Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Alice Ferrazzi <alicef@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Wed, 31 Jan 2018 13:50:47
Message-Id: 1517406631.910e786f481545bd8c0e1230317eda74d828cc7b.alicef@gentoo
1 commit: 910e786f481545bd8c0e1230317eda74d828cc7b
2 Author: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jan 31 13:50:31 2018 +0000
4 Commit: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
5 CommitDate: Wed Jan 31 13:50:31 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=910e786f
7
8 linux kernel 4.14.16
9
10 0000_README | 4 +
11 1015_linux-4.14.16.patch | 3197 ++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 3201 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index c7ad7f2..8311794 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -103,6 +103,10 @@ Patch: 1014_linux-4.14.15.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.14.15
21
22 +Patch: 1015_linux-4.14.16.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.14.16
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1015_linux-4.14.16.patch b/1015_linux-4.14.16.patch
31 new file mode 100644
32 index 0000000..02daf91
33 --- /dev/null
34 +++ b/1015_linux-4.14.16.patch
35 @@ -0,0 +1,3197 @@
36 +diff --git a/Makefile b/Makefile
37 +index bf1a277a67a4..90a4bffa8446 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,7 +1,7 @@
41 + # SPDX-License-Identifier: GPL-2.0
42 + VERSION = 4
43 + PATCHLEVEL = 14
44 +-SUBLEVEL = 15
45 ++SUBLEVEL = 16
46 + EXTRAVERSION =
47 + NAME = Petit Gorille
48 +
49 +diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
50 +index c199990e12b6..323a4df59a6c 100644
51 +--- a/arch/arm/net/bpf_jit_32.c
52 ++++ b/arch/arm/net/bpf_jit_32.c
53 +@@ -27,14 +27,58 @@
54 +
55 + int bpf_jit_enable __read_mostly;
56 +
57 ++/*
58 ++ * eBPF prog stack layout:
59 ++ *
60 ++ * high
61 ++ * original ARM_SP => +-----+
62 ++ * | | callee saved registers
63 ++ * +-----+ <= (BPF_FP + SCRATCH_SIZE)
64 ++ * | ... | eBPF JIT scratch space
65 ++ * eBPF fp register => +-----+
66 ++ * (BPF_FP) | ... | eBPF prog stack
67 ++ * +-----+
68 ++ * |RSVD | JIT scratchpad
69 ++ * current ARM_SP => +-----+ <= (BPF_FP - STACK_SIZE + SCRATCH_SIZE)
70 ++ * | |
71 ++ * | ... | Function call stack
72 ++ * | |
73 ++ * +-----+
74 ++ * low
75 ++ *
76 ++ * The callee saved registers depends on whether frame pointers are enabled.
77 ++ * With frame pointers (to be compliant with the ABI):
78 ++ *
79 ++ * high
80 ++ * original ARM_SP => +------------------+ \
81 ++ * | pc | |
82 ++ * current ARM_FP => +------------------+ } callee saved registers
83 ++ * |r4-r8,r10,fp,ip,lr| |
84 ++ * +------------------+ /
85 ++ * low
86 ++ *
87 ++ * Without frame pointers:
88 ++ *
89 ++ * high
90 ++ * original ARM_SP => +------------------+
91 ++ * | r4-r8,r10,fp,lr | callee saved registers
92 ++ * current ARM_FP => +------------------+
93 ++ * low
94 ++ *
95 ++ * When popping registers off the stack at the end of a BPF function, we
96 ++ * reference them via the current ARM_FP register.
97 ++ */
98 ++#define CALLEE_MASK (1 << ARM_R4 | 1 << ARM_R5 | 1 << ARM_R6 | \
99 ++ 1 << ARM_R7 | 1 << ARM_R8 | 1 << ARM_R10 | \
100 ++ 1 << ARM_FP)
101 ++#define CALLEE_PUSH_MASK (CALLEE_MASK | 1 << ARM_LR)
102 ++#define CALLEE_POP_MASK (CALLEE_MASK | 1 << ARM_PC)
103 ++
104 + #define STACK_OFFSET(k) (k)
105 + #define TMP_REG_1 (MAX_BPF_JIT_REG + 0) /* TEMP Register 1 */
106 + #define TMP_REG_2 (MAX_BPF_JIT_REG + 1) /* TEMP Register 2 */
107 + #define TCALL_CNT (MAX_BPF_JIT_REG + 2) /* Tail Call Count */
108 +
109 +-/* Flags used for JIT optimization */
110 +-#define SEEN_CALL (1 << 0)
111 +-
112 + #define FLAG_IMM_OVERFLOW (1 << 0)
113 +
114 + /*
115 +@@ -95,7 +139,6 @@ static const u8 bpf2a32[][2] = {
116 + * idx : index of current last JITed instruction.
117 + * prologue_bytes : bytes used in prologue.
118 + * epilogue_offset : offset of epilogue starting.
119 +- * seen : bit mask used for JIT optimization.
120 + * offsets : array of eBPF instruction offsets in
121 + * JITed code.
122 + * target : final JITed code.
123 +@@ -110,7 +153,6 @@ struct jit_ctx {
124 + unsigned int idx;
125 + unsigned int prologue_bytes;
126 + unsigned int epilogue_offset;
127 +- u32 seen;
128 + u32 flags;
129 + u32 *offsets;
130 + u32 *target;
131 +@@ -179,8 +221,13 @@ static void jit_fill_hole(void *area, unsigned int size)
132 + *ptr++ = __opcode_to_mem_arm(ARM_INST_UDF);
133 + }
134 +
135 +-/* Stack must be multiples of 16 Bytes */
136 +-#define STACK_ALIGN(sz) (((sz) + 3) & ~3)
137 ++#if defined(CONFIG_AEABI) && (__LINUX_ARM_ARCH__ >= 5)
138 ++/* EABI requires the stack to be aligned to 64-bit boundaries */
139 ++#define STACK_ALIGNMENT 8
140 ++#else
141 ++/* Stack must be aligned to 32-bit boundaries */
142 ++#define STACK_ALIGNMENT 4
143 ++#endif
144 +
145 + /* Stack space for BPF_REG_2, BPF_REG_3, BPF_REG_4,
146 + * BPF_REG_5, BPF_REG_7, BPF_REG_8, BPF_REG_9,
147 +@@ -194,7 +241,7 @@ static void jit_fill_hole(void *area, unsigned int size)
148 + + SCRATCH_SIZE + \
149 + + 4 /* extra for skb_copy_bits buffer */)
150 +
151 +-#define STACK_SIZE STACK_ALIGN(_STACK_SIZE)
152 ++#define STACK_SIZE ALIGN(_STACK_SIZE, STACK_ALIGNMENT)
153 +
154 + /* Get the offset of eBPF REGISTERs stored on scratch space. */
155 + #define STACK_VAR(off) (STACK_SIZE-off-4)
156 +@@ -285,16 +332,19 @@ static inline void emit_mov_i(const u8 rd, u32 val, struct jit_ctx *ctx)
157 + emit_mov_i_no8m(rd, val, ctx);
158 + }
159 +
160 +-static inline void emit_blx_r(u8 tgt_reg, struct jit_ctx *ctx)
161 ++static void emit_bx_r(u8 tgt_reg, struct jit_ctx *ctx)
162 + {
163 +- ctx->seen |= SEEN_CALL;
164 +-#if __LINUX_ARM_ARCH__ < 5
165 +- emit(ARM_MOV_R(ARM_LR, ARM_PC), ctx);
166 +-
167 + if (elf_hwcap & HWCAP_THUMB)
168 + emit(ARM_BX(tgt_reg), ctx);
169 + else
170 + emit(ARM_MOV_R(ARM_PC, tgt_reg), ctx);
171 ++}
172 ++
173 ++static inline void emit_blx_r(u8 tgt_reg, struct jit_ctx *ctx)
174 ++{
175 ++#if __LINUX_ARM_ARCH__ < 5
176 ++ emit(ARM_MOV_R(ARM_LR, ARM_PC), ctx);
177 ++ emit_bx_r(tgt_reg, ctx);
178 + #else
179 + emit(ARM_BLX_R(tgt_reg), ctx);
180 + #endif
181 +@@ -354,7 +404,6 @@ static inline void emit_udivmod(u8 rd, u8 rm, u8 rn, struct jit_ctx *ctx, u8 op)
182 + }
183 +
184 + /* Call appropriate function */
185 +- ctx->seen |= SEEN_CALL;
186 + emit_mov_i(ARM_IP, op == BPF_DIV ?
187 + (u32)jit_udiv32 : (u32)jit_mod32, ctx);
188 + emit_blx_r(ARM_IP, ctx);
189 +@@ -620,8 +669,6 @@ static inline void emit_a32_lsh_r64(const u8 dst[], const u8 src[], bool dstk,
190 + /* Do LSH operation */
191 + emit(ARM_SUB_I(ARM_IP, rt, 32), ctx);
192 + emit(ARM_RSB_I(tmp2[0], rt, 32), ctx);
193 +- /* As we are using ARM_LR */
194 +- ctx->seen |= SEEN_CALL;
195 + emit(ARM_MOV_SR(ARM_LR, rm, SRTYPE_ASL, rt), ctx);
196 + emit(ARM_ORR_SR(ARM_LR, ARM_LR, rd, SRTYPE_ASL, ARM_IP), ctx);
197 + emit(ARM_ORR_SR(ARM_IP, ARM_LR, rd, SRTYPE_LSR, tmp2[0]), ctx);
198 +@@ -656,8 +703,6 @@ static inline void emit_a32_arsh_r64(const u8 dst[], const u8 src[], bool dstk,
199 + /* Do the ARSH operation */
200 + emit(ARM_RSB_I(ARM_IP, rt, 32), ctx);
201 + emit(ARM_SUBS_I(tmp2[0], rt, 32), ctx);
202 +- /* As we are using ARM_LR */
203 +- ctx->seen |= SEEN_CALL;
204 + emit(ARM_MOV_SR(ARM_LR, rd, SRTYPE_LSR, rt), ctx);
205 + emit(ARM_ORR_SR(ARM_LR, ARM_LR, rm, SRTYPE_ASL, ARM_IP), ctx);
206 + _emit(ARM_COND_MI, ARM_B(0), ctx);
207 +@@ -692,8 +737,6 @@ static inline void emit_a32_lsr_r64(const u8 dst[], const u8 src[], bool dstk,
208 + /* Do LSH operation */
209 + emit(ARM_RSB_I(ARM_IP, rt, 32), ctx);
210 + emit(ARM_SUBS_I(tmp2[0], rt, 32), ctx);
211 +- /* As we are using ARM_LR */
212 +- ctx->seen |= SEEN_CALL;
213 + emit(ARM_MOV_SR(ARM_LR, rd, SRTYPE_LSR, rt), ctx);
214 + emit(ARM_ORR_SR(ARM_LR, ARM_LR, rm, SRTYPE_ASL, ARM_IP), ctx);
215 + emit(ARM_ORR_SR(ARM_LR, ARM_LR, rm, SRTYPE_LSR, tmp2[0]), ctx);
216 +@@ -828,8 +871,6 @@ static inline void emit_a32_mul_r64(const u8 dst[], const u8 src[], bool dstk,
217 + /* Do Multiplication */
218 + emit(ARM_MUL(ARM_IP, rd, rn), ctx);
219 + emit(ARM_MUL(ARM_LR, rm, rt), ctx);
220 +- /* As we are using ARM_LR */
221 +- ctx->seen |= SEEN_CALL;
222 + emit(ARM_ADD_R(ARM_LR, ARM_IP, ARM_LR), ctx);
223 +
224 + emit(ARM_UMULL(ARM_IP, rm, rd, rt), ctx);
225 +@@ -872,33 +913,53 @@ static inline void emit_str_r(const u8 dst, const u8 src, bool dstk,
226 + }
227 +
228 + /* dst = *(size*)(src + off) */
229 +-static inline void emit_ldx_r(const u8 dst, const u8 src, bool dstk,
230 +- const s32 off, struct jit_ctx *ctx, const u8 sz){
231 ++static inline void emit_ldx_r(const u8 dst[], const u8 src, bool dstk,
232 ++ s32 off, struct jit_ctx *ctx, const u8 sz){
233 + const u8 *tmp = bpf2a32[TMP_REG_1];
234 +- u8 rd = dstk ? tmp[1] : dst;
235 ++ const u8 *rd = dstk ? tmp : dst;
236 + u8 rm = src;
237 ++ s32 off_max;
238 +
239 +- if (off) {
240 ++ if (sz == BPF_H)
241 ++ off_max = 0xff;
242 ++ else
243 ++ off_max = 0xfff;
244 ++
245 ++ if (off < 0 || off > off_max) {
246 + emit_a32_mov_i(tmp[0], off, false, ctx);
247 + emit(ARM_ADD_R(tmp[0], tmp[0], src), ctx);
248 + rm = tmp[0];
249 ++ off = 0;
250 ++ } else if (rd[1] == rm) {
251 ++ emit(ARM_MOV_R(tmp[0], rm), ctx);
252 ++ rm = tmp[0];
253 + }
254 + switch (sz) {
255 +- case BPF_W:
256 +- /* Load a Word */
257 +- emit(ARM_LDR_I(rd, rm, 0), ctx);
258 ++ case BPF_B:
259 ++ /* Load a Byte */
260 ++ emit(ARM_LDRB_I(rd[1], rm, off), ctx);
261 ++ emit_a32_mov_i(dst[0], 0, dstk, ctx);
262 + break;
263 + case BPF_H:
264 + /* Load a HalfWord */
265 +- emit(ARM_LDRH_I(rd, rm, 0), ctx);
266 ++ emit(ARM_LDRH_I(rd[1], rm, off), ctx);
267 ++ emit_a32_mov_i(dst[0], 0, dstk, ctx);
268 + break;
269 +- case BPF_B:
270 +- /* Load a Byte */
271 +- emit(ARM_LDRB_I(rd, rm, 0), ctx);
272 ++ case BPF_W:
273 ++ /* Load a Word */
274 ++ emit(ARM_LDR_I(rd[1], rm, off), ctx);
275 ++ emit_a32_mov_i(dst[0], 0, dstk, ctx);
276 ++ break;
277 ++ case BPF_DW:
278 ++ /* Load a Double Word */
279 ++ emit(ARM_LDR_I(rd[1], rm, off), ctx);
280 ++ emit(ARM_LDR_I(rd[0], rm, off + 4), ctx);
281 + break;
282 + }
283 + if (dstk)
284 +- emit(ARM_STR_I(rd, ARM_SP, STACK_VAR(dst)), ctx);
285 ++ emit(ARM_STR_I(rd[1], ARM_SP, STACK_VAR(dst[1])), ctx);
286 ++ if (dstk && sz == BPF_DW)
287 ++ emit(ARM_STR_I(rd[0], ARM_SP, STACK_VAR(dst[0])), ctx);
288 + }
289 +
290 + /* Arithmatic Operation */
291 +@@ -906,7 +967,6 @@ static inline void emit_ar_r(const u8 rd, const u8 rt, const u8 rm,
292 + const u8 rn, struct jit_ctx *ctx, u8 op) {
293 + switch (op) {
294 + case BPF_JSET:
295 +- ctx->seen |= SEEN_CALL;
296 + emit(ARM_AND_R(ARM_IP, rt, rn), ctx);
297 + emit(ARM_AND_R(ARM_LR, rd, rm), ctx);
298 + emit(ARM_ORRS_R(ARM_IP, ARM_LR, ARM_IP), ctx);
299 +@@ -945,7 +1005,7 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
300 + const u8 *tcc = bpf2a32[TCALL_CNT];
301 + const int idx0 = ctx->idx;
302 + #define cur_offset (ctx->idx - idx0)
303 +-#define jmp_offset (out_offset - (cur_offset))
304 ++#define jmp_offset (out_offset - (cur_offset) - 2)
305 + u32 off, lo, hi;
306 +
307 + /* if (index >= array->map.max_entries)
308 +@@ -956,7 +1016,7 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
309 + emit_a32_mov_i(tmp[1], off, false, ctx);
310 + emit(ARM_LDR_I(tmp2[1], ARM_SP, STACK_VAR(r2[1])), ctx);
311 + emit(ARM_LDR_R(tmp[1], tmp2[1], tmp[1]), ctx);
312 +- /* index (64 bit) */
313 ++ /* index is 32-bit for arrays */
314 + emit(ARM_LDR_I(tmp2[1], ARM_SP, STACK_VAR(r3[1])), ctx);
315 + /* index >= array->map.max_entries */
316 + emit(ARM_CMP_R(tmp2[1], tmp[1]), ctx);
317 +@@ -997,7 +1057,7 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
318 + emit_a32_mov_i(tmp2[1], off, false, ctx);
319 + emit(ARM_LDR_R(tmp[1], tmp[1], tmp2[1]), ctx);
320 + emit(ARM_ADD_I(tmp[1], tmp[1], ctx->prologue_bytes), ctx);
321 +- emit(ARM_BX(tmp[1]), ctx);
322 ++ emit_bx_r(tmp[1], ctx);
323 +
324 + /* out: */
325 + if (out_offset == -1)
326 +@@ -1070,54 +1130,22 @@ static void build_prologue(struct jit_ctx *ctx)
327 + const u8 r2 = bpf2a32[BPF_REG_1][1];
328 + const u8 r3 = bpf2a32[BPF_REG_1][0];
329 + const u8 r4 = bpf2a32[BPF_REG_6][1];
330 +- const u8 r5 = bpf2a32[BPF_REG_6][0];
331 +- const u8 r6 = bpf2a32[TMP_REG_1][1];
332 +- const u8 r7 = bpf2a32[TMP_REG_1][0];
333 +- const u8 r8 = bpf2a32[TMP_REG_2][1];
334 +- const u8 r10 = bpf2a32[TMP_REG_2][0];
335 + const u8 fplo = bpf2a32[BPF_REG_FP][1];
336 + const u8 fphi = bpf2a32[BPF_REG_FP][0];
337 +- const u8 sp = ARM_SP;
338 + const u8 *tcc = bpf2a32[TCALL_CNT];
339 +
340 +- u16 reg_set = 0;
341 +-
342 +- /*
343 +- * eBPF prog stack layout
344 +- *
345 +- * high
346 +- * original ARM_SP => +-----+ eBPF prologue
347 +- * |FP/LR|
348 +- * current ARM_FP => +-----+
349 +- * | ... | callee saved registers
350 +- * eBPF fp register => +-----+ <= (BPF_FP)
351 +- * | ... | eBPF JIT scratch space
352 +- * | | eBPF prog stack
353 +- * +-----+
354 +- * |RSVD | JIT scratchpad
355 +- * current A64_SP => +-----+ <= (BPF_FP - STACK_SIZE)
356 +- * | |
357 +- * | ... | Function call stack
358 +- * | |
359 +- * +-----+
360 +- * low
361 +- */
362 +-
363 + /* Save callee saved registers. */
364 +- reg_set |= (1<<r4) | (1<<r5) | (1<<r6) | (1<<r7) | (1<<r8) | (1<<r10);
365 + #ifdef CONFIG_FRAME_POINTER
366 +- reg_set |= (1<<ARM_FP) | (1<<ARM_IP) | (1<<ARM_LR) | (1<<ARM_PC);
367 +- emit(ARM_MOV_R(ARM_IP, sp), ctx);
368 ++ u16 reg_set = CALLEE_PUSH_MASK | 1 << ARM_IP | 1 << ARM_PC;
369 ++ emit(ARM_MOV_R(ARM_IP, ARM_SP), ctx);
370 + emit(ARM_PUSH(reg_set), ctx);
371 + emit(ARM_SUB_I(ARM_FP, ARM_IP, 4), ctx);
372 + #else
373 +- /* Check if call instruction exists in BPF body */
374 +- if (ctx->seen & SEEN_CALL)
375 +- reg_set |= (1<<ARM_LR);
376 +- emit(ARM_PUSH(reg_set), ctx);
377 ++ emit(ARM_PUSH(CALLEE_PUSH_MASK), ctx);
378 ++ emit(ARM_MOV_R(ARM_FP, ARM_SP), ctx);
379 + #endif
