Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.10 commit in: /
Date: Wed, 31 Aug 2022 15:39:26
Message-Id: 1661960352.92fb566de11ac6624545feff2c5ffe8a51627926.mpagano@gentoo
1 commit: 92fb566de11ac6624545feff2c5ffe8a51627926
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Aug 31 15:39:12 2022 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Aug 31 15:39:12 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=92fb566d
7
8 Linux patch 5.10.140
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1139_linux-5.10.140.patch | 3424 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 3428 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 2f48b8ae..f5306e89 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -599,6 +599,10 @@ Patch: 1138_linux-5.10.139.patch
21 From: http://www.kernel.org
22 Desc: Linux 5.10.139
23
24 +Patch: 1139_linux-5.10.140.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 5.10.140
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1139_linux-5.10.140.patch b/1139_linux-5.10.140.patch
33 new file mode 100644
34 index 00000000..d204d073
35 --- /dev/null
36 +++ b/1139_linux-5.10.140.patch
37 @@ -0,0 +1,3424 @@
38 +diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
39 +index 44c6e57303988..500d5d8937cbb 100644
40 +--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
41 ++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
42 +@@ -511,6 +511,7 @@ What: /sys/devices/system/cpu/vulnerabilities
43 + /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
44 + /sys/devices/system/cpu/vulnerabilities/itlb_multihit
45 + /sys/devices/system/cpu/vulnerabilities/mmio_stale_data
46 ++ /sys/devices/system/cpu/vulnerabilities/retbleed
47 + Date: January 2018
48 + Contact: Linux kernel mailing list <linux-kernel@×××××××××××.org>
49 + Description: Information about CPU vulnerabilities
50 +diff --git a/Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst b/Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
51 +index 9393c50b5afc9..c98fd11907cc8 100644
52 +--- a/Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
53 ++++ b/Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
54 +@@ -230,6 +230,20 @@ The possible values in this file are:
55 + * - 'Mitigation: Clear CPU buffers'
56 + - The processor is vulnerable and the CPU buffer clearing mitigation is
57 + enabled.
58 ++ * - 'Unknown: No mitigations'
59 ++ - The processor vulnerability status is unknown because it is
60 ++ out of Servicing period. Mitigation is not attempted.
61 ++
62 ++Definitions:
63 ++------------
64 ++
65 ++Servicing period: The process of providing functional and security updates to
66 ++Intel processors or platforms, utilizing the Intel Platform Update (IPU)
67 ++process or other similar mechanisms.
68 ++
69 ++End of Servicing Updates (ESU): ESU is the date at which Intel will no
70 ++longer provide Servicing, such as through IPU or other similar update
71 ++processes. ESU dates will typically be aligned to end of quarter.
72 +
73 + If the processor is vulnerable then the following information is appended to
74 + the above information:
75 +diff --git a/Documentation/admin-guide/sysctl/net.rst b/Documentation/admin-guide/sysctl/net.rst
76 +index f2ab8a5b6a4b8..7f553859dba82 100644
77 +--- a/Documentation/admin-guide/sysctl/net.rst
78 ++++ b/Documentation/admin-guide/sysctl/net.rst
79 +@@ -271,7 +271,7 @@ poll cycle or the number of packets processed reaches netdev_budget.
80 + netdev_max_backlog
81 + ------------------
82 +
83 +-Maximum number of packets, queued on the INPUT side, when the interface
84 ++Maximum number of packets, queued on the INPUT side, when the interface
85 + receives packets faster than kernel can process them.
86 +
87 + netdev_rss_key
88 +diff --git a/Makefile b/Makefile
89 +index 48140575f960b..a80179d2c0057 100644
90 +--- a/Makefile
91 ++++ b/Makefile
92 +@@ -1,7 +1,7 @@
93 + # SPDX-License-Identifier: GPL-2.0
94 + VERSION = 5
95 + PATCHLEVEL = 10
96 +-SUBLEVEL = 139
97 ++SUBLEVEL = 140
98 + EXTRAVERSION =
99 + NAME = Dare mighty things
100 +
101 +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
102 +index ca42d58e8c821..78263dadd00da 100644
103 +--- a/arch/arm64/kernel/cpu_errata.c
104 ++++ b/arch/arm64/kernel/cpu_errata.c
105 +@@ -220,6 +220,8 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = {
106 + #ifdef CONFIG_ARM64_ERRATUM_1286807
107 + {
108 + ERRATA_MIDR_RANGE(MIDR_CORTEX_A76, 0, 0, 3, 0),
109 ++ },
110 ++ {
111 + /* Kryo4xx Gold (rcpe to rfpe) => (r0p0 to r3p0) */
112 + ERRATA_MIDR_RANGE(MIDR_QCOM_KRYO_4XX_GOLD, 0xc, 0xe, 0xf, 0xe),
113 + },
114 +diff --git a/arch/parisc/kernel/unaligned.c b/arch/parisc/kernel/unaligned.c
115 +index 286cec4d86d7b..cc6ed74960501 100644
116 +--- a/arch/parisc/kernel/unaligned.c
117 ++++ b/arch/parisc/kernel/unaligned.c
118 +@@ -107,7 +107,7 @@
119 + #define R1(i) (((i)>>21)&0x1f)
120 + #define R2(i) (((i)>>16)&0x1f)
121 + #define R3(i) ((i)&0x1f)
122 +-#define FR3(i) ((((i)<<1)&0x1f)|(((i)>>6)&1))
123 ++#define FR3(i) ((((i)&0x1f)<<1)|(((i)>>6)&1))
124 + #define IM(i,n) (((i)>>1&((1<<(n-1))-1))|((i)&1?((0-1L)<<(n-1)):0))
125 + #define IM5_2(i) IM((i)>>16,5)
126 + #define IM5_3(i) IM((i),5)
127 +diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c
128 +index ec801d3bbb37a..137a170f47d4f 100644
129 +--- a/arch/s390/kernel/process.c
130 ++++ b/arch/s390/kernel/process.c
131 +@@ -77,6 +77,18 @@ int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
132 +
133 + memcpy(dst, src, arch_task_struct_size);
134 + dst->thread.fpu.regs = dst->thread.fpu.fprs;
135 ++
136 ++ /*
137 ++ * Don't transfer over the runtime instrumentation or the guarded
138 ++ * storage control block pointers. These fields are cleared here instead
139 ++ * of in copy_thread() to avoid premature freeing of associated memory
140 ++ * on fork() failure. Wait to clear the RI flag because ->stack still
141 ++ * refers to the source thread.
142 ++ */
143 ++ dst->thread.ri_cb = NULL;
144 ++ dst->thread.gs_cb = NULL;
145 ++ dst->thread.gs_bc_cb = NULL;
146 ++
147 + return 0;
148 + }
149 +
150 +@@ -134,13 +146,11 @@ int copy_thread(unsigned long clone_flags, unsigned long new_stackp,
151 + frame->childregs.flags = 0;
152 + if (new_stackp)
153 + frame->childregs.gprs[15] = new_stackp;
154 +-
155 +- /* Don't copy runtime instrumentation info */
156 +- p->thread.ri_cb = NULL;
157 ++ /*
158 ++ * Clear the runtime instrumentation flag after the above childregs
159 ++ * copy. The CB pointer was already cleared in arch_dup_task_struct().
160 ++ */
161 + frame->childregs.psw.mask &= ~PSW_MASK_RI;
162 +- /* Don't copy guarded storage control block */
163 +- p->thread.gs_cb = NULL;
164 +- p->thread.gs_bc_cb = NULL;
165 +
166 + /* Set a new TLS ? */
167 + if (clone_flags & CLONE_SETTLS) {
168 +diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
169 +index bd8516e6c353c..42173a7be3bb4 100644
170 +--- a/arch/x86/events/intel/lbr.c
171 ++++ b/arch/x86/events/intel/lbr.c
172 +@@ -1114,6 +1114,14 @@ static int intel_pmu_setup_hw_lbr_filter(struct perf_event *event)
173 +
174 + if (static_cpu_has(X86_FEATURE_ARCH_LBR)) {
175 + reg->config = mask;
176 ++
177 ++ /*
178 ++ * The Arch LBR HW can retrieve the common branch types
179 ++ * from the LBR_INFO. It doesn't require the high overhead
180 ++ * SW disassemble.
181 ++ * Enable the branch type by default for the Arch LBR.
182 ++ */
183 ++ reg->reg |= X86_BR_TYPE_SAVE;
184 + return 0;
185 + }
186 +
187 +diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
188 +index bbd1120ae1610..fa9289718147a 100644
189 +--- a/arch/x86/events/intel/uncore_snb.c
190 ++++ b/arch/x86/events/intel/uncore_snb.c
191 +@@ -657,6 +657,22 @@ int snb_pci2phy_map_init(int devid)
192 + return 0;
193 + }
194 +
195 ++static u64 snb_uncore_imc_read_counter(struct intel_uncore_box *box, struct perf_event *event)
196 ++{
197 ++ struct hw_perf_event *hwc = &event->hw;
198 ++
199 ++ /*
200 ++ * SNB IMC counters are 32-bit and are laid out back to back
201 ++ * in MMIO space. Therefore we must use a 32-bit accessor function
202 ++ * using readq() from uncore_mmio_read_counter() causes problems
203 ++ * because it is reading 64-bit at a time. This is okay for the
204 ++ * uncore_perf_event_update() function because it drops the upper
205 ++ * 32-bits but not okay for plain uncore_read_counter() as invoked
206 ++ * in uncore_pmu_event_start().
207 ++ */
208 ++ return (u64)readl(box->io_addr + hwc->event_base);
209 ++}
210 ++
211 + static struct pmu snb_uncore_imc_pmu = {
212 + .task_ctx_nr = perf_invalid_context,
213 + .event_init = snb_uncore_imc_event_init,
214 +@@ -676,7 +692,7 @@ static struct intel_uncore_ops snb_uncore_imc_ops = {
215 + .disable_event = snb_uncore_imc_disable_event,
216 + .enable_event = snb_uncore_imc_enable_event,
217 + .hw_config = snb_uncore_imc_hw_config,
218 +- .read_counter = uncore_mmio_read_counter,
219 ++ .read_counter = snb_uncore_imc_read_counter,
220 + };
221 +
222 + static struct intel_uncore_type snb_uncore_imc = {
223 +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
224 +index 37ba0cdf99aa8..f507ad7c7fd7b 100644
225 +--- a/arch/x86/include/asm/cpufeatures.h
226 ++++ b/arch/x86/include/asm/cpufeatures.h
227 +@@ -429,7 +429,8 @@
228 + #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
229 + #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
230 + #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
231 +-#define X86_BUG_RETBLEED X86_BUG(26) /* CPU is affected by RETBleed */
232 +-#define X86_BUG_EIBRS_PBRSB X86_BUG(27) /* EIBRS is vulnerable to Post Barrier RSB Predictions */
233 ++#define X86_BUG_MMIO_UNKNOWN X86_BUG(26) /* CPU is too old and its MMIO Stale Data status is unknown */
234 ++#define X86_BUG_RETBLEED X86_BUG(27) /* CPU is affected by RETBleed */
235 ++#define X86_BUG_EIBRS_PBRSB X86_BUG(28) /* EIBRS is vulnerable to Post Barrier RSB Predictions */
236 +
237 + #endif /* _ASM_X86_CPUFEATURES_H */
238 +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
239 +index aa4ee46f00ce5..a300a19255b66 100644
240 +--- a/arch/x86/kernel/cpu/bugs.c
241 ++++ b/arch/x86/kernel/cpu/bugs.c
242 +@@ -424,7 +424,8 @@ static void __init mmio_select_mitigation(void)
243 + u64 ia32_cap;
244 +
245 + if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
246 +- cpu_mitigations_off()) {
247 ++ boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) ||
248 ++ cpu_mitigations_off()) {
249 + mmio_mitigation = MMIO_MITIGATION_OFF;
250 + return;
251 + }
252 +@@ -529,6 +530,8 @@ out:
253 + pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
254 + if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
255 + pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
256 ++ else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
257 ++ pr_info("MMIO Stale Data: Unknown: No mitigations\n");
258 + }
259 +
260 + static void __init md_clear_select_mitigation(void)
261 +@@ -2198,6 +2201,9 @@ static ssize_t tsx_async_abort_show_state(char *buf)
262 +
263 + static ssize_t mmio_stale_data_show_state(char *buf)
264 + {
265 ++ if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
266 ++ return sysfs_emit(buf, "Unknown: No mitigations\n");
267 ++
268 + if (mmio_mitigation == MMIO_MITIGATION_OFF)
269 + return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);
270 +
271 +@@ -2344,6 +2350,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
272 + return srbds_show_state(buf);
273 +
274 + case X86_BUG_MMIO_STALE_DATA:
275 ++ case X86_BUG_MMIO_UNKNOWN:
276 + return mmio_stale_data_show_state(buf);
277 +
278 + case X86_BUG_RETBLEED:
279 +@@ -2403,7 +2410,10 @@ ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *
280 +
281 + ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)
282 + {
283 +- return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
284 ++ if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
285 ++ return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_UNKNOWN);
286 ++ else
287 ++ return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
288 + }
289 +
290 + ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)
291 +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
292 +index 9fc91482e85e3..56573241d0293 100644
293 +--- a/arch/x86/kernel/cpu/common.c
294 ++++ b/arch/x86/kernel/cpu/common.c
295 +@@ -1024,7 +1024,8 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
296 + #define NO_SWAPGS BIT(6)
297 + #define NO_ITLB_MULTIHIT BIT(7)
298 + #define NO_SPECTRE_V2 BIT(8)
299 +-#define NO_EIBRS_PBRSB BIT(9)
300 ++#define NO_MMIO BIT(9)
301 ++#define NO_EIBRS_PBRSB BIT(10)
302 +
303 + #define VULNWL(vendor, family, model, whitelist) \
304 + X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, whitelist)
305 +@@ -1045,6 +1046,11 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
306 + VULNWL(NSC, 5, X86_MODEL_ANY, NO_SPECULATION),
307 +
308 + /* Intel Family 6 */
309 ++ VULNWL_INTEL(TIGERLAKE, NO_MMIO),
310 ++ VULNWL_INTEL(TIGERLAKE_L, NO_MMIO),
311 ++ VULNWL_INTEL(ALDERLAKE, NO_MMIO),
312 ++ VULNWL_INTEL(ALDERLAKE_L, NO_MMIO),
313 ++
314 + VULNWL_INTEL(ATOM_SALTWELL, NO_SPECULATION | NO_ITLB_MULTIHIT),
315 + VULNWL_INTEL(ATOM_SALTWELL_TABLET, NO_SPECULATION | NO_ITLB_MULTIHIT),
316 + VULNWL_INTEL(ATOM_SALTWELL_MID, NO_SPECULATION | NO_ITLB_MULTIHIT),
317 +@@ -1063,9 +1069,9 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
318 + VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
319 + VULNWL_INTEL(ATOM_AIRMONT_NP, NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
320 +
321 +- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
322 +- VULNWL_INTEL(ATOM_GOLDMONT_D, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
323 +- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
324 ++ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
325 ++ VULNWL_INTEL(ATOM_GOLDMONT_D, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
326 ++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB),
327 +
328 + /*
329 + * Technically, swapgs isn't serializing on AMD (despite it previously
330 +@@ -1080,18 +1086,18 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
331 + VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
332 +
333 + /* AMD Family 0xf - 0x12 */
334 +- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
335 +- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
336 +- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
337 +- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
338 ++ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
339 ++ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
340 ++ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
341 ++ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
342 +
343 + /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
344 +- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
345 +- VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
346 ++ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
347 ++ VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
348 +
349 + /* Zhaoxin Family 7 */
350 +- VULNWL(CENTAUR, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS),
351 +- VULNWL(ZHAOXIN, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS),
352 ++ VULNWL(CENTAUR, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO),
353 ++ VULNWL(ZHAOXIN, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO),
354 + {}
355 + };
356 +
357 +@@ -1245,10 +1251,16 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
358 + * Affected CPU list is generally enough to enumerate the vulnerability,
359 + * but for virtualization case check for ARCH_CAP MSR bits also, VMM may
360 + * not want the guest to enumerate the bug.
361 ++ *
362 ++ * Set X86_BUG_MMIO_UNKNOWN for CPUs that are neither in the blacklist,
363 ++ * nor in the whitelist and also don't enumerate MSR ARCH_CAP MMIO bits.
364 + */
365 +- if (cpu_matches(cpu_vuln_blacklist, MMIO) &&
366 +- !arch_cap_mmio_immune(ia32_cap))
367 +- setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
368 ++ if (!arch_cap_mmio_immune(ia32_cap)) {
369 ++ if (cpu_matches(cpu_vuln_blacklist, MMIO))
370 ++ setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
371 ++ else if (!cpu_matches(cpu_vuln_whitelist, NO_MMIO))
372 ++ setup_force_cpu_bug(X86_BUG_MMIO_UNKNOWN);
373 ++ }
374 +
375 + if (!cpu_has(c, X86_FEATURE_BTC_NO)) {
376 + if (cpu_matches(cpu_vuln_blacklist, RETBLEED) || (ia32_cap & ARCH_CAP_RSBA))
377 +diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
378 +index c451d5f6422f6..cc071c4c65240 100644
379 +--- a/arch/x86/kernel/unwind_orc.c
380 ++++ b/arch/x86/kernel/unwind_orc.c
381 +@@ -93,22 +93,27 @@ static struct orc_entry *orc_find(unsigned long ip);
382 + static struct orc_entry *orc_ftrace_find(unsigned long ip)
383 + {
384 + struct ftrace_ops *ops;
385 +- unsigned long caller;
386 ++ unsigned long tramp_addr, offset;
387 +
388 + ops = ftrace_ops_trampoline(ip);
389 + if (!ops)
390 + return NULL;
391 +
392 ++ /* Set tramp_addr to the start of the code copied by the trampoline */
393 + if (ops->flags & FTRACE_OPS_FL_SAVE_REGS)
394 +- caller = (unsigned long)ftrace_regs_call;
395 ++ tramp_addr = (unsigned long)ftrace_regs_caller;
396 + else
397 +- caller = (unsigned long)ftrace_call;
398 ++ tramp_addr = (unsigned long)ftrace_caller;
399 ++
400 ++ /* Now place tramp_addr to the location within the trampoline ip is at */
401 ++ offset = ip - ops->trampoline;
402 ++ tramp_addr += offset;
403 +
404 + /* Prevent unlikely recursion */
405 +- if (ip == caller)
406 ++ if (ip == tramp_addr)
407 + return NULL;
408 +
409 +- return orc_find(caller);
410 ++ return orc_find(tramp_addr);
411 + }
412 + #else
413 + static struct orc_entry *orc_ftrace_find(unsigned long ip)
414 +diff --git a/block/blk-mq.c b/block/blk-mq.c
415 +index 90f64bb42fbd1..cfc039fabf8ce 100644
416 +--- a/block/blk-mq.c
417 ++++ b/block/blk-mq.c
418 +@@ -1402,7 +1402,8 @@ out:
419 + /* If we didn't flush the entire list, we could have told the driver
420 + * there was more coming, but that turned out to be a lie.
