Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Thu, 31 Jan 2019 11:22:49
Message-Id: 1548933736.b13a2c729503c4f75dd3091914dceafe4dfe1133.mpagano@gentoo
1 commit: b13a2c729503c4f75dd3091914dceafe4dfe1133
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jan 31 11:22:16 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu Jan 31 11:22:16 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=b13a2c72
7
8 proj/linux-patches: Linux patch 4.9.154
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1153_linux-4.9.154.patch | 1657 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1661 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index f17614f..dfd18f6 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -655,6 +655,10 @@ Patch: 1152_linux-4.9.153.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.153
23
24 +Patch: 1153_linux-4.9.154.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.154
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1153_linux-4.9.154.patch b/1153_linux-4.9.154.patch
33 new file mode 100644
34 index 0000000..f397bc0
35 --- /dev/null
36 +++ b/1153_linux-4.9.154.patch
37 @@ -0,0 +1,1657 @@
38 +diff --git a/Makefile b/Makefile
39 +index 44a487ee24d2..9964792e200f 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 9
45 +-SUBLEVEL = 153
46 ++SUBLEVEL = 154
47 + EXTRAVERSION =
48 + NAME = Roaring Lionus
49 +
50 +diff --git a/arch/arc/include/asm/perf_event.h b/arch/arc/include/asm/perf_event.h
51 +index 9185541035cc..6958545390f0 100644
52 +--- a/arch/arc/include/asm/perf_event.h
53 ++++ b/arch/arc/include/asm/perf_event.h
54 +@@ -103,7 +103,8 @@ static const char * const arc_pmu_ev_hw_map[] = {
55 +
56 + /* counts condition */
57 + [PERF_COUNT_HW_INSTRUCTIONS] = "iall",
58 +- [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = "ijmp", /* Excludes ZOL jumps */
59 ++ /* All jump instructions that are taken */
60 ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = "ijmptak",
61 + [PERF_COUNT_ARC_BPOK] = "bpok", /* NP-NT, PT-T, PNT-NT */
62 + #ifdef CONFIG_ISA_ARCV2
63 + [PERF_COUNT_HW_BRANCH_MISSES] = "bpmp",
64 +diff --git a/arch/arc/lib/memset-archs.S b/arch/arc/lib/memset-archs.S
65 +index 62ad4bcb841a..f230bb7092fd 100644
66 +--- a/arch/arc/lib/memset-archs.S
67 ++++ b/arch/arc/lib/memset-archs.S
68 +@@ -7,11 +7,39 @@
69 + */
70 +
71 + #include <linux/linkage.h>
72 ++#include <asm/cache.h>
73 +
74 +-#undef PREALLOC_NOT_AVAIL
75 ++/*
76 ++ * The memset implementation below is optimized to use prefetchw and prealloc
77 ++ * instruction in case of CPU with 64B L1 data cache line (L1_CACHE_SHIFT == 6)
78 ++ * If you want to implement optimized memset for other possible L1 data cache
79 ++ * line lengths (32B and 128B) you should rewrite code carefully checking
80 ++ * we don't call any prefetchw/prealloc instruction for L1 cache lines which
81 ++ * don't belongs to memset area.
82 ++ */
83 ++
84 ++#if L1_CACHE_SHIFT == 6
85 ++
86 ++.macro PREALLOC_INSTR reg, off
87 ++ prealloc [\reg, \off]
88 ++.endm
89 ++
90 ++.macro PREFETCHW_INSTR reg, off
91 ++ prefetchw [\reg, \off]
92 ++.endm
93 ++
94 ++#else
95 ++
96 ++.macro PREALLOC_INSTR
97 ++.endm
98 ++
99 ++.macro PREFETCHW_INSTR
100 ++.endm
101 ++
102 ++#endif
103 +
104 + ENTRY_CFI(memset)
105 +- prefetchw [r0] ; Prefetch the write location
106 ++ PREFETCHW_INSTR r0, 0 ; Prefetch the first write location
107 + mov.f 0, r2
108 + ;;; if size is zero
109 + jz.d [blink]
110 +@@ -48,11 +76,8 @@ ENTRY_CFI(memset)
111 +
112 + lpnz @.Lset64bytes
113 + ;; LOOP START
114 +-#ifdef PREALLOC_NOT_AVAIL
115 +- prefetchw [r3, 64] ;Prefetch the next write location
116 +-#else
117 +- prealloc [r3, 64]
118 +-#endif
119 ++ PREALLOC_INSTR r3, 64 ; alloc next line w/o fetching
120 ++
121 + #ifdef CONFIG_ARC_HAS_LL64
122 + std.ab r4, [r3, 8]
123 + std.ab r4, [r3, 8]
124 +@@ -85,7 +110,6 @@ ENTRY_CFI(memset)
125 + lsr.f lp_count, r2, 5 ;Last remaining max 124 bytes
126 + lpnz .Lset32bytes
127 + ;; LOOP START
128 +- prefetchw [r3, 32] ;Prefetch the next write location
129 + #ifdef CONFIG_ARC_HAS_LL64
130 + std.ab r4, [r3, 8]
131 + std.ab r4, [r3, 8]
132 +diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
133 +index 0c7a7d5d95f1..a651c2bc94ef 100644
134 +--- a/arch/s390/kernel/early.c
135 ++++ b/arch/s390/kernel/early.c
136 +@@ -224,10 +224,10 @@ static noinline __init void detect_machine_type(void)
137 + if (stsi(vmms, 3, 2, 2) || !vmms->count)
138 + return;
139 +
140 +- /* Running under KVM? If not we assume z/VM */
141 ++ /* Detect known hypervisors */
142 + if (!memcmp(vmms->vm[0].cpi, "\xd2\xe5\xd4", 3))
143 + S390_lowcore.machine_flags |= MACHINE_FLAG_KVM;
144 +- else
145 ++ else if (!memcmp(vmms->vm[0].cpi, "\xa9\x61\xe5\xd4", 4))
146 + S390_lowcore.machine_flags |= MACHINE_FLAG_VM;
147 + }
148 +
149 +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
150 +index feb9d97a9d14..a559908d180e 100644
151 +--- a/arch/s390/kernel/setup.c
152 ++++ b/arch/s390/kernel/setup.c
153 +@@ -863,6 +863,8 @@ void __init setup_arch(char **cmdline_p)
154 + pr_info("Linux is running under KVM in 64-bit mode\n");
155 + else if (MACHINE_IS_LPAR)
156 + pr_info("Linux is running natively in 64-bit mode\n");
157 ++ else
158 ++ pr_info("Linux is running as a guest in 64-bit mode\n");
159 +
160 + /* Have one command line that is parsed and saved in /proc/cmdline */
161 + /* boot_command_line has been already set up in early.c */
162 +diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
163 +index 0a31110f41f6..d52a94e9f57f 100644
164 +--- a/arch/s390/kernel/smp.c
165 ++++ b/arch/s390/kernel/smp.c
166 +@@ -357,9 +357,13 @@ void smp_call_online_cpu(void (*func)(void *), void *data)
167 + */
168 + void smp_call_ipl_cpu(void (*func)(void *), void *data)
169 + {
170 ++ struct lowcore *lc = pcpu_devices->lowcore;
171 ++
172 ++ if (pcpu_devices[0].address == stap())
173 ++ lc = &S390_lowcore;
174 ++
175 + pcpu_delegate(&pcpu_devices[0], func, data,
176 +- pcpu_devices->lowcore->panic_stack -
177 +- PANIC_FRAME_OFFSET + PAGE_SIZE);
178 ++ lc->panic_stack - PANIC_FRAME_OFFSET + PAGE_SIZE);
179 + }
180 +
181 + int smp_find_processor_id(u16 address)
182 +@@ -1139,7 +1143,11 @@ static ssize_t __ref rescan_store(struct device *dev,
183 + {
184 + int rc;
185 +
186 ++ rc = lock_device_hotplug_sysfs();
187 ++ if (rc)
188 ++ return rc;
189 + rc = smp_rescan_cpus();
190 ++ unlock_device_hotplug();
191 + return rc ? rc : count;
192 + }
193 + static DEVICE_ATTR(rescan, 0200, NULL, rescan_store);
194 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
195 +index 46e0ad71b4da..851e9d6c864f 100644
196 +--- a/arch/x86/kvm/x86.c
197 ++++ b/arch/x86/kvm/x86.c
198 +@@ -5795,8 +5795,7 @@ restart:
199 + toggle_interruptibility(vcpu, ctxt->interruptibility);
200 + vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
201 + kvm_rip_write(vcpu, ctxt->eip);
202 +- if (r == EMULATE_DONE &&
203 +- (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)))
204 ++ if (r == EMULATE_DONE && ctxt->tf)
205 + kvm_vcpu_do_singlestep(vcpu, &r);
206 + if (!ctxt->have_exception ||
207 + exception_type(ctxt->exception.vector) == EXCPT_TRAP)
208 +diff --git a/arch/x86/lib/kaslr.c b/arch/x86/lib/kaslr.c
209 +index 0c7fe444dcdd..d8d868070e24 100644
210 +--- a/arch/x86/lib/kaslr.c
211 ++++ b/arch/x86/lib/kaslr.c
212 +@@ -35,8 +35,8 @@ static inline u16 i8254(void)
213 + u16 status, timer;
214 +
215 + do {
216 +- outb(I8254_PORT_CONTROL,
217 +- I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
218 ++ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0,
219 ++ I8254_PORT_CONTROL);
220 + status = inb(I8254_PORT_COUNTER0);
221 + timer = inb(I8254_PORT_COUNTER0);
222 + timer |= inb(I8254_PORT_COUNTER0) << 8;
223 +diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
224 +index ef32e5766a01..06cf7427d0c4 100644
225 +--- a/drivers/acpi/nfit/core.c
226 ++++ b/drivers/acpi/nfit/core.c
227 +@@ -185,6 +185,32 @@ static int xlat_status(struct nvdimm *nvdimm, void *buf, unsigned int cmd,
228 + return 0;
229 + }
230 +
231 ++static int cmd_to_func(struct nfit_mem *nfit_mem, unsigned int cmd,
232 ++ struct nd_cmd_pkg *call_pkg)
233 ++{
234 ++ if (call_pkg) {
235 ++ int i;
236 ++
237 ++ if (nfit_mem->family != call_pkg->nd_family)
238 ++ return -ENOTTY;
239 ++
240 ++ for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)
241 ++ if (call_pkg->nd_reserved2[i])
242 ++ return -EINVAL;
243 ++ return call_pkg->nd_command;
244 ++ }
245 ++
246 ++ /* Linux ND commands == NVDIMM_FAMILY_INTEL function numbers */
247 ++ if (nfit_mem->family == NVDIMM_FAMILY_INTEL)
248 ++ return cmd;
249 ++
250 ++ /*
251 ++ * Force function number validation to fail since 0 is never
252 ++ * published as a valid function in dsm_mask.
