32_t size = a_ctrl->reg_tbl_size, i = 0;
-	struct msm_camera_i2c_reg_array *i2c_tbl = a_ctrl->i2c_reg_tbl;
+	uint32_t size = 0, i = 0;
+	struct msm_camera_i2c_reg_array *i2c_tbl = NULL;
 	CDBG("Enter\n");
+
+	if ((!a_ctrl) ||
+		(!a_ctrl->reg_tbl) ||
+		(!a_ctrl->i2c_reg_tbl)) {
+		pr_err("failed. NULL actuator pointers");
+		return;
+	}
+
+	size = a_ctrl->reg_tbl_size;
+	write_arr = a_ctrl->reg_tbl;
+	i2c_tbl = a_ctrl->i2c_reg_tbl;
+
 	for (i = 0; i < size; i++) {
 		if (write_arr[i].reg_write_type == MSM_ACTUATOR_WRITE_DAC) {
 			value = (next_lens_position <<
@@ -513,6 +530,17 @@ static int32_t msm_actuator_piezo_move_focus(
 		return -EFAULT;
 	}
 
+	if (a_ctrl->i2c_reg_tbl == NULL) {
+		pr_err("failed. i2c reg tabl is NULL");
+		return -EFAULT;
+	}
+
+	if (dest_step_position > a_ctrl->total_steps) {
+		pr_err("Step pos greater than total steps = %d\n",
+			dest_step_position);
+		return -EFAULT;
+	}
+
 	a_ctrl->i2c_tbl_index = 0;
 	a_ctrl->func_tbl->actuator_parse_i2c_params(a_ctrl,
 		(num_steps *
@@ -577,6 +605,10 @@ static int32_t msm_actuator_move_focus(
 		pr_err("Invalid direction = %d\n", dir);
 		return -EFAULT;
 	}
+	if (a_ctrl->i2c_reg_tbl == NULL) {
+		pr_err("failed. i2c reg tabl is NULL");
+		return -EFAULT;
+	}
 	if (dest_step_pos > a_ctrl->total_steps) {
 		pr_err("Step pos greater than total steps = %d\n",
 		dest_step_pos);
@@ -588,6 +620,8 @@ static int32_t msm_actuator_move_focus(
 		a_ctrl->curr_step_pos, dest_step_pos, curr_lens_pos);
 
 	while (a_ctrl->curr_step_pos != dest_step_pos) {
+		if (a_ctrl->curr_region_index >= a_ctrl->region_size)
+			break;
 		step_boundary =
 			a_ctrl->region_params[a_ctrl->curr_region_index].
 			step_bound[dir];
@@ -678,6 +712,10 @@ static int32_t msm_actuator_bivcm_move_focus(
 		pr_err("Invalid direction = %d\n", dir);
 		return -EFAULT;
 	}
+	if (a_ctrl->i2c_reg_tbl == NULL) {
+		pr_err("failed. i2c reg tabl is NULL");
+		return -EFAULT;
+	}
 	if (dest_step_pos > a_ctrl->total_steps) {
 		pr_err("Step pos greater than total steps = %d\n",
 		dest_step_pos);
@@ -689,6 +727,8 @@ static int32_t msm_actuator_bivcm_move_focus(
 		a_ctrl->curr_step_pos, dest_step_pos, curr_lens_pos);
 
 	while (a_ctrl->curr_step_pos != dest_step_pos) {
+		if (a_ctrl->curr_region_index >= a_ctrl->region_size)
+			break;
 		step_boundary =
 			a_ctrl->region_params[a_ctrl->curr_region_index].
 			step_bound[dir];
@@ -1076,6 +1116,18 @@ static int32_t msm_actuator_set_position(
 		return -EFAULT;
 	}
 
+	if (!a_ctrl || !a_ctrl->func_tbl ||
+		!a_ctrl->func_tbl->actuator_parse_i2c_params ||
+		!a_ctrl->i2c_reg_tbl) {
+		pr_err("failed. NULL actuator pointers.");
+		return -EFAULT;
+	}
+
+	if (a_ctrl->actuator_state != ACT_OPS_ACTIVE) {
+		pr_err("failed. Invalid actuator state.");
+		return -EFAULT;
+	}
+
 	a_ctrl->i2c_tbl_index = 0;
 	for (index = 0; index < set_pos->number_of_steps; index++) {
 		next_lens_position = set_pos->pos[index];
@@ -1165,13 +1217,13 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,
 
 	a_ctrl->region_size = set_info->af_tuning_params.region_size;
 	a_ctrl->pwd_step = set_info->af_tuning_params.pwd_step;
-	a_ctrl->total_steps = set_info->af_tuning_params.total_steps;
 
 	if (copy_from_user(&a_ctrl->region_params,
 		(void *)set_info->af_tuning_params.region_params,
-		a_ctrl->region_size * sizeof(struct region_params_t)))
+		a_ctrl->region_size * sizeof(struct region_params_t))) {
+		pr_err("Error copying region_params\n");
 		return -EFAULT;
-
+	}
 	if (a_ctrl->act_device_type == MSM_CAMERA_PLATFORM_DEVICE) {
 		cci_client = a_ctrl->i2c_client.cci_client;
 		cci_client->sid =
@@ -1199,6 +1251,7 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,
 		(a_ctrl->i2c_reg_tbl != NULL)) {
 		kfree(a_ctrl->i2c_reg_tbl);
 	}
+
 	a_ctrl->i2c_reg_tbl = NULL;
 	a_ctrl->i2c_reg_tbl =
 		kzalloc(sizeof(struct msm_camera_i2c_reg_array) *
@@ -1208,6 +1261,8 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,
 		return -ENOMEM;
 	}
 
+	a_ctrl->total_steps = set_info->af_tuning_params.total_steps;
+
 	if (copy_from_user(&a_ctrl->reg_tbl,
 		(void *)set_info->actuator_params.reg_tbl_params,
 		a_ctrl->reg_tbl_size *
diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
index abda82a7f8c072c65716ec2a42166df906ec7ae3..42f4a67fc5330b79fec09f64414f07387c5f8ca0 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
@@ -189,7 +189,6 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
 			pr_err("%s: Read buffer Allocation failed rc = %d\n",
 				__func__, rc);
 			rc = -ENOMEM;
-			mutex_unlock(&effects->lock);
 			goto readbuf_fail;
 		}
 		atomic_set(&effects->out_count, effects->config.output.num_buf);
@@ -204,7 +203,6 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
 		if (rc < 0) {
 			pr_err("%s: pcm read block config failed\n", __func__);
 			rc = -EINVAL;
-			mutex_unlock(&effects->lock);
 			goto cfg_fail;
 		}
 		pr_debug("%s: dec: sample_rate: %d, num_channels: %d, bit_width: %d\n",
@@ -219,7 +217,6 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
 			pr_err("%s: pcm write format block config failed\n",
 				__func__);
 			rc = -EINVAL;
-			mutex_unlock(&effects->lock);
 			goto cfg_fail;
 		}
 