380 + /* Save frame pointer for later */
381 +- emit(ARM_SUB_I(ARM_IP, sp, SCRATCH_SIZE), ctx);
382 ++ emit(ARM_SUB_I(ARM_IP, ARM_SP, SCRATCH_SIZE), ctx);
383 +
384 + ctx->stack_size = imm8m(STACK_SIZE);
385 +
386 +@@ -1140,33 +1168,19 @@ static void build_prologue(struct jit_ctx *ctx)
387 + /* end of prologue */
388 + }
389 +
390 ++/* restore callee saved registers. */
391 + static void build_epilogue(struct jit_ctx *ctx)
392 + {
393 +- const u8 r4 = bpf2a32[BPF_REG_6][1];
394 +- const u8 r5 = bpf2a32[BPF_REG_6][0];
395 +- const u8 r6 = bpf2a32[TMP_REG_1][1];
396 +- const u8 r7 = bpf2a32[TMP_REG_1][0];
397 +- const u8 r8 = bpf2a32[TMP_REG_2][1];
398 +- const u8 r10 = bpf2a32[TMP_REG_2][0];
399 +- u16 reg_set = 0;
400 +-
401 +- /* unwind function call stack */
402 +- emit(ARM_ADD_I(ARM_SP, ARM_SP, ctx->stack_size), ctx);
403 +-
404 +- /* restore callee saved registers. */
405 +- reg_set |= (1<<r4) | (1<<r5) | (1<<r6) | (1<<r7) | (1<<r8) | (1<<r10);
406 + #ifdef CONFIG_FRAME_POINTER
407 +- /* the first instruction of the prologue was: mov ip, sp */
408 +- reg_set |= (1<<ARM_FP) | (1<<ARM_SP) | (1<<ARM_PC);
409 ++ /* When using frame pointers, some additional registers need to
410 ++ * be loaded. */
411 ++ u16 reg_set = CALLEE_POP_MASK | 1 << ARM_SP;
412 ++ emit(ARM_SUB_I(ARM_SP, ARM_FP, hweight16(reg_set) * 4), ctx);
413 + emit(ARM_LDM(ARM_SP, reg_set), ctx);
414 + #else
415 +- if (ctx->seen & SEEN_CALL)
416 +- reg_set |= (1<<ARM_PC);
417 + /* Restore callee saved registers. */
418 +- emit(ARM_POP(reg_set), ctx);
419 +- /* Return back to the callee function */
420 +- if (!(ctx->seen & SEEN_CALL))
421 +- emit(ARM_BX(ARM_LR), ctx);
422 ++ emit(ARM_MOV_R(ARM_SP, ARM_FP), ctx);
423 ++ emit(ARM_POP(CALLEE_POP_MASK), ctx);
424 + #endif
425 + }
426 +
427 +@@ -1394,8 +1408,6 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
428 + emit_rev32(rt, rt, ctx);
429 + goto emit_bswap_uxt;
430 + case 64:
431 +- /* Because of the usage of ARM_LR */
432 +- ctx->seen |= SEEN_CALL;
433 + emit_rev32(ARM_LR, rt, ctx);
434 + emit_rev32(rt, rd, ctx);
435 + emit(ARM_MOV_R(rd, ARM_LR), ctx);
436 +@@ -1448,22 +1460,7 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
437 + rn = sstk ? tmp2[1] : src_lo;
438 + if (sstk)
439 + emit(ARM_LDR_I(rn, ARM_SP, STACK_VAR(src_lo)), ctx);
440 +- switch (BPF_SIZE(code)) {
441 +- case BPF_W:
442 +- /* Load a Word */
443 +- case BPF_H:
444 +- /* Load a Half-Word */
445 +- case BPF_B:
446 +- /* Load a Byte */
447 +- emit_ldx_r(dst_lo, rn, dstk, off, ctx, BPF_SIZE(code));
448 +- emit_a32_mov_i(dst_hi, 0, dstk, ctx);
449 +- break;
450 +- case BPF_DW:
451 +- /* Load a double word */
452 +- emit_ldx_r(dst_lo, rn, dstk, off, ctx, BPF_W);
453 +- emit_ldx_r(dst_hi, rn, dstk, off+4, ctx, BPF_W);
454 +- break;
455 +- }
456 ++ emit_ldx_r(dst, rn, dstk, off, ctx, BPF_SIZE(code));
457 + break;
458 + /* R0 = ntohx(*(size *)(((struct sk_buff *)R6)->data + imm)) */
459 + case BPF_LD | BPF_ABS | BPF_W:
460 +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
461 +index ba38d403abb2..bb32f7f6dd0f 100644
462 +--- a/arch/arm64/net/bpf_jit_comp.c
463 ++++ b/arch/arm64/net/bpf_jit_comp.c
464 +@@ -148,7 +148,8 @@ static inline int epilogue_offset(const struct jit_ctx *ctx)
465 + /* Stack must be multiples of 16B */
466 + #define STACK_ALIGN(sz) (((sz) + 15) & ~15)
467 +
468 +-#define PROLOGUE_OFFSET 8
469 ++/* Tail call offset to jump into */
470 ++#define PROLOGUE_OFFSET 7
471 +
472 + static int build_prologue(struct jit_ctx *ctx)
473 + {
474 +@@ -200,19 +201,19 @@ static int build_prologue(struct jit_ctx *ctx)
475 + /* Initialize tail_call_cnt */
476 + emit(A64_MOVZ(1, tcc, 0, 0), ctx);
477 +
478 +- /* 4 byte extra for skb_copy_bits buffer */
479 +- ctx->stack_size = prog->aux->stack_depth + 4;
480 +- ctx->stack_size = STACK_ALIGN(ctx->stack_size);
481 +-
482 +- /* Set up function call stack */
483 +- emit(A64_SUB_I(1, A64_SP, A64_SP, ctx->stack_size), ctx);
484 +-
485 + cur_offset = ctx->idx - idx0;
486 + if (cur_offset != PROLOGUE_OFFSET) {
487 + pr_err_once("PROLOGUE_OFFSET = %d, expected %d!\n",
488 + cur_offset, PROLOGUE_OFFSET);
489 + return -1;
490 + }
491 ++
492 ++ /* 4 byte extra for skb_copy_bits buffer */
493 ++ ctx->stack_size = prog->aux->stack_depth + 4;
494 ++ ctx->stack_size = STACK_ALIGN(ctx->stack_size);
495 ++
496 ++ /* Set up function call stack */
497 ++ emit(A64_SUB_I(1, A64_SP, A64_SP, ctx->stack_size), ctx);
498 + return 0;
499 + }
500 +
501 +@@ -260,11 +261,12 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
502 + emit(A64_LDR64(prg, tmp, prg), ctx);
503 + emit(A64_CBZ(1, prg, jmp_offset), ctx);
504 +
505 +- /* goto *(prog->bpf_func + prologue_size); */
506 ++ /* goto *(prog->bpf_func + prologue_offset); */
507 + off = offsetof(struct bpf_prog, bpf_func);
508 + emit_a64_mov_i64(tmp, off, ctx);
509 + emit(A64_LDR64(tmp, prg, tmp), ctx);
510 + emit(A64_ADD_I(1, tmp, tmp, sizeof(u32) * PROLOGUE_OFFSET), ctx);
511 ++ emit(A64_ADD_I(1, A64_SP, A64_SP, ctx->stack_size), ctx);
512 + emit(A64_BR(tmp), ctx);
513 +
514 + /* out: */
515 +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
516 +index b87a930c2201..6c88cb18ace2 100644
517 +--- a/arch/s390/kvm/kvm-s390.c
518 ++++ b/arch/s390/kvm/kvm-s390.c
519 +@@ -768,7 +768,7 @@ static void kvm_s390_sync_request_broadcast(struct kvm *kvm, int req)
520 +
521 + /*
522 + * Must be called with kvm->srcu held to avoid races on memslots, and with
523 +- * kvm->lock to avoid races with ourselves and kvm_s390_vm_stop_migration.
524 ++ * kvm->slots_lock to avoid races with ourselves and kvm_s390_vm_stop_migration.
525 + */
526 + static int kvm_s390_vm_start_migration(struct kvm *kvm)
527 + {
528 +@@ -824,7 +824,7 @@ static int kvm_s390_vm_start_migration(struct kvm *kvm)
529 + }
530 +
531 + /*
532 +- * Must be called with kvm->lock to avoid races with ourselves and
533 ++ * Must be called with kvm->slots_lock to avoid races with ourselves and
534 + * kvm_s390_vm_start_migration.
535 + */
536 + static int kvm_s390_vm_stop_migration(struct kvm *kvm)
537 +@@ -839,6 +839,8 @@ static int kvm_s390_vm_stop_migration(struct kvm *kvm)
538 +
539 + if (kvm->arch.use_cmma) {
540 + kvm_s390_sync_request_broadcast(kvm, KVM_REQ_STOP_MIGRATION);
541 ++ /* We have to wait for the essa emulation to finish */
542 ++ synchronize_srcu(&kvm->srcu);
543 + vfree(mgs->pgste_bitmap);
544 + }
545 + kfree(mgs);
546 +@@ -848,14 +850,12 @@ static int kvm_s390_vm_stop_migration(struct kvm *kvm)
547 + static int kvm_s390_vm_set_migration(struct kvm *kvm,
548 + struct kvm_device_attr *attr)
549 + {
550 +- int idx, res = -ENXIO;
551 ++ int res = -ENXIO;
552 +
553 +- mutex_lock(&kvm->lock);
554 ++ mutex_lock(&kvm->slots_lock);
555 + switch (attr->attr) {
556 + case KVM_S390_VM_MIGRATION_START:
557 +- idx = srcu_read_lock(&kvm->srcu);
558 + res = kvm_s390_vm_start_migration(kvm);
559 +- srcu_read_unlock(&kvm->srcu, idx);
560 + break;
561 + case KVM_S390_VM_MIGRATION_STOP:
562 + res = kvm_s390_vm_stop_migration(kvm);
563 +@@ -863,7 +863,7 @@ static int kvm_s390_vm_set_migration(struct kvm *kvm,
564 + default:
565 + break;
566 + }
567 +- mutex_unlock(&kvm->lock);
568 ++ mutex_unlock(&kvm->slots_lock);
569 +
570 + return res;
571 + }
572 +@@ -1753,7 +1753,9 @@ long kvm_arch_vm_ioctl(struct file *filp,
573 + r = -EFAULT;
574 + if (copy_from_user(&args, argp, sizeof(args)))
575 + break;
576 ++ mutex_lock(&kvm->slots_lock);
577 + r = kvm_s390_get_cmma_bits(kvm, &args);
578 ++ mutex_unlock(&kvm->slots_lock);
579 + if (!r) {
580 + r = copy_to_user(argp, &args, sizeof(args));
581 + if (r)
582 +@@ -1767,7 +1769,9 @@ long kvm_arch_vm_ioctl(struct file *filp,
583 + r = -EFAULT;
584 + if (copy_from_user(&args, argp, sizeof(args)))
585 + break;
586 ++ mutex_lock(&kvm->slots_lock);
587 + r = kvm_s390_set_cmma_bits(kvm, &args);
588 ++ mutex_unlock(&kvm->slots_lock);
589 + break;
590 + }
591 + default:
592 +diff --git a/arch/x86/events/amd/power.c b/arch/x86/events/amd/power.c
593 +index a6eee5ac4f58..2aefacf5c5b2 100644
594 +--- a/arch/x86/events/amd/power.c
595 ++++ b/arch/x86/events/amd/power.c
596 +@@ -277,7 +277,7 @@ static int __init amd_power_pmu_init(void)
597 + int ret;
598 +
599 + if (!x86_match_cpu(cpu_match))
600 +- return 0;
601 ++ return -ENODEV;
602 +
603 + if (!boot_cpu_has(X86_FEATURE_ACC_POWER))
604 + return -ENODEV;
605 +diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
606 +index c4fa4a85d4cb..e4fc595cd6ea 100644
607 +--- a/arch/x86/kernel/cpu/microcode/core.c
608 ++++ b/arch/x86/kernel/cpu/microcode/core.c
609 +@@ -239,7 +239,7 @@ static int __init save_microcode_in_initrd(void)
610 + break;
611 + case X86_VENDOR_AMD:
612 + if (c->x86 >= 0x10)
613 +- return save_microcode_in_initrd_amd(cpuid_eax(1));
614 ++ ret = save_microcode_in_initrd_amd(cpuid_eax(1));
615 + break;
616 + default:
617 + break;
618 +diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
619 +index d9e460fc7a3b..f7c55b0e753a 100644
620 +--- a/arch/x86/kernel/cpu/microcode/intel.c
621 ++++ b/arch/x86/kernel/cpu/microcode/intel.c
622 +@@ -45,6 +45,9 @@ static const char ucode_path[] = "kernel/x86/microcode/GenuineIntel.bin";
623 + /* Current microcode patch used in early patching on the APs. */
624 + static struct microcode_intel *intel_ucode_patch;
625 +
626 ++/* last level cache size per core */
627 ++static int llc_size_per_core;
628 ++
629 + static inline bool cpu_signatures_match(unsigned int s1, unsigned int p1,
630 + unsigned int s2, unsigned int p2)
631 + {
632 +@@ -912,12 +915,14 @@ static bool is_blacklisted(unsigned int cpu)
633 +
634 + /*
635 + * Late loading on model 79 with microcode revision less than 0x0b000021
636 +- * may result in a system hang. This behavior is documented in item
637 +- * BDF90, #334165 (Intel Xeon Processor E7-8800/4800 v4 Product Family).
638 ++ * and LLC size per core bigger than 2.5MB may result in a system hang.
639 ++ * This behavior is documented in item BDF90, #334165 (Intel Xeon
640 ++ * Processor E7-8800/4800 v4 Product Family).
641 + */
642 + if (c->x86 == 6 &&
643 + c->x86_model == INTEL_FAM6_BROADWELL_X &&
644 + c->x86_mask == 0x01 &&
645 ++ llc_size_per_core > 2621440 &&
646 + c->microcode < 0x0b000021) {
647 + pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode);
648 + pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
649 +@@ -975,6 +980,15 @@ static struct microcode_ops microcode_intel_ops = {
650 + .apply_microcode = apply_microcode_intel,
651 + };
652 +
653 ++static int __init calc_llc_size_per_core(struct cpuinfo_x86 *c)
654 ++{
655 ++ u64 llc_size = c->x86_cache_size * 1024;
656 ++
657 ++ do_div(llc_size, c->x86_max_cores);
658 ++
659 ++ return (int)llc_size;
660 ++}
661 ++
662 + struct microcode_ops * __init init_intel_microcode(void)
663 + {
664 + struct cpuinfo_x86 *c = &boot_cpu_data;
665 +@@ -985,5 +999,7 @@ struct microcode_ops * __init init_intel_microcode(void)
666 + return NULL;
667 + }
668 +
669 ++ llc_size_per_core = calc_llc_size_per_core(c);
670 ++
671 + return &microcode_intel_ops;
672 + }
673 +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
674 +index a1561957dccb..5bfe61a5e8e3 100644
675 +--- a/arch/x86/mm/tlb.c
676 ++++ b/arch/x86/mm/tlb.c
677 +@@ -151,6 +151,34 @@ void switch_mm(struct mm_struct *prev, struct mm_struct *next,
678 + local_irq_restore(flags);
679 + }
680 +
681 ++static void sync_current_stack_to_mm(struct mm_struct *mm)
682 ++{
683 ++ unsigned long sp = current_stack_pointer;
684 ++ pgd_t *pgd = pgd_offset(mm, sp);
685 ++
686 ++ if (CONFIG_PGTABLE_LEVELS > 4) {
687 ++ if (unlikely(pgd_none(*pgd))) {
688 ++ pgd_t *pgd_ref = pgd_offset_k(sp);
689 ++
690 ++ set_pgd(pgd, *pgd_ref);
691 ++ }
692 ++ } else {
693 ++ /*
694 ++ * "pgd" is faked. The top level entries are "p4d"s, so sync
695 ++ * the p4d. This compiles to approximately the same code as
696 ++ * the 5-level case.
697 ++ */
698 ++ p4d_t *p4d = p4d_offset(pgd, sp);
699 ++
700 ++ if (unlikely(p4d_none(*p4d))) {
701 ++ pgd_t *pgd_ref = pgd_offset_k(sp);
702 ++ p4d_t *p4d_ref = p4d_offset(pgd_ref, sp);
703 ++
704 ++ set_p4d(p4d, *p4d_ref);
705 ++ }
706 ++ }
707 ++}
708 ++
709 + void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
710 + struct task_struct *tsk)
711 + {
712 +@@ -226,11 +254,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
713 + * mapped in the new pgd, we'll double-fault. Forcibly
714 + * map it.
715 + */
716 +- unsigned int index = pgd_index(current_stack_pointer);
717 +- pgd_t *pgd = next->pgd + index;
718 +-
719 +- if (unlikely(pgd_none(*pgd)))
720 +- set_pgd(pgd, init_mm.pgd[index]);
721 ++ sync_current_stack_to_mm(next);
722 + }
723 +
724 + /* Stop remote flushes for the previous mm */
725 +diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
726 +index 58d4f4e1ad6a..ca38229b045a 100644
727 +--- a/drivers/cpufreq/cpufreq_governor.c
728 ++++ b/drivers/cpufreq/cpufreq_governor.c
729 +@@ -22,6 +22,8 @@
730 +
731 + #include "cpufreq_governor.h"
732 +
733 ++#define CPUFREQ_DBS_MIN_SAMPLING_INTERVAL (2 * TICK_NSEC / NSEC_PER_USEC)
734 ++
735 + static DEFINE_PER_CPU(struct cpu_dbs_info, cpu_dbs);
736 +
737 + static DEFINE_MUTEX(gov_dbs_data_mutex);
738 +@@ -47,11 +49,15 @@ ssize_t store_sampling_rate(struct gov_attr_set *attr_set, const char *buf,
739 + {
740 + struct dbs_data *dbs_data = to_dbs_data(attr_set);
741 + struct policy_dbs_info *policy_dbs;
742 ++ unsigned int sampling_interval;
743 + int ret;
744 +- ret = sscanf(buf, "%u", &dbs_data->sampling_rate);
745 +- if (ret != 1)
746 ++
747 ++ ret = sscanf(buf, "%u", &sampling_interval);
748 ++ if (ret != 1 || sampling_interval < CPUFREQ_DBS_MIN_SAMPLING_INTERVAL)
749 + return -EINVAL;
750 +
751 ++ dbs_data->sampling_rate = sampling_interval;
752 ++
753 + /*
754 + * We are operating under dbs_data->mutex and so the list and its
755 + * entries can't be freed concurrently.