253 ++ */
254 ++ return 0;
255 ++}
256 ++
257 + int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
258 + unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc)
259 + {
260 +@@ -197,17 +223,11 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
261 + unsigned long cmd_mask, dsm_mask;
262 + u32 offset, fw_status = 0;
263 + acpi_handle handle;
264 +- unsigned int func;
265 + const u8 *uuid;
266 +- int rc, i;
267 ++ int func, rc, i;
268 +
269 + if (cmd_rc)
270 + *cmd_rc = -EINVAL;
271 +- func = cmd;
272 +- if (cmd == ND_CMD_CALL) {
273 +- call_pkg = buf;
274 +- func = call_pkg->nd_command;
275 +- }
276 +
277 + if (nvdimm) {
278 + struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
279 +@@ -215,9 +235,12 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
280 +
281 + if (!adev)
282 + return -ENOTTY;
283 +- if (call_pkg && nfit_mem->family != call_pkg->nd_family)
284 +- return -ENOTTY;
285 +
286 ++ if (cmd == ND_CMD_CALL)
287 ++ call_pkg = buf;
288 ++ func = cmd_to_func(nfit_mem, cmd, call_pkg);
289 ++ if (func < 0)
290 ++ return func;
291 + dimm_name = nvdimm_name(nvdimm);
292 + cmd_name = nvdimm_cmd_name(cmd);
293 + cmd_mask = nvdimm_cmd_mask(nvdimm);
294 +@@ -228,6 +251,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
295 + } else {
296 + struct acpi_device *adev = to_acpi_dev(acpi_desc);
297 +
298 ++ func = cmd;
299 + cmd_name = nvdimm_bus_cmd_name(cmd);
300 + cmd_mask = nd_desc->cmd_mask;
301 + dsm_mask = cmd_mask;
302 +@@ -240,7 +264,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
303 + if (!desc || (cmd && (desc->out_num + desc->in_num == 0)))
304 + return -ENOTTY;
305 +
306 +- if (!test_bit(cmd, &cmd_mask) || !test_bit(func, &dsm_mask))
307 ++ /*
308 ++ * Check for a valid command. For ND_CMD_CALL, we also have to
309 ++ * make sure that the DSM function is supported.
310 ++ */
311 ++ if (cmd == ND_CMD_CALL && !test_bit(func, &dsm_mask))
312 ++ return -ENOTTY;
313 ++ else if (!test_bit(cmd, &cmd_mask))
314 + return -ENOTTY;
315 +
316 + in_obj.type = ACPI_TYPE_PACKAGE;
317 +@@ -1433,6 +1463,13 @@ static int acpi_nfit_add_dimm(struct acpi_nfit_desc *acpi_desc,
318 + return 0;
319 + }
320 +
321 ++ /*
322 ++ * Function 0 is the command interrogation function, don't
323 ++ * export it to potential userspace use, and enable it to be
324 ++ * used as an error value in acpi_nfit_ctl().
325 ++ */
326 ++ dsm_mask &= ~1UL;
327 ++
328 + uuid = to_nfit_uuid(nfit_mem->family);
329 + for_each_set_bit(i, &dsm_mask, BITS_PER_LONG)
330 + if (acpi_check_dsm(adev_dimm->handle, uuid, 1, 1ULL << i))
331 +diff --git a/drivers/char/mwave/mwavedd.c b/drivers/char/mwave/mwavedd.c
332 +index 3a3ff2eb6cba..7a4f9346cccf 100644
333 +--- a/drivers/char/mwave/mwavedd.c
334 ++++ b/drivers/char/mwave/mwavedd.c
335 +@@ -59,6 +59,7 @@
336 + #include <linux/mutex.h>
337 + #include <linux/delay.h>
338 + #include <linux/serial_8250.h>
339 ++#include <linux/nospec.h>
340 + #include "smapi.h"
341 + #include "mwavedd.h"
342 + #include "3780i.h"
343 +@@ -289,6 +290,8 @@ static long mwave_ioctl(struct file *file, unsigned int iocmd,
344 + ipcnum);
345 + return -EINVAL;
346 + }
347 ++ ipcnum = array_index_nospec(ipcnum,
348 ++ ARRAY_SIZE(pDrvData->IPCs));
349 + PRINTK_3(TRACE_MWAVE,
350 + "mwavedd::mwave_ioctl IOCTL_MW_REGISTER_IPC"
351 + " ipcnum %x entry usIntCount %x\n",
352 +@@ -317,6 +320,8 @@ static long mwave_ioctl(struct file *file, unsigned int iocmd,
353 + " Invalid ipcnum %x\n", ipcnum);
354 + return -EINVAL;
355 + }
356 ++ ipcnum = array_index_nospec(ipcnum,
357 ++ ARRAY_SIZE(pDrvData->IPCs));
358 + PRINTK_3(TRACE_MWAVE,
359 + "mwavedd::mwave_ioctl IOCTL_MW_GET_IPC"
360 + " ipcnum %x, usIntCount %x\n",
361 +@@ -383,6 +388,8 @@ static long mwave_ioctl(struct file *file, unsigned int iocmd,
362 + ipcnum);
363 + return -EINVAL;
364 + }
365 ++ ipcnum = array_index_nospec(ipcnum,
366 ++ ARRAY_SIZE(pDrvData->IPCs));
367 + mutex_lock(&mwave_mutex);
368 + if (pDrvData->IPCs[ipcnum].bIsEnabled == true) {
369 + pDrvData->IPCs[ipcnum].bIsEnabled = false;
370 +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
371 +index f55dcdf99bc5..26476a64e663 100644
372 +--- a/drivers/input/joystick/xpad.c
373 ++++ b/drivers/input/joystick/xpad.c
374 +@@ -255,6 +255,8 @@ static const struct xpad_device {
375 + { 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX },
376 + { 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX },
377 + { 0x102c, 0xff0c, "Joytech Wireless Advanced Controller", 0, XTYPE_XBOX },
378 ++ { 0x1038, 0x1430, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
379 ++ { 0x1038, 0x1431, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
380 + { 0x11c9, 0x55f0, "Nacon GC-100XF", 0, XTYPE_XBOX360 },
381 + { 0x12ab, 0x0004, "Honey Bee Xbox360 dancepad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360 },
382 + { 0x12ab, 0x0301, "PDP AFTERGLOW AX.1", 0, XTYPE_XBOX360 },
383 +@@ -431,6 +433,7 @@ static const struct usb_device_id xpad_table[] = {
384 + XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f X-Box One controllers */
385 + XPAD_XBOX360_VENDOR(0x0f0d), /* Hori Controllers */
386 + XPAD_XBOXONE_VENDOR(0x0f0d), /* Hori Controllers */
387 ++ XPAD_XBOX360_VENDOR(0x1038), /* SteelSeries Controllers */
388 + XPAD_XBOX360_VENDOR(0x11c9), /* Nacon GC100XF */
389 + XPAD_XBOX360_VENDOR(0x12ab), /* X-Box 360 dance pads */
390 + XPAD_XBOX360_VENDOR(0x1430), /* RedOctane X-Box 360 controllers */
391 +diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
392 +index 022be0e22eba..a306453d40d2 100644
393 +--- a/drivers/input/misc/uinput.c
394 ++++ b/drivers/input/misc/uinput.c
395 +@@ -39,6 +39,7 @@
396 + #include <linux/fs.h>
397 + #include <linux/miscdevice.h>
398 + #include <linux/uinput.h>
399 ++#include <linux/overflow.h>
400 + #include <linux/input/mt.h>
401 + #include "../input-compat.h"
402 +
403 +@@ -335,7 +336,7 @@ static int uinput_open(struct inode *inode, struct file *file)
404 + static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
405 + const struct input_absinfo *abs)
406 + {
407 +- int min, max;
408 ++ int min, max, range;
409 +
410 + min = abs->minimum;
411 + max = abs->maximum;
412 +@@ -347,7 +348,7 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
413 + return -EINVAL;
414 + }
415 +
416 +- if (abs->flat > max - min) {
417 ++ if (!check_sub_overflow(max, min, &range) && abs->flat > range) {
418 + printk(KERN_DEBUG
419 + "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n",
420 + UINPUT_NAME, code, abs->flat, min, max);
421 +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
422 +index 558c7589c329..83ca754250fb 100644
423 +--- a/drivers/irqchip/irq-gic-v3-its.c
424 ++++ b/drivers/irqchip/irq-gic-v3-its.c
425 +@@ -1372,13 +1372,14 @@ static void its_free_device(struct its_device *its_dev)
426 + kfree(its_dev);
427 + }
428 +
429 +-static int its_alloc_device_irq(struct its_device *dev, irq_hw_number_t *hwirq)
430 ++static int its_alloc_device_irq(struct its_device *dev, int nvecs, irq_hw_number_t *hwirq)
431 + {
432 + int idx;
433 +
434 +- idx = find_first_zero_bit(dev->event_map.lpi_map,
435 +- dev->event_map.nr_lpis);
436 +- if (idx == dev->event_map.nr_lpis)
437 ++ idx = bitmap_find_free_region(dev->event_map.lpi_map,
438 ++ dev->event_map.nr_lpis,
439 ++ get_count_order(nvecs));
