Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:3.10 commit in: /
Date: Thu, 01 Oct 2015 13:14:03
Message-Id: 1444701898.ecbcbadac50cb64adb3f10a399e0a77d53228854.mpagano@gentoo
1 commit: ecbcbadac50cb64adb3f10a399e0a77d53228854
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Oct 13 02:04:58 2015 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Oct 13 02:04:58 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=ecbcbada
7
8 Linux patch 3.10.90
9
10 0000_README | 4 +
11 1089_linux-3.10.90.patch | 2146 ++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 2150 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 2d39ba5..1a0d13e 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -398,6 +398,10 @@ Patch: 1088_linux-3.10.89.patch
19 From: http://www.kernel.org
20 Desc: Linux 3.10.89
21
22 +Patch: 1089_linux-3.10.90.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 3.10.90
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1089_linux-3.10.90.patch b/1089_linux-3.10.90.patch
31 new file mode 100644
32 index 0000000..d5611b8
33 --- /dev/null
34 +++ b/1089_linux-3.10.90.patch
35 @@ -0,0 +1,2146 @@
36 +diff --git a/Makefile b/Makefile
37 +index ca82393e1eea..ce741a9f5b1c 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 3
42 + PATCHLEVEL = 10
43 +-SUBLEVEL = 89
44 ++SUBLEVEL = 90
45 + EXTRAVERSION =
46 + NAME = TOSSUG Baby Fish
47 +
48 +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
49 +index 0677ff4814fa..661ccf87b9ad 100644
50 +--- a/arch/arm64/Kconfig
51 ++++ b/arch/arm64/Kconfig
52 +@@ -56,6 +56,10 @@ config NO_IOPORT
53 + config STACKTRACE_SUPPORT
54 + def_bool y
55 +
56 ++config ILLEGAL_POINTER_VALUE
57 ++ hex
58 ++ default 0xdead000000000000
59 ++
60 + config LOCKDEP_SUPPORT
61 + def_bool y
62 +
63 +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
64 +index 53dcae49e729..f480e7d6e8b2 100644
65 +--- a/arch/arm64/kernel/head.S
66 ++++ b/arch/arm64/kernel/head.S
67 +@@ -184,6 +184,11 @@ ENTRY(el2_setup)
68 + msr hstr_el2, xzr // Disable CP15 traps to EL2
69 + #endif
70 +
71 ++ /* EL2 debug */
72 ++ mrs x0, pmcr_el0 // Disable debug access traps
73 ++ ubfx x0, x0, #11, #5 // to EL2 and allow access to
74 ++ msr mdcr_el2, x0 // all PMU counters from EL1
75 ++
76 + /* Stage-2 translation */
77 + msr vttbr_el2, xzr
78 +
79 +diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c
80 +index b9564b8d6bab..1e60acc6a4d7 100644
81 +--- a/arch/arm64/kernel/signal32.c
82 ++++ b/arch/arm64/kernel/signal32.c
83 +@@ -231,14 +231,32 @@ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
84 +
85 + /*
86 + * VFP save/restore code.
87 ++ *
88 ++ * We have to be careful with endianness, since the fpsimd context-switch
89 ++ * code operates on 128-bit (Q) register values whereas the compat ABI
90 ++ * uses an array of 64-bit (D) registers. Consequently, we need to swap
91 ++ * the two halves of each Q register when running on a big-endian CPU.
92 + */
93 ++union __fpsimd_vreg {
94 ++ __uint128_t raw;
95 ++ struct {
96 ++#ifdef __AARCH64EB__
97 ++ u64 hi;
98 ++ u64 lo;
99 ++#else
100 ++ u64 lo;
101 ++ u64 hi;
102 ++#endif
103 ++ };
104 ++};
105 ++
106 + static int compat_preserve_vfp_context(struct compat_vfp_sigframe __user *frame)
107 + {
108 + struct fpsimd_state *fpsimd = &current->thread.fpsimd_state;
109 + compat_ulong_t magic = VFP_MAGIC;
110 + compat_ulong_t size = VFP_STORAGE_SIZE;
111 + compat_ulong_t fpscr, fpexc;
112 +- int err = 0;
113 ++ int i, err = 0;
114 +
115 + /*
116 + * Save the hardware registers to the fpsimd_state structure.
117 +@@ -254,10 +272,15 @@ static int compat_preserve_vfp_context(struct compat_vfp_sigframe __user *frame)
118 + /*
119 + * Now copy the FP registers. Since the registers are packed,
120 + * we can copy the prefix we want (V0-V15) as it is.
121 +- * FIXME: Won't work if big endian.
122 + */
123 +- err |= __copy_to_user(&frame->ufp.fpregs, fpsimd->vregs,
124 +- sizeof(frame->ufp.fpregs));
125 ++ for (i = 0; i < ARRAY_SIZE(frame->ufp.fpregs); i += 2) {
126 ++ union __fpsimd_vreg vreg = {
127 ++ .raw = fpsimd->vregs[i >> 1],
128 ++ };
129 ++
130 ++ __put_user_error(vreg.lo, &frame->ufp.fpregs[i], err);
131 ++ __put_user_error(vreg.hi, &frame->ufp.fpregs[i + 1], err);
132 ++ }
133 +
134 + /* Create an AArch32 fpscr from the fpsr and the fpcr. */
135 + fpscr = (fpsimd->fpsr & VFP_FPSCR_STAT_MASK) |
136 +@@ -282,7 +305,7 @@ static int compat_restore_vfp_context(struct compat_vfp_sigframe __user *frame)
137 + compat_ulong_t magic = VFP_MAGIC;
138 + compat_ulong_t size = VFP_STORAGE_SIZE;
139 + compat_ulong_t fpscr;
140 +- int err = 0;
141 ++ int i, err = 0;
142 +
143 + __get_user_error(magic, &frame->magic, err);
144 + __get_user_error(size, &frame->size, err);
145 +@@ -292,12 +315,14 @@ static int compat_restore_vfp_context(struct compat_vfp_sigframe __user *frame)
146 + if (magic != VFP_MAGIC || size != VFP_STORAGE_SIZE)
147 + return -EINVAL;
148 +
149 +- /*
150 +- * Copy the FP registers into the start of the fpsimd_state.
151 +- * FIXME: Won't work if big endian.
152 +- */
153 +- err |= __copy_from_user(fpsimd.vregs, frame->ufp.fpregs,
154 +- sizeof(frame->ufp.fpregs));
155 ++ /* Copy the FP registers into the start of the fpsimd_state. */
156 ++ for (i = 0; i < ARRAY_SIZE(frame->ufp.fpregs); i += 2) {
157 ++ union __fpsimd_vreg vreg;
158 ++
159 ++ __get_user_error(vreg.lo, &frame->ufp.fpregs[i], err);
160 ++ __get_user_error(vreg.hi, &frame->ufp.fpregs[i + 1], err);
161 ++ fpsimd.vregs[i >> 1] = vreg.raw;
162 ++ }
163 +
164 + /* Extract the fpsr and the fpcr from the fpscr */
165 + __get_user_error(fpscr, &frame->ufp.fpscr, err);
166 +diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c
167 +index 2e6443b1e922..c32a37e0e0d2 100644
168 +--- a/arch/parisc/kernel/irq.c
169 ++++ b/arch/parisc/kernel/irq.c
170 +@@ -524,8 +524,8 @@ void do_cpu_irq_mask(struct pt_regs *regs)
171 + struct pt_regs *old_regs;
172 + unsigned long eirr_val;
173 + int irq, cpu = smp_processor_id();
174 +-#ifdef CONFIG_SMP
175 + struct irq_desc *desc;
176 ++#ifdef CONFIG_SMP
177 + cpumask_t dest;
178 + #endif
179 +
180 +@@ -538,8 +538,12 @@ void do_cpu_irq_mask(struct pt_regs *regs)
181 + goto set_out;
182 + irq = eirr_to_irq(eirr_val);
183 +
184 +-#ifdef CONFIG_SMP
185 ++ /* Filter out spurious interrupts, mostly from serial port at bootup */
186 + desc = irq_to_desc(irq);
187 ++ if (unlikely(!desc->action))
188 ++ goto set_out;
189 ++
190 ++#ifdef CONFIG_SMP
191 + cpumask_copy(&dest, desc->irq_data.affinity);
192 + if (irqd_is_per_cpu(&desc->irq_data) &&
193 + !cpu_isset(smp_processor_id(), dest)) {
194 +diff --git a/arch/powerpc/include/asm/pgtable-ppc64.h b/arch/powerpc/include/asm/pgtable-ppc64.h
195 +index e3d55f6f24fe..6fbb2b46098c 100644
196 +--- a/arch/powerpc/include/asm/pgtable-ppc64.h
197 ++++ b/arch/powerpc/include/asm/pgtable-ppc64.h
198 +@@ -130,7 +130,19 @@
199 + #define pte_iterate_hashed_end() } while(0)
200 +
201 + #ifdef CONFIG_PPC_HAS_HASH_64K
202 +-#define pte_pagesize_index(mm, addr, pte) get_slice_psize(mm, addr)
203 ++/*
204 ++ * We expect this to be called only for user addresses or kernel virtual
205 ++ * addresses other than the linear mapping.
206 ++ */
207 ++#define pte_pagesize_index(mm, addr, pte) \
208 ++ ({ \
209 ++ unsigned int psize; \
210 ++ if (is_kernel_addr(addr)) \
211 ++ psize = MMU_PAGE_4K; \
212 ++ else \
213 ++ psize = get_slice_psize(mm, addr); \
214 ++ psize; \
215 ++ })
216 + #else
217 + #define pte_pagesize_index(mm, addr, pte) MMU_PAGE_4K
218 + #endif
219 +diff --git a/arch/powerpc/include/asm/rtas.h b/arch/powerpc/include/asm/rtas.h
220 +index 34fd70488d83..c5d5cb36f6c6 100644
221 +--- a/arch/powerpc/include/asm/rtas.h
222 ++++ b/arch/powerpc/include/asm/rtas.h
223 +@@ -255,6 +255,7 @@ extern void rtas_power_off(void);
224 + extern void rtas_halt(void);
225 + extern void rtas_os_term(char *str);
226 + extern int rtas_get_sensor(int sensor, int index, int *state);
227 ++extern int rtas_get_sensor_fast(int sensor, int index, int *state);
228 + extern int rtas_get_power_level(int powerdomain, int *level);
229 + extern int rtas_set_power_level(int powerdomain, int level, int *setlevel);
230 + extern bool rtas_indicator_present(int token, int *maxindex);
231 +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
232 +index 52add6f3e201..f956a2f84a15 100644
233 +--- a/arch/powerpc/kernel/rtas.c
234 ++++ b/arch/powerpc/kernel/rtas.c
235 +@@ -584,6 +584,23 @@ int rtas_get_sensor(int sensor, int index, int *state)
236 + }
237 + EXPORT_SYMBOL(rtas_get_sensor);
238 +
239 ++int rtas_get_sensor_fast(int sensor, int index, int *state)
240 ++{
241 ++ int token = rtas_token("get-sensor-state");
242 ++ int rc;
243 ++
244 ++ if (token == RTAS_UNKNOWN_SERVICE)
245 ++ return -ENOENT;
246 ++
247 ++ rc = rtas_call(token, 2, 2, state, sensor, index);
248 ++ WARN_ON(rc == RTAS_BUSY || (rc >= RTAS_EXTENDED_DELAY_MIN &&
249 ++ rc <= RTAS_EXTENDED_DELAY_MAX));
250 ++
251 ++ if (rc < 0)
252 ++ return rtas_error_rc(rc);
253 ++ return rc;
254 ++}
255 ++
256 + bool rtas_indicator_present(int token, int *maxindex)
257 + {
258 + int proplen, count, i;
259 +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c
260 +index c4dfccd3a3d9..2338e6e98483 100644
261 +--- a/arch/powerpc/platforms/pseries/ras.c
262 ++++ b/arch/powerpc/platforms/pseries/ras.c
263 +@@ -187,7 +187,8 @@ static irqreturn_t ras_epow_interrupt(int irq, void *dev_id)
264 + int state;
265 + int critical;
266 +
267 +- status = rtas_get_sensor(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX, &state);
268 ++ status = rtas_get_sensor_fast(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX,
269 ++ &state);
270 +
271 + if (state > 3)
272 + critical = 1; /* Time Critical */
273 +diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
274 +index 3ac7e319918d..6a70f0ee4092 100644
275 +--- a/arch/x86/mm/init_32.c
276 ++++ b/arch/x86/mm/init_32.c
277 +@@ -137,6 +137,7 @@ page_table_range_init_count(unsigned long start, unsigned long end)
278 +
279 + vaddr = start;
280 + pgd_idx = pgd_index(vaddr);
281 ++ pmd_idx = pmd_index(vaddr);
282 +
283 + for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd_idx++) {
284 + for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
285 +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
286 +index 0c966fecfb8c..5479d677f9be 100644
287 +--- a/arch/x86/net/bpf_jit_comp.c
288 ++++ b/arch/x86/net/bpf_jit_comp.c
289 +@@ -176,7 +176,12 @@ void bpf_jit_compile(struct sk_filter *fp)
290 + }
291 + cleanup_addr = proglen; /* epilogue address */
292 +
293 +- for (pass = 0; pass < 10; pass++) {
294 ++ /* JITed image shrinks with every pass and the loop iterates
295 ++ * until the image stops shrinking. Very large bpf programs
296 ++ * may converge on the last pass. In such case do one more
297 ++ * pass to emit the final image
298 ++ */
299 ++ for (pass = 0; pass < 10 || image; pass++) {
300 + u8 seen_or_pass0 = (pass == 0) ? (SEEN_XREG | SEEN_DATAREF | SEEN_MEM) : seen;
301 + /* no prologue/epilogue for trivial filters (RET something) */
302 + proglen = 0;
303 +diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c
304 +index 8cac69819054..9c64a973190e 100644
305 +--- a/drivers/gpu/drm/radeon/radeon_combios.c
306 ++++ b/drivers/gpu/drm/radeon/radeon_combios.c
307 +@@ -3403,6 +3403,14 @@ void radeon_combios_asic_init(struct drm_device *dev)
308 + rdev->pdev->subsystem_device == 0x30ae)
309 + return;
310 +
311 ++ /* quirk for rs4xx HP Compaq dc5750 Small Form Factor to make it resume
312 ++ * - it hangs on resume inside the dynclk 1 table.