756 +@@ -430,7 +436,14 @@ int cpufreq_dbs_governor_init(struct cpufreq_policy *policy)
757 + if (ret)
758 + goto free_policy_dbs_info;
759 +
760 +- dbs_data->sampling_rate = cpufreq_policy_transition_delay_us(policy);
761 ++ /*
762 ++ * The sampling interval should not be less than the transition latency
763 ++ * of the CPU and it also cannot be too small for dbs_update() to work
764 ++ * correctly.
765 ++ */
766 ++ dbs_data->sampling_rate = max_t(unsigned int,
767 ++ CPUFREQ_DBS_MIN_SAMPLING_INTERVAL,
768 ++ cpufreq_policy_transition_delay_us(policy));
769 +
770 + if (!have_governor_per_policy())
771 + gov->gdbs_data = dbs_data;
772 +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c
773 +index d0c6bfb68c4e..c50debb1986f 100644
774 +--- a/drivers/gpu/drm/vc4/vc4_gem.c
775 ++++ b/drivers/gpu/drm/vc4/vc4_gem.c
776 +@@ -146,7 +146,7 @@ vc4_save_hang_state(struct drm_device *dev)
777 + struct vc4_exec_info *exec[2];
778 + struct vc4_bo *bo;
779 + unsigned long irqflags;
780 +- unsigned int i, j, unref_list_count, prev_idx;
781 ++ unsigned int i, j, k, unref_list_count;
782 +
783 + kernel_state = kcalloc(1, sizeof(*kernel_state), GFP_KERNEL);
784 + if (!kernel_state)
785 +@@ -182,24 +182,24 @@ vc4_save_hang_state(struct drm_device *dev)
786 + return;
787 + }
788 +
789 +- prev_idx = 0;
790 ++ k = 0;
791 + for (i = 0; i < 2; i++) {
792 + if (!exec[i])
793 + continue;
794 +
795 + for (j = 0; j < exec[i]->bo_count; j++) {
796 + drm_gem_object_get(&exec[i]->bo[j]->base);
797 +- kernel_state->bo[j + prev_idx] = &exec[i]->bo[j]->base;
798 ++ kernel_state->bo[k++] = &exec[i]->bo[j]->base;
799 + }
800 +
801 + list_for_each_entry(bo, &exec[i]->unref_list, unref_head) {
802 + drm_gem_object_get(&bo->base.base);
803 +- kernel_state->bo[j + prev_idx] = &bo->base.base;
804 +- j++;
805 ++ kernel_state->bo[k++] = &bo->base.base;
806 + }
807 +- prev_idx = j + 1;
808 + }
809 +
810 ++ WARN_ON_ONCE(k != state->bo_count);
811 ++
812 + if (exec[0])
813 + state->start_bin = exec[0]->ct0ca;
814 + if (exec[1])
815 +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
816 +index 30d479f87cb8..fb5302ee57c7 100644
817 +--- a/drivers/infiniband/hw/mlx5/main.c
818 ++++ b/drivers/infiniband/hw/mlx5/main.c
819 +@@ -1276,7 +1276,8 @@ static int mlx5_ib_alloc_transport_domain(struct mlx5_ib_dev *dev, u32 *tdn)
820 + return err;
821 +
822 + if ((MLX5_CAP_GEN(dev->mdev, port_type) != MLX5_CAP_PORT_TYPE_ETH) ||
823 +- !MLX5_CAP_GEN(dev->mdev, disable_local_lb))
824 ++ (!MLX5_CAP_GEN(dev->mdev, disable_local_lb_uc) &&
825 ++ !MLX5_CAP_GEN(dev->mdev, disable_local_lb_mc)))
826 + return err;
827 +
828 + mutex_lock(&dev->lb_mutex);
829 +@@ -1294,7 +1295,8 @@ static void mlx5_ib_dealloc_transport_domain(struct mlx5_ib_dev *dev, u32 tdn)
830 + mlx5_core_dealloc_transport_domain(dev->mdev, tdn);
831 +
832 + if ((MLX5_CAP_GEN(dev->mdev, port_type) != MLX5_CAP_PORT_TYPE_ETH) ||
833 +- !MLX5_CAP_GEN(dev->mdev, disable_local_lb))
834 ++ (!MLX5_CAP_GEN(dev->mdev, disable_local_lb_uc) &&
835 ++ !MLX5_CAP_GEN(dev->mdev, disable_local_lb_mc)))
836 + return;
837 +
838 + mutex_lock(&dev->lb_mutex);
839 +@@ -4161,7 +4163,8 @@ static void *mlx5_ib_add(struct mlx5_core_dev *mdev)
840 + }
841 +
842 + if ((MLX5_CAP_GEN(mdev, port_type) == MLX5_CAP_PORT_TYPE_ETH) &&
843 +- MLX5_CAP_GEN(mdev, disable_local_lb))
844 ++ (MLX5_CAP_GEN(mdev, disable_local_lb_uc) ||
845 ++ MLX5_CAP_GEN(mdev, disable_local_lb_mc)))
846 + mutex_init(&dev->lb_mutex);
847 +
848 + dev->ib_active = true;
849 +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
850 +index d86e59515b9c..d88d3e0f59fb 100644
851 +--- a/drivers/input/joystick/xpad.c
852 ++++ b/drivers/input/joystick/xpad.c
853 +@@ -229,6 +229,7 @@ static const struct xpad_device {
854 + { 0x0e6f, 0x0213, "Afterglow Gamepad for Xbox 360", 0, XTYPE_XBOX360 },
855 + { 0x0e6f, 0x021f, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 },
856 + { 0x0e6f, 0x0246, "Rock Candy Gamepad for Xbox One 2015", 0, XTYPE_XBOXONE },
857 ++ { 0x0e6f, 0x02ab, "PDP Controller for Xbox One", 0, XTYPE_XBOXONE },
858 + { 0x0e6f, 0x0301, "Logic3 Controller", 0, XTYPE_XBOX360 },
859 + { 0x0e6f, 0x0346, "Rock Candy Gamepad for Xbox One 2016", 0, XTYPE_XBOXONE },
860 + { 0x0e6f, 0x0401, "Logic3 Controller", 0, XTYPE_XBOX360 },
861 +@@ -475,6 +476,22 @@ static const u8 xboxone_hori_init[] = {
862 + 0x00, 0x00, 0x00, 0x80, 0x00
863 + };
864 +
865 ++/*
866 ++ * This packet is required for some of the PDP pads to start
867 ++ * sending input reports. One of those pads is (0x0e6f:0x02ab).
868 ++ */
869 ++static const u8 xboxone_pdp_init1[] = {
870 ++ 0x0a, 0x20, 0x00, 0x03, 0x00, 0x01, 0x14
871 ++};
872 ++
873 ++/*
874 ++ * This packet is required for some of the PDP pads to start
875 ++ * sending input reports. One of those pads is (0x0e6f:0x02ab).
876 ++ */
877 ++static const u8 xboxone_pdp_init2[] = {
878 ++ 0x06, 0x20, 0x00, 0x02, 0x01, 0x00
879 ++};
880 ++
881 + /*
882 + * A specific rumble packet is required for some PowerA pads to start
883 + * sending input reports. One of those pads is (0x24c6:0x543a).
884 +@@ -505,6 +522,8 @@ static const struct xboxone_init_packet xboxone_init_packets[] = {
885 + XBOXONE_INIT_PKT(0x0e6f, 0x0165, xboxone_hori_init),
886 + XBOXONE_INIT_PKT(0x0f0d, 0x0067, xboxone_hori_init),
887 + XBOXONE_INIT_PKT(0x0000, 0x0000, xboxone_fw2015_init),
888 ++ XBOXONE_INIT_PKT(0x0e6f, 0x02ab, xboxone_pdp_init1),
889 ++ XBOXONE_INIT_PKT(0x0e6f, 0x02ab, xboxone_pdp_init2),
890 + XBOXONE_INIT_PKT(0x24c6, 0x541a, xboxone_rumblebegin_init),
891 + XBOXONE_INIT_PKT(0x24c6, 0x542a, xboxone_rumblebegin_init),
892 + XBOXONE_INIT_PKT(0x24c6, 0x543a, xboxone_rumblebegin_init),
893 +diff --git a/drivers/input/mouse/trackpoint.c b/drivers/input/mouse/trackpoint.c
894 +index 0871010f18d5..bbd29220dbe9 100644
895 +--- a/drivers/input/mouse/trackpoint.c
896 ++++ b/drivers/input/mouse/trackpoint.c
897 +@@ -19,6 +19,13 @@
898 + #include "psmouse.h"
899 + #include "trackpoint.h"
900 +
901 ++static const char * const trackpoint_variants[] = {
902 ++ [TP_VARIANT_IBM] = "IBM",
903 ++ [TP_VARIANT_ALPS] = "ALPS",
904 ++ [TP_VARIANT_ELAN] = "Elan",
905 ++ [TP_VARIANT_NXP] = "NXP",
906 ++};
907 ++
908 + /*
909 + * Power-on Reset: Resets all trackpoint parameters, including RAM values,
910 + * to defaults.
911 +@@ -26,7 +33,7 @@
912 + */
913 + static int trackpoint_power_on_reset(struct ps2dev *ps2dev)
914 + {
915 +- unsigned char results[2];
916 ++ u8 results[2];
917 + int tries = 0;
918 +
919 + /* Issue POR command, and repeat up to once if 0xFC00 received */
920 +@@ -38,7 +45,7 @@ static int trackpoint_power_on_reset(struct ps2dev *ps2dev)
921 +
922 + /* Check for success response -- 0xAA00 */
923 + if (results[0] != 0xAA || results[1] != 0x00)
924 +- return -1;
925 ++ return -ENODEV;
926 +
927 + return 0;
928 + }
929 +@@ -46,8 +53,7 @@ static int trackpoint_power_on_reset(struct ps2dev *ps2dev)
930 + /*
931 + * Device IO: read, write and toggle bit
932 + */
933 +-static int trackpoint_read(struct ps2dev *ps2dev,
934 +- unsigned char loc, unsigned char *results)
935 ++static int trackpoint_read(struct ps2dev *ps2dev, u8 loc, u8 *results)
936 + {
937 + if (ps2_command(ps2dev, NULL, MAKE_PS2_CMD(0, 0, TP_COMMAND)) ||
938 + ps2_command(ps2dev, results, MAKE_PS2_CMD(0, 1, loc))) {
939 +@@ -57,8 +63,7 @@ static int trackpoint_read(struct ps2dev *ps2dev,
940 + return 0;
941 + }
942 +
943 +-static int trackpoint_write(struct ps2dev *ps2dev,
944 +- unsigned char loc, unsigned char val)
945 ++static int trackpoint_write(struct ps2dev *ps2dev, u8 loc, u8 val)
946 + {
947 + if (ps2_command(ps2dev, NULL, MAKE_PS2_CMD(0, 0, TP_COMMAND)) ||
948 + ps2_command(ps2dev, NULL, MAKE_PS2_CMD(0, 0, TP_WRITE_MEM)) ||
949 +@@ -70,8 +75,7 @@ static int trackpoint_write(struct ps2dev *ps2dev,
950 + return 0;
951 + }
952 +
953 +-static int trackpoint_toggle_bit(struct ps2dev *ps2dev,
954 +- unsigned char loc, unsigned char mask)
955 ++static int trackpoint_toggle_bit(struct ps2dev *ps2dev, u8 loc, u8 mask)
956 + {
957 + /* Bad things will happen if the loc param isn't in this range */
958 + if (loc < 0x20 || loc >= 0x2F)
959 +@@ -87,11 +91,11 @@ static int trackpoint_toggle_bit(struct ps2dev *ps2dev,
960 + return 0;
961 + }
962 +
963 +-static int trackpoint_update_bit(struct ps2dev *ps2dev, unsigned char loc,
964 +- unsigned char mask, unsigned char value)
965 ++static int trackpoint_update_bit(struct ps2dev *ps2dev,
966 ++ u8 loc, u8 mask, u8 value)
967 + {
968 + int retval = 0;
969 +- unsigned char data;
970 ++ u8 data;
971 +
972 + trackpoint_read(ps2dev, loc, &data);
973 + if (((data & mask) == mask) != !!value)
974 +@@ -105,17 +109,18 @@ static int trackpoint_update_bit(struct ps2dev *ps2dev, unsigned char loc,
975 + */
976 + struct trackpoint_attr_data {
977 + size_t field_offset;
978 +- unsigned char command;
979 +- unsigned char mask;
980 +- unsigned char inverted;
981 +- unsigned char power_on_default;
982 ++ u8 command;
983 ++ u8 mask;
984 ++ bool inverted;
985 ++ u8 power_on_default;
986 + };
987 +
988 +-static ssize_t trackpoint_show_int_attr(struct psmouse *psmouse, void *data, char *buf)
989 ++static ssize_t trackpoint_show_int_attr(struct psmouse *psmouse,
990 ++ void *data, char *buf)
991 + {
992 + struct trackpoint_data *tp = psmouse->private;
993 + struct trackpoint_attr_data *attr = data;
994 +- unsigned char value = *(unsigned char *)((char *)tp + attr->field_offset);
995 ++ u8 value = *(u8 *)((void *)tp + attr->field_offset);
996 +
997 + if (attr->inverted)
998 + value = !value;
999 +@@ -128,8 +133,8 @@ static ssize_t trackpoint_set_int_attr(struct psmouse *psmouse, void *data,
1000 + {
1001 + struct trackpoint_data *tp = psmouse->private;
1002 + struct trackpoint_attr_data *attr = data;
1003 +- unsigned char *field = (unsigned char *)((char *)tp + attr->field_offset);
1004 +- unsigned char value;
1005 ++ u8 *field = (void *)tp + attr->field_offset;
1006 ++ u8 value;
1007 + int err;
1008 +
1009 + err = kstrtou8(buf, 10, &value);
1010 +@@ -157,17 +162,14 @@ static ssize_t trackpoint_set_bit_attr(struct psmouse *psmouse, void *data,
1011 + {
1012 + struct trackpoint_data *tp = psmouse->private;
1013 + struct trackpoint_attr_data *attr = data;
1014 +- unsigned char *field = (unsigned char *)((char *)tp + attr->field_offset);
1015 +- unsigned int value;
1016 ++ bool *field = (void *)tp + attr->field_offset;
1017 ++ bool value;
1018 + int err;
1019 +
1020 +- err = kstrtouint(buf, 10, &value);
1021 ++ err = kstrtobool(buf, &value);
1022 + if (err)
1023 + return err;
1024 +
1025 +- if (value > 1)
1026 +- return -EINVAL;
1027 +-
1028 + if (attr->inverted)
1029 + value = !value;
1030 +
1031 +@@ -193,30 +195,6 @@ PSMOUSE_DEFINE_ATTR(_name, S_IWUSR | S_IRUGO, \
1032 + &trackpoint_attr_##_name, \
1033 + trackpoint_show_int_attr, trackpoint_set_bit_attr)
1034 +
1035 +-#define TRACKPOINT_UPDATE_BIT(_psmouse, _tp, _name) \
1036 +-do { \
1037 +- struct trackpoint_attr_data *_attr = &trackpoint_attr_##_name; \
1038 +- \
1039 +- trackpoint_update_bit(&_psmouse->ps2dev, \
1040 +- _attr->command, _attr->mask, _tp->_name); \
1041 +-} while (0)
1042 +-
1043 +-#define TRACKPOINT_UPDATE(_power_on, _psmouse, _tp, _name) \
1044 +-do { \
1045 +- if (!_power_on || \
1046 +- _tp->_name != trackpoint_attr_##_name.power_on_default) { \
1047 +- if (!trackpoint_attr_##_name.mask) \
1048 +- trackpoint_write(&_psmouse->ps2dev, \
1049 +- trackpoint_attr_##_name.command, \
1050 +- _tp->_name); \
1051 +- else \
1052 +- TRACKPOINT_UPDATE_BIT(_psmouse, _tp, _name); \
1053 +- } \
1054 +-} while (0)
1055 +-
1056 +-#define TRACKPOINT_SET_POWER_ON_DEFAULT(_tp, _name) \
1057 +- (_tp->_name = trackpoint_attr_##_name.power_on_default)
1058 +-
1059 + TRACKPOINT_INT_ATTR(sensitivity, TP_SENS, TP_DEF_SENS);
1060 + TRACKPOINT_INT_ATTR(speed, TP_SPEED, TP_DEF_SPEED);
1061 + TRACKPOINT_INT_ATTR(inertia, TP_INERTIA, TP_DEF_INERTIA);
1062 +@@ -229,13 +207,33 @@ TRACKPOINT_INT_ATTR(ztime, TP_Z_TIME, TP_DEF_Z_TIME);
1063 + TRACKPOINT_INT_ATTR(jenks, TP_JENKS_CURV, TP_DEF_JENKS_CURV);
1064 + TRACKPOINT_INT_ATTR(drift_time, TP_DRIFT_TIME, TP_DEF_DRIFT_TIME);
1065 +
1066 +-TRACKPOINT_BIT_ATTR(press_to_select, TP_TOGGLE_PTSON, TP_MASK_PTSON, 0,
1067 ++TRACKPOINT_BIT_ATTR(press_to_select, TP_TOGGLE_PTSON, TP_MASK_PTSON, false,
1068 + TP_DEF_PTSON);
1069 +-TRACKPOINT_BIT_ATTR(skipback, TP_TOGGLE_SKIPBACK, TP_MASK_SKIPBACK, 0,
1070 ++TRACKPOINT_BIT_ATTR(skipback, TP_TOGGLE_SKIPBACK, TP_MASK_SKIPBACK, false,
1071 + TP_DEF_SKIPBACK);
1072 +-TRACKPOINT_BIT_ATTR(ext_dev, TP_TOGGLE_EXT_DEV, TP_MASK_EXT_DEV, 1,
1073 ++TRACKPOINT_BIT_ATTR(ext_dev, TP_TOGGLE_EXT_DEV, TP_MASK_EXT_DEV, true,
1074 + TP_DEF_EXT_DEV);
1075 +
1076 ++static bool trackpoint_is_attr_available(struct psmouse *psmouse,
1077 ++ struct attribute *attr)
1078 ++{
1079 ++ struct trackpoint_data *tp = psmouse->private;
1080 ++
1081 ++ return tp->variant_id == TP_VARIANT_IBM ||
1082 ++ attr == &psmouse_attr_sensitivity.dattr.attr ||
1083 ++ attr == &psmouse_attr_press_to_select.dattr.attr;
1084 ++}
1085 ++
1086 ++static umode_t trackpoint_is_attr_visible(struct kobject *kobj,
1087 ++ struct attribute *attr, int n)
1088 ++{
1089 ++ struct device *dev = container_of(kobj, struct device, kobj);
1090 ++ struct serio *serio = to_serio_port(dev);
1091 ++ struct psmouse *psmouse = serio_get_drvdata(serio);
1092 ++
1093 ++ return trackpoint_is_attr_available(psmouse, attr) ? attr->mode : 0;
1094 ++}
1095 ++
1096 + static struct attribute *trackpoint_attrs[] = {
1097 + &psmouse_attr_sensitivity.dattr.attr,
1098 + &psmouse_attr_speed.dattr.attr,
1099 +@@ -255,24 +253,56 @@ static struct attribute *trackpoint_attrs[] = {
1100 + };
1101 +
1102 + static struct attribute_group trackpoint_attr_group = {
1103 +- .attrs = trackpoint_attrs,
1104 ++ .is_visible = trackpoint_is_attr_visible,
1105 ++ .attrs = trackpoint_attrs,
1106 + };
1107 +
1108 +-static int trackpoint_start_protocol(struct psmouse *psmouse, unsigned char *firmware_id)
1109 +-{
1110 +- unsigned char param[2] = { 0 };
1111 ++#define TRACKPOINT_UPDATE(_power_on, _psmouse, _tp, _name) \
1112 ++do { \
1113 ++ struct trackpoint_attr_data *_attr = &trackpoint_attr_##_name; \
1114 ++ \
1115 ++ if ((!_power_on || _tp->_name != _attr->power_on_default) && \
1116 ++ trackpoint_is_attr_available(_psmouse, \
1117 ++ &psmouse_attr_##_name.dattr.attr)) { \
1118 ++ if (!_attr->mask) \
1119 ++ trackpoint_write(&_psmouse->ps2dev, \
1120 ++ _attr->command, _tp->_name); \
1121 ++ else \
1122 ++ trackpoint_update_bit(&_psmouse->ps2dev, \
1123 ++ _attr->command, _attr->mask, \
1124 ++ _tp->_name); \
1125 ++ } \
1126 ++} while (0)
1127 +
1128 +- if (ps2_command(&psmouse->ps2dev, param, MAKE_PS2_CMD(0, 2, TP_READ_ID)))
1129 +- return -1;
1130 ++#define TRACKPOINT_SET_POWER_ON_DEFAULT(_tp, _name) \
1131 ++do { \
1132 ++ _tp->_name = trackpoint_attr_##_name.power_on_default; \
1133 ++} while (0)
1134 +
1135 +- /* add new TP ID. */
1136 +- if (!(param[0] & TP_MAGIC_IDENT))
1137 +- return -1;
1138 ++static int trackpoint_start_protocol(struct psmouse *psmouse,
1139 ++ u8 *variant_id, u8 *firmware_id)
1140 ++{
1141 ++ u8 param[2] = { 0 };
1142 ++ int error;
1143 +
1144 +- if (firmware_id)
1145 +- *firmware_id = param[1];
1146 ++ error = ps2_command(&psmouse->ps2dev,
1147 ++ param, MAKE_PS2_CMD(0, 2, TP_READ_ID));
1148 ++ if (error)
1149 ++ return error;
1150 ++
1151 ++ switch (param[0]) {
1152 ++ case TP_VARIANT_IBM:
1153 ++ case TP_VARIANT_ALPS:
1154 ++ case TP_VARIANT_ELAN:
1155 ++ case TP_VARIANT_NXP:
1156 ++ if (variant_id)
1157 ++ *variant_id = param[0];
1158 ++ if (firmware_id)
1159 ++ *firmware_id = param[1];
1160 ++ return 0;
1161 ++ }
1162 +
1163 +- return 0;
1164 ++ return -ENODEV;
1165 + }
1166 +
1167 + /*
1168 +@@ -285,7 +315,7 @@ static int trackpoint_sync(struct psmouse *psmouse, bool in_power_on_state)
1169 + {
1170 + struct trackpoint_data *tp = psmouse->private;
1171 +
1172 +- if (!in_power_on_state) {
1173 ++ if (!in_power_on_state && tp->variant_id == TP_VARIANT_IBM) {
1174 + /*
1175 + * Disable features that may make device unusable
1176 + * with this driver.