440 ++ if (idx < 0)
441 + return -ENOSPC;
442 +
443 + *hwirq = dev->event_map.lpi_base + idx;
444 +@@ -1464,20 +1465,20 @@ static int its_irq_domain_alloc(struct irq_domain *domain, unsigned int virq,
445 + int err;
446 + int i;
447 +
448 +- for (i = 0; i < nr_irqs; i++) {
449 +- err = its_alloc_device_irq(its_dev, &hwirq);
450 +- if (err)
451 +- return err;
452 ++ err = its_alloc_device_irq(its_dev, nr_irqs, &hwirq);
453 ++ if (err)
454 ++ return err;
455 +
456 +- err = its_irq_gic_domain_alloc(domain, virq + i, hwirq);
457 ++ for (i = 0; i < nr_irqs; i++) {
458 ++ err = its_irq_gic_domain_alloc(domain, virq + i, hwirq + i);
459 + if (err)
460 + return err;
461 +
462 + irq_domain_set_hwirq_and_chip(domain, virq + i,
463 +- hwirq, &its_irq_chip, its_dev);
464 ++ hwirq + i, &its_irq_chip, its_dev);
465 + pr_debug("ID:%d pID:%d vID:%d\n",
466 +- (int)(hwirq - its_dev->event_map.lpi_base),
467 +- (int) hwirq, virq + i);
468 ++ (int)(hwirq + i - its_dev->event_map.lpi_base),
469 ++ (int)(hwirq + i), virq + i);
470 + }
471 +
472 + return 0;
473 +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
474 +index 149fbac97cb6..d20f4023f6c1 100644
475 +--- a/drivers/md/dm-thin-metadata.c
476 ++++ b/drivers/md/dm-thin-metadata.c
477 +@@ -1689,7 +1689,7 @@ int dm_thin_remove_range(struct dm_thin_device *td,
478 + return r;
479 + }
480 +
481 +-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result)
482 ++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result)
483 + {
484 + int r;
485 + uint32_t ref_count;
486 +@@ -1697,7 +1697,7 @@ int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *resu
487 + down_read(&pmd->root_lock);
488 + r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
489 + if (!r)
490 +- *result = (ref_count != 0);
491 ++ *result = (ref_count > 1);
492 + up_read(&pmd->root_lock);
493 +
494 + return r;
495 +diff --git a/drivers/md/dm-thin-metadata.h b/drivers/md/dm-thin-metadata.h
496 +index 35e954ea20a9..f6be0d733c20 100644
497 +--- a/drivers/md/dm-thin-metadata.h
498 ++++ b/drivers/md/dm-thin-metadata.h
499 +@@ -195,7 +195,7 @@ int dm_pool_get_metadata_dev_size(struct dm_pool_metadata *pmd,
500 +
501 + int dm_pool_get_data_dev_size(struct dm_pool_metadata *pmd, dm_block_t *result);
502 +
503 +-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result);
504 ++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result);
505 +
506 + int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e);
507 + int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e);
508 +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
509 +index 81309d7836c5..914c8a6bf93c 100644
510 +--- a/drivers/md/dm-thin.c
511 ++++ b/drivers/md/dm-thin.c
512 +@@ -1017,7 +1017,7 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m
513 + * passdown we have to check that these blocks are now unused.
514 + */
515 + int r = 0;
516 +- bool used = true;
517 ++ bool shared = true;
518 + struct thin_c *tc = m->tc;
519 + struct pool *pool = tc->pool;
520 + dm_block_t b = m->data_block, e, end = m->data_block + m->virt_end - m->virt_begin;
521 +@@ -1027,11 +1027,11 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m
522 + while (b != end) {
523 + /* find start of unmapped run */
524 + for (; b < end; b++) {
525 +- r = dm_pool_block_is_used(pool->pmd, b, &used);
526 ++ r = dm_pool_block_is_shared(pool->pmd, b, &shared);
527 + if (r)
528 + goto out;
529 +
530 +- if (!used)
531 ++ if (!shared)
532 + break;
533 + }
534 +
535 +@@ -1040,11 +1040,11 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m
536 +
537 + /* find end of run */
538 + for (e = b + 1; e != end; e++) {
539 +- r = dm_pool_block_is_used(pool->pmd, e, &used);
540 ++ r = dm_pool_block_is_shared(pool->pmd, e, &shared);
541 + if (r)
542 + goto out;
543 +
544 +- if (used)
545 ++ if (shared)
546 + break;
547 + }
548 +
549 +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
550 +index ff3d9fc0f1b3..214a48703a4e 100644
551 +--- a/drivers/net/can/dev.c
552 ++++ b/drivers/net/can/dev.c
553 +@@ -456,8 +456,6 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
554 + struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
555 + {
556 + struct can_priv *priv = netdev_priv(dev);
557 +- struct sk_buff *skb = priv->echo_skb[idx];
558 +- struct canfd_frame *cf;
559 +
560 + if (idx >= priv->echo_skb_max) {
561 + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
562 +@@ -465,20 +463,21 @@ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8
563 + return NULL;
564 + }
565 +
566 +- if (!skb) {
567 +- netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
568 +- __func__, idx);
569 +- return NULL;
570 +- }
571 ++ if (priv->echo_skb[idx]) {
572 ++ /* Using "struct canfd_frame::len" for the frame
573 ++ * length is supported on both CAN and CANFD frames.
574 ++ */
575 ++ struct sk_buff *skb = priv->echo_skb[idx];
576 ++ struct canfd_frame *cf = (struct canfd_frame *)skb->data;
577 ++ u8 len = cf->len;
578 ++
579 ++ *len_ptr = len;
580 ++ priv->echo_skb[idx] = NULL;
581 +
582 +- /* Using "struct canfd_frame::len" for the frame
583 +- * length is supported on both CAN and CANFD frames.
584 +- */
585 +- cf = (struct canfd_frame *)skb->data;
586 +- *len_ptr = cf->len;
587 +- priv->echo_skb[idx] = NULL;
588 ++ return skb;
589 ++ }
590 +
591 +- return skb;
592 ++ return NULL;
593 + }
594 +
595 + /*
596 +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
597 +index fa2c7bd638be..8c93ed5c9763 100644
598 +--- a/drivers/net/ppp/pppoe.c
599 ++++ b/drivers/net/ppp/pppoe.c
600 +@@ -442,6 +442,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
601 + if (pskb_trim_rcsum(skb, len))
602 + goto drop;
603 +
604 ++ ph = pppoe_hdr(skb);
605 + pn = pppoe_pernet(dev_net(dev));
606 +
607 + /* Note that get_item does a sock_hold(), so sk_pppox(po)
608 +diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
609 +index 486393fa4f3e..0f1201e6e957 100644
610 +--- a/drivers/nvme/target/rdma.c
611 ++++ b/drivers/nvme/target/rdma.c
612 +@@ -137,6 +137,10 @@ static void nvmet_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc);
613 + static void nvmet_rdma_read_data_done(struct ib_cq *cq, struct ib_wc *wc);
614 + static void nvmet_rdma_qp_event(struct ib_event *event, void *priv);
615 + static void nvmet_rdma_queue_disconnect(struct nvmet_rdma_queue *queue);
616 ++static void nvmet_rdma_free_rsp(struct nvmet_rdma_device *ndev,
617 ++ struct nvmet_rdma_rsp *r);
618 ++static int nvmet_rdma_alloc_rsp(struct nvmet_rdma_device *ndev,
619 ++ struct nvmet_rdma_rsp *r);
620 +
621 + static struct nvmet_fabrics_ops nvmet_rdma_ops;
622 +
623 +@@ -175,9 +179,17 @@ nvmet_rdma_get_rsp(struct nvmet_rdma_queue *queue)
624 + spin_unlock_irqrestore(&queue->rsps_lock, flags);
625 +
626 + if (unlikely(!rsp)) {
627 +- rsp = kmalloc(sizeof(*rsp), GFP_KERNEL);
628 ++ int ret;
629 ++
630 ++ rsp = kzalloc(sizeof(*rsp), GFP_KERNEL);
631 + if (unlikely(!rsp))
632 + return NULL;
633 ++ ret = nvmet_rdma_alloc_rsp(queue->dev, rsp);
634 ++ if (unlikely(ret)) {
635 ++ kfree(rsp);
636 ++ return NULL;
637 ++ }
638 ++
639 + rsp->allocated = true;
640 + }
641 +
642 +@@ -189,7 +201,8 @@ nvmet_rdma_put_rsp(struct nvmet_rdma_rsp *rsp)
643 + {
644 + unsigned long flags;
645 +
646 +- if (rsp->allocated) {
647 ++ if (unlikely(rsp->allocated)) {
648 ++ nvmet_rdma_free_rsp(rsp->queue->dev, rsp);