313 ++ */
314 ++ if (rdev->family == CHIP_RS480 &&
315 ++ rdev->pdev->subsystem_vendor == 0x103c &&
316 ++ rdev->pdev->subsystem_device == 0x280a)
317 ++ return;
318 ++
319 + /* DYN CLK 1 */
320 + table = combios_get_table_offset(dev, COMBIOS_DYN_CLK_1_TABLE);
321 + if (table)
322 +diff --git a/drivers/iio/gyro/Kconfig b/drivers/iio/gyro/Kconfig
323 +index 953a0621c6fe..107cafcb89da 100644
324 +--- a/drivers/iio/gyro/Kconfig
325 ++++ b/drivers/iio/gyro/Kconfig
326 +@@ -73,8 +73,7 @@ config IIO_ST_GYRO_SPI_3AXIS
327 + config ITG3200
328 + tristate "InvenSense ITG3200 Digital 3-Axis Gyroscope I2C driver"
329 + depends on I2C
330 +- select IIO_BUFFER
331 +- select IIO_TRIGGERED_BUFFER
332 ++ select IIO_TRIGGERED_BUFFER if IIO_BUFFER
333 + help
334 + Say yes here to add support for the InvenSense ITG3200 digital
335 + 3-axis gyroscope sensor.
336 +diff --git a/drivers/infiniband/core/uverbs.h b/drivers/infiniband/core/uverbs.h
337 +index 0fcd7aa26fa2..8b8de21bfdc5 100644
338 +--- a/drivers/infiniband/core/uverbs.h
339 ++++ b/drivers/infiniband/core/uverbs.h
340 +@@ -69,7 +69,7 @@
341 + */
342 +
343 + struct ib_uverbs_device {
344 +- struct kref ref;
345 ++ atomic_t refcount;
346 + int num_comp_vectors;
347 + struct completion comp;
348 + struct device *dev;
349 +@@ -78,6 +78,7 @@ struct ib_uverbs_device {
350 + struct cdev cdev;
351 + struct rb_root xrcd_tree;
352 + struct mutex xrcd_tree_mutex;
353 ++ struct kobject kobj;
354 + };
355 +
356 + struct ib_uverbs_event_file {
357 +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
358 +index a7d00f6b3bc1..44c15cebd43f 100644
359 +--- a/drivers/infiniband/core/uverbs_cmd.c
360 ++++ b/drivers/infiniband/core/uverbs_cmd.c
361 +@@ -2106,6 +2106,12 @@ ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
362 + next->send_flags = user_wr->send_flags;
363 +
364 + if (is_ud) {
365 ++ if (next->opcode != IB_WR_SEND &&
366 ++ next->opcode != IB_WR_SEND_WITH_IMM) {
367 ++ ret = -EINVAL;
368 ++ goto out_put;
369 ++ }
370 ++
371 + next->wr.ud.ah = idr_read_ah(user_wr->wr.ud.ah,
372 + file->ucontext);
373 + if (!next->wr.ud.ah) {
374 +@@ -2142,9 +2148,11 @@ ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
375 + user_wr->wr.atomic.compare_add;
376 + next->wr.atomic.swap = user_wr->wr.atomic.swap;
377 + next->wr.atomic.rkey = user_wr->wr.atomic.rkey;
378 ++ case IB_WR_SEND:
379 + break;
380 + default:
381 +- break;
382 ++ ret = -EINVAL;
383 ++ goto out_put;
384 + }
385 + }
386 +
387 +diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
388 +index 949b38633496..b6062b9236a2 100644
389 +--- a/drivers/infiniband/core/uverbs_main.c
390 ++++ b/drivers/infiniband/core/uverbs_main.c
391 +@@ -119,14 +119,18 @@ static ssize_t (*uverbs_cmd_table[])(struct ib_uverbs_file *file,
392 + static void ib_uverbs_add_one(struct ib_device *device);
393 + static void ib_uverbs_remove_one(struct ib_device *device);
394 +
395 +-static void ib_uverbs_release_dev(struct kref *ref)
396 ++static void ib_uverbs_release_dev(struct kobject *kobj)
397 + {
398 + struct ib_uverbs_device *dev =
399 +- container_of(ref, struct ib_uverbs_device, ref);
400 ++ container_of(kobj, struct ib_uverbs_device, kobj);
401 +
402 +- complete(&dev->comp);
403 ++ kfree(dev);
404 + }
405 +
406 ++static struct kobj_type ib_uverbs_dev_ktype = {
407 ++ .release = ib_uverbs_release_dev,
408 ++};
409 ++
410 + static void ib_uverbs_release_event_file(struct kref *ref)
411 + {
412 + struct ib_uverbs_event_file *file =
413 +@@ -282,13 +286,19 @@ static int ib_uverbs_cleanup_ucontext(struct ib_uverbs_file *file,
414 + return context->device->dealloc_ucontext(context);
415 + }
416 +
417 ++static void ib_uverbs_comp_dev(struct ib_uverbs_device *dev)
418 ++{
419 ++ complete(&dev->comp);
420 ++}
421 ++
422 + static void ib_uverbs_release_file(struct kref *ref)
423 + {
424 + struct ib_uverbs_file *file =
425 + container_of(ref, struct ib_uverbs_file, ref);
426 +
427 + module_put(file->device->ib_dev->owner);
428 +- kref_put(&file->device->ref, ib_uverbs_release_dev);
429 ++ if (atomic_dec_and_test(&file->device->refcount))
430 ++ ib_uverbs_comp_dev(file->device);
431 +
432 + kfree(file);
433 + }
434 +@@ -629,9 +639,7 @@ static int ib_uverbs_open(struct inode *inode, struct file *filp)
435 + int ret;
436 +
437 + dev = container_of(inode->i_cdev, struct ib_uverbs_device, cdev);
438 +- if (dev)
439 +- kref_get(&dev->ref);
440 +- else
441 ++ if (!atomic_inc_not_zero(&dev->refcount))
442 + return -ENXIO;
443 +
444 + if (!try_module_get(dev->ib_dev->owner)) {
445 +@@ -652,6 +660,7 @@ static int ib_uverbs_open(struct inode *inode, struct file *filp)
446 + mutex_init(&file->mutex);
447 +
448 + filp->private_data = file;
449 ++ kobject_get(&dev->kobj);
450 +
451 + return nonseekable_open(inode, filp);
452 +
453 +@@ -659,13 +668,16 @@ err_module:
454 + module_put(dev->ib_dev->owner);
455 +
456 + err:
457 +- kref_put(&dev->ref, ib_uverbs_release_dev);
458 ++ if (atomic_dec_and_test(&dev->refcount))
459 ++ ib_uverbs_comp_dev(dev);
460 ++
461 + return ret;
462 + }
463 +
464 + static int ib_uverbs_close(struct inode *inode, struct file *filp)
465 + {
466 + struct ib_uverbs_file *file = filp->private_data;
467 ++ struct ib_uverbs_device *dev = file->device;
468 +
469 + ib_uverbs_cleanup_ucontext(file, file->ucontext);
470 +
471 +@@ -673,6 +685,7 @@ static int ib_uverbs_close(struct inode *inode, struct file *filp)
472 + kref_put(&file->async_file->ref, ib_uverbs_release_event_file);
473 +
474 + kref_put(&file->ref, ib_uverbs_release_file);
475 ++ kobject_put(&dev->kobj);
476 +
477 + return 0;
478 + }
479 +@@ -768,10 +781,11 @@ static void ib_uverbs_add_one(struct ib_device *device)
480 + if (!uverbs_dev)
481 + return;
482 +
483 +- kref_init(&uverbs_dev->ref);
484 ++ atomic_set(&uverbs_dev->refcount, 1);
485 + init_completion(&uverbs_dev->comp);
486 + uverbs_dev->xrcd_tree = RB_ROOT;
487 + mutex_init(&uverbs_dev->xrcd_tree_mutex);
488 ++ kobject_init(&uverbs_dev->kobj, &ib_uverbs_dev_ktype);
489 +
490 + spin_lock(&map_lock);
491 + devnum = find_first_zero_bit(dev_map, IB_UVERBS_MAX_DEVICES);
492 +@@ -798,6 +812,7 @@ static void ib_uverbs_add_one(struct ib_device *device)
493 + cdev_init(&uverbs_dev->cdev, NULL);
494 + uverbs_dev->cdev.owner = THIS_MODULE;
495 + uverbs_dev->cdev.ops = device->mmap ? &uverbs_mmap_fops : &uverbs_fops;
496 ++ uverbs_dev->cdev.kobj.parent = &uverbs_dev->kobj;
497 + kobject_set_name(&uverbs_dev->cdev.kobj, "uverbs%d", uverbs_dev->devnum);
498 + if (cdev_add(&uverbs_dev->cdev, base, 1))
499 + goto err_cdev;
500 +@@ -828,9 +843,10 @@ err_cdev:
501 + clear_bit(devnum, overflow_map);
502 +
503 + err:
504 +- kref_put(&uverbs_dev->ref, ib_uverbs_release_dev);
505 ++ if (atomic_dec_and_test(&uverbs_dev->refcount))
506 ++ ib_uverbs_comp_dev(uverbs_dev);
507 + wait_for_completion(&uverbs_dev->comp);
508 +- kfree(uverbs_dev);
509 ++ kobject_put(&uverbs_dev->kobj);
510 + return;
511 + }
512 +
513 +@@ -850,9 +866,10 @@ static void ib_uverbs_remove_one(struct ib_device *device)
514 + else
515 + clear_bit(uverbs_dev->devnum - IB_UVERBS_MAX_DEVICES, overflow_map);
516 +
517 +- kref_put(&uverbs_dev->ref, ib_uverbs_release_dev);
518 ++ if (atomic_dec_and_test(&uverbs_dev->refcount))
519 ++ ib_uverbs_comp_dev(uverbs_dev);
520 + wait_for_completion(&uverbs_dev->comp);
521 +- kfree(uverbs_dev);
522 ++ kobject_put(&uverbs_dev->kobj);
523 + }
524 +
525 + static char *uverbs_devnode(struct device *dev, umode_t *mode)
526 +diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c
527 +index a251becdaa98..890c23b3d714 100644
528 +--- a/drivers/infiniband/hw/mlx4/ah.c
529 ++++ b/drivers/infiniband/hw/mlx4/ah.c
530 +@@ -169,9 +169,13 @@ int mlx4_ib_query_ah(struct ib_ah *ibah, struct ib_ah_attr *ah_attr)
531 + enum rdma_link_layer ll;
532 +
533 + memset(ah_attr, 0, sizeof *ah_attr);
534 +- ah_attr->sl = be32_to_cpu(ah->av.ib.sl_tclass_flowlabel) >> 28;
535 + ah_attr->port_num = be32_to_cpu(ah->av.ib.port_pd) >> 24;
536 + ll = rdma_port_get_link_layer(ibah->device, ah_attr->port_num);
537 ++ if (ll == IB_LINK_LAYER_ETHERNET)
538 ++ ah_attr->sl = be32_to_cpu(ah->av.eth.sl_tclass_flowlabel) >> 29;
539 ++ else
540 ++ ah_attr->sl = be32_to_cpu(ah->av.ib.sl_tclass_flowlabel) >> 28;
541 ++
542 + ah_attr->dlid = ll == IB_LINK_LAYER_INFINIBAND ? be16_to_cpu(ah->av.ib.dlid) : 0;
543 + if (ah->av.ib.stat_rate)
544 + ah_attr->static_rate = ah->av.ib.stat_rate - MLX4_STAT_RATE_OFFSET;
545 +diff --git a/drivers/infiniband/hw/mlx4/sysfs.c b/drivers/infiniband/hw/mlx4/sysfs.c
546 +index 97516eb363b7..c5ce4082fdc7 100644
547 +--- a/drivers/infiniband/hw/mlx4/sysfs.c
548 ++++ b/drivers/infiniband/hw/mlx4/sysfs.c
549 +@@ -563,6 +563,8 @@ static int add_port(struct mlx4_ib_dev *dev, int port_num, int slave)
550 + struct mlx4_port *p;
551 + int i;
552 + int ret;
553 ++ int is_eth = rdma_port_get_link_layer(&dev->ib_dev, port_num) ==
554 ++ IB_LINK_LAYER_ETHERNET;
555 +
556 + p = kzalloc(sizeof *p, GFP_KERNEL);
557 + if (!p)
558 +@@ -580,7 +582,8 @@ static int add_port(struct mlx4_ib_dev *dev, int port_num, int slave)
559 +
560 + p->pkey_group.name = "pkey_idx";
561 + p->pkey_group.attrs =
562 +- alloc_group_attrs(show_port_pkey, store_port_pkey,
563 ++ alloc_group_attrs(show_port_pkey,
564 ++ is_eth ? NULL : store_port_pkey,
565 + dev->dev->caps.pkey_table_len[port_num]);
566 + if (!p->pkey_group.attrs)
567 + goto err_alloc;
568 +diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c
569 +index 8c91fd5eb6fd..3ac9c4194814 100644
570 +--- a/drivers/isdn/gigaset/ser-gigaset.c
571 ++++ b/drivers/isdn/gigaset/ser-gigaset.c
572 +@@ -524,9 +524,18 @@ gigaset_tty_open(struct tty_struct *tty)
573 + cs->hw.ser->tty = tty;
574 + atomic_set(&cs->hw.ser->refcnt, 1);
575 + init_completion(&cs->hw.ser->dead_cmp);
576 +-
577 + tty->disc_data = cs;
578 +
579 ++ /* Set the amount of data we're willing to receive per call
580 ++ * from the hardware driver to half of the input buffer size
581 ++ * to leave some reserve.
