Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Sun, 11 Aug 2019 10:59:58
Message-Id: 1565521176.9be44d2876e04a79365ed86a6cc3fb1ed9c3b492.mpagano@gentoo
1 commit: 9be44d2876e04a79365ed86a6cc3fb1ed9c3b492
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Aug 11 10:59:36 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Aug 11 10:59:36 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=9be44d28
7
8 Linux patch 4.9.189
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1188_linux-4.9.189.patch | 1396 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1400 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 6e9f4e5..06f5715 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -795,6 +795,10 @@ Patch: 1187_linux-4.9.188.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.188
23
24 +Patch: 1188_linux-4.9.189.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.189
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1188_linux-4.9.189.patch b/1188_linux-4.9.189.patch
33 new file mode 100644
34 index 0000000..3707b77
35 --- /dev/null
36 +++ b/1188_linux-4.9.189.patch
37 @@ -0,0 +1,1396 @@
38 +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
39 +index 55a9bbbcf5e1..f4f0a1b9ba29 100644
40 +--- a/Documentation/kernel-parameters.txt
41 ++++ b/Documentation/kernel-parameters.txt
42 +@@ -2484,6 +2484,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
43 + improves system performance, but it may also
44 + expose users to several CPU vulnerabilities.
45 + Equivalent to: nopti [X86]
46 ++ nospectre_v1 [X86]
47 + nospectre_v2 [X86]
48 + spectre_v2_user=off [X86]
49 + spec_store_bypass_disable=off [X86]
50 +@@ -2819,10 +2820,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
51 +
52 + nohugeiomap [KNL,x86] Disable kernel huge I/O mappings.
53 +
54 +- nospectre_v1 [PPC] Disable mitigations for Spectre Variant 1 (bounds
55 +- check bypass). With this option data leaks are possible
56 +- in the system.
57 +-
58 + nosmt [KNL,S390] Disable symmetric multithreading (SMT).
59 + Equivalent to smt=1.
60 +
61 +@@ -2830,6 +2827,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
62 + nosmt=force: Force disable SMT, cannot be undone
63 + via the sysfs control file.
64 +
65 ++ nospectre_v1 [X86,PPC] Disable mitigations for Spectre Variant 1
66 ++ (bounds check bypass). With this option data leaks are
67 ++ possible in the system.
68 ++
69 + nospectre_v2 [X86,PPC_FSL_BOOK3E] Disable all mitigations for the Spectre variant 2
70 + (indirect branch prediction) vulnerability. System may
71 + allow data leaks with this option, which is equivalent
72 +diff --git a/Makefile b/Makefile
73 +index b6b54e6f67e8..4fdc9d984f80 100644
74 +--- a/Makefile
75 ++++ b/Makefile
76 +@@ -1,6 +1,6 @@
77 + VERSION = 4
78 + PATCHLEVEL = 9
79 +-SUBLEVEL = 188
80 ++SUBLEVEL = 189
81 + EXTRAVERSION =
82 + NAME = Roaring Lionus
83 +
84 +diff --git a/arch/arm/boot/dts/logicpd-som-lv.dtsi b/arch/arm/boot/dts/logicpd-som-lv.dtsi
85 +index 876ed5f2922c..f82f193b8856 100644
86 +--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi
87 ++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi
88 +@@ -108,16 +108,21 @@
89 + twl_audio: audio {
90 + compatible = "ti,twl4030-audio";
91 + codec {
92 ++ ti,hs_extmute_gpio = <&gpio2 25 GPIO_ACTIVE_HIGH>;
93 + };
94 + };
95 + };
96 + };
97 +
98 + &i2c2 {
99 ++ pinctrl-names = "default";
100 ++ pinctrl-0 = <&i2c2_pins>;
101 + clock-frequency = <400000>;
102 + };
103 +
104 + &i2c3 {
105 ++ pinctrl-names = "default";
106 ++ pinctrl-0 = <&i2c3_pins>;
107 + clock-frequency = <400000>;
108 + };
109 +
110 +@@ -221,6 +226,7 @@
111 + pinctrl-single,pins = <
112 + OMAP3_CORE1_IOPAD(0x21ba, PIN_INPUT | MUX_MODE0) /* i2c1_scl.i2c1_scl */
113 + OMAP3_CORE1_IOPAD(0x21bc, PIN_INPUT | MUX_MODE0) /* i2c1_sda.i2c1_sda */
114 ++ OMAP3_CORE1_IOPAD(0x20ba, PIN_OUTPUT | MUX_MODE4) /* gpmc_ncs6.gpio_57 */
115 + >;
116 + };
117 + };
118 +@@ -239,6 +245,18 @@
119 + OMAP3_WKUP_IOPAD(0x2a0c, PIN_OUTPUT | MUX_MODE4) /* sys_boot1.gpio_3 */
120 + >;
121 + };
122 ++ i2c2_pins: pinmux_i2c2_pins {
123 ++ pinctrl-single,pins = <
124 ++ OMAP3_CORE1_IOPAD(0x21be, PIN_INPUT | MUX_MODE0) /* i2c2_scl */
125 ++ OMAP3_CORE1_IOPAD(0x21c0, PIN_INPUT | MUX_MODE0) /* i2c2_sda */
126 ++ >;
127 ++ };
128 ++ i2c3_pins: pinmux_i2c3_pins {
129 ++ pinctrl-single,pins = <
130 ++ OMAP3_CORE1_IOPAD(0x21c2, PIN_INPUT | MUX_MODE0) /* i2c3_scl */
131 ++ OMAP3_CORE1_IOPAD(0x21c4, PIN_INPUT | MUX_MODE0) /* i2c3_sda */
132 ++ >;
133 ++ };
134 + };
135 +
136 + &omap3_pmx_core2 {
137 +diff --git a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
138 +index 08f0a35dc0d1..ceb49d15d243 100644
139 +--- a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
140 ++++ b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi
141 +@@ -117,10 +117,14 @@
142 + };
143 +
144 + &i2c2 {
145 ++ pinctrl-names = "default";
146 ++ pinctrl-0 = <&i2c2_pins>;
147 + clock-frequency = <400000>;
148 + };
149 +
150 + &i2c3 {
151 ++ pinctrl-names = "default";
152 ++ pinctrl-0 = <&i2c3_pins>;
153 + clock-frequency = <400000>;
154 + at24@50 {
155 + compatible = "atmel,24c64";
156 +@@ -215,6 +219,18 @@
157 + OMAP3_CORE1_IOPAD(0x21bc, PIN_INPUT | MUX_MODE0) /* i2c1_sda.i2c1_sda */
158 + >;
159 + };
160 ++ i2c2_pins: pinmux_i2c2_pins {
161 ++ pinctrl-single,pins = <
162 ++ OMAP3_CORE1_IOPAD(0x21be, PIN_INPUT | MUX_MODE0) /* i2c2_scl */
163 ++ OMAP3_CORE1_IOPAD(0x21c0, PIN_INPUT | MUX_MODE0) /* i2c2_sda */
164 ++ >;
165 ++ };
166 ++ i2c3_pins: pinmux_i2c3_pins {
167 ++ pinctrl-single,pins = <
168 ++ OMAP3_CORE1_IOPAD(0x21c2, PIN_INPUT | MUX_MODE0) /* i2c3_scl */
169 ++ OMAP3_CORE1_IOPAD(0x21c4, PIN_INPUT | MUX_MODE0) /* i2c3_sda */
170 ++ >;
171 ++ };
172 + };
173 +
174 + &uart2 {
175 +diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