649 + kfree(rsp);
650 + return;
651 + }
652 +diff --git a/drivers/s390/char/sclp_config.c b/drivers/s390/char/sclp_config.c
653 +index 1406fb688a26..73e2f89aded8 100644
654 +--- a/drivers/s390/char/sclp_config.c
655 ++++ b/drivers/s390/char/sclp_config.c
656 +@@ -59,7 +59,9 @@ static void sclp_cpu_capability_notify(struct work_struct *work)
657 +
658 + static void __ref sclp_cpu_change_notify(struct work_struct *work)
659 + {
660 ++ lock_device_hotplug();
661 + smp_rescan_cpus();
662 ++ unlock_device_hotplug();
663 + }
664 +
665 + static void sclp_conf_receiver_fn(struct evbuf_header *evbuf)
666 +diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
667 +index 0f63a36a519e..d22360849b88 100644
668 +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
669 ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
670 +@@ -43,6 +43,7 @@ static struct usb_device_id rtw_usb_id_tbl[] = {
671 + {USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
672 + {USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
673 + {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
674 ++ {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */
675 + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
676 + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
677 + {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
678 +diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
679 +index 6d1e2f746ab4..8d6253903f24 100644
680 +--- a/drivers/tty/n_hdlc.c
681 ++++ b/drivers/tty/n_hdlc.c
682 +@@ -598,6 +598,7 @@ static ssize_t n_hdlc_tty_read(struct tty_struct *tty, struct file *file,
683 + /* too large for caller's buffer */
684 + ret = -EOVERFLOW;
685 + } else {
686 ++ __set_current_state(TASK_RUNNING);
687 + if (copy_to_user(buf, rbuf->buf, rbuf->count))
688 + ret = -EFAULT;
689 + else
690 +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
691 +index bcfdaf6ddbb2..95fc7e893fd2 100644
692 +--- a/drivers/tty/serial/serial_core.c
693 ++++ b/drivers/tty/serial/serial_core.c
694 +@@ -540,10 +540,12 @@ static int uart_put_char(struct tty_struct *tty, unsigned char c)
695 + int ret = 0;
696 +
697 + circ = &state->xmit;
698 +- if (!circ->buf)
699 ++ port = uart_port_lock(state, flags);
700 ++ if (!circ->buf) {
701 ++ uart_port_unlock(port, flags);
702 + return 0;
703 ++ }
704 +
705 +- port = uart_port_lock(state, flags);
706 + if (port && uart_circ_chars_free(circ) != 0) {
707 + circ->buf[circ->head] = c;
708 + circ->head = (circ->head + 1) & (UART_XMIT_SIZE - 1);
709 +@@ -576,11 +578,13 @@ static int uart_write(struct tty_struct *tty,
710 + return -EL3HLT;
711 + }
712 +
713 ++ port = uart_port_lock(state, flags);
714 + circ = &state->xmit;
715 +- if (!circ->buf)
716 ++ if (!circ->buf) {
717 ++ uart_port_unlock(port, flags);
718 + return 0;
719 ++ }
720 +
721 +- port = uart_port_lock(state, flags);
722 + while (port) {
723 + c = CIRC_SPACE_TO_END(circ->head, circ->tail, UART_XMIT_SIZE);
724 + if (count < c)
725 +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
726 +index f61f8650665f..19fe1e8fc124 100644
727 +--- a/drivers/tty/tty_io.c
728 ++++ b/drivers/tty/tty_io.c
729 +@@ -2324,7 +2324,8 @@ static int tiocsti(struct tty_struct *tty, char __user *p)
730 + ld = tty_ldisc_ref_wait(tty);
731 + if (!ld)
732 + return -EIO;
733 +- ld->ops->receive_buf(tty, &ch, &mbz, 1);
734 ++ if (ld->ops->receive_buf)
735 ++ ld->ops->receive_buf(tty, &ch, &mbz, 1);
736 + tty_ldisc_deref(ld);
737 + return 0;
738 + }
739 +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
740 +index 9d3e413f48c6..232cb0a760b9 100644
741 +--- a/drivers/tty/vt/vt.c
742 ++++ b/drivers/tty/vt/vt.c
743 +@@ -956,6 +956,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
744 + if (con_is_visible(vc))
745 + update_screen(vc);
746 + vt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num);
747 ++ notify_update(vc);
748 + return err;
749 + }
750 +
751 +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
752 +index 4966768d3c98..9706d214c409 100644
753 +--- a/drivers/usb/serial/pl2303.c
754 ++++ b/drivers/usb/serial/pl2303.c
755 +@@ -47,6 +47,7 @@ static const struct usb_device_id id_table[] = {
756 + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_HCR331) },
757 + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MOTOROLA) },
758 + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ZTEK) },
759 ++ { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_TB) },
760 + { USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID) },
761 + { USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID_RSAQ5) },
762 + { USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID) },
763 +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
764 +index a84f0959ab34..d84c3b3d477b 100644
765 +--- a/drivers/usb/serial/pl2303.h
766 ++++ b/drivers/usb/serial/pl2303.h
767 +@@ -13,6 +13,7 @@
768 +
769 + #define PL2303_VENDOR_ID 0x067b
770 + #define PL2303_PRODUCT_ID 0x2303
771 ++#define PL2303_PRODUCT_ID_TB 0x2304
772 + #define PL2303_PRODUCT_ID_RSAQ2 0x04bb
773 + #define PL2303_PRODUCT_ID_DCU11 0x1234
774 + #define PL2303_PRODUCT_ID_PHAROS 0xaaa0
775 +@@ -25,6 +26,7 @@
776 + #define PL2303_PRODUCT_ID_MOTOROLA 0x0307
777 + #define PL2303_PRODUCT_ID_ZTEK 0xe1f1
778 +
779 ++
780 + #define ATEN_VENDOR_ID 0x0557
781 + #define ATEN_VENDOR_ID2 0x0547
782 + #define ATEN_PRODUCT_ID 0x2008
783 +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
784 +index 6d6acf2c07c3..511242111403 100644
785 +--- a/drivers/usb/serial/usb-serial-simple.c
786 ++++ b/drivers/usb/serial/usb-serial-simple.c
787 +@@ -88,7 +88,8 @@ DEVICE(moto_modem, MOTO_IDS);
788 + /* Motorola Tetra driver */
789 + #define MOTOROLA_TETRA_IDS() \
790 + { USB_DEVICE(0x0cad, 0x9011) }, /* Motorola Solutions TETRA PEI */ \
791 +- { USB_DEVICE(0x0cad, 0x9012) } /* MTP6550 */
792 ++ { USB_DEVICE(0x0cad, 0x9012) }, /* MTP6550 */ \
793 ++ { USB_DEVICE(0x0cad, 0x9016) } /* TPG2200 */
794 + DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
795 +
796 + /* Novatel Wireless GPS driver */
797 +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
798 +index 353c93bc459b..681d0eade82f 100644
799 +--- a/drivers/vhost/net.c
800 ++++ b/drivers/vhost/net.c
801 +@@ -751,7 +751,8 @@ static void handle_rx(struct vhost_net *net)
802 + vhost_add_used_and_signal_n(&net->dev, vq, vq->heads,
803 + headcount);
804 + if (unlikely(vq_log))
805 +- vhost_log_write(vq, vq_log, log, vhost_len);
806 ++ vhost_log_write(vq, vq_log, log, vhost_len,
807 ++ vq->iov, in);
808 + total_len += vhost_len;
809 + if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
810 + vhost_poll_queue(&vq->poll);
811 +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
812 +index 53b1b3cfce84..dc387a974325 100644
813 +--- a/drivers/vhost/vhost.c
814 ++++ b/drivers/vhost/vhost.c
815 +@@ -1646,13 +1646,87 @@ static int log_write(void __user *log_base,
816 + return r;
817 + }
818 +
819 ++static int log_write_hva(struct vhost_virtqueue *vq, u64 hva, u64 len)
820 ++{
821 ++ struct vhost_umem *umem = vq->umem;
822 ++ struct vhost_umem_node *u;
823 ++ u64 start, end, l, min;
824 ++ int r;
825 ++ bool hit = false;
826 ++
827 ++ while (len) {
828 ++ min = len;
829 ++ /* More than one GPAs can be mapped into a single HVA. So
830 ++ * iterate all possible umems here to be safe.