582 ++ * Note: We don't do flow control towards the hardware driver.
583 ++ * If more data is received than will fit into the input buffer,
584 ++ * it will be dropped and an error will be logged. This should
585 ++ * never happen as the device is slow and the buffer size ample.
586 ++ */
587 ++ tty->receive_room = RBUFSIZE/2;
588 ++
589 + /* OK.. Initialization of the datastructures and the HW is done.. Now
590 + * startup system and notify the LL that we are ready to run
591 + */
592 +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
593 +index a1ea2a753912..5b2a1eaea34d 100644
594 +--- a/drivers/md/raid10.c
595 ++++ b/drivers/md/raid10.c
596 +@@ -3578,6 +3578,7 @@ static struct r10conf *setup_conf(struct mddev *mddev)
597 + /* far_copies must be 1 */
598 + conf->prev.stride = conf->dev_sectors;
599 + }
600 ++ conf->reshape_safe = conf->reshape_progress;
601 + spin_lock_init(&conf->device_lock);
602 + INIT_LIST_HEAD(&conf->retry_list);
603 +
604 +@@ -3785,7 +3786,6 @@ static int run(struct mddev *mddev)
605 + }
606 + conf->offset_diff = min_offset_diff;
607 +
608 +- conf->reshape_safe = conf->reshape_progress;
609 + clear_bit(MD_RECOVERY_SYNC, &mddev->recovery);
610 + clear_bit(MD_RECOVERY_CHECK, &mddev->recovery);
611 + set_bit(MD_RECOVERY_RESHAPE, &mddev->recovery);
612 +@@ -4130,6 +4130,7 @@ static int raid10_start_reshape(struct mddev *mddev)
613 + conf->reshape_progress = size;
614 + } else
615 + conf->reshape_progress = 0;
616 ++ conf->reshape_safe = conf->reshape_progress;
617 + spin_unlock_irq(&conf->device_lock);
618 +
619 + if (mddev->delta_disks && mddev->bitmap) {
620 +@@ -4196,6 +4197,7 @@ abort:
621 + rdev->new_data_offset = rdev->data_offset;
622 + smp_wmb();
623 + conf->reshape_progress = MaxSector;
624 ++ conf->reshape_safe = MaxSector;
625 + mddev->reshape_position = MaxSector;
626 + spin_unlock_irq(&conf->device_lock);
627 + return ret;
628 +@@ -4543,6 +4545,7 @@ static void end_reshape(struct r10conf *conf)
629 + md_finish_reshape(conf->mddev);
630 + smp_wmb();
631 + conf->reshape_progress = MaxSector;
632 ++ conf->reshape_safe = MaxSector;
633 + spin_unlock_irq(&conf->device_lock);
634 +
635 + /* read-ahead size must cover two whole stripes, which is
636 +diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
637 +index 1cf382a0b277..cf7bbb6c9807 100644
638 +--- a/drivers/media/rc/rc-main.c
639 ++++ b/drivers/media/rc/rc-main.c
640 +@@ -943,9 +943,6 @@ static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env)
641 + {
642 + struct rc_dev *dev = to_rc_dev(device);
643 +
644 +- if (!dev || !dev->input_dev)
645 +- return -ENODEV;
646 +-
647 + if (dev->rc_map.name)
648 + ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name);
649 + if (dev->driver_name)
650 +diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c
651 +index c40396f23202..68ab26385d06 100644
652 +--- a/drivers/mmc/core/core.c
653 ++++ b/drivers/mmc/core/core.c
654 +@@ -327,8 +327,10 @@ EXPORT_SYMBOL(mmc_start_bkops);
655 + */
656 + static void mmc_wait_data_done(struct mmc_request *mrq)
657 + {
658 +- mrq->host->context_info.is_done_rcv = true;
659 +- wake_up_interruptible(&mrq->host->context_info.wait);
660 ++ struct mmc_context_info *context_info = &mrq->host->context_info;
661 ++
662 ++ context_info->is_done_rcv = true;
663 ++ wake_up_interruptible(&context_info->wait);
664 + }
665 +
666 + static void mmc_wait_done(struct mmc_request *mrq)
667 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
668 +index b143ce91e081..6b5baf01512d 100644
669 +--- a/drivers/net/bonding/bond_main.c
670 ++++ b/drivers/net/bonding/bond_main.c
671 +@@ -2188,6 +2188,7 @@ static int bond_release_and_destroy(struct net_device *bond_dev,
672 + bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
673 + pr_info("%s: destroying bond %s.\n",
674 + bond_dev->name, bond_dev->name);
675 ++ bond_remove_proc_entry(bond);
676 + unregister_netdevice(bond_dev);
677 + }
678 + return ret;
679 +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
680 +index 680d26d6d2c3..518cc4b6c7dd 100644
681 +--- a/drivers/net/ethernet/broadcom/tg3.c
682 ++++ b/drivers/net/ethernet/broadcom/tg3.c
683 +@@ -10518,7 +10518,7 @@ static ssize_t tg3_show_temp(struct device *dev,
684 + tg3_ape_scratchpad_read(tp, &temperature, attr->index,
685 + sizeof(temperature));
686 + spin_unlock_bh(&tp->lock);
687 +- return sprintf(buf, "%u\n", temperature);
688 ++ return sprintf(buf, "%u\n", temperature * 1000);
689 + }
690 +
691 +
692 +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
693 +index 3d50e7db141e..fb068ada0c5a 100644
694 +--- a/drivers/net/usb/usbnet.c
695 ++++ b/drivers/net/usb/usbnet.c
696 +@@ -753,7 +753,7 @@ int usbnet_stop (struct net_device *net)
697 + {
698 + struct usbnet *dev = netdev_priv(net);
699 + struct driver_info *info = dev->driver_info;
700 +- int retval, pm;
701 ++ int retval, pm, mpn;
702 +
703 + clear_bit(EVENT_DEV_OPEN, &dev->flags);
704 + netif_stop_queue (net);
705 +@@ -784,6 +784,8 @@ int usbnet_stop (struct net_device *net)
706 +
707 + usbnet_purge_paused_rxq(dev);
708 +
709 ++ mpn = !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags);
710 ++
711 + /* deferred work (task, timer, softirq) must also stop.
712 + * can't flush_scheduled_work() until we drop rtnl (later),
713 + * else workers could deadlock; so make workers a NOP.
714 +@@ -794,8 +796,7 @@ int usbnet_stop (struct net_device *net)
715 + if (!pm)
716 + usb_autopm_put_interface(dev->intf);
717 +
718 +- if (info->manage_power &&
719 +- !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags))
720 ++ if (info->manage_power && mpn)
721 + info->manage_power(dev, 0);
722 + else
723 + usb_autopm_put_interface(dev->intf);
724 +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
725 +index 7555095e0b74..fa669b52fc91 100644
726 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
727 ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
728 +@@ -313,6 +313,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
729 + {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
730 + {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
731 + {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
732 ++ {RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/
733 + {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
734 + {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
735 + {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
736 +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
737 +index fb97bc0b80e7..2947eda522b2 100644
738 +--- a/drivers/vhost/scsi.c
739 ++++ b/drivers/vhost/scsi.c
740 +@@ -1088,7 +1088,7 @@ static void tcm_vhost_send_evt(struct vhost_scsi *vs, struct tcm_vhost_tpg *tpg,
741 + * lun[4-7] need to be zero according to virtio-scsi spec.
742 + */
743 + evt->event.lun[0] = 0x01;
744 +- evt->event.lun[1] = tpg->tport_tpgt & 0xFF;
745 ++ evt->event.lun[1] = tpg->tport_tpgt;
746 + if (lun->unpacked_lun >= 256)
747 + evt->event.lun[2] = lun->unpacked_lun >> 8 | 0x40 ;
748 + evt->event.lun[3] = lun->unpacked_lun & 0xFF;
749 +@@ -1894,12 +1894,12 @@ static struct se_portal_group *tcm_vhost_make_tpg(struct se_wwn *wwn,
750 + struct tcm_vhost_tport, tport_wwn);
751 +
752 + struct tcm_vhost_tpg *tpg;
753 +- unsigned long tpgt;
754 ++ u16 tpgt;
755 + int ret;
756 +
757 + if (strstr(name, "tpgt_") != name)
758 + return ERR_PTR(-EINVAL);
759 +- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX)
760 ++ if (kstrtou16(name + 5, 10, &tpgt) || tpgt >= VHOST_SCSI_MAX_TARGET)
761 + return ERR_PTR(-EINVAL);
762 +
763 + tpg = kzalloc(sizeof(struct tcm_vhost_tpg), GFP_KERNEL);
764 +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
765 +index 474d11499d0e..e68205cbc46e 100644
766 +--- a/drivers/xen/gntdev.c
767 ++++ b/drivers/xen/gntdev.c
768 +@@ -65,7 +65,7 @@ struct gntdev_priv {
769 + * Only populated if populate_freeable_maps == 1 */
770 + struct list_head freeable_maps;
771 + /* lock protects maps and freeable_maps */
772 +- spinlock_t lock;
773 ++ struct mutex lock;
774 + struct mm_struct *mm;
775 + struct mmu_notifier mn;
776 + };
777 +@@ -214,9 +214,9 @@ static void gntdev_put_map(struct gntdev_priv *priv, struct grant_map *map)
778 + }
779 +
780 + if (populate_freeable_maps && priv) {
781 +- spin_lock(&priv->lock);
782 ++ mutex_lock(&priv->lock);
783 + list_del(&map->next);
784 +- spin_unlock(&priv->lock);
785 ++ mutex_unlock(&priv->lock);
786 + }
787 +
788 + if (map->pages && !use_ptemod)
789 +@@ -392,9 +392,9 @@ static void gntdev_vma_close(struct vm_area_struct *vma)
790 + * not do any unmapping, since that has been done prior to
791 + * closing the vma, but it may still iterate the unmap_ops list.