@@ -353,6 +350,7 @@ ioctl_fail:
 readbuf_fail:
 	q6asm_audio_client_buf_free_contiguous(IN,
 					effects->ac);
+	mutex_unlock(&effects->lock);
 	return rc;
 cfg_fail:
 	q6asm_audio_client_buf_free_contiguous(IN,
@@ -360,6 +358,7 @@ cfg_fail:
 	q6asm_audio_client_buf_free_contiguous(OUT,
 					effects->ac);
 	effects->buf_alloc = 0;
+	mutex_unlock(&effects->lock);
 	return rc;
 }
 
diff --git a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
index 87e28bfddc696d415c92dee59b16b259419ad196..5c613eeb7f118994a65597ba79fdb21052a51677 100644
--- a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
+++ b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
@@ -27,6 +27,7 @@ struct msm_bus_floor_client_type {
 };
 
 static struct class *bus_floor_class;
+static DEFINE_RT_MUTEX(msm_bus_floor_vote_lock);
 #define MAX_VOTER_NAME	(50)
 #define DEFAULT_NODE_WIDTH	(8)
 #define DBG_NAME(s)	(strnstr(s, "-", 7) + 1)
@@ -64,18 +65,22 @@ static ssize_t bus_floor_active_only_store(struct device *dev,
 {
 	struct msm_bus_floor_client_type *cl;
 
+	rt_mutex_lock(&msm_bus_floor_vote_lock);
 	cl = dev_get_drvdata(dev);
 
 	if (!cl) {
 		pr_err("%s: Can't find cl", __func__);
+		rt_mutex_unlock(&msm_bus_floor_vote_lock);
 		return 0;
 	}
 
 	if (sscanf(buf, "%d", &cl->active_only) != 1) {
 		pr_err("%s:return error", __func__);
+		rt_mutex_unlock(&msm_bus_floor_vote_lock);
 		return -EINVAL;
 	}
 
+	rt_mutex_unlock(&msm_bus_floor_vote_lock);
 	return n;
 }
 
@@ -100,20 +105,24 @@ static ssize_t bus_floor_vote_store(struct device *dev,
 	struct msm_bus_floor_client_type *cl;
 	int ret = 0;
 
+	rt_mutex_lock(&msm_bus_floor_vote_lock);
 	cl = dev_get_drvdata(dev);
 
 	if (!cl) {
 		pr_err("%s: Can't find cl", __func__);
+		rt_mutex_unlock(&msm_bus_floor_vote_lock);
 		return 0;
 	}
 
 	if (sscanf(buf, "%llu", &cl->cur_vote_hz) != 1) {
 		pr_err("%s:return error", __func__);
+		rt_mutex_unlock(&msm_bus_floor_vote_lock);
 		return -EINVAL;
 	}
 
 	ret = msm_bus_floor_vote_context(dev_name(dev), cl->cur_vote_hz,
 					cl->active_only);
+	rt_mutex_unlock(&msm_bus_floor_vote_lock);
 	return n;
 }
 
@@ -126,15 +135,18 @@ static ssize_t bus_floor_vote_store_api(struct device *dev,
 	char name[10];
 	u64 vote_khz = 0;
 
+	rt_mutex_lock(&msm_bus_floor_vote_lock);
 	cl = dev_get_drvdata(dev);
 
 	if (!cl) {
 		pr_err("%s: Can't find cl", __func__);
+		rt_mutex_unlock(&msm_bus_floor_vote_lock);
 		return 0;
 	}
 
 	if (sscanf(buf, "%9s %llu", name, &vote_khz) != 2) {
 		pr_err("%s:return error", __func__);
+		rt_mutex_unlock(&msm_bus_floor_vote_lock);
 		return -EINVAL;
 	}
 	name[9] = '\0';
@@ -143,6 +155,7 @@ static ssize_t bus_floor_vote_store_api(struct device *dev,
 			__func__, name, vote_khz);
 
 	ret = msm_bus_floor_vote(name, vote_khz);
+	rt_mutex_unlock(&msm_bus_floor_vote_lock);
 	return n;
 }
 
diff --git a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/HTT/htt.h b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/HTT/htt.h
index c608cf59413af2832bbfe6bfc1eae105b0ad9834..129443fe84b2978f86b8170ed09ddd76687ef37f 100644
--- a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/HTT/htt.h
+++ b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/HTT/htt.h
@@ -6315,6 +6315,9 @@ PREPACK struct htt_txq_group {
 #define HTT_TX_COMPL_IND_APPEND_GET(_info)                             \
     (((_info) & HTT_TX_COMPL_IND_APPEND_M) >> HTT_TX_COMPL_IND_APPEND_S)
 
+#define HTT_TX_COMPL_HEAD_SZ                4
+#define HTT_TX_COMPL_BYTES_PER_MSDU_ID      2
+
 #define HTT_TX_COMPL_CTXT_SZ                sizeof(A_UINT16)
 #define HTT_TX_COMPL_CTXT_NUM(_bytes)       ((_bytes) >> 1)
 
diff --git a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/HTT/htt_t2h.c b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/HTT/htt_t2h.c
index e09636ad49fbfdc230e6c4b162895f6713c0e7f3..0c74af80d90096807e6816ab0a4c4b7b709adeab 100644
--- a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/HTT/htt_t2h.c
+++ b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/HTT/htt_t2h.c
@@ -613,10 +613,26 @@ if (adf_os_unlikely(pdev->rx_ring.rx_reset)) {
         {
             int num_msdus;
             enum htt_tx_status status;
+            int msg_len = adf_nbuf_len(htt_t2h_msg);
 
             /* status - no enum translation needed */
             status = HTT_TX_COMPL_IND_STATUS_GET(*msg_word);
             num_msdus = HTT_TX_COMPL_IND_NUM_GET(*msg_word);
+
+            /*
+             * each desc id will occupy 2 bytes.
+             * the 4 is for htt msg header
+             */
+            if ((num_msdus * HTT_TX_COMPL_BYTES_PER_MSDU_ID +
+                HTT_TX_COMPL_HEAD_SZ) > msg_len) {
+                adf_os_print("%s: num_msdus(%d) is invalid,"
+                            "adf_nbuf_len = %d\n",
+                            __FUNCTION__,
+                            num_msdus,
+                            msg_len);
+                break;
+            }
+
             if (num_msdus & 0x1) {
                 struct htt_tx_compl_ind_base *compl = (void *)msg_word;
 