176 +index 15868eca58de..e7bef3d936d8 100644
177 +--- a/arch/arm64/include/asm/cpufeature.h
178 ++++ b/arch/arm64/include/asm/cpufeature.h
179 +@@ -31,9 +31,10 @@
180 +
181 + /* CPU feature register tracking */
182 + enum ftr_type {
183 +- FTR_EXACT, /* Use a predefined safe value */
184 +- FTR_LOWER_SAFE, /* Smaller value is safe */
185 +- FTR_HIGHER_SAFE,/* Bigger value is safe */
186 ++ FTR_EXACT, /* Use a predefined safe value */
187 ++ FTR_LOWER_SAFE, /* Smaller value is safe */
188 ++ FTR_HIGHER_SAFE, /* Bigger value is safe */
189 ++ FTR_HIGHER_OR_ZERO_SAFE, /* Bigger value is safe, but 0 is biggest */
190 + };
191 +
192 + #define FTR_STRICT true /* SANITY check strict matching required */
193 +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
194 +index a3ab7dfad50a..9a8e45dc36bd 100644
195 +--- a/arch/arm64/kernel/cpufeature.c
196 ++++ b/arch/arm64/kernel/cpufeature.c
197 +@@ -148,10 +148,12 @@ static const struct arm64_ftr_bits ftr_id_aa64mmfr2[] = {
198 + };
199 +
200 + static const struct arm64_ftr_bits ftr_ctr[] = {
201 +- ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 31, 1, 1), /* RAO */
202 +- ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 28, 3, 0),
203 +- ARM64_FTR_BITS(FTR_STRICT, FTR_HIGHER_SAFE, 24, 4, 0), /* CWG */
204 +- ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, 20, 4, 0), /* ERG */
205 ++ ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 31, 1, 1), /* RES1 */
206 ++ ARM64_FTR_BITS(FTR_STRICT, FTR_EXACT, 30, 1, 0),
207 ++ ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, 29, 1, 1), /* DIC */
208 ++ ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, 28, 1, 1), /* IDC */
209 ++ ARM64_FTR_BITS(FTR_STRICT, FTR_HIGHER_OR_ZERO_SAFE, 24, 4, 0), /* CWG */
210 ++ ARM64_FTR_BITS(FTR_STRICT, FTR_HIGHER_OR_ZERO_SAFE, 20, 4, 0), /* ERG */
211 + ARM64_FTR_BITS(FTR_STRICT, FTR_LOWER_SAFE, CTR_DMINLINE_SHIFT, 4, 1),
212 + /*
213 + * Linux can handle differing I-cache policies. Userspace JITs will
214 +@@ -390,6 +392,10 @@ static s64 arm64_ftr_safe_value(const struct arm64_ftr_bits *ftrp, s64 new,
215 + case FTR_LOWER_SAFE:
216 + ret = new < cur ? new : cur;
217 + break;
218 ++ case FTR_HIGHER_OR_ZERO_SAFE:
219 ++ if (!cur || !new)
220 ++ break;
221 ++ /* Fallthrough */
222 + case FTR_HIGHER_SAFE:
223 + ret = new > cur ? new : cur;
224 + break;
225 +diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
226 +index 9a9e5884066c..8af8c070f213 100644
227 +--- a/arch/x86/entry/calling.h
228 ++++ b/arch/x86/entry/calling.h
229 +@@ -1,4 +1,5 @@
230 + #include <linux/jump_label.h>
231 ++#include <asm/cpufeatures.h>
232 +
233 + /*
234 +
235 +@@ -201,6 +202,23 @@ For 32-bit we have the following conventions - kernel is built with
236 + .byte 0xf1
237 + .endm
238 +
239 ++/*
240 ++ * Mitigate Spectre v1 for conditional swapgs code paths.
241 ++ *
242 ++ * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to
243 ++ * prevent a speculative swapgs when coming from kernel space.
244 ++ *
245 ++ * FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path,
246 ++ * to prevent the swapgs from getting speculatively skipped when coming from
247 ++ * user space.
248 ++ */
249 ++.macro FENCE_SWAPGS_USER_ENTRY
250 ++ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER
251 ++.endm
252 ++.macro FENCE_SWAPGS_KERNEL_ENTRY
253 ++ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL
254 ++.endm
255 ++
256 + #endif /* CONFIG_X86_64 */
257 +
258 + /*
259 +diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
260 +index 8252d9dc48eb..10ecfba43dff 100644
261 +--- a/arch/x86/entry/entry_64.S
262 ++++ b/arch/x86/entry/entry_64.S
263 +@@ -420,6 +420,7 @@ END(irq_entries_start)
264 + * tracking that we're in kernel mode.
265 + */
266 + SWAPGS
267 ++ FENCE_SWAPGS_USER_ENTRY
268 + SWITCH_KERNEL_CR3
269 +
270 + /*
271 +@@ -433,8 +434,10 @@ END(irq_entries_start)
272 + TRACE_IRQS_OFF
273 +
274 + CALL_enter_from_user_mode
275 +-
276 ++ jmp 2f
277 + 1:
278 ++ FENCE_SWAPGS_KERNEL_ENTRY
279 ++2:
280 + /*
281 + * Save previous stack pointer, optionally switch to interrupt stack.
282 + * irq_count is used to check if a CPU is already on an interrupt stack
283 +@@ -1004,6 +1007,13 @@ ENTRY(paranoid_entry)
284 + movq %rax, %cr3
285 + 2:
286 + #endif
287 ++ /*
288 ++ * The above doesn't do an unconditional CR3 write, even in the PTI
289 ++ * case. So do an lfence to prevent GS speculation, regardless of
290 ++ * whether PTI is enabled.
291 ++ */
292 ++ FENCE_SWAPGS_KERNEL_ENTRY
293 ++
294 + ret
295 + END(paranoid_entry)
296 +
297 +@@ -1065,6 +1075,7 @@ ENTRY(error_entry)
298 + * from user mode due to an IRET fault.
299 + */
300 + SWAPGS
301 ++ FENCE_SWAPGS_USER_ENTRY
302 +
303 + .Lerror_entry_from_usermode_after_swapgs:
304 + /*
305 +@@ -1076,6 +1087,8 @@ ENTRY(error_entry)
306 + CALL_enter_from_user_mode
307 + ret
308 +
309 ++.Lerror_entry_done_lfence:
310 ++ FENCE_SWAPGS_KERNEL_ENTRY
311 + .Lerror_entry_done:
312 + TRACE_IRQS_OFF
313 + ret
314 +@@ -1094,7 +1107,7 @@ ENTRY(error_entry)
315 + cmpq %rax, RIP+8(%rsp)
316 + je .Lbstep_iret
317 + cmpq $.Lgs_change, RIP+8(%rsp)
318 +- jne .Lerror_entry_done
319 ++ jne .Lerror_entry_done_lfence
320 +
321 + /*
322 + * hack: .Lgs_change can fail with user gsbase. If this happens, fix up
323 +@@ -1102,6 +1115,7 @@ ENTRY(error_entry)
324 + * .Lgs_change's error handler with kernel gsbase.
325 + */
326 + SWAPGS
327 ++ FENCE_SWAPGS_USER_ENTRY
328 + jmp .Lerror_entry_done
329 +
330 + .Lbstep_iret:
331 +@@ -1115,6 +1129,7 @@ ENTRY(error_entry)
332 + * Switch to kernel gsbase:
333 + */
334 + SWAPGS
335 ++ FENCE_SWAPGS_USER_ENTRY
336 +
337 + /*
338 + * Pretend that the exception came from user mode: set up pt_regs
339 +@@ -1211,6 +1226,7 @@ ENTRY(nmi)
340 + * to switch CR3 here.