831 ++ */
832 ++ list_for_each_entry(u, &umem->umem_list, link) {
833 ++ if (u->userspace_addr > hva - 1 + len ||
834 ++ u->userspace_addr - 1 + u->size < hva)
835 ++ continue;
836 ++ start = max(u->userspace_addr, hva);
837 ++ end = min(u->userspace_addr - 1 + u->size,
838 ++ hva - 1 + len);
839 ++ l = end - start + 1;
840 ++ r = log_write(vq->log_base,
841 ++ u->start + start - u->userspace_addr,
842 ++ l);
843 ++ if (r < 0)
844 ++ return r;
845 ++ hit = true;
846 ++ min = min(l, min);
847 ++ }
848 ++
849 ++ if (!hit)
850 ++ return -EFAULT;
851 ++
852 ++ len -= min;
853 ++ hva += min;
854 ++ }
855 ++
856 ++ return 0;
857 ++}
858 ++
859 ++static int log_used(struct vhost_virtqueue *vq, u64 used_offset, u64 len)
860 ++{
861 ++ struct iovec iov[64];
862 ++ int i, ret;
863 ++
864 ++ if (!vq->iotlb)
865 ++ return log_write(vq->log_base, vq->log_addr + used_offset, len);
866 ++
867 ++ ret = translate_desc(vq, (uintptr_t)vq->used + used_offset,
868 ++ len, iov, 64, VHOST_ACCESS_WO);
869 ++ if (ret)
870 ++ return ret;
871 ++
872 ++ for (i = 0; i < ret; i++) {
873 ++ ret = log_write_hva(vq, (uintptr_t)iov[i].iov_base,
874 ++ iov[i].iov_len);
875 ++ if (ret)
876 ++ return ret;
877 ++ }
878 ++
879 ++ return 0;
880 ++}
881 ++
882 + int vhost_log_write(struct vhost_virtqueue *vq, struct vhost_log *log,
883 +- unsigned int log_num, u64 len)
884 ++ unsigned int log_num, u64 len, struct iovec *iov, int count)
885 + {
886 + int i, r;
887 +
888 + /* Make sure data written is seen before log. */
889 + smp_wmb();
890 ++
891 ++ if (vq->iotlb) {
892 ++ for (i = 0; i < count; i++) {
893 ++ r = log_write_hva(vq, (uintptr_t)iov[i].iov_base,
894 ++ iov[i].iov_len);
895 ++ if (r < 0)
896 ++ return r;
897 ++ }
898 ++ return 0;
899 ++ }
900 ++
901 + for (i = 0; i < log_num; ++i) {
902 + u64 l = min(log[i].len, len);
903 + r = log_write(vq->log_base, log[i].addr, l);
904 +@@ -1682,9 +1756,8 @@ static int vhost_update_used_flags(struct vhost_virtqueue *vq)
905 + smp_wmb();
906 + /* Log used flag write. */
907 + used = &vq->used->flags;
908 +- log_write(vq->log_base, vq->log_addr +
909 +- (used - (void __user *)vq->used),
910 +- sizeof vq->used->flags);
911 ++ log_used(vq, (used - (void __user *)vq->used),
912 ++ sizeof vq->used->flags);
913 + if (vq->log_ctx)
914 + eventfd_signal(vq->log_ctx, 1);
915 + }
916 +@@ -1702,9 +1775,8 @@ static int vhost_update_avail_event(struct vhost_virtqueue *vq, u16 avail_event)
917 + smp_wmb();
918 + /* Log avail event write */
919 + used = vhost_avail_event(vq);
920 +- log_write(vq->log_base, vq->log_addr +
921 +- (used - (void __user *)vq->used),
922 +- sizeof *vhost_avail_event(vq));
923 ++ log_used(vq, (used - (void __user *)vq->used),
924 ++ sizeof *vhost_avail_event(vq));
925 + if (vq->log_ctx)
926 + eventfd_signal(vq->log_ctx, 1);
927 + }
928 +@@ -2103,10 +2175,8 @@ static int __vhost_add_used_n(struct vhost_virtqueue *vq,
929 + /* Make sure data is seen before log. */
930 + smp_wmb();
931 + /* Log used ring entry write. */
932 +- log_write(vq->log_base,
933 +- vq->log_addr +
934 +- ((void __user *)used - (void __user *)vq->used),
935 +- count * sizeof *used);
936 ++ log_used(vq, ((void __user *)used - (void __user *)vq->used),
937 ++ count * sizeof *used);
938 + }
939 + old = vq->last_used_idx;
940 + new = (vq->last_used_idx += count);
941 +@@ -2148,9 +2218,8 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
942 + /* Make sure used idx is seen before log. */
943 + smp_wmb();
944 + /* Log used index update. */
945 +- log_write(vq->log_base,
946 +- vq->log_addr + offsetof(struct vring_used, idx),
947 +- sizeof vq->used->idx);
948 ++ log_used(vq, offsetof(struct vring_used, idx),
949 ++ sizeof vq->used->idx);
950 + if (vq->log_ctx)
951 + eventfd_signal(vq->log_ctx, 1);
952 + }
953 +diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
954 +index 78f3c5fc02e4..e8efe1af7487 100644
955 +--- a/drivers/vhost/vhost.h
956 ++++ b/drivers/vhost/vhost.h
957 +@@ -199,7 +199,8 @@ bool vhost_vq_avail_empty(struct vhost_dev *, struct vhost_virtqueue *);
958 + bool vhost_enable_notify(struct vhost_dev *, struct vhost_virtqueue *);
959 +
960 + int vhost_log_write(struct vhost_virtqueue *vq, struct vhost_log *log,
961 +- unsigned int log_num, u64 len);
962 ++ unsigned int log_num, u64 len,
963 ++ struct iovec *iov, int count);
964 + int vq_iotlb_prefetch(struct vhost_virtqueue *vq);
965 +
966 + struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type);
967 +diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c
968 +index b450adf65236..fb973cc0af66 100644
969 +--- a/fs/btrfs/dev-replace.c
970 ++++ b/fs/btrfs/dev-replace.c
971 +@@ -350,6 +350,7 @@ int btrfs_dev_replace_start(struct btrfs_root *root, char *tgtdev_name,
972 + break;
973 + case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED:
974 + case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED:
975 ++ ASSERT(0);
976 + ret = BTRFS_IOCTL_DEV_REPLACE_RESULT_ALREADY_STARTED;
977 + goto leave;
978 + }
979 +@@ -394,6 +395,10 @@ int btrfs_dev_replace_start(struct btrfs_root *root, char *tgtdev_name,
980 + if (IS_ERR(trans)) {
981 + ret = PTR_ERR(trans);
982 + btrfs_dev_replace_lock(dev_replace, 1);
983 ++ dev_replace->replace_state =
984 ++ BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED;
985 ++ dev_replace->srcdev = NULL;
986 ++ dev_replace->tgtdev = NULL;
987 + goto leave;
988 + }
989 +
990 +@@ -415,8 +420,6 @@ int btrfs_dev_replace_start(struct btrfs_root *root, char *tgtdev_name,
991 + return ret;
992 +
993 + leave:
994 +- dev_replace->srcdev = NULL;
995 +- dev_replace->tgtdev = NULL;
996 + btrfs_dev_replace_unlock(dev_replace, 1);
997 + btrfs_destroy_dev_replace_tgtdev(fs_info, tgt_device);
998 + return ret;
999 +@@ -784,6 +787,8 @@ int btrfs_resume_dev_replace_async(struct btrfs_fs_info *fs_info)
1000 + "cannot continue dev_replace, tgtdev is missing");
1001 + btrfs_info(fs_info,
1002 + "you may cancel the operation after 'mount -o degraded'");
1003 ++ dev_replace->replace_state =
1004 ++ BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED;
1005 + btrfs_dev_replace_unlock(dev_replace, 1);
1006 + return 0;
1007 + }
1008 +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
1009 +index 08c1c86c2ad9..2db7968febfe 100644
1010 +--- a/fs/cifs/smb2ops.c
1011 ++++ b/fs/cifs/smb2ops.c
1012 +@@ -148,14 +148,14 @@ smb2_wait_mtu_credits(struct TCP_Server_Info *server, unsigned int size,
1013 +
1014 + scredits = server->credits;
1015 + /* can deadlock with reopen */
1016 +- if (scredits == 1) {
1017 ++ if (scredits <= 8) {
1018 + *num = SMB2_MAX_BUFFER_SIZE;
1019 + *credits = 0;
1020 + break;
1021 + }
1022 +
1023 +- /* leave one credit for a possible reopen */
1024 +- scredits--;
1025 ++ /* leave some credits for reopen and other ops */
1026 ++ scredits -= 8;
1027 + *num = min_t(unsigned int, size,
1028 + scredits * SMB2_MAX_BUFFER_SIZE);
1029 +
1030 +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
1031 +index f4fe54047fb7..d87c48e4a9ba 100644
1032 +--- a/fs/f2fs/node.c
1033 ++++ b/fs/f2fs/node.c
1034 +@@ -656,6 +656,7 @@ static void truncate_node(struct dnode_of_data *dn)
1035 + {
1036 + struct f2fs_sb_info *sbi = F2FS_I_SB(dn->inode);
1037 + struct node_info ni;
1038 ++ pgoff_t index;
1039 +
1040 + get_node_info(sbi, dn->nid, &ni);
1041 + if (dn->inode->i_blocks == 0) {
1042 +@@ -678,10 +679,11 @@ invalidate:
1043 + clear_node_page_dirty(dn->node_page);
1044 + set_sbi_flag(sbi, SBI_IS_DIRTY);
1045 +
1046 ++ index = dn->node_page->index;
1047 + f2fs_put_page(dn->node_page, 1);
1048 +
1049 + invalidate_mapping_pages(NODE_MAPPING(sbi),
1050 +- dn->node_page->index, dn->node_page->index);
1051 ++ index, index);
1052 +
1053 + dn->node_page = NULL;
1054 + trace_f2fs_truncate_node(dn->inode, dn->nid, ni.blk_addr);
1055 +diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
1056 +index 21c88a7ac23b..697988be62df 100644
1057 +--- a/include/linux/compiler-clang.h
1058 ++++ b/include/linux/compiler-clang.h
1059 +@@ -23,3 +23,17 @@
1060 + #ifdef __noretpoline
1061 + #undef __noretpoline
1062 + #endif
1063 ++
1064 ++/*
1065 ++ * Not all versions of clang implement the the type-generic versions
1066 ++ * of the builtin overflow checkers. Fortunately, clang implements
1067 ++ * __has_builtin allowing us to avoid awkward version
1068 ++ * checks. Unfortunately, we don't know which version of gcc clang
1069 ++ * pretends to be, so the macro may or may not be defined.