421 + */
422 +- if ((!list_empty(list) || errors) && q->mq_ops->commit_rqs && queued)
423 ++ if ((!list_empty(list) || errors || needs_resource ||
424 ++ ret == BLK_STS_DEV_RESOURCE) && q->mq_ops->commit_rqs && queued)
425 + q->mq_ops->commit_rqs(hctx);
426 + /*
427 + * Any items that need requeuing? Stuff them into hctx->dispatch,
428 +@@ -2080,6 +2081,7 @@ void blk_mq_try_issue_list_directly(struct blk_mq_hw_ctx *hctx,
429 + list_del_init(&rq->queuelist);
430 + ret = blk_mq_request_issue_directly(rq, list_empty(list));
431 + if (ret != BLK_STS_OK) {
432 ++ errors++;
433 + if (ret == BLK_STS_RESOURCE ||
434 + ret == BLK_STS_DEV_RESOURCE) {
435 + blk_mq_request_bypass_insert(rq, false,
436 +@@ -2087,7 +2089,6 @@ void blk_mq_try_issue_list_directly(struct blk_mq_hw_ctx *hctx,
437 + break;
438 + }
439 + blk_mq_end_request(rq, ret);
440 +- errors++;
441 + } else
442 + queued++;
443 + }
444 +diff --git a/drivers/acpi/processor_thermal.c b/drivers/acpi/processor_thermal.c
445 +index 6c7d05b37c986..7df0c6e3ba63c 100644
446 +--- a/drivers/acpi/processor_thermal.c
447 ++++ b/drivers/acpi/processor_thermal.c
448 +@@ -148,7 +148,7 @@ void acpi_thermal_cpufreq_exit(struct cpufreq_policy *policy)
449 + unsigned int cpu;
450 +
451 + for_each_cpu(cpu, policy->related_cpus) {
452 +- struct acpi_processor *pr = per_cpu(processors, policy->cpu);
453 ++ struct acpi_processor *pr = per_cpu(processors, cpu);
454 +
455 + if (pr)
456 + freq_qos_remove_request(&pr->thermal_req);
457 +diff --git a/drivers/block/loop.c b/drivers/block/loop.c
458 +index e4517d483bdc3..b10410585a746 100644
459 +--- a/drivers/block/loop.c
460 ++++ b/drivers/block/loop.c
461 +@@ -1031,6 +1031,11 @@ loop_set_status_from_info(struct loop_device *lo,
462 +
463 + lo->lo_offset = info->lo_offset;
464 + lo->lo_sizelimit = info->lo_sizelimit;
465 ++
466 ++ /* loff_t vars have been assigned __u64 */
467 ++ if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
468 ++ return -EOVERFLOW;
469 ++
470 + memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
471 + memcpy(lo->lo_crypt_name, info->lo_crypt_name, LO_NAME_SIZE);
472 + lo->lo_file_name[LO_NAME_SIZE-1] = 0;
473 +diff --git a/drivers/md/md.c b/drivers/md/md.c
474 +index 884317ee1759f..0043dec37a870 100644
475 +--- a/drivers/md/md.c
476 ++++ b/drivers/md/md.c
477 +@@ -6278,11 +6278,11 @@ static void mddev_detach(struct mddev *mddev)
478 + static void __md_stop(struct mddev *mddev)
479 + {
480 + struct md_personality *pers = mddev->pers;
481 ++ md_bitmap_destroy(mddev);
482 + mddev_detach(mddev);
483 + /* Ensure ->event_work is done */
484 + if (mddev->event_work.func)
485 + flush_workqueue(md_misc_wq);
486 +- md_bitmap_destroy(mddev);
487 + spin_lock(&mddev->lock);
488 + mddev->pers = NULL;
489 + spin_unlock(&mddev->lock);
490 +@@ -6299,6 +6299,7 @@ void md_stop(struct mddev *mddev)
491 + /* stop the array and free an attached data structures.
492 + * This is called from dm-raid
493 + */
494 ++ __md_stop_writes(mddev);
495 + __md_stop(mddev);
496 + bioset_exit(&mddev->bio_set);
497 + bioset_exit(&mddev->sync_set);
498 +diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
499 +index 325b20729d8ba..b0f8d551b61db 100644
500 +--- a/drivers/net/bonding/bond_3ad.c
501 ++++ b/drivers/net/bonding/bond_3ad.c
502 +@@ -1988,30 +1988,24 @@ void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout)
503 + */
504 + void bond_3ad_initialize(struct bonding *bond, u16 tick_resolution)
505 + {
506 +- /* check that the bond is not initialized yet */
507 +- if (!MAC_ADDRESS_EQUAL(&(BOND_AD_INFO(bond).system.sys_mac_addr),
508 +- bond->dev->dev_addr)) {
509 +-
510 +- BOND_AD_INFO(bond).aggregator_identifier = 0;
511 +-
512 +- BOND_AD_INFO(bond).system.sys_priority =
513 +- bond->params.ad_actor_sys_prio;
514 +- if (is_zero_ether_addr(bond->params.ad_actor_system))
515 +- BOND_AD_INFO(bond).system.sys_mac_addr =
516 +- *((struct mac_addr *)bond->dev->dev_addr);
517 +- else
518 +- BOND_AD_INFO(bond).system.sys_mac_addr =
519 +- *((struct mac_addr *)bond->params.ad_actor_system);
520 ++ BOND_AD_INFO(bond).aggregator_identifier = 0;
521 ++ BOND_AD_INFO(bond).system.sys_priority =
522 ++ bond->params.ad_actor_sys_prio;
523 ++ if (is_zero_ether_addr(bond->params.ad_actor_system))
524 ++ BOND_AD_INFO(bond).system.sys_mac_addr =
525 ++ *((struct mac_addr *)bond->dev->dev_addr);
526 ++ else
527 ++ BOND_AD_INFO(bond).system.sys_mac_addr =
528 ++ *((struct mac_addr *)bond->params.ad_actor_system);
529 +
530 +- /* initialize how many times this module is called in one
531 +- * second (should be about every 100ms)
532 +- */
533 +- ad_ticks_per_sec = tick_resolution;
534 ++ /* initialize how many times this module is called in one
535 ++ * second (should be about every 100ms)
536 ++ */
537 ++ ad_ticks_per_sec = tick_resolution;
538 +
539 +- bond_3ad_initiate_agg_selection(bond,
540 +- AD_AGGREGATOR_SELECTION_TIMER *
541 +- ad_ticks_per_sec);
542 +- }
543 ++ bond_3ad_initiate_agg_selection(bond,
544 ++ AD_AGGREGATOR_SELECTION_TIMER *
545 ++ ad_ticks_per_sec);
546 + }
547 +
548 + /**
549 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
550 +index 23b80aa171dd0..819f9df9425c6 100644
551 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
552 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
553 +@@ -599,7 +599,7 @@ static int bnxt_hwrm_func_vf_resc_cfg(struct bnxt *bp, int num_vfs, bool reset)
554 + hw_resc->max_stat_ctxs -= le16_to_cpu(req.min_stat_ctx) * n;
555 + hw_resc->max_vnics -= le16_to_cpu(req.min_vnics) * n;
556 + if (bp->flags & BNXT_FLAG_CHIP_P5)
557 +- hw_resc->max_irqs -= vf_msix * n;
558 ++ hw_resc->max_nqs -= vf_msix;
559 +
560 + rc = pf->active_vfs;
561 + }
562 +diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
563 +index 5733526fa245c..59963b901be0f 100644
564 +--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
565 ++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
566 +@@ -371,6 +371,19 @@ int ice_xsk_pool_setup(struct ice_vsi *vsi, struct xsk_buff_pool *pool, u16 qid)
567 + bool if_running, pool_present = !!pool;
568 + int ret = 0, pool_failure = 0;
569 +
570 ++ if (qid >= vsi->num_rxq || qid >= vsi->num_txq) {
571 ++ netdev_err(vsi->netdev, "Please use queue id in scope of combined queues count\n");
572 ++ pool_failure = -EINVAL;
573 ++ goto failure;
574 ++ }
575 ++
576 ++ if (!is_power_of_2(vsi->rx_rings[qid]->count) ||
577 ++ !is_power_of_2(vsi->tx_rings[qid]->count)) {
578 ++ netdev_err(vsi->netdev, "Please align ring sizes to power of 2\n");
579 ++ pool_failure = -EINVAL;
580 ++ goto failure;
581 ++ }
582 ++
583 + if_running = netif_running(vsi->netdev) && ice_is_xdp_ena_vsi(vsi);
584 +
585 + if (if_running) {
586 +@@ -393,6 +406,7 @@ xsk_pool_if_up:
587 + netdev_err(vsi->netdev, "ice_qp_ena error = %d\n", ret);
588 + }
589 +
590 ++failure:
591 + if (pool_failure) {
592 + netdev_err(vsi->netdev, "Could not %sable buffer pool, error = %d\n",
593 + pool_present ? "en" : "dis", pool_failure);
594 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
595 +index 22a874eee2e84..8b7f300355710 100644
596 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
597 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
598 +@@ -1211,7 +1211,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter)
599 + struct cyclecounter cc;
600 + unsigned long flags;
601 + u32 incval = 0;
602 +- u32 tsauxc = 0;
603 + u32 fuse0 = 0;
604 +
605 + /* For some of the boards below this mask is technically incorrect.
606 +@@ -1246,18 +1245,6 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter)
607 + case ixgbe_mac_x550em_a:
608 + case ixgbe_mac_X550:
609 + cc.read = ixgbe_ptp_read_X550;
610 +-
611 +- /* enable SYSTIME counter */
612 +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0);
613 +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0);
614 +- IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0);
615 +- tsauxc = IXGBE_READ_REG(hw, IXGBE_TSAUXC);
616 +- IXGBE_WRITE_REG(hw, IXGBE_TSAUXC,
617 +- tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME);
618 +- IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS);
619 +- IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC);
620 +-
621 +- IXGBE_WRITE_FLUSH(hw);
622 + break;
623 + case ixgbe_mac_X540:
624 + cc.read = ixgbe_ptp_read_82599;
625 +@@ -1289,6 +1276,50 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter)
626 + spin_unlock_irqrestore(&adapter->tmreg_lock, flags);
627 + }
628 +
629 ++/**
630 ++ * ixgbe_ptp_init_systime - Initialize SYSTIME registers
631 ++ * @adapter: the ixgbe private board structure
632 ++ *
633 ++ * Initialize and start the SYSTIME registers.
634 ++ */
635 ++static void ixgbe_ptp_init_systime(struct ixgbe_adapter *adapter)
636 ++{
637 ++ struct ixgbe_hw *hw = &adapter->hw;
638 ++ u32 tsauxc;
639 ++
640 ++ switch (hw->mac.type) {
641 ++ case ixgbe_mac_X550EM_x:
642 ++ case ixgbe_mac_x550em_a:
643 ++ case ixgbe_mac_X550:
644 ++ tsauxc = IXGBE_READ_REG(hw, IXGBE_TSAUXC);
645 ++
646 ++ /* Reset SYSTIME registers to 0 */
647 ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMR, 0);
648 ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0);
649 ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0);
650 ++
651 ++ /* Reset interrupt settings */
652 ++ IXGBE_WRITE_REG(hw, IXGBE_TSIM, IXGBE_TSIM_TXTS);
653 ++ IXGBE_WRITE_REG(hw, IXGBE_EIMS, IXGBE_EIMS_TIMESYNC);
654 ++
655 ++ /* Activate the SYSTIME counter */
656 ++ IXGBE_WRITE_REG(hw, IXGBE_TSAUXC,
657 ++ tsauxc & ~IXGBE_TSAUXC_DISABLE_SYSTIME);
658 ++ break;
659 ++ case ixgbe_mac_X540:
660 ++ case ixgbe_mac_82599EB:
661 ++ /* Reset SYSTIME registers to 0 */
662 ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIML, 0);
663 ++ IXGBE_WRITE_REG(hw, IXGBE_SYSTIMH, 0);
664 ++ break;
665 ++ default:
666 ++ /* Other devices aren't supported */
667 ++ return;
668 ++ };
669 ++
670 ++ IXGBE_WRITE_FLUSH(hw);
671 ++}
672 ++
673 + /**
674 + * ixgbe_ptp_reset
675 + * @adapter: the ixgbe private board structure
676 +@@ -1315,6 +1346,8 @@ void ixgbe_ptp_reset(struct ixgbe_adapter *adapter)
677 +
678 + ixgbe_ptp_start_cyclecounter(adapter);
679 +
680 ++ ixgbe_ptp_init_systime(adapter);
681 ++
682 + spin_lock_irqsave(&adapter->tmreg_lock, flags);
683 + timecounter_init(&adapter->hw_tc, &adapter->hw_cc,
684 + ktime_to_ns(ktime_get_real()));
685 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
686 +index 304435e561170..b991f03c7e991 100644
687 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
688 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
689 +@@ -706,6 +706,8 @@ static void mlx5e_build_rep_params(struct net_device *netdev)
690 +
691 + params->num_tc = 1;
692 + params->tunneled_offload_en = false;
693 ++ if (rep->vport != MLX5_VPORT_UPLINK)
694 ++ params->vlan_strip_disable = true;
695 +
696 + mlx5_query_min_inline(mdev, &params->tx_min_inline_mode);
697 +
698 +diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c
699 +index 6137000b11c5c..73aac97fb5c96 100644
700 +--- a/drivers/net/ethernet/moxa/moxart_ether.c
701 ++++ b/drivers/net/ethernet/moxa/moxart_ether.c
702 +@@ -74,11 +74,6 @@ static int moxart_set_mac_address(struct net_device *ndev, void *addr)
703 + static void moxart_mac_free_memory(struct net_device *ndev)
704 + {
705 + struct moxart_mac_priv_t *priv = netdev_priv(ndev);
706 +- int i;
707 +-
708 +- for (i = 0; i < RX_DESC_NUM; i++)
709 +- dma_unmap_single(&priv->pdev->dev, priv->rx_mapping[i],
710 +- priv->rx_buf_size, DMA_FROM_DEVICE);
711 +
712 + if (priv->tx_desc_base)
713 + dma_free_coherent(&priv->pdev->dev,
714 +@@ -193,6 +188,7 @@ static int moxart_mac_open(struct net_device *ndev)
715 + static int moxart_mac_stop(struct net_device *ndev)
716 + {
717 + struct moxart_mac_priv_t *priv = netdev_priv(ndev);
718 ++ int i;
719 +
720 + napi_disable(&priv->napi);
721 +
722 +@@ -204,6 +200,11 @@ static int moxart_mac_stop(struct net_device *ndev)
723 + /* disable all functions */
724 + writel(0, priv->base + REG_MAC_CTRL);
725 +
726 ++ /* unmap areas mapped in moxart_mac_setup_desc_ring() */
727 ++ for (i = 0; i < RX_DESC_NUM; i++)
728 ++ dma_unmap_single(&priv->pdev->dev, priv->rx_mapping[i],
729 ++ priv->rx_buf_size, DMA_FROM_DEVICE);
730 ++
731 + return 0;
732 + }
733 +
734 +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_main.c b/drivers/net/ethernet/pensando/ionic/ionic_main.c
735 +index e14869a2e24a5..f60ffef33e0ce 100644
736 +--- a/drivers/net/ethernet/pensando/ionic/ionic_main.c
737 ++++ b/drivers/net/ethernet/pensando/ionic/ionic_main.c
738 +@@ -378,8 +378,8 @@ try_again:
739 + ionic_opcode_to_str(opcode), opcode,
740 + ionic_error_to_str(err), err);
741 +
742 +- msleep(1000);
743 + iowrite32(0, &idev->dev_cmd_regs->done);
744 ++ msleep(1000);
745 + iowrite32(1, &idev->dev_cmd_regs->doorbell);
746 + goto try_again;
747 + }
748 +@@ -392,6 +392,8 @@ try_again:
749 + return ionic_error_to_errno(err);
750 + }
751 +
752 ++ ionic_dev_cmd_clean(ionic);
753 ++
754 + return 0;
755 + }
756 +
757 +diff --git a/drivers/net/ipa/ipa_mem.c b/drivers/net/ipa/ipa_mem.c
758 +index a78d66051a17d..25a8d029f2075 100644
759 +--- a/drivers/net/ipa/ipa_mem.c
760 ++++ b/drivers/net/ipa/ipa_mem.c
761 +@@ -414,7 +414,7 @@ static int ipa_smem_init(struct ipa *ipa, u32 item, size_t size)
762 + }
763 +
764 + /* Align the address down and the size up to a page boundary */
765 +- addr = qcom_smem_virt_to_phys(virt) & PAGE_MASK;
766 ++ addr = qcom_smem_virt_to_phys(virt);
767 + phys = addr & PAGE_MASK;
768 + size = PAGE_ALIGN(size + addr - phys);
769 + iova = phys; /* We just want a direct mapping */
770 +diff --git a/drivers/net/ipvlan/ipvtap.c b/drivers/net/ipvlan/ipvtap.c
771 +index 1cedb634f4f7b..f01078b2581ce 100644
772 +--- a/drivers/net/ipvlan/ipvtap.c
773 ++++ b/drivers/net/ipvlan/ipvtap.c
774 +@@ -194,7 +194,7 @@ static struct notifier_block ipvtap_notifier_block __read_mostly = {
775 + .notifier_call = ipvtap_device_event,
776 + };
777 +
778 +-static int ipvtap_init(void)
779 ++static int __init ipvtap_init(void)
780 + {
781 + int err;
782 +
783 +@@ -228,7 +228,7 @@ out1:
784 + }
785 + module_init(ipvtap_init);
786 +
787 +-static void ipvtap_exit(void)
788 ++static void __exit ipvtap_exit(void)
789 + {
790 + rtnl_link_unregister(&ipvtap_link_ops);
791 + unregister_netdevice_notifier(&ipvtap_notifier_block);
792 +diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
793 +index a0665d8ea85bc..e92535ebb5287 100644
794 +--- a/drivers/nfc/pn533/uart.c
795 ++++ b/drivers/nfc/pn533/uart.c
796 +@@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev)
797 + pn53x_unregister_nfc(pn532->priv);
798 + serdev_device_close(serdev);
799 + pn53x_common_clean(pn532->priv);
800 ++ del_timer_sync(&pn532->cmd_timeout);
801 + kfree_skb(pn532->recv_skb);
802 + kfree(pn532);
803 + }
804 +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c
805 +index e20bcc835d6a8..82b658a3c220a 100644
806 +--- a/drivers/pinctrl/pinctrl-amd.c
807 ++++ b/drivers/pinctrl/pinctrl-amd.c
808 +@@ -815,6 +815,7 @@ static int amd_gpio_suspend(struct device *dev)
809 + {
810 + struct amd_gpio *gpio_dev = dev_get_drvdata(dev);
811 + struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
812 ++ unsigned long flags;
813 + int i;
814 +
815 + for (i = 0; i < desc->npins; i++) {
816 +@@ -823,7 +824,9 @@ static int amd_gpio_suspend(struct device *dev)
817 + if (!amd_gpio_should_save(gpio_dev, pin))
818 + continue;
819 +
820 +- gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin*4);
821 ++ raw_spin_lock_irqsave(&gpio_dev->lock, flags);
822 ++ gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin * 4) & ~PIN_IRQ_PENDING;
823 ++ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
824 + }
825 +
826 + return 0;
827 +@@ -833,6 +836,7 @@ static int amd_gpio_resume(struct device *dev)
828 + {
829 + struct amd_gpio *gpio_dev = dev_get_drvdata(dev);
830 + struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
831 ++ unsigned long flags;
832 + int i;
833 +
834 + for (i = 0; i < desc->npins; i++) {
835 +@@ -841,7 +845,10 @@ static int amd_gpio_resume(struct device *dev)
836 + if (!amd_gpio_should_save(gpio_dev, pin))
837 + continue;
838 +
839 +- writel(gpio_dev->saved_regs[i], gpio_dev->base + pin*4);
840 ++ raw_spin_lock_irqsave(&gpio_dev->lock, flags);
841 ++ gpio_dev->saved_regs[i] |= readl(gpio_dev->base + pin * 4) & PIN_IRQ_PENDING;
842 ++ writel(gpio_dev->saved_regs[i], gpio_dev->base + pin * 4);
843 ++ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
844 + }
845 +
846 + return 0;
847 +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
848 +index 0ee0b80006e05..7ac1090d4379c 100644
849 +--- a/drivers/scsi/storvsc_drv.c
850 ++++ b/drivers/scsi/storvsc_drv.c
851 +@@ -1997,7 +1997,7 @@ static int storvsc_probe(struct hv_device *device,
852 + */
853 + host_dev->handle_error_wq =