341 + */
342 + cld
343 ++ FENCE_SWAPGS_USER_ENTRY
344 + movq %rsp, %rdx
345 + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
346 + pushq 5*8(%rdx) /* pt_regs->ss */
347 +@@ -1499,6 +1515,7 @@ end_repeat_nmi:
348 + movq %rax, %cr3
349 + 2:
350 + #endif
351 ++ FENCE_SWAPGS_KERNEL_ENTRY
352 +
353 + /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
354 + call do_nmi
355 +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
356 +index 06de338be0d8..3a972da155d6 100644
357 +--- a/arch/x86/include/asm/cpufeatures.h
358 ++++ b/arch/x86/include/asm/cpufeatures.h
359 +@@ -192,7 +192,8 @@
360 +
361 + #define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */
362 + #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
363 +-
364 ++#define X86_FEATURE_FENCE_SWAPGS_USER ( 7*32+10) /* "" LFENCE in user entry SWAPGS path */
365 ++#define X86_FEATURE_FENCE_SWAPGS_KERNEL ( 7*32+11) /* "" LFENCE in kernel entry SWAPGS path */
366 + #define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
367 + #define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
368 +
369 +@@ -201,9 +202,6 @@
370 +
371 + #define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */
372 +
373 +-/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
374 +-#define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
375 +-
376 + #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
377 + #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
378 + #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
379 +@@ -214,6 +212,7 @@
380 + #define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
381 + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
382 + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
383 ++#define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
384 +
385 + /* Virtualization flags: Linux defined, word 8 */
386 + #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
387 +@@ -357,5 +356,6 @@
388 + #define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */
389 + #define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */
390 + #define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */
391 ++#define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
392 +
393 + #endif /* _ASM_X86_CPUFEATURES_H */
394 +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
395 +index a4f343ac042e..2a42fef275ad 100644
396 +--- a/arch/x86/kernel/cpu/bugs.c
397 ++++ b/arch/x86/kernel/cpu/bugs.c
398 +@@ -31,6 +31,7 @@
399 + #include <asm/intel-family.h>
400 + #include <asm/e820.h>
401 +
402 ++static void __init spectre_v1_select_mitigation(void);
403 + static void __init spectre_v2_select_mitigation(void);
404 + static void __init ssb_select_mitigation(void);
405 + static void __init l1tf_select_mitigation(void);
406 +@@ -95,17 +96,11 @@ void __init check_bugs(void)
407 + if (boot_cpu_has(X86_FEATURE_STIBP))
408 + x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
409 +
410 +- /* Select the proper spectre mitigation before patching alternatives */
411 ++ /* Select the proper CPU mitigations before patching alternatives: */
412 ++ spectre_v1_select_mitigation();
413 + spectre_v2_select_mitigation();
414 +-
415 +- /*
416 +- * Select proper mitigation for any exposure to the Speculative Store
417 +- * Bypass vulnerability.
418 +- */
419 + ssb_select_mitigation();
420 +-
421 + l1tf_select_mitigation();
422 +-
423 + mds_select_mitigation();
424 +
425 + arch_smt_update();
426 +@@ -270,6 +265,98 @@ static int __init mds_cmdline(char *str)
427 + }
428 + early_param("mds", mds_cmdline);
429 +
430 ++#undef pr_fmt
431 ++#define pr_fmt(fmt) "Spectre V1 : " fmt
432 ++
433 ++enum spectre_v1_mitigation {
434 ++ SPECTRE_V1_MITIGATION_NONE,
435 ++ SPECTRE_V1_MITIGATION_AUTO,
436 ++};
437 ++
438 ++static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
439 ++ SPECTRE_V1_MITIGATION_AUTO;
440 ++
441 ++static const char * const spectre_v1_strings[] = {
442 ++ [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
443 ++ [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
444 ++};
445 ++
446 ++/*
447 ++ * Does SMAP provide full mitigation against speculative kernel access to
448 ++ * userspace?
449 ++ */
450 ++static bool smap_works_speculatively(void)
451 ++{
452 ++ if (!boot_cpu_has(X86_FEATURE_SMAP))
453 ++ return false;
454 ++
455 ++ /*
456 ++ * On CPUs which are vulnerable to Meltdown, SMAP does not
457 ++ * prevent speculative access to user data in the L1 cache.
458 ++ * Consider SMAP to be non-functional as a mitigation on these
459 ++ * CPUs.
460 ++ */
461 ++ if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
462 ++ return false;
463 ++
464 ++ return true;
465 ++}
466 ++
467 ++static void __init spectre_v1_select_mitigation(void)
468 ++{
469 ++ if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
470 ++ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
471 ++ return;
472 ++ }
473 ++
474 ++ if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
475 ++ /*
476 ++ * With Spectre v1, a user can speculatively control either
477 ++ * path of a conditional swapgs with a user-controlled GS
478 ++ * value. The mitigation is to add lfences to both code paths.
479 ++ *
480 ++ * If FSGSBASE is enabled, the user can put a kernel address in
481 ++ * GS, in which case SMAP provides no protection.
482 ++ *
483 ++ * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the
484 ++ * FSGSBASE enablement patches have been merged. ]
485 ++ *
486 ++ * If FSGSBASE is disabled, the user can only put a user space
487 ++ * address in GS. That makes an attack harder, but still
488 ++ * possible if there's no SMAP protection.
489 ++ */
490 ++ if (!smap_works_speculatively()) {
491 ++ /*
492 ++ * Mitigation can be provided from SWAPGS itself or
493 ++ * PTI as the CR3 write in the Meltdown mitigation
494 ++ * is serializing.
495 ++ *
496 ++ * If neither is there, mitigate with an LFENCE to
497 ++ * stop speculation through swapgs.
498 ++ */
499 ++ if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
500 ++ !boot_cpu_has(X86_FEATURE_KAISER))
501 ++ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
502 ++
503 ++ /*
504 ++ * Enable lfences in the kernel entry (non-swapgs)
505 ++ * paths, to prevent user entry from speculatively
506 ++ * skipping swapgs.
507 ++ */
508 ++ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
509 ++ }
510 ++ }
511 ++
512 ++ pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
513 ++}
514 ++
515 ++static int __init nospectre_v1_cmdline(char *str)
516 ++{
517 ++ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
518 ++ return 0;
519 ++}
520 ++early_param("nospectre_v1", nospectre_v1_cmdline);
521 ++
522 + #undef pr_fmt
523 + #define pr_fmt(fmt) "Spectre V2 : " fmt
524 +
525 +@@ -1265,7 +1352,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
526 + break;
527 +
528 + case X86_BUG_SPECTRE_V1:
529 +- return sprintf(buf, "Mitigation: __user pointer sanitization\n");
530 ++ return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
531 +
532 + case X86_BUG_SPECTRE_V2:
533 + return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
534 +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
535 +index cda130dc56b9..12fa16051871 100644
536 +--- a/arch/x86/kernel/cpu/common.c
537 ++++ b/arch/x86/kernel/cpu/common.c
538 +@@ -897,6 +897,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
539 + #define NO_L1TF BIT(3)
540 + #define NO_MDS BIT(4)
541 + #define MSBDS_ONLY BIT(5)
542 ++#define NO_SWAPGS BIT(6)
543 +
544 + #define VULNWL(_vendor, _family, _model, _whitelist) \
545 + { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
546 +@@ -920,29 +921,37 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
547 + VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION),
548 + VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION),
549 +
550 +- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY),
551 +- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY),
552 +- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY),
553 +- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY),
554 +- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY),
555 +- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY),
556 ++ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
557 ++ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
558 ++ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
559 ++ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
560 ++ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
561 ++ VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
562 +
563 + VULNWL_INTEL(CORE_YONAH, NO_SSB),
564 +
565 +- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY),
566 ++ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
567 +
568 +- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF),
569 +- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF),
570 +- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF),
571 ++ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS),
572 ++ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS),
573 ++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS),
574 ++
575 ++ /*
576 ++ * Technically, swapgs isn't serializing on AMD (despite it previously
577 ++ * being documented as such in the APM). But according to AMD, %gs is
578 ++ * updated non-speculatively, and the issuing of %gs-relative memory
579 ++ * operands will be blocked until the %gs update completes, which is
580 ++ * good enough for our purposes.
