Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Sun, 17 Oct 2021 13:14:30
Message-Id: 1634476454.afc4f366b7eba5142a76771c67c034493f4441f4.mpagano@gentoo
1 commit: afc4f366b7eba5142a76771c67c034493f4441f4
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Oct 17 13:14:14 2021 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Oct 17 13:14:14 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=afc4f366
7
8 Linux patch 4.9.287
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1286_linux-4.9.287.patch | 543 +++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 547 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index af7e135..6a1cf52 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -1187,6 +1187,10 @@ Patch: 1285_linux-4.9.286.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.286
23
24 +Patch: 1286_linux-4.9.287.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.287
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1286_linux-4.9.287.patch b/1286_linux-4.9.287.patch
33 new file mode 100644
34 index 0000000..f3751cc
35 --- /dev/null
36 +++ b/1286_linux-4.9.287.patch
37 @@ -0,0 +1,543 @@
38 +diff --git a/Makefile b/Makefile
39 +index 68f2c6f3869e2..76eff0f592346 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 9
45 +-SUBLEVEL = 286
46 ++SUBLEVEL = 287
47 + EXTRAVERSION =
48 + NAME = Roaring Lionus
49 +
50 +diff --git a/arch/arm/boot/dts/omap3430-sdp.dts b/arch/arm/boot/dts/omap3430-sdp.dts
51 +index abd6921143beb..e0ba97bd41b79 100644
52 +--- a/arch/arm/boot/dts/omap3430-sdp.dts
53 ++++ b/arch/arm/boot/dts/omap3430-sdp.dts
54 +@@ -104,7 +104,7 @@
55 +
56 + nand@1,0 {
57 + compatible = "ti,omap2-nand";
58 +- reg = <0 0 4>; /* CS0, offset 0, IO size 4 */
59 ++ reg = <1 0 4>; /* CS1, offset 0, IO size 4 */
60 + interrupt-parent = <&gpmc>;
61 + interrupts = <0 IRQ_TYPE_NONE>, /* fifoevent */
62 + <1 IRQ_TYPE_NONE>; /* termcount */
63 +diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
64 +index 6da26692f2fde..950c9f2ffe005 100644
65 +--- a/arch/arm/mach-imx/pm-imx6.c
66 ++++ b/arch/arm/mach-imx/pm-imx6.c
67 +@@ -15,6 +15,7 @@
68 + #include <linux/io.h>
69 + #include <linux/irq.h>
70 + #include <linux/genalloc.h>
71 ++#include <linux/irqchip/arm-gic.h>
72 + #include <linux/mfd/syscon.h>
73 + #include <linux/mfd/syscon/imx6q-iomuxc-gpr.h>
74 + #include <linux/of.h>
75 +@@ -606,6 +607,7 @@ static void __init imx6_pm_common_init(const struct imx6_pm_socdata
76 +
77 + static void imx6_pm_stby_poweroff(void)
78 + {
79 ++ gic_cpu_if_down(0);
80 + imx6_set_lpm(STOP_POWER_OFF);
81 + imx6q_suspend_finish(0);
82 +
83 +diff --git a/arch/powerpc/boot/dts/fsl/t1023rdb.dts b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
84 +index 29757623e5baf..f5f8f969dd586 100644
85 +--- a/arch/powerpc/boot/dts/fsl/t1023rdb.dts
86 ++++ b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
87 +@@ -125,7 +125,7 @@
88 +
89 + fm1mac3: ethernet@e4000 {
90 + phy-handle = <&sgmii_aqr_phy3>;
91 +- phy-connection-type = "sgmii-2500";
92 ++ phy-connection-type = "2500base-x";
93 + sleep = <&rcpm 0x20000000>;
94 + };
95 +
96 +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
97 +index c26cca506f646..c20df6a3540c2 100644
98 +--- a/arch/x86/events/core.c
99 ++++ b/arch/x86/events/core.c
100 +@@ -2075,6 +2075,7 @@ static int x86_pmu_event_init(struct perf_event *event)
101 + if (err) {
102 + if (event->destroy)
103 + event->destroy(event);
104 ++ event->destroy = NULL;
105 + }
106 +
107 + if (ACCESS_ONCE(x86_pmu.attr_rdpmc))
108 +diff --git a/arch/xtensa/kernel/irq.c b/arch/xtensa/kernel/irq.c
109 +index 441694464b1e4..fbbc24b914e30 100644
110 +--- a/arch/xtensa/kernel/irq.c
111 ++++ b/arch/xtensa/kernel/irq.c