854 + alloc_ordered_workqueue("storvsc_error_wq_%d",
855 +- WQ_MEM_RECLAIM,
856 ++ 0,
857 + host->host_no);
858 + if (!host_dev->handle_error_wq) {
859 + ret = -ENOMEM;
860 +diff --git a/drivers/scsi/ufs/ufshci.h b/drivers/scsi/ufs/ufshci.h
861 +index 1d999228efc85..e380941318117 100644
862 +--- a/drivers/scsi/ufs/ufshci.h
863 ++++ b/drivers/scsi/ufs/ufshci.h
864 +@@ -129,11 +129,7 @@ enum {
865 +
866 + #define UFSHCD_UIC_MASK (UIC_COMMAND_COMPL | UFSHCD_UIC_PWR_MASK)
867 +
868 +-#define UFSHCD_ERROR_MASK (UIC_ERROR |\
869 +- DEVICE_FATAL_ERROR |\
870 +- CONTROLLER_FATAL_ERROR |\
871 +- SYSTEM_BUS_FATAL_ERROR |\
872 +- CRYPTO_ENGINE_FATAL_ERROR)
873 ++#define UFSHCD_ERROR_MASK (UIC_ERROR | INT_FATAL_ERRORS)
874 +
875 + #define INT_FATAL_ERRORS (DEVICE_FATAL_ERROR |\
876 + CONTROLLER_FATAL_ERROR |\
877 +diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
878 +index fe8df32bb612b..cd5f2f09468e2 100644
879 +--- a/drivers/xen/privcmd.c
880 ++++ b/drivers/xen/privcmd.c
881 +@@ -581,27 +581,30 @@ static int lock_pages(
882 + struct privcmd_dm_op_buf kbufs[], unsigned int num,
883 + struct page *pages[], unsigned int nr_pages, unsigned int *pinned)
884 + {
885 +- unsigned int i;
886 ++ unsigned int i, off = 0;
887 +
888 +- for (i = 0; i < num; i++) {
889 ++ for (i = 0; i < num; ) {
890 + unsigned int requested;
891 + int page_count;
892 +
893 + requested = DIV_ROUND_UP(
894 + offset_in_page(kbufs[i].uptr) + kbufs[i].size,
895 +- PAGE_SIZE);
896 ++ PAGE_SIZE) - off;
897 + if (requested > nr_pages)
898 + return -ENOSPC;
899 +
900 + page_count = pin_user_pages_fast(
901 +- (unsigned long) kbufs[i].uptr,
902 ++ (unsigned long)kbufs[i].uptr + off * PAGE_SIZE,
903 + requested, FOLL_WRITE, pages);
904 +- if (page_count < 0)
905 +- return page_count;
906 ++ if (page_count <= 0)
907 ++ return page_count ? : -EFAULT;
908 +
909 + *pinned += page_count;
910 + nr_pages -= page_count;
911 + pages += page_count;
912 ++
913 ++ off = (requested == page_count) ? 0 : off + page_count;
914 ++ i += !off;
915 + }
916 +
917 + return 0;
918 +@@ -677,10 +680,8 @@ static long privcmd_ioctl_dm_op(struct file *file, void __user *udata)
919 + }
920 +
921 + rc = lock_pages(kbufs, kdata.num, pages, nr_pages, &pinned);
922 +- if (rc < 0) {
923 +- nr_pages = pinned;
924 ++ if (rc < 0)
925 + goto out;
926 +- }
927 +
928 + for (i = 0; i < kdata.num; i++) {
929 + set_xen_guest_handle(xbufs[i].h, kbufs[i].uptr);
930 +@@ -692,7 +693,7 @@ static long privcmd_ioctl_dm_op(struct file *file, void __user *udata)
931 + xen_preemptible_hcall_end();
932 +
933 + out:
934 +- unlock_pages(pages, nr_pages);
935 ++ unlock_pages(pages, pinned);
936 + kfree(xbufs);
937 + kfree(pages);
938 + kfree(kbufs);
939 +diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c
940 +index d297804631829..be6935d191970 100644
941 +--- a/fs/btrfs/dev-replace.c
942 ++++ b/fs/btrfs/dev-replace.c
943 +@@ -161,7 +161,7 @@ no_valid_dev_replace_entry_found:
944 + if (btrfs_find_device(fs_info->fs_devices,
945 + BTRFS_DEV_REPLACE_DEVID, NULL, NULL, false)) {
946 + btrfs_err(fs_info,
947 +- "replace devid present without an active replace item");
948 ++"replace without active item, run 'device scan --forget' on the target device");
949 + ret = -EUCLEAN;
950 + } else {
951 + dev_replace->srcdev = NULL;
952 +@@ -954,8 +954,7 @@ int btrfs_dev_replace_cancel(struct btrfs_fs_info *fs_info)
953 + up_write(&dev_replace->rwsem);
954 +
955 + /* Scrub for replace must not be running in suspended state */
956 +- ret = btrfs_scrub_cancel(fs_info);
957 +- ASSERT(ret != -ENOTCONN);
958 ++ btrfs_scrub_cancel(fs_info);
959 +
960 + trans = btrfs_start_transaction(root, 0);
961 + if (IS_ERR(trans)) {
962 +diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c
963 +index db37a37996497..e9e8ca4e98a75 100644
964 +--- a/fs/btrfs/root-tree.c
965 ++++ b/fs/btrfs/root-tree.c
966 +@@ -336,9 +336,10 @@ int btrfs_del_root_ref(struct btrfs_trans_handle *trans, u64 root_id,
967 + key.offset = ref_id;
968 + again:
969 + ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1);
970 +- if (ret < 0)
971 ++ if (ret < 0) {
972 ++ err = ret;
973 + goto out;
974 +- if (ret == 0) {
975 ++ } else if (ret == 0) {
976 + leaf = path->nodes[0];
977 + ref = btrfs_item_ptr(leaf, path->slots[0],
978 + struct btrfs_root_ref);
979 +diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c
980 +index f1a60bcdb3db8..cd6049b0bde53 100644
981 +--- a/fs/btrfs/xattr.c
982 ++++ b/fs/btrfs/xattr.c
983 +@@ -389,6 +389,9 @@ static int btrfs_xattr_handler_set(const struct xattr_handler *handler,
984 + const char *name, const void *buffer,
985 + size_t size, int flags)
986 + {
987 ++ if (btrfs_root_readonly(BTRFS_I(inode)->root))
988 ++ return -EROFS;
989 ++
990 + name = xattr_full_name(handler, name);
991 + return btrfs_setxattr_trans(inode, name, buffer, size, flags);
992 + }
993 +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c
994 +index 9fdecd9090493..70cd0d764c447 100644
995 +--- a/fs/nfs/nfs4file.c
996 ++++ b/fs/nfs/nfs4file.c
997 +@@ -321,7 +321,7 @@ static int read_name_gen = 1;
998 + static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt,
999 + struct nfs_fh *src_fh, nfs4_stateid *stateid)
1000 + {
1001 +- struct nfs_fattr fattr;
1002 ++ struct nfs_fattr *fattr = nfs_alloc_fattr();
1003 + struct file *filep, *res;
1004 + struct nfs_server *server;
1005 + struct inode *r_ino = NULL;
1006 +@@ -332,14 +332,20 @@ static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt,
1007 +
1008 + server = NFS_SERVER(ss_mnt->mnt_root->d_inode);
1009 +
1010 +- nfs_fattr_init(&fattr);
1011 ++ if (!fattr)
1012 ++ return ERR_PTR(-ENOMEM);
1013 +
1014 +- status = nfs4_proc_getattr(server, src_fh, &fattr, NULL, NULL);
1015 ++ status = nfs4_proc_getattr(server, src_fh, fattr, NULL, NULL);
1016 + if (status < 0) {
1017 + res = ERR_PTR(status);
1018 + goto out;
1019 + }
1020 +
1021 ++ if (!S_ISREG(fattr->mode)) {
1022 ++ res = ERR_PTR(-EBADF);
1023 ++ goto out;
1024 ++ }
1025 ++
1026 + res = ERR_PTR(-ENOMEM);
1027 + len = strlen(SSC_READ_NAME_BODY) + 16;
1028 + read_name = kzalloc(len, GFP_NOFS);
1029 +@@ -347,7 +353,7 @@ static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt,
1030 + goto out;
1031 + snprintf(read_name, len, SSC_READ_NAME_BODY, read_name_gen++);
1032 +
1033 +- r_ino = nfs_fhget(ss_mnt->mnt_root->d_inode->i_sb, src_fh, &fattr,
1034 ++ r_ino = nfs_fhget(ss_mnt->mnt_root->d_inode->i_sb, src_fh, fattr,
1035 + NULL);
1036 + if (IS_ERR(r_ino)) {
1037 + res = ERR_CAST(r_ino);
1038 +@@ -358,6 +364,7 @@ static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt,
1039 + r_ino->i_fop);
1040 + if (IS_ERR(filep)) {
1041 + res = ERR_CAST(filep);
1042 ++ iput(r_ino);
1043 + goto out_free_name;
1044 + }
1045 + filep->f_mode |= FMODE_READ;
1046 +@@ -392,6 +399,7 @@ static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt,
1047 + out_free_name:
1048 + kfree(read_name);
1049 + out:
1050 ++ nfs_free_fattr(fattr);
1051 + return res;
1052 + out_stateowner:
1053 + nfs4_put_state_owner(sp);
1054 +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
1055 +index ba98371e9d164..ef18f0d71b11b 100644
1056 +--- a/fs/proc/task_mmu.c
1057 ++++ b/fs/proc/task_mmu.c
1058 +@@ -503,10 +503,12 @@ static void smaps_pte_entry(pte_t *pte, unsigned long addr,
1059 + struct vm_area_struct *vma = walk->vma;
1060 + bool locked = !!(vma->vm_flags & VM_LOCKED);
1061 + struct page *page = NULL;
1062 +- bool migration = false;
1063 ++ bool migration = false, young = false, dirty = false;
1064 +
1065 + if (pte_present(*pte)) {
1066 + page = vm_normal_page(vma, addr, *pte);
1067 ++ young = pte_young(*pte);
1068 ++ dirty = pte_dirty(*pte);
1069 + } else if (is_swap_pte(*pte)) {
1070 + swp_entry_t swpent = pte_to_swp_entry(*pte);
1071 +
1072 +@@ -540,8 +542,7 @@ static void smaps_pte_entry(pte_t *pte, unsigned long addr,
1073 + if (!page)
1074 + return;
1075 +
1076 +- smaps_account(mss, page, false, pte_young(*pte), pte_dirty(*pte),
1077 +- locked, migration);
1078 ++ smaps_account(mss, page, false, young, dirty, locked, migration);
1079 + }
1080 +
1081 + #ifdef CONFIG_TRANSPARENT_HUGEPAGE
1082 +diff --git a/fs/sync.c b/fs/sync.c
1083 +index 1373a610dc784..79180e58d8628 100644
1084 +--- a/fs/sync.c
1085 ++++ b/fs/sync.c
1086 +@@ -21,25 +21,6 @@
1087 + #define VALID_FLAGS (SYNC_FILE_RANGE_WAIT_BEFORE|SYNC_FILE_RANGE_WRITE| \
1088 + SYNC_FILE_RANGE_WAIT_AFTER)
1089 +
1090 +-/*
1091 +- * Do the filesystem syncing work. For simple filesystems
1092 +- * writeback_inodes_sb(sb) just dirties buffers with inodes so we have to
1093 +- * submit IO for these buffers via __sync_blockdev(). This also speeds up the
1094 +- * wait == 1 case since in that case write_inode() functions do
1095 +- * sync_dirty_buffer() and thus effectively write one block at a time.
1096 +- */
1097 +-static int __sync_filesystem(struct super_block *sb, int wait)
1098 +-{
1099 +- if (wait)
1100 +- sync_inodes_sb(sb);
1101 +- else
1102 +- writeback_inodes_sb(sb, WB_REASON_SYNC);
1103 +-
1104 +- if (sb->s_op->sync_fs)
1105 +- sb->s_op->sync_fs(sb, wait);
1106 +- return __sync_blockdev(sb->s_bdev, wait);
1107 +-}
1108 +-
1109 + /*
1110 + * Write out and wait upon all dirty data associated with this
1111 + * superblock. Filesystem data as well as the underlying block
1112 +@@ -47,7 +28,7 @@ static int __sync_filesystem(struct super_block *sb, int wait)
1113 + */
1114 + int sync_filesystem(struct super_block *sb)
1115 + {
1116 +- int ret;
1117 ++ int ret = 0;
1118 +
1119 + /*
1120 + * We need to be protected against the filesystem going from
1121 +@@ -61,10 +42,31 @@ int sync_filesystem(struct super_block *sb)
1122 + if (sb_rdonly(sb))
1123 + return 0;
1124 +
1125 +- ret = __sync_filesystem(sb, 0);
1126 +- if (ret < 0)
1127 ++ /*
1128 ++ * Do the filesystem syncing work. For simple filesystems
1129 ++ * writeback_inodes_sb(sb) just dirties buffers with inodes so we have
1130 ++ * to submit I/O for these buffers via __sync_blockdev(). This also
1131 ++ * speeds up the wait == 1 case since in that case write_inode()
1132 ++ * methods call sync_dirty_buffer() and thus effectively write one block
1133 ++ * at a time.
1134 ++ */
1135 ++ writeback_inodes_sb(sb, WB_REASON_SYNC);
1136 ++ if (sb->s_op->sync_fs) {
1137 ++ ret = sb->s_op->sync_fs(sb, 0);
1138 ++ if (ret)
1139 ++ return ret;
1140 ++ }
1141 ++ ret = __sync_blockdev(sb->s_bdev, 0);
1142 ++ if (ret)
1143 + return ret;
1144 +- return __sync_filesystem(sb, 1);
1145 ++
1146 ++ sync_inodes_sb(sb);
1147 ++ if (sb->s_op->sync_fs) {
1148 ++ ret = sb->s_op->sync_fs(sb, 1);
1149 ++ if (ret)
1150 ++ return ret;
1151 ++ }
1152 ++ return __sync_blockdev(sb->s_bdev, 1);
1153 + }
1154 + EXPORT_SYMBOL(sync_filesystem);
1155 +
1156 +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
1157 +index 646735aad45df..103fa8381e7dc 100644
1158 +--- a/fs/xfs/xfs_ioctl.c
1159 ++++ b/fs/xfs/xfs_ioctl.c
1160 +@@ -371,7 +371,7 @@ int
1161 + xfs_ioc_attr_list(
1162 + struct xfs_inode *dp,
1163 + void __user *ubuf,
1164 +- int bufsize,
1165 ++ size_t bufsize,
1166 + int flags,
1167 + struct xfs_attrlist_cursor __user *ucursor)
1168 + {
1169 +@@ -1689,7 +1689,7 @@ xfs_ioc_getbmap(
1170 +
1171 + if (bmx.bmv_count < 2)
1172 + return -EINVAL;
1173 +- if (bmx.bmv_count > ULONG_MAX / recsize)
1174 ++ if (bmx.bmv_count >= INT_MAX / recsize)
1175 + return -ENOMEM;
1176 +
1177 + buf = kvzalloc(bmx.bmv_count * sizeof(*buf), GFP_KERNEL);
1178 +diff --git a/fs/xfs/xfs_ioctl.h b/fs/xfs/xfs_ioctl.h
1179 +index bab6a5a924077..416e20de66e7d 100644
1180 +--- a/fs/xfs/xfs_ioctl.h
1181 ++++ b/fs/xfs/xfs_ioctl.h
1182 +@@ -38,8 +38,9 @@ xfs_readlink_by_handle(
1183 + int xfs_ioc_attrmulti_one(struct file *parfilp, struct inode *inode,
1184 + uint32_t opcode, void __user *uname, void __user *value,
1185 + uint32_t *len, uint32_t flags);
1186 +-int xfs_ioc_attr_list(struct xfs_inode *dp, void __user *ubuf, int bufsize,
1187 +- int flags, struct xfs_attrlist_cursor __user *ucursor);
1188 ++int xfs_ioc_attr_list(struct xfs_inode *dp, void __user *ubuf,
1189 ++ size_t bufsize, int flags,
1190 ++ struct xfs_attrlist_cursor __user *ucursor);
1191 +
1192 + extern struct dentry *
1193 + xfs_handle_to_dentry(
1194 +diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
1195 +index 6323974d6b3e6..434c87cc9fbf5 100644
1196 +--- a/fs/xfs/xfs_super.c
1197 ++++ b/fs/xfs/xfs_super.c
1198 +@@ -757,6 +757,7 @@ xfs_fs_sync_fs(
1199 + int wait)
1200 + {
1201 + struct xfs_mount *mp = XFS_M(sb);
1202 ++ int error;
1203 +
1204 + /*
1205 + * Doing anything during the async pass would be counterproductive.
1206 +@@ -764,7 +765,10 @@ xfs_fs_sync_fs(
1207 + if (!wait)
1208 + return 0;
1209 +
1210 +- xfs_log_force(mp, XFS_LOG_SYNC);
1211 ++ error = xfs_log_force(mp, XFS_LOG_SYNC);
1212 ++ if (error)
1213 ++ return error;
1214 ++
1215 + if (laptop_mode) {
1216 + /*
1217 + * The disk must be active because we're syncing.
1218 +@@ -1716,6 +1720,11 @@ xfs_remount_ro(
1219 + };
1220 + int error;
1221 +
1222 ++ /* Flush all the dirty data to disk. */
1223 ++ error = sync_filesystem(mp->m_super);
1224 ++ if (error)
1225 ++ return error;
1226 ++
1227 + /*
1228 + * Cancel background eofb scanning so it cannot race with the final
1229 + * log force+buftarg wait and deadlock the remount.
1230 +@@ -1786,8 +1795,6 @@ xfs_fc_reconfigure(
1231 + if (error)
1232 + return error;
1233 +
1234 +- sync_filesystem(mp->m_super);
1235 +-
1236 + /* inode32 -> inode64 */
1237 + if ((mp->m_flags & XFS_MOUNT_SMALL_INUMS) &&
1238 + !(new_mp->m_flags & XFS_MOUNT_SMALL_INUMS)) {
1239 +diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h
1240 +index d16302d3eb597..72f1e2a8c1670 100644
1241 +--- a/include/asm-generic/sections.h
1242 ++++ b/include/asm-generic/sections.h
1243 +@@ -114,7 +114,7 @@ static inline bool memory_contains(void *begin, void *end, void *virt,
1244 + /**
1245 + * memory_intersects - checks if the region occupied by an object intersects
1246 + * with another memory region
1247 +- * @begin: virtual address of the beginning of the memory regien
1248 ++ * @begin: virtual address of the beginning of the memory region
1249 + * @end: virtual address of the end of the memory region
1250 + * @virt: virtual address of the memory object
1251 + * @size: size of the memory object
1252 +@@ -127,7 +127,10 @@ static inline bool memory_intersects(void *begin, void *end, void *virt,
1253 + {
1254 + void *vend = virt + size;
1255 +
1256 +- return (virt >= begin && virt < end) || (vend >= begin && vend < end);
1257 ++ if (virt < end && vend > begin)
1258 ++ return true;
1259 ++
1260 ++ return false;
1261 + }
1262 +
1263 + /**
1264 +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
1265 +index ed2d531400051..6564fb4ac49e1 100644
1266 +--- a/include/linux/netdevice.h
1267 ++++ b/include/linux/netdevice.h
1268 +@@ -633,9 +633,23 @@ extern int sysctl_devconf_inherit_init_net;
1269 + */
1270 + static inline bool net_has_fallback_tunnels(const struct net *net)
1271 + {
1272 +- return !IS_ENABLED(CONFIG_SYSCTL) ||
1273 +- !sysctl_fb_tunnels_only_for_init_net ||
1274 +- (net == &init_net && sysctl_fb_tunnels_only_for_init_net == 1);
1275 ++#if IS_ENABLED(CONFIG_SYSCTL)
1276 ++ int fb_tunnels_only_for_init_net = READ_ONCE(sysctl_fb_tunnels_only_for_init_net);
1277 ++
1278 ++ return !fb_tunnels_only_for_init_net ||
1279 ++ (net_eq(net, &init_net) && fb_tunnels_only_for_init_net == 1);
1280 ++#else
1281 ++ return true;
1282 ++#endif
1283 ++}
1284 ++
1285 ++static inline int net_inherit_devconf(void)
1286 ++{
1287 ++#if IS_ENABLED(CONFIG_SYSCTL)
1288 ++ return READ_ONCE(sysctl_devconf_inherit_init_net);
1289 ++#else
1290 ++ return 0;
1291 ++#endif
1292 + }
1293 +
1294 + static inline int netdev_queue_numa_node_read(const struct netdev_queue *q)
1295 +diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
1296 +index 3a956145a25cb..a18fb73a2b772 100644
1297 +--- a/include/linux/netfilter_bridge/ebtables.h
1298 ++++ b/include/linux/netfilter_bridge/ebtables.h
1299 +@@ -94,10 +94,6 @@ struct ebt_table {
1300 + struct ebt_replace_kernel *table;
1301 + unsigned int valid_hooks;
1302 + rwlock_t lock;
1303 +- /* e.g. could be the table explicitly only allows certain
1304 +- * matches, targets, ... 0 == let it in */
1305 +- int (*check)(const struct ebt_table_info *info,
1306 +- unsigned int valid_hooks);
1307 + /* the data used by the kernel */
1308 + struct ebt_table_info *private;
1309 + struct module *me;
1310 +diff --git a/include/linux/sched.h b/include/linux/sched.h
1311 +index 4e8425c1c5605..b055c217eb0be 100644
1312 +--- a/include/linux/sched.h
1313 ++++ b/include/linux/sched.h
1314 +@@ -542,10 +542,6 @@ struct sched_dl_entity {
1315 + * task has to wait for a replenishment to be performed at the
1316 + * next firing of dl_timer.