@@ -685,8 +701,23 @@ if (adf_os_unlikely(pdev->rx_ring.rx_reset)) {
     case HTT_T2H_MSG_TYPE_TX_INSPECT_IND:
         {
             int num_msdus;
+            int msg_len = adf_nbuf_len(htt_t2h_msg);
 
             num_msdus = HTT_TX_COMPL_IND_NUM_GET(*msg_word);
+            /*
+             * each desc id will occupy 2 bytes.
+             * the 4 is for htt msg header
+             */
+            if ((num_msdus * HTT_TX_COMPL_BYTES_PER_MSDU_ID +
+                HTT_TX_COMPL_HEAD_SZ) > msg_len) {
+                adf_os_print("%s: num_msdus(%d) is invalid,"
+                            "adf_nbuf_len = %d,inspect\n",
+                            __FUNCTION__,
+                            num_msdus,
+                            msg_len);
+                break;
+            }
+
             if (num_msdus & 0x1) {
                 struct htt_tx_compl_ind_base *compl = (void *)msg_word;
 
diff --git a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_txrx.c b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_txrx.c
index 8b35aa45abcd23bc72c4a412269738eae7e66a11..94068d59fcb022ebfde7c466ba7dded12598eb68 100644
--- a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_txrx.c
+++ b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_txrx.c
@@ -375,6 +375,9 @@ ol_txrx_pdev_attach(
     TXRX_STATS_INIT(pdev);
 
     TAILQ_INIT(&pdev->vdev_list);
+    TAILQ_INIT(&pdev->req_list);
+    pdev->req_list_depth = 0;
+    adf_os_spinlock_init(&pdev->req_list_spinlock);
 
     /* do initial set up of the peer ID -> peer object lookup map */
     if (ol_txrx_peer_find_attach(pdev)) {
@@ -901,8 +904,9 @@ A_STATUS ol_txrx_pdev_attach_target(ol_txrx_pdev_handle pdev)
 void
 ol_txrx_pdev_detach(ol_txrx_pdev_handle pdev, int force)
 {
-    int i;
+    int i = 0;
     unsigned int page_idx;
+    struct ol_txrx_stats_req_internal *req;
 
     /*checking to ensure txrx pdev structure is not NULL */
     if (!pdev) {
@@ -915,6 +919,30 @@ ol_txrx_pdev_detach(ol_txrx_pdev_handle pdev, int force)
     /* check that the pdev has no vdevs allocated */
     TXRX_ASSERT1(TAILQ_EMPTY(&pdev->vdev_list));
 
+    adf_os_spin_lock_bh(&pdev->req_list_spinlock);
+    if (pdev->req_list_depth > 0)
+        TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+            "Warning: the txrx req list is not empty, depth=%d\n",
+            pdev->req_list_depth
+            );
+    TAILQ_FOREACH(req, &pdev->req_list, req_list_elem) {
+        TAILQ_REMOVE(&pdev->req_list, req, req_list_elem);
+        pdev->req_list_depth--;
+        TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+            "%d: %p,verbose(%d), concise(%d), up_m(0x%x), reset_m(0x%x)\n",
+            i++,
+            req,
+            req->base.print.verbose,
+            req->base.print.concise,
+            req->base.stats_type_upload_mask,
+            req->base.stats_type_reset_mask
+            );
+        adf_os_mem_free(req);
+    }
+    adf_os_spin_unlock_bh(&pdev->req_list_spinlock);
+
+    adf_os_spinlock_destroy(&pdev->req_list_spinlock);
+
     OL_RX_REORDER_TIMEOUT_CLEANUP(pdev);
 
     if (ol_cfg_is_high_latency(pdev->ctrl_pdev)) {
@@ -1977,12 +2005,6 @@ void ol_txrx_print_level_set(unsigned level)
 #endif
 }
 
-struct ol_txrx_stats_req_internal {
-    struct ol_txrx_stats_req base;
-    int serviced; /* state of this request */
-    int offset;
-};
-
 static inline
 u_int64_t OL_TXRX_STATS_PTR_TO_U64(struct ol_txrx_stats_req_internal *req)
 {
@@ -2044,6 +2066,11 @@ ol_txrx_fw_stats_get(
     /* use the non-volatile request object's address as the cookie */
     cookie = OL_TXRX_STATS_PTR_TO_U64(non_volatile_req);
 
+    adf_os_spin_lock_bh(&pdev->req_list_spinlock);
+    TAILQ_INSERT_TAIL(&pdev->req_list, non_volatile_req, req_list_elem);
+    pdev->req_list_depth++;
+    adf_os_spin_unlock_bh(&pdev->req_list_spinlock);
+
     if (htt_h2t_dbg_stats_get(
             pdev->htt_pdev,
             req->stats_type_upload_mask,
@@ -2051,14 +2078,15 @@ ol_txrx_fw_stats_get(
             HTT_H2T_STATS_REQ_CFG_STAT_TYPE_INVALID, 0,
             cookie))
     {
+        adf_os_spin_lock_bh(&pdev->req_list_spinlock);
+        TAILQ_REMOVE(&pdev->req_list, non_volatile_req, req_list_elem);
+        pdev->req_list_depth--;
+        adf_os_spin_unlock_bh(&pdev->req_list_spinlock);
+
         adf_os_mem_free(non_volatile_req);
         return A_ERROR;
     }
 
-    if (req->wait.blocking) {
-        while (adf_os_mutex_acquire(pdev->osdev, req->wait.sem_ptr)) {}
-    }
-
     return A_OK;
 }
 #endif
@@ -2072,11 +2100,27 @@ ol_txrx_fw_stats_handler(
     enum htt_dbg_stats_status status;
     int length;
     u_int8_t *stats_data;
-    struct ol_txrx_stats_req_internal *req;
+    struct ol_txrx_stats_req_internal *req, *tmp;
     int more = 0;
+    int found = 0;
 
     req = OL_TXRX_U64_TO_STATS_PTR(cookie);
 