792 + */
793 +- spin_lock(&priv->lock);
794 ++ mutex_lock(&priv->lock);
795 + map->vma = NULL;
796 +- spin_unlock(&priv->lock);
797 ++ mutex_unlock(&priv->lock);
798 + }
799 + vma->vm_private_data = NULL;
800 + gntdev_put_map(priv, map);
801 +@@ -438,14 +438,14 @@ static void mn_invl_range_start(struct mmu_notifier *mn,
802 + struct gntdev_priv *priv = container_of(mn, struct gntdev_priv, mn);
803 + struct grant_map *map;
804 +
805 +- spin_lock(&priv->lock);
806 ++ mutex_lock(&priv->lock);
807 + list_for_each_entry(map, &priv->maps, next) {
808 + unmap_if_in_range(map, start, end);
809 + }
810 + list_for_each_entry(map, &priv->freeable_maps, next) {
811 + unmap_if_in_range(map, start, end);
812 + }
813 +- spin_unlock(&priv->lock);
814 ++ mutex_unlock(&priv->lock);
815 + }
816 +
817 + static void mn_invl_page(struct mmu_notifier *mn,
818 +@@ -462,7 +462,7 @@ static void mn_release(struct mmu_notifier *mn,
819 + struct grant_map *map;
820 + int err;
821 +
822 +- spin_lock(&priv->lock);
823 ++ mutex_lock(&priv->lock);
824 + list_for_each_entry(map, &priv->maps, next) {
825 + if (!map->vma)
826 + continue;
827 +@@ -481,7 +481,7 @@ static void mn_release(struct mmu_notifier *mn,
828 + err = unmap_grant_pages(map, /* offset */ 0, map->count);
829 + WARN_ON(err);
830 + }
831 +- spin_unlock(&priv->lock);
832 ++ mutex_unlock(&priv->lock);
833 + }
834 +
835 + static struct mmu_notifier_ops gntdev_mmu_ops = {
836 +@@ -503,7 +503,7 @@ static int gntdev_open(struct inode *inode, struct file *flip)
837 +
838 + INIT_LIST_HEAD(&priv->maps);
839 + INIT_LIST_HEAD(&priv->freeable_maps);
840 +- spin_lock_init(&priv->lock);
841 ++ mutex_init(&priv->lock);
842 +
843 + if (use_ptemod) {
844 + priv->mm = get_task_mm(current);
845 +@@ -579,10 +579,10 @@ static long gntdev_ioctl_map_grant_ref(struct gntdev_priv *priv,
846 + return -EFAULT;
847 + }
848 +
849 +- spin_lock(&priv->lock);
850 ++ mutex_lock(&priv->lock);
851 + gntdev_add_map(priv, map);
852 + op.index = map->index << PAGE_SHIFT;
853 +- spin_unlock(&priv->lock);
854 ++ mutex_unlock(&priv->lock);
855 +
856 + if (copy_to_user(u, &op, sizeof(op)) != 0)
857 + return -EFAULT;
858 +@@ -601,7 +601,7 @@ static long gntdev_ioctl_unmap_grant_ref(struct gntdev_priv *priv,
859 + return -EFAULT;
860 + pr_debug("priv %p, del %d+%d\n", priv, (int)op.index, (int)op.count);
861 +
862 +- spin_lock(&priv->lock);
863 ++ mutex_lock(&priv->lock);
864 + map = gntdev_find_map_index(priv, op.index >> PAGE_SHIFT, op.count);
865 + if (map) {
866 + list_del(&map->next);
867 +@@ -609,7 +609,7 @@ static long gntdev_ioctl_unmap_grant_ref(struct gntdev_priv *priv,
868 + list_add_tail(&map->next, &priv->freeable_maps);
869 + err = 0;
870 + }
871 +- spin_unlock(&priv->lock);
872 ++ mutex_unlock(&priv->lock);
873 + if (map)
874 + gntdev_put_map(priv, map);
875 + return err;
876 +@@ -677,7 +677,7 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
877 + out_flags = op.action;
878 + out_event = op.event_channel_port;
879 +
880 +- spin_lock(&priv->lock);
881 ++ mutex_lock(&priv->lock);
882 +
883 + list_for_each_entry(map, &priv->maps, next) {
884 + uint64_t begin = map->index << PAGE_SHIFT;
885 +@@ -705,7 +705,7 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
886 + rc = 0;
887 +
888 + unlock_out:
889 +- spin_unlock(&priv->lock);
890 ++ mutex_unlock(&priv->lock);
891 +
892 + /* Drop the reference to the event channel we did not save in the map */
893 + if (out_flags & UNMAP_NOTIFY_SEND_EVENT)
894 +@@ -755,7 +755,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
895 + pr_debug("map %d+%d at %lx (pgoff %lx)\n",
896 + index, count, vma->vm_start, vma->vm_pgoff);
897 +
898 +- spin_lock(&priv->lock);
899 ++ mutex_lock(&priv->lock);
900 + map = gntdev_find_map_index(priv, index, count);
901 + if (!map)
902 + goto unlock_out;
903 +@@ -790,7 +790,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
904 + map->flags |= GNTMAP_readonly;
905 + }
906 +
907 +- spin_unlock(&priv->lock);
908 ++ mutex_unlock(&priv->lock);
909 +
910 + if (use_ptemod) {
911 + err = apply_to_page_range(vma->vm_mm, vma->vm_start,
912 +@@ -818,11 +818,11 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
913 + return 0;
914 +
915 + unlock_out:
916 +- spin_unlock(&priv->lock);
917 ++ mutex_unlock(&priv->lock);
918 + return err;
919 +
920 + out_unlock_put:
921 +- spin_unlock(&priv->lock);
922 ++ mutex_unlock(&priv->lock);
923 + out_put_map:
924 + if (use_ptemod)
925 + map->vma = NULL;
926 +diff --git a/fs/coredump.c b/fs/coredump.c
927 +index 1d402ce5b72f..4f03b2b50375 100644
928 +--- a/fs/coredump.c
929 ++++ b/fs/coredump.c
930 +@@ -491,10 +491,10 @@ void do_coredump(siginfo_t *siginfo)
931 + const struct cred *old_cred;
932 + struct cred *cred;
933 + int retval = 0;
934 +- int flag = 0;
935 + int ispipe;
936 + struct files_struct *displaced;
937 +- bool need_nonrelative = false;
938 ++ /* require nonrelative corefile path and be extra careful */
939 ++ bool need_suid_safe = false;
940 + bool core_dumped = false;
941 + static atomic_t core_dump_count = ATOMIC_INIT(0);
942 + struct coredump_params cprm = {
943 +@@ -528,9 +528,8 @@ void do_coredump(siginfo_t *siginfo)
944 + */
945 + if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) {
946 + /* Setuid core dump mode */
947 +- flag = O_EXCL; /* Stop rewrite attacks */
948 + cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */
949 +- need_nonrelative = true;
950 ++ need_suid_safe = true;
951 + }
952 +
953 + retval = coredump_wait(siginfo->si_signo, &core_state);
954 +@@ -611,7 +610,7 @@ void do_coredump(siginfo_t *siginfo)
955 + if (cprm.limit < binfmt->min_coredump)
956 + goto fail_unlock;
957 +
958 +- if (need_nonrelative && cn.corename[0] != '/') {
959 ++ if (need_suid_safe && cn.corename[0] != '/') {
960 + printk(KERN_WARNING "Pid %d(%s) can only dump core "\
961 + "to fully qualified path!\n",
962 + task_tgid_vnr(current), current->comm);
963 +@@ -619,8 +618,35 @@ void do_coredump(siginfo_t *siginfo)
964 + goto fail_unlock;
965 + }
966 +
967 ++ /*
968 ++ * Unlink the file if it exists unless this is a SUID
969 ++ * binary - in that case, we're running around with root
970 ++ * privs and don't want to unlink another user's coredump.
971 ++ */
972 ++ if (!need_suid_safe) {
973 ++ mm_segment_t old_fs;
974 ++
975 ++ old_fs = get_fs();
976 ++ set_fs(KERNEL_DS);
977 ++ /*
978 ++ * If it doesn't exist, that's fine. If there's some
979 ++ * other problem, we'll catch it at the filp_open().
980 ++ */
981 ++ (void) sys_unlink((const char __user *)cn.corename);
982 ++ set_fs(old_fs);
983 ++ }
984 ++
985 ++ /*
986 ++ * There is a race between unlinking and creating the
987 ++ * file, but if that causes an EEXIST here, that's
988 ++ * fine - another process raced with us while creating
989 ++ * the corefile, and the other process won. To userspace,
990 ++ * what matters is that at least one of the two processes
991 ++ * writes its coredump successfully, not which one.