1070 ++ */
1071 ++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
1072 ++#if __has_builtin(__builtin_mul_overflow) && \
1073 ++ __has_builtin(__builtin_add_overflow) && \
1074 ++ __has_builtin(__builtin_sub_overflow)
1075 ++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
1076 ++#endif
1077 +diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
1078 +index 8e82e3373eaf..8e9b0cb8db41 100644
1079 +--- a/include/linux/compiler-gcc.h
1080 ++++ b/include/linux/compiler-gcc.h
1081 +@@ -334,3 +334,7 @@
1082 + * code
1083 + */
1084 + #define uninitialized_var(x) x = x
1085 ++
1086 ++#if GCC_VERSION >= 50100
1087 ++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
1088 ++#endif
1089 +diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h
1090 +index d4c71132d07f..8c9897b1b953 100644
1091 +--- a/include/linux/compiler-intel.h
1092 ++++ b/include/linux/compiler-intel.h
1093 +@@ -43,3 +43,7 @@
1094 + #define __builtin_bswap16 _bswap16
1095 + #endif
1096 +
1097 ++/*
1098 ++ * icc defines __GNUC__, but does not implement the builtin overflow checkers.
1099 ++ */
1100 ++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
1101 +diff --git a/include/linux/overflow.h b/include/linux/overflow.h
1102 +new file mode 100644
1103 +index 000000000000..c8890ec358a7
1104 +--- /dev/null
1105 ++++ b/include/linux/overflow.h
1106 +@@ -0,0 +1,205 @@
1107 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
1108 ++#ifndef __LINUX_OVERFLOW_H
1109 ++#define __LINUX_OVERFLOW_H
1110 ++
1111 ++#include <linux/compiler.h>
1112 ++
1113 ++/*
1114 ++ * In the fallback code below, we need to compute the minimum and
1115 ++ * maximum values representable in a given type. These macros may also
1116 ++ * be useful elsewhere, so we provide them outside the
1117 ++ * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
1118 ++ *
1119 ++ * It would seem more obvious to do something like
1120 ++ *
1121 ++ * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
1122 ++ * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
1123 ++ *
1124 ++ * Unfortunately, the middle expressions, strictly speaking, have
1125 ++ * undefined behaviour, and at least some versions of gcc warn about
1126 ++ * the type_max expression (but not if -fsanitize=undefined is in
1127 ++ * effect; in that case, the warning is deferred to runtime...).
1128 ++ *
1129 ++ * The slightly excessive casting in type_min is to make sure the
1130 ++ * macros also produce sensible values for the exotic type _Bool. [The
1131 ++ * overflow checkers only almost work for _Bool, but that's
1132 ++ * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
1133 ++ * _Bools. Besides, the gcc builtins don't allow _Bool* as third
1134 ++ * argument.]
1135 ++ *
1136 ++ * Idea stolen from
1137 ++ * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
1138 ++ * credit to Christian Biere.
1139 ++ */
1140 ++#define is_signed_type(type) (((type)(-1)) < (type)1)
1141 ++#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
1142 ++#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
1143 ++#define type_min(T) ((T)((T)-type_max(T)-(T)1))
1144 ++
1145 ++
1146 ++#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
1147 ++/*
1148 ++ * For simplicity and code hygiene, the fallback code below insists on
1149 ++ * a, b and *d having the same type (similar to the min() and max()
1150 ++ * macros), whereas gcc's type-generic overflow checkers accept
1151 ++ * different types. Hence we don't just make check_add_overflow an
1152 ++ * alias for __builtin_add_overflow, but add type checks similar to
1153 ++ * below.
1154 ++ */
1155 ++#define check_add_overflow(a, b, d) ({ \
1156 ++ typeof(a) __a = (a); \
1157 ++ typeof(b) __b = (b); \
1158 ++ typeof(d) __d = (d); \
1159 ++ (void) (&__a == &__b); \
1160 ++ (void) (&__a == __d); \
1161 ++ __builtin_add_overflow(__a, __b, __d); \
1162 ++})
1163 ++
1164 ++#define check_sub_overflow(a, b, d) ({ \
1165 ++ typeof(a) __a = (a); \
1166 ++ typeof(b) __b = (b); \
1167 ++ typeof(d) __d = (d); \
1168 ++ (void) (&__a == &__b); \
1169 ++ (void) (&__a == __d); \
1170 ++ __builtin_sub_overflow(__a, __b, __d); \
1171 ++})
1172 ++
1173 ++#define check_mul_overflow(a, b, d) ({ \
1174 ++ typeof(a) __a = (a); \
1175 ++ typeof(b) __b = (b); \
1176 ++ typeof(d) __d = (d); \
1177 ++ (void) (&__a == &__b); \
1178 ++ (void) (&__a == __d); \
1179 ++ __builtin_mul_overflow(__a, __b, __d); \
1180 ++})
1181 ++
1182 ++#else
1183 ++
1184 ++
1185 ++/* Checking for unsigned overflow is relatively easy without causing UB. */
1186 ++#define __unsigned_add_overflow(a, b, d) ({ \
1187 ++ typeof(a) __a = (a); \
1188 ++ typeof(b) __b = (b); \
1189 ++ typeof(d) __d = (d); \
1190 ++ (void) (&__a == &__b); \
1191 ++ (void) (&__a == __d); \
1192 ++ *__d = __a + __b; \
1193 ++ *__d < __a; \
1194 ++})
1195 ++#define __unsigned_sub_overflow(a, b, d) ({ \
1196 ++ typeof(a) __a = (a); \
1197 ++ typeof(b) __b = (b); \
1198 ++ typeof(d) __d = (d); \
1199 ++ (void) (&__a == &__b); \
1200 ++ (void) (&__a == __d); \
1201 ++ *__d = __a - __b; \
1202 ++ __a < __b; \
1203 ++})
1204 ++/*
1205 ++ * If one of a or b is a compile-time constant, this avoids a division.
1206 ++ */
1207 ++#define __unsigned_mul_overflow(a, b, d) ({ \
1208 ++ typeof(a) __a = (a); \
1209 ++ typeof(b) __b = (b); \
1210 ++ typeof(d) __d = (d); \
1211 ++ (void) (&__a == &__b); \
1212 ++ (void) (&__a == __d); \
1213 ++ *__d = __a * __b; \
1214 ++ __builtin_constant_p(__b) ? \
1215 ++ __b > 0 && __a > type_max(typeof(__a)) / __b : \
1216 ++ __a > 0 && __b > type_max(typeof(__b)) / __a; \
1217 ++})
1218 ++
1219 ++/*
1220 ++ * For signed types, detecting overflow is much harder, especially if
1221 ++ * we want to avoid UB. But the interface of these macros is such that
1222 ++ * we must provide a result in *d, and in fact we must produce the
1223 ++ * result promised by gcc's builtins, which is simply the possibly
1224 ++ * wrapped-around value. Fortunately, we can just formally do the
1225 ++ * operations in the widest relevant unsigned type (u64) and then
1226 ++ * truncate the result - gcc is smart enough to generate the same code
1227 ++ * with and without the (u64) casts.
1228 ++ */
1229 ++
1230 ++/*
1231 ++ * Adding two signed integers can overflow only if they have the same
1232 ++ * sign, and overflow has happened iff the result has the opposite
1233 ++ * sign.
1234 ++ */
1235 ++#define __signed_add_overflow(a, b, d) ({ \
1236 ++ typeof(a) __a = (a); \
1237 ++ typeof(b) __b = (b); \
1238 ++ typeof(d) __d = (d); \
1239 ++ (void) (&__a == &__b); \
1240 ++ (void) (&__a == __d); \
1241 ++ *__d = (u64)__a + (u64)__b; \
1242 ++ (((~(__a ^ __b)) & (*__d ^ __a)) \
1243 ++ & type_min(typeof(__a))) != 0; \
1244 ++})
1245 ++
1246 ++/*
1247 ++ * Subtraction is similar, except that overflow can now happen only
1248 ++ * when the signs are opposite. In this case, overflow has happened if
1249 ++ * the result has the opposite sign of a.
1250 ++ */
1251 ++#define __signed_sub_overflow(a, b, d) ({ \
1252 ++ typeof(a) __a = (a); \
1253 ++ typeof(b) __b = (b); \
1254 ++ typeof(d) __d = (d); \
1255 ++ (void) (&__a == &__b); \
1256 ++ (void) (&__a == __d); \
1257 ++ *__d = (u64)__a - (u64)__b; \
1258 ++ ((((__a ^ __b)) & (*__d ^ __a)) \
1259 ++ & type_min(typeof(__a))) != 0; \
1260 ++})
1261 ++
1262 ++/*
1263 ++ * Signed multiplication is rather hard. gcc always follows C99, so
1264 ++ * division is truncated towards 0. This means that we can write the
1265 ++ * overflow check like this:
1266 ++ *
1267 ++ * (a > 0 && (b > MAX/a || b < MIN/a)) ||
1268 ++ * (a < -1 && (b > MIN/a || b < MAX/a) ||
1269 ++ * (a == -1 && b == MIN)
1270 ++ *
1271 ++ * The redundant casts of -1 are to silence an annoying -Wtype-limits
1272 ++ * (included in -Wextra) warning: When the type is u8 or u16, the
1273 ++ * __b_c_e in check_mul_overflow obviously selects
1274 ++ * __unsigned_mul_overflow, but unfortunately gcc still parses this
1275 ++ * code and warns about the limited range of __b.