581 ++ */
582 +
583 + /* AMD Family 0xf - 0x12 */
584 +- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
585 +- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
586 +- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
587 +- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
588 ++ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
589 ++ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
590 ++ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
591 ++ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
592 +
593 + /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
594 +- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS),
595 ++ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS),
596 + {}
597 + };
598 +
599 +@@ -979,6 +988,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
600 + setup_force_cpu_bug(X86_BUG_MSBDS_ONLY);
601 + }
602 +
603 ++ if (!cpu_matches(NO_SWAPGS))
604 ++ setup_force_cpu_bug(X86_BUG_SWAPGS);
605 ++
606 + if (cpu_matches(NO_MELTDOWN))
607 + return;
608 +
609 +diff --git a/block/blk-core.c b/block/blk-core.c
610 +index 77b99bf16c83..bdb906bbfe19 100644
611 +--- a/block/blk-core.c
612 ++++ b/block/blk-core.c
613 +@@ -881,6 +881,7 @@ blk_init_allocated_queue(struct request_queue *q, request_fn_proc *rfn,
614 +
615 + fail:
616 + blk_free_flush_queue(q->fq);
617 ++ q->fq = NULL;
618 + return NULL;
619 + }
620 + EXPORT_SYMBOL(blk_init_allocated_queue);
621 +diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
622 +index b2756765950e..fe47c924dc64 100644
623 +--- a/drivers/atm/iphase.c
624 ++++ b/drivers/atm/iphase.c
625 +@@ -63,6 +63,7 @@
626 + #include <asm/byteorder.h>
627 + #include <linux/vmalloc.h>
628 + #include <linux/jiffies.h>
629 ++#include <linux/nospec.h>
630 + #include "iphase.h"
631 + #include "suni.h"
632 + #define swap_byte_order(x) (((x & 0xff) << 8) | ((x & 0xff00) >> 8))
633 +@@ -2760,8 +2761,11 @@ static int ia_ioctl(struct atm_dev *dev, unsigned int cmd, void __user *arg)
634 + }
635 + if (copy_from_user(&ia_cmds, arg, sizeof ia_cmds)) return -EFAULT;
636 + board = ia_cmds.status;
637 +- if ((board < 0) || (board > iadev_count))
638 +- board = 0;
639 ++
640 ++ if ((board < 0) || (board > iadev_count))
641 ++ board = 0;
642 ++ board = array_index_nospec(board, iadev_count + 1);
643 ++
644 + iadev = ia_dev[board];
645 + switch (ia_cmds.cmd) {
646 + case MEMDUMP:
647 +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
648 +index 6f4c84d824e6..25c006338100 100644
649 +--- a/drivers/hid/hid-ids.h
650 ++++ b/drivers/hid/hid-ids.h
651 +@@ -509,6 +509,7 @@
652 + #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A 0x0a4a
653 + #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A 0x0b4a
654 + #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a
655 ++#define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0641 0x0641
656 +
657 + #define USB_VENDOR_ID_HUION 0x256c
658 + #define USB_DEVICE_ID_HUION_TABLET 0x006e
659 +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
660 +index 617ae294a318..e851926be8b0 100644
661 +--- a/drivers/hid/usbhid/hid-quirks.c
662 ++++ b/drivers/hid/usbhid/hid-quirks.c
663 +@@ -98,6 +98,7 @@ static const struct hid_blacklist {
664 + { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A, HID_QUIRK_ALWAYS_POLL },
665 + { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A, HID_QUIRK_ALWAYS_POLL },
666 + { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
667 ++ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0641, HID_QUIRK_ALWAYS_POLL },
668 + { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL },
669 + { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_KEYBOARD_G710_PLUS, HID_QUIRK_NOGET },
670 + { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C01A, HID_QUIRK_ALWAYS_POLL },
671 +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
672 +index b1ad378cb2a6..6c3bf8846b52 100644
673 +--- a/drivers/hid/wacom_wac.c
674 ++++ b/drivers/hid/wacom_wac.c
675 +@@ -529,14 +529,14 @@ static int wacom_intuos_pad(struct wacom_wac *wacom)
676 + */
677 + buttons = (data[4] << 1) | (data[3] & 0x01);
678 + } else if (features->type == CINTIQ_COMPANION_2) {
679 +- /* d-pad right -> data[4] & 0x10
680 +- * d-pad up -> data[4] & 0x20
681 +- * d-pad left -> data[4] & 0x40
682 +- * d-pad down -> data[4] & 0x80
683 +- * d-pad center -> data[3] & 0x01
684 ++ /* d-pad right -> data[2] & 0x10
685 ++ * d-pad up -> data[2] & 0x20
686 ++ * d-pad left -> data[2] & 0x40
687 ++ * d-pad down -> data[2] & 0x80
688 ++ * d-pad center -> data[1] & 0x01
689 + */
690 + buttons = ((data[2] >> 4) << 7) |
691 +- ((data[1] & 0x04) << 6) |
692 ++ ((data[1] & 0x04) << 4) |
693 + ((data[2] & 0x0F) << 2) |
694 + (data[1] & 0x03);
695 + } else if (features->type >= INTUOS5S && features->type <= INTUOSPL) {
696 +diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
697 +index 978b8d94f9a4..1baa25e82bdd 100644
698 +--- a/drivers/infiniband/core/addr.c
699 ++++ b/drivers/infiniband/core/addr.c
700 +@@ -735,14 +735,13 @@ int rdma_addr_find_l2_eth_by_grh(const union ib_gid *sgid,
701 + struct net_device *dev;
702 +
703 + union {
704 +- struct sockaddr _sockaddr;
705 + struct sockaddr_in _sockaddr_in;
706 + struct sockaddr_in6 _sockaddr_in6;
707 + } sgid_addr, dgid_addr;
708 +
709 +
710 +- rdma_gid2ip(&sgid_addr._sockaddr, sgid);
711 +- rdma_gid2ip(&dgid_addr._sockaddr, dgid);
712 ++ rdma_gid2ip((struct sockaddr *)&sgid_addr, sgid);
713 ++ rdma_gid2ip((struct sockaddr *)&dgid_addr, dgid);
714 +
715 + memset(&dev_addr, 0, sizeof(dev_addr));
716 + if (if_index)
717 +@@ -751,8 +750,9 @@ int rdma_addr_find_l2_eth_by_grh(const union ib_gid *sgid,
718 +
719 + ctx.addr = &dev_addr;
720 + init_completion(&ctx.comp);
721 +- ret = rdma_resolve_ip(&self, &sgid_addr._sockaddr, &dgid_addr._sockaddr,
722 +- &dev_addr, 1000, resolve_cb, &ctx);
723 ++ ret = rdma_resolve_ip(&self, (struct sockaddr *)&sgid_addr,
724 ++ (struct sockaddr *)&dgid_addr, &dev_addr, 1000,
725 ++ resolve_cb, &ctx);
726 + if (ret)
727 + return ret;
728 +
729 +@@ -782,16 +782,15 @@ int rdma_addr_find_smac_by_sgid(union ib_gid *sgid, u8 *smac, u16 *vlan_id)
730 + int ret = 0;
731 + struct rdma_dev_addr dev_addr;
732 + union {
733 +- struct sockaddr _sockaddr;
734 + struct sockaddr_in _sockaddr_in;
735 + struct sockaddr_in6 _sockaddr_in6;
736 + } gid_addr;
737 +
738 +- rdma_gid2ip(&gid_addr._sockaddr, sgid);
739 ++ rdma_gid2ip((struct sockaddr *)&gid_addr, sgid);
740 +
741 + memset(&dev_addr, 0, sizeof(dev_addr));
742 + dev_addr.net = &init_net;
743 +- ret = rdma_translate_ip(&gid_addr._sockaddr, &dev_addr, vlan_id);
744 ++ ret = rdma_translate_ip((struct sockaddr *)&gid_addr, &dev_addr, vlan_id);
745 + if (ret)
746 + return ret;
747 +
748 +diff --git a/drivers/infiniband/core/sa_query.c b/drivers/infiniband/core/sa_query.c