1317 + *
1318 +- * @dl_boosted tells if we are boosted due to DI. If so we are
1319 +- * outside bandwidth enforcement mechanism (but only until we
1320 +- * exit the critical section);
1321 +- *
1322 + * @dl_yielded tells if task gave up the CPU before consuming
1323 + * all its available runtime during the last job.
1324 + *
1325 +diff --git a/include/net/busy_poll.h b/include/net/busy_poll.h
1326 +index 716b7c5f6fdd9..36e5e75e71720 100644
1327 +--- a/include/net/busy_poll.h
1328 ++++ b/include/net/busy_poll.h
1329 +@@ -31,7 +31,7 @@ extern unsigned int sysctl_net_busy_poll __read_mostly;
1330 +
1331 + static inline bool net_busy_loop_on(void)
1332 + {
1333 +- return sysctl_net_busy_poll;
1334 ++ return READ_ONCE(sysctl_net_busy_poll);
1335 + }
1336 +
1337 + static inline bool sk_can_busy_loop(const struct sock *sk)
1338 +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
1339 +index b9948e7861f22..e66fee99ed3ea 100644
1340 +--- a/include/net/netfilter/nf_tables.h
1341 ++++ b/include/net/netfilter/nf_tables.h
1342 +@@ -176,13 +176,18 @@ struct nft_ctx {
1343 + bool report;
1344 + };
1345 +
1346 ++enum nft_data_desc_flags {
1347 ++ NFT_DATA_DESC_SETELEM = (1 << 0),
1348 ++};
1349 ++
1350 + struct nft_data_desc {
1351 + enum nft_data_types type;
1352 ++ unsigned int size;
1353 + unsigned int len;
1354 ++ unsigned int flags;
1355 + };
1356 +
1357 +-int nft_data_init(const struct nft_ctx *ctx,
1358 +- struct nft_data *data, unsigned int size,
1359 ++int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
1360 + struct nft_data_desc *desc, const struct nlattr *nla);
1361 + void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
1362 + void nft_data_release(const struct nft_data *data, enum nft_data_types type);
1363 +diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h
1364 +index fd10a7862fdc6..ce75121782bf7 100644
1365 +--- a/include/net/netfilter/nf_tables_core.h
1366 ++++ b/include/net/netfilter/nf_tables_core.h
1367 +@@ -38,6 +38,14 @@ struct nft_cmp_fast_expr {
1368 + bool inv;
1369 + };
1370 +
1371 ++struct nft_cmp16_fast_expr {
1372 ++ struct nft_data data;
1373 ++ struct nft_data mask;
1374 ++ u8 sreg;
1375 ++ u8 len;
1376 ++ bool inv;
1377 ++};
1378 ++
1379 + struct nft_immediate_expr {
1380 + struct nft_data data;
1381 + u8 dreg;
1382 +@@ -55,6 +63,7 @@ static inline u32 nft_cmp_fast_mask(unsigned int len)
1383 + }
1384 +
1385 + extern const struct nft_expr_ops nft_cmp_fast_ops;
1386 ++extern const struct nft_expr_ops nft_cmp16_fast_ops;
1387 +
1388 + struct nft_payload {
1389 + enum nft_payload_bases base:8;
1390 +diff --git a/include/net/sock.h b/include/net/sock.h
1391 +index 333131f47ac13..d31c2b9107e54 100644
1392 +--- a/include/net/sock.h
1393 ++++ b/include/net/sock.h
1394 +@@ -2678,18 +2678,18 @@ static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto)
1395 + {
1396 + /* Does this proto have per netns sysctl_wmem ? */
1397 + if (proto->sysctl_wmem_offset)
1398 +- return *(int *)((void *)sock_net(sk) + proto->sysctl_wmem_offset);
1399 ++ return READ_ONCE(*(int *)((void *)sock_net(sk) + proto->sysctl_wmem_offset));
1400 +
1401 +- return *proto->sysctl_wmem;
1402 ++ return READ_ONCE(*proto->sysctl_wmem);
1403 + }
1404 +
1405 + static inline int sk_get_rmem0(const struct sock *sk, const struct proto *proto)
1406 + {
1407 + /* Does this proto have per netns sysctl_rmem ? */
1408 + if (proto->sysctl_rmem_offset)
1409 +- return *(int *)((void *)sock_net(sk) + proto->sysctl_rmem_offset);
1410 ++ return READ_ONCE(*(int *)((void *)sock_net(sk) + proto->sysctl_rmem_offset));
1411 +
1412 +- return *proto->sysctl_rmem;
1413 ++ return READ_ONCE(*proto->sysctl_rmem);
1414 + }
1415 +
1416 + /* Default TCP Small queue budget is ~1 ms of data (1sec >> 10)
1417 +diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
1418 +index 5b3f01da172bc..b2ebacd2f3097 100644
1419 +--- a/kernel/audit_fsnotify.c
1420 ++++ b/kernel/audit_fsnotify.c
1421 +@@ -102,6 +102,7 @@ struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pa
1422 +
1423 + ret = fsnotify_add_inode_mark(&audit_mark->mark, inode, true);
1424 + if (ret < 0) {
1425 ++ audit_mark->path = NULL;
1426 + fsnotify_put_mark(&audit_mark->mark);
1427 + audit_mark = ERR_PTR(ret);
1428 + }
1429 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
1430 +index de636b7445b11..e4dcc23b52c01 100644
1431 +--- a/kernel/bpf/verifier.c
1432 ++++ b/kernel/bpf/verifier.c
1433 +@@ -5282,8 +5282,7 @@ record_func_key(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
1434 + struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx];
1435 + struct bpf_reg_state *regs = cur_regs(env), *reg;
1436 + struct bpf_map *map = meta->map_ptr;
1437 +- struct tnum range;
1438 +- u64 val;
1439 ++ u64 val, max;
1440 + int err;
1441 +
1442 + if (func_id != BPF_FUNC_tail_call)
1443 +@@ -5293,10 +5292,11 @@ record_func_key(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
1444 + return -EINVAL;
1445 + }
1446 +
1447 +- range = tnum_range(0, map->max_entries - 1);
1448 + reg = &regs[BPF_REG_3];
1449 ++ val = reg->var_off.value;
1450 ++ max = map->max_entries;
1451 +
1452 +- if (!register_is_const(reg) || !tnum_in(range, reg->var_off)) {
1453 ++ if (!(register_is_const(reg) && val < max)) {
1454 + bpf_map_key_store(aux, BPF_MAP_KEY_POISON);
1455 + return 0;
1456 + }
1457 +@@ -5304,8 +5304,6 @@ record_func_key(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
1458 + err = mark_chain_precision(env, BPF_REG_3);
1459 + if (err)
1460 + return err;
1461 +-
1462 +- val = reg->var_off.value;
1463 + if (bpf_map_key_unseen(aux))
1464 + bpf_map_key_store(aux, val);
1465 + else if (!bpf_map_key_poisoned(aux) &&
1466 +diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
1467 +index f27ac94d5fa72..cdecd47e5580d 100644
1468 +--- a/kernel/sys_ni.c
1469 ++++ b/kernel/sys_ni.c
1470 +@@ -268,6 +268,7 @@ COND_SYSCALL_COMPAT(keyctl);
1471 +
1472 + /* mm/fadvise.c */
1473 + COND_SYSCALL(fadvise64_64);
1474 ++COND_SYSCALL_COMPAT(fadvise64_64);
1475 +
1476 + /* mm/, CONFIG_MMU only */
1477 + COND_SYSCALL(swapon);
1478 +diff --git a/lib/ratelimit.c b/lib/ratelimit.c
1479 +index e01a93f46f833..ce945c17980b9 100644
1480 +--- a/lib/ratelimit.c
1481 ++++ b/lib/ratelimit.c
1482 +@@ -26,10 +26,16 @@
1483 + */
1484 + int ___ratelimit(struct ratelimit_state *rs, const char *func)
1485 + {
1486 ++ /* Paired with WRITE_ONCE() in .proc_handler().
1487 ++ * Changing two values seperately could be inconsistent
1488 ++ * and some message could be lost. (See: net_ratelimit_state).
1489 ++ */
1490 ++ int interval = READ_ONCE(rs->interval);
1491 ++ int burst = READ_ONCE(rs->burst);
1492 + unsigned long flags;
1493 + int ret;
1494 +
1495 +- if (!rs->interval)
1496 ++ if (!interval)
1497 + return 1;
1498 +
1499 + /*
1500 +@@ -44,7 +50,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func)
1501 + if (!rs->begin)
1502 + rs->begin = jiffies;
1503 +
1504 +- if (time_is_before_jiffies(rs->begin + rs->interval)) {
1505 ++ if (time_is_before_jiffies(rs->begin + interval)) {
1506 + if (rs->missed) {
1507 + if (!(rs->flags & RATELIMIT_MSG_ON_RELEASE)) {
1508 + printk_deferred(KERN_WARNING
1509 +@@ -56,7 +62,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func)
1510 + rs->begin = jiffies;
1511 + rs->printed = 0;
1512 + }
1513 +- if (rs->burst && rs->burst > rs->printed) {
1514 ++ if (burst && burst > rs->printed) {
1515 + rs->printed++;
1516 + ret = 1;
1517 + } else {
1518 +diff --git a/mm/huge_memory.c b/mm/huge_memory.c
1519 +index 594368f6134f1..cb7b0aead7096 100644
1520 +--- a/mm/huge_memory.c
1521 ++++ b/mm/huge_memory.c
1522 +@@ -1691,7 +1691,7 @@ int zap_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
1523 +
1524 + VM_BUG_ON(!is_pmd_migration_entry(orig_pmd));
1525 + entry = pmd_to_swp_entry(orig_pmd);
1526 +- page = pfn_to_page(swp_offset(entry));
1527 ++ page = migration_entry_to_page(entry);
1528 + flush_needed = 0;
1529 + } else
1530 + WARN_ONCE(1, "Non present huge pmd without pmd migration enabled!");
1531 +@@ -2110,7 +2110,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
1532 + swp_entry_t entry;
1533 +
1534 + entry = pmd_to_swp_entry(old_pmd);
1535 +- page = pfn_to_page(swp_offset(entry));
1536 ++ page = migration_entry_to_page(entry);
1537 + write = is_write_migration_entry(entry);
1538 + young = false;
1539 + soft_dirty = pmd_swp_soft_dirty(old_pmd);
1540 +diff --git a/mm/mmap.c b/mm/mmap.c
1541 +index a50042918cc7e..a1ee93f55cebb 100644
1542 +--- a/mm/mmap.c
1543 ++++ b/mm/mmap.c
1544 +@@ -1694,8 +1694,12 @@ int vma_wants_writenotify(struct vm_area_struct *vma, pgprot_t vm_page_prot)
1545 + pgprot_val(vm_pgprot_modify(vm_page_prot, vm_flags)))
1546 + return 0;
1547 +
1548 +- /* Do we need to track softdirty? */
1549 +- if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY))
1550 ++ /*
1551 ++ * Do we need to track softdirty? hugetlb does not support softdirty
1552 ++ * tracking yet.
1553 ++ */
1554 ++ if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY) &&
1555 ++ !is_vm_hugetlb_page(vma))
1556 + return 1;
1557 +
1558 + /* Specialty mapping? */
1559 +diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
1560 +index 32bc2821027f3..57f91efce0f73 100644
1561 +--- a/net/bridge/netfilter/ebtable_broute.c
1562 ++++ b/net/bridge/netfilter/ebtable_broute.c
1563 +@@ -36,18 +36,10 @@ static struct ebt_replace_kernel initial_table = {
1564 + .entries = (char *)&initial_chain,
1565 + };
1566 +
1567 +-static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
1568 +-{
1569 +- if (valid_hooks & ~(1 << NF_BR_BROUTING))
1570 +- return -EINVAL;
1571 +- return 0;
1572 +-}
1573 +-
1574 + static const struct ebt_table broute_table = {
1575 + .name = "broute",
1576 + .table = &initial_table,
1577 + .valid_hooks = 1 << NF_BR_BROUTING,
1578 +- .check = check,
1579 + .me = THIS_MODULE,
1580 + };
1581 +
1582 +diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
1583 +index bcf982e12f16b..7f2e620f4978f 100644
1584 +--- a/net/bridge/netfilter/ebtable_filter.c
1585 ++++ b/net/bridge/netfilter/ebtable_filter.c
1586 +@@ -43,18 +43,10 @@ static struct ebt_replace_kernel initial_table = {
1587 + .entries = (char *)initial_chains,
1588 + };
1589 +
1590 +-static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
1591 +-{
1592 +- if (valid_hooks & ~FILTER_VALID_HOOKS)
1593 +- return -EINVAL;
1594 +- return 0;
1595 +-}
1596 +-
1597 + static const struct ebt_table frame_filter = {
1598 + .name = "filter",
1599 + .table = &initial_table,
1600 + .valid_hooks = FILTER_VALID_HOOKS,
1601 +- .check = check,
1602 + .me = THIS_MODULE,
1603 + };
1604 +
1605 +diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c
1606 +index 0d092773f8161..1743a105485c4 100644
1607 +--- a/net/bridge/netfilter/ebtable_nat.c
1608 ++++ b/net/bridge/netfilter/ebtable_nat.c
1609 +@@ -43,18 +43,10 @@ static struct ebt_replace_kernel initial_table = {
1610 + .entries = (char *)initial_chains,
1611 + };
1612 +
1613 +-static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
1614 +-{
1615 +- if (valid_hooks & ~NAT_VALID_HOOKS)
1616 +- return -EINVAL;
1617 +- return 0;
1618 +-}
1619 +-
1620 + static const struct ebt_table frame_nat = {
1621 + .name = "nat",
1622 + .table = &initial_table,
1623 + .valid_hooks = NAT_VALID_HOOKS,
1624 +- .check = check,
1625 + .me = THIS_MODULE,
1626 + };
1627 +
1628 +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
1629 +index d481ff24a1501..310740cc684ad 100644
1630 +--- a/net/bridge/netfilter/ebtables.c
1631 ++++ b/net/bridge/netfilter/ebtables.c
1632 +@@ -999,8 +999,7 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
1633 + goto free_iterate;
1634 + }
1635 +
1636 +- /* the table doesn't like it */
1637 +- if (t->check && (ret = t->check(newinfo, repl->valid_hooks)))
1638 ++ if (repl->valid_hooks != t->valid_hooks)
1639 + goto free_unlock;
1640 +
1641 + if (repl->num_counters && repl->num_counters != t->private->nentries) {
1642 +@@ -1186,11 +1185,6 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table,
1643 + if (ret != 0)
1644 + goto free_chainstack;
1645 +
1646 +- if (table->check && table->check(newinfo, table->valid_hooks)) {
1647 +- ret = -EINVAL;
1648 +- goto free_chainstack;
1649 +- }
1650 +-
1651 + table->private = newinfo;
1652 + rwlock_init(&table->lock);
1653 + mutex_lock(&ebt_mutex);
1654 +diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
1655 +index 5f773624948ff..d67d06d6b817c 100644
1656 +--- a/net/core/bpf_sk_storage.c
1657 ++++ b/net/core/bpf_sk_storage.c
1658 +@@ -15,18 +15,6 @@
1659 +
1660 + DEFINE_BPF_STORAGE_CACHE(sk_cache);
1661 +
1662 +-static int omem_charge(struct sock *sk, unsigned int size)
1663 +-{
1664 +- /* same check as in sock_kmalloc() */
1665 +- if (size <= sysctl_optmem_max &&
1666 +- atomic_read(&sk->sk_omem_alloc) + size < sysctl_optmem_max) {
1667 +- atomic_add(size, &sk->sk_omem_alloc);
1668 +- return 0;
1669 +- }
1670 +-
1671 +- return -ENOMEM;
1672 +-}
1673 +-
1674 + static struct bpf_local_storage_data *
1675 + sk_storage_lookup(struct sock *sk, struct bpf_map *map, bool cacheit_lockit)
1676 + {
1677 +@@ -316,7 +304,17 @@ BPF_CALL_2(bpf_sk_storage_delete, struct bpf_map *, map, struct sock *, sk)
1678 + static int sk_storage_charge(struct bpf_local_storage_map *smap,
1679 + void *owner, u32 size)
1680 + {
1681 +- return omem_charge(owner, size);
1682 ++ int optmem_max = READ_ONCE(sysctl_optmem_max);
1683 ++ struct sock *sk = (struct sock *)owner;
1684 ++
1685 ++ /* same check as in sock_kmalloc() */
1686 ++ if (size <= optmem_max &&
1687 ++ atomic_read(&sk->sk_omem_alloc) + size < optmem_max) {
1688 ++ atomic_add(size, &sk->sk_omem_alloc);
1689 ++ return 0;
1690 ++ }
1691 ++
1692 ++ return -ENOMEM;
1693 + }
1694 +
1695 + static void sk_storage_uncharge(struct bpf_local_storage_map *smap,
1696 +diff --git a/net/core/dev.c b/net/core/dev.c
1697 +index 637bc576fbd26..8355cc5e11a98 100644
1698 +--- a/net/core/dev.c
1699 ++++ b/net/core/dev.c
1700 +@@ -4516,7 +4516,7 @@ static bool skb_flow_limit(struct sk_buff *skb, unsigned int qlen)
1701 + struct softnet_data *sd;
1702 + unsigned int old_flow, new_flow;
1703 +
1704 +- if (qlen < (netdev_max_backlog >> 1))
1705 ++ if (qlen < (READ_ONCE(netdev_max_backlog) >> 1))
1706 + return false;
1707 +
1708 + sd = this_cpu_ptr(&softnet_data);
1709 +@@ -4564,7 +4564,7 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu,
1710 + if (!netif_running(skb->dev))
1711 + goto drop;
1712 + qlen = skb_queue_len(&sd->input_pkt_queue);
1713 +- if (qlen <= netdev_max_backlog && !skb_flow_limit(skb, qlen)) {
1714 ++ if (qlen <= READ_ONCE(netdev_max_backlog) && !skb_flow_limit(skb, qlen)) {
1715 + if (qlen) {
1716 + enqueue:
1717 + __skb_queue_tail(&sd->input_pkt_queue, skb);
1718 +@@ -4795,7 +4795,7 @@ static int netif_rx_internal(struct sk_buff *skb)
1719 + {
1720 + int ret;
1721 +
1722 +- net_timestamp_check(netdev_tstamp_prequeue, skb);
1723 ++ net_timestamp_check(READ_ONCE(netdev_tstamp_prequeue), skb);
1724 +
1725 + trace_netif_rx(skb);
1726 +
1727 +@@ -5156,7 +5156,7 @@ static int __netif_receive_skb_core(struct sk_buff **pskb, bool pfmemalloc,
1728 + int ret = NET_RX_DROP;
1729 + __be16 type;
1730 +
1731 +- net_timestamp_check(!netdev_tstamp_prequeue, skb);
1732 ++ net_timestamp_check(!READ_ONCE(netdev_tstamp_prequeue), skb);
1733 +
1734 + trace_netif_receive_skb(skb);
1735 +
1736 +@@ -5558,7 +5558,7 @@ static int netif_receive_skb_internal(struct sk_buff *skb)
1737 + {
1738 + int ret;
1739 +
1740 +- net_timestamp_check(netdev_tstamp_prequeue, skb);
1741 ++ net_timestamp_check(READ_ONCE(netdev_tstamp_prequeue), skb);
1742 +
1743 + if (skb_defer_rx_timestamp(skb))
1744 + return NET_RX_SUCCESS;
1745 +@@ -5588,7 +5588,7 @@ static void netif_receive_skb_list_internal(struct list_head *head)
1746 +