112 +@@ -144,7 +144,7 @@ unsigned xtensa_get_ext_irq_no(unsigned irq)
113 +
114 + void __init init_IRQ(void)
115 + {
116 +-#ifdef CONFIG_OF
117 ++#ifdef CONFIG_USE_OF
118 + irqchip_init();
119 + #else
120 + #ifdef CONFIG_HAVE_SMP
121 +diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
122 +index 411c12cdb2499..bb516eb124213 100644
123 +--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
124 ++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
125 +@@ -178,6 +178,7 @@ static const struct file_operations nouveau_pstate_fops = {
126 + .open = nouveau_debugfs_pstate_open,
127 + .read = seq_read,
128 + .write = nouveau_debugfs_pstate_set,
129 ++ .release = single_release,
130 + };
131 +
132 + static struct drm_info_list nouveau_debugfs_list[] = {
133 +diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
134 +index 959a9e38b4f54..149902619cbc8 100644
135 +--- a/drivers/hid/hid-apple.c
136 ++++ b/drivers/hid/hid-apple.c
137 +@@ -302,12 +302,19 @@ static int apple_event(struct hid_device *hdev, struct hid_field *field,
138 +
139 + /*
140 + * MacBook JIS keyboard has wrong logical maximum
141 ++ * Magic Keyboard JIS has wrong logical maximum
142 + */
143 + static __u8 *apple_report_fixup(struct hid_device *hdev, __u8 *rdesc,
144 + unsigned int *rsize)
145 + {
146 + struct apple_sc *asc = hid_get_drvdata(hdev);
147 +
148 ++ if(*rsize >=71 && rdesc[70] == 0x65 && rdesc[64] == 0x65) {
149 ++ hid_info(hdev,
150 ++ "fixing up Magic Keyboard JIS report descriptor\n");
151 ++ rdesc[64] = rdesc[70] = 0xe7;
152 ++ }
153 ++
154 + if ((asc->quirks & APPLE_RDESC_JIS) && *rsize >= 60 &&
155 + rdesc[53] == 0x65 && rdesc[59] == 0x65) {
156 + hid_info(hdev,
157 +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
158 +index 832fffed4a1fa..e7585f6c4665b 100644
159 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
160 ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
161 +@@ -6646,7 +6646,7 @@ static int i40e_get_capabilities(struct i40e_pf *pf)
162 + if (pf->hw.aq.asq_last_status == I40E_AQ_RC_ENOMEM) {
163 + /* retry with a larger buffer */
164 + buf_len = data_size;
165 +- } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK) {
166 ++ } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK || err) {
167 + dev_info(&pf->pdev->dev,
168 + "capability discovery failed, err %s aq_err %s\n",
169 + i40e_stat_str(&pf->hw, err),
170 +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
171 +index 8cc7563ab103b..92fb664b56fbb 100644
172 +--- a/drivers/net/phy/mdio_bus.c
173 ++++ b/drivers/net/phy/mdio_bus.c
174 +@@ -316,6 +316,13 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
175 + bus->dev.groups = NULL;
176 + dev_set_name(&bus->dev, "%s", bus->id);
177 +
178 ++ /* We need to set state to MDIOBUS_UNREGISTERED to correctly release
179 ++ * the device in mdiobus_free()
180 ++ *
181 ++ * State will be updated later in this function in case of success
182 ++ */
183 ++ bus->state = MDIOBUS_UNREGISTERED;
184 ++
185 + err = device_register(&bus->dev);
186 + if (err) {
187 + pr_err("mii_bus %s failed to register\n", bus->id);
188 +diff --git a/drivers/ptp/ptp_pch.c b/drivers/ptp/ptp_pch.c
189 +index 3aa22ae4d94c0..a911325fc0b4f 100644
190 +--- a/drivers/ptp/ptp_pch.c
191 ++++ b/drivers/ptp/ptp_pch.c
192 +@@ -698,6 +698,7 @@ static const struct pci_device_id pch_ieee1588_pcidev_id[] = {
193 + },
194 + {0}
195 + };
196 ++MODULE_DEVICE_TABLE(pci, pch_ieee1588_pcidev_id);
197 +
198 + static struct pci_driver pch_driver = {
199 + .name = KBUILD_MODNAME,
200 +diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
201 +index 69046d342bc5d..39396548f9b55 100644
202 +--- a/drivers/scsi/ses.c
203 ++++ b/drivers/scsi/ses.c