+    adf_os_spin_lock_bh(&pdev->req_list_spinlock);
+    TAILQ_FOREACH(tmp, &pdev->req_list, req_list_elem) {
+        if (req == tmp) {
+            found = 1;
+            break;
+        }
+    }
+    adf_os_spin_unlock_bh(&pdev->req_list_spinlock);
+
+    if (!found) {
+        TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+            "req(%p) from firmware can't be found in the list\n", req);
+        return;
+    }
+
     do {
         htt_t2h_dbg_stats_hdr_parse(
             stats_info_list, &type, &status, &length, &stats_data);
@@ -2200,10 +2244,16 @@ ol_txrx_fw_stats_handler(
     } while (1);
 
     if (! more) {
-        if (req->base.wait.blocking) {
-            adf_os_mutex_release(pdev->osdev, req->base.wait.sem_ptr);
+        adf_os_spin_lock_bh(&pdev->req_list_spinlock);
+        TAILQ_FOREACH(tmp, &pdev->req_list, req_list_elem) {
+            if (req == tmp) {
+                TAILQ_REMOVE(&pdev->req_list, req, req_list_elem);
+                pdev->req_list_depth--;
+                adf_os_mem_free(req);
+                break;
+            }
         }
-        adf_os_mem_free(req);
+        adf_os_spin_unlock_bh(&pdev->req_list_spinlock);
     }
 }
 
diff --git a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_txrx_types.h b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_txrx_types.h
index beee134bedd7bb331dd9b4debcdcbf8d18464c08..3ccd9f54c7bdd1681065e71446fd60563809c37b 100644
--- a/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_txrx_types.h
+++ b/drivers/staging/qcacld-2.0/CORE/CLD_TXRX/TXRX/ol_txrx_types.h
@@ -540,6 +540,10 @@ struct ol_txrx_pdev_t {
 	/* ol_txrx_vdev list */
 	TAILQ_HEAD(, ol_txrx_vdev_t) vdev_list;
 
+	TAILQ_HEAD(, ol_txrx_stats_req_internal) req_list;
+	int req_list_depth;
+	adf_os_spinlock_t req_list_spinlock;
+
 	/* peer ID to peer object map (array of pointers to peer objects) */
 	struct ol_txrx_peer_t **peer_id_to_obj_map;
 
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
index 2991836b49eceba0b3b1731d58aa486d975f6972..e4ef0ef99ed74157469cadbd2e8b18dd817959bc 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
@@ -4272,6 +4272,7 @@ static tANI_S32 hdd_ProcessGENIE(hdd_adapter_t *pAdapter,
     tDot11fIERSN dot11RSNIE;
     tDot11fIEWPA dot11WPAIE;
     tANI_U32 i;
+    tANI_U32 status;
     tANI_U8 *pRsnIe;
     tANI_U16 RSNIeLen;
     tPmkidCacheInfo PMKIDCache[4]; // Local transfer memory
@@ -4297,10 +4298,17 @@ static tANI_S32 hdd_ProcessGENIE(hdd_adapter_t *pAdapter,
         pRsnIe = gen_ie + 2;
         RSNIeLen = gen_ie_len - 2;
         // Unpack the RSN IE
-        dot11fUnpackIeRSN((tpAniSirGlobal) halHandle,
+        status = dot11fUnpackIeRSN((tpAniSirGlobal) halHandle,
                             pRsnIe,
                             RSNIeLen,
                             &dot11RSNIE);
+        if (DOT11F_FAILED(status))
+        {
+            hddLog(LOGE,
+                       FL("Parse failure in hdd_ProcessGENIE (0x%08x)"),
+                       status);
+            return -EINVAL;
+        }
         // Copy out the encryption and authentication types
         hddLog(LOG1, FL("%s: pairwise cipher suite count: %d"),
                 __func__, dot11RSNIE.pwise_cipher_suite_count );
diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessProbeReqFrame.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessProbeReqFrame.c
index a00327363d16093028fd53681e98a374ce9c09fd..0c106d8d781f7fdc73f8c48404b183fee6808960 100644
--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessProbeReqFrame.c
+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessProbeReqFrame.c
@@ -727,6 +727,10 @@ limSendSmeProbeReqInd(tpAniSirGlobal pMac,
 
     MTRACE(macTrace(pMac, TRACE_CODE_TX_SME_MSG, psessionEntry->peSessionId,
                                                                msgQ.type));
+
+    if (ProbeReqIELen > sizeof(pSirSmeProbeReqInd->WPSPBCProbeReq.probeReqIE))
+        ProbeReqIELen = sizeof(pSirSmeProbeReqInd->WPSPBCProbeReq.probeReqIE);
+
     pSirSmeProbeReqInd->WPSPBCProbeReq.probeReqIELen = (tANI_U16)ProbeReqIELen;
     vos_mem_copy(pSirSmeProbeReqInd->WPSPBCProbeReq.probeReqIE, pProbeReqIE, ProbeReqIELen);
 
diff --git a/drivers/staging/qcacld-2.0/CORE/SAP/src/sapChSelect.c b/drivers/staging/qcacld-2.0/CORE/SAP/src/sapChSelect.c
index ac74e57c61003d9bcff322cbdc3cc2fef50811b7..09694b47a309e34ba197a6e96ebd1cbf07e0a9a1 100644
--- a/drivers/staging/qcacld-2.0/CORE/SAP/src/sapChSelect.c
+++ b/drivers/staging/qcacld-2.0/CORE/SAP/src/sapChSelect.c
@@ -767,7 +767,9 @@ v_U32_t sapweightRssiCount(v_S7_t rssi, v_U16_t count)
 
   SIDE EFFECTS
 ============================================================================*/
-void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
+void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh,
+                              tSapSpectChInfo *spect_ch_strt_addr,
+                              tSapSpectChInfo *spect_ch_end_addr)
 {
     tSapSpectChInfo *pExtSpectCh = NULL;
     v_S31_t rssi;
@@ -783,7 +785,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
     {
         case CHANNEL_1:
             pExtSpectCh = (pSpectCh + 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -796,7 +800,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -809,7 +815,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 3);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -822,7 +830,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 4);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -838,7 +848,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
 
         case CHANNEL_2:
             pExtSpectCh = (pSpectCh - 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -851,7 +863,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -864,7 +878,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -877,7 +893,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 3);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -890,7 +908,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 4);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -905,7 +925,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
             break;
         case CHANNEL_3:
             pExtSpectCh = (pSpectCh - 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -918,7 +940,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -931,7 +955,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -944,7 +970,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -957,7 +985,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 3);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -970,7 +1000,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 4);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -985,7 +1017,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
             break;
         case CHANNEL_4:
             pExtSpectCh = (pSpectCh - 3);
-            if(pExtSpectCh != NULL)
+            if(pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -998,7 +1032,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1011,7 +1047,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1024,7 +1062,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1037,7 +1077,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1050,7 +1092,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 3);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1063,7 +1107,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 4);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1084,7 +1130,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
         case CHANNEL_9:
         case CHANNEL_10:
             pExtSpectCh = (pSpectCh - 4);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1097,7 +1145,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 3);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1110,7 +1160,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1123,7 +1175,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1136,7 +1190,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 1);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1149,7 +1205,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 2);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1162,7 +1220,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 3);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1175,7 +1235,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 4);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1191,7 +1253,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
 