1747 + INIT_LIST_HEAD(&sublist);
1748 + list_for_each_entry_safe(skb, next, head, list) {
1749 +- net_timestamp_check(netdev_tstamp_prequeue, skb);
1750 ++ net_timestamp_check(READ_ONCE(netdev_tstamp_prequeue), skb);
1751 + skb_list_del_init(skb);
1752 + if (!skb_defer_rx_timestamp(skb))
1753 + list_add_tail(&skb->list, &sublist);
1754 +@@ -6371,7 +6371,7 @@ static int process_backlog(struct napi_struct *napi, int quota)
1755 + net_rps_action_and_irq_enable(sd);
1756 + }
1757 +
1758 +- napi->weight = dev_rx_weight;
1759 ++ napi->weight = READ_ONCE(dev_rx_weight);
1760 + while (again) {
1761 + struct sk_buff *skb;
1762 +
1763 +@@ -6879,8 +6879,8 @@ static __latent_entropy void net_rx_action(struct softirq_action *h)
1764 + {
1765 + struct softnet_data *sd = this_cpu_ptr(&softnet_data);
1766 + unsigned long time_limit = jiffies +
1767 +- usecs_to_jiffies(netdev_budget_usecs);
1768 +- int budget = netdev_budget;
1769 ++ usecs_to_jiffies(READ_ONCE(netdev_budget_usecs));
1770 ++ int budget = READ_ONCE(netdev_budget);
1771 + LIST_HEAD(list);
1772 + LIST_HEAD(repoll);
1773 +
1774 +diff --git a/net/core/filter.c b/net/core/filter.c
1775 +index 815edf7bc4390..4c22e6d1da746 100644
1776 +--- a/net/core/filter.c
1777 ++++ b/net/core/filter.c
1778 +@@ -1212,10 +1212,11 @@ void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp)
1779 + static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp)
1780 + {
1781 + u32 filter_size = bpf_prog_size(fp->prog->len);
1782 ++ int optmem_max = READ_ONCE(sysctl_optmem_max);
1783 +
1784 + /* same check as in sock_kmalloc() */
1785 +- if (filter_size <= sysctl_optmem_max &&
1786 +- atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) {
1787 ++ if (filter_size <= optmem_max &&
1788 ++ atomic_read(&sk->sk_omem_alloc) + filter_size < optmem_max) {
1789 + atomic_add(filter_size, &sk->sk_omem_alloc);
1790 + return true;
1791 + }
1792 +@@ -1547,7 +1548,7 @@ int sk_reuseport_attach_filter(struct sock_fprog *fprog, struct sock *sk)
1793 + if (IS_ERR(prog))
1794 + return PTR_ERR(prog);
1795 +
1796 +- if (bpf_prog_size(prog->len) > sysctl_optmem_max)
1797 ++ if (bpf_prog_size(prog->len) > READ_ONCE(sysctl_optmem_max))
1798 + err = -ENOMEM;
1799 + else
1800 + err = reuseport_attach_prog(sk, prog);
1801 +@@ -1614,7 +1615,7 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
1802 + }
1803 + } else {
1804 + /* BPF_PROG_TYPE_SOCKET_FILTER */
1805 +- if (bpf_prog_size(prog->len) > sysctl_optmem_max) {
1806 ++ if (bpf_prog_size(prog->len) > READ_ONCE(sysctl_optmem_max)) {
1807 + err = -ENOMEM;
1808 + goto err_prog_put;
1809 + }
1810 +@@ -4713,14 +4714,14 @@ static int _bpf_setsockopt(struct sock *sk, int level, int optname,
1811 + /* Only some socketops are supported */
1812 + switch (optname) {
1813 + case SO_RCVBUF:
1814 +- val = min_t(u32, val, sysctl_rmem_max);
1815 ++ val = min_t(u32, val, READ_ONCE(sysctl_rmem_max));
1816 + val = min_t(int, val, INT_MAX / 2);
1817 + sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
1818 + WRITE_ONCE(sk->sk_rcvbuf,
1819 + max_t(int, val * 2, SOCK_MIN_RCVBUF));
1820 + break;
1821 + case SO_SNDBUF:
1822 +- val = min_t(u32, val, sysctl_wmem_max);
1823 ++ val = min_t(u32, val, READ_ONCE(sysctl_wmem_max));
1824 + val = min_t(int, val, INT_MAX / 2);
1825 + sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
1826 + WRITE_ONCE(sk->sk_sndbuf,
1827 +diff --git a/net/core/gro_cells.c b/net/core/gro_cells.c
1828 +index 6eb2e5ec2c506..2f66f3f295630 100644
1829 +--- a/net/core/gro_cells.c
1830 ++++ b/net/core/gro_cells.c
1831 +@@ -26,7 +26,7 @@ int gro_cells_receive(struct gro_cells *gcells, struct sk_buff *skb)
1832 +
1833 + cell = this_cpu_ptr(gcells->cells);
1834 +
1835 +- if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) {
1836 ++ if (skb_queue_len(&cell->napi_skbs) > READ_ONCE(netdev_max_backlog)) {
1837 + drop:
1838 + atomic_long_inc(&dev->rx_dropped);
1839 + kfree_skb(skb);
1840 +diff --git a/net/core/skbuff.c b/net/core/skbuff.c
1841 +index 48b6438f2a3d9..635cabcf8794f 100644
1842 +--- a/net/core/skbuff.c
1843 ++++ b/net/core/skbuff.c
1844 +@@ -4691,7 +4691,7 @@ static bool skb_may_tx_timestamp(struct sock *sk, bool tsonly)
1845 + {
1846 + bool ret;
1847 +
1848 +- if (likely(sysctl_tstamp_allow_data || tsonly))
1849 ++ if (likely(READ_ONCE(sysctl_tstamp_allow_data) || tsonly))
1850 + return true;
1851 +
1852 + read_lock_bh(&sk->sk_callback_lock);
1853 +diff --git a/net/core/sock.c b/net/core/sock.c
1854 +index 6d9af4ef93d7a..1bb6a003323b3 100644
1855 +--- a/net/core/sock.c
1856 ++++ b/net/core/sock.c
1857 +@@ -887,7 +887,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
1858 + * play 'guess the biggest size' games. RCVBUF/SNDBUF
1859 + * are treated in BSD as hints
1860 + */
1861 +- val = min_t(u32, val, sysctl_wmem_max);
1862 ++ val = min_t(u32, val, READ_ONCE(sysctl_wmem_max));
1863 + set_sndbuf:
1864 + /* Ensure val * 2 fits into an int, to prevent max_t()
1865 + * from treating it as a negative value.
1866 +@@ -919,7 +919,7 @@ set_sndbuf:
1867 + * play 'guess the biggest size' games. RCVBUF/SNDBUF
1868 + * are treated in BSD as hints
1869 + */
1870 +- __sock_set_rcvbuf(sk, min_t(u32, val, sysctl_rmem_max));
1871 ++ __sock_set_rcvbuf(sk, min_t(u32, val, READ_ONCE(sysctl_rmem_max)));
1872 + break;
1873 +
1874 + case SO_RCVBUFFORCE:
1875 +@@ -2219,7 +2219,7 @@ struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size,
1876 +
1877 + /* small safe race: SKB_TRUESIZE may differ from final skb->truesize */
1878 + if (atomic_read(&sk->sk_omem_alloc) + SKB_TRUESIZE(size) >
1879 +- sysctl_optmem_max)
1880 ++ READ_ONCE(sysctl_optmem_max))
1881 + return NULL;
1882 +
1883 + skb = alloc_skb(size, priority);
1884 +@@ -2237,8 +2237,10 @@ struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size,
1885 + */
1886 + void *sock_kmalloc(struct sock *sk, int size, gfp_t priority)
1887 + {
1888 +- if ((unsigned int)size <= sysctl_optmem_max &&
1889 +- atomic_read(&sk->sk_omem_alloc) + size < sysctl_optmem_max) {
1890 ++ int optmem_max = READ_ONCE(sysctl_optmem_max);
1891 ++
1892 ++ if ((unsigned int)size <= optmem_max &&
1893 ++ atomic_read(&sk->sk_omem_alloc) + size < optmem_max) {
1894 + void *mem;
1895 + /* First do the add, to avoid the race if kmalloc
1896 + * might sleep.
1897 +@@ -2974,8 +2976,8 @@ void sock_init_data(struct socket *sock, struct sock *sk)
1898 + timer_setup(&sk->sk_timer, NULL, 0);
1899 +
1900 + sk->sk_allocation = GFP_KERNEL;
1901 +- sk->sk_rcvbuf = sysctl_rmem_default;
1902 +- sk->sk_sndbuf = sysctl_wmem_default;
1903 ++ sk->sk_rcvbuf = READ_ONCE(sysctl_rmem_default);
1904 ++ sk->sk_sndbuf = READ_ONCE(sysctl_wmem_default);
1905 + sk->sk_state = TCP_CLOSE;
1906 + sk_set_socket(sk, sock);
1907 +
1908 +@@ -3030,7 +3032,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
1909 +
1910 + #ifdef CONFIG_NET_RX_BUSY_POLL
1911 + sk->sk_napi_id = 0;
1912 +- sk->sk_ll_usec = sysctl_net_busy_read;
1913 ++ sk->sk_ll_usec = READ_ONCE(sysctl_net_busy_read);
1914 + #endif
1915 +
1916 + sk->sk_max_pacing_rate = ~0UL;
1917 +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
1918 +index 2e0a4378e778a..0dfe9f255ab3a 100644
1919 +--- a/net/core/sysctl_net_core.c
1920 ++++ b/net/core/sysctl_net_core.c
1921 +@@ -235,14 +235,17 @@ static int set_default_qdisc(struct ctl_table *table, int write,
1922 + static int proc_do_dev_weight(struct ctl_table *table, int write,
1923 + void *buffer, size_t *lenp, loff_t *ppos)
1924 + {
1925 +- int ret;
1926 ++ static DEFINE_MUTEX(dev_weight_mutex);
1927 ++ int ret, weight;
1928 +
1929 ++ mutex_lock(&dev_weight_mutex);
1930 + ret = proc_dointvec(table, write, buffer, lenp, ppos);
1931 +- if (ret != 0)
1932 +- return ret;
1933 +-
1934 +- dev_rx_weight = weight_p * dev_weight_rx_bias;
1935 +- dev_tx_weight = weight_p * dev_weight_tx_bias;
1936 ++ if (!ret && write) {
1937 ++ weight = READ_ONCE(weight_p);
1938 ++ WRITE_ONCE(dev_rx_weight, weight * dev_weight_rx_bias);
1939 ++ WRITE_ONCE(dev_tx_weight, weight * dev_weight_tx_bias);
1940 ++ }
1941 ++ mutex_unlock(&dev_weight_mutex);
1942 +
1943 + return ret;
1944 + }
1945 +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
1946 +index dc92a67baea39..7d542eb461729 100644
1947 +--- a/net/decnet/af_decnet.c
1948 ++++ b/net/decnet/af_decnet.c
1949 +@@ -480,8 +480,8 @@ static struct sock *dn_alloc_sock(struct net *net, struct socket *sock, gfp_t gf
1950 + sk->sk_family = PF_DECnet;
1951 + sk->sk_protocol = 0;
1952 + sk->sk_allocation = gfp;
1953 +- sk->sk_sndbuf = sysctl_decnet_wmem[1];
1954 +- sk->sk_rcvbuf = sysctl_decnet_rmem[1];
1955 ++ sk->sk_sndbuf = READ_ONCE(sysctl_decnet_wmem[1]);
1956 ++ sk->sk_rcvbuf = READ_ONCE(sysctl_decnet_rmem[1]);
1957 +
1958 + /* Initialization of DECnet Session Control Port */
1959 + scp = DN_SK(sk);
1960 +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
1961 +index 148ef484a66ce..8f17538755507 100644
1962 +--- a/net/ipv4/devinet.c
1963 ++++ b/net/ipv4/devinet.c
1964 +@@ -2668,23 +2668,27 @@ static __net_init int devinet_init_net(struct net *net)
1965 + #endif
1966 +
1967 + if (!net_eq(net, &init_net)) {
1968 +- if (IS_ENABLED(CONFIG_SYSCTL) &&
1969 +- sysctl_devconf_inherit_init_net == 3) {
1970 ++ switch (net_inherit_devconf()) {
1971 ++ case 3:
1972 + /* copy from the current netns */
1973 + memcpy(all, current->nsproxy->net_ns->ipv4.devconf_all,
1974 + sizeof(ipv4_devconf));
1975 + memcpy(dflt,
1976 + current->nsproxy->net_ns->ipv4.devconf_dflt,
1977 + sizeof(ipv4_devconf_dflt));
1978 +- } else if (!IS_ENABLED(CONFIG_SYSCTL) ||
1979 +- sysctl_devconf_inherit_init_net != 2) {
1980 +- /* inherit == 0 or 1: copy from init_net */
1981 ++ break;
1982 ++ case 0:
1983 ++ case 1:
1984 ++ /* copy from init_net */
1985 + memcpy(all, init_net.ipv4.devconf_all,
1986 + sizeof(ipv4_devconf));
1987 + memcpy(dflt, init_net.ipv4.devconf_dflt,
1988 + sizeof(ipv4_devconf_dflt));
1989 ++ break;
1990 ++ case 2:
1991 ++ /* use compiled values */
1992 ++ break;
1993 + }
1994 +- /* else inherit == 2: use compiled values */
1995 + }
1996 +
1997 + #ifdef CONFIG_SYSCTL
1998 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
1999 +index f77b0af3cb657..0dbf950de832f 100644
2000 +--- a/net/ipv4/ip_output.c
2001 ++++ b/net/ipv4/ip_output.c
2002 +@@ -1721,7 +1721,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb,
2003 +
2004 + sk->sk_protocol = ip_hdr(skb)->protocol;
2005 + sk->sk_bound_dev_if = arg->bound_dev_if;
2006 +- sk->sk_sndbuf = sysctl_wmem_default;
2007 ++ sk->sk_sndbuf = READ_ONCE(sysctl_wmem_default);
2008 + ipc.sockc.mark = fl4.flowi4_mark;
2009 + err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,
2010 + len, 0, &ipc, &rt, MSG_DONTWAIT);
2011 +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
2012 +index 22507a6a3f71c..4cc39c62af55d 100644
2013 +--- a/net/ipv4/ip_sockglue.c
2014 ++++ b/net/ipv4/ip_sockglue.c
2015 +@@ -773,7 +773,7 @@ static int ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval, int optlen)
2016 +
2017 + if (optlen < GROUP_FILTER_SIZE(0))
2018 + return -EINVAL;
2019 +- if (optlen > sysctl_optmem_max)
2020 ++ if (optlen > READ_ONCE(sysctl_optmem_max))
2021 + return -ENOBUFS;
2022 +
2023 + gsf = memdup_sockptr(optval, optlen);
2024 +@@ -808,7 +808,7 @@ static int compat_ip_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
2025 +
2026 + if (optlen < size0)
2027 + return -EINVAL;
2028 +- if (optlen > sysctl_optmem_max - 4)
2029 ++ if (optlen > READ_ONCE(sysctl_optmem_max) - 4)
2030 + return -ENOBUFS;
2031 +
2032 + p = kmalloc(optlen + 4, GFP_KERNEL);
2033 +@@ -1231,7 +1231,7 @@ static int do_ip_setsockopt(struct sock *sk, int level, int optname,
2034 +
2035 + if (optlen < IP_MSFILTER_SIZE(0))
2036 + goto e_inval;
2037 +- if (optlen > sysctl_optmem_max) {
2038 ++ if (optlen > READ_ONCE(sysctl_optmem_max)) {
2039 + err = -ENOBUFS;
2040 + break;
2041 + }
2042 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
2043 +index 78460eb39b3af..bfeb05f62b94f 100644
2044 +--- a/net/ipv4/tcp.c
2045 ++++ b/net/ipv4/tcp.c
2046 +@@ -451,8 +451,8 @@ void tcp_init_sock(struct sock *sk)
2047 +
2048 + icsk->icsk_sync_mss = tcp_sync_mss;
2049 +
2050 +- WRITE_ONCE(sk->sk_sndbuf, sock_net(sk)->ipv4.sysctl_tcp_wmem[1]);
2051 +- WRITE_ONCE(sk->sk_rcvbuf, sock_net(sk)->ipv4.sysctl_tcp_rmem[1]);
2052 ++ WRITE_ONCE(sk->sk_sndbuf, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_wmem[1]));
2053 ++ WRITE_ONCE(sk->sk_rcvbuf, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[1]));
2054 +
2055 + sk_sockets_allocated_inc(sk);
2056 + sk->sk_route_forced_caps = NETIF_F_GSO;
2057 +@@ -1711,7 +1711,7 @@ int tcp_set_rcvlowat(struct sock *sk, int val)
2058 + if (sk->sk_userlocks & SOCK_RCVBUF_LOCK)
2059 + cap = sk->sk_rcvbuf >> 1;
2060 + else
2061 +- cap = sock_net(sk)->ipv4.sysctl_tcp_rmem[2] >> 1;
2062 ++ cap = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]) >> 1;
2063 + val = min(val, cap);
2064 + WRITE_ONCE(sk->sk_rcvlowat, val ? : 1);
2065 +
2066 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
2067 +index d35e88b5ffcbe..41b44b311e8a0 100644
2068 +--- a/net/ipv4/tcp_input.c
2069 ++++ b/net/ipv4/tcp_input.c
2070 +@@ -425,7 +425,7 @@ static void tcp_sndbuf_expand(struct sock *sk)
2071 +
2072 + if (sk->sk_sndbuf < sndmem)
2073 + WRITE_ONCE(sk->sk_sndbuf,
2074 +- min(sndmem, sock_net(sk)->ipv4.sysctl_tcp_wmem[2]));
2075 ++ min(sndmem, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_wmem[2])));
2076 + }
2077 +
2078 + /* 2. Tuning advertised window (window_clamp, rcv_ssthresh)
2079 +@@ -454,12 +454,13 @@ static void tcp_sndbuf_expand(struct sock *sk)
2080 + */
2081 +
2082 + /* Slow part of check#2. */
2083 +-static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb)
2084 ++static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb,
2085 ++ unsigned int skbtruesize)
2086 + {
2087 + struct tcp_sock *tp = tcp_sk(sk);
2088 + /* Optimize this! */
2089 +- int truesize = tcp_win_from_space(sk, skb->truesize) >> 1;
2090 +- int window = tcp_win_from_space(sk, sock_net(sk)->ipv4.sysctl_tcp_rmem[2]) >> 1;
2091 ++ int truesize = tcp_win_from_space(sk, skbtruesize) >> 1;
2092 ++ int window = tcp_win_from_space(sk, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2])) >> 1;
2093 +
2094 + while (tp->rcv_ssthresh <= window) {
2095 + if (truesize <= skb->len)
2096 +@@ -471,7 +472,27 @@ static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb)
2097 + return 0;
2098 + }
2099 +
2100 +-static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
2101 ++/* Even if skb appears to have a bad len/truesize ratio, TCP coalescing
2102 ++ * can play nice with us, as sk_buff and skb->head might be either
2103 ++ * freed or shared with up to MAX_SKB_FRAGS segments.
2104 ++ * Only give a boost to drivers using page frag(s) to hold the frame(s),
2105 ++ * and if no payload was pulled in skb->head before reaching us.
2106 ++ */
2107 ++static u32 truesize_adjust(bool adjust, const struct sk_buff *skb)
2108 ++{
2109 ++ u32 truesize = skb->truesize;
2110 ++
2111 ++ if (adjust && !skb_headlen(skb)) {
2112 ++ truesize -= SKB_TRUESIZE(skb_end_offset(skb));
2113 ++ /* paranoid check, some drivers might be buggy */
2114 ++ if (unlikely((int)truesize < (int)skb->len))
2115 ++ truesize = skb->truesize;
2116 ++ }
2117 ++ return truesize;
2118 ++}
2119 ++
2120 ++static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb,
2121 ++ bool adjust)
2122 + {
2123 + struct tcp_sock *tp = tcp_sk(sk);
2124 + int room;
2125 +@@ -480,15 +501,16 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
2126 +
2127 + /* Check #1 */
2128 + if (room > 0 && !tcp_under_memory_pressure(sk)) {
2129 ++ unsigned int truesize = truesize_adjust(adjust, skb);
2130 + int incr;
2131 +
2132 + /* Check #2. Increase window, if skb with such overhead
2133 + * will fit to rcvbuf in future.