992 ++ */
993 + cprm.file = filp_open(cn.corename,
994 +- O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
995 ++ O_CREAT | 2 | O_NOFOLLOW |
996 ++ O_LARGEFILE | O_EXCL,
997 + 0600);
998 + if (IS_ERR(cprm.file))
999 + goto fail_unlock;
1000 +diff --git a/fs/dcache.c b/fs/dcache.c
1001 +index 90be2809e15a..f1e801785976 100644
1002 +--- a/fs/dcache.c
1003 ++++ b/fs/dcache.c
1004 +@@ -2569,15 +2569,6 @@ static int prepend_path(const struct path *path,
1005 + return error;
1006 +
1007 + global_root:
1008 +- /*
1009 +- * Filesystems needing to implement special "root names"
1010 +- * should do so with ->d_dname()
1011 +- */
1012 +- if (IS_ROOT(dentry) &&
1013 +- (dentry->d_name.len != 1 || dentry->d_name.name[0] != '/')) {
1014 +- WARN(1, "Root dentry has weird name <%.*s>\n",
1015 +- (int) dentry->d_name.len, dentry->d_name.name);
1016 +- }
1017 + if (!slash)
1018 + error = prepend(buffer, buflen, "/", 1);
1019 + if (!error)
1020 +diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
1021 +index d3fa6bd9503e..221719eac5de 100644
1022 +--- a/fs/hfs/bnode.c
1023 ++++ b/fs/hfs/bnode.c
1024 +@@ -288,7 +288,6 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
1025 + page_cache_release(page);
1026 + goto fail;
1027 + }
1028 +- page_cache_release(page);
1029 + node->page[i] = page;
1030 + }
1031 +
1032 +@@ -398,11 +397,11 @@ node_error:
1033 +
1034 + void hfs_bnode_free(struct hfs_bnode *node)
1035 + {
1036 +- //int i;
1037 ++ int i;
1038 +
1039 +- //for (i = 0; i < node->tree->pages_per_bnode; i++)
1040 +- // if (node->page[i])
1041 +- // page_cache_release(node->page[i]);
1042 ++ for (i = 0; i < node->tree->pages_per_bnode; i++)
1043 ++ if (node->page[i])
1044 ++ page_cache_release(node->page[i]);
1045 + kfree(node);
1046 + }
1047 +
1048 +diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
1049 +index 9f4ee7f52026..6fc766df0461 100644
1050 +--- a/fs/hfs/brec.c
1051 ++++ b/fs/hfs/brec.c
1052 +@@ -131,13 +131,16 @@ skip:
1053 + hfs_bnode_write(node, entry, data_off + key_len, entry_len);
1054 + hfs_bnode_dump(node);
1055 +
1056 +- if (new_node) {
1057 +- /* update parent key if we inserted a key
1058 +- * at the start of the first node
1059 +- */
1060 +- if (!rec && new_node != node)
1061 +- hfs_brec_update_parent(fd);
1062 ++ /*
1063 ++ * update parent key if we inserted a key
1064 ++ * at the start of the node and it is not the new node
1065 ++ */
1066 ++ if (!rec && new_node != node) {
1067 ++ hfs_bnode_read_key(node, fd->search_key, data_off + size);
1068 ++ hfs_brec_update_parent(fd);
1069 ++ }
1070 +
1071 ++ if (new_node) {
1072 + hfs_bnode_put(fd->bnode);
1073 + if (!new_node->parent) {
1074 + hfs_btree_inc_height(tree);
1075 +@@ -166,9 +169,6 @@ skip:
1076 + goto again;
1077 + }
1078 +
1079 +- if (!rec)
1080 +- hfs_brec_update_parent(fd);
1081 +-
1082 + return 0;
1083 + }
1084 +
1085 +@@ -366,6 +366,8 @@ again:
1086 + if (IS_ERR(parent))
1087 + return PTR_ERR(parent);
1088 + __hfs_brec_find(parent, fd);
1089 ++ if (fd->record < 0)
1090 ++ return -ENOENT;
1091 + hfs_bnode_dump(parent);
1092 + rec = fd->record;
1093 +
1094 +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
1095 +index 11c860204520..bedfe5f7d332 100644
1096 +--- a/fs/hfsplus/bnode.c
1097 ++++ b/fs/hfsplus/bnode.c
1098 +@@ -456,7 +456,6 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
1099 + page_cache_release(page);
1100 + goto fail;
1101 + }
1102 +- page_cache_release(page);
1103 + node->page[i] = page;
1104 + }
1105 +
1106 +@@ -568,13 +567,11 @@ node_error:
1107 +
1108 + void hfs_bnode_free(struct hfs_bnode *node)
1109 + {
1110 +-#if 0
1111 + int i;
1112 +
1113 + for (i = 0; i < node->tree->pages_per_bnode; i++)
1114 + if (node->page[i])
1115 + page_cache_release(node->page[i]);
1116 +-#endif
1117 + kfree(node);
1118 + }
1119 +
1120 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
1121 +index 20ebcfa3c92e..78679b489484 100644
1122 +--- a/fs/nfs/nfs4proc.c
1123 ++++ b/fs/nfs/nfs4proc.c
1124 +@@ -2043,7 +2043,7 @@ static int _nfs4_do_open(struct inode *dir,
1125 + if (status != 0)
1126 + goto err_opendata_put;
1127 +
1128 +- if ((opendata->o_arg.open_flags & O_EXCL) &&
1129 ++ if ((opendata->o_arg.open_flags & (O_CREAT|O_EXCL)) == (O_CREAT|O_EXCL) &&
1130 + (opendata->o_arg.createmode != NFS4_CREATE_GUARDED)) {
1131 + nfs4_exclusive_attrset(opendata, sattr);
1132 +
1133 +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
1134 +index 29cfb7ade121..d852ca281c16 100644
1135 +--- a/fs/nfs/pagelist.c
1136 ++++ b/fs/nfs/pagelist.c
1137 +@@ -60,8 +60,8 @@ EXPORT_SYMBOL_GPL(nfs_pgheader_init);
1138 + void nfs_set_pgio_error(struct nfs_pgio_header *hdr, int error, loff_t pos)
1139 + {
1140 + spin_lock(&hdr->lock);
1141 +- if (pos < hdr->io_start + hdr->good_bytes) {
1142 +- set_bit(NFS_IOHDR_ERROR, &hdr->flags);
1143 ++ if (!test_and_set_bit(NFS_IOHDR_ERROR, &hdr->flags)
1144 ++ || pos < hdr->io_start + hdr->good_bytes) {
1145 + clear_bit(NFS_IOHDR_EOF, &hdr->flags);
1146 + hdr->good_bytes = pos - hdr->io_start;
1147 + hdr->error = error;
1148 +diff --git a/include/net/ip.h b/include/net/ip.h
1149 +index 0a62365149e2..ea9be6b407bc 100644
1150 +--- a/include/net/ip.h
1151 ++++ b/include/net/ip.h
1152 +@@ -141,6 +141,7 @@ static inline struct sk_buff *ip_finish_skb(struct sock *sk, struct flowi4 *fl4)
1153 + }
1154 +
1155 + /* datagram.c */
1156 ++int __ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len);
1157 + extern int ip4_datagram_connect(struct sock *sk,
1158 + struct sockaddr *uaddr, int addr_len);
1159 +
1160 +diff --git a/include/net/netns/sctp.h b/include/net/netns/sctp.h
1161 +index 3573a81815ad..8ba379f9e467 100644
1162 +--- a/include/net/netns/sctp.h
1163 ++++ b/include/net/netns/sctp.h
1164 +@@ -31,6 +31,7 @@ struct netns_sctp {
1165 + struct list_head addr_waitq;
1166 + struct timer_list addr_wq_timer;
1167 + struct list_head auto_asconf_splist;
1168 ++ /* Lock that protects both addr_waitq and auto_asconf_splist */
1169 + spinlock_t addr_wq_lock;
1170 +
1171 + /* Lock that protects the local_addr_list writers */
1172 +diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
1173 +index da6b9a01ff75..b30c1d95be2c 100644
1174 +--- a/include/net/sctp/structs.h
1175 ++++ b/include/net/sctp/structs.h
1176 +@@ -228,6 +228,10 @@ struct sctp_sock {
1177 + atomic_t pd_mode;
1178 + /* Receive to here while partial delivery is in effect. */
1179 + struct sk_buff_head pd_lobby;
1180 ++
1181 ++ /* These must be the last fields, as they will skipped on copies,
1182 ++ * like on accept and peeloff operations
1183 ++ */
1184 + struct list_head auto_asconf_list;
1185 + int do_auto_asconf;
1186 + };
1187 +diff --git a/kernel/fork.c b/kernel/fork.c
1188 +index 514dbc40f98f..2358bd4c8757 100644
1189 +--- a/kernel/fork.c
1190 ++++ b/kernel/fork.c
1191 +@@ -1760,13 +1760,21 @@ static int check_unshare_flags(unsigned long unshare_flags)
1192 + CLONE_NEWUSER|CLONE_NEWPID))
1193 + return -EINVAL;
1194 + /*
1195 +- * Not implemented, but pretend it works if there is nothing to
1196 +- * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND
1197 +- * needs to unshare vm.
1198 ++ * Not implemented, but pretend it works if there is nothing
1199 ++ * to unshare. Note that unsharing the address space or the
1200 ++ * signal handlers also need to unshare the signal queues (aka
1201 ++ * CLONE_THREAD).
1202 + */
1203 + if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
1204 +- /* FIXME: get_task_mm() increments ->mm_users */
1205 +- if (atomic_read(&current->mm->mm_users) > 1)
1206 ++ if (!thread_group_empty(current))
1207 ++ return -EINVAL;
1208 ++ }
1209 ++ if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
1210 ++ if (atomic_read(&current->sighand->count) > 1)
1211 ++ return -EINVAL;
1212 ++ }
1213 ++ if (unshare_flags & CLONE_VM) {
1214 ++ if (!current_is_single_threaded())
1215 + return -EINVAL;
1216 + }
1217 +
1218 +@@ -1840,16 +1848,16 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
1219 + if (unshare_flags & CLONE_NEWPID)
1220 + unshare_flags |= CLONE_THREAD;
1221 + /*
1222 +- * If unsharing a thread from a thread group, must also unshare vm.
1223 +- */
1224 +- if (unshare_flags & CLONE_THREAD)
1225 +- unshare_flags |= CLONE_VM;
1226 +- /*
1227 + * If unsharing vm, must also unshare signal handlers.
1228 + */
1229 + if (unshare_flags & CLONE_VM)
1230 + unshare_flags |= CLONE_SIGHAND;
1231 + /*
1232 ++ * If unsharing a signal handlers, must also unshare the signal queues.
1233 ++ */
1234 ++ if (unshare_flags & CLONE_SIGHAND)
1235 ++ unshare_flags |= CLONE_THREAD;
1236 ++ /*
1237 + * If unsharing namespace, must also unshare filesystem information.
1238 + */
1239 + if (unshare_flags & CLONE_NEWNS)
1240 +diff --git a/mm/vmscan.c b/mm/vmscan.c
1241 +index 233f0011f768..a1e3becef05e 100644
1242 +--- a/mm/vmscan.c
1243 ++++ b/mm/vmscan.c
1244 +@@ -925,7 +925,7 @@ cull_mlocked:
1245 + if (PageSwapCache(page))
1246 + try_to_free_swap(page);
1247 + unlock_page(page);
1248 +- putback_lru_page(page);
1249 ++ list_add(&page->lru, &ret_pages);
1250 + continue;
1251 +
1252 + activate_locked:
1253 +diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
1254 +index 19942e38fd2d..4e76d2a11284 100644
1255 +--- a/net/bridge/br_mdb.c
1256 ++++ b/net/bridge/br_mdb.c
1257 +@@ -345,7 +345,6 @@ static int br_mdb_add_group(struct net_bridge *br, struct net_bridge_port *port,
1258 + return -ENOMEM;
1259 + rcu_assign_pointer(*pp, p);
1260 +
1261 +- br_mdb_notify(br->dev, port, group, RTM_NEWMDB);
1262 + return 0;
1263 + }
1264 +
1265 +@@ -368,6 +367,7 @@ static int __br_mdb_add(struct net *net, struct net_bridge *br,
1266 + if (!p || p->br != br || p->state == BR_STATE_DISABLED)
1267 + return -EINVAL;
1268 +
1269 ++ memset(&ip, 0, sizeof(ip));
1270 + ip.proto = entry->addr.proto;
1271 + if (ip.proto == htons(ETH_P_IP))
1272 + ip.u.ip4 = entry->addr.u.ip4;
1273 +@@ -417,6 +417,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry)
1274 + if (timer_pending(&br->multicast_querier_timer))
1275 + return -EBUSY;
1276 +
1277 ++ memset(&ip, 0, sizeof(ip));
1278 + ip.proto = entry->addr.proto;
1279 + if (ip.proto == htons(ETH_P_IP))
1280 + ip.u.ip4 = entry->addr.u.ip4;
1281 +diff --git a/net/core/datagram.c b/net/core/datagram.c
1282 +index b71423db7785..052b71c5b1b4 100644
1283 +--- a/net/core/datagram.c
1284 ++++ b/net/core/datagram.c
1285 +@@ -128,6 +128,35 @@ out_noerr:
1286 + goto out;
1287 + }
1288 +
1289 ++static struct sk_buff *skb_set_peeked(struct sk_buff *skb)
1290 ++{
1291 ++ struct sk_buff *nskb;
1292 ++
1293 ++ if (skb->peeked)
1294 ++ return skb;
1295 ++
1296 ++ /* We have to unshare an skb before modifying it. */
1297 ++ if (!skb_shared(skb))
1298 ++ goto done;
1299 ++
1300 ++ nskb = skb_clone(skb, GFP_ATOMIC);
1301 ++ if (!nskb)
1302 ++ return ERR_PTR(-ENOMEM);
1303 ++
1304 ++ skb->prev->next = nskb;
1305 ++ skb->next->prev = nskb;
1306 ++ nskb->prev = skb->prev;
1307 ++ nskb->next = skb->next;
1308 ++
1309 ++ consume_skb(skb);
1310 ++ skb = nskb;
1311 ++
1312 ++done:
1313 ++ skb->peeked = 1;
1314 ++
1315 ++ return skb;
1316 ++}
1317 ++
1318 + /**
1319 + * __skb_recv_datagram - Receive a datagram skbuff
1320 + * @sk: socket
1321 +@@ -162,7 +191,9 @@ out_noerr:
1322 + struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
1323 + int *peeked, int *off, int *err)
1324 + {
1325 ++ struct sk_buff_head *queue = &sk->sk_receive_queue;
1326 + struct sk_buff *skb, *last;
1327 ++ unsigned long cpu_flags;
1328 + long timeo;
1329 + /*
1330 + * Caller is allowed not to check sk->sk_err before skb_recv_datagram()
1331 +@@ -181,8 +212,6 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
1332 + * Look at current nfs client by the way...