749 +index 4baf3b864a57..5879a06ada93 100644
750 +--- a/drivers/infiniband/core/sa_query.c
751 ++++ b/drivers/infiniband/core/sa_query.c
752 +@@ -1109,7 +1109,6 @@ int ib_init_ah_from_path(struct ib_device *device, u8 port_num,
753 + .net = rec->net ? rec->net :
754 + &init_net};
755 + union {
756 +- struct sockaddr _sockaddr;
757 + struct sockaddr_in _sockaddr_in;
758 + struct sockaddr_in6 _sockaddr_in6;
759 + } sgid_addr, dgid_addr;
760 +@@ -1117,12 +1116,13 @@ int ib_init_ah_from_path(struct ib_device *device, u8 port_num,
761 + if (!device->get_netdev)
762 + return -EOPNOTSUPP;
763 +
764 +- rdma_gid2ip(&sgid_addr._sockaddr, &rec->sgid);
765 +- rdma_gid2ip(&dgid_addr._sockaddr, &rec->dgid);
766 ++ rdma_gid2ip((struct sockaddr *)&sgid_addr, &rec->sgid);
767 ++ rdma_gid2ip((struct sockaddr *)&dgid_addr, &rec->dgid);
768 +
769 + /* validate the route */
770 +- ret = rdma_resolve_ip_route(&sgid_addr._sockaddr,
771 +- &dgid_addr._sockaddr, &dev_addr);
772 ++ ret = rdma_resolve_ip_route((struct sockaddr *)&sgid_addr,
773 ++ (struct sockaddr *)&dgid_addr,
774 ++ &dev_addr);
775 + if (ret)
776 + return ret;
777 +
778 +diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_ah.c b/drivers/infiniband/hw/ocrdma/ocrdma_ah.c
779 +index 797362a297b2..35efd40ba47f 100644
780 +--- a/drivers/infiniband/hw/ocrdma/ocrdma_ah.c
781 ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_ah.c
782 +@@ -82,7 +82,6 @@ static inline int set_av_attr(struct ocrdma_dev *dev, struct ocrdma_ah *ah,
783 + u8 nxthdr = 0x11;
784 + struct iphdr ipv4;
785 + union {
786 +- struct sockaddr _sockaddr;
787 + struct sockaddr_in _sockaddr_in;
788 + struct sockaddr_in6 _sockaddr_in6;
789 + } sgid_addr, dgid_addr;
790 +@@ -131,9 +130,9 @@ static inline int set_av_attr(struct ocrdma_dev *dev, struct ocrdma_ah *ah,
791 + ipv4.tot_len = htons(0);
792 + ipv4.ttl = attr->grh.hop_limit;
793 + ipv4.protocol = nxthdr;
794 +- rdma_gid2ip(&sgid_addr._sockaddr, sgid);
795 ++ rdma_gid2ip((struct sockaddr *)&sgid_addr, sgid);
796 + ipv4.saddr = sgid_addr._sockaddr_in.sin_addr.s_addr;
797 +- rdma_gid2ip(&dgid_addr._sockaddr, &attr->grh.dgid);
798 ++ rdma_gid2ip((struct sockaddr *)&dgid_addr, &attr->grh.dgid);
799 + ipv4.daddr = dgid_addr._sockaddr_in.sin_addr.s_addr;
800 + memcpy((u8 *)ah->av + eth_sz, &ipv4, sizeof(struct iphdr));
801 + } else {
802 +diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_hw.c b/drivers/infiniband/hw/ocrdma/ocrdma_hw.c
803 +index 67fc0b6857e1..edfa22847724 100644
804 +--- a/drivers/infiniband/hw/ocrdma/ocrdma_hw.c
805 ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_hw.c
806 +@@ -2505,7 +2505,6 @@ static int ocrdma_set_av_params(struct ocrdma_qp *qp,
807 + u32 vlan_id = 0xFFFF;
808 + u8 mac_addr[6], hdr_type;
809 + union {
810 +- struct sockaddr _sockaddr;
811 + struct sockaddr_in _sockaddr_in;
812 + struct sockaddr_in6 _sockaddr_in6;
813 + } sgid_addr, dgid_addr;
814 +@@ -2550,8 +2549,8 @@ static int ocrdma_set_av_params(struct ocrdma_qp *qp,
815 +
816 + hdr_type = ib_gid_to_network_type(sgid_attr.gid_type, &sgid);
817 + if (hdr_type == RDMA_NETWORK_IPV4) {
818 +- rdma_gid2ip(&sgid_addr._sockaddr, &sgid);
819 +- rdma_gid2ip(&dgid_addr._sockaddr, &ah_attr->grh.dgid);
820 ++ rdma_gid2ip((struct sockaddr *)&sgid_addr, &sgid);
821 ++ rdma_gid2ip((struct sockaddr *)&dgid_addr, &ah_attr->grh.dgid);
822 + memcpy(&cmd->params.dgid[0],
823 + &dgid_addr._sockaddr_in.sin_addr.s_addr, 4);
824 + memcpy(&cmd->params.sgid[0],
825 +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
826 +index 6167bb0c71ed..53a71166e784 100644
827 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
828 ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
829 +@@ -1939,7 +1939,7 @@ u16 bnx2x_select_queue(struct net_device *dev, struct sk_buff *skb,
830 + }
831 +
832 + /* select a non-FCoE queue */
833 +- return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos);
834 ++ return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp));
835 + }
836 +
837 + void bnx2x_set_num_queues(struct bnx2x *bp)
838 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
839 +index 524fff2b3dc6..2e6d6dfdcc80 100644
840 +--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c
841 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
842 +@@ -207,7 +207,7 @@ void mlx5_unregister_device(struct mlx5_core_dev *dev)
843 + struct mlx5_interface *intf;
844 +
845 + mutex_lock(&mlx5_intf_mutex);
846 +- list_for_each_entry(intf, &intf_list, list)
847 ++ list_for_each_entry_reverse(intf, &intf_list, list)
848 + mlx5_remove_device(intf, priv);
849 + list_del(&priv->dev_list);
850 + mutex_unlock(&mlx5_intf_mutex);
851 +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
852 +index 8c93ed5c9763..fa8f7c40a384 100644
853 +--- a/drivers/net/ppp/pppoe.c
854 ++++ b/drivers/net/ppp/pppoe.c
855 +@@ -1134,6 +1134,9 @@ static const struct proto_ops pppoe_ops = {
856 + .recvmsg = pppoe_recvmsg,
857 + .mmap = sock_no_mmap,
858 + .ioctl = pppox_ioctl,
859 ++#ifdef CONFIG_COMPAT
860 ++ .compat_ioctl = pppox_compat_ioctl,
861 ++#endif
862 + };
863 +
864 + static const struct pppox_proto pppoe_proto = {
865 +diff --git a/drivers/net/ppp/pppox.c b/drivers/net/ppp/pppox.c
866 +index b9c8be6283d3..50856f9fe08a 100644
867 +--- a/drivers/net/ppp/pppox.c
868 ++++ b/drivers/net/ppp/pppox.c
869 +@@ -22,6 +22,7 @@
870 + #include <linux/string.h>
871 + #include <linux/module.h>
872 + #include <linux/kernel.h>
873 ++#include <linux/compat.h>
874 + #include <linux/errno.h>
875 + #include <linux/netdevice.h>
876 + #include <linux/net.h>
877 +@@ -103,6 +104,18 @@ int pppox_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
878 +
879 + EXPORT_SYMBOL(pppox_ioctl);
880 +
881 ++#ifdef CONFIG_COMPAT
882 ++int pppox_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
883 ++{
884 ++ if (cmd == PPPOEIOCSFWD32)
885 ++ cmd = PPPOEIOCSFWD;
886 ++
887 ++ return pppox_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
888 ++}
889 ++
890 ++EXPORT_SYMBOL(pppox_compat_ioctl);
891 ++#endif
892 ++
893 + static int pppox_create(struct net *net, struct socket *sock, int protocol,
894 + int kern)
895 + {
896 +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
897 +index 5a8befdfa5e4..fa14a67fb09a 100644
898 +--- a/drivers/net/ppp/pptp.c
899 ++++ b/drivers/net/ppp/pptp.c
900 +@@ -638,6 +638,9 @@ static const struct proto_ops pptp_ops = {
901 + .recvmsg = sock_no_recvmsg,
902 + .mmap = sock_no_mmap,
903 + .ioctl = pppox_ioctl,
904 ++#ifdef CONFIG_COMPAT
905 ++ .compat_ioctl = pppox_compat_ioctl,
906 ++#endif
907 + };
908 +
909 + static const struct pppox_proto pppox_pptp_proto = {
910 +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c
911 +index cc3994d4e7bc..3c2f34db937b 100644
912 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c
913 ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