         case CHANNEL_11:
             pExtSpectCh = (pSpectCh - 4);
-            if(pExtSpectCh != NULL)
+            if(pExtSpectCh != NULL &&
+               (pExtSpectCh >= spect_ch_strt_addr &&
+                pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1205,7 +1269,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
             }
 
             pExtSpectCh = (pSpectCh - 3);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1218,7 +1284,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1231,7 +1299,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1244,7 +1314,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 1);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1257,7 +1329,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 2);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1270,7 +1344,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 3);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1286,7 +1362,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
 
         case CHANNEL_12:
             pExtSpectCh = (pSpectCh - 4);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1300,7 +1378,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
             }
 
             pExtSpectCh = (pSpectCh - 3);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1313,7 +1393,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1326,7 +1408,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1339,7 +1423,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 1);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1352,7 +1438,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 2);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1368,7 +1456,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
 
         case CHANNEL_13:
             pExtSpectCh = (pSpectCh - 4);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1382,7 +1472,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
             }
 
             pExtSpectCh = (pSpectCh - 3);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1395,7 +1487,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 2);
-            if(pExtSpectCh != NULL)
+            if(pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1408,7 +1502,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1421,7 +1517,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh + 1);
-            if ((pExtSpectCh != NULL) && (pExtSpectCh->chNum <= CHANNEL_14))
+            if ((pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr)))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1437,7 +1535,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
 
         case CHANNEL_14:
             pExtSpectCh = (pSpectCh - 1);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1450,7 +1550,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 2);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1463,7 +1565,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 3);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1476,7 +1580,9 @@ void sapInterferenceRssiCount(tSapSpectChInfo *pSpectCh)
                     pExtSpectCh->rssiAgr = SOFTAP_MIN_RSSI;
             }
             pExtSpectCh = (pSpectCh - 4);
-            if (pExtSpectCh != NULL)
+            if (pExtSpectCh != NULL &&
+                (pExtSpectCh >= spect_ch_strt_addr &&
+                 pExtSpectCh < spect_ch_end_addr))
             {
                 ++pExtSpectCh->bssCount;
                 rssi = pSpectCh->rssiAgr +
@@ -1847,7 +1953,8 @@ void sapComputeSpectWeight( tSapChSelSpectInfo* pSpectInfoParams,
 
                 if(operatingBand == eCSR_DOT11_MODE_11g)
                 {
-                     sapInterferenceRssiCount(pSpectCh);
+                     sapInterferenceRssiCount(pSpectCh, pSpectChStartAddr,
+                                              pSpectChEndAddr);
                 }
 
                 VOS_TRACE(VOS_MODULE_ID_SAP, VOS_TRACE_LEVEL_INFO_HIGH,
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/ol_txrx_dbg.h b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/ol_txrx_dbg.h
index 7309db33dc86582431b044abd70d18fe955838b4..517bf5f4b317580ebf92031eed15c39a1ae8d283 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/ol_txrx_dbg.h
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/ol_txrx_dbg.h
@@ -76,6 +76,13 @@ struct ol_txrx_stats_req {
     } wait;
 };
 
+struct ol_txrx_stats_req_internal {
+    struct ol_txrx_stats_req base;
+    TAILQ_ENTRY(ol_txrx_stats_req_internal) req_list_elem;
+    int serviced; /* state of this request */
+    int offset;
+};
+
 #ifndef TXRX_DEBUG_LEVEL
 #define TXRX_DEBUG_LEVEL 0 /* no debug info */
 #endif
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index c3a9e89ba98d4b36436ddd255a85506640efaefe..010db5898cd472b08fc5dd54bb9d2fed0c1171c3 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -493,7 +493,7 @@ static bool wma_is_vdev_in_ap_mode(tp_wma_handle wma, u_int8_t vdev_id)
 {
 	struct wma_txrx_node *intf = wma->interfaces;
 
-	if (vdev_id > wma->max_bssid) {
+	if (vdev_id >= wma->max_bssid) {
 		WMA_LOGP("%s: Invalid vdev_id %hu", __func__, vdev_id);
 		VOS_ASSERT(0);
 		return false;
@@ -519,7 +519,7 @@ static bool wma_is_vdev_in_ibss_mode(tp_wma_handle wma, u_int8_t vdev_id)
 {
 	struct wma_txrx_node *intf = wma->interfaces;
 
-	if (vdev_id > wma->max_bssid) {
+	if (vdev_id >= wma->max_bssid) {
 		WMA_LOGP("%s: Invalid vdev_id %hu", __func__, vdev_id);
 		VOS_ASSERT(0);
 		return false;
@@ -1294,9 +1294,15 @@ static int wma_vdev_start_rsp_ind(tp_wma_handle wma, u_int8_t *buf)
 		return -EINVAL;
 	}
 
+	if (resp_event->vdev_id >= wma->max_bssid) {
+		WMA_LOGE("%s: received invalid vdev_id %d",
+			__func__, resp_event->vdev_id);
+		return -EINVAL;
+	}
+
 	iface = &wma->interfaces[resp_event->vdev_id];
 
-	if ((resp_event->vdev_id <= wma->max_bssid) &&
+	if ((resp_event->vdev_id < wma->max_bssid) &&
 		(adf_os_atomic_read(
 		&wma->interfaces[resp_event->vdev_id].vdev_restart_params.hidden_ssid_restart_in_progress)) &&
 		(wma_is_vdev_in_ap_mode(wma, resp_event->vdev_id) == true)) {
@@ -1889,7 +1895,7 @@ static void wma_delete_all_ibss_peers(tp_wma_handle wma, A_UINT32 vdev_id)
 	ol_txrx_vdev_handle vdev;
 	ol_txrx_peer_handle peer, temp;
 
-	if (!wma || vdev_id > wma->max_bssid)
+	if (!wma || vdev_id >= wma->max_bssid)
 		return;
 
 	vdev = wma->interfaces[vdev_id].handle;
@@ -1931,7 +1937,7 @@ static void wma_delete_all_ap_remote_peers(tp_wma_handle wma, A_UINT32 vdev_id)
 	ol_txrx_vdev_handle vdev;
 	ol_txrx_peer_handle peer, temp;
 
-	if (!wma || vdev_id > wma->max_bssid)
+	if (!wma || vdev_id >= wma->max_bssid)
 		return;
 
 	vdev = wma->interfaces[vdev_id].handle;
@@ -2190,7 +2196,7 @@ static int wma_vdev_stop_ind(tp_wma_handle wma, u_int8_t *buf)
 
 	resp_event = (wmi_vdev_stopped_event_fixed_param *)buf;
 