1333 + * However, this function was correct in any case. 8)
1334 + */
1335 +- unsigned long cpu_flags;
1336 +- struct sk_buff_head *queue = &sk->sk_receive_queue;
1337 + int _off = *off;
1338 +
1339 + last = (struct sk_buff *)queue;
1340 +@@ -196,7 +225,12 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
1341 + _off -= skb->len;
1342 + continue;
1343 + }
1344 +- skb->peeked = 1;
1345 ++
1346 ++ skb = skb_set_peeked(skb);
1347 ++ error = PTR_ERR(skb);
1348 ++ if (IS_ERR(skb))
1349 ++ goto unlock_err;
1350 ++
1351 + atomic_inc(&skb->users);
1352 + } else
1353 + __skb_unlink(skb, queue);
1354 +@@ -216,6 +250,8 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
1355 +
1356 + return NULL;
1357 +
1358 ++unlock_err:
1359 ++ spin_unlock_irqrestore(&queue->lock, cpu_flags);
1360 + no_packet:
1361 + *err = error;
1362 + return NULL;
1363 +@@ -665,7 +701,8 @@ __sum16 __skb_checksum_complete_head(struct sk_buff *skb, int len)
1364 + if (likely(!sum)) {
1365 + if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE))
1366 + netdev_rx_csum_fault(skb->dev);
1367 +- skb->ip_summed = CHECKSUM_UNNECESSARY;
1368 ++ if (!skb_shared(skb))
1369 ++ skb->ip_summed = CHECKSUM_UNNECESSARY;
1370 + }
1371 + return sum;
1372 + }
1373 +diff --git a/net/core/dev.c b/net/core/dev.c
1374 +index aeca8dd88b2a..1ccfc49683b3 100644
1375 +--- a/net/core/dev.c
1376 ++++ b/net/core/dev.c
1377 +@@ -3443,8 +3443,6 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
1378 +
1379 + pt_prev = NULL;
1380 +
1381 +- rcu_read_lock();
1382 +-
1383 + another_round:
1384 + skb->skb_iif = skb->dev->ifindex;
1385 +
1386 +@@ -3454,7 +3452,7 @@ another_round:
1387 + skb->protocol == cpu_to_be16(ETH_P_8021AD)) {
1388 + skb = vlan_untag(skb);
1389 + if (unlikely(!skb))
1390 +- goto unlock;
1391 ++ goto out;
1392 + }
1393 +
1394 + #ifdef CONFIG_NET_CLS_ACT
1395 +@@ -3479,7 +3477,7 @@ skip_taps:
1396 + #ifdef CONFIG_NET_CLS_ACT
1397 + skb = handle_ing(skb, &pt_prev, &ret, orig_dev);
1398 + if (!skb)
1399 +- goto unlock;
1400 ++ goto out;
1401 + ncls:
1402 + #endif
1403 +
1404 +@@ -3494,7 +3492,7 @@ ncls:
1405 + if (vlan_do_receive(&skb))
1406 + goto another_round;
1407 + else if (unlikely(!skb))
1408 +- goto unlock;
1409 ++ goto out;
1410 + }
1411 +
1412 + rx_handler = rcu_dereference(skb->dev->rx_handler);
1413 +@@ -3506,7 +3504,7 @@ ncls:
1414 + switch (rx_handler(&skb)) {
1415 + case RX_HANDLER_CONSUMED:
1416 + ret = NET_RX_SUCCESS;
1417 +- goto unlock;
1418 ++ goto out;
1419 + case RX_HANDLER_ANOTHER:
1420 + goto another_round;
1421 + case RX_HANDLER_EXACT:
1422 +@@ -3558,8 +3556,6 @@ drop:
1423 + ret = NET_RX_DROP;
1424 + }
1425 +
1426 +-unlock:
1427 +- rcu_read_unlock();
1428 + out:
1429 + return ret;
1430 + }
1431 +@@ -3606,29 +3602,30 @@ static int __netif_receive_skb(struct sk_buff *skb)
1432 + */
1433 + int netif_receive_skb(struct sk_buff *skb)
1434 + {
1435 ++ int ret;
1436 ++
1437 + net_timestamp_check(netdev_tstamp_prequeue, skb);
1438 +
1439 + if (skb_defer_rx_timestamp(skb))
1440 + return NET_RX_SUCCESS;
1441 +
1442 ++ rcu_read_lock();
1443 ++
1444 + #ifdef CONFIG_RPS
1445 + if (static_key_false(&rps_needed)) {
1446 + struct rps_dev_flow voidflow, *rflow = &voidflow;
1447 +- int cpu, ret;
1448 +-
1449 +- rcu_read_lock();
1450 +-
1451 +- cpu = get_rps_cpu(skb->dev, skb, &rflow);
1452 ++ int cpu = get_rps_cpu(skb->dev, skb, &rflow);
1453 +
1454 + if (cpu >= 0) {
1455 + ret = enqueue_to_backlog(skb, cpu, &rflow->last_qtail);
1456 + rcu_read_unlock();
1457 + return ret;
1458 + }
1459 +- rcu_read_unlock();
1460 + }
1461 + #endif
1462 +- return __netif_receive_skb(skb);
1463 ++ ret = __netif_receive_skb(skb);
1464 ++ rcu_read_unlock();
1465 ++ return ret;
1466 + }
1467 + EXPORT_SYMBOL(netif_receive_skb);
1468 +
1469 +@@ -4038,8 +4035,10 @@ static int process_backlog(struct napi_struct *napi, int quota)
1470 + unsigned int qlen;
1471 +
1472 + while ((skb = __skb_dequeue(&sd->process_queue))) {
1473 ++ rcu_read_lock();
1474 + local_irq_enable();
1475 + __netif_receive_skb(skb);
1476 ++ rcu_read_unlock();
1477 + local_irq_disable();
1478 + input_queue_head_incr(sd);
1479 + if (++work >= quota) {
1480 +diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
1481 +index 55e08e2de3a1..627e517077e4 100644
1482 +--- a/net/core/fib_rules.c
1483 ++++ b/net/core/fib_rules.c
1484 +@@ -596,15 +596,17 @@ static int dump_rules(struct sk_buff *skb, struct netlink_callback *cb,
1485 + {
1486 + int idx = 0;
1487 + struct fib_rule *rule;
1488 ++ int err = 0;
1489 +
1490 + rcu_read_lock();
1491 + list_for_each_entry_rcu(rule, &ops->rules_list, list) {
1492 + if (idx < cb->args[1])
1493 + goto skip;
1494 +
1495 +- if (fib_nl_fill_rule(skb, rule, NETLINK_CB(cb->skb).portid,
1496 +- cb->nlh->nlmsg_seq, RTM_NEWRULE,
1497 +- NLM_F_MULTI, ops) < 0)
1498 ++ err = fib_nl_fill_rule(skb, rule, NETLINK_CB(cb->skb).portid,
1499 ++ cb->nlh->nlmsg_seq, RTM_NEWRULE,
1500 ++ NLM_F_MULTI, ops);
1501 ++ if (err)
1502 + break;
1503 + skip:
1504 + idx++;
1505 +@@ -613,7 +615,7 @@ skip:
1506 + cb->args[1] = idx;
1507 + rules_ops_put(ops);
1508 +
1509 +- return skb->len;
1510 ++ return err;
1511 + }
1512 +
1513 + static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb)
1514 +@@ -629,7 +631,9 @@ static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb)
1515 + if (ops == NULL)
1516 + return -EAFNOSUPPORT;
1517 +
1518 +- return dump_rules(skb, cb, ops);
1519 ++ dump_rules(skb, cb, ops);
1520 ++
1521 ++ return skb->len;
1522 + }
1523 +
1524 + rcu_read_lock();
1525 +diff --git a/net/core/pktgen.c b/net/core/pktgen.c
1526 +index ebbea5371967..21a23d97e99c 100644
1527 +--- a/net/core/pktgen.c
1528 ++++ b/net/core/pktgen.c
1529 +@@ -3377,8 +3377,10 @@ static int pktgen_thread_worker(void *arg)
1530 + pktgen_rem_thread(t);
1531 +
1532 + /* Wait for kthread_stop */
1533 +- while (!kthread_should_stop()) {
1534 ++ for (;;) {
1535 + set_current_state(TASK_INTERRUPTIBLE);
1536 ++ if (kthread_should_stop())
1537 ++ break;
1538 + schedule();
1539 + }
1540 + __set_current_state(TASK_RUNNING);
1541 +diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
1542 +index 5f3dc1df04bf..291b0821d1ac 100644
1543 +--- a/net/ipv4/datagram.c
1544 ++++ b/net/ipv4/datagram.c
1545 +@@ -20,7 +20,7 @@
1546 + #include <net/route.h>
1547 + #include <net/tcp_states.h>
1548 +
1549 +-int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1550 ++int __ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1551 + {
1552 + struct inet_sock *inet = inet_sk(sk);
1553 + struct sockaddr_in *usin = (struct sockaddr_in *) uaddr;
1554 +@@ -39,8 +39,6 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1555 +
1556 + sk_dst_reset(sk);
1557 +
1558 +- lock_sock(sk);
1559 +-
1560 + oif = sk->sk_bound_dev_if;
1561 + saddr = inet->inet_saddr;
1562 + if (ipv4_is_multicast(usin->sin_addr.s_addr)) {
1563 +@@ -81,9 +79,19 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1564 + sk_dst_set(sk, &rt->dst);
1565 + err = 0;
1566 + out:
1567 +- release_sock(sk);
1568 + return err;
1569 + }
1570 ++EXPORT_SYMBOL(__ip4_datagram_connect);
1571 ++
1572 ++int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1573 ++{
1574 ++ int res;
1575 ++
1576 ++ lock_sock(sk);
1577 ++ res = __ip4_datagram_connect(sk, uaddr, addr_len);
1578 ++ release_sock(sk);
1579 ++ return res;
1580 ++}
1581 + EXPORT_SYMBOL(ip4_datagram_connect);
1582 +
1583 + /* Because UDP xmit path can manipulate sk_dst_cache without holding
1584 +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
1585 +index 4c1884fed548..4d98a6b80b04 100644
1586 +--- a/net/ipv4/ip_fragment.c
1587 ++++ b/net/ipv4/ip_fragment.c
1588 +@@ -356,7 +356,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
1589 + ihl = ip_hdrlen(skb);
1590 +
1591 + /* Determine the position of this fragment. */
1592 +- end = offset + skb->len - ihl;
1593 ++ end = offset + skb->len - skb_network_offset(skb) - ihl;
1594 + err = -EINVAL;
1595 +
1596 + /* Is this the final fragment? */
1597 +@@ -386,7 +386,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
1598 + goto err;
1599 +
1600 + err = -ENOMEM;
1601 +- if (pskb_pull(skb, ihl) == NULL)
1602 ++ if (!pskb_pull(skb, skb_network_offset(skb) + ihl))
1603 + goto err;
1604 +
1605 + err = pskb_trim_rcsum(skb, end - offset);
1606 +@@ -627,6 +627,9 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
1607 + iph->frag_off = qp->q.max_size ? htons(IP_DF) : 0;
1608 + iph->tot_len = htons(len);
1609 + iph->tos |= ecn;
1610 ++
1611 ++ ip_send_check(iph);
1612 ++
1613 + IP_INC_STATS_BH(net, IPSTATS_MIB_REASMOKS);
1614 + qp->q.fragments = NULL;
1615 + qp->q.fragments_tail = NULL;
1616 +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
1617 +index ce17d3da9b2b..b0d5d7eb9462 100644
1618 +--- a/net/ipv6/datagram.c
1619 ++++ b/net/ipv6/datagram.c
1620 +@@ -40,7 +40,7 @@ static bool ipv6_mapped_addr_any(const struct in6_addr *a)
1621 + return ipv6_addr_v4mapped(a) && (a->s6_addr32[3] == 0);
1622 + }
1623 +
1624 +-int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1625 ++static int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1626 + {
1627 + struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
1628 + struct inet_sock *inet = inet_sk(sk);
1629 +@@ -56,7 +56,7 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1630 + if (usin->sin6_family == AF_INET) {
1631 + if (__ipv6_only_sock(sk))
1632 + return -EAFNOSUPPORT;
1633 +- err = ip4_datagram_connect(sk, uaddr, addr_len);
1634 ++ err = __ip4_datagram_connect(sk, uaddr, addr_len);
1635 + goto ipv4_connected;
1636 + }
1637 +
1638 +@@ -99,9 +99,9 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1639 + sin.sin_addr.s_addr = daddr->s6_addr32[3];