1276 ++ */
1277 ++
1278 ++#define __signed_mul_overflow(a, b, d) ({ \
1279 ++ typeof(a) __a = (a); \
1280 ++ typeof(b) __b = (b); \
1281 ++ typeof(d) __d = (d); \
1282 ++ typeof(a) __tmax = type_max(typeof(a)); \
1283 ++ typeof(a) __tmin = type_min(typeof(a)); \
1284 ++ (void) (&__a == &__b); \
1285 ++ (void) (&__a == __d); \
1286 ++ *__d = (u64)__a * (u64)__b; \
1287 ++ (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \
1288 ++ (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \
1289 ++ (__b == (typeof(__b))-1 && __a == __tmin); \
1290 ++})
1291 ++
1292 ++
1293 ++#define check_add_overflow(a, b, d) \
1294 ++ __builtin_choose_expr(is_signed_type(typeof(a)), \
1295 ++ __signed_add_overflow(a, b, d), \
1296 ++ __unsigned_add_overflow(a, b, d))
1297 ++
1298 ++#define check_sub_overflow(a, b, d) \
1299 ++ __builtin_choose_expr(is_signed_type(typeof(a)), \
1300 ++ __signed_sub_overflow(a, b, d), \
1301 ++ __unsigned_sub_overflow(a, b, d))
1302 ++
1303 ++#define check_mul_overflow(a, b, d) \
1304 ++ __builtin_choose_expr(is_signed_type(typeof(a)), \
1305 ++ __signed_mul_overflow(a, b, d), \
1306 ++ __unsigned_mul_overflow(a, b, d))
1307 ++
1308 ++
1309 ++#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
1310 ++
1311 ++#endif /* __LINUX_OVERFLOW_H */
1312 +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
1313 +index e90fe6b83e00..ed329a39d621 100644
1314 +--- a/include/linux/skbuff.h
1315 ++++ b/include/linux/skbuff.h
1316 +@@ -2962,6 +2962,7 @@ int pskb_trim_rcsum_slow(struct sk_buff *skb, unsigned int len);
1317 + *
1318 + * This is exactly the same as pskb_trim except that it ensures the
1319 + * checksum of received packets are still valid after the operation.
1320 ++ * It can change skb pointers.
1321 + */
1322 +
1323 + static inline int pskb_trim_rcsum(struct sk_buff *skb, unsigned int len)
1324 +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
1325 +index a6446d72c5d9..a85028e06b1e 100644
1326 +--- a/include/net/ip_fib.h
1327 ++++ b/include/net/ip_fib.h
1328 +@@ -242,7 +242,7 @@ int fib_table_insert(struct net *, struct fib_table *, struct fib_config *);
1329 + int fib_table_delete(struct net *, struct fib_table *, struct fib_config *);
1330 + int fib_table_dump(struct fib_table *table, struct sk_buff *skb,
1331 + struct netlink_callback *cb);
1332 +-int fib_table_flush(struct net *net, struct fib_table *table);
1333 ++int fib_table_flush(struct net *net, struct fib_table *table, bool flush_all);
1334 + struct fib_table *fib_trie_unmerge(struct fib_table *main_tb);
1335 + void fib_table_flush_external(struct fib_table *table);
1336 + void fib_free_table(struct fib_table *tb);
1337 +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
1338 +index 8498e3503605..5b675695c661 100644
1339 +--- a/net/bridge/br_forward.c
1340 ++++ b/net/bridge/br_forward.c
1341 +@@ -35,10 +35,10 @@ static inline int should_deliver(const struct net_bridge_port *p,
1342 +
1343 + int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
1344 + {
1345 ++ skb_push(skb, ETH_HLEN);
1346 + if (!is_skb_forwardable(skb->dev, skb))
1347 + goto drop;
1348 +
1349 +- skb_push(skb, ETH_HLEN);
1350 + br_drop_fake_rtable(skb);
1351 +
1352 + if (skb->ip_summed == CHECKSUM_PARTIAL &&
1353 +@@ -96,12 +96,11 @@ static void __br_forward(const struct net_bridge_port *to,
1354 + net = dev_net(indev);
1355 + } else {
1356 + if (unlikely(netpoll_tx_running(to->br->dev))) {
1357 +- if (!is_skb_forwardable(skb->dev, skb)) {
1358 ++ skb_push(skb, ETH_HLEN);
1359 ++ if (!is_skb_forwardable(skb->dev, skb))
1360 + kfree_skb(skb);
1361 +- } else {
1362 +- skb_push(skb, ETH_HLEN);
1363 ++ else
1364 + br_netpoll_send_skb(to, skb);
1365 +- }
1366 + return;
1367 + }
1368 + br_hook = NF_BR_LOCAL_OUT;
1369 +diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
1370 +index 5989661c659f..a1b57cb07f1e 100644
1371 +--- a/net/bridge/br_netfilter_ipv6.c
1372 ++++ b/net/bridge/br_netfilter_ipv6.c
1373 +@@ -131,6 +131,7 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb)
1374 + IPSTATS_MIB_INDISCARDS);
1375 + goto drop;
1376 + }
1377 ++ hdr = ipv6_hdr(skb);
1378 + }
1379 + if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb))
1380 + goto drop;
1381 +diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
1382 +index 4b3df6b0e3b9..d94aaf7c7685 100644
1383 +--- a/net/bridge/netfilter/nft_reject_bridge.c
1384 ++++ b/net/bridge/netfilter/nft_reject_bridge.c
1385 +@@ -236,6 +236,7 @@ static bool reject6_br_csum_ok(struct sk_buff *skb, int hook)
1386 + pskb_trim_rcsum(skb, ntohs(ip6h->payload_len) + sizeof(*ip6h)))
1387 + return false;
1388 +
1389 ++ ip6h = ipv6_hdr(skb);
1390 + thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo);
1391 + if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0)
1392 + return false;
1393 +diff --git a/net/can/bcm.c b/net/can/bcm.c
1394 +index e4f694dfcf83..c99e7c75eeee 100644
1395 +--- a/net/can/bcm.c
1396 ++++ b/net/can/bcm.c
1397 +@@ -67,6 +67,9 @@
1398 + */
1399 + #define MAX_NFRAMES 256
1400 +
1401 ++/* limit timers to 400 days for sending/timeouts */
1402 ++#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60)
1403 ++
1404 + /* use of last_frames[index].flags */
1405 + #define RX_RECV 0x40 /* received data for this element */
1406 + #define RX_THR 0x80 /* element not been sent due to throttle feature */
1407 +@@ -142,6 +145,22 @@ static inline ktime_t bcm_timeval_to_ktime(struct bcm_timeval tv)
1408 + return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC);
1409 + }
1410 +
1411 ++/* check limitations for timeval provided by user */
1412 ++static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head)
1413 ++{
1414 ++ if ((msg_head->ival1.tv_sec < 0) ||
1415 ++ (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) ||
1416 ++ (msg_head->ival1.tv_usec < 0) ||
1417 ++ (msg_head->ival1.tv_usec >= USEC_PER_SEC) ||
1418 ++ (msg_head->ival2.tv_sec < 0) ||
1419 ++ (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) ||
1420 ++ (msg_head->ival2.tv_usec < 0) ||
1421 ++ (msg_head->ival2.tv_usec >= USEC_PER_SEC))
1422 ++ return true;
1423 ++
1424 ++ return false;
1425 ++}
1426 ++
1427 + #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU)
1428 + #define OPSIZ sizeof(struct bcm_op)
1429 + #define MHSIZ sizeof(struct bcm_msg_head)
1430 +@@ -884,6 +903,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
1431 + if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
1432 + return -EINVAL;
1433 +
1434 ++ /* check timeval limitations */
1435 ++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
1436 ++ return -EINVAL;
1437 ++
1438 + /* check the given can_id */
1439 + op = bcm_find_op(&bo->tx_ops, msg_head, ifindex);
1440 + if (op) {
1441 +@@ -1063,6 +1086,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
1442 + (!(msg_head->can_id & CAN_RTR_FLAG))))
1443 + return -EINVAL;
1444 +
1445 ++ /* check timeval limitations */
1446 ++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
1447 ++ return -EINVAL;
1448 ++
1449 + /* check the given can_id */
1450 + op = bcm_find_op(&bo->rx_ops, msg_head, ifindex);
1451 + if (op) {
1452 +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
1453 +index 9364c39d0555..cbe3fdba4a2c 100644
1454 +--- a/net/ipv4/fib_frontend.c
1455 ++++ b/net/ipv4/fib_frontend.c
1456 +@@ -193,7 +193,7 @@ static void fib_flush(struct net *net)
1457 + struct fib_table *tb;
1458 +
1459 + hlist_for_each_entry_safe(tb, tmp, head, tb_hlist)
1460 +- flushed += fib_table_flush(net, tb);
1461 ++ flushed += fib_table_flush(net, tb, false);
1462 + }
1463 +
1464 + if (flushed)
1465 +@@ -1277,7 +1277,7 @@ static void ip_fib_net_exit(struct net *net)
1466 +
1467 + hlist_for_each_entry_safe(tb, tmp, head, tb_hlist) {
1468 + hlist_del(&tb->tb_hlist);
1469 +- fib_table_flush(net, tb);
1470 ++ fib_table_flush(net, tb, true);
1471 + fib_free_table(tb);
1472 + }
1473 + }
1474 +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
1475 +index ef40bb659a7a..36f0a8c581d0 100644