1177 +@@ -347,7 +377,8 @@ static void trackpoint_defaults(struct trackpoint_data *tp)
1178 +
1179 + static void trackpoint_disconnect(struct psmouse *psmouse)
1180 + {
1181 +- sysfs_remove_group(&psmouse->ps2dev.serio->dev.kobj, &trackpoint_attr_group);
1182 ++ device_remove_group(&psmouse->ps2dev.serio->dev,
1183 ++ &trackpoint_attr_group);
1184 +
1185 + kfree(psmouse->private);
1186 + psmouse->private = NULL;
1187 +@@ -355,14 +386,20 @@ static void trackpoint_disconnect(struct psmouse *psmouse)
1188 +
1189 + static int trackpoint_reconnect(struct psmouse *psmouse)
1190 + {
1191 +- int reset_fail;
1192 ++ struct trackpoint_data *tp = psmouse->private;
1193 ++ int error;
1194 ++ bool was_reset;
1195 +
1196 +- if (trackpoint_start_protocol(psmouse, NULL))
1197 +- return -1;
1198 ++ error = trackpoint_start_protocol(psmouse, NULL, NULL);
1199 ++ if (error)
1200 ++ return error;
1201 +
1202 +- reset_fail = trackpoint_power_on_reset(&psmouse->ps2dev);
1203 +- if (trackpoint_sync(psmouse, !reset_fail))
1204 +- return -1;
1205 ++ was_reset = tp->variant_id == TP_VARIANT_IBM &&
1206 ++ trackpoint_power_on_reset(&psmouse->ps2dev) == 0;
1207 ++
1208 ++ error = trackpoint_sync(psmouse, was_reset);
1209 ++ if (error)
1210 ++ return error;
1211 +
1212 + return 0;
1213 + }
1214 +@@ -370,46 +407,66 @@ static int trackpoint_reconnect(struct psmouse *psmouse)
1215 + int trackpoint_detect(struct psmouse *psmouse, bool set_properties)
1216 + {
1217 + struct ps2dev *ps2dev = &psmouse->ps2dev;
1218 +- unsigned char firmware_id;
1219 +- unsigned char button_info;
1220 ++ struct trackpoint_data *tp;
1221 ++ u8 variant_id;
1222 ++ u8 firmware_id;
1223 ++ u8 button_info;
1224 + int error;
1225 +
1226 +- if (trackpoint_start_protocol(psmouse, &firmware_id))
1227 +- return -1;
1228 ++ error = trackpoint_start_protocol(psmouse, &variant_id, &firmware_id);
1229 ++ if (error)
1230 ++ return error;
1231 +
1232 + if (!set_properties)
1233 + return 0;
1234 +
1235 +- if (trackpoint_read(ps2dev, TP_EXT_BTN, &button_info)) {
1236 +- psmouse_warn(psmouse, "failed to get extended button data, assuming 3 buttons\n");
1237 +- button_info = 0x33;
1238 +- }
1239 +-
1240 +- psmouse->private = kzalloc(sizeof(struct trackpoint_data), GFP_KERNEL);
1241 +- if (!psmouse->private)
1242 ++ tp = kzalloc(sizeof(*tp), GFP_KERNEL);
1243 ++ if (!tp)
1244 + return -ENOMEM;
1245 +
1246 +- psmouse->vendor = "IBM";
1247 ++ trackpoint_defaults(tp);
1248 ++ tp->variant_id = variant_id;
1249 ++ tp->firmware_id = firmware_id;
1250 ++
1251 ++ psmouse->private = tp;
1252 ++
1253 ++ psmouse->vendor = trackpoint_variants[variant_id];
1254 + psmouse->name = "TrackPoint";
1255 +
1256 + psmouse->reconnect = trackpoint_reconnect;
1257 + psmouse->disconnect = trackpoint_disconnect;
1258 +
1259 ++ if (variant_id != TP_VARIANT_IBM) {
1260 ++ /* Newer variants do not support extended button query. */
1261 ++ button_info = 0x33;
1262 ++ } else {
1263 ++ error = trackpoint_read(ps2dev, TP_EXT_BTN, &button_info);
1264 ++ if (error) {
1265 ++ psmouse_warn(psmouse,
1266 ++ "failed to get extended button data, assuming 3 buttons\n");
1267 ++ button_info = 0x33;
1268 ++ } else if (!button_info) {
1269 ++ psmouse_warn(psmouse,
1270 ++ "got 0 in extended button data, assuming 3 buttons\n");
1271 ++ button_info = 0x33;
1272 ++ }
1273 ++ }
1274 ++
1275 + if ((button_info & 0x0f) >= 3)
1276 +- __set_bit(BTN_MIDDLE, psmouse->dev->keybit);
1277 ++ input_set_capability(psmouse->dev, EV_KEY, BTN_MIDDLE);
1278 +
1279 + __set_bit(INPUT_PROP_POINTER, psmouse->dev->propbit);
1280 + __set_bit(INPUT_PROP_POINTING_STICK, psmouse->dev->propbit);
1281 +
1282 +- trackpoint_defaults(psmouse->private);
1283 +-
1284 +- error = trackpoint_power_on_reset(ps2dev);
1285 +-
1286 +- /* Write defaults to TP only if reset fails. */
1287 +- if (error)
1288 ++ if (variant_id != TP_VARIANT_IBM ||
1289 ++ trackpoint_power_on_reset(ps2dev) != 0) {
1290 ++ /*
1291 ++ * Write defaults to TP if we did not reset the trackpoint.
1292 ++ */
1293 + trackpoint_sync(psmouse, false);
1294 ++ }
1295 +
1296 +- error = sysfs_create_group(&ps2dev->serio->dev.kobj, &trackpoint_attr_group);
1297 ++ error = device_add_group(&ps2dev->serio->dev, &trackpoint_attr_group);
1298 + if (error) {
1299 + psmouse_err(psmouse,
1300 + "failed to create sysfs attributes, error: %d\n",
1301 +@@ -420,8 +477,8 @@ int trackpoint_detect(struct psmouse *psmouse, bool set_properties)
1302 + }
1303 +
1304 + psmouse_info(psmouse,
1305 +- "IBM TrackPoint firmware: 0x%02x, buttons: %d/%d\n",
1306 +- firmware_id,
1307 ++ "%s TrackPoint firmware: 0x%02x, buttons: %d/%d\n",
1308 ++ psmouse->vendor, firmware_id,
1309 + (button_info & 0xf0) >> 4, button_info & 0x0f);
1310 +
1311 + return 0;
1312 +diff --git a/drivers/input/mouse/trackpoint.h b/drivers/input/mouse/trackpoint.h
1313 +index 88055755f82e..10a039148234 100644
1314 +--- a/drivers/input/mouse/trackpoint.h
1315 ++++ b/drivers/input/mouse/trackpoint.h
1316 +@@ -21,10 +21,16 @@
1317 + #define TP_COMMAND 0xE2 /* Commands start with this */
1318 +
1319 + #define TP_READ_ID 0xE1 /* Sent for device identification */
1320 +-#define TP_MAGIC_IDENT 0x03 /* Sent after a TP_READ_ID followed */
1321 +- /* by the firmware ID */
1322 +- /* Firmware ID includes 0x1, 0x2, 0x3 */
1323 +
1324 ++/*
1325 ++ * Valid first byte responses to the "Read Secondary ID" (0xE1) command.
1326 ++ * 0x01 was the original IBM trackpoint, others implement very limited
1327 ++ * subset of trackpoint features.
1328 ++ */
1329 ++#define TP_VARIANT_IBM 0x01
1330 ++#define TP_VARIANT_ALPS 0x02
1331 ++#define TP_VARIANT_ELAN 0x03
1332 ++#define TP_VARIANT_NXP 0x04
1333 +
1334 + /*
1335 + * Commands
1336 +@@ -136,18 +142,20 @@
1337 +
1338 + #define MAKE_PS2_CMD(params, results, cmd) ((params<<12) | (results<<8) | (cmd))
1339 +
1340 +-struct trackpoint_data
1341 +-{
1342 +- unsigned char sensitivity, speed, inertia, reach;
1343 +- unsigned char draghys, mindrag;
1344 +- unsigned char thresh, upthresh;
1345 +- unsigned char ztime, jenks;
1346 +- unsigned char drift_time;
1347 ++struct trackpoint_data {
1348 ++ u8 variant_id;
1349 ++ u8 firmware_id;
1350 ++
1351 ++ u8 sensitivity, speed, inertia, reach;
1352 ++ u8 draghys, mindrag;
1353 ++ u8 thresh, upthresh;
1354 ++ u8 ztime, jenks;
1355 ++ u8 drift_time;
1356 +
1357 + /* toggles */
1358 +- unsigned char press_to_select;
1359 +- unsigned char skipback;
1360 +- unsigned char ext_dev;
1361 ++ bool press_to_select;
1362 ++ bool skipback;
1363 ++ bool ext_dev;
1364 + };
1365 +
1366 + #ifdef CONFIG_MOUSE_PS2_TRACKPOINT
1367 +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
1368 +index 0e3d9f39a807..1b03c32afc1f 100644
1369 +--- a/drivers/net/ethernet/emulex/benet/be_main.c
1370 ++++ b/drivers/net/ethernet/emulex/benet/be_main.c
1371 +@@ -4634,6 +4634,15 @@ int be_update_queues(struct be_adapter *adapter)
1372 +
1373 + be_schedule_worker(adapter);
1374 +
1375 ++ /*
1376 ++ * The IF was destroyed and re-created. We need to clear
1377 ++ * all promiscuous flags valid for the destroyed IF.
1378 ++ * Without this promisc mode is not restored during
1379 ++ * be_open() because the driver thinks that it is
1380 ++ * already enabled in HW.