-	if ((resp_event->vdev_id <= wma->max_bssid) &&
+	if ((resp_event->vdev_id < wma->max_bssid) &&
 	(adf_os_atomic_read(&wma->interfaces[resp_event->vdev_id].vdev_restart_params.hidden_ssid_restart_in_progress)) &&
 	((wma->interfaces[resp_event->vdev_id].type == WMI_VDEV_TYPE_AP) &&
 	(wma->interfaces[resp_event->vdev_id].sub_type == 0))) {
@@ -2229,7 +2235,7 @@ static int wma_vdev_stop_ind(tp_wma_handle wma, u_int8_t *buf)
 		tpDeleteBssParams params =
 			(tpDeleteBssParams)req_msg->user_data;
 		struct beacon_info *bcn;
-		if (resp_event->vdev_id > wma->max_bssid) {
+		if (resp_event->vdev_id >= wma->max_bssid) {
 			WMA_LOGE("%s: Invalid vdev_id %d", __func__,
 				resp_event->vdev_id);
 			vos_mem_free(params);
@@ -3935,6 +3941,11 @@ static int wma_extscan_hotlist_match_event_handler(void *handle,
 		dest_ap->ieLength = src_hotlist-> ie_length;
 		WMI_MAC_ADDR_TO_CHAR_ARRAY(&src_hotlist->bssid,
 						dest_ap->bssid);
+		if (src_hotlist->ssid.ssid_len > SIR_MAC_MAX_SSID_LENGTH) {
+			WMA_LOGE("%s Invalid SSID len %d, truncating",
+				__func__, src_hotlist->ssid.ssid_len);
+			src_hotlist->ssid.ssid_len = SIR_MAC_MAX_SSID_LENGTH;
+		}
 		vos_mem_copy(dest_ap->ssid, src_hotlist->ssid.ssid,
 					src_hotlist->ssid.ssid_len);
 		dest_ap->ssid[src_hotlist->ssid.ssid_len] = '\0';
@@ -4109,6 +4120,13 @@ static int wma_group_num_bss_to_scan_id(const u_int8_t *cmd_param_info,
 			WMI_MAC_ADDR_TO_CHAR_ARRAY(&src_hotlist->bssid,
 						ap->bssid);
 
+			if (src_hotlist->ssid.ssid_len >
+			    SIR_MAC_MAX_SSID_LENGTH) {
+				WMA_LOGD("%s Invalid SSID len %d, truncating",
+					 __func__, src_hotlist->ssid.ssid_len);
+				src_hotlist->ssid.ssid_len =
+						SIR_MAC_MAX_SSID_LENGTH;
+			}
 			vos_mem_copy(ap->ssid, src_hotlist->ssid.ssid,
 					src_hotlist->ssid.ssid_len);
 			ap->ssid[src_hotlist->ssid.ssid_len] = '\0';
@@ -4421,10 +4439,13 @@ static int wma_passpoint_match_event_handler(void *handle,
 			WMA_SVC_MSG_MAX_SIZE) {
 		WMA_LOGE("IE Length: %d or ANQP Length: %d is huge",
 				event->ie_length, event->anqp_length);
-		VOS_ASSERT(0);
 		return -EINVAL;
 	}
-
+	if (event->ssid.ssid_len > SIR_MAC_MAX_SSID_LENGTH) {
+		WMA_LOGD("%s: Invalid ssid len %d, truncating",
+			__func__, event->ssid.ssid_len);
+		event->ssid.ssid_len = SIR_MAC_MAX_SSID_LENGTH;
+	}
 	dest_match = vos_mem_malloc(sizeof(*dest_match) +
 				event->ie_length + event->anqp_length);
 	if (!dest_match) {
@@ -4516,6 +4537,11 @@ static int wma_unified_link_iface_stats_event_handler(void *handle,
 		WMA_LOGA("%s: Invalid param_tlvs for Iface Stats", __func__);
 		return -EINVAL;
 	}
+	if (link_stats->num_ac > WIFI_AC_MAX) {
+		WMA_LOGE("%s: Excess data received from firmware num_ac %d",
+			__func__, link_stats->num_ac);
+		return -EINVAL;
+	}
 
 	link_stats_size = sizeof(tSirWifiIfaceStat);
 	iface_info_size = sizeof(tSirWifiInterfaceInfo);
@@ -9805,7 +9831,7 @@ VOS_STATUS wma_start_scan(tp_wma_handle wma_handle,
 	int len;
 	tSirScanOffloadEvent *scan_event;
 
-	if (scan_req->sessionId > wma_handle->max_bssid) {
+	if (scan_req->sessionId >= wma_handle->max_bssid) {
 		WMA_LOGE("%s: Invalid vdev_id %d, msg_type : 0x%x", __func__,
 			scan_req->sessionId, msg_type);
 		goto error1;
@@ -12712,7 +12738,7 @@ void wma_vdev_resp_timer(void *data)
 		struct beacon_info *bcn;
 		struct wma_txrx_node *iface;
 
-		if (tgt_req->vdev_id > wma->max_bssid) {
+		if (tgt_req->vdev_id >= wma->max_bssid) {
 			WMA_LOGE("%s: Invalid vdev_id %d", __func__,
 				tgt_req->vdev_id);
 			vos_mem_free(params);
@@ -23142,7 +23168,7 @@ static VOS_STATUS wma_wow_enter(tp_wma_handle wma,
 
 	WMA_LOGD("wow enable req received for vdev id: %d", info->sessionId);
 
-	if (info->sessionId > wma->max_bssid) {
+	if (info->sessionId >= wma->max_bssid) {
 		WMA_LOGE("Invalid vdev id (%d)", info->sessionId);
 		vos_mem_free(info);
 		return VOS_STATUS_E_INVAL;
@@ -23169,7 +23195,7 @@ static VOS_STATUS wma_wow_exit(tp_wma_handle wma,
 
 	WMA_LOGD("wow disable req received for vdev id: %d", info->sessionId);
 
-	if (info->sessionId > wma->max_bssid) {
+	if (info->sessionId >= wma->max_bssid) {
 		WMA_LOGE("Invalid vdev id (%d)", info->sessionId);
 		vos_mem_free(info);
 		return VOS_STATUS_E_INVAL;
@@ -23202,7 +23228,7 @@ static VOS_STATUS wma_suspend_req(tp_wma_handle wma, tpSirWlanSuspendParam info)
 
 	wma->no_of_suspend_ind++;
 
-	if (info->sessionId > wma->max_bssid) {
+	if (info->sessionId >= wma->max_bssid) {
 		WMA_LOGE("Invalid vdev id (%d)", info->sessionId);
 		vos_mem_free(info);
 		return VOS_STATUS_E_INVAL;
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma_nan_datapath.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma_nan_datapath.c
index c2cd54c2c2684b73a7af98b4b49b2c8b448474e3..6dccfcc7a9e317c1ec48f0cfc997423a9b04f1fb 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma_nan_datapath.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma_nan_datapath.c
@@ -490,7 +490,7 @@ void wma_delete_all_nan_remote_peers(tp_wma_handle wma, uint32_t vdev_id)
 	ol_txrx_vdev_handle vdev;
 	ol_txrx_peer_handle peer, temp;
 