2134 + */
2135 +- if (tcp_win_from_space(sk, skb->truesize) <= skb->len)
2136 ++ if (tcp_win_from_space(sk, truesize) <= skb->len)
2137 + incr = 2 * tp->advmss;
2138 + else
2139 +- incr = __tcp_grow_window(sk, skb);
2140 ++ incr = __tcp_grow_window(sk, skb, truesize);
2141 +
2142 + if (incr) {
2143 + incr = max_t(int, incr, 2 * skb->len);
2144 +@@ -543,16 +565,17 @@ static void tcp_clamp_window(struct sock *sk)
2145 + struct tcp_sock *tp = tcp_sk(sk);
2146 + struct inet_connection_sock *icsk = inet_csk(sk);
2147 + struct net *net = sock_net(sk);
2148 ++ int rmem2;
2149 +
2150 + icsk->icsk_ack.quick = 0;
2151 ++ rmem2 = READ_ONCE(net->ipv4.sysctl_tcp_rmem[2]);
2152 +
2153 +- if (sk->sk_rcvbuf < net->ipv4.sysctl_tcp_rmem[2] &&
2154 ++ if (sk->sk_rcvbuf < rmem2 &&
2155 + !(sk->sk_userlocks & SOCK_RCVBUF_LOCK) &&
2156 + !tcp_under_memory_pressure(sk) &&
2157 + sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0)) {
2158 + WRITE_ONCE(sk->sk_rcvbuf,
2159 +- min(atomic_read(&sk->sk_rmem_alloc),
2160 +- net->ipv4.sysctl_tcp_rmem[2]));
2161 ++ min(atomic_read(&sk->sk_rmem_alloc), rmem2));
2162 + }
2163 + if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
2164 + tp->rcv_ssthresh = min(tp->window_clamp, 2U * tp->advmss);
2165 +@@ -714,7 +737,7 @@ void tcp_rcv_space_adjust(struct sock *sk)
2166 +
2167 + do_div(rcvwin, tp->advmss);
2168 + rcvbuf = min_t(u64, rcvwin * rcvmem,
2169 +- sock_net(sk)->ipv4.sysctl_tcp_rmem[2]);
2170 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]));
2171 + if (rcvbuf > sk->sk_rcvbuf) {
2172 + WRITE_ONCE(sk->sk_rcvbuf, rcvbuf);
2173 +
2174 +@@ -782,7 +805,7 @@ static void tcp_event_data_recv(struct sock *sk, struct sk_buff *skb)
2175 + tcp_ecn_check_ce(sk, skb);
2176 +
2177 + if (skb->len >= 128)
2178 +- tcp_grow_window(sk, skb);
2179 ++ tcp_grow_window(sk, skb, true);
2180 + }
2181 +
2182 + /* Called to compute a smoothed rtt estimate. The data fed to this
2183 +@@ -4761,7 +4784,7 @@ coalesce_done:
2184 + * and trigger fast retransmit.
2185 + */
2186 + if (tcp_is_sack(tp))
2187 +- tcp_grow_window(sk, skb);
2188 ++ tcp_grow_window(sk, skb, true);
2189 + kfree_skb_partial(skb, fragstolen);
2190 + skb = NULL;
2191 + goto add_sack;
2192 +@@ -4849,7 +4872,7 @@ end:
2193 + * and trigger fast retransmit.
2194 + */
2195 + if (tcp_is_sack(tp))
2196 +- tcp_grow_window(sk, skb);
2197 ++ tcp_grow_window(sk, skb, false);
2198 + skb_condense(skb);
2199 + skb_set_owner_r(skb, sk);
2200 + }
2201 +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
2202 +index 4c9274cb92d55..48fce999dc612 100644
2203 +--- a/net/ipv4/tcp_output.c
2204 ++++ b/net/ipv4/tcp_output.c
2205 +@@ -238,8 +238,8 @@ void tcp_select_initial_window(const struct sock *sk, int __space, __u32 mss,
2206 + *rcv_wscale = 0;
2207 + if (wscale_ok) {
2208 + /* Set window scaling on max possible window */
2209 +- space = max_t(u32, space, sock_net(sk)->ipv4.sysctl_tcp_rmem[2]);
2210 +- space = max_t(u32, space, sysctl_rmem_max);
2211 ++ space = max_t(u32, space, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]));
2212 ++ space = max_t(u32, space, READ_ONCE(sysctl_rmem_max));
2213 + space = min_t(u32, space, *window_clamp);
2214 + *rcv_wscale = clamp_t(int, ilog2(space) - 15,
2215 + 0, TCP_MAX_WSCALE);
2216 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
2217 +index 05317e6f48f8a..ed1e5bfc97b31 100644
2218 +--- a/net/ipv6/addrconf.c
2219 ++++ b/net/ipv6/addrconf.c
2220 +@@ -7042,9 +7042,8 @@ static int __net_init addrconf_init_net(struct net *net)
2221 + if (!dflt)
2222 + goto err_alloc_dflt;
2223 +
2224 +- if (IS_ENABLED(CONFIG_SYSCTL) &&
2225 +- !net_eq(net, &init_net)) {
2226 +- switch (sysctl_devconf_inherit_init_net) {
2227 ++ if (!net_eq(net, &init_net)) {
2228 ++ switch (net_inherit_devconf()) {
2229 + case 1: /* copy from init_net */
2230 + memcpy(all, init_net.ipv6.devconf_all,
2231 + sizeof(ipv6_devconf));
2232 +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
2233 +index 43a894bf9a1be..6fa118bf40cdd 100644
2234 +--- a/net/ipv6/ipv6_sockglue.c
2235 ++++ b/net/ipv6/ipv6_sockglue.c
2236 +@@ -208,7 +208,7 @@ static int ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
2237 +
2238 + if (optlen < GROUP_FILTER_SIZE(0))
2239 + return -EINVAL;
2240 +- if (optlen > sysctl_optmem_max)
2241 ++ if (optlen > READ_ONCE(sysctl_optmem_max))
2242 + return -ENOBUFS;
2243 +
2244 + gsf = memdup_sockptr(optval, optlen);
2245 +@@ -242,7 +242,7 @@ static int compat_ipv6_set_mcast_msfilter(struct sock *sk, sockptr_t optval,
2246 +
2247 + if (optlen < size0)
2248 + return -EINVAL;
2249 +- if (optlen > sysctl_optmem_max - 4)
2250 ++ if (optlen > READ_ONCE(sysctl_optmem_max) - 4)
2251 + return -ENOBUFS;
2252 +
2253 + p = kmalloc(optlen + 4, GFP_KERNEL);
2254 +diff --git a/net/key/af_key.c b/net/key/af_key.c
2255 +index 2aa16a171285b..05e2710988883 100644
2256 +--- a/net/key/af_key.c
2257 ++++ b/net/key/af_key.c
2258 +@@ -1701,9 +1701,12 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
2259 + pfk->registered |= (1<<hdr->sadb_msg_satype);
2260 + }
2261 +
2262 ++ mutex_lock(&pfkey_mutex);
2263 + xfrm_probe_algs();
2264 +
2265 + supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO);
2266 ++ mutex_unlock(&pfkey_mutex);
2267 ++
2268 + if (!supp_skb) {
2269 + if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC)
2270 + pfk->registered &= ~(1<<hdr->sadb_msg_satype);
2271 +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
2272 +index d0e91aa7b30e5..e61c85873ea2f 100644
2273 +--- a/net/mptcp/protocol.c
2274 ++++ b/net/mptcp/protocol.c
2275 +@@ -1439,7 +1439,7 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied)
2276 +
2277 + do_div(rcvwin, advmss);
2278 + rcvbuf = min_t(u64, rcvwin * rcvmem,
2279 +- sock_net(sk)->ipv4.sysctl_tcp_rmem[2]);
2280 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]));
2281 +
2282 + if (rcvbuf > sk->sk_rcvbuf) {
2283 + u32 window_clamp;
2284 +@@ -1872,8 +1872,8 @@ static int mptcp_init_sock(struct sock *sk)
2285 + return ret;
2286 +
2287 + sk_sockets_allocated_inc(sk);
2288 +- sk->sk_rcvbuf = sock_net(sk)->ipv4.sysctl_tcp_rmem[1];
2289 +- sk->sk_sndbuf = sock_net(sk)->ipv4.sysctl_tcp_wmem[1];
2290 ++ sk->sk_rcvbuf = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[1]);
2291 ++ sk->sk_sndbuf = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_wmem[1]);
2292 +
2293 + return 0;
2294 + }
2295 +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
2296 +index 16b48064f715e..daab857c52a80 100644
2297 +--- a/net/netfilter/ipvs/ip_vs_sync.c
2298 ++++ b/net/netfilter/ipvs/ip_vs_sync.c
2299 +@@ -1280,12 +1280,12 @@ static void set_sock_size(struct sock *sk, int mode, int val)
2300 + lock_sock(sk);
2301 + if (mode) {
2302 + val = clamp_t(int, val, (SOCK_MIN_SNDBUF + 1) / 2,
2303 +- sysctl_wmem_max);
2304 ++ READ_ONCE(sysctl_wmem_max));
2305 + sk->sk_sndbuf = val * 2;
2306 + sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
2307 + } else {
2308 + val = clamp_t(int, val, (SOCK_MIN_RCVBUF + 1) / 2,
2309 +- sysctl_rmem_max);
2310 ++ READ_ONCE(sysctl_rmem_max));
2311 + sk->sk_rcvbuf = val * 2;
2312 + sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
2313 + }
2314 +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
2315 +index 30bd4b867912c..1b039476e4d6a 100644
2316 +--- a/net/netfilter/nf_tables_api.c
2317 ++++ b/net/netfilter/nf_tables_api.c
2318 +@@ -1999,9 +1999,9 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2319 + u8 policy, u32 flags)
2320 + {
2321 + const struct nlattr * const *nla = ctx->nla;
2322 ++ struct nft_stats __percpu *stats = NULL;
2323 + struct nft_table *table = ctx->table;
2324 + struct nft_base_chain *basechain;
2325 +- struct nft_stats __percpu *stats;
2326 + struct net *net = ctx->net;
2327 + char name[NFT_NAME_MAXLEN];
2328 + struct nft_trans *trans;
2329 +@@ -2037,7 +2037,6 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2330 + return PTR_ERR(stats);
2331 + }
2332 + rcu_assign_pointer(basechain->stats, stats);
2333 +- static_branch_inc(&nft_counters_enabled);
2334 + }
2335 +
2336 + err = nft_basechain_init(basechain, family, &hook, flags);
2337 +@@ -2120,6 +2119,9 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2338 + goto err_unregister_hook;
2339 + }
2340 +
2341 ++ if (stats)
2342 ++ static_branch_inc(&nft_counters_enabled);
2343 ++
2344 + table->use++;
2345 +
2346 + return 0;
2347 +@@ -4839,19 +4841,13 @@ static int nft_setelem_parse_flags(const struct nft_set *set,
2348 + static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
2349 + struct nft_data *key, struct nlattr *attr)
2350 + {
2351 +- struct nft_data_desc desc;
2352 +- int err;
2353 +-
2354 +- err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
2355 +- if (err < 0)
2356 +- return err;
2357 +-
2358 +- if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
2359 +- nft_data_release(key, desc.type);
2360 +- return -EINVAL;
2361 +- }
2362 ++ struct nft_data_desc desc = {
2363 ++ .type = NFT_DATA_VALUE,
2364 ++ .size = NFT_DATA_VALUE_MAXLEN,
2365 ++ .len = set->klen,
2366 ++ };
2367 +
2368 +- return 0;
2369 ++ return nft_data_init(ctx, key, &desc, attr);
2370 + }
2371 +
2372 + static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
2373 +@@ -4860,24 +4856,18 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
2374 + struct nlattr *attr)
2375 + {
2376 + u32 dtype;
2377 +- int err;
2378 +-
2379 +- err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
2380 +- if (err < 0)
2381 +- return err;
2382 +
2383 + if (set->dtype == NFT_DATA_VERDICT)
2384 + dtype = NFT_DATA_VERDICT;
2385 + else
2386 + dtype = NFT_DATA_VALUE;
2387 +
2388 +- if (dtype != desc->type ||
2389 +- set->dlen != desc->len) {
2390 +- nft_data_release(data, desc->type);
2391 +- return -EINVAL;
2392 +- }
2393 ++ desc->type = dtype;
2394 ++ desc->size = NFT_DATA_VALUE_MAXLEN;
2395 ++ desc->len = set->dlen;
2396 ++ desc->flags = NFT_DATA_DESC_SETELEM;
2397 +
2398 +- return 0;
2399 ++ return nft_data_init(ctx, data, desc, attr);
2400 + }
2401 +
2402 + static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
2403 +@@ -8688,6 +8678,11 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
2404 + return PTR_ERR(chain);
2405 + if (nft_is_base_chain(chain))
2406 + return -EOPNOTSUPP;
2407 ++ if (nft_chain_is_bound(chain))
2408 ++ return -EINVAL;
2409 ++ if (desc->flags & NFT_DATA_DESC_SETELEM &&
2410 ++ chain->flags & NFT_CHAIN_BINDING)
2411 ++ return -EINVAL;
2412 +
2413 + chain->use++;
2414 + data->verdict.chain = chain;
2415 +@@ -8695,7 +8690,7 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
2416 + }
2417 +
2418 + desc->len = sizeof(data->verdict);
2419 +- desc->type = NFT_DATA_VERDICT;
2420 ++
2421 + return 0;
2422 + }
2423 +
2424 +@@ -8748,20 +8743,25 @@ nla_put_failure:
2425 + }
2426 +
2427 + static int nft_value_init(const struct nft_ctx *ctx,
2428 +- struct nft_data *data, unsigned int size,
2429 +- struct nft_data_desc *desc, const struct nlattr *nla)
2430 ++ struct nft_data *data, struct nft_data_desc *desc,
2431 ++ const struct nlattr *nla)
2432 + {
2433 + unsigned int len;
2434 +
2435 + len = nla_len(nla);
2436 + if (len == 0)
2437 + return -EINVAL;
2438 +- if (len > size)
2439 ++ if (len > desc->size)
2440 + return -EOVERFLOW;
2441 ++ if (desc->len) {
2442 ++ if (len != desc->len)
2443 ++ return -EINVAL;
2444 ++ } else {
2445 ++ desc->len = len;
2446 ++ }
2447 +
2448 + nla_memcpy(data->data, nla, len);
2449 +- desc->type = NFT_DATA_VALUE;
2450 +- desc->len = len;
2451 ++
2452 + return 0;
2453 + }
2454 +
2455 +@@ -8781,7 +8781,6 @@ static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
2456 + *
2457 + * @ctx: context of the expression using the data
2458 + * @data: destination struct nft_data
2459 +- * @size: maximum data length
2460 + * @desc: data description
2461 + * @nla: netlink attribute containing data
2462 + *
2463 +@@ -8791,24 +8790,35 @@ static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
2464 + * The caller can indicate that it only wants to accept data of type
2465 + * NFT_DATA_VALUE by passing NULL for the ctx argument.