1640 + sin.sin_port = usin->sin6_port;
1641 +
1642 +- err = ip4_datagram_connect(sk,
1643 +- (struct sockaddr *) &sin,
1644 +- sizeof(sin));
1645 ++ err = __ip4_datagram_connect(sk,
1646 ++ (struct sockaddr *) &sin,
1647 ++ sizeof(sin));
1648 +
1649 + ipv4_connected:
1650 + if (err)
1651 +@@ -204,6 +204,16 @@ out:
1652 + fl6_sock_release(flowlabel);
1653 + return err;
1654 + }
1655 ++
1656 ++int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
1657 ++{
1658 ++ int res;
1659 ++
1660 ++ lock_sock(sk);
1661 ++ res = __ip6_datagram_connect(sk, uaddr, addr_len);
1662 ++ release_sock(sk);
1663 ++ return res;
1664 ++}
1665 + EXPORT_SYMBOL_GPL(ip6_datagram_connect);
1666 +
1667 + void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err,
1668 +diff --git a/net/ipv6/exthdrs_offload.c b/net/ipv6/exthdrs_offload.c
1669 +index 447a7fbd1bb6..f5e2ba1c18bf 100644
1670 +--- a/net/ipv6/exthdrs_offload.c
1671 ++++ b/net/ipv6/exthdrs_offload.c
1672 +@@ -36,6 +36,6 @@ out:
1673 + return ret;
1674 +
1675 + out_rt:
1676 +- inet_del_offload(&rthdr_offload, IPPROTO_ROUTING);
1677 ++ inet6_del_offload(&rthdr_offload, IPPROTO_ROUTING);
1678 + goto out;
1679 + }
1680 +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
1681 +index 65156a73b3f3..bf6233cdb753 100644
1682 +--- a/net/ipv6/ip6_gre.c
1683 ++++ b/net/ipv6/ip6_gre.c
1684 +@@ -359,6 +359,7 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
1685 + struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
1686 +
1687 + ip6gre_tunnel_unlink(ign, netdev_priv(dev));
1688 ++ ip6_tnl_dst_reset(netdev_priv(dev));
1689 + dev_put(dev);
1690 + }
1691 +
1692 +diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
1693 +index 774b09cb2920..63264c9a15cb 100644
1694 +--- a/net/ipv6/ip6_input.c
1695 ++++ b/net/ipv6/ip6_input.c
1696 +@@ -325,10 +325,10 @@ int ip6_mc_input(struct sk_buff *skb)
1697 + if (offset < 0)
1698 + goto out;
1699 +
1700 +- if (!ipv6_is_mld(skb, nexthdr, offset))
1701 +- goto out;
1702 ++ if (ipv6_is_mld(skb, nexthdr, offset))
1703 ++ deliver = true;
1704 +
1705 +- deliver = true;
1706 ++ goto out;
1707 + }
1708 + /* unknown RA - process it normally */
1709 + }
1710 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
1711 +index 2c84072b1da7..57dd3e7d86cc 100644
1712 +--- a/net/ipv6/ip6mr.c
1713 ++++ b/net/ipv6/ip6mr.c
1714 +@@ -552,7 +552,7 @@ static void ipmr_mfc_seq_stop(struct seq_file *seq, void *v)
1715 +
1716 + if (it->cache == &mrt->mfc6_unres_queue)
1717 + spin_unlock_bh(&mfc_unres_lock);
1718 +- else if (it->cache == mrt->mfc6_cache_array)
1719 ++ else if (it->cache == &mrt->mfc6_cache_array[it->ct])
1720 + read_unlock(&mrt_lock);
1721 + }
1722 +
1723 +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
1724 +index 10eea2326022..e960fbe9e271 100644
1725 +--- a/net/mac80211/tx.c
1726 ++++ b/net/mac80211/tx.c
1727 +@@ -281,9 +281,6 @@ ieee80211_tx_h_check_assoc(struct ieee80211_tx_data *tx)
1728 + if (tx->sdata->vif.type == NL80211_IFTYPE_WDS)
1729 + return TX_CONTINUE;
1730 +
1731 +- if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
1732 +- return TX_CONTINUE;
1733 +-
1734 + if (tx->flags & IEEE80211_TX_PS_BUFFERED)
1735 + return TX_CONTINUE;
1736 +
1737 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
1738 +index f7ad5c630b65..56ff3b452277 100644
1739 +--- a/net/netlink/af_netlink.c
1740 ++++ b/net/netlink/af_netlink.c
1741 +@@ -214,25 +214,52 @@ err1:
1742 + return NULL;
1743 + }
1744 +
1745 ++
1746 ++static void
1747 ++__netlink_set_ring(struct sock *sk, struct nl_mmap_req *req, bool tx_ring, void **pg_vec,
1748 ++ unsigned int order)
1749 ++{
1750 ++ struct netlink_sock *nlk = nlk_sk(sk);
1751 ++ struct sk_buff_head *queue;
1752 ++ struct netlink_ring *ring;
1753 ++
1754 ++ queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue;
1755 ++ ring = tx_ring ? &nlk->tx_ring : &nlk->rx_ring;
1756 ++
1757 ++ spin_lock_bh(&queue->lock);
1758 ++
1759 ++ ring->frame_max = req->nm_frame_nr - 1;
1760 ++ ring->head = 0;
1761 ++ ring->frame_size = req->nm_frame_size;
1762 ++ ring->pg_vec_pages = req->nm_block_size / PAGE_SIZE;
1763 ++
1764 ++ swap(ring->pg_vec_len, req->nm_block_nr);
1765 ++ swap(ring->pg_vec_order, order);
1766 ++ swap(ring->pg_vec, pg_vec);
1767 ++
1768 ++ __skb_queue_purge(queue);
1769 ++ spin_unlock_bh(&queue->lock);
1770 ++
1771 ++ WARN_ON(atomic_read(&nlk->mapped));
1772 ++
1773 ++ if (pg_vec)
1774 ++ free_pg_vec(pg_vec, order, req->nm_block_nr);
1775 ++}
1776 ++
1777 + static int netlink_set_ring(struct sock *sk, struct nl_mmap_req *req,
1778 +- bool closing, bool tx_ring)
1779 ++ bool tx_ring)
1780 + {
1781 + struct netlink_sock *nlk = nlk_sk(sk);
1782 + struct netlink_ring *ring;
1783 +- struct sk_buff_head *queue;
1784 + void **pg_vec = NULL;
1785 + unsigned int order = 0;
1786 +- int err;
1787 +
1788 + ring = tx_ring ? &nlk->tx_ring : &nlk->rx_ring;
1789 +- queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue;
1790 +
1791 +- if (!closing) {
1792 +- if (atomic_read(&nlk->mapped))
1793 +- return -EBUSY;
1794 +- if (atomic_read(&ring->pending))
1795 +- return -EBUSY;
1796 +- }
1797 ++ if (atomic_read(&nlk->mapped))
1798 ++ return -EBUSY;
1799 ++ if (atomic_read(&ring->pending))
1800 ++ return -EBUSY;
1801 +
1802 + if (req->nm_block_nr) {
1803 + if (ring->pg_vec != NULL)
1804 +@@ -264,31 +291,19 @@ static int netlink_set_ring(struct sock *sk, struct nl_mmap_req *req,
1805 + return -EINVAL;
1806 + }
1807 +
1808 +- err = -EBUSY;
1809 + mutex_lock(&nlk->pg_vec_lock);
1810 +- if (closing || atomic_read(&nlk->mapped) == 0) {
1811 +- err = 0;
1812 +- spin_lock_bh(&queue->lock);
1813 +-
1814 +- ring->frame_max = req->nm_frame_nr - 1;
1815 +- ring->head = 0;
1816 +- ring->frame_size = req->nm_frame_size;
1817 +- ring->pg_vec_pages = req->nm_block_size / PAGE_SIZE;
1818 +-
1819 +- swap(ring->pg_vec_len, req->nm_block_nr);
1820 +- swap(ring->pg_vec_order, order);
1821 +- swap(ring->pg_vec, pg_vec);
1822 +-
1823 +- __skb_queue_purge(queue);
1824 +- spin_unlock_bh(&queue->lock);
1825 +-
1826 +- WARN_ON(atomic_read(&nlk->mapped));
1827 ++ if (atomic_read(&nlk->mapped) == 0) {
1828 ++ __netlink_set_ring(sk, req, tx_ring, pg_vec, order);
1829 ++ mutex_unlock(&nlk->pg_vec_lock);
1830 ++ return 0;
1831 + }
1832 ++
1833 + mutex_unlock(&nlk->pg_vec_lock);
1834 +
1835 + if (pg_vec)
1836 + free_pg_vec(pg_vec, order, req->nm_block_nr);
1837 +- return err;
1838 ++
1839 ++ return -EBUSY;
1840 + }
1841 +
1842 + static void netlink_mm_open(struct vm_area_struct *vma)
1843 +@@ -762,10 +777,10 @@ static void netlink_sock_destruct(struct sock *sk)
1844 +
1845 + memset(&req, 0, sizeof(req));
1846 + if (nlk->rx_ring.pg_vec)
1847 +- netlink_set_ring(sk, &req, true, false);
1848 ++ __netlink_set_ring(sk, &req, false, NULL, 0);
1849 + memset(&req, 0, sizeof(req));
1850 + if (nlk->tx_ring.pg_vec)
1851 +- netlink_set_ring(sk, &req, true, true);
1852 ++ __netlink_set_ring(sk, &req, true, NULL, 0);
1853 + }
1854 + #endif /* CONFIG_NETLINK_MMAP */
1855 +
1856 +@@ -2017,7 +2032,7 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
1857 + return -EINVAL;
1858 + if (copy_from_user(&req, optval, sizeof(req)))
1859 + return -EFAULT;
1860 +- err = netlink_set_ring(sk, &req, false,
1861 ++ err = netlink_set_ring(sk, &req,
1862 + optname == NETLINK_TX_RING);
1863 + break;
1864 + }
1865 +diff --git a/net/rds/info.c b/net/rds/info.c
1866 +index 9a6b4f66187c..140a44a5f7b7 100644
1867 +--- a/net/rds/info.c
1868 ++++ b/net/rds/info.c
1869 +@@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
1870 +
1871 + /* check for all kinds of wrapping and the like */
1872 + start = (unsigned long)optval;
1873 +- if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) {
1874 ++ if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) {
1875 + ret = -EINVAL;
1876 + goto out;
1877 + }
1878 +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
1879 +index 5a3c1c0a84a1..57c2c4c0c97b 100644
1880 +--- a/net/sctp/protocol.c
1881 ++++ b/net/sctp/protocol.c
1882 +@@ -1170,7 +1170,7 @@ static void sctp_v4_del_protocol(void)
1883 + unregister_inetaddr_notifier(&sctp_inetaddr_notifier);
1884 + }
1885 +
1886 +-static int __net_init sctp_net_init(struct net *net)
1887 ++static int __net_init sctp_defaults_init(struct net *net)
1888 + {
1889 + int status;
1890 +
1891 +@@ -1263,12 +1263,6 @@ static int __net_init sctp_net_init(struct net *net)
1892 +
1893 + sctp_dbg_objcnt_init(net);
1894 +
1895 +- /* Initialize the control inode/socket for handling OOTB packets. */
1896 +- if ((status = sctp_ctl_sock_init(net))) {
1897 +- pr_err("Failed to initialize the SCTP control sock\n");
1898 +- goto err_ctl_sock_init;
1899 +- }
1900 +-
1901 + /* Initialize the local address list. */
1902 + INIT_LIST_HEAD(&net->sctp.local_addr_list);
1903 + spin_lock_init(&net->sctp.local_addr_lock);
1904 +@@ -1284,9 +1278,6 @@ static int __net_init sctp_net_init(struct net *net)
1905 +
1906 + return 0;
1907 +
1908 +-err_ctl_sock_init:
1909 +- sctp_dbg_objcnt_exit(net);
1910 +- sctp_proc_exit(net);
1911 + err_init_proc:
1912 + cleanup_sctp_mibs(net);
1913 + err_init_mibs:
1914 +@@ -1295,15 +1286,12 @@ err_sysctl_register:
1915 + return status;
1916 + }
1917 +
1918 +-static void __net_exit sctp_net_exit(struct net *net)
1919 ++static void __net_exit sctp_defaults_exit(struct net *net)
1920 + {
1921 + /* Free the local address list */
1922 + sctp_free_addr_wq(net);
1923 + sctp_free_local_addr_list(net);
1924 +
1925 +- /* Free the control endpoint. */
1926 +- inet_ctl_sock_destroy(net->sctp.ctl_sock);
1927 +-
1928 + sctp_dbg_objcnt_exit(net);
1929 +
1930 + sctp_proc_exit(net);