1476 +--- a/net/ipv4/fib_trie.c
1477 ++++ b/net/ipv4/fib_trie.c
1478 +@@ -1826,7 +1826,7 @@ void fib_table_flush_external(struct fib_table *tb)
1479 + }
1480 +
1481 + /* Caller must hold RTNL. */
1482 +-int fib_table_flush(struct net *net, struct fib_table *tb)
1483 ++int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
1484 + {
1485 + struct trie *t = (struct trie *)tb->tb_data;
1486 + struct key_vector *pn = t->kv;
1487 +@@ -1874,7 +1874,17 @@ int fib_table_flush(struct net *net, struct fib_table *tb)
1488 + hlist_for_each_entry_safe(fa, tmp, &n->leaf, fa_list) {
1489 + struct fib_info *fi = fa->fa_info;
1490 +
1491 +- if (!fi || !(fi->fib_flags & RTNH_F_DEAD)) {
1492 ++ if (!fi ||
1493 ++ (!(fi->fib_flags & RTNH_F_DEAD) &&
1494 ++ !fib_props[fa->fa_type].error)) {
1495 ++ slen = fa->fa_slen;
1496 ++ continue;
1497 ++ }
1498 ++
1499 ++ /* Do not flush error routes if network namespace is
1500 ++ * not being dismantled
1501 ++ */
1502 ++ if (!flush_all && fib_props[fa->fa_type].error) {
1503 + slen = fa->fa_slen;
1504 + continue;
1505 + }
1506 +diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
1507 +index 5a8c26c9872d..0fb49dedc9fb 100644
1508 +--- a/net/ipv4/inet_fragment.c
1509 ++++ b/net/ipv4/inet_fragment.c
1510 +@@ -90,7 +90,7 @@ static void inet_frags_free_cb(void *ptr, void *arg)
1511 +
1512 + void inet_frags_exit_net(struct netns_frags *nf)
1513 + {
1514 +- nf->low_thresh = 0; /* prevent creation of new frags */
1515 ++ nf->high_thresh = 0; /* prevent creation of new frags */
1516 +
1517 + rhashtable_free_and_destroy(&nf->rhashtable, inet_frags_free_cb, NULL);
1518 + }
1519 +diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
1520 +index d6feabb03516..bcadca26523b 100644
1521 +--- a/net/ipv4/ip_input.c
1522 ++++ b/net/ipv4/ip_input.c
1523 +@@ -475,6 +475,7 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
1524 + goto drop;
1525 + }
1526 +
1527 ++ iph = ip_hdr(skb);
1528 + skb->transport_header = skb->network_header + iph->ihl*4;
1529 +
1530 + /* Remove any debris in the socket control block */
1531 +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
1532 +index 326945d9be5f..3bd4d5d0c346 100644
1533 +--- a/net/openvswitch/flow_netlink.c
1534 ++++ b/net/openvswitch/flow_netlink.c
1535 +@@ -409,7 +409,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
1536 + return -EINVAL;
1537 + }
1538 +
1539 +- if (!nz || !is_all_zero(nla_data(nla), expected_len)) {
1540 ++ if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
1541 + attrs |= 1 << type;
1542 + a[type] = nla;
1543 + }
1544 +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
1545 +index ea13df1be067..912ed9b901ac 100644
1546 +--- a/net/sched/sch_api.c
1547 ++++ b/net/sched/sch_api.c
1548 +@@ -1850,7 +1850,6 @@ done:
1549 + int tc_classify(struct sk_buff *skb, const struct tcf_proto *tp,
1550 + struct tcf_result *res, bool compat_mode)
1551 + {
1552 +- __be16 protocol = tc_skb_protocol(skb);
1553 + #ifdef CONFIG_NET_CLS_ACT
1554 + const struct tcf_proto *old_tp = tp;
1555 + int limit = 0;
1556 +@@ -1858,6 +1857,7 @@ int tc_classify(struct sk_buff *skb, const struct tcf_proto *tp,
1557 + reclassify:
1558 + #endif
1559 + for (; tp; tp = rcu_dereference_bh(tp->next)) {
1560 ++ __be16 protocol = tc_skb_protocol(skb);
1561 + int err;
1562 +
1563 + if (tp->protocol != protocol &&
1564 +@@ -1884,7 +1884,6 @@ reset:
1565 + }
1566 +
1567 + tp = old_tp;
1568 +- protocol = tc_skb_protocol(skb);
1569 + goto reclassify;
1570 + #endif
1571 + }
1572 +diff --git a/sound/soc/codecs/rt5514-spi.c b/sound/soc/codecs/rt5514-spi.c
1573 +index 09103aab0cb2..7d410e39d1a0 100644
1574 +--- a/sound/soc/codecs/rt5514-spi.c
1575 ++++ b/sound/soc/codecs/rt5514-spi.c
1576 +@@ -253,6 +253,8 @@ static int rt5514_spi_pcm_probe(struct snd_soc_platform *platform)
1577 +
1578 + rt5514_dsp = devm_kzalloc(platform->dev, sizeof(*rt5514_dsp),
1579 + GFP_KERNEL);
1580 ++ if (!rt5514_dsp)
1581 ++ return -ENOMEM;
1582 +
1583 + rt5514_dsp->dev = &rt5514_spi->dev;
1584 + mutex_init(&rt5514_dsp->dma_lock);
1585 +diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
1586 +index f5a8050351b5..e83e314a76a5 100644
1587 +--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
1588 ++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
1589 +@@ -399,7 +399,13 @@ static int sst_media_hw_params(struct snd_pcm_substream *substream,
1590 + struct snd_pcm_hw_params *params,
1591 + struct snd_soc_dai *dai)
1592 + {
1593 +- snd_pcm_lib_malloc_pages(substream, params_buffer_bytes(params));
1594 ++ int ret;
1595 ++
1596 ++ ret =
1597 ++ snd_pcm_lib_malloc_pages(substream,
1598 ++ params_buffer_bytes(params));
1599 ++ if (ret)
1600 ++ return ret;
1601 + memset(substream->runtime->dma_area, 0, params_buffer_bytes(params));
1602 + return 0;
1603 + }
1604 +diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c
1605 +index b46e1cf347e5..046a4850e3df 100644
1606 +--- a/tools/perf/util/unwind-libdw.c
1607 ++++ b/tools/perf/util/unwind-libdw.c
1608 +@@ -42,13 +42,13 @@ static int __report_module(struct addr_location *al, u64 ip,
1609 + Dwarf_Addr s;
1610 +
1611 + dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL);
1612 +- if (s != al->map->start)
1613 ++ if (s != al->map->start - al->map->pgoff)
1614 + mod = 0;
1615 + }
1616 +
1617 + if (!mod)
1618 + mod = dwfl_report_elf(ui->dwfl, dso->short_name,
1619 +- dso->long_name, -1, al->map->start,
1620 ++ (dso->symsrc_filename ? dso->symsrc_filename : dso->long_name), -1, al->map->start - al->map->pgoff,
1621 + false);
1622 +
1623 + return mod && dwfl_addrmodule(ui->dwfl, ip) == mod ? 0 : -1;
1624 +diff --git a/tools/testing/selftests/x86/protection_keys.c b/tools/testing/selftests/x86/protection_keys.c
1625 +index 85a78eba0a93..874972ccfc95 100644
1626 +--- a/tools/testing/selftests/x86/protection_keys.c
1627 ++++ b/tools/testing/selftests/x86/protection_keys.c
1628 +@@ -1129,6 +1129,21 @@ void test_pkey_syscalls_bad_args(int *ptr, u16 pkey)
1629 + pkey_assert(err);
1630 + }
1631 +
1632 ++void become_child(void)
1633 ++{
1634 ++ pid_t forkret;
1635 ++
1636 ++ forkret = fork();
1637 ++ pkey_assert(forkret >= 0);
1638 ++ dprintf3("[%d] fork() ret: %d\n", getpid(), forkret);
1639 ++
1640 ++ if (!forkret) {
1641 ++ /* in the child */
1642 ++ return;
1643 ++ }
1644 ++ exit(0);
1645 ++}
1646 ++
1647 + /* Assumes that all pkeys other than 'pkey' are unallocated */
1648 + void test_pkey_alloc_exhaust(int *ptr, u16 pkey)
1649 + {
1650 +@@ -1139,7 +1154,7 @@ void test_pkey_alloc_exhaust(int *ptr, u16 pkey)
1651 + int nr_allocated_pkeys = 0;
1652 + int i;
1653 +
1654 +- for (i = 0; i < NR_PKEYS*2; i++) {
1655 ++ for (i = 0; i < NR_PKEYS*3; i++) {
1656 + int new_pkey;
1657 + dprintf1("%s() alloc loop: %d\n", __func__, i);
1658 + new_pkey = alloc_pkey();
1659 +@@ -1150,20 +1165,26 @@ void test_pkey_alloc_exhaust(int *ptr, u16 pkey)
1660 + if ((new_pkey == -1) && (errno == ENOSPC)) {
1661 + dprintf2("%s() failed to allocate pkey after %d tries\n",
1662 + __func__, nr_allocated_pkeys);
1663 +- break;
1664 ++ } else {
1665 ++ /*
1666 ++ * Ensure the number of successes never
1667 ++ * exceeds the number of keys supported
1668 ++ * in the hardware.
1669 ++ */
1670 ++ pkey_assert(nr_allocated_pkeys < NR_PKEYS);
1671 ++ allocated_pkeys[nr_allocated_pkeys++] = new_pkey;
1672 + }
1673 +- pkey_assert(nr_allocated_pkeys < NR_PKEYS);
1674 +- allocated_pkeys[nr_allocated_pkeys++] = new_pkey;
1675 ++
1676 ++ /*
1677 ++ * Make sure that allocation state is properly
1678 ++ * preserved across fork().
1679 ++ */
1680 ++ if (i == NR_PKEYS*2)
1681 ++ become_child();
1682 + }
1683 +
1684 + dprintf3("%s()::%d\n", __func__, __LINE__);
1685 +
1686 +- /*
1687 +- * ensure it did not reach the end of the loop without
1688 +- * failure:
1689 +- */
1690 +- pkey_assert(i < NR_PKEYS*2);
1691 +-
1692 + /*
1693 + * There are 16 pkeys supported in hardware. One is taken
1694 + * up for the default (0) and another can be taken up by
Report Message
Find on MARC Find on Google Groups