-	if (!wma || vdev_id > wma->max_bssid)
+	if (!wma || vdev_id >= wma->max_bssid)
 		return;
 
 	vdev = wma->interfaces[vdev_id].handle;
diff --git a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/include/pktlog_ac_api.h b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/include/pktlog_ac_api.h
index a30aaab2b07b96d8179b7bab6788c9ca5cecacd9..5fdc83c575b539ec416df983c41ab89aa2a6755b 100644
--- a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/include/pktlog_ac_api.h
+++ b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/include/pktlog_ac_api.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2013 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -72,7 +72,7 @@ struct ath_pktlog_info {
 	/* Size of buffer in bytes */
 	int32_t buf_size;
 	spinlock_t log_lock;
-
+	struct mutex pktlog_mutex;
 	/* Threshold of TCP SACK packets for triggered stop */
 	int sack_thr;
 
diff --git a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c
index ec61b77e827cf4b34ada40426d7ab93f74a9f81b..6054306de0f503b8d138ce414295786e400cd471 100644
--- a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c
+++ b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/linux_ac.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -78,6 +78,8 @@ static struct ath_pktlog_info *g_pktlog_info;
 
 static struct proc_dir_entry *g_pktlog_pde;
 
+static DEFINE_MUTEX(proc_mutex);
+
 static int pktlog_attach(struct ol_softc *sc);
 static void pktlog_detach(struct ol_softc *sc);
 static int pktlog_open(struct inode *i, struct file *f);
@@ -120,6 +122,7 @@ int pktlog_alloc_buf(struct ol_softc *scn)
 	unsigned long vaddr;
 	struct page *vpg;
 	struct ath_pktlog_info *pl_info;
+	struct ath_pktlog_buf *buffer;
 
 	if (!scn || !scn->pdev_txrx_handle->pl_dev) {
 		printk(PKTLOG_TAG
@@ -133,19 +136,28 @@ int pktlog_alloc_buf(struct ol_softc *scn)
 
 	page_cnt = (sizeof(*(pl_info->buf)) + pl_info->buf_size) / PAGE_SIZE;
 
-	if ((pl_info->buf = vmalloc((page_cnt + 2) * PAGE_SIZE)) == NULL) {
+	spin_lock_bh(&pl_info->log_lock);
+	if(pl_info->buf != NULL) {
+		printk("Buffer is already in use\n");
+		spin_unlock_bh(&pl_info->log_lock);
+		return -EINVAL;
+	}
+	spin_unlock_bh(&pl_info->log_lock);
+
+	if ((buffer = vmalloc((page_cnt + 2) * PAGE_SIZE)) == NULL) {
 		printk(PKTLOG_TAG
 		       "%s: Unable to allocate buffer "
 		       "(%d pages)\n", __func__, page_cnt);
 		return -ENOMEM;
 	}
 
-	pl_info->buf = (struct ath_pktlog_buf *)
-			(((unsigned long) (pl_info->buf) + PAGE_SIZE - 1)
+
+	buffer = (struct ath_pktlog_buf *)
+			(((unsigned long) (buffer) + PAGE_SIZE - 1)
 			& PAGE_MASK);
 
-	for (vaddr = (unsigned long) (pl_info->buf);
-	     vaddr < ((unsigned long) (pl_info->buf) + (page_cnt * PAGE_SIZE));
+	for (vaddr = (unsigned long) (buffer);
+	     vaddr < ((unsigned long) (buffer) + (page_cnt * PAGE_SIZE));
 	     vaddr += PAGE_SIZE) {
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25))
 		vpg = vmalloc_to_page((const void *) vaddr);
@@ -155,6 +167,12 @@ int pktlog_alloc_buf(struct ol_softc *scn)
 		SetPageReserved(vpg);
 	}
 
+	spin_lock_bh(&pl_info->log_lock);
+	if(pl_info->buf != NULL)
+		pktlog_release_buf(scn);
+
+	pl_info->buf =  buffer;
+	spin_unlock_bh(&pl_info->log_lock);
 	return 0;
 }
 
@@ -198,6 +216,7 @@ pktlog_cleanup(struct ath_pktlog_info *pl_info)
 {
 	pl_info->log_state = 0;
 	PKTLOG_LOCK_DESTROY(pl_info);
+	mutex_destroy(&pl_info->pktlog_mutex);
 }
 
 /* sysctl procfs handler to enable pktlog */
@@ -209,9 +228,11 @@ ATH_SYSCTL_DECL(ath_sysctl_pktlog_enable, ctl, write, filp, buffer, lenp,
 	ol_ath_generic_softc_handle scn;
 	struct ol_pktlog_dev_t *pl_dev;
 
+	mutex_lock(&proc_mutex);
 	scn = (ol_ath_generic_softc_handle) ctl->extra1;
 
 	if (!scn) {
+		mutex_unlock(&proc_mutex);
 		printk("%s: Invalid scn context\n", __func__);
 		ASSERT(0);
 		return -EINVAL;
@@ -220,6 +241,7 @@ ATH_SYSCTL_DECL(ath_sysctl_pktlog_enable, ctl, write, filp, buffer, lenp,
 	pl_dev = get_pl_handle((struct ol_softc *)scn);
 
 	if (!pl_dev) {
+		mutex_unlock(&proc_mutex);
 		printk("%s: Invalid pktlog context\n", __func__);
 		ASSERT(0);
 		return -ENODEV;
@@ -249,6 +271,7 @@ ATH_SYSCTL_DECL(ath_sysctl_pktlog_enable, ctl, write, filp, buffer, lenp,
 	ctl->data = NULL;
 	ctl->maxlen = 0;
 
+	mutex_unlock(&proc_mutex);
 	return ret;
 }
 
@@ -266,9 +289,11 @@ ATH_SYSCTL_DECL(ath_sysctl_pktlog_size, ctl, write, filp, buffer, lenp,
 	ol_ath_generic_softc_handle scn;
 	struct ol_pktlog_dev_t *pl_dev;
 