1931 +@@ -1311,9 +1299,32 @@ static void __net_exit sctp_net_exit(struct net *net)
1932 + sctp_sysctl_net_unregister(net);
1933 + }
1934 +
1935 +-static struct pernet_operations sctp_net_ops = {
1936 +- .init = sctp_net_init,
1937 +- .exit = sctp_net_exit,
1938 ++static struct pernet_operations sctp_defaults_ops = {
1939 ++ .init = sctp_defaults_init,
1940 ++ .exit = sctp_defaults_exit,
1941 ++};
1942 ++
1943 ++static int __net_init sctp_ctrlsock_init(struct net *net)
1944 ++{
1945 ++ int status;
1946 ++
1947 ++ /* Initialize the control inode/socket for handling OOTB packets. */
1948 ++ status = sctp_ctl_sock_init(net);
1949 ++ if (status)
1950 ++ pr_err("Failed to initialize the SCTP control sock\n");
1951 ++
1952 ++ return status;
1953 ++}
1954 ++
1955 ++static void __net_init sctp_ctrlsock_exit(struct net *net)
1956 ++{
1957 ++ /* Free the control endpoint. */
1958 ++ inet_ctl_sock_destroy(net->sctp.ctl_sock);
1959 ++}
1960 ++
1961 ++static struct pernet_operations sctp_ctrlsock_ops = {
1962 ++ .init = sctp_ctrlsock_init,
1963 ++ .exit = sctp_ctrlsock_exit,
1964 + };
1965 +
1966 + /* Initialize the universe into something sensible. */
1967 +@@ -1448,8 +1459,11 @@ SCTP_STATIC __init int sctp_init(void)
1968 + sctp_v4_pf_init();
1969 + sctp_v6_pf_init();
1970 +
1971 +- status = sctp_v4_protosw_init();
1972 ++ status = register_pernet_subsys(&sctp_defaults_ops);
1973 ++ if (status)
1974 ++ goto err_register_defaults;
1975 +
1976 ++ status = sctp_v4_protosw_init();
1977 + if (status)
1978 + goto err_protosw_init;
1979 +
1980 +@@ -1457,9 +1471,9 @@ SCTP_STATIC __init int sctp_init(void)
1981 + if (status)
1982 + goto err_v6_protosw_init;
1983 +
1984 +- status = register_pernet_subsys(&sctp_net_ops);
1985 ++ status = register_pernet_subsys(&sctp_ctrlsock_ops);
1986 + if (status)
1987 +- goto err_register_pernet_subsys;
1988 ++ goto err_register_ctrlsock;
1989 +
1990 + status = sctp_v4_add_protocol();
1991 + if (status)
1992 +@@ -1476,12 +1490,14 @@ out:
1993 + err_v6_add_protocol:
1994 + sctp_v4_del_protocol();
1995 + err_add_protocol:
1996 +- unregister_pernet_subsys(&sctp_net_ops);
1997 +-err_register_pernet_subsys:
1998 ++ unregister_pernet_subsys(&sctp_ctrlsock_ops);
1999 ++err_register_ctrlsock:
2000 + sctp_v6_protosw_exit();
2001 + err_v6_protosw_init:
2002 + sctp_v4_protosw_exit();
2003 + err_protosw_init:
2004 ++ unregister_pernet_subsys(&sctp_defaults_ops);
2005 ++err_register_defaults:
2006 + sctp_v4_pf_exit();
2007 + sctp_v6_pf_exit();
2008 + sctp_sysctl_unregister();
2009 +@@ -1514,12 +1530,14 @@ SCTP_STATIC __exit void sctp_exit(void)
2010 + sctp_v6_del_protocol();
2011 + sctp_v4_del_protocol();
2012 +
2013 +- unregister_pernet_subsys(&sctp_net_ops);
2014 ++ unregister_pernet_subsys(&sctp_ctrlsock_ops);
2015 +
2016 + /* Free protosw registrations */
2017 + sctp_v6_protosw_exit();
2018 + sctp_v4_protosw_exit();
2019 +
2020 ++ unregister_pernet_subsys(&sctp_defaults_ops);
2021 ++
2022 + /* Unregister with socket layer. */
2023 + sctp_v6_pf_exit();
2024 + sctp_v4_pf_exit();
2025 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
2026 +index dfb9b133e662..ec5766dc3946 100644
2027 +--- a/net/sctp/socket.c
2028 ++++ b/net/sctp/socket.c
2029 +@@ -1548,8 +1548,10 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
2030 +
2031 + /* Supposedly, no process has access to the socket, but
2032 + * the net layers still may.
2033 ++ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
2034 ++ * held and that should be grabbed before socket lock.
2035 + */
2036 +- sctp_local_bh_disable();
2037 ++ spin_lock_bh(&net->sctp.addr_wq_lock);
2038 + sctp_bh_lock_sock(sk);
2039 +
2040 + /* Hold the sock, since sk_common_release() will put sock_put()
2041 +@@ -1559,7 +1561,7 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
2042 + sk_common_release(sk);
2043 +
2044 + sctp_bh_unlock_sock(sk);
2045 +- sctp_local_bh_enable();
2046 ++ spin_unlock_bh(&net->sctp.addr_wq_lock);
2047 +
2048 + sock_put(sk);
2049 +
2050 +@@ -3508,6 +3510,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
2051 + if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
2052 + return 0;
2053 +
2054 ++ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);
2055 + if (val == 0 && sp->do_auto_asconf) {
2056 + list_del(&sp->auto_asconf_list);
2057 + sp->do_auto_asconf = 0;
2058 +@@ -3516,6 +3519,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
2059 + &sock_net(sk)->sctp.auto_asconf_splist);
2060 + sp->do_auto_asconf = 1;
2061 + }
2062 ++ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);
2063 + return 0;
2064 + }
2065 +
2066 +@@ -4007,18 +4011,28 @@ SCTP_STATIC int sctp_init_sock(struct sock *sk)
2067 + local_bh_disable();
2068 + percpu_counter_inc(&sctp_sockets_allocated);
2069 + sock_prot_inuse_add(net, sk->sk_prot, 1);
2070 ++
2071 ++ /* Nothing can fail after this block, otherwise
2072 ++ * sctp_destroy_sock() will be called without addr_wq_lock held
2073 ++ */
2074 + if (net->sctp.default_auto_asconf) {
2075 ++ spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
2076 + list_add_tail(&sp->auto_asconf_list,
2077 + &net->sctp.auto_asconf_splist);
2078 + sp->do_auto_asconf = 1;
2079 +- } else
2080 ++ spin_unlock(&sock_net(sk)->sctp.addr_wq_lock);
2081 ++ } else {
2082 + sp->do_auto_asconf = 0;
2083 ++ }
2084 ++
2085 + local_bh_enable();
2086 +
2087 + return 0;
2088 + }
2089 +
2090 +-/* Cleanup any SCTP per socket resources. */
2091 ++/* Cleanup any SCTP per socket resources. Must be called with
2092 ++ * sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true
2093 ++ */
2094 + SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
2095 + {
2096 + struct sctp_sock *sp;
2097 +@@ -6957,6 +6971,19 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
2098 + newinet->mc_list = NULL;
2099 + }
2100 +
2101 ++static inline void sctp_copy_descendant(struct sock *sk_to,
2102 ++ const struct sock *sk_from)
2103 ++{
2104 ++ int ancestor_size = sizeof(struct inet_sock) +
2105 ++ sizeof(struct sctp_sock) -
2106 ++ offsetof(struct sctp_sock, auto_asconf_list);
2107 ++
2108 ++ if (sk_from->sk_family == PF_INET6)
2109 ++ ancestor_size += sizeof(struct ipv6_pinfo);
2110 ++
2111 ++ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
2112 ++}
2113 ++
2114 + /* Populate the fields of the newsk from the oldsk and migrate the assoc
2115 + * and its messages to the newsk.
2116 + */
2117 +@@ -6971,7 +6998,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
2118 + struct sk_buff *skb, *tmp;
2119 + struct sctp_ulpevent *event;
2120 + struct sctp_bind_hashbucket *head;
2121 +- struct list_head tmplist;
2122 +
2123 + /* Migrate socket buffer sizes and all the socket level options to the
2124 + * new socket.
2125 +@@ -6979,12 +7005,7 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
2126 + newsk->sk_sndbuf = oldsk->sk_sndbuf;
2127 + newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
2128 + /* Brute force copy old sctp opt. */
2129 +- if (oldsp->do_auto_asconf) {
2130 +- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
2131 +- inet_sk_copy_descendant(newsk, oldsk);
2132 +- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
2133 +- } else
2134 +- inet_sk_copy_descendant(newsk, oldsk);
2135 ++ sctp_copy_descendant(newsk, oldsk);
2136 +
2137 + /* Restore the ep value that was overwritten with the above structure
2138 + * copy.
2139 +diff --git a/net/tipc/socket.c b/net/tipc/socket.c
2140 +index 2b1d7c2d677d..e0cb5edc6d1d 100644
2141 +--- a/net/tipc/socket.c
2142 ++++ b/net/tipc/socket.c
2143 +@@ -1528,6 +1528,7 @@ static int accept(struct socket *sock, struct socket *new_sock, int flags)
2144 + res = tipc_create(sock_net(sock->sk), new_sock, 0, 0);
2145 + if (res)
2146 + goto exit;
2147 ++ security_sk_clone(sock->sk, new_sock->sk);
2148 +
2149 + new_sk = new_sock->sk;
2150 + new_tsock = tipc_sk(new_sk);
2151 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
2152 +index d30252e7f3e8..183a96ab2533 100644
2153 +--- a/sound/pci/hda/patch_realtek.c
2154 ++++ b/sound/pci/hda/patch_realtek.c
2155 +@@ -1137,7 +1137,7 @@ static const struct hda_fixup alc880_fixups[] = {
2156 + /* override all pins as BIOS on old Amilo is broken */
2157 + .type = HDA_FIXUP_PINS,
2158 + .v.pins = (const struct hda_pintbl[]) {
2159 +- { 0x14, 0x0121411f }, /* HP */
2160 ++ { 0x14, 0x0121401f }, /* HP */
2161 + { 0x15, 0x99030120 }, /* speaker */
2162 + { 0x16, 0x99030130 }, /* bass speaker */
2163 + { 0x17, 0x411111f0 }, /* N/A */
2164 +@@ -1157,7 +1157,7 @@ static const struct hda_fixup alc880_fixups[] = {
2165 + /* almost compatible with FUJITSU, but no bass and SPDIF */
2166 + .type = HDA_FIXUP_PINS,
2167 + .v.pins = (const struct hda_pintbl[]) {
2168 +- { 0x14, 0x0121411f }, /* HP */
2169 ++ { 0x14, 0x0121401f }, /* HP */
2170 + { 0x15, 0x99030120 }, /* speaker */
2171 + { 0x16, 0x411111f0 }, /* N/A */
2172 + { 0x17, 0x411111f0 }, /* N/A */
2173 +@@ -1365,7 +1365,7 @@ static const struct snd_pci_quirk alc880_fixup_tbl[] = {
2174 + SND_PCI_QUIRK(0x161f, 0x203d, "W810", ALC880_FIXUP_W810),
2175 + SND_PCI_QUIRK(0x161f, 0x205d, "Medion Rim 2150", ALC880_FIXUP_MEDION_RIM),
2176 + SND_PCI_QUIRK(0x1631, 0xe011, "PB 13201056", ALC880_FIXUP_6ST_AUTOMUTE),
2177 +- SND_PCI_QUIRK(0x1734, 0x107c, "FSC F1734", ALC880_FIXUP_F1734),
2178 ++ SND_PCI_QUIRK(0x1734, 0x107c, "FSC Amilo M1437", ALC880_FIXUP_FUJITSU),
2179 + SND_PCI_QUIRK(0x1734, 0x1094, "FSC Amilo M1451G", ALC880_FIXUP_FUJITSU),
2180 + SND_PCI_QUIRK(0x1734, 0x10ac, "FSC AMILO Xi 1526", ALC880_FIXUP_F1734),
2181 + SND_PCI_QUIRK(0x1734, 0x10b0, "FSC Amilo Pi1556", ALC880_FIXUP_FUJITSU),
Report Message
Find on MARC Find on Google Groups