914 +@@ -1984,7 +1984,7 @@ EXPORT_SYMBOL_GPL(fcoe_wwn_from_mac);
915 + */
916 + static inline struct fcoe_rport *fcoe_ctlr_rport(struct fc_rport_priv *rdata)
917 + {
918 +- return (struct fcoe_rport *)(rdata + 1);
919 ++ return container_of(rdata, struct fcoe_rport, rdata);
920 + }
921 +
922 + /**
923 +@@ -2244,7 +2244,7 @@ static void fcoe_ctlr_vn_start(struct fcoe_ctlr *fip)
924 + */
925 + static int fcoe_ctlr_vn_parse(struct fcoe_ctlr *fip,
926 + struct sk_buff *skb,
927 +- struct fc_rport_priv *rdata)
928 ++ struct fcoe_rport *frport)
929 + {
930 + struct fip_header *fiph;
931 + struct fip_desc *desc = NULL;
932 +@@ -2252,16 +2252,12 @@ static int fcoe_ctlr_vn_parse(struct fcoe_ctlr *fip,
933 + struct fip_wwn_desc *wwn = NULL;
934 + struct fip_vn_desc *vn = NULL;
935 + struct fip_size_desc *size = NULL;
936 +- struct fcoe_rport *frport;
937 + size_t rlen;
938 + size_t dlen;
939 + u32 desc_mask = 0;
940 + u32 dtype;
941 + u8 sub;
942 +
943 +- memset(rdata, 0, sizeof(*rdata) + sizeof(*frport));
944 +- frport = fcoe_ctlr_rport(rdata);
945 +-
946 + fiph = (struct fip_header *)skb->data;
947 + frport->flags = ntohs(fiph->fip_flags);
948 +
949 +@@ -2324,15 +2320,17 @@ static int fcoe_ctlr_vn_parse(struct fcoe_ctlr *fip,
950 + if (dlen != sizeof(struct fip_wwn_desc))
951 + goto len_err;
952 + wwn = (struct fip_wwn_desc *)desc;
953 +- rdata->ids.node_name = get_unaligned_be64(&wwn->fd_wwn);
954 ++ frport->rdata.ids.node_name =
955 ++ get_unaligned_be64(&wwn->fd_wwn);
956 + break;
957 + case FIP_DT_VN_ID:
958 + if (dlen != sizeof(struct fip_vn_desc))
959 + goto len_err;
960 + vn = (struct fip_vn_desc *)desc;
961 + memcpy(frport->vn_mac, vn->fd_mac, ETH_ALEN);
962 +- rdata->ids.port_id = ntoh24(vn->fd_fc_id);
963 +- rdata->ids.port_name = get_unaligned_be64(&vn->fd_wwpn);
964 ++ frport->rdata.ids.port_id = ntoh24(vn->fd_fc_id);
965 ++ frport->rdata.ids.port_name =
966 ++ get_unaligned_be64(&vn->fd_wwpn);
967 + break;
968 + case FIP_DT_FC4F:
969 + if (dlen != sizeof(struct fip_fc4_feat))
970 +@@ -2670,16 +2668,13 @@ static int fcoe_ctlr_vn_recv(struct fcoe_ctlr *fip, struct sk_buff *skb)
971 + {
972 + struct fip_header *fiph;
973 + enum fip_vn2vn_subcode sub;
974 +- struct {
975 +- struct fc_rport_priv rdata;
976 +- struct fcoe_rport frport;
977 +- } buf;
978 ++ struct fcoe_rport frport = { };
979 + int rc;
980 +
981 + fiph = (struct fip_header *)skb->data;
982 + sub = fiph->fip_subcode;
983 +
984 +- rc = fcoe_ctlr_vn_parse(fip, skb, &buf.rdata);
985 ++ rc = fcoe_ctlr_vn_parse(fip, skb, &frport);
986 + if (rc) {
987 + LIBFCOE_FIP_DBG(fip, "vn_recv vn_parse error %d\n", rc);
988 + goto drop;
989 +@@ -2688,19 +2683,19 @@ static int fcoe_ctlr_vn_recv(struct fcoe_ctlr *fip, struct sk_buff *skb)
990 + mutex_lock(&fip->ctlr_mutex);
991 + switch (sub) {
992 + case FIP_SC_VN_PROBE_REQ:
993 +- fcoe_ctlr_vn_probe_req(fip, &buf.rdata);
994 ++ fcoe_ctlr_vn_probe_req(fip, &frport.rdata);
995 + break;
996 + case FIP_SC_VN_PROBE_REP:
997 +- fcoe_ctlr_vn_probe_reply(fip, &buf.rdata);
998 ++ fcoe_ctlr_vn_probe_reply(fip, &frport.rdata);
999 + break;
1000 + case FIP_SC_VN_CLAIM_NOTIFY:
1001 +- fcoe_ctlr_vn_claim_notify(fip, &buf.rdata);
1002 ++ fcoe_ctlr_vn_claim_notify(fip, &frport.rdata);
1003 + break;
1004 + case FIP_SC_VN_CLAIM_REP:
1005 +- fcoe_ctlr_vn_claim_resp(fip, &buf.rdata);
1006 ++ fcoe_ctlr_vn_claim_resp(fip, &frport.rdata);
1007 + break;
1008 + case FIP_SC_VN_BEACON:
1009 +- fcoe_ctlr_vn_beacon(fip, &buf.rdata);
1010 ++ fcoe_ctlr_vn_beacon(fip, &frport.rdata);
1011 + break;
1012 + default:
1013 + LIBFCOE_FIP_DBG(fip, "vn_recv unknown subcode %d\n", sub);
1014 +@@ -2724,22 +2719,18 @@ drop:
1015 + */
1016 + static int fcoe_ctlr_vlan_parse(struct fcoe_ctlr *fip,
1017 + struct sk_buff *skb,
1018 +- struct fc_rport_priv *rdata)
1019 ++ struct fcoe_rport *frport)
1020 + {
1021 + struct fip_header *fiph;
1022 + struct fip_desc *desc = NULL;
1023 + struct fip_mac_desc *macd = NULL;
1024 + struct fip_wwn_desc *wwn = NULL;
1025 +- struct fcoe_rport *frport;
1026 + size_t rlen;
1027 + size_t dlen;
1028 + u32 desc_mask = 0;
1029 + u32 dtype;
1030 + u8 sub;
1031 +
1032 +- memset(rdata, 0, sizeof(*rdata) + sizeof(*frport));
1033 +- frport = fcoe_ctlr_rport(rdata);
1034 +-
1035 + fiph = (struct fip_header *)skb->data;
1036 + frport->flags = ntohs(fiph->fip_flags);
1037 +
1038 +@@ -2793,7 +2784,8 @@ static int fcoe_ctlr_vlan_parse(struct fcoe_ctlr *fip,
1039 + if (dlen != sizeof(struct fip_wwn_desc))
1040 + goto len_err;
1041 + wwn = (struct fip_wwn_desc *)desc;
1042 +- rdata->ids.node_name = get_unaligned_be64(&wwn->fd_wwn);
1043 ++ frport->rdata.ids.node_name =
1044 ++ get_unaligned_be64(&wwn->fd_wwn);
1045 + break;
1046 + default:
1047 + LIBFCOE_FIP_DBG(fip, "unexpected descriptor type %x "
1048 +@@ -2904,22 +2896,19 @@ static int fcoe_ctlr_vlan_recv(struct fcoe_ctlr *fip, struct sk_buff *skb)
1049 + {
1050 + struct fip_header *fiph;
1051 + enum fip_vlan_subcode sub;
1052 +- struct {
1053 +- struct fc_rport_priv rdata;
1054 +- struct fcoe_rport frport;
1055 +- } buf;
1056 ++ struct fcoe_rport frport = { };
1057 + int rc;
1058 +
1059 + fiph = (struct fip_header *)skb->data;
1060 + sub = fiph->fip_subcode;
1061 +- rc = fcoe_ctlr_vlan_parse(fip, skb, &buf.rdata);
1062 ++ rc = fcoe_ctlr_vlan_parse(fip, skb, &frport);
1063 + if (rc) {
1064 + LIBFCOE_FIP_DBG(fip, "vlan_recv vlan_parse error %d\n", rc);
1065 + goto drop;
1066 + }
1067 + mutex_lock(&fip->ctlr_mutex);
1068 + if (sub == FIP_SC_VL_REQ)
1069 +- fcoe_ctlr_vlan_disc_reply(fip, &buf.rdata);
1070 ++ fcoe_ctlr_vlan_disc_reply(fip, &frport.rdata);
1071 + mutex_unlock(&fip->ctlr_mutex);
1072 +
1073 + drop:
1074 +diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c
1075 +index 97aeaddd600d..70e2958a69a0 100644
1076 +--- a/drivers/scsi/libfc/fc_rport.c
1077 ++++ b/drivers/scsi/libfc/fc_rport.c
1078 +@@ -127,12 +127,15 @@ static struct fc_rport_priv *fc_rport_create(struct fc_lport *lport,
1079 + u32 port_id)
1080 + {
1081 + struct fc_rport_priv *rdata;
1082 ++ size_t rport_priv_size = sizeof(*rdata);
1083 +
1084 + rdata = lport->tt.rport_lookup(lport, port_id);
1085 + if (rdata)
1086 + return rdata;
1087 +
1088 +- rdata = kzalloc(sizeof(*rdata) + lport->rport_priv_size, GFP_KERNEL);
1089 ++ if (lport->rport_priv_size > 0)
1090 ++ rport_priv_size = lport->rport_priv_size;
1091 ++ rdata = kzalloc(rport_priv_size, GFP_KERNEL);
1092 + if (!rdata)
1093 + return NULL;
1094 +
1095 +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
1096 +index 25abf2d1732a..eab27d41ba83 100644
1097 +--- a/drivers/spi/spi-bcm2835.c
1098 ++++ b/drivers/spi/spi-bcm2835.c
1099 +@@ -554,7 +554,8 @@ static int bcm2835_spi_transfer_one(struct spi_master *master,
1100 + bcm2835_wr(bs, BCM2835_SPI_CLK, cdiv);
1101 +
1102 + /* handle all the 3-wire mode */
1103 +- if ((spi->mode & SPI_3WIRE) && (tfr->rx_buf))