1381 ++ */
1382 ++ adapter->if_flags &= ~BE_IF_FLAGS_ALL_PROMISCUOUS;
1383 ++
1384 + if (netif_running(netdev))
1385 + status = be_open(netdev);
1386 +
1387 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c
1388 +index acf32fe952cd..3d3b1f97dc27 100644
1389 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c
1390 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c
1391 +@@ -197,9 +197,15 @@ static int mlx5e_am_stats_compare(struct mlx5e_rx_am_stats *curr,
1392 + return (curr->bpms > prev->bpms) ? MLX5E_AM_STATS_BETTER :
1393 + MLX5E_AM_STATS_WORSE;
1394 +
1395 ++ if (!prev->ppms)
1396 ++ return curr->ppms ? MLX5E_AM_STATS_BETTER :
1397 ++ MLX5E_AM_STATS_SAME;
1398 ++
1399 + if (IS_SIGNIFICANT_DIFF(curr->ppms, prev->ppms))
1400 + return (curr->ppms > prev->ppms) ? MLX5E_AM_STATS_BETTER :
1401 + MLX5E_AM_STATS_WORSE;
1402 ++ if (!prev->epms)
1403 ++ return MLX5E_AM_STATS_SAME;
1404 +
1405 + if (IS_SIGNIFICANT_DIFF(curr->epms, prev->epms))
1406 + return (curr->epms < prev->epms) ? MLX5E_AM_STATS_BETTER :
1407 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c b/drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c
1408 +index 1f1f8af87d4d..5a4608281f38 100644
1409 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c
1410 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c
1411 +@@ -238,15 +238,19 @@ static int mlx5e_test_loopback_setup(struct mlx5e_priv *priv,
1412 + int err = 0;
1413 +
1414 + /* Temporarily enable local_lb */
1415 +- if (MLX5_CAP_GEN(priv->mdev, disable_local_lb)) {
1416 +- mlx5_nic_vport_query_local_lb(priv->mdev, &lbtp->local_lb);
1417 +- if (!lbtp->local_lb)
1418 +- mlx5_nic_vport_update_local_lb(priv->mdev, true);
1419 ++ err = mlx5_nic_vport_query_local_lb(priv->mdev, &lbtp->local_lb);
1420 ++ if (err)
1421 ++ return err;
1422 ++
1423 ++ if (!lbtp->local_lb) {
1424 ++ err = mlx5_nic_vport_update_local_lb(priv->mdev, true);
1425 ++ if (err)
1426 ++ return err;
1427 + }
1428 +
1429 + err = mlx5e_refresh_tirs(priv, true);
1430 + if (err)
1431 +- return err;
1432 ++ goto out;
1433 +
1434 + lbtp->loopback_ok = false;
1435 + init_completion(&lbtp->comp);
1436 +@@ -256,16 +260,21 @@ static int mlx5e_test_loopback_setup(struct mlx5e_priv *priv,
1437 + lbtp->pt.dev = priv->netdev;
1438 + lbtp->pt.af_packet_priv = lbtp;
1439 + dev_add_pack(&lbtp->pt);
1440 ++
1441 ++ return 0;
1442 ++
1443 ++out:
1444 ++ if (!lbtp->local_lb)
1445 ++ mlx5_nic_vport_update_local_lb(priv->mdev, false);
1446 ++
1447 + return err;
1448 + }
1449 +
1450 + static void mlx5e_test_loopback_cleanup(struct mlx5e_priv *priv,
1451 + struct mlx5e_lbt_priv *lbtp)
1452 + {
1453 +- if (MLX5_CAP_GEN(priv->mdev, disable_local_lb)) {
1454 +- if (!lbtp->local_lb)
1455 +- mlx5_nic_vport_update_local_lb(priv->mdev, false);
1456 +- }
1457 ++ if (!lbtp->local_lb)
1458 ++ mlx5_nic_vport_update_local_lb(priv->mdev, false);
1459 +
1460 + dev_remove_pack(&lbtp->pt);
1461 + mlx5e_refresh_tirs(priv, false);
1462 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
1463 +index 8bfc37e4ec87..4ddd632d10f9 100644
1464 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
1465 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
1466 +@@ -577,8 +577,7 @@ static int mlx5_core_set_hca_defaults(struct mlx5_core_dev *dev)
1467 + int ret = 0;
1468 +
1469 + /* Disable local_lb by default */
1470 +- if ((MLX5_CAP_GEN(dev, port_type) == MLX5_CAP_PORT_TYPE_ETH) &&
1471 +- MLX5_CAP_GEN(dev, disable_local_lb))
1472 ++ if (MLX5_CAP_GEN(dev, port_type) == MLX5_CAP_PORT_TYPE_ETH)
1473 + ret = mlx5_nic_vport_update_local_lb(dev, false);
1474 +
1475 + return ret;
1476 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
1477 +index d653b0025b13..a1296a62497d 100644
1478 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
1479 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
1480 +@@ -908,23 +908,33 @@ int mlx5_nic_vport_update_local_lb(struct mlx5_core_dev *mdev, bool enable)
1481 + void *in;
1482 + int err;
1483 +
1484 +- mlx5_core_dbg(mdev, "%s local_lb\n", enable ? "enable" : "disable");
1485 ++ if (!MLX5_CAP_GEN(mdev, disable_local_lb_mc) &&
1486 ++ !MLX5_CAP_GEN(mdev, disable_local_lb_uc))
1487 ++ return 0;
1488 ++
1489 + in = kvzalloc(inlen, GFP_KERNEL);
1490 + if (!in)
1491 + return -ENOMEM;
1492 +
1493 +- MLX5_SET(modify_nic_vport_context_in, in,
1494 +- field_select.disable_mc_local_lb, 1);
1495 + MLX5_SET(modify_nic_vport_context_in, in,
1496 + nic_vport_context.disable_mc_local_lb, !enable);
1497 +-
1498 +- MLX5_SET(modify_nic_vport_context_in, in,
1499 +- field_select.disable_uc_local_lb, 1);
1500 + MLX5_SET(modify_nic_vport_context_in, in,
1501 + nic_vport_context.disable_uc_local_lb, !enable);
1502 +
1503 ++ if (MLX5_CAP_GEN(mdev, disable_local_lb_mc))
1504 ++ MLX5_SET(modify_nic_vport_context_in, in,
1505 ++ field_select.disable_mc_local_lb, 1);
1506 ++
1507 ++ if (MLX5_CAP_GEN(mdev, disable_local_lb_uc))
1508 ++ MLX5_SET(modify_nic_vport_context_in, in,
1509 ++ field_select.disable_uc_local_lb, 1);
1510 ++
1511 + err = mlx5_modify_nic_vport_context(mdev, in, inlen);
1512 +
1513 ++ if (!err)
1514 ++ mlx5_core_dbg(mdev, "%s local_lb\n",
1515 ++ enable ? "enable" : "disable");
1516 ++
1517 + kvfree(in);
1518 + return err;
1519 + }
1520 +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
1521 +index c23cc51bb5a5..7bef80676464 100644
1522 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
1523 ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
1524 +@@ -1531,11 +1531,8 @@ static void mlxsw_sp_router_neigh_ent_ipv4_process(struct mlxsw_sp *mlxsw_sp,
1525 + dipn = htonl(dip);
1526 + dev = mlxsw_sp->router->rifs[rif]->dev;
1527 + n = neigh_lookup(&arp_tbl, &dipn, dev);
1528 +- if (!n) {
1529 +- netdev_err(dev, "Failed to find matching neighbour for IP=%pI4h\n",
1530 +- &dip);
1531 ++ if (!n)
1532 + return;
1533 +- }
1534 +
1535 + netdev_dbg(dev, "Updating neighbour with IP=%pI4h\n", &dip);
1536 + neigh_event_send(n, NULL);
1537 +@@ -1562,11 +1559,8 @@ static void mlxsw_sp_router_neigh_ent_ipv6_process(struct mlxsw_sp *mlxsw_sp,
1538 +
1539 + dev = mlxsw_sp->router->rifs[rif]->dev;
1540 + n = neigh_lookup(&nd_tbl, &dip, dev);
1541 +- if (!n) {
1542 +- netdev_err(dev, "Failed to find matching neighbour for IP=%pI6c\n",
1543 +- &dip);
1544 ++ if (!n)
1545 + return;
1546 +- }
1547 +
1548 + netdev_dbg(dev, "Updating neighbour with IP=%pI6c\n", &dip);
1549 + neigh_event_send(n, NULL);
1550 +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
1551 +index dc016dfec64d..8e623d8fa78e 100644
1552 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
1553 ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
1554 +@@ -306,7 +306,7 @@ nfp_net_get_link_ksettings(struct net_device *netdev,
1555 + ls >= ARRAY_SIZE(ls_to_ethtool))
1556 + return 0;
1557 +
1558 +- cmd->base.speed = ls_to_ethtool[sts];
1559 ++ cmd->base.speed = ls_to_ethtool[ls];
1560 + cmd->base.duplex = DUPLEX_FULL;
1561 +
1562 + return 0;
1563 +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
1564 +index 9541465e43e9..958ff931e790 100644
1565 +--- a/drivers/net/ethernet/realtek/r8169.c
1566 ++++ b/drivers/net/ethernet/realtek/r8169.c
1567 +@@ -2239,19 +2239,14 @@ static bool rtl8169_do_counters(struct net_device *dev, u32 counter_cmd)
1568 + void __iomem *ioaddr = tp->mmio_addr;
1569 + dma_addr_t paddr = tp->counters_phys_addr;
1570 + u32 cmd;
1571 +- bool ret;
1572 +
1573 + RTL_W32(CounterAddrHigh, (u64)paddr >> 32);
1574 ++ RTL_R32(CounterAddrHigh);
1575 + cmd = (u64)paddr & DMA_BIT_MASK(32);
1576 + RTL_W32(CounterAddrLow, cmd);
1577 + RTL_W32(CounterAddrLow, cmd | counter_cmd);
1578 +
1579 +- ret = rtl_udelay_loop_wait_low(tp, &rtl_counters_cond, 10, 1000);
1580 +-
1581 +- RTL_W32(CounterAddrLow, 0);
1582 +- RTL_W32(CounterAddrHigh, 0);
1583 +-
1584 +- return ret;
1585 ++ return rtl_udelay_loop_wait_low(tp, &rtl_counters_cond, 10, 1000);
1586 + }
1587 +
1588 + static bool rtl8169_reset_counters(struct net_device *dev)
1589 +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
1590 +index bf14c51f35e1..8c6b8918ec31 100644
1591 +--- a/drivers/net/ppp/ppp_generic.c
1592 ++++ b/drivers/net/ppp/ppp_generic.c
1593 +@@ -1003,17 +1003,18 @@ static int ppp_unit_register(struct ppp *ppp, int unit, bool ifname_is_set)
1594 + if (!ifname_is_set)
1595 + snprintf(ppp->dev->name, IFNAMSIZ, "ppp%i", ppp->file.index);
1596 +
1597 ++ mutex_unlock(&pn->all_ppp_mutex);
1598 ++
1599 + ret = register_netdevice(ppp->dev);
1600 + if (ret < 0)
1601 + goto err_unit;
1602 +
1603 + atomic_inc(&ppp_unit_count);
1604 +
1605 +- mutex_unlock(&pn->all_ppp_mutex);
1606 +-
1607 + return 0;
1608 +
1609 + err_unit:
1610 ++ mutex_lock(&pn->all_ppp_mutex);
1611 + unit_put(&pn->units_idr, ppp->file.index);
1612 + err:
1613 + mutex_unlock(&pn->all_ppp_mutex);
1614 +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
1615 +index 4e1da1645b15..5aa59f41bf8c 100644
1616 +--- a/drivers/net/ppp/pppoe.c
1617 ++++ b/drivers/net/ppp/pppoe.c
1618 +@@ -842,6 +842,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
1619 + struct pppoe_hdr *ph;
1620 + struct net_device *dev;
1621 + char *start;
1622 ++ int hlen;
1623 +
1624 + lock_sock(sk);
1625 + if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
1626 +@@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
1627 + if (total_len > (dev->mtu + dev->hard_header_len))
1628 + goto end;
1629 +
1630 +-
1631 +- skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
1632 +- 0, GFP_KERNEL);
1633 ++ hlen = LL_RESERVED_SPACE(dev);
1634 ++ skb = sock_wmalloc(sk, hlen + sizeof(*ph) + total_len +
1635 ++ dev->needed_tailroom, 0, GFP_KERNEL);
1636 + if (!skb) {
1637 + error = -ENOMEM;
1638 + goto end;
1639 + }
1640 +
1641 + /* Reserve space for headers. */
1642 +- skb_reserve(skb, dev->hard_header_len);
1643 ++ skb_reserve(skb, hlen);
1644 + skb_reset_network_header(skb);
1645 +
1646 + skb->dev = dev;
1647 +@@ -930,7 +931,7 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
1648 + /* Copy the data if there is no space for the header or if it's
1649 + * read-only.
1650 + */
1651 +- if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
1652 ++ if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
1653 + goto abort;
1654 +
1655 + __skb_push(skb, sizeof(*ph));
1656 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
1657 +index c91b110f2169..fa51b7b0e9ea 100644
1658 +--- a/drivers/net/tun.c
1659 ++++ b/drivers/net/tun.c
1660 +@@ -534,6 +534,14 @@ static void tun_queue_purge(struct tun_file *tfile)
1661 + skb_queue_purge(&tfile->sk.sk_error_queue);
1662 + }
1663 +
1664 ++static void tun_cleanup_tx_array(struct tun_file *tfile)
1665 ++{
1666 ++ if (tfile->tx_array.ring.queue) {
1667 ++ skb_array_cleanup(&tfile->tx_array);
1668 ++ memset(&tfile->tx_array, 0, sizeof(tfile->tx_array));
1669 ++ }
1670 ++}
1671 ++
1672 + static void __tun_detach(struct tun_file *tfile, bool clean)
1673 + {
1674 + struct tun_file *ntfile;
1675 +@@ -575,8 +583,7 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
1676 + tun->dev->reg_state == NETREG_REGISTERED)
1677 + unregister_netdevice(tun->dev);
1678 + }
1679 +- if (tun)
1680 +- skb_array_cleanup(&tfile->tx_array);
1681 ++ tun_cleanup_tx_array(tfile);
1682 + sock_put(&tfile->sk);
1683 + }
1684 + }
1685 +@@ -616,11 +623,13 @@ static void tun_detach_all(struct net_device *dev)
1686 + /* Drop read queue */
1687 + tun_queue_purge(tfile);
1688 + sock_put(&tfile->sk);
1689 ++ tun_cleanup_tx_array(tfile);
1690 + }
1691 + list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) {
1692 + tun_enable_queue(tfile);
1693 + tun_queue_purge(tfile);
1694 + sock_put(&tfile->sk);
1695 ++ tun_cleanup_tx_array(tfile);
1696 + }
1697 + BUG_ON(tun->numdisabled != 0);
1698 +
1699 +@@ -2624,6 +2633,8 @@ static int tun_chr_open(struct inode *inode, struct file * file)
1700 +
1701 + sock_set_flag(&tfile->sk, SOCK_ZEROCOPY);
1702 +
1703 ++ memset(&tfile->tx_array, 0, sizeof(tfile->tx_array));
1704 ++
1705 + return 0;
1706 + }
1707 +
1708 +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
1709 +index 0161f77641fa..a8dd1c7a08cb 100644
1710 +--- a/drivers/net/usb/lan78xx.c
1711 ++++ b/drivers/net/usb/lan78xx.c
1712 +@@ -2396,6 +2396,7 @@ static int lan78xx_reset(struct lan78xx_net *dev)
1713 + buf = DEFAULT_BURST_CAP_SIZE / FS_USB_PKT_SIZE;
1714 + dev->rx_urb_size = DEFAULT_BURST_CAP_SIZE;
1715 + dev->rx_qlen = 4;
1716 ++ dev->tx_qlen = 4;
1717 + }
1718 +
1719 + ret = lan78xx_write_reg(dev, BURST_CAP, buf);
1720 +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
1721 +index d1c7029ded7c..cf95290b160c 100644
1722 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c
1723 ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
1724 +@@ -1616,7 +1616,6 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
1725 + rq->rx_ring[i].basePA);
1726 + rq->rx_ring[i].base = NULL;
1727 + }
1728 +- rq->buf_info[i] = NULL;
1729 + }
1730 +
1731 + if (rq->data_ring.base) {
1732 +@@ -1638,6 +1637,7 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
1733 + (rq->rx_ring[0].size + rq->rx_ring[1].size);
1734 + dma_free_coherent(&adapter->pdev->dev, sz, rq->buf_info[0],
1735 + rq->buf_info_pa);
1736 ++ rq->buf_info[0] = rq->buf_info[1] = NULL;
1737 + }
1738 + }
1739 +
1740 +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
1741 +index 7dc3bcac3506..67ecf2425b88 100644
1742 +--- a/drivers/net/vrf.c
1743 ++++ b/drivers/net/vrf.c
1744 +@@ -674,8 +674,9 @@ static struct sk_buff *vrf_ip_out(struct net_device *vrf_dev,
1745 + struct sock *sk,
1746 + struct sk_buff *skb)
1747 + {
1748 +- /* don't divert multicast */
1749 +- if (ipv4_is_multicast(ip_hdr(skb)->daddr))
1750 ++ /* don't divert multicast or local broadcast */
1751 ++ if (ipv4_is_multicast(ip_hdr(skb)->daddr) ||
1752 ++ ipv4_is_lbcast(ip_hdr(skb)->daddr))
1753 + return skb;
1754 +
1755 + if (qdisc_tx_is_default(vrf_dev))
1756 +diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
1757 +index 0c4b690cf761..04f39111fafb 100644
1758 +--- a/fs/btrfs/delayed-inode.c
1759 ++++ b/fs/btrfs/delayed-inode.c
1760 +@@ -1677,28 +1677,18 @@ void btrfs_readdir_put_delayed_items(struct inode *inode,
1761 + int btrfs_should_delete_dir_index(struct list_head *del_list,
1762 + u64 index)
1763 + {
1764 +- struct btrfs_delayed_item *curr, *next;
1765 +- int ret;
1766 +-
1767 +- if (list_empty(del_list))
1768 +- return 0;
1769 ++ struct btrfs_delayed_item *curr;
1770 ++ int ret = 0;
1771 +
1772 +- list_for_each_entry_safe(curr, next, del_list, readdir_list) {
1773 ++ list_for_each_entry(curr, del_list, readdir_list) {
1774 + if (curr->key.offset > index)
1775 + break;
1776 +-
1777 +- list_del(&curr->readdir_list);
1778 +- ret = (curr->key.offset == index);
1779 +-
1780 +- if (refcount_dec_and_test(&curr->refs))
1781 +- kfree(curr);
1782 +-
1783 +- if (ret)
1784 +- return 1;
1785 +- else
1786 +- continue;
1787 ++ if (curr->key.offset == index) {
1788 ++ ret = 1;
1789 ++ break;
1790 ++ }
1791 + }
1792 +- return 0;
1793 ++ return ret;
1794 + }
1795 +
1796 + /*
1797 +diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
1798 +index f650e475d8f0..fdf2aad73470 100644
1799 +--- a/fs/nfsd/auth.c
1800 ++++ b/fs/nfsd/auth.c
1801 +@@ -60,10 +60,10 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
1802 + gi->gid[i] = exp->ex_anon_gid;
1803 + else
1804 + gi->gid[i] = rqgi->gid[i];
1805 +-
1806 +- /* Each thread allocates its own gi, no race */
1807 +- groups_sort(gi);
1808 + }
1809 ++
1810 ++ /* Each thread allocates its own gi, no race */
1811 ++ groups_sort(gi);
1812 + } else {
1813 + gi = get_group_info(rqgi);
1814 + }
1815 +diff --git a/fs/orangefs/devorangefs-req.c b/fs/orangefs/devorangefs-req.c
1816 +index ded456f17de6..c584ad8d023c 100644
1817 +--- a/fs/orangefs/devorangefs-req.c
1818 ++++ b/fs/orangefs/devorangefs-req.c
1819 +@@ -162,7 +162,7 @@ static ssize_t orangefs_devreq_read(struct file *file,
1820 + struct orangefs_kernel_op_s *op, *temp;
1821 + __s32 proto_ver = ORANGEFS_KERNEL_PROTO_VERSION;
1822 + static __s32 magic = ORANGEFS_DEVREQ_MAGIC;
1823 +- struct orangefs_kernel_op_s *cur_op = NULL;
1824 ++ struct orangefs_kernel_op_s *cur_op;
1825 + unsigned long ret;
1826 +
1827 + /* We do not support blocking IO. */
1828 +@@ -186,6 +186,7 @@ static ssize_t orangefs_devreq_read(struct file *file,
1829 + return -EAGAIN;
1830 +
1831 + restart:
1832 ++ cur_op = NULL;
1833 + /* Get next op (if any) from top of list. */
1834 + spin_lock(&orangefs_request_list_lock);
1835 + list_for_each_entry_safe(op, temp, &orangefs_request_list, list) {
1836 +diff --git a/fs/orangefs/file.c b/fs/orangefs/file.c
1837 +index e4a8e6a7eb17..962bf4824283 100644
1838 +--- a/fs/orangefs/file.c
1839 ++++ b/fs/orangefs/file.c
1840 +@@ -446,7 +446,7 @@ ssize_t orangefs_inode_read(struct inode *inode,
1841 + static ssize_t orangefs_file_read_iter(struct kiocb *iocb, struct iov_iter *iter)
1842 + {
1843 + struct file *file = iocb->ki_filp;
1844 +- loff_t pos = *(&iocb->ki_pos);
1845 ++ loff_t pos = iocb->ki_pos;
1846 + ssize_t rc = 0;
1847 +
1848 + BUG_ON(iocb->private);
1849 +@@ -486,9 +486,6 @@ static ssize_t orangefs_file_write_iter(struct kiocb *iocb, struct iov_iter *ite
1850 + }
1851 + }
1852 +
1853 +- if (file->f_pos > i_size_read(file->f_mapping->host))
1854 +- orangefs_i_size_write(file->f_mapping->host, file->f_pos);
1855 +-
1856 + rc = generic_write_checks(iocb, iter);
1857 +
1858 + if (rc <= 0) {
1859 +@@ -502,7 +499,7 @@ static ssize_t orangefs_file_write_iter(struct kiocb *iocb, struct iov_iter *ite
1860 + * pos to the end of the file, so we will wait till now to set
1861 + * pos...