2466 + */
2467 +-int nft_data_init(const struct nft_ctx *ctx,
2468 +- struct nft_data *data, unsigned int size,
2469 ++int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
2470 + struct nft_data_desc *desc, const struct nlattr *nla)
2471 + {
2472 + struct nlattr *tb[NFTA_DATA_MAX + 1];
2473 + int err;
2474 +
2475 ++ if (WARN_ON_ONCE(!desc->size))
2476 ++ return -EINVAL;
2477 ++
2478 + err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
2479 + nft_data_policy, NULL);
2480 + if (err < 0)
2481 + return err;
2482 +
2483 +- if (tb[NFTA_DATA_VALUE])
2484 +- return nft_value_init(ctx, data, size, desc,
2485 +- tb[NFTA_DATA_VALUE]);
2486 +- if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
2487 +- return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
2488 +- return -EINVAL;
2489 ++ if (tb[NFTA_DATA_VALUE]) {
2490 ++ if (desc->type != NFT_DATA_VALUE)
2491 ++ return -EINVAL;
2492 ++
2493 ++ err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
2494 ++ } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
2495 ++ if (desc->type != NFT_DATA_VERDICT)
2496 ++ return -EINVAL;
2497 ++
2498 ++ err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
2499 ++ } else {
2500 ++ err = -EINVAL;
2501 ++ }
2502 ++
2503 ++ return err;
2504 + }
2505 + EXPORT_SYMBOL_GPL(nft_data_init);
2506 +
2507 +diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
2508 +index a61b5bf5aa0fb..9dc18429ed875 100644
2509 +--- a/net/netfilter/nf_tables_core.c
2510 ++++ b/net/netfilter/nf_tables_core.c
2511 +@@ -67,6 +67,50 @@ static void nft_cmp_fast_eval(const struct nft_expr *expr,
2512 + regs->verdict.code = NFT_BREAK;
2513 + }
2514 +
2515 ++static void nft_cmp16_fast_eval(const struct nft_expr *expr,
2516 ++ struct nft_regs *regs)
2517 ++{
2518 ++ const struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr);
2519 ++ const u64 *reg_data = (const u64 *)&regs->data[priv->sreg];
2520 ++ const u64 *mask = (const u64 *)&priv->mask;
2521 ++ const u64 *data = (const u64 *)&priv->data;
2522 ++
2523 ++ if (((reg_data[0] & mask[0]) == data[0] &&
2524 ++ ((reg_data[1] & mask[1]) == data[1])) ^ priv->inv)
2525 ++ return;
2526 ++ regs->verdict.code = NFT_BREAK;
2527 ++}
2528 ++
2529 ++static noinline void __nft_trace_verdict(struct nft_traceinfo *info,
2530 ++ const struct nft_chain *chain,
2531 ++ const struct nft_regs *regs)
2532 ++{
2533 ++ enum nft_trace_types type;
2534 ++
2535 ++ switch (regs->verdict.code) {
2536 ++ case NFT_CONTINUE:
2537 ++ case NFT_RETURN:
2538 ++ type = NFT_TRACETYPE_RETURN;
2539 ++ break;
2540 ++ default:
2541 ++ type = NFT_TRACETYPE_RULE;
2542 ++ break;
2543 ++ }
2544 ++
2545 ++ __nft_trace_packet(info, chain, type);
2546 ++}
2547 ++
2548 ++static inline void nft_trace_verdict(struct nft_traceinfo *info,
2549 ++ const struct nft_chain *chain,
2550 ++ const struct nft_rule *rule,
2551 ++ const struct nft_regs *regs)
2552 ++{
2553 ++ if (static_branch_unlikely(&nft_trace_enabled)) {
2554 ++ info->rule = rule;
2555 ++ __nft_trace_verdict(info, chain, regs);
2556 ++ }
2557 ++}
2558 ++
2559 + static bool nft_payload_fast_eval(const struct nft_expr *expr,
2560 + struct nft_regs *regs,
2561 + const struct nft_pktinfo *pkt)
2562 +@@ -185,6 +229,8 @@ next_rule:
2563 + nft_rule_for_each_expr(expr, last, rule) {
2564 + if (expr->ops == &nft_cmp_fast_ops)
2565 + nft_cmp_fast_eval(expr, &regs);
2566 ++ else if (expr->ops == &nft_cmp16_fast_ops)
2567 ++ nft_cmp16_fast_eval(expr, &regs);
2568 + else if (expr->ops == &nft_bitwise_fast_ops)
2569 + nft_bitwise_fast_eval(expr, &regs);
2570 + else if (expr->ops != &nft_payload_fast_ops ||
2571 +@@ -207,13 +253,13 @@ next_rule:
2572 + break;
2573 + }
2574 +
2575 ++ nft_trace_verdict(&info, chain, rule, &regs);
2576 ++
2577 + switch (regs.verdict.code & NF_VERDICT_MASK) {
2578 + case NF_ACCEPT:
2579 + case NF_DROP:
2580 + case NF_QUEUE:
2581 + case NF_STOLEN:
2582 +- nft_trace_packet(&info, chain, rule,
2583 +- NFT_TRACETYPE_RULE);
2584 + return regs.verdict.code;
2585 + }
2586 +
2587 +@@ -226,15 +272,10 @@ next_rule:
2588 + stackptr++;
2589 + fallthrough;
2590 + case NFT_GOTO:
2591 +- nft_trace_packet(&info, chain, rule,
2592 +- NFT_TRACETYPE_RULE);
2593 +-
2594 + chain = regs.verdict.chain;
2595 + goto do_chain;
2596 + case NFT_CONTINUE:
2597 + case NFT_RETURN:
2598 +- nft_trace_packet(&info, chain, rule,
2599 +- NFT_TRACETYPE_RETURN);
2600 + break;
2601 + default:
2602 + WARN_ON(1);
2603 +diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
2604 +index 47b0dba95054f..d6ab7aa14adc2 100644
2605 +--- a/net/netfilter/nft_bitwise.c
2606 ++++ b/net/netfilter/nft_bitwise.c
2607 +@@ -93,7 +93,16 @@ static const struct nla_policy nft_bitwise_policy[NFTA_BITWISE_MAX + 1] = {
2608 + static int nft_bitwise_init_bool(struct nft_bitwise *priv,
2609 + const struct nlattr *const tb[])
2610 + {
2611 +- struct nft_data_desc mask, xor;
2612 ++ struct nft_data_desc mask = {
2613 ++ .type = NFT_DATA_VALUE,
2614 ++ .size = sizeof(priv->mask),
2615 ++ .len = priv->len,
2616 ++ };
2617 ++ struct nft_data_desc xor = {
2618 ++ .type = NFT_DATA_VALUE,
2619 ++ .size = sizeof(priv->xor),
2620 ++ .len = priv->len,
2621 ++ };
2622 + int err;
2623 +
2624 + if (tb[NFTA_BITWISE_DATA])
2625 +@@ -103,36 +112,30 @@ static int nft_bitwise_init_bool(struct nft_bitwise *priv,
2626 + !tb[NFTA_BITWISE_XOR])
2627 + return -EINVAL;
2628 +
2629 +- err = nft_data_init(NULL, &priv->mask, sizeof(priv->mask), &mask,
2630 +- tb[NFTA_BITWISE_MASK]);
2631 ++ err = nft_data_init(NULL, &priv->mask, &mask, tb[NFTA_BITWISE_MASK]);
2632 + if (err < 0)
2633 + return err;
2634 +- if (mask.type != NFT_DATA_VALUE || mask.len != priv->len) {
2635 +- err = -EINVAL;
2636 +- goto err1;
2637 +- }
2638 +
2639 +- err = nft_data_init(NULL, &priv->xor, sizeof(priv->xor), &xor,
2640 +- tb[NFTA_BITWISE_XOR]);
2641 ++ err = nft_data_init(NULL, &priv->xor, &xor, tb[NFTA_BITWISE_XOR]);
2642 + if (err < 0)
2643 +- goto err1;
2644 +- if (xor.type != NFT_DATA_VALUE || xor.len != priv->len) {
2645 +- err = -EINVAL;
2646 +- goto err2;
2647 +- }
2648 ++ goto err_xor_err;
2649 +
2650 + return 0;
2651 +-err2:
2652 +- nft_data_release(&priv->xor, xor.type);
2653 +-err1:
2654 ++
2655 ++err_xor_err:
2656 + nft_data_release(&priv->mask, mask.type);
2657 ++
2658 + return err;
2659 + }
2660 +
2661 + static int nft_bitwise_init_shift(struct nft_bitwise *priv,
2662 + const struct nlattr *const tb[])
2663 + {
2664 +- struct nft_data_desc d;
2665 ++ struct nft_data_desc desc = {
2666 ++ .type = NFT_DATA_VALUE,
2667 ++ .size = sizeof(priv->data),
2668 ++ .len = sizeof(u32),
2669 ++ };
2670 + int err;
2671 +
2672 + if (tb[NFTA_BITWISE_MASK] ||
2673 +@@ -142,13 +145,12 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv,
2674 + if (!tb[NFTA_BITWISE_DATA])
2675 + return -EINVAL;
2676 +
2677 +- err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &d,
2678 +- tb[NFTA_BITWISE_DATA]);
2679 ++ err = nft_data_init(NULL, &priv->data, &desc, tb[NFTA_BITWISE_DATA]);
2680 + if (err < 0)
2681 + return err;
2682 +- if (d.type != NFT_DATA_VALUE || d.len != sizeof(u32) ||
2683 +- priv->data.data[0] >= BITS_PER_TYPE(u32)) {
2684 +- nft_data_release(&priv->data, d.type);
2685 ++
2686 ++ if (priv->data.data[0] >= BITS_PER_TYPE(u32)) {
2687 ++ nft_data_release(&priv->data, desc.type);
2688 + return -EINVAL;
2689 + }
2690 +
2691 +@@ -290,22 +292,21 @@ static const struct nft_expr_ops nft_bitwise_ops = {
2692 + static int
2693 + nft_bitwise_extract_u32_data(const struct nlattr * const tb, u32 *out)
2694 + {
2695 +- struct nft_data_desc desc;
2696 + struct nft_data data;
2697 +- int err = 0;
2698 ++ struct nft_data_desc desc = {
2699 ++ .type = NFT_DATA_VALUE,
2700 ++ .size = sizeof(data),
2701 ++ .len = sizeof(u32),
2702 ++ };
2703 ++ int err;
2704 +
2705 +- err = nft_data_init(NULL, &data, sizeof(data), &desc, tb);
2706 ++ err = nft_data_init(NULL, &data, &desc, tb);
2707 + if (err < 0)
2708 + return err;
2709 +
2710 +- if (desc.type != NFT_DATA_VALUE || desc.len != sizeof(u32)) {
2711 +- err = -EINVAL;
2712 +- goto err;
2713 +- }
2714 + *out = data.data[0];
2715 +-err:
2716 +- nft_data_release(&data, desc.type);
2717 +- return err;
2718 ++
2719 ++ return 0;
2720 + }
2721 +
2722 + static int nft_bitwise_fast_init(const struct nft_ctx *ctx,
2723 +diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
2724 +index b529c0e865466..461763a571f20 100644
2725 +--- a/net/netfilter/nft_cmp.c
2726 ++++ b/net/netfilter/nft_cmp.c
2727 +@@ -73,20 +73,16 @@ static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
2728 + const struct nlattr * const tb[])
2729 + {
2730 + struct nft_cmp_expr *priv = nft_expr_priv(expr);
2731 +- struct nft_data_desc desc;
2732 ++ struct nft_data_desc desc = {
2733 ++ .type = NFT_DATA_VALUE,
2734 ++ .size = sizeof(priv->data),
2735 ++ };
2736 + int err;
2737 +
2738 +- err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc,
2739 +- tb[NFTA_CMP_DATA]);
2740 ++ err = nft_data_init(NULL, &priv->data, &desc, tb[NFTA_CMP_DATA]);
2741 + if (err < 0)
2742 + return err;
2743 +
2744 +- if (desc.type != NFT_DATA_VALUE) {
2745 +- err = -EINVAL;
2746 +- nft_data_release(&priv->data, desc.type);
2747 +- return err;
2748 +- }
2749 +-
2750 + err = nft_parse_register_load(tb[NFTA_CMP_SREG], &priv->sreg, desc.len);
2751 + if (err < 0)
2752 + return err;
2753 +@@ -201,12 +197,14 @@ static int nft_cmp_fast_init(const struct nft_ctx *ctx,
2754 + const struct nlattr * const tb[])
2755 + {
2756 + struct nft_cmp_fast_expr *priv = nft_expr_priv(expr);
2757 +- struct nft_data_desc desc;
2758 + struct nft_data data;
2759 ++ struct nft_data_desc desc = {
2760 ++ .type = NFT_DATA_VALUE,
2761 ++ .size = sizeof(data),
2762 ++ };
2763 + int err;
2764 +
2765 +- err = nft_data_init(NULL, &data, sizeof(data), &desc,
2766 +- tb[NFTA_CMP_DATA]);
2767 ++ err = nft_data_init(NULL, &data, &desc, tb[NFTA_CMP_DATA]);
2768 + if (err < 0)
2769 + return err;
2770 +
2771 +@@ -272,12 +270,108 @@ const struct nft_expr_ops nft_cmp_fast_ops = {
2772 + .offload = nft_cmp_fast_offload,
2773 + };
2774 +
2775 ++static u32 nft_cmp_mask(u32 bitlen)
2776 ++{
2777 ++ return (__force u32)cpu_to_le32(~0U >> (sizeof(u32) * BITS_PER_BYTE - bitlen));
2778 ++}
2779 ++
2780 ++static void nft_cmp16_fast_mask(struct nft_data *data, unsigned int bitlen)
2781 ++{
2782 ++ int len = bitlen / BITS_PER_BYTE;
2783 ++ int i, words = len / sizeof(u32);
2784 ++
2785 ++ for (i = 0; i < words; i++) {
2786 ++ data->data[i] = 0xffffffff;
2787 ++ bitlen -= sizeof(u32) * BITS_PER_BYTE;
2788 ++ }
2789 ++
2790 ++ if (len % sizeof(u32))
2791 ++ data->data[i++] = nft_cmp_mask(bitlen);
2792 ++
2793 ++ for (; i < 4; i++)
2794 ++ data->data[i] = 0;
2795 ++}
2796 ++
2797 ++static int nft_cmp16_fast_init(const struct nft_ctx *ctx,
2798 ++ const struct nft_expr *expr,
2799 ++ const struct nlattr * const tb[])
2800 ++{
2801 ++ struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr);
2802 ++ struct nft_data_desc desc = {
2803 ++ .type = NFT_DATA_VALUE,
2804 ++ .size = sizeof(priv->data),
2805 ++ };
2806 ++ int err;
2807 ++
2808 ++ err = nft_data_init(NULL, &priv->data, &desc, tb[NFTA_CMP_DATA]);
2809 ++ if (err < 0)
2810 ++ return err;
2811 ++
2812 ++ err = nft_parse_register_load(tb[NFTA_CMP_SREG], &priv->sreg, desc.len);
2813 ++ if (err < 0)
2814 ++ return err;
2815 ++
2816 ++ nft_cmp16_fast_mask(&priv->mask, desc.len * BITS_PER_BYTE);
2817 ++ priv->inv = ntohl(nla_get_be32(tb[NFTA_CMP_OP])) != NFT_CMP_EQ;
2818 ++ priv->len = desc.len;
2819 ++
2820 ++ return 0;
2821 ++}
2822 ++
2823 ++static int nft_cmp16_fast_offload(struct nft_offload_ctx *ctx,
2824 ++ struct nft_flow_rule *flow,
2825 ++ const struct nft_expr *expr)
2826 ++{
2827 ++ const struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr);
2828 ++ struct nft_cmp_expr cmp = {
2829 ++ .data = priv->data,
2830 ++ .sreg = priv->sreg,
2831 ++ .len = priv->len,
2832 ++ .op = priv->inv ? NFT_CMP_NEQ : NFT_CMP_EQ,
2833 ++ };
2834 ++
2835 ++ return __nft_cmp_offload(ctx, flow, &cmp);
2836 ++}
2837 ++
2838 ++static int nft_cmp16_fast_dump(struct sk_buff *skb, const struct nft_expr *expr)
2839 ++{
2840 ++ const struct nft_cmp16_fast_expr *priv = nft_expr_priv(expr);
2841 ++ enum nft_cmp_ops op = priv->inv ? NFT_CMP_NEQ : NFT_CMP_EQ;
2842 ++
2843 ++ if (nft_dump_register(skb, NFTA_CMP_SREG, priv->sreg))
2844 ++ goto nla_put_failure;
2845 ++ if (nla_put_be32(skb, NFTA_CMP_OP, htonl(op)))
2846 ++ goto nla_put_failure;
2847 ++
2848 ++ if (nft_data_dump(skb, NFTA_CMP_DATA, &priv->data,
2849 ++ NFT_DATA_VALUE, priv->len) < 0)
2850 ++ goto nla_put_failure;
2851 ++ return 0;
2852 ++
2853 ++nla_put_failure:
2854 ++ return -1;
2855 ++}
2856 ++
2857 ++
2858 ++const struct nft_expr_ops nft_cmp16_fast_ops = {
2859 ++ .type = &nft_cmp_type,
2860 ++ .size = NFT_EXPR_SIZE(sizeof(struct nft_cmp16_fast_expr)),
2861 ++ .eval = NULL, /* inlined */
2862 ++ .init = nft_cmp16_fast_init,
2863 ++ .dump = nft_cmp16_fast_dump,
2864 ++ .offload = nft_cmp16_fast_offload,
2865 ++};
2866 ++
2867 + static const struct nft_expr_ops *
2868 + nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[])
2869 + {
2870 +- struct nft_data_desc desc;
2871 + struct nft_data data;
2872 ++ struct nft_data_desc desc = {
2873 ++ .type = NFT_DATA_VALUE,
2874 ++ .size = sizeof(data),
2875 ++ };
2876 + enum nft_cmp_ops op;
2877 ++ u8 sreg;
2878 + int err;
2879 +
2880 + if (tb[NFTA_CMP_SREG] == NULL ||
2881 +@@ -298,23 +392,21 @@ nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[])
2882 + return ERR_PTR(-EINVAL);
2883 + }
2884 +
2885 +- err = nft_data_init(NULL, &data, sizeof(data), &desc,
2886 +- tb[NFTA_CMP_DATA]);
2887 ++ err = nft_data_init(NULL, &data, &desc, tb[NFTA_CMP_DATA]);
2888 + if (err < 0)
2889 + return ERR_PTR(err);
2890 +
2891 +- if (desc.type != NFT_DATA_VALUE) {
2892 +- err = -EINVAL;
2893 +- goto err1;
2894 +- }
2895 +-
2896 +- if (desc.len <= sizeof(u32) && (op == NFT_CMP_EQ || op == NFT_CMP_NEQ))
2897 +- return &nft_cmp_fast_ops;
2898 ++ sreg = ntohl(nla_get_be32(tb[NFTA_CMP_SREG]));
2899 +
2900 ++ if (op == NFT_CMP_EQ || op == NFT_CMP_NEQ) {
2901 ++ if (desc.len <= sizeof(u32))
2902 ++ return &nft_cmp_fast_ops;
2903 ++ else if (desc.len <= sizeof(data) &&
2904 ++ ((sreg >= NFT_REG_1 && sreg <= NFT_REG_4) ||
2905 ++ (sreg >= NFT_REG32_00 && sreg <= NFT_REG32_12 && sreg % 2 == 0)))
2906 ++ return &nft_cmp16_fast_ops;
2907 ++ }
2908 + return &nft_cmp_ops;
2909 +-err1:
2910 +- nft_data_release(&data, desc.type);
2911 +- return ERR_PTR(-EINVAL);
2912 + }
2913 +
2914 + struct nft_expr_type nft_cmp_type __read_mostly = {
2915 +diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
2916 +index d0f67d325bdfd..fcdbc5ed3f367 100644
2917 +--- a/net/netfilter/nft_immediate.c
2918 ++++ b/net/netfilter/nft_immediate.c
2919 +@@ -29,20 +29,36 @@ static const struct nla_policy nft_immediate_policy[NFTA_IMMEDIATE_MAX + 1] = {
2920 + [NFTA_IMMEDIATE_DATA] = { .type = NLA_NESTED },
2921 + };
2922 +
2923 ++static enum nft_data_types nft_reg_to_type(const struct nlattr *nla)
2924 ++{
2925 ++ enum nft_data_types type;
2926 ++ u8 reg;
2927 ++
2928 ++ reg = ntohl(nla_get_be32(nla));
2929 ++ if (reg == NFT_REG_VERDICT)
2930 ++ type = NFT_DATA_VERDICT;
2931 ++ else
2932 ++ type = NFT_DATA_VALUE;
2933 ++
2934 ++ return type;
2935 ++}
2936 ++
2937 + static int nft_immediate_init(const struct nft_ctx *ctx,
2938 + const struct nft_expr *expr,
2939 + const struct nlattr * const tb[])
2940 + {
2941 + struct nft_immediate_expr *priv = nft_expr_priv(expr);
2942 +- struct nft_data_desc desc;
2943 ++ struct nft_data_desc desc = {
2944 ++ .size = sizeof(priv->data),
2945 ++ };
2946 + int err;
2947 +
2948 + if (tb[NFTA_IMMEDIATE_DREG] == NULL ||
2949 + tb[NFTA_IMMEDIATE_DATA] == NULL)
2950 + return -EINVAL;
2951 +
2952 +- err = nft_data_init(ctx, &priv->data, sizeof(priv->data), &desc,
2953 +- tb[NFTA_IMMEDIATE_DATA]);
2954 ++ desc.type = nft_reg_to_type(tb[NFTA_IMMEDIATE_DREG]);
2955 ++ err = nft_data_init(ctx, &priv->data, &desc, tb[NFTA_IMMEDIATE_DATA]);
2956 + if (err < 0)
2957 + return err;
2958 +
2959 +diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
2960 +index d82677e83400b..720dc9fba6d4f 100644
2961 +--- a/net/netfilter/nft_osf.c
2962 ++++ b/net/netfilter/nft_osf.c
2963 +@@ -115,9 +115,21 @@ static int nft_osf_validate(const struct nft_ctx *ctx,
2964 + const struct nft_expr *expr,
2965 + const struct nft_data **data)
2966 + {
2967 +- return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) |
2968 +- (1 << NF_INET_PRE_ROUTING) |
2969 +- (1 << NF_INET_FORWARD));
2970 ++ unsigned int hooks;
2971 ++
2972 ++ switch (ctx->family) {
2973 ++ case NFPROTO_IPV4:
2974 ++ case NFPROTO_IPV6:
2975 ++ case NFPROTO_INET:
2976 ++ hooks = (1 << NF_INET_LOCAL_IN) |
2977 ++ (1 << NF_INET_PRE_ROUTING) |
2978 ++ (1 << NF_INET_FORWARD);
2979 ++ break;
2980 ++ default:
2981 ++ return -EOPNOTSUPP;
2982 ++ }
2983 ++
2984 ++ return nft_chain_validate_hooks(ctx->chain, hooks);
2985 + }
2986 +
2987 + static struct nft_expr_type nft_osf_type;
2988 +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
2989 +index 01878c16418c2..551e0d6cf63d4 100644
2990 +--- a/net/netfilter/nft_payload.c
2991 ++++ b/net/netfilter/nft_payload.c
2992 +@@ -660,17 +660,23 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
2993 + const struct nlattr * const tb[])