1104 ++ if (spi->mode & SPI_3WIRE && tfr->rx_buf &&
1105 ++ tfr->rx_buf != master->dummy_rx)
1106 + cs |= BCM2835_SPI_CS_REN;
1107 + else
1108 + cs &= ~BCM2835_SPI_CS_REN;
1109 +diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
1110 +index 93c8e4a4bbd3..4b7da4409c60 100644
1111 +--- a/fs/compat_ioctl.c
1112 ++++ b/fs/compat_ioctl.c
1113 +@@ -1038,9 +1038,6 @@ COMPATIBLE_IOCTL(PPPIOCDISCONN)
1114 + COMPATIBLE_IOCTL(PPPIOCATTCHAN)
1115 + COMPATIBLE_IOCTL(PPPIOCGCHAN)
1116 + COMPATIBLE_IOCTL(PPPIOCGL2TPSTATS)
1117 +-/* PPPOX */
1118 +-COMPATIBLE_IOCTL(PPPOEIOCSFWD)
1119 +-COMPATIBLE_IOCTL(PPPOEIOCDFWD)
1120 + /* Big A */
1121 + /* sparc only */
1122 + /* Big Q for sound/OSS */
1123 +diff --git a/include/linux/ceph/ceph_debug.h b/include/linux/ceph/ceph_debug.h
1124 +index aa2e19182d99..51c5bd64bd00 100644
1125 +--- a/include/linux/ceph/ceph_debug.h
1126 ++++ b/include/linux/ceph/ceph_debug.h
1127 +@@ -3,6 +3,8 @@
1128 +
1129 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1130 +
1131 ++#include <linux/string.h>
1132 ++
1133 + #ifdef CONFIG_CEPH_LIB_PRETTYDEBUG
1134 +
1135 + /*
1136 +@@ -12,12 +14,10 @@
1137 + */
1138 +
1139 + # if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
1140 +-extern const char *ceph_file_part(const char *s, int len);
1141 + # define dout(fmt, ...) \
1142 + pr_debug("%.*s %12.12s:%-4d : " fmt, \
1143 + 8 - (int)sizeof(KBUILD_MODNAME), " ", \
1144 +- ceph_file_part(__FILE__, sizeof(__FILE__)), \
1145 +- __LINE__, ##__VA_ARGS__)
1146 ++ kbasename(__FILE__), __LINE__, ##__VA_ARGS__)
1147 + # else
1148 + /* faux printk call just to see any compiler warnings. */
1149 + # define dout(fmt, ...) do { \
1150 +diff --git a/include/linux/if_pppox.h b/include/linux/if_pppox.h
1151 +index ba7a9b0c7c57..24e9b360da65 100644
1152 +--- a/include/linux/if_pppox.h
1153 ++++ b/include/linux/if_pppox.h
1154 +@@ -84,6 +84,9 @@ extern int register_pppox_proto(int proto_num, const struct pppox_proto *pp);
1155 + extern void unregister_pppox_proto(int proto_num);
1156 + extern void pppox_unbind_sock(struct sock *sk);/* delete ppp-channel binding */
1157 + extern int pppox_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
1158 ++extern int pppox_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
1159 ++
1160 ++#define PPPOEIOCSFWD32 _IOW(0xB1 ,0, compat_size_t)
1161 +
1162 + /* PPPoX socket states */
1163 + enum {
1164 +diff --git a/include/net/tcp.h b/include/net/tcp.h
1165 +index 1eda31f7f013..a474213ca015 100644
1166 +--- a/include/net/tcp.h
1167 ++++ b/include/net/tcp.h
1168 +@@ -1595,6 +1595,23 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
1169 + tcp_sk(sk)->highest_sack = NULL;
1170 + }
1171 +
1172 ++static inline struct sk_buff *tcp_rtx_queue_head(const struct sock *sk)
1173 ++{
1174 ++ struct sk_buff *skb = tcp_write_queue_head(sk);
1175 ++
1176 ++ if (skb == tcp_send_head(sk))
1177 ++ skb = NULL;
1178 ++
1179 ++ return skb;
1180 ++}
1181 ++
1182 ++static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk)
1183 ++{
1184 ++ struct sk_buff *skb = tcp_send_head(sk);
1185 ++
1186 ++ return skb ? tcp_write_queue_prev(sk, skb) : tcp_write_queue_tail(sk);
1187 ++}
1188 ++
1189 + static inline void __tcp_add_write_queue_tail(struct sock *sk, struct sk_buff *skb)
1190 + {
1191 + __skb_queue_tail(&sk->sk_write_queue, skb);
1192 +diff --git a/include/scsi/libfcoe.h b/include/scsi/libfcoe.h
1193 +index 722d3264d3bf..6be92eede5c0 100644
1194 +--- a/include/scsi/libfcoe.h
1195 ++++ b/include/scsi/libfcoe.h
1196 +@@ -241,6 +241,7 @@ struct fcoe_fcf {
1197 + * @vn_mac: VN_Node assigned MAC address for data
1198 + */
1199 + struct fcoe_rport {
1200 ++ struct fc_rport_priv rdata;
1201 + unsigned long time;
1202 + u16 fcoe_len;
1203 + u16 flags;
1204 +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
1205 +index 3626174456b7..80c81c7e3cf9 100644
1206 +--- a/net/bridge/br_multicast.c
1207 ++++ b/net/bridge/br_multicast.c
1208 +@@ -1489,6 +1489,9 @@ br_multicast_leave_group(struct net_bridge *br,
1209 + if (p->port != port)
1210 + continue;
1211 +
1212 ++ if (p->flags & MDB_PG_FLAGS_PERMANENT)
1213 ++ break;
1214 ++
1215 + rcu_assign_pointer(*pp, p->next);
1216 + hlist_del_init(&p->mglist);
1217 + del_timer(&p->timer);
1218 +diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
1219 +index b6de4f457161..5172caac645c 100644
1220 +--- a/net/bridge/br_vlan.c
1221 ++++ b/net/bridge/br_vlan.c
1222 +@@ -622,6 +622,11 @@ void br_vlan_flush(struct net_bridge *br)
1223 +
1224 + ASSERT_RTNL();
1225 +
1226 ++ /* delete auto-added default pvid local fdb before flushing vlans
1227 ++ * otherwise it will be leaked on bridge device init failure
1228 ++ */
1229 ++ br_fdb_delete_by_port(br, NULL, 0, 1);
1230 ++
1231 + vg = br_vlan_group(br);
1232 + __vlan_flush(vg);
1233 + RCU_INIT_POINTER(br->vlgrp, NULL);
1234 +diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
1235 +index bf0294cf4d22..18c4b34bd6e0 100644
1236 +--- a/net/ceph/ceph_common.c
1237 ++++ b/net/ceph/ceph_common.c
1238 +@@ -45,19 +45,6 @@ bool libceph_compatible(void *data)
1239 + }
1240 + EXPORT_SYMBOL(libceph_compatible);
1241 +
1242 +-/*
1243 +- * find filename portion of a path (/foo/bar/baz -> baz)
1244 +- */
1245 +-const char *ceph_file_part(const char *s, int len)
1246 +-{
1247 +- const char *e = s + len;
1248 +-
1249 +- while (e != s && *(e-1) != '/')
1250 +- e--;
1251 +- return e;
1252 +-}
1253 +-EXPORT_SYMBOL(ceph_file_part);
1254 +-
1255 + const char *ceph_msg_type_name(int type)
1256 + {
1257 + switch (type) {
1258 +diff --git a/net/core/dev.c b/net/core/dev.c
1259 +index f693afe608d7..08bcbce16e12 100644
1260 +--- a/net/core/dev.c
1261 ++++ b/net/core/dev.c
1262 +@@ -8296,6 +8296,8 @@ static void __net_exit default_device_exit(struct net *net)
1263 +
1264 + /* Push remaining network devices to init_net */
1265 + snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
1266 ++ if (__dev_get_by_name(&init_net, fb_name))
1267 ++ snprintf(fb_name, IFNAMSIZ, "dev%%d");
1268 + err = dev_change_net_namespace(dev, &init_net, fb_name);
1269 + if (err) {
1270 + pr_emerg("%s: failed to move %s to init_net: %d\n",
1271 +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
1272 +index 0c195b0f4216..9ddb05b98312 100644
1273 +--- a/net/ipv4/tcp_output.c
1274 ++++ b/net/ipv4/tcp_output.c
1275 +@@ -1175,6 +1175,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
1276 + struct tcp_sock *tp = tcp_sk(sk);
1277 + struct sk_buff *buff;
1278 + int nsize, old_factor;
1279 ++ long limit;
1280 + int nlen;
1281 + u8 flags;
1282 +
1283 +@@ -1185,7 +1186,15 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
1284 + if (nsize < 0)
1285 + nsize = 0;
1286 +
1287 +- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
1288 ++ /* tcp_sendmsg() can overshoot sk_wmem_queued by one full size skb.