1862 + */
1863 +- pos = *(&iocb->ki_pos);
1864 ++ pos = iocb->ki_pos;
1865 +
1866 + rc = do_readv_writev(ORANGEFS_IO_WRITE,
1867 + file,
1868 +diff --git a/fs/orangefs/orangefs-kernel.h b/fs/orangefs/orangefs-kernel.h
1869 +index 004af348fb80..c244bbf494bc 100644
1870 +--- a/fs/orangefs/orangefs-kernel.h
1871 ++++ b/fs/orangefs/orangefs-kernel.h
1872 +@@ -566,17 +566,6 @@ do { \
1873 + sys_attr.mask = ORANGEFS_ATTR_SYS_ALL_SETABLE; \
1874 + } while (0)
1875 +
1876 +-static inline void orangefs_i_size_write(struct inode *inode, loff_t i_size)
1877 +-{
1878 +-#if BITS_PER_LONG == 32 && defined(CONFIG_SMP)
1879 +- inode_lock(inode);
1880 +-#endif
1881 +- i_size_write(inode, i_size);
1882 +-#if BITS_PER_LONG == 32 && defined(CONFIG_SMP)
1883 +- inode_unlock(inode);
1884 +-#endif
1885 +-}
1886 +-
1887 + static inline void orangefs_set_timeout(struct dentry *dentry)
1888 + {
1889 + unsigned long time = jiffies + orangefs_dcache_timeout_msecs*HZ/1000;
1890 +diff --git a/fs/orangefs/waitqueue.c b/fs/orangefs/waitqueue.c
1891 +index 835c6e148afc..0577d6dba8c8 100644
1892 +--- a/fs/orangefs/waitqueue.c
1893 ++++ b/fs/orangefs/waitqueue.c
1894 +@@ -29,10 +29,10 @@ static void orangefs_clean_up_interrupted_operation(struct orangefs_kernel_op_s
1895 + */
1896 + void purge_waiting_ops(void)
1897 + {
1898 +- struct orangefs_kernel_op_s *op;
1899 ++ struct orangefs_kernel_op_s *op, *tmp;
1900 +
1901 + spin_lock(&orangefs_request_list_lock);
1902 +- list_for_each_entry(op, &orangefs_request_list, list) {
1903 ++ list_for_each_entry_safe(op, tmp, &orangefs_request_list, list) {
1904 + gossip_debug(GOSSIP_WAIT_DEBUG,
1905 + "pvfs2-client-core: purging op tag %llu %s\n",
1906 + llu(op->tag),
1907 +diff --git a/include/linux/bpf.h b/include/linux/bpf.h
1908 +index 0bcf803f20de..5c5be80ce802 100644
1909 +--- a/include/linux/bpf.h
1910 ++++ b/include/linux/bpf.h
1911 +@@ -42,7 +42,14 @@ struct bpf_map_ops {
1912 + };
1913 +
1914 + struct bpf_map {
1915 +- atomic_t refcnt;
1916 ++ /* 1st cacheline with read-mostly members of which some
1917 ++ * are also accessed in fast-path (e.g. ops, max_entries).
1918 ++ */
1919 ++ const struct bpf_map_ops *ops ____cacheline_aligned;
1920 ++ struct bpf_map *inner_map_meta;
1921 ++#ifdef CONFIG_SECURITY
1922 ++ void *security;
1923 ++#endif
1924 + enum bpf_map_type map_type;
1925 + u32 key_size;
1926 + u32 value_size;
1927 +@@ -52,11 +59,15 @@ struct bpf_map {
1928 + u32 id;
1929 + int numa_node;
1930 + bool unpriv_array;
1931 +- struct user_struct *user;
1932 +- const struct bpf_map_ops *ops;
1933 +- struct work_struct work;
1934 ++ /* 7 bytes hole */
1935 ++
1936 ++ /* 2nd cacheline with misc members to avoid false sharing
1937 ++ * particularly with refcounting.
1938 ++ */
1939 ++ struct user_struct *user ____cacheline_aligned;
1940 ++ atomic_t refcnt;
1941 + atomic_t usercnt;
1942 +- struct bpf_map *inner_map_meta;
1943 ++ struct work_struct work;
1944 + };
1945 +
1946 + /* function argument constraints */
1947 +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
1948 +index 8b3d0103c03a..a13525daf09b 100644
1949 +--- a/include/linux/mlx5/driver.h
1950 ++++ b/include/linux/mlx5/driver.h
1951 +@@ -36,6 +36,7 @@
1952 + #include <linux/kernel.h>
1953 + #include <linux/completion.h>
1954 + #include <linux/pci.h>
1955 ++#include <linux/irq.h>
1956 + #include <linux/spinlock_types.h>
1957 + #include <linux/semaphore.h>
1958 + #include <linux/slab.h>
1959 +@@ -1194,7 +1195,23 @@ enum {
1960 + static inline const struct cpumask *
1961 + mlx5_get_vector_affinity(struct mlx5_core_dev *dev, int vector)
1962 + {
1963 +- return pci_irq_get_affinity(dev->pdev, MLX5_EQ_VEC_COMP_BASE + vector);
1964 ++ const struct cpumask *mask;
1965 ++ struct irq_desc *desc;
1966 ++ unsigned int irq;
1967 ++ int eqn;
1968 ++ int err;
1969 ++
1970 ++ err = mlx5_vector2eqn(dev, vector, &eqn, &irq);
1971 ++ if (err)
1972 ++ return NULL;
1973 ++
1974 ++ desc = irq_to_desc(irq);
1975 ++#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK
1976 ++ mask = irq_data_get_effective_affinity_mask(&desc->irq_data);
1977 ++#else
1978 ++ mask = desc->irq_common_data.affinity;
1979 ++#endif
1980 ++ return mask;
1981 + }
1982 +
1983 + #endif /* MLX5_DRIVER_H */
1984 +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
1985 +index c8091f06eaa4..f3765155fa4d 100644
1986 +--- a/include/linux/mlx5/mlx5_ifc.h
1987 ++++ b/include/linux/mlx5/mlx5_ifc.h
1988 +@@ -1023,8 +1023,9 @@ struct mlx5_ifc_cmd_hca_cap_bits {
1989 + u8 log_max_wq_sz[0x5];
1990 +
1991 + u8 nic_vport_change_event[0x1];
1992 +- u8 disable_local_lb[0x1];
1993 +- u8 reserved_at_3e2[0x9];
1994 ++ u8 disable_local_lb_uc[0x1];
1995 ++ u8 disable_local_lb_mc[0x1];
1996 ++ u8 reserved_at_3e3[0x8];
1997 + u8 log_max_vlan_list[0x5];
1998 + u8 reserved_at_3f0[0x3];
1999 + u8 log_max_current_mc_list[0x5];
2000 +diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
2001 +index 853291714ae0..bae807eb2933 100644
2002 +--- a/include/linux/vermagic.h
2003 ++++ b/include/linux/vermagic.h
2004 +@@ -31,17 +31,11 @@
2005 + #else
2006 + #define MODULE_RANDSTRUCT_PLUGIN
2007 + #endif
2008 +-#ifdef RETPOLINE
2009 +-#define MODULE_VERMAGIC_RETPOLINE "retpoline "
2010 +-#else
2011 +-#define MODULE_VERMAGIC_RETPOLINE ""
2012 +-#endif
2013 +
2014 + #define VERMAGIC_STRING \
2015 + UTS_RELEASE " " \
2016 + MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
2017 + MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
2018 + MODULE_ARCH_VERMAGIC \
2019 +- MODULE_RANDSTRUCT_PLUGIN \
2020 +- MODULE_VERMAGIC_RETPOLINE
2021 ++ MODULE_RANDSTRUCT_PLUGIN
2022 +
2023 +diff --git a/include/net/arp.h b/include/net/arp.h
2024 +index dc8cd47f883b..977aabfcdc03 100644
2025 +--- a/include/net/arp.h
2026 ++++ b/include/net/arp.h
2027 +@@ -20,6 +20,9 @@ static inline u32 arp_hashfn(const void *pkey, const struct net_device *dev, u32
2028 +
2029 + static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key)
2030 + {
2031 ++ if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
2032 ++ key = INADDR_ANY;
2033 ++
2034 + return ___neigh_lookup_noref(&arp_tbl, neigh_key_eq32, arp_hashfn, &key, dev);
2035 + }
2036 +
2037 +diff --git a/include/net/ipv6.h b/include/net/ipv6.h
2038 +index 35e9dd2d18ba..9596aa93d6ef 100644
2039 +--- a/include/net/ipv6.h
2040 ++++ b/include/net/ipv6.h
2041 +@@ -291,6 +291,7 @@ int ipv6_flowlabel_opt_get(struct sock *sk, struct in6_flowlabel_req *freq,
2042 + int flags);
2043 + int ip6_flowlabel_init(void);
2044 + void ip6_flowlabel_cleanup(void);
2045 ++bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np);
2046 +
2047 + static inline void fl6_sock_release(struct ip6_flowlabel *fl)
2048 + {
2049 +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
2050 +index 10f99dafd5ac..049008493faf 100644
2051 +--- a/include/net/net_namespace.h
2052 ++++ b/include/net/net_namespace.h
2053 +@@ -223,6 +223,11 @@ int net_eq(const struct net *net1, const struct net *net2)
2054 + return net1 == net2;
2055 + }
2056 +
2057 ++static inline int check_net(const struct net *net)
2058 ++{
2059 ++ return atomic_read(&net->count) != 0;
2060 ++}
2061 ++
2062 + void net_drop_ns(void *);
2063 +
2064 + #else
2065 +@@ -247,6 +252,11 @@ int net_eq(const struct net *net1, const struct net *net2)
2066 + return 1;
2067 + }
2068 +
2069 ++static inline int check_net(const struct net *net)
2070 ++{
2071 ++ return 1;
2072 ++}
2073 ++
2074 + #define net_drop_ns NULL
2075 + #endif
2076 +
2077 +diff --git a/include/net/tls.h b/include/net/tls.h
2078 +index c06db1eadac2..df950383b8c1 100644
2079 +--- a/include/net/tls.h
2080 ++++ b/include/net/tls.h
2081 +@@ -168,7 +168,7 @@ static inline bool tls_is_pending_open_record(struct tls_context *tls_ctx)
2082 +
2083 + static inline void tls_err_abort(struct sock *sk)
2084 + {
2085 +- sk->sk_err = -EBADMSG;
2086 ++ sk->sk_err = EBADMSG;
2087 + sk->sk_error_report(sk);
2088 + }
2089 +
2090 +diff --git a/init/Kconfig b/init/Kconfig
2091 +index 3c1faaa2af4a..46075327c165 100644
2092 +--- a/init/Kconfig
2093 ++++ b/init/Kconfig
2094 +@@ -1342,6 +1342,13 @@ config BPF_SYSCALL
2095 + Enable the bpf() system call that allows to manipulate eBPF
2096 + programs and maps via file descriptors.
2097 +
2098 ++config BPF_JIT_ALWAYS_ON
2099 ++ bool "Permanently enable BPF JIT and remove BPF interpreter"
2100 ++ depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
2101 ++ help
2102 ++ Enables BPF JIT and removes BPF interpreter to avoid
2103 ++ speculative execution of BPF instructions by the interpreter
2104 ++
2105 + config SHMEM
2106 + bool "Use full shmem filesystem" if EXPERT
2107 + default y
2108 +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
2109 +index 7b62df86be1d..2246115365d9 100644
2110 +--- a/kernel/bpf/core.c
2111 ++++ b/kernel/bpf/core.c
2112 +@@ -760,6 +760,7 @@ noinline u64 __bpf_call_base(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
2113 + }
2114 + EXPORT_SYMBOL_GPL(__bpf_call_base);
2115 +
2116 ++#ifndef CONFIG_BPF_JIT_ALWAYS_ON
2117 + /**
2118 + * __bpf_prog_run - run eBPF program on a given context
2119 + * @ctx: is the data we are operating on
2120 +@@ -948,7 +949,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn,
2121 + DST = tmp;
2122 + CONT;
2123 + ALU_MOD_X:
2124 +- if (unlikely(SRC == 0))
2125 ++ if (unlikely((u32)SRC == 0))
2126 + return 0;
2127 + tmp = (u32) DST;
2128 + DST = do_div(tmp, (u32) SRC);
2129 +@@ -967,7 +968,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn,
2130 + DST = div64_u64(DST, SRC);
2131 + CONT;
2132 + ALU_DIV_X:
2133 +- if (unlikely(SRC == 0))
2134 ++ if (unlikely((u32)SRC == 0))
2135 + return 0;
2136 + tmp = (u32) DST;
2137 + do_div(tmp, (u32) SRC);
2138 +@@ -1310,6 +1311,14 @@ EVAL6(PROG_NAME_LIST, 224, 256, 288, 320, 352, 384)
2139 + EVAL4(PROG_NAME_LIST, 416, 448, 480, 512)
2140 + };
2141 +
2142 ++#else
2143 ++static unsigned int __bpf_prog_ret0(const void *ctx,
2144 ++ const struct bpf_insn *insn)
2145 ++{
2146 ++ return 0;
2147 ++}
2148 ++#endif
2149 ++
2150 + bool bpf_prog_array_compatible(struct bpf_array *array,
2151 + const struct bpf_prog *fp)
2152 + {
2153 +@@ -1357,9 +1366,13 @@ static int bpf_check_tail_call(const struct bpf_prog *fp)
2154 + */
2155 + struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
2156 + {
2157 ++#ifndef CONFIG_BPF_JIT_ALWAYS_ON
2158 + u32 stack_depth = max_t(u32, fp->aux->stack_depth, 1);
2159 +
2160 + fp->bpf_func = interpreters[(round_up(stack_depth, 32) / 32) - 1];
2161 ++#else
2162 ++ fp->bpf_func = __bpf_prog_ret0;
2163 ++#endif
2164 +
2165 + /* eBPF JITs can rewrite the program in case constant
2166 + * blinding is active. However, in case of error during
2167 +@@ -1368,6 +1381,12 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
2168 + * be JITed, but falls back to the interpreter.
2169 + */
2170 + fp = bpf_int_jit_compile(fp);
2171 ++#ifdef CONFIG_BPF_JIT_ALWAYS_ON
2172 ++ if (!fp->jited) {
2173 ++ *err = -ENOTSUPP;
2174 ++ return fp;
2175 ++ }
2176 ++#endif
2177 + bpf_prog_lock_ro(fp);
2178 +
2179 + /* The tail call compatibility check can only be done at
2180 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
2181 +index 75a5c3312f46..f9339c3219bc 100644
2182 +--- a/kernel/bpf/verifier.c
2183 ++++ b/kernel/bpf/verifier.c
2184 +@@ -986,6 +986,13 @@ static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
2185 + return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]);
2186 + }
2187 +
2188 ++static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
2189 ++{
2190 ++ const struct bpf_reg_state *reg = &env->cur_state.regs[regno];
2191 ++
2192 ++ return reg->type == PTR_TO_CTX;
2193 ++}
2194 ++
2195 + static int check_pkt_ptr_alignment(const struct bpf_reg_state *reg,
2196 + int off, int size, bool strict)
2197 + {
2198 +@@ -1258,6 +1265,12 @@ static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_ins
2199 + return -EACCES;
2200 + }
2201 +
2202 ++ if (is_ctx_reg(env, insn->dst_reg)) {
2203 ++ verbose("BPF_XADD stores into R%d context is not allowed\n",
2204 ++ insn->dst_reg);
2205 ++ return -EACCES;
2206 ++ }
2207 ++
2208 + /* check whether atomic_add can read the memory */
2209 + err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
2210 + BPF_SIZE(insn->code), BPF_READ, -1);
2211 +@@ -3859,6 +3872,12 @@ static int do_check(struct bpf_verifier_env *env)
2212 + if (err)
2213 + return err;
2214 +
2215 ++ if (is_ctx_reg(env, insn->dst_reg)) {
2216 ++ verbose("BPF_ST stores into R%d context is not allowed\n",
2217 ++ insn->dst_reg);
2218 ++ return -EACCES;
2219 ++ }
2220 ++
2221 + /* check that memory (dst_reg + off) is writeable */
2222 + err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
2223 + BPF_SIZE(insn->code), BPF_WRITE,
2224 +@@ -4304,6 +4323,24 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
2225 + int i, cnt, delta = 0;
2226 +
2227 + for (i = 0; i < insn_cnt; i++, insn++) {
2228 ++ if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
2229 ++ insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
2230 ++ /* due to JIT bugs clear upper 32-bits of src register
2231 ++ * before div/mod operation
2232 ++ */
2233 ++ insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg);
2234 ++ insn_buf[1] = *insn;
2235 ++ cnt = 2;
2236 ++ new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
2237 ++ if (!new_prog)
2238 ++ return -ENOMEM;
2239 ++
2240 ++ delta += cnt - 1;
2241 ++ env->prog = prog = new_prog;
2242 ++ insn = new_prog->insnsi + i + delta;
2243 ++ continue;
2244 ++ }
2245 ++
2246 + if (insn->code != (BPF_JMP | BPF_CALL))
2247 + continue;
2248 +
2249 +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
2250 +index 88f75f92ef36..052773df9f03 100644
2251 +--- a/kernel/time/hrtimer.c
2252 ++++ b/kernel/time/hrtimer.c
2253 +@@ -655,7 +655,9 @@ static void hrtimer_reprogram(struct hrtimer *timer,
2254 + static inline void hrtimer_init_hres(struct hrtimer_cpu_base *base)
2255 + {
2256 + base->expires_next = KTIME_MAX;
2257 ++ base->hang_detected = 0;
2258 + base->hres_active = 0;
2259 ++ base->next_timer = NULL;
2260 + }
2261 +
2262 + /*
2263 +@@ -1591,6 +1593,7 @@ int hrtimers_prepare_cpu(unsigned int cpu)
2264 + timerqueue_init_head(&cpu_base->clock_base[i].active);
2265 + }
2266 +
2267 ++ cpu_base->active_bases = 0;
2268 + cpu_base->cpu = cpu;
2269 + hrtimer_init_hres(cpu_base);
2270 + return 0;
2271 +diff --git a/lib/test_bpf.c b/lib/test_bpf.c
2272 +index aa8812ae6776..6fbb73f3f531 100644
2273 +--- a/lib/test_bpf.c
2274 ++++ b/lib/test_bpf.c
2275 +@@ -6207,9 +6207,8 @@ static struct bpf_prog *generate_filter(int which, int *err)
2276 + return NULL;
2277 + }
2278 + }
2279 +- /* We don't expect to fail. */
2280 + if (*err) {
2281 +- pr_cont("FAIL to attach err=%d len=%d\n",
2282 ++ pr_cont("FAIL to prog_create err=%d len=%d\n",
2283 + *err, fprog.len);
2284 + return NULL;
2285 + }
2286 +@@ -6233,6 +6232,10 @@ static struct bpf_prog *generate_filter(int which, int *err)
2287 + * checks.