+	mutex_lock(&proc_mutex);
 	scn = (ol_ath_generic_softc_handle) ctl->extra1;
 
 	if (!scn) {
+		mutex_unlock(&proc_mutex);
 		printk("%s: Invalid scn context\n", __func__);
 		ASSERT(0);
 		return -EINVAL;
@@ -277,6 +302,7 @@ ATH_SYSCTL_DECL(ath_sysctl_pktlog_size, ctl, write, filp, buffer, lenp,
 	pl_dev = get_pl_handle((struct ol_softc *)scn);
 
 	if (!pl_dev) {
+		mutex_unlock(&proc_mutex);
 		printk("%s: Invalid pktlog handle\n", __func__);
 		ASSERT(0);
 		return -ENODEV;
@@ -301,6 +327,7 @@ ATH_SYSCTL_DECL(ath_sysctl_pktlog_size, ctl, write, filp, buffer, lenp,
 	ctl->data = NULL;
 	ctl->maxlen = 0;
 
+	mutex_unlock(&proc_mutex);
 	return ret;
 }
 
@@ -732,7 +759,7 @@ rd_done:
 }
 
 static ssize_t
-pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos)
+__pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos)
 {
 	size_t bufhdr_size;
 	size_t count = 0, ret_val = 0;
@@ -870,6 +897,24 @@ rd_done:
 	return ret_val;
 }
 
+static ssize_t
+pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos)
+{
+	size_t ret_val = 0;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,10,0)
+	struct ath_pktlog_info *pl_info = (struct ath_pktlog_info *)
+					  PDE_DATA(file->f_path.dentry->d_inode);
+#else
+	struct proc_dir_entry *proc_entry = PDE(file->f_dentry->d_inode);
+	struct ath_pktlog_info *pl_info = (struct ath_pktlog_info *)
+					  proc_entry->data;
+#endif
+	mutex_lock(&pl_info->pktlog_mutex);
+	ret_val = __pktlog_read(file, buf, nbytes, ppos);
+	mutex_unlock(&pl_info->pktlog_mutex);
+	return ret_val;
+}
+
 #ifndef VMALLOC_VMADDR
 #define VMALLOC_VMADDR(x) ((unsigned long)(x))
 #endif
diff --git a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/pktlog_ac.c b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/pktlog_ac.c
index 542ff90ba595222a4d5eb6c904c2836a9959c60c..cad8b0e1aeddd22ee1bcf8bb37250c6825920a83 100644
--- a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/pktlog_ac.c
+++ b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/pktlog_ac.c
@@ -280,6 +280,7 @@ pktlog_init(struct ol_softc *scn)
 
 	OS_MEMZERO(pl_info, sizeof(*pl_info));
 	PKTLOG_LOCK_INIT(pl_info);
+	mutex_init(&pl_info->pktlog_mutex);
 
 	pl_info->buf_size = PKTLOG_DEFAULT_BUFSIZE;
 	pl_info->buf = NULL;
@@ -301,8 +302,9 @@ pktlog_init(struct ol_softc *scn)
 	PKTLOG_RCUPDATE_SUBSCRIBER.callback = pktlog_callback;
 }
 
-int
-pktlog_enable(struct ol_softc *scn, int32_t log_state)
+
+static int
+__pktlog_enable(struct ol_softc *scn, int32_t log_state)
 {
 	struct ol_pktlog_dev_t *pl_dev;
 	struct ath_pktlog_info *pl_info;
@@ -392,8 +394,39 @@ pktlog_enable(struct ol_softc *scn, int32_t log_state)
 #define ONE_MEGABYTE (1024 * 1024)
 #define MAX_ALLOWED_PKTLOG_SIZE (16 * ONE_MEGABYTE)
 
-int
-pktlog_setsize(struct ol_softc *scn, int32_t size)
+int pktlog_enable(struct ol_softc *scn, int32_t log_state)
+{
+	struct ol_pktlog_dev_t *pl_dev;
+	struct ath_pktlog_info *pl_info;
+	int error;
+
+	if (!scn) {
+		printk("%s: Invalid scn context\n", __func__);
+		ASSERT(0);
+		return A_ERROR;
+	}
+
+	pl_dev = scn->pdev_txrx_handle->pl_dev;
+	if (!pl_dev) {
+		printk("%s: Invalid pktlog context\n", __func__);
+		ASSERT(0);
+		return A_ERROR;
+	}
+
+	pl_info = pl_dev->pl_info;
+
+	if (!pl_info)
+		return 0;
+
+	mutex_lock(&pl_info->pktlog_mutex);
+	error = __pktlog_enable(scn, log_state);
+	mutex_unlock(&pl_info->pktlog_mutex);
+	return error;
+}
+
+
+static int
+__pktlog_setsize(struct ol_softc *scn, int32_t size)
 {
 	struct ol_pktlog_dev_t *pl_dev = scn->pdev_txrx_handle->pl_dev;
 	struct ath_pktlog_info *pl_info = pl_dev->pl_info;
@@ -424,4 +457,25 @@ pktlog_setsize(struct ol_softc *scn, int32_t size)
 
 	return 0;
 }
+int
+pktlog_setsize(struct ol_softc *scn, int32_t size)
+{
+        struct ol_pktlog_dev_t *pl_dev;
+        struct ath_pktlog_info *pl_info;
+	int status;
+
+	if (!scn) {
+		printk("%s: Invalid scn context\n", __func__);
+		ASSERT(0);
+		return A_ERROR;
+	}
+
+	pl_dev = scn->pdev_txrx_handle->pl_dev;
+	pl_info = pl_dev->pl_info;
+
+	mutex_lock(&pl_info->pktlog_mutex);
+	status = __pktlog_setsize(scn, size);
+	mutex_unlock(&pl_info->pktlog_mutex);
+	return status;
+}
 #endif /* REMOVE_PKT_LOG */
diff --git a/drivers/video/msm/mdss/mdss_mdp_util.c b/drivers/video/msm/mdss/mdss_mdp_util.c
index 30a960d32923b92a8fe78f423fecae8bbabaaa0e..936b72b6e72f8d6c4de8b49aad12011a3c002487 100644
--- a/drivers/video/msm/mdss/mdss_mdp_util.c
+++ b/drivers/video/msm/mdss/mdss_mdp_util.c
@@ -438,6 +438,8 @@ int mdss_mdp_get_plane_sizes(u32 format, u32 w, u32 h,
 	if (ps == NULL)
 		return -EINVAL;
 
+	memset(ps, 0, sizeof(struct mdss_mdp_plane_sizes));
+
 	if ((w > MAX_IMG_WIDTH) || (h > MAX_IMG_HEIGHT))
 		return -ERANGE;
 
@@ -446,7 +448,6 @@ int mdss_mdp_get_plane_sizes(u32 format, u32 w, u32 h,
 		return -EINVAL;
 
 	bpp = fmt->bpp;
-	memset(ps, 0, sizeof(struct mdss_mdp_plane_sizes));
 
 	if (bwc_mode) {
 		u32 height, meta_size;