1289 ++ * We need some allowance to not penalize applications setting small
1290 ++ * SO_SNDBUF values.
1291 ++ * Also allow first and last skb in retransmit queue to be split.
1292 ++ */
1293 ++ limit = sk->sk_sndbuf + 2 * SKB_TRUESIZE(GSO_MAX_SIZE);
1294 ++ if (unlikely((sk->sk_wmem_queued >> 1) > limit &&
1295 ++ skb != tcp_rtx_queue_head(sk) &&
1296 ++ skb != tcp_rtx_queue_tail(sk))) {
1297 + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
1298 + return -ENOMEM;
1299 + }
1300 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
1301 +index 42f363661d25..cc28b8646986 100644
1302 +--- a/net/ipv6/ip6_tunnel.c
1303 ++++ b/net/ipv6/ip6_tunnel.c
1304 +@@ -1275,11 +1275,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
1305 + fl6.flowi6_mark = skb->mark;
1306 + }
1307 +
1308 ++ dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));
1309 ++
1310 + if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
1311 + return -1;
1312 +
1313 +- dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));
1314 +-
1315 + skb_set_inner_ipproto(skb, IPPROTO_IPIP);
1316 +
1317 + err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
1318 +@@ -1362,11 +1362,11 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
1319 + fl6.flowi6_mark = skb->mark;
1320 + }
1321 +
1322 ++ dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));
1323 ++
1324 + if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
1325 + return -1;
1326 +
1327 +- dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));
1328 +-
1329 + skb_set_inner_ipproto(skb, IPPROTO_IPV6);
1330 +
1331 + err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
1332 +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
1333 +index 9b214f313cc0..16b63e60396f 100644
1334 +--- a/net/l2tp/l2tp_ppp.c
1335 ++++ b/net/l2tp/l2tp_ppp.c
1336 +@@ -1790,6 +1790,9 @@ static const struct proto_ops pppol2tp_ops = {
1337 + .recvmsg = pppol2tp_recvmsg,
1338 + .mmap = sock_no_mmap,
1339 + .ioctl = pppox_ioctl,
1340 ++#ifdef CONFIG_COMPAT
1341 ++ .compat_ioctl = pppox_compat_ioctl,
1342 ++#endif
1343 + };
1344 +
1345 + static const struct pppox_proto pppol2tp_proto = {
1346 +diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
1347 +index d2932dc4c83d..36e4dcdac8dc 100644
1348 +--- a/net/sched/act_ife.c
1349 ++++ b/net/sched/act_ife.c
1350 +@@ -477,6 +477,9 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
1351 + int ret = 0;
1352 + int err;
1353 +
1354 ++ if (!nla)
1355 ++ return -EINVAL;
1356 ++
1357 + err = nla_parse_nested(tb, TCA_IFE_MAX, nla, ife_policy);
1358 + if (err < 0)
1359 + return err;
1360 +diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
1361 +index 5bfa79ee657c..17a0838f8074 100644
1362 +--- a/net/sched/sch_codel.c
1363 ++++ b/net/sched/sch_codel.c
1364 +@@ -71,10 +71,10 @@ static struct sk_buff *dequeue_func(struct codel_vars *vars, void *ctx)
1365 + struct Qdisc *sch = ctx;
1366 + struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
1367 +
1368 +- if (skb)
1369 ++ if (skb) {
1370 + sch->qstats.backlog -= qdisc_pkt_len(skb);
1371 +-
1372 +- prefetch(&skb->end); /* we'll need skb_shinfo() */
1373 ++ prefetch(&skb->end); /* we'll need skb_shinfo() */
1374 ++ }
1375 + return skb;
1376 + }
1377 +
1378 +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
1379 +index b7c539a51da3..63a913b23873 100644
1380 +--- a/net/tipc/netlink_compat.c
1381 ++++ b/net/tipc/netlink_compat.c
1382 +@@ -55,6 +55,7 @@ struct tipc_nl_compat_msg {
1383 + int rep_type;
1384 + int rep_size;
1385 + int req_type;
1386 ++ int req_size;
1387 + struct net *net;
1388 + struct sk_buff *rep;
1389 + struct tlv_desc *req;
1390 +@@ -252,7 +253,8 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
1391 + int err;
1392 + struct sk_buff *arg;
1393 +
1394 +- if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
1395 ++ if (msg->req_type && (!msg->req_size ||
1396 ++ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
1397 + return -EINVAL;
1398 +
1399 + msg->rep = tipc_tlv_alloc(msg->rep_size);
1400 +@@ -345,7 +347,8 @@ static int tipc_nl_compat_doit(struct tipc_nl_compat_cmd_doit *cmd,
1401 + {
1402 + int err;
1403 +
1404 +- if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
1405 ++ if (msg->req_type && (!msg->req_size ||
1406 ++ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
1407 + return -EINVAL;
1408 +
1409 + err = __tipc_nl_compat_doit(cmd, msg);
1410 +@@ -1267,8 +1270,8 @@ static int tipc_nl_compat_recv(struct sk_buff *skb, struct genl_info *info)
1411 + goto send;
1412 + }
1413 +
1414 +- len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
1415 +- if (!len || !TLV_OK(msg.req, len)) {
1416 ++ msg.req_size = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
1417 ++ if (msg.req_size && !TLV_OK(msg.req, msg.req_size)) {
1418 + msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
1419 + err = -EOPNOTSUPP;
1420 + goto send;
1421 +diff --git a/tools/objtool/check.c b/tools/objtool/check.c
1422 +index 95326c6a7a24..09782ff427d0 100644
1423 +--- a/tools/objtool/check.c
1424 ++++ b/tools/objtool/check.c
1425 +@@ -165,6 +165,8 @@ static int __dead_end_function(struct objtool_file *file, struct symbol *func,
1426 + "__reiserfs_panic",
1427 + "lbug_with_loc",
1428 + "fortify_panic",
1429 ++ "machine_real_restart",
1430 ++ "rewind_stack_do_exit",
1431 + };
1432 +
1433 + if (func->bind == STB_WEAK)
Report Message
Find on MARC Find on Google Groups