2288 + */
2289 + fp = bpf_prog_select_runtime(fp, err);
2290 ++ if (*err) {
2291 ++ pr_cont("FAIL to select_runtime err=%d\n", *err);
2292 ++ return NULL;
2293 ++ }
2294 + break;
2295 + }
2296 +
2297 +@@ -6418,8 +6421,8 @@ static __init int test_bpf(void)
2298 + pass_cnt++;
2299 + continue;
2300 + }
2301 +-
2302 +- return err;
2303 ++ err_cnt++;
2304 ++ continue;
2305 + }
2306 +
2307 + pr_cont("jited:%u ", fp->jited);
2308 +diff --git a/mm/page_alloc.c b/mm/page_alloc.c
2309 +index d51c2087c498..2de080003693 100644
2310 +--- a/mm/page_alloc.c
2311 ++++ b/mm/page_alloc.c
2312 +@@ -3011,9 +3011,6 @@ bool __zone_watermark_ok(struct zone *z, unsigned int order, unsigned long mark,
2313 + if (!area->nr_free)
2314 + continue;
2315 +
2316 +- if (alloc_harder)
2317 +- return true;
2318 +-
2319 + for (mt = 0; mt < MIGRATE_PCPTYPES; mt++) {
2320 + if (!list_empty(&area->free_list[mt]))
2321 + return true;
2322 +@@ -3025,6 +3022,9 @@ bool __zone_watermark_ok(struct zone *z, unsigned int order, unsigned long mark,
2323 + return true;
2324 + }
2325 + #endif
2326 ++ if (alloc_harder &&
2327 ++ !list_empty(&area->free_list[MIGRATE_HIGHATOMIC]))
2328 ++ return true;
2329 + }
2330 + return false;
2331 + }
2332 +diff --git a/net/core/dev.c b/net/core/dev.c
2333 +index 27357fc1730b..ffee085f0357 100644
2334 +--- a/net/core/dev.c
2335 ++++ b/net/core/dev.c
2336 +@@ -3128,10 +3128,21 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
2337 + hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
2338 +
2339 + /* + transport layer */
2340 +- if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))
2341 +- hdr_len += tcp_hdrlen(skb);
2342 +- else
2343 +- hdr_len += sizeof(struct udphdr);
2344 ++ if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) {
2345 ++ const struct tcphdr *th;
2346 ++ struct tcphdr _tcphdr;
2347 ++
2348 ++ th = skb_header_pointer(skb, skb_transport_offset(skb),
2349 ++ sizeof(_tcphdr), &_tcphdr);
2350 ++ if (likely(th))
2351 ++ hdr_len += __tcp_hdrlen(th);
2352 ++ } else {
2353 ++ struct udphdr _udphdr;
2354 ++
2355 ++ if (skb_header_pointer(skb, skb_transport_offset(skb),
2356 ++ sizeof(_udphdr), &_udphdr))
2357 ++ hdr_len += sizeof(struct udphdr);
2358 ++ }
2359 +
2360 + if (shinfo->gso_type & SKB_GSO_DODGY)
2361 + gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
2362 +diff --git a/net/core/filter.c b/net/core/filter.c
2363 +index 6ae94f825f72..d5158a10ac8f 100644
2364 +--- a/net/core/filter.c
2365 ++++ b/net/core/filter.c
2366 +@@ -457,6 +457,10 @@ static int bpf_convert_filter(struct sock_filter *prog, int len,
2367 + convert_bpf_extensions(fp, &insn))
2368 + break;
2369 +
2370 ++ if (fp->code == (BPF_ALU | BPF_DIV | BPF_X) ||
2371 ++ fp->code == (BPF_ALU | BPF_MOD | BPF_X))
2372 ++ *insn++ = BPF_MOV32_REG(BPF_REG_X, BPF_REG_X);
2373 ++
2374 + *insn = BPF_RAW_INSN(fp->code, BPF_REG_A, BPF_REG_X, 0, fp->k);
2375 + break;
2376 +
2377 +@@ -1053,11 +1057,9 @@ static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp)
2378 + */
2379 + goto out_err_free;
2380 +
2381 +- /* We are guaranteed to never error here with cBPF to eBPF
2382 +- * transitions, since there's no issue with type compatibility
2383 +- * checks on program arrays.
2384 +- */
2385 + fp = bpf_prog_select_runtime(fp, &err);
2386 ++ if (err)
2387 ++ goto out_err_free;
2388 +
2389 + kfree(old_prog);
2390 + return fp;
2391 +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
2392 +index 0a977373d003..f950b80c0dd1 100644
2393 +--- a/net/core/flow_dissector.c
2394 ++++ b/net/core/flow_dissector.c
2395 +@@ -876,8 +876,8 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
2396 + out_good:
2397 + ret = true;
2398 +
2399 +- key_control->thoff = (u16)nhoff;
2400 + out:
2401 ++ key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
2402 + key_basic->n_proto = proto;
2403 + key_basic->ip_proto = ip_proto;
2404 +
2405 +@@ -885,7 +885,6 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
2406 +
2407 + out_bad:
2408 + ret = false;
2409 +- key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
2410 + goto out;
2411 + }
2412 + EXPORT_SYMBOL(__skb_flow_dissect);
2413 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
2414 +index 16a1a4c4eb57..741ae2554190 100644
2415 +--- a/net/core/neighbour.c
2416 ++++ b/net/core/neighbour.c
2417 +@@ -532,7 +532,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
2418 + if (atomic_read(&tbl->entries) > (1 << nht->hash_shift))
2419 + nht = neigh_hash_grow(tbl, nht->hash_shift + 1);
2420 +
2421 +- hash_val = tbl->hash(pkey, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
2422 ++ hash_val = tbl->hash(n->primary_key, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
2423 +
2424 + if (n->parms->dead) {
2425 + rc = ERR_PTR(-EINVAL);
2426 +@@ -544,7 +544,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
2427 + n1 != NULL;
2428 + n1 = rcu_dereference_protected(n1->next,
2429 + lockdep_is_held(&tbl->lock))) {
2430 +- if (dev == n1->dev && !memcmp(n1->primary_key, pkey, key_len)) {
2431 ++ if (dev == n1->dev && !memcmp(n1->primary_key, n->primary_key, key_len)) {
2432 + if (want_ref)
2433 + neigh_hold(n1);
2434 + rc = n1;
2435 +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
2436 +index cbc3dde4cfcc..a47ad6cd41c0 100644
2437 +--- a/net/core/sysctl_net_core.c
2438 ++++ b/net/core/sysctl_net_core.c
2439 +@@ -325,7 +325,13 @@ static struct ctl_table net_core_table[] = {
2440 + .data = &bpf_jit_enable,
2441 + .maxlen = sizeof(int),
2442 + .mode = 0644,
2443 ++#ifndef CONFIG_BPF_JIT_ALWAYS_ON
2444 + .proc_handler = proc_dointvec
2445 ++#else
2446 ++ .proc_handler = proc_dointvec_minmax,
2447 ++ .extra1 = &one,
2448 ++ .extra2 = &one,
2449 ++#endif
2450 + },
2451 + # ifdef CONFIG_HAVE_EBPF_JIT
2452 + {
2453 +diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
2454 +index e1295d5f2c56..97791b0b1b51 100644
2455 +--- a/net/dccp/ccids/ccid2.c
2456 ++++ b/net/dccp/ccids/ccid2.c
2457 +@@ -140,6 +140,9 @@ static void ccid2_hc_tx_rto_expire(unsigned long data)
2458 +
2459 + ccid2_pr_debug("RTO_EXPIRE\n");
2460 +
2461 ++ if (sk->sk_state == DCCP_CLOSED)
2462 ++ goto out;
2463 ++
2464 + /* back-off timer */
2465 + hc->tx_rto <<= 1;
2466 + if (hc->tx_rto > DCCP_RTO_MAX)
2467 +diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
2468 +index 7c45b8896709..a1d1f50e0e19 100644
2469 +--- a/net/ipv4/arp.c
2470 ++++ b/net/ipv4/arp.c
2471 +@@ -223,11 +223,16 @@ static bool arp_key_eq(const struct neighbour *neigh, const void *pkey)
2472 +
2473 + static int arp_constructor(struct neighbour *neigh)
2474 + {
2475 +- __be32 addr = *(__be32 *)neigh->primary_key;
2476 ++ __be32 addr;
2477 + struct net_device *dev = neigh->dev;
2478 + struct in_device *in_dev;
2479 + struct neigh_parms *parms;
2480 ++ u32 inaddr_any = INADDR_ANY;
2481 +
2482 ++ if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
2483 ++ memcpy(neigh->primary_key, &inaddr_any, arp_tbl.key_len);
2484 ++
2485 ++ addr = *(__be32 *)neigh->primary_key;
2486 + rcu_read_lock();
2487 + in_dev = __in_dev_get_rcu(dev);
2488 + if (!in_dev) {
2489 +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
2490 +index f8b918c766b0..56c49623bb9d 100644
2491 +--- a/net/ipv4/esp4_offload.c
2492 ++++ b/net/ipv4/esp4_offload.c
2493 +@@ -121,6 +121,9 @@ static struct sk_buff *esp4_gso_segment(struct sk_buff *skb,
2494 + if (!xo)
2495 + goto out;
2496 +
2497 ++ if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
2498 ++ goto out;
2499 ++
2500 + seq = xo->seq.low;
2501 +
2502 + x = skb->sp->xvec[skb->sp->len - 1];
2503 +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
2504 +index c621266e0306..013fed55b610 100644
2505 +--- a/net/ipv4/igmp.c
2506 ++++ b/net/ipv4/igmp.c
2507 +@@ -332,7 +332,7 @@ static __be32 igmpv3_get_srcaddr(struct net_device *dev,
2508 + return htonl(INADDR_ANY);
2509 +
2510 + for_ifa(in_dev) {
2511 +- if (inet_ifa_match(fl4->saddr, ifa))
2512 ++ if (fl4->saddr == ifa->ifa_local)
2513 + return fl4->saddr;
2514 + } endfor_ifa(in_dev);
2515 +
2516 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
2517 +index 804bead564db..0ba88efca7ad 100644
2518 +--- a/net/ipv4/route.c
2519 ++++ b/net/ipv4/route.c
2520 +@@ -2762,6 +2762,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
2521 + if (err == 0 && rt->dst.error)
2522 + err = -rt->dst.error;
2523 + } else {
2524 ++ fl4.flowi4_iif = LOOPBACK_IFINDEX;
2525 + rt = ip_route_output_key_hash_rcu(net, &fl4, &res, skb);
2526 + err = 0;
2527 + if (IS_ERR(rt))
2528 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
2529 +index a0c72b09cefc..2a65d806b562 100644
2530 +--- a/net/ipv4/tcp.c
2531 ++++ b/net/ipv4/tcp.c
2532 +@@ -2273,6 +2273,9 @@ void tcp_close(struct sock *sk, long timeout)
2533 + tcp_send_active_reset(sk, GFP_ATOMIC);
2534 + __NET_INC_STATS(sock_net(sk),
2535 + LINUX_MIB_TCPABORTONMEMORY);
2536 ++ } else if (!check_net(sock_net(sk))) {
2537 ++ /* Not possible to send reset; just close */
2538 ++ tcp_set_state(sk, TCP_CLOSE);
2539 + }
2540 + }
2541 +
2542 +diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
2543 +index b6a2aa1dcf56..4d58e2ce0b5b 100644
2544 +--- a/net/ipv4/tcp_offload.c
2545 ++++ b/net/ipv4/tcp_offload.c
2546 +@@ -32,6 +32,9 @@ static void tcp_gso_tstamp(struct sk_buff *skb, unsigned int ts_seq,
2547 + static struct sk_buff *tcp4_gso_segment(struct sk_buff *skb,
2548 + netdev_features_t features)
2549 + {
2550 ++ if (!(skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4))
2551 ++ return ERR_PTR(-EINVAL);
2552 ++
2553 + if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
2554 + return ERR_PTR(-EINVAL);
2555 +
2556 +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
2557 +index e9af1879cd53..14ac7df95380 100644
2558 +--- a/net/ipv4/tcp_timer.c
2559 ++++ b/net/ipv4/tcp_timer.c
2560 +@@ -50,11 +50,19 @@ static void tcp_write_err(struct sock *sk)
2561 + * to prevent DoS attacks. It is called when a retransmission timeout
2562 + * or zero probe timeout occurs on orphaned socket.
2563 + *
2564 ++ * Also close if our net namespace is exiting; in that case there is no
2565 ++ * hope of ever communicating again since all netns interfaces are already
2566 ++ * down (or about to be down), and we need to release our dst references,
2567 ++ * which have been moved to the netns loopback interface, so the namespace
2568 ++ * can finish exiting. This condition is only possible if we are a kernel
2569 ++ * socket, as those do not hold references to the namespace.
2570 ++ *
2571 + * Criteria is still not confirmed experimentally and may change.
2572 + * We kill the socket, if:
2573 + * 1. If number of orphaned sockets exceeds an administratively configured
2574 + * limit.
2575 + * 2. If we have strong memory pressure.
2576 ++ * 3. If our net namespace is exiting.
2577 + */
2578 + static int tcp_out_of_resources(struct sock *sk, bool do_reset)
2579 + {
2580 +@@ -83,6 +91,13 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset)
2581 + __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTONMEMORY);
2582 + return 1;
2583 + }
2584 ++
2585 ++ if (!check_net(sock_net(sk))) {
2586 ++ /* Not possible to send reset; just close */
2587 ++ tcp_done(sk);
2588 ++ return 1;
2589 ++ }
2590 ++
2591 + return 0;
2592 + }
2593 +
2594 +diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
2595 +index 01801b77bd0d..ea6e6e7df0ee 100644
2596 +--- a/net/ipv4/udp_offload.c
2597 ++++ b/net/ipv4/udp_offload.c
2598 +@@ -203,6 +203,9 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb,
2599 + goto out;
2600 + }
2601 +
2602 ++ if (!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP))
2603 ++ goto out;
2604 ++
2605 + if (!pskb_may_pull(skb, sizeof(struct udphdr)))
2606 + goto out;
2607 +
2608 +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
2609 +index 333a478aa161..1ea9d794447e 100644
2610 +--- a/net/ipv6/esp6_offload.c
2611 ++++ b/net/ipv6/esp6_offload.c
2612 +@@ -148,6 +148,9 @@ static struct sk_buff *esp6_gso_segment(struct sk_buff *skb,
2613 + if (!xo)
2614 + goto out;
2615 +
2616 ++ if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
2617 ++ goto out;
2618 ++
2619 + seq = xo->seq.low;
2620 +
2621 + x = skb->sp->xvec[skb->sp->len - 1];
2622 +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
2623 +index 7a2df6646486..5b4870caf268 100644
2624 +--- a/net/ipv6/ip6_gre.c
2625 ++++ b/net/ipv6/ip6_gre.c
2626 +@@ -337,11 +337,12 @@ static struct ip6_tnl *ip6gre_tunnel_locate(struct net *net,
2627 +
2628 + nt->dev = dev;
2629 + nt->net = dev_net(dev);
2630 +- ip6gre_tnl_link_config(nt, 1);
2631 +
2632 + if (register_netdevice(dev) < 0)
2633 + goto failed_free;
2634 +
2635 ++ ip6gre_tnl_link_config(nt, 1);
2636 ++
2637 + /* Can use a lockless transmit, unless we generate output sequences */
2638 + if (!(nt->parms.o_flags & TUNNEL_SEQ))
2639 + dev->features |= NETIF_F_LLTX;
2640 +@@ -1307,7 +1308,6 @@ static void ip6gre_netlink_parms(struct nlattr *data[],
2641 +
2642 + static int ip6gre_tap_init(struct net_device *dev)
2643 + {
2644 +- struct ip6_tnl *tunnel;
2645 + int ret;
2646 +
2647 + ret = ip6gre_tunnel_init_common(dev);
2648 +@@ -1316,10 +1316,6 @@ static int ip6gre_tap_init(struct net_device *dev)
2649 +
2650 + dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
2651 +
2652 +- tunnel = netdev_priv(dev);
2653 +-
2654 +- ip6gre_tnl_link_config(tunnel, 1);
2655 +-
2656 + return 0;
2657 + }
2658 +
2659 +@@ -1411,12 +1407,16 @@ static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
2660 +
2661 + nt->dev = dev;
2662 + nt->net = dev_net(dev);
2663 +- ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
2664 +
2665 + err = register_netdevice(dev);
2666 + if (err)
2667 + goto out;
2668 +
2669 ++ ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
2670 ++
2671 ++ if (tb[IFLA_MTU])
2672 ++ ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU]));
2673 ++
2674 + dev_hold(dev);
2675 + ip6gre_tunnel_link(ign, nt);
2676 +
2677 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
2678 +index 688ba5f7516b..3763dc01e374 100644
2679 +--- a/net/ipv6/ip6_output.c
2680 ++++ b/net/ipv6/ip6_output.c
2681 +@@ -166,7 +166,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
2682 + !(IP6CB(skb)->flags & IP6SKB_REROUTED));
2683 + }
2684 +
2685 +-static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
2686 ++bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
2687 + {
2688 + if (!np->autoflowlabel_set)
2689 + return ip6_default_np_autolabel(net);
2690 +@@ -1206,14 +1206,16 @@ static int ip6_setup_cork(struct sock *sk, struct inet_cork_full *cork,
2691 + v6_cork->tclass = ipc6->tclass;
2692 + if (rt->dst.flags & DST_XFRM_TUNNEL)
2693 + mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
2694 +- rt->dst.dev->mtu : dst_mtu(&rt->dst);
2695 ++ READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst);
2696 + else
2697 + mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
2698 +- rt->dst.dev->mtu : dst_mtu(rt->dst.path);
2699 ++ READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path);
2700 + if (np->frag_size < mtu) {
2701 + if (np->frag_size)
2702 + mtu = np->frag_size;
2703 + }
2704 ++ if (mtu < IPV6_MIN_MTU)
2705 ++ return -EINVAL;
2706 + cork->base.fragsize = mtu;
2707 + if (dst_allfrag(rt->dst.path))
2708 + cork->base.flags |= IPCORK_ALLFRAG;
2709 +@@ -1733,6 +1735,7 @@ struct sk_buff *ip6_make_skb(struct sock *sk,
2710 + cork.base.flags = 0;
2711 + cork.base.addr = 0;
2712 + cork.base.opt = NULL;
2713 ++ cork.base.dst = NULL;
2714 + v6_cork.opt = NULL;
2715 + err = ip6_setup_cork(sk, &cork, &v6_cork, ipc6, rt, fl6);
2716 + if (err) {
2717 +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
2718 +index 90dbfa78a390..3b251760cb8c 100644
2719 +--- a/net/ipv6/ipv6_sockglue.c
2720 ++++ b/net/ipv6/ipv6_sockglue.c
2721 +@@ -1324,7 +1324,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
2722 + break;
2723 +
2724 + case IPV6_AUTOFLOWLABEL:
2725 +- val = np->autoflowlabel;
2726 ++ val = ip6_autoflowlabel(sock_net(sk), np);
2727 + break;
2728 +
2729 + case IPV6_RECVFRAGSIZE:
2730 +diff --git a/net/ipv6/tcpv6_offload.c b/net/ipv6/tcpv6_offload.c
2731 +index d883c9204c01..278e49cd67d4 100644
2732 +--- a/net/ipv6/tcpv6_offload.c
2733 ++++ b/net/ipv6/tcpv6_offload.c
2734 +@@ -46,6 +46,9 @@ static struct sk_buff *tcp6_gso_segment(struct sk_buff *skb,
2735 + {
2736 + struct tcphdr *th;
2737 +