2994 + {
2995 + struct nft_payload_set *priv = nft_expr_priv(expr);
2996 ++ u32 csum_offset, csum_type = NFT_PAYLOAD_CSUM_NONE;
2997 ++ int err;
2998 +
2999 + priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
3000 + priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
3001 + priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
3002 +
3003 + if (tb[NFTA_PAYLOAD_CSUM_TYPE])
3004 +- priv->csum_type =
3005 +- ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE]));
3006 +- if (tb[NFTA_PAYLOAD_CSUM_OFFSET])
3007 +- priv->csum_offset =
3008 +- ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_OFFSET]));
3009 ++ csum_type = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE]));
3010 ++ if (tb[NFTA_PAYLOAD_CSUM_OFFSET]) {
3011 ++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_CSUM_OFFSET], U8_MAX,
3012 ++ &csum_offset);
3013 ++ if (err < 0)
3014 ++ return err;
3015 ++
3016 ++ priv->csum_offset = csum_offset;
3017 ++ }
3018 + if (tb[NFTA_PAYLOAD_CSUM_FLAGS]) {
3019 + u32 flags;
3020 +
3021 +@@ -681,7 +687,7 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
3022 + priv->csum_flags = flags;
3023 + }
3024 +
3025 +- switch (priv->csum_type) {
3026 ++ switch (csum_type) {
3027 + case NFT_PAYLOAD_CSUM_NONE:
3028 + case NFT_PAYLOAD_CSUM_INET:
3029 + break;
3030 +@@ -695,6 +701,7 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
3031 + default:
3032 + return -EOPNOTSUPP;
3033 + }
3034 ++ priv->csum_type = csum_type;
3035 +
3036 + return nft_parse_register_load(tb[NFTA_PAYLOAD_SREG], &priv->sreg,
3037 + priv->len);
3038 +@@ -733,6 +740,7 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
3039 + {
3040 + enum nft_payload_bases base;
3041 + unsigned int offset, len;
3042 ++ int err;
3043 +
3044 + if (tb[NFTA_PAYLOAD_BASE] == NULL ||
3045 + tb[NFTA_PAYLOAD_OFFSET] == NULL ||
3046 +@@ -758,8 +766,13 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
3047 + if (tb[NFTA_PAYLOAD_DREG] == NULL)
3048 + return ERR_PTR(-EINVAL);
3049 +
3050 +- offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
3051 +- len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
3052 ++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);
3053 ++ if (err < 0)
3054 ++ return ERR_PTR(err);
3055 ++
3056 ++ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len);
3057 ++ if (err < 0)
3058 ++ return ERR_PTR(err);
3059 +
3060 + if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
3061 + base != NFT_PAYLOAD_LL_HEADER)
3062 +diff --git a/net/netfilter/nft_range.c b/net/netfilter/nft_range.c
3063 +index e4a1c44d7f513..e6bbe32c323df 100644
3064 +--- a/net/netfilter/nft_range.c
3065 ++++ b/net/netfilter/nft_range.c
3066 +@@ -51,7 +51,14 @@ static int nft_range_init(const struct nft_ctx *ctx, const struct nft_expr *expr
3067 + const struct nlattr * const tb[])
3068 + {
3069 + struct nft_range_expr *priv = nft_expr_priv(expr);
3070 +- struct nft_data_desc desc_from, desc_to;
3071 ++ struct nft_data_desc desc_from = {
3072 ++ .type = NFT_DATA_VALUE,
3073 ++ .size = sizeof(priv->data_from),
3074 ++ };
3075 ++ struct nft_data_desc desc_to = {
3076 ++ .type = NFT_DATA_VALUE,
3077 ++ .size = sizeof(priv->data_to),
3078 ++ };
3079 + int err;
3080 + u32 op;
3081 +
3082 +@@ -61,26 +68,16 @@ static int nft_range_init(const struct nft_ctx *ctx, const struct nft_expr *expr
3083 + !tb[NFTA_RANGE_TO_DATA])
3084 + return -EINVAL;
3085 +
3086 +- err = nft_data_init(NULL, &priv->data_from, sizeof(priv->data_from),
3087 +- &desc_from, tb[NFTA_RANGE_FROM_DATA]);
3088 ++ err = nft_data_init(NULL, &priv->data_from, &desc_from,
3089 ++ tb[NFTA_RANGE_FROM_DATA]);
3090 + if (err < 0)
3091 + return err;
3092 +
3093 +- if (desc_from.type != NFT_DATA_VALUE) {
3094 +- err = -EINVAL;
3095 +- goto err1;
3096 +- }
3097 +-
3098 +- err = nft_data_init(NULL, &priv->data_to, sizeof(priv->data_to),
3099 +- &desc_to, tb[NFTA_RANGE_TO_DATA]);
3100 ++ err = nft_data_init(NULL, &priv->data_to, &desc_to,
3101 ++ tb[NFTA_RANGE_TO_DATA]);
3102 + if (err < 0)
3103 + goto err1;
3104 +
3105 +- if (desc_to.type != NFT_DATA_VALUE) {
3106 +- err = -EINVAL;
3107 +- goto err2;
3108 +- }
3109 +-
3110 + if (desc_from.len != desc_to.len) {
3111 + err = -EINVAL;
3112 + goto err2;
3113 +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
3114 +index 3b27926d5382c..2ee50996da8cc 100644
3115 +--- a/net/netfilter/nft_tunnel.c
3116 ++++ b/net/netfilter/nft_tunnel.c
3117 +@@ -133,6 +133,7 @@ static const struct nft_expr_ops nft_tunnel_get_ops = {
3118 +
3119 + static struct nft_expr_type nft_tunnel_type __read_mostly = {
3120 + .name = "tunnel",
3121 ++ .family = NFPROTO_NETDEV,
3122 + .ops = &nft_tunnel_get_ops,
3123 + .policy = nft_tunnel_policy,
3124 + .maxattr = NFTA_TUNNEL_MAX,
3125 +diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
3126 +index 11c45c8c6c164..036d92c0ad794 100644
3127 +--- a/net/rose/rose_loopback.c
3128 ++++ b/net/rose/rose_loopback.c
3129 +@@ -96,7 +96,8 @@ static void rose_loopback_timer(struct timer_list *unused)
3130 + }
3131 +
3132 + if (frametype == ROSE_CALL_REQUEST) {
3133 +- if (!rose_loopback_neigh->dev) {
3134 ++ if (!rose_loopback_neigh->dev &&
3135 ++ !rose_loopback_neigh->loopback) {
3136 + kfree_skb(skb);
3137 + continue;
3138 + }
3139 +diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
3140 +index 043508fd8d8a5..150cd7b2154c8 100644
3141 +--- a/net/rxrpc/call_object.c
3142 ++++ b/net/rxrpc/call_object.c
3143 +@@ -285,8 +285,10 @@ struct rxrpc_call *rxrpc_new_client_call(struct rxrpc_sock *rx,
3144 + _enter("%p,%lx", rx, p->user_call_ID);
3145 +
3146 + limiter = rxrpc_get_call_slot(p, gfp);
3147 +- if (!limiter)
3148 ++ if (!limiter) {
3149 ++ release_sock(&rx->sk);
3150 + return ERR_PTR(-ERESTARTSYS);
3151 ++ }
3152 +
3153 + call = rxrpc_alloc_client_call(rx, srx, gfp, debug_id);
3154 + if (IS_ERR(call)) {
3155 +diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
3156 +index aa23ba4e25662..eef3c14fd1c18 100644
3157 +--- a/net/rxrpc/sendmsg.c
3158 ++++ b/net/rxrpc/sendmsg.c
3159 +@@ -51,10 +51,7 @@ static int rxrpc_wait_for_tx_window_intr(struct rxrpc_sock *rx,
3160 + return sock_intr_errno(*timeo);
3161 +
3162 + trace_rxrpc_transmit(call, rxrpc_transmit_wait);
3163 +- mutex_unlock(&call->user_mutex);
3164 + *timeo = schedule_timeout(*timeo);
3165 +- if (mutex_lock_interruptible(&call->user_mutex) < 0)
3166 +- return sock_intr_errno(*timeo);
3167 + }
3168 + }
3169 +
3170 +@@ -290,37 +287,48 @@ out:
3171 + static int rxrpc_send_data(struct rxrpc_sock *rx,
3172 + struct rxrpc_call *call,
3173 + struct msghdr *msg, size_t len,
3174 +- rxrpc_notify_end_tx_t notify_end_tx)
3175 ++ rxrpc_notify_end_tx_t notify_end_tx,
3176 ++ bool *_dropped_lock)
3177 + {
3178 + struct rxrpc_skb_priv *sp;
3179 + struct sk_buff *skb;
3180 + struct sock *sk = &rx->sk;
3181 ++ enum rxrpc_call_state state;
3182 + long timeo;
3183 +- bool more;
3184 +- int ret, copied;
3185 ++ bool more = msg->msg_flags & MSG_MORE;
3186 ++ int ret, copied = 0;
3187 +
3188 + timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
3189 +
3190 + /* this should be in poll */
3191 + sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk);
3192 +
3193 ++reload:
3194 ++ ret = -EPIPE;
3195 + if (sk->sk_shutdown & SEND_SHUTDOWN)
3196 +- return -EPIPE;
3197 +-
3198 +- more = msg->msg_flags & MSG_MORE;
3199 +-
3200 ++ goto maybe_error;
3201 ++ state = READ_ONCE(call->state);
3202 ++ ret = -ESHUTDOWN;
3203 ++ if (state >= RXRPC_CALL_COMPLETE)
3204 ++ goto maybe_error;
3205 ++ ret = -EPROTO;
3206 ++ if (state != RXRPC_CALL_CLIENT_SEND_REQUEST &&
3207 ++ state != RXRPC_CALL_SERVER_ACK_REQUEST &&
3208 ++ state != RXRPC_CALL_SERVER_SEND_REPLY)
3209 ++ goto maybe_error;
3210 ++
3211 ++ ret = -EMSGSIZE;
3212 + if (call->tx_total_len != -1) {
3213 +- if (len > call->tx_total_len)
3214 +- return -EMSGSIZE;
3215 +- if (!more && len != call->tx_total_len)
3216 +- return -EMSGSIZE;
3217 ++ if (len - copied > call->tx_total_len)
3218 ++ goto maybe_error;
3219 ++ if (!more && len - copied != call->tx_total_len)
3220 ++ goto maybe_error;
3221 + }
3222 +
3223 + skb = call->tx_pending;
3224 + call->tx_pending = NULL;
3225 + rxrpc_see_skb(skb, rxrpc_skb_seen);
3226 +
3227 +- copied = 0;
3228 + do {
3229 + /* Check to see if there's a ping ACK to reply to. */
3230 + if (call->ackr_reason == RXRPC_ACK_PING_RESPONSE)
3231 +@@ -331,16 +339,8 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
3232 +
3233 + _debug("alloc");
3234 +
3235 +- if (!rxrpc_check_tx_space(call, NULL)) {
3236 +- ret = -EAGAIN;
3237 +- if (msg->msg_flags & MSG_DONTWAIT)
3238 +- goto maybe_error;
3239 +- ret = rxrpc_wait_for_tx_window(rx, call,
3240 +- &timeo,
3241 +- msg->msg_flags & MSG_WAITALL);
3242 +- if (ret < 0)
3243 +- goto maybe_error;
3244 +- }
3245 ++ if (!rxrpc_check_tx_space(call, NULL))
3246 ++ goto wait_for_space;
3247 +
3248 + max = RXRPC_JUMBO_DATALEN;
3249 + max -= call->conn->security_size;
3250 +@@ -485,6 +485,27 @@ maybe_error:
3251 + efault:
3252 + ret = -EFAULT;
3253 + goto out;
3254 ++
3255 ++wait_for_space:
3256 ++ ret = -EAGAIN;
3257 ++ if (msg->msg_flags & MSG_DONTWAIT)
3258 ++ goto maybe_error;
3259 ++ mutex_unlock(&call->user_mutex);
3260 ++ *_dropped_lock = true;
3261 ++ ret = rxrpc_wait_for_tx_window(rx, call, &timeo,
3262 ++ msg->msg_flags & MSG_WAITALL);
3263 ++ if (ret < 0)
3264 ++ goto maybe_error;
3265 ++ if (call->interruptibility == RXRPC_INTERRUPTIBLE) {
3266 ++ if (mutex_lock_interruptible(&call->user_mutex) < 0) {
3267 ++ ret = sock_intr_errno(timeo);
3268 ++ goto maybe_error;
3269 ++ }
3270 ++ } else {
3271 ++ mutex_lock(&call->user_mutex);
3272 ++ }
3273 ++ *_dropped_lock = false;
3274 ++ goto reload;
3275 + }
3276 +
3277 + /*
3278 +@@ -646,6 +667,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
3279 + enum rxrpc_call_state state;
3280 + struct rxrpc_call *call;
3281 + unsigned long now, j;
3282 ++ bool dropped_lock = false;
3283 + int ret;
3284 +
3285 + struct rxrpc_send_params p = {
3286 +@@ -754,21 +776,13 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
3287 + ret = rxrpc_send_abort_packet(call);
3288 + } else if (p.command != RXRPC_CMD_SEND_DATA) {
3289 + ret = -EINVAL;
3290 +- } else if (rxrpc_is_client_call(call) &&
3291 +- state != RXRPC_CALL_CLIENT_SEND_REQUEST) {
3292 +- /* request phase complete for this client call */
3293 +- ret = -EPROTO;
3294 +- } else if (rxrpc_is_service_call(call) &&
3295 +- state != RXRPC_CALL_SERVER_ACK_REQUEST &&
3296 +- state != RXRPC_CALL_SERVER_SEND_REPLY) {
3297 +- /* Reply phase not begun or not complete for service call. */
3298 +- ret = -EPROTO;
3299 + } else {
3300 +- ret = rxrpc_send_data(rx, call, msg, len, NULL);
3301 ++ ret = rxrpc_send_data(rx, call, msg, len, NULL, &dropped_lock);
3302 + }
3303 +
3304 + out_put_unlock:
3305 +- mutex_unlock(&call->user_mutex);
3306 ++ if (!dropped_lock)
3307 ++ mutex_unlock(&call->user_mutex);
3308 + error_put:
3309 + rxrpc_put_call(call, rxrpc_call_put);
3310 + _leave(" = %d", ret);
3311 +@@ -796,6 +810,7 @@ int rxrpc_kernel_send_data(struct socket *sock, struct rxrpc_call *call,
3312 + struct msghdr *msg, size_t len,
3313 + rxrpc_notify_end_tx_t notify_end_tx)
3314 + {
3315 ++ bool dropped_lock = false;
3316 + int ret;
3317 +
3318 + _enter("{%d,%s},", call->debug_id, rxrpc_call_states[call->state]);
3319 +@@ -813,7 +828,7 @@ int rxrpc_kernel_send_data(struct socket *sock, struct rxrpc_call *call,
3320 + case RXRPC_CALL_SERVER_ACK_REQUEST:
3321 + case RXRPC_CALL_SERVER_SEND_REPLY:
3322 + ret = rxrpc_send_data(rxrpc_sk(sock->sk), call, msg, len,
3323 +- notify_end_tx);
3324 ++ notify_end_tx, &dropped_lock);
3325 + break;
3326 + case RXRPC_CALL_COMPLETE:
3327 + read_lock_bh(&call->state_lock);
3328 +@@ -827,7 +842,8 @@ int rxrpc_kernel_send_data(struct socket *sock, struct rxrpc_call *call,
3329 + break;
3330 + }
3331 +
3332 +- mutex_unlock(&call->user_mutex);
3333 ++ if (!dropped_lock)
3334 ++ mutex_unlock(&call->user_mutex);
3335 + _leave(" = %d", ret);
3336 + return ret;
3337 + }
3338 +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
3339 +index 5d5391adb667c..68f1e89430b3b 100644
3340 +--- a/net/sched/sch_generic.c
3341 ++++ b/net/sched/sch_generic.c
3342 +@@ -403,7 +403,7 @@ static inline bool qdisc_restart(struct Qdisc *q, int *packets)
3343 +
3344 + void __qdisc_run(struct Qdisc *q)
3345 + {
3346 +- int quota = dev_tx_weight;
3347 ++ int quota = READ_ONCE(dev_tx_weight);
3348 + int packets;
3349 +
3350 + while (qdisc_restart(q, &packets)) {
3351 +diff --git a/net/socket.c b/net/socket.c
3352 +index d52c265ad449b..bcf68b150fe29 100644
3353 +--- a/net/socket.c
3354 ++++ b/net/socket.c
3355 +@@ -1670,7 +1670,7 @@ int __sys_listen(int fd, int backlog)
3356 +
3357 + sock = sockfd_lookup_light(fd, &err, &fput_needed);
3358 + if (sock) {
3359 +- somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn;
3360 ++ somaxconn = READ_ONCE(sock_net(sock->sk)->core.sysctl_somaxconn);
3361 + if ((unsigned int)backlog > somaxconn)
3362 + backlog = somaxconn;
3363 +
3364 +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
3365 +index c5af31312e0cf..78c6648af7827 100644
3366 +--- a/net/sunrpc/clnt.c
3367 ++++ b/net/sunrpc/clnt.c
3368 +@@ -1867,7 +1867,7 @@ call_encode(struct rpc_task *task)
3369 + break;
3370 + case -EKEYEXPIRED:
3371 + if (!task->tk_cred_retry) {
3372 +- rpc_exit(task, task->tk_status);
3373 ++ rpc_call_rpcerror(task, task->tk_status);
3374 + } else {
3375 + task->tk_action = call_refresh;
3376 + task->tk_cred_retry--;
3377 +diff --git a/net/tipc/socket.c b/net/tipc/socket.c
3378 +index 38256aabf4f1d..8f3c9fbb99165 100644
3379 +--- a/net/tipc/socket.c
3380 ++++ b/net/tipc/socket.c
3381 +@@ -504,7 +504,7 @@ static int tipc_sk_create(struct net *net, struct socket *sock,
3382 + timer_setup(&sk->sk_timer, tipc_sk_timeout, 0);
3383 + sk->sk_shutdown = 0;
3384 + sk->sk_backlog_rcv = tipc_sk_backlog_rcv;
3385 +- sk->sk_rcvbuf = sysctl_tipc_rmem[1];
3386 ++ sk->sk_rcvbuf = READ_ONCE(sysctl_tipc_rmem[1]);
3387 + sk->sk_data_ready = tipc_data_ready;
3388 + sk->sk_write_space = tipc_write_space;
3389 + sk->sk_destruct = tipc_sock_destruct;
3390 +diff --git a/net/xfrm/espintcp.c b/net/xfrm/espintcp.c
3391 +index 1f08ebf7d80c5..24ca49ecebea3 100644
3392 +--- a/net/xfrm/espintcp.c
3393 ++++ b/net/xfrm/espintcp.c
3394 +@@ -170,7 +170,7 @@ int espintcp_queue_out(struct sock *sk, struct sk_buff *skb)
3395 + {
3396 + struct espintcp_ctx *ctx = espintcp_getctx(sk);
3397 +
3398 +- if (skb_queue_len(&ctx->out_queue) >= netdev_max_backlog)
3399 ++ if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog))
3400 + return -ENOBUFS;
3401 +
3402 + __skb_queue_tail(&ctx->out_queue, skb);
3403 +diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
3404 +index 61e6220ddd5ae..77e82033ad700 100644
3405 +--- a/net/xfrm/xfrm_input.c
3406 ++++ b/net/xfrm/xfrm_input.c
3407 +@@ -782,7 +782,7 @@ int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
3408 +
3409 + trans = this_cpu_ptr(&xfrm_trans_tasklet);
3410 +
3411 +- if (skb_queue_len(&trans->queue) >= netdev_max_backlog)
3412 ++ if (skb_queue_len(&trans->queue) >= READ_ONCE(netdev_max_backlog))
3413 + return -ENOBUFS;
3414 +
3415 + BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb));
3416 +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
3417 +index 603b05ed7eb4c..0d12bdf59d4cc 100644
3418 +--- a/net/xfrm/xfrm_policy.c
3419 ++++ b/net/xfrm/xfrm_policy.c
3420 +@@ -3164,7 +3164,7 @@ ok:
3421 + return dst;
3422 +
3423 + nopol:
3424 +- if (!(dst_orig->dev->flags & IFF_LOOPBACK) &&
3425 ++ if ((!dst_orig->dev || !(dst_orig->dev->flags & IFF_LOOPBACK)) &&
3426 + net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
3427 + err = -EPERM;
3428 + goto error;
3429 +@@ -3641,6 +3641,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
3430 + if (pols[1]) {
3431 + if (IS_ERR(pols[1])) {
3432 + XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
3433 ++ xfrm_pol_put(pols[0]);
3434 + return 0;
3435 + }
3436 + pols[1]->curlft.use_time = ktime_get_real_seconds();
3437 +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
3438 +index bc0bbb1571cef..fdbd56ed4bd52 100644
3439 +--- a/net/xfrm/xfrm_state.c
3440 ++++ b/net/xfrm/xfrm_state.c
3441 +@@ -1557,6 +1557,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
3442 + x->replay = orig->replay;
3443 + x->preplay = orig->preplay;
3444 + x->mapping_maxage = orig->mapping_maxage;
3445 ++ x->lastused = orig->lastused;
3446 + x->new_mapping = 0;
3447 + x->new_mapping_sport = 0;
3448 +
3449 +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
3450 +index 5ee3c4d1fbb2b..3e7706c251e9e 100644
3451 +--- a/tools/perf/Makefile.config
3452 ++++ b/tools/perf/Makefile.config
3453 +@@ -248,7 +248,7 @@ endif
3454 + # defined. get-executable-or-default fails with an error if the first argument is supplied but
3455 + # doesn't exist.
3456 + override PYTHON_CONFIG := $(call get-executable-or-default,PYTHON_CONFIG,$(PYTHON_AUTO))
3457 +-override PYTHON := $(call get-executable-or-default,PYTHON,$(subst -config,,$(PYTHON_AUTO)))
3458 ++override PYTHON := $(call get-executable-or-default,PYTHON,$(subst -config,,$(PYTHON_CONFIG)))
3459 +
3460 + grep-libs = $(filter -l%,$(1))
3461 + strip-libs = $(filter-out -l%,$(1))
Report Message
Find on MARC Find on Google Groups