From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Sun, 17 Oct 2021 13:13:52
Message-Id: 1634476414.f20406284f321ba74df51fe0b25dd503e072eb82.mpagano@gentoo
1 commit: f20406284f321ba74df51fe0b25dd503e072eb82
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Oct 17 13:13:34 2021 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Oct 17 13:13:34 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=f2040628
7
8 Linux patch 4.14.251
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1250_linux-4.14.251.patch | 1057 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1061 insertions(+)
15
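--- a/0000_README
+++ b/0000_README
@@ -1047,6 +1047,10 @@ Patch: 1249_linux-4.14.250.patch
 From: https://www.kernel.org
 Desc: Linux 4.14.250
 
+Patch: 1250_linux-4.14.251.patch
+From: https://www.kernel.org
+Desc: Linux 4.14.251
+
 Patch: 1500_XATTR_USER_PREFIX.patch
 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc: Support for namespace user.pax.* on tmpfs.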
32 diff --git a/1250_linux-4.14.251.patch b/1250_linux-4.14.251.patch
33 new file mode 100644
34 index 0000000..244cb17
35 --- /dev/null
36 +++ b/1250_linux-4.14.251.patch
37 @@ -0,0 +1,1057 @@
38 +diff --git a/Makefile b/Makefile
39 +index 7fed41bc6a4f6..184089eb1bdb5 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 4
45 + PATCHLEVEL = 14
46 +-SUBLEVEL = 250
47 ++SUBLEVEL = 251
48 + EXTRAVERSION =
49 + NAME = Petit Gorille
50 +
51 +diff --git a/arch/arm/boot/dts/omap3430-sdp.dts b/arch/arm/boot/dts/omap3430-sdp.dts
52 +index 908951eb5943e..e4ee935f7b382 100644
53 +--- a/arch/arm/boot/dts/omap3430-sdp.dts
54 ++++ b/arch/arm/boot/dts/omap3430-sdp.dts
55 +@@ -104,7 +104,7 @@
56 +
57 + nand@1,0 {
58 + compatible = "ti,omap2-nand";
59 +- reg = <0 0 4>; /* CS0, offset 0, IO size 4 */
60 ++ reg = <1 0 4>; /* CS1, offset 0, IO size 4 */
61 + interrupt-parent = <&gpmc>;
62 + interrupts = <0 IRQ_TYPE_NONE>, /* fifoevent */
63 + <1 IRQ_TYPE_NONE>; /* termcount */
64 +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
65 +index eef243998392d..459358b54ab42 100644
66 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
67 ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
68 +@@ -1114,7 +1114,7 @@
69 + };
70 +
71 + gpu: adreno-3xx@4300000 {
72 +- compatible = "qcom,adreno-3xx";
73 ++ compatible = "qcom,adreno-320.2", "qcom,adreno";
74 + reg = <0x04300000 0x20000>;
75 + reg-names = "kgsl_3d0_reg_memory";
76 + interrupts = <GIC_SPI 80 0>;
77 +@@ -1129,7 +1129,6 @@
78 + <&mmcc GFX3D_AHB_CLK>,
79 + <&mmcc GFX3D_AXI_CLK>,
80 + <&mmcc MMSS_IMEM_AHB_CLK>;
81 +- qcom,chipid = <0x03020002>;
82 +
83 + iommus = <&gfx3d 0
84 + &gfx3d 1
85 +diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
86 +index c7dcb0b207301..5182b04ac878b 100644
87 +--- a/arch/arm/mach-imx/pm-imx6.c
88 ++++ b/arch/arm/mach-imx/pm-imx6.c
89 +@@ -15,6 +15,7 @@
90 + #include <linux/io.h>
91 + #include <linux/irq.h>
92 + #include <linux/genalloc.h>
93 ++#include <linux/irqchip/arm-gic.h>
94 + #include <linux/mfd/syscon.h>
95 + #include <linux/mfd/syscon/imx6q-iomuxc-gpr.h>
96 + #include <linux/of.h>
97 +@@ -608,6 +609,7 @@ static void __init imx6_pm_common_init(const struct imx6_pm_socdata
98 +
99 + static void imx6_pm_stby_poweroff(void)
100 + {
101 ++ gic_cpu_if_down(0);
102 + imx6_set_lpm(STOP_POWER_OFF);
103 + imx6q_suspend_finish(0);
104 +
105 +diff --git a/arch/m68k/kernel/signal.c b/arch/m68k/kernel/signal.c
106 +index e79421f5b9cd9..20a3ff41d0d5a 100644
107 +--- a/arch/m68k/kernel/signal.c
108 ++++ b/arch/m68k/kernel/signal.c
109 +@@ -448,7 +448,7 @@ static inline void save_fpu_state(struct sigcontext *sc, struct pt_regs *regs)
110 +
111 + if (CPU_IS_060 ? sc->sc_fpstate[2] : sc->sc_fpstate[0]) {
112 + fpu_version = sc->sc_fpstate[0];
113 +- if (CPU_IS_020_OR_030 &&
114 ++ if (CPU_IS_020_OR_030 && !regs->stkadj &&
115 + regs->vector >= (VEC_FPBRUC * 4) &&
116 + regs->vector <= (VEC_FPNAN * 4)) {
117 + /* Clear pending exception in 68882 idle frame */
118 +@@ -511,7 +511,7 @@ static inline int rt_save_fpu_state(struct ucontext __user *uc, struct pt_regs *
119 + if (!(CPU_IS_060 || CPU_IS_COLDFIRE))
120 + context_size = fpstate[1];
121 + fpu_version = fpstate[0];
122 +- if (CPU_IS_020_OR_030 &&
123 ++ if (CPU_IS_020_OR_030 && !regs->stkadj &&
124 + regs->vector >= (VEC_FPBRUC * 4) &&
125 + regs->vector <= (VEC_FPNAN * 4)) {
126 + /* Clear pending exception in 68882 idle frame */
127 +@@ -765,18 +765,24 @@ badframe:
128 + return 0;
129 + }
130 +
131 ++static inline struct pt_regs *rte_regs(struct pt_regs *regs)
132 ++{
133 ++ return (void *)regs + regs->stkadj;
134 ++}
135 ++
136 + static void setup_sigcontext(struct sigcontext *sc, struct pt_regs *regs,
137 + unsigned long mask)
138 + {
139 ++ struct pt_regs *tregs = rte_regs(regs);
140 + sc->sc_mask = mask;
141 + sc->sc_usp = rdusp();
142 + sc->sc_d0 = regs->d0;
143 + sc->sc_d1 = regs->d1;
144 + sc->sc_a0 = regs->a0;
145 + sc->sc_a1 = regs->a1;
146 +- sc->sc_sr = regs->sr;
147 +- sc->sc_pc = regs->pc;
148 +- sc->sc_formatvec = regs->format << 12 | regs->vector;
149 ++ sc->sc_sr = tregs->sr;
150 ++ sc->sc_pc = tregs->pc;
151 ++ sc->sc_formatvec = tregs->format << 12 | tregs->vector;
152 + save_a5_state(sc, regs);
153 + save_fpu_state(sc, regs);
154 + }
155 +@@ -784,6 +790,7 @@ static void setup_sigcontext(struct sigcontext *sc, struct pt_regs *regs,
156 + static inline int rt_setup_ucontext(struct ucontext __user *uc, struct pt_regs *regs)
157 + {
158 + struct switch_stack *sw = (struct switch_stack *)regs - 1;
159 ++ struct pt_regs *tregs = rte_regs(regs);
160 + greg_t __user *gregs = uc->uc_mcontext.gregs;
161 + int err = 0;
162 +
163 +@@ -804,9 +811,9 @@ static inline int rt_setup_ucontext(struct ucontext __user *uc, struct pt_regs *
164 + err |= __put_user(sw->a5, &gregs[13]);
165 + err |= __put_user(sw->a6, &gregs[14]);
166 + err |= __put_user(rdusp(), &gregs[15]);
167 +- err |= __put_user(regs->pc, &gregs[16]);
168 +- err |= __put_user(regs->sr, &gregs[17]);
169 +- err |= __put_user((regs->format << 12) | regs->vector, &uc->uc_formatvec);
170 ++ err |= __put_user(tregs->pc, &gregs[16]);
171 ++ err |= __put_user(tregs->sr, &gregs[17]);
172 ++ err |= __put_user((tregs->format << 12) | tregs->vector, &uc->uc_formatvec);
173 + err |= rt_save_fpu_state(uc, regs);
174 + return err;
175 + }
176 +@@ -823,13 +830,14 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
177 + struct pt_regs *regs)
178 + {
179 + struct sigframe __user *frame;
180 +- int fsize = frame_extra_sizes(regs->format);
181 ++ struct pt_regs *tregs = rte_regs(regs);
182 ++ int fsize = frame_extra_sizes(tregs->format);
183 + struct sigcontext context;
184 + int err = 0, sig = ksig->sig;
185 +
186 + if (fsize < 0) {
187 + pr_debug("setup_frame: Unknown frame format %#x\n",
188 +- regs->format);
189 ++ tregs->format);
190 + return -EFAULT;
191 + }
192 +
193 +@@ -840,7 +848,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
194 +
195 + err |= __put_user(sig, &frame->sig);
196 +
197 +- err |= __put_user(regs->vector, &frame->code);
198 ++ err |= __put_user(tregs->vector, &frame->code);
199 + err |= __put_user(&frame->sc, &frame->psc);
200 +
201 + if (_NSIG_WORDS > 1)
202 +@@ -865,34 +873,28 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
203 +
204 + push_cache ((unsigned long) &frame->retcode);
205 +
206 +- /*
207 +- * Set up registers for signal handler. All the state we are about
208 +- * to destroy is successfully copied to sigframe.
209 +- */
210 +- wrusp ((unsigned long) frame);
211 +- regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
212 +- adjustformat(regs);
213 +-
214 + /*
215 + * This is subtle; if we build more than one sigframe, all but the
216 + * first one will see frame format 0 and have fsize == 0, so we won't
217 + * screw stkadj.
218 + */
219 +- if (fsize)
220 ++ if (fsize) {
221 + regs->stkadj = fsize;
222 +-
223 +- /* Prepare to skip over the extra stuff in the exception frame. */
224 +- if (regs->stkadj) {
225 +- struct pt_regs *tregs =
226 +- (struct pt_regs *)((ulong)regs + regs->stkadj);
227 ++ tregs = rte_regs(regs);
228 + pr_debug("Performing stackadjust=%04lx\n", regs->stkadj);
229 +- /* This must be copied with decreasing addresses to
230 +- handle overlaps. */
231 + tregs->vector = 0;
232 + tregs->format = 0;
233 +- tregs->pc = regs->pc;
234 + tregs->sr = regs->sr;
235 + }
236 ++
237 ++ /*
238 ++ * Set up registers for signal handler. All the state we are about
239 ++ * to destroy is successfully copied to sigframe.
240 ++ */
241 ++ wrusp ((unsigned long) frame);
242 ++ tregs->pc = (unsigned long) ksig->ka.sa.sa_handler;
243 ++ adjustformat(regs);
244 ++
245 + return 0;
246 + }
247 +
248 +@@ -900,7 +902,8 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
249 + struct pt_regs *regs)
250 + {
251 + struct rt_sigframe __user *frame;
252 +- int fsize = frame_extra_sizes(regs->format);
253 ++ struct pt_regs *tregs = rte_regs(regs);
254 ++ int fsize = frame_extra_sizes(tregs->format);
255 + int err = 0, sig = ksig->sig;
256 +
257 + if (fsize < 0) {
258 +@@ -949,34 +952,27 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
259 +
260 + push_cache ((unsigned long) &frame->retcode);
261 +
262 +- /*
263 +- * Set up registers for signal handler. All the state we are about
264 +- * to destroy is successfully copied to sigframe.
265 +- */
266 +- wrusp ((unsigned long) frame);
267 +- regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
268 +- adjustformat(regs);
269 +-
270 + /*
271 + * This is subtle; if we build more than one sigframe, all but the
272 + * first one will see frame format 0 and have fsize == 0, so we won't
273 + * screw stkadj.
274 + */
275 +- if (fsize)
276 ++ if (fsize) {
277 + regs->stkadj = fsize;
278 +-
279 +- /* Prepare to skip over the extra stuff in the exception frame. */
280 +- if (regs->stkadj) {
281 +- struct pt_regs *tregs =
282 +- (struct pt_regs *)((ulong)regs + regs->stkadj);
283 ++ tregs = rte_regs(regs);
284 + pr_debug("Performing stackadjust=%04lx\n", regs->stkadj);
285 +- /* This must be copied with decreasing addresses to
286 +- handle overlaps. */
287 + tregs->vector = 0;
288 + tregs->format = 0;
289 +- tregs->pc = regs->pc;
290 + tregs->sr = regs->sr;
291 + }
292 ++
293 ++ /*
294 ++ * Set up registers for signal handler. All the state we are about
295 ++ * to destroy is successfully copied to sigframe.
296 ++ */
297 ++ wrusp ((unsigned long) frame);
298 ++ tregs->pc = (unsigned long) ksig->ka.sa.sa_handler;
299 ++ adjustformat(regs);
300 + return 0;
301 + }
302 +
303 +diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
304 +index 4d8cb9bb8365d..43e6597c720c2 100644
305 +--- a/arch/mips/net/bpf_jit.c
306 ++++ b/arch/mips/net/bpf_jit.c
307 +@@ -662,6 +662,11 @@ static void build_epilogue(struct jit_ctx *ctx)
308 + ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative : func) : \
309 + func##_positive)
310 +
311 ++static bool is_bad_offset(int b_off)
312 ++{
313 ++ return b_off > 0x1ffff || b_off < -0x20000;
314 ++}
315 ++
316 + static int build_body(struct jit_ctx *ctx)
317 + {
318 + const struct bpf_prog *prog = ctx->skf;
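Review bot: The bounds `0x1ffff` and `-0x20000` in the new `is_bad_offset()` are unexplained magic numbers, and the helper has no comment saying why an out-of-range value must abort JIT compilation. A MIPS branch encodes a signed 16-bit word offset, so I would add above the helper `/* MIPS branch immediates are a signed 16-bit word count, i.e. an 18-bit signed byte range; anything larger would be silently truncated by the encoder */`. The later hunks apply the check to the `emit_b`/`emit_bcond` call sites they touch; the conditional jumps under `jmp_cmp` are outside the visible hunks, so it is worth confirming they are covered too. `build_body()` continues outside this hunk.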
319 +@@ -728,7 +733,10 @@ load_common:
320 + /* Load return register on DS for failures */
321 + emit_reg_move(r_ret, r_zero, ctx);
322 + /* Return with error */
323 +- emit_b(b_imm(prog->len, ctx), ctx);
324 ++ b_off = b_imm(prog->len, ctx);
325 ++ if (is_bad_offset(b_off))
326 ++ return -E2BIG;
327 ++ emit_b(b_off, ctx);
328 + emit_nop(ctx);
329 + break;
330 + case BPF_LD | BPF_W | BPF_IND:
331 +@@ -775,8 +783,10 @@ load_ind:
332 + emit_jalr(MIPS_R_RA, r_s0, ctx);
333 + emit_reg_move(MIPS_R_A0, r_skb, ctx); /* delay slot */
334 + /* Check the error value */
335 +- emit_bcond(MIPS_COND_NE, r_ret, 0,
336 +- b_imm(prog->len, ctx), ctx);
337 ++ b_off = b_imm(prog->len, ctx);
338 ++ if (is_bad_offset(b_off))
339 ++ return -E2BIG;
340 ++ emit_bcond(MIPS_COND_NE, r_ret, 0, b_off, ctx);
341 + emit_reg_move(r_ret, r_zero, ctx);
342 + /* We are good */
343 + /* X <- P[1:K] & 0xf */
344 +@@ -855,8 +865,10 @@ load_ind:
345 + /* A /= X */
346 + ctx->flags |= SEEN_X | SEEN_A;
347 + /* Check if r_X is zero */
348 +- emit_bcond(MIPS_COND_EQ, r_X, r_zero,
349 +- b_imm(prog->len, ctx), ctx);
350 ++ b_off = b_imm(prog->len, ctx);
351 ++ if (is_bad_offset(b_off))
352 ++ return -E2BIG;
353 ++ emit_bcond(MIPS_COND_EQ, r_X, r_zero, b_off, ctx);
354 + emit_load_imm(r_ret, 0, ctx); /* delay slot */
355 + emit_div(r_A, r_X, ctx);
356 + break;
357 +@@ -864,8 +876,10 @@ load_ind:
358 + /* A %= X */
359 + ctx->flags |= SEEN_X | SEEN_A;
360 + /* Check if r_X is zero */
361 +- emit_bcond(MIPS_COND_EQ, r_X, r_zero,
362 +- b_imm(prog->len, ctx), ctx);
363 ++ b_off = b_imm(prog->len, ctx);
364 ++ if (is_bad_offset(b_off))
365 ++ return -E2BIG;
366 ++ emit_bcond(MIPS_COND_EQ, r_X, r_zero, b_off, ctx);
367 + emit_load_imm(r_ret, 0, ctx); /* delay slot */
368 + emit_mod(r_A, r_X, ctx);
369 + break;
370 +@@ -926,7 +940,10 @@ load_ind:
371 + break;
372 + case BPF_JMP | BPF_JA:
373 + /* pc += K */
374 +- emit_b(b_imm(i + k + 1, ctx), ctx);
375 ++ b_off = b_imm(i + k + 1, ctx);
376 ++ if (is_bad_offset(b_off))
377 ++ return -E2BIG;
378 ++ emit_b(b_off, ctx);
379 + emit_nop(ctx);
380 + break;
381 + case BPF_JMP | BPF_JEQ | BPF_K:
382 +@@ -1056,12 +1073,16 @@ jmp_cmp:
383 + break;
384 + case BPF_RET | BPF_A:
385 + ctx->flags |= SEEN_A;
386 +- if (i != prog->len - 1)
387 ++ if (i != prog->len - 1) {
388 + /*
389 + * If this is not the last instruction
390 + * then jump to the epilogue
391 + */
392 +- emit_b(b_imm(prog->len, ctx), ctx);
393 ++ b_off = b_imm(prog->len, ctx);
394 ++ if (is_bad_offset(b_off))
395 ++ return -E2BIG;
396 ++ emit_b(b_off, ctx);
397 ++ }
398 + emit_reg_move(r_ret, r_A, ctx); /* delay slot */
399 + break;
400 + case BPF_RET | BPF_K:
401 +@@ -1075,7 +1096,10 @@ jmp_cmp:
402 + * If this is not the last instruction
403 + * then jump to the epilogue
404 + */
405 +- emit_b(b_imm(prog->len, ctx), ctx);
406 ++ b_off = b_imm(prog->len, ctx);
407 ++ if (is_bad_offset(b_off))
408 ++ return -E2BIG;
409 ++ emit_b(b_off, ctx);
410 + emit_nop(ctx);
411 + }
412 + break;
413 +@@ -1133,8 +1157,10 @@ jmp_cmp:
414 + /* Load *dev pointer */
415 + emit_load_ptr(r_s0, r_skb, off, ctx);
416 + /* error (0) in the delay slot */
417 +- emit_bcond(MIPS_COND_EQ, r_s0, r_zero,
418 +- b_imm(prog->len, ctx), ctx);
419 ++ b_off = b_imm(prog->len, ctx);
420 ++ if (is_bad_offset(b_off))
421 ++ return -E2BIG;
422 ++ emit_bcond(MIPS_COND_EQ, r_s0, r_zero, b_off, ctx);
423 + emit_reg_move(r_ret, r_zero, ctx);
424 + if (code == (BPF_ANC | SKF_AD_IFINDEX)) {
425 + BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, ifindex) != 4);
426 +@@ -1244,7 +1270,10 @@ void bpf_jit_compile(struct bpf_prog *fp)
427 +
428 + /* Generate the actual JIT code */
429 + build_prologue(&ctx);
430 +- build_body(&ctx);
431 ++ if (build_body(&ctx)) {
432 ++ module_memfree(ctx.target);
433 ++ goto out;
434 ++ }
435 + build_epilogue(&ctx);
436 +
437 + /* Update the icache */
438 +diff --git a/arch/powerpc/boot/dts/fsl/t1023rdb.dts b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
439 +index 5ba6fbfca2742..f82f85c65964c 100644
440 +--- a/arch/powerpc/boot/dts/fsl/t1023rdb.dts
441 ++++ b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
442 +@@ -154,7 +154,7 @@
443 +
444 + fm1mac3: ethernet@e4000 {
445 + phy-handle = <&sgmii_aqr_phy3>;
446 +- phy-connection-type = "sgmii-2500";
447 ++ phy-connection-type = "2500base-x";
448 + sleep = <&rcpm 0x20000000>;
449 + };
450 +
451 +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
452 +index c1f7b3cb84a9b..39c298afa2eaa 100644
453 +--- a/arch/x86/events/core.c
454 ++++ b/arch/x86/events/core.c
455 +@@ -2094,6 +2094,7 @@ static int x86_pmu_event_init(struct perf_event *event)
456 + if (err) {
457 + if (event->destroy)
458 + event->destroy(event);
459 ++ event->destroy = NULL;
460 + }
461 +
462 + if (ACCESS_ONCE(x86_pmu.attr_rdpmc))
463 +diff --git a/arch/xtensa/kernel/irq.c b/arch/xtensa/kernel/irq.c
464 +index 18e4ef34ac455..4182189b29de7 100644
465 +--- a/arch/xtensa/kernel/irq.c
466 ++++ b/arch/xtensa/kernel/irq.c
467 +@@ -145,7 +145,7 @@ unsigned xtensa_get_ext_irq_no(unsigned irq)
468 +
469 + void __init init_IRQ(void)
470 + {
471 +-#ifdef CONFIG_OF
472 ++#ifdef CONFIG_USE_OF
473 + irqchip_init();
474 + #else
475 + #ifdef CONFIG_HAVE_SMP
476 +diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
477 +index 4561a786fab07..cce4833a60832 100644
478 +--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
479 ++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
480 +@@ -185,6 +185,7 @@ static const struct file_operations nouveau_pstate_fops = {
481 + .open = nouveau_debugfs_pstate_open,
482 + .read = seq_read,
483 + .write = nouveau_debugfs_pstate_set,
484 ++ .release = single_release,
485 + };
486 +
487 + static struct drm_info_list nouveau_debugfs_list[] = {
488 +diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
489 +index b58ab769aa7b3..4e3dd3f55a963 100644
490 +--- a/drivers/hid/hid-apple.c
491 ++++ b/drivers/hid/hid-apple.c
492 +@@ -304,12 +304,19 @@ static int apple_event(struct hid_device *hdev, struct hid_field *field,
493 +
494 + /*
495 + * MacBook JIS keyboard has wrong logical maximum
496 ++ * Magic Keyboard JIS has wrong logical maximum
497 + */
498 + static __u8 *apple_report_fixup(struct hid_device *hdev, __u8 *rdesc,
499 + unsigned int *rsize)
500 + {
501 + struct apple_sc *asc = hid_get_drvdata(hdev);
502 +
503 ++ if(*rsize >=71 && rdesc[70] == 0x65 && rdesc[64] == 0x65) {
504 ++ hid_info(hdev,
505 ++ "fixing up Magic Keyboard JIS report descriptor\n");
506 ++ rdesc[64] = rdesc[70] = 0xe7;
507 ++ }
508 ++
509 + if ((asc->quirks & APPLE_RDESC_JIS) && *rsize >= 60 &&
510 + rdesc[53] == 0x65 && rdesc[59] == 0x65) {
511 + hid_info(hdev,
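Review bot: The new Magic Keyboard JIS fixup at the top of `apple_report_fixup()` is not gated on a quirk bit or product ID, unlike the MacBook JIS branch right below it, which tests `asc->quirks & APPLE_RDESC_JIS`. As written, any device bound to this driver whose device-supplied descriptor has 0x65 at offsets 64 and 70 gets rewritten, so the match should be scoped to the affected keyboards with a dedicated quirk flag. The length guard does cover both indexes, so the access itself is bounded. For kernel style the condition should read `if (*rsize >= 71 && rdesc[64] == 0x65 && rdesc[70] == 0x65) {`. The function body continues outside the hunk.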
512 +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
513 +index 52ae674ebf5bf..6f42856c15079 100644
514 +--- a/drivers/i2c/i2c-core-acpi.c
515 ++++ b/drivers/i2c/i2c-core-acpi.c
516 +@@ -395,6 +395,7 @@ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value,
517 + break;
518 +
519 + i2c_acpi_register_device(adapter, adev, &info);
520 ++ put_device(&adapter->dev);
521 + break;
522 + case ACPI_RECONFIG_DEVICE_REMOVE:
523 + if (!acpi_device_enumerated(adev))
524 +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
525 +index 65c17e39c405f..1555d32ddb962 100644
526 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
527 ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
528 +@@ -6958,7 +6958,7 @@ static int i40e_get_capabilities(struct i40e_pf *pf)
529 + if (pf->hw.aq.asq_last_status == I40E_AQ_RC_ENOMEM) {
530 + /* retry with a larger buffer */
531 + buf_len = data_size;
532 +- } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK) {
533 ++ } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK || err) {
534 + dev_info(&pf->pdev->dev,
535 + "capability discovery failed, err %s aq_err %s\n",
536 + i40e_stat_str(&pf->hw, err),
537 +diff --git a/drivers/net/ethernet/sun/Kconfig b/drivers/net/ethernet/sun/Kconfig
538 +index b2caf5132bd2b..eea4179e63eb1 100644
539 +--- a/drivers/net/ethernet/sun/Kconfig
540 ++++ b/drivers/net/ethernet/sun/Kconfig
541 +@@ -72,6 +72,7 @@ config CASSINI
542 + config SUNVNET_COMMON
543 + tristate "Common routines to support Sun Virtual Networking"
544 + depends on SUN_LDOMS
545 ++ depends on INET
546 + default m
547 +
548 + config SUNVNET
549 +diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c
550 +index 3c5b2a2e2fcc3..11f5a7116adbd 100644
551 +--- a/drivers/net/phy/bcm7xxx.c
552 ++++ b/drivers/net/phy/bcm7xxx.c
553 +@@ -30,7 +30,12 @@
554 + #define MII_BCM7XXX_SHD_2_ADDR_CTRL 0xe
555 + #define MII_BCM7XXX_SHD_2_CTRL_STAT 0xf
556 + #define MII_BCM7XXX_SHD_2_BIAS_TRIM 0x1a
557 ++#define MII_BCM7XXX_SHD_3_PCS_CTRL 0x0
558 ++#define MII_BCM7XXX_SHD_3_PCS_STATUS 0x1
559 ++#define MII_BCM7XXX_SHD_3_EEE_CAP 0x2
560 + #define MII_BCM7XXX_SHD_3_AN_EEE_ADV 0x3
561 ++#define MII_BCM7XXX_SHD_3_EEE_LP 0x4
562 ++#define MII_BCM7XXX_SHD_3_EEE_WK_ERR 0x5
563 + #define MII_BCM7XXX_SHD_3_PCS_CTRL_2 0x6
564 + #define MII_BCM7XXX_PCS_CTRL_2_DEF 0x4400
565 + #define MII_BCM7XXX_SHD_3_AN_STAT 0xb
566 +@@ -462,6 +467,93 @@ static int bcm7xxx_28nm_ephy_config_init(struct phy_device *phydev)
567 + return bcm7xxx_28nm_ephy_apd_enable(phydev);
568 + }
569 +
570 ++#define MII_BCM7XXX_REG_INVALID 0xff
571 ++
572 ++static u8 bcm7xxx_28nm_ephy_regnum_to_shd(u16 regnum)
573 ++{
574 ++ switch (regnum) {
575 ++ case MDIO_CTRL1:
576 ++ return MII_BCM7XXX_SHD_3_PCS_CTRL;
577 ++ case MDIO_STAT1:
578 ++ return MII_BCM7XXX_SHD_3_PCS_STATUS;
579 ++ case MDIO_PCS_EEE_ABLE:
580 ++ return MII_BCM7XXX_SHD_3_EEE_CAP;
581 ++ case MDIO_AN_EEE_ADV:
582 ++ return MII_BCM7XXX_SHD_3_AN_EEE_ADV;
583 ++ case MDIO_AN_EEE_LPABLE:
584 ++ return MII_BCM7XXX_SHD_3_EEE_LP;
585 ++ case MDIO_PCS_EEE_WK_ERR:
586 ++ return MII_BCM7XXX_SHD_3_EEE_WK_ERR;
587 ++ default:
588 ++ return MII_BCM7XXX_REG_INVALID;
589 ++ }
590 ++}
591 ++
592 ++static bool bcm7xxx_28nm_ephy_dev_valid(int devnum)
593 ++{
594 ++ return devnum == MDIO_MMD_AN || devnum == MDIO_MMD_PCS;
595 ++}
596 ++
597 ++static int bcm7xxx_28nm_ephy_read_mmd(struct phy_device *phydev,
598 ++ int devnum, u16 regnum)
599 ++{
600 ++ u8 shd = bcm7xxx_28nm_ephy_regnum_to_shd(regnum);
601 ++ int ret;
602 ++
603 ++ if (!bcm7xxx_28nm_ephy_dev_valid(devnum) ||
604 ++ shd == MII_BCM7XXX_REG_INVALID)
605 ++ return -EOPNOTSUPP;
606 ++
607 ++ /* set shadow mode 2 */
608 ++ ret = phy_set_clr_bits(phydev, MII_BCM7XXX_TEST,
609 ++ MII_BCM7XXX_SHD_MODE_2, 0);
610 ++ if (ret < 0)
611 ++ return ret;
612 ++
613 ++ /* Access the desired shadow register address */
614 ++ ret = phy_write(phydev, MII_BCM7XXX_SHD_2_ADDR_CTRL, shd);
615 ++ if (ret < 0)
616 ++ goto reset_shadow_mode;
617 ++
618 ++ ret = phy_read(phydev, MII_BCM7XXX_SHD_2_CTRL_STAT);
619 ++
620 ++reset_shadow_mode:
621 ++ /* reset shadow mode 2 */
622 ++ phy_set_clr_bits(phydev, MII_BCM7XXX_TEST, 0,
623 ++ MII_BCM7XXX_SHD_MODE_2);
624 ++ return ret;
625 ++}
626 ++
627 ++static int bcm7xxx_28nm_ephy_write_mmd(struct phy_device *phydev,
628 ++ int devnum, u16 regnum, u16 val)
629 ++{
630 ++ u8 shd = bcm7xxx_28nm_ephy_regnum_to_shd(regnum);
631 ++ int ret;
632 ++
633 ++ if (!bcm7xxx_28nm_ephy_dev_valid(devnum) ||
634 ++ shd == MII_BCM7XXX_REG_INVALID)
635 ++ return -EOPNOTSUPP;
636 ++
637 ++ /* set shadow mode 2 */
638 ++ ret = phy_set_clr_bits(phydev, MII_BCM7XXX_TEST,
639 ++ MII_BCM7XXX_SHD_MODE_2, 0);
640 ++ if (ret < 0)
641 ++ return ret;
642 ++
643 ++ /* Access the desired shadow register address */
644 ++ ret = phy_write(phydev, MII_BCM7XXX_SHD_2_ADDR_CTRL, shd);
645 ++ if (ret < 0)
646 ++ goto reset_shadow_mode;
647 ++
648 ++ /* Write the desired value in the shadow register */
649 ++ phy_write(phydev, MII_BCM7XXX_SHD_2_CTRL_STAT, val);
650 ++
651 ++reset_shadow_mode:
652 ++ /* reset shadow mode 2 */
653 ++ return phy_set_clr_bits(phydev, MII_BCM7XXX_TEST, 0,
654 ++ MII_BCM7XXX_SHD_MODE_2);
655 ++}
656 ++
657 + static int bcm7xxx_28nm_ephy_resume(struct phy_device *phydev)
658 + {
659 + int ret;
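Review bot: `bcm7xxx_28nm_ephy_write_mmd()` can report success after a failed write. The result of the data `phy_write()` to `MII_BCM7XXX_SHD_2_CTRL_STAT` is discarded, and on the `goto reset_shadow_mode` path the negative `ret` from the address write is overwritten by the return value of the shadow-mode reset. The read variant keeps `ret` across the reset, so the two helpers are also inconsistent. The function should remember the first failure and still leave shadow mode 2 unconditionally, as in the excerpt below. The hunk ends inside `bcm7xxx_28nm_ephy_resume()`, which is not affected.

```c
	int ret, err;

	/* … unchanged: devnum/shd validation, enter shadow mode 2, address write … */

	/* Write the desired value in the shadow register */
	ret = phy_write(phydev, MII_BCM7XXX_SHD_2_CTRL_STAT, val);

reset_shadow_mode:
	/* always leave shadow mode 2, but report the first failure seen */
	err = phy_set_clr_bits(phydev, MII_BCM7XXX_TEST, 0,
			       MII_BCM7XXX_SHD_MODE_2);
	return ret < 0 ? ret : err;
```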
660 +@@ -637,6 +729,8 @@ static int bcm7xxx_28nm_probe(struct phy_device *phydev)
661 + .get_strings = bcm_phy_get_strings, \
662 + .get_stats = bcm7xxx_28nm_get_phy_stats, \
663 + .probe = bcm7xxx_28nm_probe, \
664 ++ .read_mmd = bcm7xxx_28nm_ephy_read_mmd, \
665 ++ .write_mmd = bcm7xxx_28nm_ephy_write_mmd, \
666 + }
667 +
668 + #define BCM7XXX_40NM_EPHY(_oui, _name) \
669 +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
670 +index 5fc7b6c1a4420..5ef9bbbab3dbb 100644
671 +--- a/drivers/net/phy/mdio_bus.c
672 ++++ b/drivers/net/phy/mdio_bus.c
673 +@@ -344,6 +344,13 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
674 + bus->dev.groups = NULL;
675 + dev_set_name(&bus->dev, "%s", bus->id);
676 +
677 ++ /* We need to set state to MDIOBUS_UNREGISTERED to correctly release
678 ++ * the device in mdiobus_free()
679 ++ *
680 ++ * State will be updated later in this function in case of success
681 ++ */
682 ++ bus->state = MDIOBUS_UNREGISTERED;
683 ++
684 + err = device_register(&bus->dev);
685 + if (err) {
686 + pr_err("mii_bus %s failed to register\n", bus->id);
687 +diff --git a/drivers/ptp/ptp_pch.c b/drivers/ptp/ptp_pch.c
688 +index b3285175f20f0..8461d7f92d313 100644
689 +--- a/drivers/ptp/ptp_pch.c
690 ++++ b/drivers/ptp/ptp_pch.c
691 +@@ -698,6 +698,7 @@ static const struct pci_device_id pch_ieee1588_pcidev_id[] = {
692 + },
693 + {0}
694 + };
695 ++MODULE_DEVICE_TABLE(pci, pch_ieee1588_pcidev_id);
696 +
697 + static struct pci_driver pch_driver = {
698 + .name = KBUILD_MODNAME,
699 +diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
700 +index 4b993607887cf..84b234bbd07db 100644
701 +--- a/drivers/scsi/ses.c
702 ++++ b/drivers/scsi/ses.c
703 +@@ -134,7 +134,7 @@ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
704 + static int ses_send_diag(struct scsi_device *sdev, int page_code,
705 + void *buf, int bufflen)
706 + {
707 +- u32 result;
708 ++ int result;
709 +
710 + unsigned char cmd[] = {
711 + SEND_DIAGNOSTIC,
712 +diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
713 +index 1f4bd7d0154d4..2839701ffab5e 100644
714 +--- a/drivers/scsi/virtio_scsi.c
715 ++++ b/drivers/scsi/virtio_scsi.c
716 +@@ -336,7 +336,7 @@ static void virtscsi_handle_transport_reset(struct virtio_scsi *vscsi,
717 + }
718 + break;
719 + default:
720 +- pr_info("Unsupport virtio scsi event reason %x\n", event->reason);
721 ++ pr_info("Unsupported virtio scsi event reason %x\n", event->reason);
722 + }
723 + }
724 +
725 +@@ -389,7 +389,7 @@ static void virtscsi_handle_event(struct work_struct *work)
726 + virtscsi_handle_param_change(vscsi, event);
727 + break;
728 + default:
729 +- pr_err("Unsupport virtio scsi event %x\n", event->event);
730 ++ pr_err("Unsupported virtio scsi event %x\n", event->event);
731 + }
732 + virtscsi_kick_event(vscsi, event_node);
733 + }
734 +diff --git a/drivers/usb/Kconfig b/drivers/usb/Kconfig
735 +index 72eb3e41e3b65..5923ebcffcdf2 100644
736 +--- a/drivers/usb/Kconfig
737 ++++ b/drivers/usb/Kconfig
738 +@@ -174,8 +174,7 @@ source "drivers/usb/typec/Kconfig"
739 +
740 + config USB_LED_TRIG
741 + bool "USB LED Triggers"
742 +- depends on LEDS_CLASS && LEDS_TRIGGERS
743 +- select USB_COMMON
744 ++ depends on LEDS_CLASS && USB_COMMON && LEDS_TRIGGERS
745 + help
746 + This option adds LED triggers for USB host and/or gadget activity.
747 +
748 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
749 +index bd9a11782e154..c653635ce5c20 100644
750 +--- a/drivers/usb/class/cdc-acm.c
751 ++++ b/drivers/usb/class/cdc-acm.c
752 +@@ -351,6 +351,9 @@ static void acm_process_notification(struct acm *acm, unsigned char *buf)
753 + acm->iocount.overrun++;
754 + spin_unlock(&acm->read_lock);
755 +
756 ++ if (newctrl & ACM_CTRL_BRK)
757 ++ tty_flip_buffer_push(&acm->port);
758 ++
759 + if (difference)
760 + wake_up_all(&acm->wioctl);
761 +
762 +@@ -486,11 +489,16 @@ static int acm_submit_read_urbs(struct acm *acm, gfp_t mem_flags)
763 +
764 + static void acm_process_read_urb(struct acm *acm, struct urb *urb)
765 + {
766 ++ unsigned long flags;
767 ++
768 + if (!urb->actual_length)
769 + return;
770 +
771 ++ spin_lock_irqsave(&acm->read_lock, flags);
772 + tty_insert_flip_string(&acm->port, urb->transfer_buffer,
773 + urb->actual_length);
774 ++ spin_unlock_irqrestore(&acm->read_lock, flags);
775 ++
776 + tty_flip_buffer_push(&acm->port);
777 + }
778 +
779 +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
780 +index a697c64a65067..92bb71c040f97 100644
781 +--- a/drivers/xen/balloon.c
782 ++++ b/drivers/xen/balloon.c
783 +@@ -571,12 +571,12 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp)
784 + }
785 +
786 + /*
787 +- * Stop waiting if either state is not BP_EAGAIN and ballooning action is
788 +- * needed, or if the credit has changed while state is BP_EAGAIN.
789 ++ * Stop waiting if either state is BP_DONE and ballooning action is
790 ++ * needed, or if the credit has changed while state is not BP_DONE.
791 + */
792 + static bool balloon_thread_cond(enum bp_state state, long credit)
793 + {
794 +- if (state != BP_EAGAIN)
795 ++ if (state == BP_DONE)
796 + credit = 0;
797 +
798 + return current_credit() != credit || kthread_should_stop();
799 +@@ -596,10 +596,19 @@ static int balloon_thread(void *unused)
800 +
801 + set_freezable();
802 + for (;;) {
803 +- if (state == BP_EAGAIN)
804 +- timeout = balloon_stats.schedule_delay * HZ;
805 +- else
806 ++ switch (state) {
807 ++ case BP_DONE:
808 ++ case BP_ECANCELED:
809 + timeout = 3600 * HZ;
810 ++ break;
811 ++ case BP_EAGAIN:
812 ++ timeout = balloon_stats.schedule_delay * HZ;
813 ++ break;
814 ++ case BP_WAIT:
815 ++ timeout = HZ;
816 ++ break;
817 ++ }
818 ++
819 + credit = current_credit();
820 +
821 + wait_event_freezable_timeout(balloon_thread_wq,
822 +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
823 +index c1e9233340120..2e7349b2dd4d4 100644
824 +--- a/fs/nfsd/nfs4xdr.c
825 ++++ b/fs/nfsd/nfs4xdr.c
826 +@@ -3082,15 +3082,18 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
827 + goto fail;
828 + cd->rd_maxcount -= entry_bytes;
829 + /*
830 +- * RFC 3530 14.2.24 describes rd_dircount as only a "hint", so
831 +- * let's always let through the first entry, at least:
832 ++ * RFC 3530 14.2.24 describes rd_dircount as only a "hint", and
833 ++ * notes that it could be zero. If it is zero, then the server
834 ++ * should enforce only the rd_maxcount value.
835 + */
836 +- if (!cd->rd_dircount)
837 +- goto fail;
838 +- name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8;
839 +- if (name_and_cookie > cd->rd_dircount && cd->cookie_offset)
840 +- goto fail;
841 +- cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie);
842 ++ if (cd->rd_dircount) {
843 ++ name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8;
844 ++ if (name_and_cookie > cd->rd_dircount && cd->cookie_offset)
845 ++ goto fail;
846 ++ cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie);
847 ++ if (!cd->rd_dircount)
848 ++ cd->rd_maxcount = 0;
849 ++ }
850 +
851 + cd->cookie_offset = cookie_offset;
852 + skip_entry:
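Review bot: The `cd->rd_maxcount = 0;` assignment in the new `if (cd->rd_dircount)` block needs its own comment, because the rewritten block comment only covers the case where the client sent a zero dircount. It appears to act as a sentinel: once a non-zero `rd_dircount` is consumed down to zero, the next call would otherwise read it as "no dircount limit" and keep encoding entries. I would add `/* dircount exhausted: zero rd_maxcount so the next entry fails instead of being treated as unlimited */` above the inner `if`. The `rd_maxcount` comparison that makes this work is above the hunk, so please confirm it rejects every entry once the value is 0.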
853 +diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
854 +index 5bdc85ad13a2f..4869fa508616f 100644
855 +--- a/fs/overlayfs/dir.c
856 ++++ b/fs/overlayfs/dir.c
857 +@@ -1032,9 +1032,13 @@ static int ovl_rename(struct inode *olddir, struct dentry *old,
858 + goto out_dput;
859 + }
860 + } else {
861 +- if (!d_is_negative(newdentry) &&
862 +- (!new_opaque || !ovl_is_whiteout(newdentry)))
863 +- goto out_dput;
864 ++ if (!d_is_negative(newdentry)) {
865 ++ if (!new_opaque || !ovl_is_whiteout(newdentry))
866 ++ goto out_dput;
867 ++ } else {
868 ++ if (flags & RENAME_EXCHANGE)
869 ++ goto out_dput;
870 ++ }
871 + }
872 +
873 + if (olddentry == trap)
874 +diff --git a/include/linux/sched.h b/include/linux/sched.h
875 +index 99650f05c271a..914cc8b180eda 100644
876 +--- a/include/linux/sched.h
877 ++++ b/include/linux/sched.h
878 +@@ -1390,7 +1390,7 @@ extern struct pid *cad_pid;
879 + #define tsk_used_math(p) ((p)->flags & PF_USED_MATH)
880 + #define used_math() tsk_used_math(current)
881 +
882 +-static inline bool is_percpu_thread(void)
883 ++static __always_inline bool is_percpu_thread(void)
884 + {
885 + #ifdef CONFIG_SMP
886 + return (current->flags & PF_NO_SETAFFINITY) &&
887 +diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
888 +index 1d4c3fba0f8cd..099dc780a92f2 100644
889 +--- a/kernel/bpf/stackmap.c
890 ++++ b/kernel/bpf/stackmap.c
891 +@@ -28,7 +28,8 @@ struct bpf_stack_map {
892 +
893 + static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
894 + {
895 +- u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
896 ++ u64 elem_size = sizeof(struct stack_map_bucket) +
897 ++ (u64)smap->map.value_size;
898 + int err;
899 +
900 + smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries,
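Review bot: Widening `elem_size` to `u64` makes `elem_size * smap->map.max_entries` a 64-bit product, but the value is still only as wide as the size parameter of `bpf_map_area_alloc()`, whose prototype is not visible here. If that parameter is `size_t`, a 32-bit build narrows the product again at the call. An explicit bound before the allocation, e.g. `if (elem_size * smap->map.max_entries > SIZE_MAX) return -E2BIG;`, or a comment naming the caller-side limit that makes it unnecessary, would keep the overflow reasoning local. The rest of prealloc_elems_and_freelist() lies outside the hunk, so any later use of `elem_size` through a narrower type should be checked as well.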
901 +diff --git a/lib/test_bpf.c b/lib/test_bpf.c
902 +index 9a8f957ad86e9..724674c421ca7 100644
903 +--- a/lib/test_bpf.c
904 ++++ b/lib/test_bpf.c
905 +@@ -355,6 +355,52 @@ static int bpf_fill_maxinsns11(struct bpf_test *self)
906 + return __bpf_fill_ja(self, BPF_MAXINSNS, 68);
907 + }
908 +
909 ++static int bpf_fill_maxinsns12(struct bpf_test *self)
910 ++{
911 ++ unsigned int len = BPF_MAXINSNS;
912 ++ struct sock_filter *insn;
913 ++ int i = 0;
914 ++
915 ++ insn = kmalloc_array(len, sizeof(*insn), GFP_KERNEL);
916 ++ if (!insn)
917 ++ return -ENOMEM;
918 ++
919 ++ insn[0] = __BPF_JUMP(BPF_JMP | BPF_JA, len - 2, 0, 0);
920 ++
921 ++ for (i = 1; i < len - 1; i++)
922 ++ insn[i] = __BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 0);
923 ++
924 ++ insn[len - 1] = __BPF_STMT(BPF_RET | BPF_K, 0xabababab);
925 ++
926 ++ self->u.ptr.insns = insn;
927 ++ self->u.ptr.len = len;
928 ++
929 ++ return 0;
930 ++}
931 ++
932 ++static int bpf_fill_maxinsns13(struct bpf_test *self)
933 ++{
934 ++ unsigned int len = BPF_MAXINSNS;
935 ++ struct sock_filter *insn;
936 ++ int i = 0;
937 ++
938 ++ insn = kmalloc_array(len, sizeof(*insn), GFP_KERNEL);
939 ++ if (!insn)
940 ++ return -ENOMEM;
941 ++
942 ++ for (i = 0; i < len - 3; i++)
943 ++ insn[i] = __BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 0);
944 ++
945 ++ insn[len - 3] = __BPF_STMT(BPF_LD | BPF_IMM, 0xabababab);
946 ++ insn[len - 2] = __BPF_STMT(BPF_ALU | BPF_XOR | BPF_X, 0);
947 ++ insn[len - 1] = __BPF_STMT(BPF_RET | BPF_A, 0);
948 ++
949 ++ self->u.ptr.insns = insn;
950 ++ self->u.ptr.len = len;
951 ++
952 ++ return 0;
953 ++}
954 ++
955 + static int bpf_fill_ja(struct bpf_test *self)
956 + {
957 + /* Hits exactly 11 passes on x86_64 JIT. */
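Review bot: In both `bpf_fill_maxinsns12()` and `bpf_fill_maxinsns13()` the loop index is declared `int i = 0` while the bound is the `unsigned int len`. The loop conditions therefore compare signed with unsigned, and the initializer is dead because each `for` assigns `i` itself; `unsigned int i;` would be cleaner. Neither helper has a comment saying what program it builds. I would add one line to each, e.g. `/* JA over len - 2 LDX MSH insns straight to the final RET */` and `/* len - 3 LDX MSH insns, then A = imm; A ^= X; RET A */`.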
958 +@@ -5437,6 +5483,23 @@ static struct bpf_test tests[] = {
959 + .fill_helper = bpf_fill_maxinsns11,
960 + .expected_errcode = -ENOTSUPP,
961 + },
962 ++ {
963 ++ "BPF_MAXINSNS: jump over MSH",
964 ++ { },
965 ++ CLASSIC | FLAG_EXPECTED_FAIL,
966 ++ { 0xfa, 0xfb, 0xfc, 0xfd, },
967 ++ { { 4, 0xabababab } },
968 ++ .fill_helper = bpf_fill_maxinsns12,
969 ++ .expected_errcode = -EINVAL,
970 ++ },
971 ++ {
972 ++ "BPF_MAXINSNS: exec all MSH",
973 ++ { },
974 ++ CLASSIC,
975 ++ { 0xfa, 0xfb, 0xfc, 0xfd, },
976 ++ { { 4, 0xababab83 } },
977 ++ .fill_helper = bpf_fill_maxinsns13,
978 ++ },
979 + {
980 + "BPF_MAXINSNS: ld_abs+get_processor_id",
981 + { },
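Review bot: The expected value `0xababab83` in the "exec all MSH" entry is a magic number that a reader has to reconstruct from the fill helper and the packet bytes. A comment such as `/* X = 4 * (0xfa & 0xf) = 0x28; 0xabababab ^ 0x28 */` next to `{ { 4, 0xababab83 } }` would make it checkable at a glance. The "jump over MSH" entry also carries a result pair `{ { 4, 0xabababab } }` although it is flagged `FLAG_EXPECTED_FAIL` with `-EINVAL`. If that pair is never compared for an expected-fail test, a short comment saying so would avoid confusion.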
982 +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
983 +index 08190db0a2dca..79e306ec1416c 100644
984 +--- a/net/bridge/br_netlink.c
985 ++++ b/net/bridge/br_netlink.c
986 +@@ -1437,7 +1437,7 @@ static size_t br_get_linkxstats_size(const struct net_device *dev, int attr)
987 + }
988 +
989 + return numvls * nla_total_size(sizeof(struct bridge_vlan_xstats)) +
990 +- nla_total_size(sizeof(struct br_mcast_stats)) +
991 ++ nla_total_size_64bit(sizeof(struct br_mcast_stats)) +
992 + nla_total_size(0);
993 + }
994 +
995 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
996 +index 3bcaecc7ba69f..d7e2cb7ae1fa4 100644
997 +--- a/net/core/rtnetlink.c
998 ++++ b/net/core/rtnetlink.c
999 +@@ -4053,7 +4053,7 @@ nla_put_failure:
1000 + static size_t if_nlmsg_stats_size(const struct net_device *dev,
1001 + u32 filter_mask)
1002 + {
1003 +- size_t size = 0;
1004 ++ size_t size = NLMSG_ALIGN(sizeof(struct if_stats_msg));
1005 +
1006 + if (stats_attr_valid(filter_mask, IFLA_STATS_LINK_64, 0))
1007 + size += nla_total_size_64bit(sizeof(struct rtnl_link_stats64));
1008 +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
1009 +index d0d5e43727307..93f4441547289 100644
1010 +--- a/net/ipv6/netfilter/ip6_tables.c
1011 ++++ b/net/ipv6/netfilter/ip6_tables.c
1012 +@@ -275,6 +275,7 @@ ip6t_do_table(struct sk_buff *skb,
1013 + * things we don't know, ie. tcp syn flag or ports). If the
1014 + * rule is also a fragment-specific rule, non-fragments won't
1015 + * match it. */
1016 ++ acpar.fragoff = 0;
1017 + acpar.hotdrop = false;
1018 + acpar.state = state;
1019 +
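Review bot: The added `acpar.fragoff = 0;` sits directly under an existing comment about fragment-specific rules that does not explain it, so the reason for the initialisation is left to the commit message. Presumably `acpar` is a stack variable and some match can read `fragoff` before anything else stores to it. A line such as `/* not always set before matches run; never expose stack garbage */` above the assignment would record that. The declaration of `acpar` is outside the hunk; if it is a plain automatic struct, zero-initialising it at the declaration would also cover fields added later.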
1020 +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
1021 +index 87926c6fe0bf4..cbe1177d95f9e 100644
1022 +--- a/net/mac80211/rx.c
1023 ++++ b/net/mac80211/rx.c
1024 +@@ -3714,7 +3714,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
1025 + if (!bssid)
1026 + return false;
1027 + if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
1028 +- ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
1029 ++ ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2) ||
1030 ++ !is_valid_ether_addr(hdr->addr2))
1031 + return false;
1032 + if (ieee80211_is_beacon(hdr->frame_control))
1033 + return true;
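Review bot: The new `!is_valid_ether_addr(hdr->addr2)` test rejects a zero or group transmitter address only in the branch shown here, and ieee80211_accept_frame() continues outside the hunk. Other interface types that build peer state from `addr2` may need the same filter if they can be reached with an unvalidated address, which is worth confirming. The condition now combines three unrelated reasons for rejection, so I would add `/* drop frames from ourselves, from the BSSID, or from a zero/group address */` above it.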
1034 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
1035 +index 955041c547025..d1fd9f7c867ef 100644
1036 +--- a/net/netlink/af_netlink.c
1037 ++++ b/net/netlink/af_netlink.c
1038 +@@ -567,7 +567,10 @@ static int netlink_insert(struct sock *sk, u32 portid)
1039 +
1040 + /* We need to ensure that the socket is hashed and visible. */
1041 + smp_wmb();
1042 +- nlk_sk(sk)->bound = portid;
1043 ++ /* Paired with lockless reads from netlink_bind(),
1044 ++ * netlink_connect() and netlink_sendmsg().
1045 ++ */
1046 ++ WRITE_ONCE(nlk_sk(sk)->bound, portid);
1047 +
1048 + err:
1049 + release_sock(sk);
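Review bot: The comment added above `WRITE_ONCE(nlk_sk(sk)->bound, portid)` says the store is paired with lockless reads but not what the pairing provides. The annotations only keep the compiler from tearing or refetching `bound`; ordering against the hashed socket still comes from the `smp_wmb()` just above and a read barrier on the reader side. Of the three readers, only the netlink_bind() hunk shows the matching `smp_rmb()`. The netlink_connect() comment says none is needed, and the netlink_sendmsg() hunk shows only the unbound path, so the bound path there should be confirmed to have one. I would extend the comment with `* Ordering comes from the smp_wmb() above and smp_rmb() in the readers.`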
1050 +@@ -986,7 +989,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
1051 + else if (nlk->ngroups < 8*sizeof(groups))
1052 + groups &= (1UL << nlk->ngroups) - 1;
1053 +
1054 +- bound = nlk->bound;
1055 ++ /* Paired with WRITE_ONCE() in netlink_insert() */
1056 ++ bound = READ_ONCE(nlk->bound);
1057 + if (bound) {
1058 + /* Ensure nlk->portid is up-to-date. */
1059 + smp_rmb();
1060 +@@ -1072,8 +1076,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
1061 +
1062 + /* No need for barriers here as we return to user-space without
1063 + * using any of the bound attributes.
1064 ++ * Paired with WRITE_ONCE() in netlink_insert().
1065 + */
1066 +- if (!nlk->bound)
1067 ++ if (!READ_ONCE(nlk->bound))
1068 + err = netlink_autobind(sock);
1069 +
1070 + if (err == 0) {
1071 +@@ -1839,7 +1844,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
1072 + dst_group = nlk->dst_group;
1073 + }
1074 +
1075 +- if (!nlk->bound) {
1076 ++ /* Paired with WRITE_ONCE() in netlink_insert() */
1077 ++ if (!READ_ONCE(nlk->bound)) {
1078 + err = netlink_autobind(sock);
1079 + if (err)
1080 + goto out;
1081 +diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
1082 +index 1e37247656f80..8b7110cbcce4c 100644
1083 +--- a/net/sched/sch_fifo.c
1084 ++++ b/net/sched/sch_fifo.c
1085 +@@ -151,6 +151,9 @@ int fifo_set_limit(struct Qdisc *q, unsigned int limit)
1086 + if (strncmp(q->ops->id + 1, "fifo", 4) != 0)
1087 + return 0;
1088 +
1089 ++ if (!q->ops->change)
1090 ++ return 0;
1091 ++
1092 + nla = kmalloc(nla_attr_size(sizeof(struct tc_fifo_qopt)), GFP_KERNEL);
1093 + if (nla) {
1094 + nla->nla_type = RTM_NEWQDISC;
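Review bot: The new `if (!q->ops->change) return 0;` reports success to the caller although the limit was not applied, the same return value as the "not a fifo" case just above it. The id test `strncmp(q->ops->id + 1, "fifo", 4)` accepts any qdisc whose id has "fifo" at offset 1, so a qdisc can pass it and still have no `change` op. Whether callers need to tell that apart from a real update cannot be seen from this hunk. At minimum I would add `/* id matched but this qdisc cannot be reconfigured; leave its limit alone */` above the check. fifo_set_limit() continues outside the hunk.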