2738 ++ if (!(skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6))
2739 ++ return ERR_PTR(-EINVAL);
2740 ++
2741 + if (!pskb_may_pull(skb, sizeof(*th)))
2742 + return ERR_PTR(-EINVAL);
2743 +
2744 +diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
2745 +index a0f89ad76f9d..2a04dc9c781b 100644
2746 +--- a/net/ipv6/udp_offload.c
2747 ++++ b/net/ipv6/udp_offload.c
2748 +@@ -42,6 +42,9 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
2749 + const struct ipv6hdr *ipv6h;
2750 + struct udphdr *uh;
2751 +
2752 ++ if (!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP))
2753 ++ goto out;
2754 ++
2755 + if (!pskb_may_pull(skb, sizeof(struct udphdr)))
2756 + goto out;
2757 +
2758 +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
2759 +index 41628b393673..d33ce6d5ebce 100644
2760 +--- a/net/netfilter/nfnetlink_cthelper.c
2761 ++++ b/net/netfilter/nfnetlink_cthelper.c
2762 +@@ -17,6 +17,7 @@
2763 + #include <linux/types.h>
2764 + #include <linux/list.h>
2765 + #include <linux/errno.h>
2766 ++#include <linux/capability.h>
2767 + #include <net/netlink.h>
2768 + #include <net/sock.h>
2769 +
2770 +@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
2771 + struct nfnl_cthelper *nlcth;
2772 + int ret = 0;
2773 +
2774 ++ if (!capable(CAP_NET_ADMIN))
2775 ++ return -EPERM;
2776 ++
2777 + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
2778 + return -EINVAL;
2779 +
2780 +@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
2781 + struct nfnl_cthelper *nlcth;
2782 + bool tuple_set = false;
2783 +
2784 ++ if (!capable(CAP_NET_ADMIN))
2785 ++ return -EPERM;
2786 ++
2787 + if (nlh->nlmsg_flags & NLM_F_DUMP) {
2788 + struct netlink_dump_control c = {
2789 + .dump = nfnl_cthelper_dump_table,
2790 +@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
2791 + struct nfnl_cthelper *nlcth, *n;
2792 + int j = 0, ret;
2793 +
2794 ++ if (!capable(CAP_NET_ADMIN))
2795 ++ return -EPERM;
2796 ++
2797 + if (tb[NFCTH_NAME])
2798 + helper_name = nla_data(tb[NFCTH_NAME]);
2799 +
2800 +diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
2801 +index 36e14b1f061d..a34f314a8c23 100644
2802 +--- a/net/netfilter/xt_osf.c
2803 ++++ b/net/netfilter/xt_osf.c
2804 +@@ -19,6 +19,7 @@
2805 + #include <linux/module.h>
2806 + #include <linux/kernel.h>
2807 +
2808 ++#include <linux/capability.h>
2809 + #include <linux/if.h>
2810 + #include <linux/inetdevice.h>
2811 + #include <linux/ip.h>
2812 +@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
2813 + struct xt_osf_finger *kf = NULL, *sf;
2814 + int err = 0;
2815 +
2816 ++ if (!capable(CAP_NET_ADMIN))
2817 ++ return -EPERM;
2818 ++
2819 + if (!osf_attrs[OSF_ATTR_FINGER])
2820 + return -EINVAL;
2821 +
2822 +@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
2823 + struct xt_osf_finger *sf;
2824 + int err = -ENOENT;
2825 +
2826 ++ if (!capable(CAP_NET_ADMIN))
2827 ++ return -EPERM;
2828 ++
2829 + if (!osf_attrs[OSF_ATTR_FINGER])
2830 + return -EINVAL;
2831 +
2832 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
2833 +index aac9d68b4636..533fd0503ba0 100644
2834 +--- a/net/netlink/af_netlink.c
2835 ++++ b/net/netlink/af_netlink.c
2836 +@@ -2393,13 +2393,14 @@ int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *,
2837 + struct nlmsghdr *,
2838 + struct netlink_ext_ack *))
2839 + {
2840 +- struct netlink_ext_ack extack = {};
2841 ++ struct netlink_ext_ack extack;
2842 + struct nlmsghdr *nlh;
2843 + int err;
2844 +
2845 + while (skb->len >= nlmsg_total_size(0)) {
2846 + int msglen;
2847 +
2848 ++ memset(&extack, 0, sizeof(extack));
2849 + nlh = nlmsg_hdr(skb);
2850 + err = 0;
2851 +
2852 +diff --git a/net/sctp/offload.c b/net/sctp/offload.c
2853 +index 275925b93b29..35bc7106d182 100644
2854 +--- a/net/sctp/offload.c
2855 ++++ b/net/sctp/offload.c
2856 +@@ -45,6 +45,9 @@ static struct sk_buff *sctp_gso_segment(struct sk_buff *skb,
2857 + struct sk_buff *segs = ERR_PTR(-EINVAL);
2858 + struct sctphdr *sh;
2859 +
2860 ++ if (!(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP))
2861 ++ goto out;
2862 ++
2863 + sh = sctp_hdr(skb);
2864 + if (!pskb_may_pull(skb, sizeof(*sh)))
2865 + goto out;
2866 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
2867 +index df806b8819aa..1c08d86efe94 100644
2868 +--- a/net/sctp/socket.c
2869 ++++ b/net/sctp/socket.c
2870 +@@ -84,7 +84,7 @@
2871 + static int sctp_writeable(struct sock *sk);
2872 + static void sctp_wfree(struct sk_buff *skb);
2873 + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
2874 +- size_t msg_len, struct sock **orig_sk);
2875 ++ size_t msg_len);
2876 + static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
2877 + static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
2878 + static int sctp_wait_for_accept(struct sock *sk, long timeo);
2879 +@@ -334,16 +334,14 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt,
2880 + if (len < sizeof (struct sockaddr))
2881 + return NULL;
2882 +
2883 ++ if (!opt->pf->af_supported(addr->sa.sa_family, opt))
2884 ++ return NULL;
2885 ++
2886 + /* V4 mapped address are really of AF_INET family */
2887 + if (addr->sa.sa_family == AF_INET6 &&
2888 +- ipv6_addr_v4mapped(&addr->v6.sin6_addr)) {
2889 +- if (!opt->pf->af_supported(AF_INET, opt))
2890 +- return NULL;
2891 +- } else {
2892 +- /* Does this PF support this AF? */
2893 +- if (!opt->pf->af_supported(addr->sa.sa_family, opt))
2894 +- return NULL;
2895 +- }
2896 ++ ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
2897 ++ !opt->pf->af_supported(AF_INET, opt))
2898 ++ return NULL;
2899 +
2900 + /* If we get this far, af is valid. */
2901 + af = sctp_get_af_specific(addr->sa.sa_family);
2902 +@@ -1882,8 +1880,14 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
2903 + */
2904 + if (sinit) {
2905 + if (sinit->sinit_num_ostreams) {
2906 +- asoc->c.sinit_num_ostreams =
2907 +- sinit->sinit_num_ostreams;
2908 ++ __u16 outcnt = sinit->sinit_num_ostreams;
2909 ++
2910 ++ asoc->c.sinit_num_ostreams = outcnt;
2911 ++ /* outcnt has been changed, so re-init stream */
2912 ++ err = sctp_stream_init(&asoc->stream, outcnt, 0,
2913 ++ GFP_KERNEL);
2914 ++ if (err)
2915 ++ goto out_free;
2916 + }
2917 + if (sinit->sinit_max_instreams) {
2918 + asoc->c.sinit_max_instreams =
2919 +@@ -1963,7 +1967,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
2920 + timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
2921 + if (!sctp_wspace(asoc)) {
2922 + /* sk can be changed by peel off when waiting for buf. */
2923 +- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
2924 ++ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
2925 + if (err) {
2926 + if (err == -ESRCH) {
2927 + /* asoc is already dead. */
2928 +@@ -7827,12 +7831,12 @@ void sctp_sock_rfree(struct sk_buff *skb)
2929 +
2930 + /* Helper function to wait for space in the sndbuf. */
2931 + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
2932 +- size_t msg_len, struct sock **orig_sk)
2933 ++ size_t msg_len)
2934 + {
2935 + struct sock *sk = asoc->base.sk;
2936 +- int err = 0;
2937 + long current_timeo = *timeo_p;
2938 + DEFINE_WAIT(wait);
2939 ++ int err = 0;
2940 +
2941 + pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc,
2942 + *timeo_p, msg_len);
2943 +@@ -7861,17 +7865,13 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
2944 + release_sock(sk);
2945 + current_timeo = schedule_timeout(current_timeo);
2946 + lock_sock(sk);
2947 +- if (sk != asoc->base.sk) {
2948 +- release_sock(sk);
2949 +- sk = asoc->base.sk;
2950 +- lock_sock(sk);
2951 +- }
2952 ++ if (sk != asoc->base.sk)
2953 ++ goto do_error;
2954 +
2955 + *timeo_p = current_timeo;
2956 + }
2957 +
2958 + out:
2959 +- *orig_sk = sk;
2960 + finish_wait(&asoc->wait, &wait);
2961 +
2962 + /* Release the association's refcnt. */
2963 +diff --git a/net/socket.c b/net/socket.c
2964 +index c729625eb5d3..d894c7c5fa54 100644
2965 +--- a/net/socket.c
2966 ++++ b/net/socket.c
2967 +@@ -2642,6 +2642,15 @@ static int __init sock_init(void)
2968 +
2969 + core_initcall(sock_init); /* early initcall */
2970 +
2971 ++static int __init jit_init(void)
2972 ++{
2973 ++#ifdef CONFIG_BPF_JIT_ALWAYS_ON
2974 ++ bpf_jit_enable = 1;
2975 ++#endif
2976 ++ return 0;
2977 ++}
2978 ++pure_initcall(jit_init);
2979 ++
2980 + #ifdef CONFIG_PROC_FS
2981 + void socket_seq_show(struct seq_file *seq)
2982 + {
2983 +diff --git a/net/tipc/node.c b/net/tipc/node.c
2984 +index 198dbc7adbe1..f6c5743c170e 100644
2985 +--- a/net/tipc/node.c
2986 ++++ b/net/tipc/node.c
2987 +@@ -1848,36 +1848,38 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
2988 +
2989 + if (strcmp(name, tipc_bclink_name) == 0) {
2990 + err = tipc_nl_add_bc_link(net, &msg);
2991 +- if (err) {
2992 +- nlmsg_free(msg.skb);
2993 +- return err;
2994 +- }
2995 ++ if (err)
2996 ++ goto err_free;
2997 + } else {
2998 + int bearer_id;
2999 + struct tipc_node *node;
3000 + struct tipc_link *link;
3001 +
3002 + node = tipc_node_find_by_name(net, name, &bearer_id);
3003 +- if (!node)
3004 +- return -EINVAL;
3005 ++ if (!node) {
3006 ++ err = -EINVAL;
3007 ++ goto err_free;
3008 ++ }
3009 +
3010 + tipc_node_read_lock(node);
3011 + link = node->links[bearer_id].link;
3012 + if (!link) {
3013 + tipc_node_read_unlock(node);
3014 +- nlmsg_free(msg.skb);
3015 +- return -EINVAL;
3016 ++ err = -EINVAL;
3017 ++ goto err_free;
3018 + }
3019 +
3020 + err = __tipc_nl_add_link(net, &msg, link, 0);
3021 + tipc_node_read_unlock(node);
3022 +- if (err) {
3023 +- nlmsg_free(msg.skb);
3024 +- return err;
3025 +- }
3026 ++ if (err)
3027 ++ goto err_free;
3028 + }
3029 +
3030 + return genlmsg_reply(msg.skb, info);
3031 ++
3032 ++err_free:
3033 ++ nlmsg_free(msg.skb);
3034 ++ return err;
3035 + }
3036 +
3037 + int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info)
3038 +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
3039 +index 60aff60e30ad..282361ac0263 100644
3040 +--- a/net/tls/tls_main.c
3041 ++++ b/net/tls/tls_main.c
3042 +@@ -364,14 +364,16 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
3043 + crypto_info = &ctx->crypto_send;
3044 +
3045 + /* Currently we don't support set crypto info more than one time */
3046 +- if (TLS_CRYPTO_INFO_READY(crypto_info))
3047 ++ if (TLS_CRYPTO_INFO_READY(crypto_info)) {
3048 ++ rc = -EBUSY;
3049 + goto out;
3050 ++ }
3051 +
3052 + switch (tmp_crypto_info.cipher_type) {
3053 + case TLS_CIPHER_AES_GCM_128: {
3054 + if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
3055 + rc = -EINVAL;
3056 +- goto out;
3057 ++ goto err_crypto_info;
3058 + }
3059 + rc = copy_from_user(
3060 + crypto_info,
3061 +@@ -386,7 +388,7 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
3062 + }
3063 + default:
3064 + rc = -EINVAL;
3065 +- goto out;
3066 ++ goto err_crypto_info;
3067 + }
3068 +
3069 + ctx->sk_write_space = sk->sk_write_space;
3070 +@@ -444,6 +446,15 @@ static int tls_init(struct sock *sk)
3071 + struct tls_context *ctx;
3072 + int rc = 0;
3073 +
3074 ++ /* The TLS ulp is currently supported only for TCP sockets
3075 ++ * in ESTABLISHED state.
3076 ++ * Supporting sockets in LISTEN state will require us
3077 ++ * to modify the accept implementation to clone rather then
3078 ++ * share the ulp context.
3079 ++ */
3080 ++ if (sk->sk_state != TCP_ESTABLISHED)
3081 ++ return -ENOTSUPP;
3082 ++
3083 + /* allocate tls context */
3084 + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
3085 + if (!ctx) {
3086 +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
3087 +index f00383a37622..83f886d7c1f8 100644
3088 +--- a/net/tls/tls_sw.c
3089 ++++ b/net/tls/tls_sw.c
3090 +@@ -407,7 +407,7 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
3091 +
3092 + while (msg_data_left(msg)) {
3093 + if (sk->sk_err) {
3094 +- ret = sk->sk_err;
3095 ++ ret = -sk->sk_err;
3096 + goto send_end;
3097 + }
3098 +
3099 +@@ -560,7 +560,7 @@ int tls_sw_sendpage(struct sock *sk, struct page *page,
3100 + size_t copy, required_size;
3101 +
3102 + if (sk->sk_err) {
3103 +- ret = sk->sk_err;
3104 ++ ret = -sk->sk_err;
3105 + goto sendpage_end;
3106 + }
3107 +
3108 +@@ -697,18 +697,17 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx)
3109 + }
3110 + default:
3111 + rc = -EINVAL;
3112 +- goto out;
3113 ++ goto free_priv;
3114 + }
3115 +
3116 + ctx->prepend_size = TLS_HEADER_SIZE + nonce_size;
3117 + ctx->tag_size = tag_size;
3118 + ctx->overhead_size = ctx->prepend_size + ctx->tag_size;
3119 + ctx->iv_size = iv_size;
3120 +- ctx->iv = kmalloc(iv_size + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
3121 +- GFP_KERNEL);
3122 ++ ctx->iv = kmalloc(iv_size + TLS_CIPHER_AES_GCM_128_SALT_SIZE, GFP_KERNEL);
3123 + if (!ctx->iv) {
3124 + rc = -ENOMEM;
3125 +- goto out;
3126 ++ goto free_priv;
3127 + }
3128 + memcpy(ctx->iv, gcm_128_info->salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
3129 + memcpy(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, iv, iv_size);
3130 +@@ -756,7 +755,7 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx)
3131 +
3132 + rc = crypto_aead_setauthsize(sw_ctx->aead_send, ctx->tag_size);
3133 + if (!rc)
3134 +- goto out;
3135 ++ return 0;
3136 +
3137 + free_aead:
3138 + crypto_free_aead(sw_ctx->aead_send);
3139 +@@ -767,6 +766,9 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx)
3140 + free_iv:
3141 + kfree(ctx->iv);
3142 + ctx->iv = NULL;
3143 ++free_priv:
3144 ++ kfree(ctx->priv_ctx);
3145 ++ ctx->priv_ctx = NULL;
3146 + out:
3147 + return rc;
3148 + }
3149 +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
3150 +index 6bc16bb61b55..688ed34f0671 100644
3151 +--- a/net/xfrm/xfrm_policy.c
3152 ++++ b/net/xfrm/xfrm_policy.c
3153 +@@ -2056,8 +2056,11 @@ xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
3154 + if (num_xfrms <= 0)
3155 + goto make_dummy_bundle;
3156 +
3157 ++ local_bh_disable();
3158 + xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family,
3159 +- xflo->dst_orig);
3160 ++ xflo->dst_orig);
3161 ++ local_bh_enable();
3162 ++
3163 + if (IS_ERR(xdst)) {
3164 + err = PTR_ERR(xdst);
3165 + if (err != -EAGAIN)
3166 +@@ -2144,9 +2147,12 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
3167 + goto no_transform;
3168 + }
3169 +
3170 ++ local_bh_disable();
3171 + xdst = xfrm_resolve_and_create_bundle(
3172 + pols, num_pols, fl,
3173 + family, dst_orig);
3174 ++ local_bh_enable();
3175 ++
3176 + if (IS_ERR(xdst)) {
3177 + xfrm_pols_put(pols, num_pols);
3178 + err = PTR_ERR(xdst);
3179 +diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
3180 +index 1241487de93f..16299939d3ff 100644
3181 +--- a/tools/testing/selftests/bpf/test_verifier.c
3182 ++++ b/tools/testing/selftests/bpf/test_verifier.c
3183 +@@ -2595,6 +2595,29 @@ static struct bpf_test tests[] = {
3184 + .result = ACCEPT,
3185 + .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3186 + },
3187 ++ {
3188 ++ "context stores via ST",
3189 ++ .insns = {
3190 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
3191 ++ BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3192 ++ BPF_EXIT_INSN(),
3193 ++ },
3194 ++ .errstr = "BPF_ST stores into R1 context is not allowed",
3195 ++ .result = REJECT,
3196 ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3197 ++ },
3198 ++ {
3199 ++ "context stores via XADD",
3200 ++ .insns = {
3201 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
3202 ++ BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3203 ++ BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3204 ++ BPF_EXIT_INSN(),
3205 ++ },
3206 ++ .errstr = "BPF_XADD stores into R1 context is not allowed",
3207 ++ .result = REJECT,
3208 ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3209 ++ },
3210 + {
3211 + "direct packet access: test1",
3212 + .insns = {
3213 +@@ -4317,7 +4340,8 @@ static struct bpf_test tests[] = {
3214 + .fixup_map1 = { 2 },
3215 + .errstr_unpriv = "R2 leaks addr into mem",
3216 + .result_unpriv = REJECT,
3217 +- .result = ACCEPT,
3218 ++ .result = REJECT,
3219 ++ .errstr = "BPF_XADD stores into R1 context is not allowed",
3220 + },
3221 + {
3222 + "leak pointer into ctx 2",
3223 +@@ -4331,7 +4355,8 @@ static struct bpf_test tests[] = {
3224 + },
3225 + .errstr_unpriv = "R10 leaks addr into mem",
3226 + .result_unpriv = REJECT,
3227 +- .result = ACCEPT,
3228 ++ .result = REJECT,
3229 ++ .errstr = "BPF_XADD stores into R1 context is not allowed",
3230 + },
3231 + {
3232 + "leak pointer into ctx 3",
Report Message
Find on MARC Find on Google Groups