204 +@@ -120,7 +120,7 @@ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
205 + static int ses_send_diag(struct scsi_device *sdev, int page_code,
206 + void *buf, int bufflen)
207 + {
208 +- u32 result;
209 ++ int result;
210 +
211 + unsigned char cmd[] = {
212 + SEND_DIAGNOSTIC,
213 +diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
214 +index 7ba0031d3a738..d5575869a25c7 100644
215 +--- a/drivers/scsi/virtio_scsi.c
216 ++++ b/drivers/scsi/virtio_scsi.c
217 +@@ -343,7 +343,7 @@ static void virtscsi_handle_transport_reset(struct virtio_scsi *vscsi,
218 + }
219 + break;
220 + default:
221 +- pr_info("Unsupport virtio scsi event reason %x\n", event->reason);
222 ++ pr_info("Unsupported virtio scsi event reason %x\n", event->reason);
223 + }
224 + }
225 +
226 +@@ -396,7 +396,7 @@ static void virtscsi_handle_event(struct work_struct *work)
227 + virtscsi_handle_param_change(vscsi, event);
228 + break;
229 + default:
230 +- pr_err("Unsupport virtio scsi event %x\n", event->event);
231 ++ pr_err("Unsupported virtio scsi event %x\n", event->event);
232 + }
233 + virtscsi_kick_event(vscsi, event_node);
234 + }
235 +diff --git a/drivers/usb/Kconfig b/drivers/usb/Kconfig
236 +index 0103f777b97ad..bff5a15e59c00 100644
237 +--- a/drivers/usb/Kconfig
238 ++++ b/drivers/usb/Kconfig
239 +@@ -160,8 +160,7 @@ source "drivers/usb/gadget/Kconfig"
240 +
241 + config USB_LED_TRIG
242 + bool "USB LED Triggers"
243 +- depends on LEDS_CLASS && LEDS_TRIGGERS
244 +- select USB_COMMON
245 ++ depends on LEDS_CLASS && USB_COMMON && LEDS_TRIGGERS
246 + help
247 + This option adds LED triggers for USB host and/or gadget activity.
248 +
249 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
250 +index 23df1549eb0d8..b7b83ca83ba0d 100644
251 +--- a/drivers/usb/class/cdc-acm.c
252 ++++ b/drivers/usb/class/cdc-acm.c
253 +@@ -349,6 +349,9 @@ static void acm_ctrl_irq(struct urb *urb)
254 + acm->iocount.overrun++;
255 + spin_unlock(&acm->read_lock);
256 +
257 ++ if (newctrl & ACM_CTRL_BRK)
258 ++ tty_flip_buffer_push(&acm->port);
259 ++
260 + if (difference)
261 + wake_up_all(&acm->wioctl);
262 +
263 +@@ -408,11 +411,16 @@ static int acm_submit_read_urbs(struct acm *acm, gfp_t mem_flags)
264 +
265 + static void acm_process_read_urb(struct acm *acm, struct urb *urb)
266 + {
267 ++ unsigned long flags;
268 ++
269 + if (!urb->actual_length)
270 + return;
271 +
272 ++ spin_lock_irqsave(&acm->read_lock, flags);
273 + tty_insert_flip_string(&acm->port, urb->transfer_buffer,
274 + urb->actual_length);
275 ++ spin_unlock_irqrestore(&acm->read_lock, flags);
276 ++
277 + tty_flip_buffer_push(&acm->port);
278 + }
279 +
280 +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
281 +index b16a6c0363527..dc51011d670df 100644
282 +--- a/fs/nfsd/nfs4xdr.c
283 ++++ b/fs/nfsd/nfs4xdr.c
284 +@@ -3028,15 +3028,18 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
285 + goto fail;
286 + cd->rd_maxcount -= entry_bytes;
287 + /*
288 +- * RFC 3530 14.2.24 describes rd_dircount as only a "hint", so
289 +- * let's always let through the first entry, at least:
290 ++ * RFC 3530 14.2.24 describes rd_dircount as only a "hint", and
291 ++ * notes that it could be zero. If it is zero, then the server
292 ++ * should enforce only the rd_maxcount value.
293 + */
294 +- if (!cd->rd_dircount)
295 +- goto fail;
296 +- name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8;
297 +- if (name_and_cookie > cd->rd_dircount && cd->cookie_offset)
298 +- goto fail;
299 +- cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie);
300 ++ if (cd->rd_dircount) {
301 ++ name_and_cookie = 4 + 4 * XDR_QUADLEN(namlen) + 8;
302 ++ if (name_and_cookie > cd->rd_dircount && cd->cookie_offset)
303 ++ goto fail;
304 ++ cd->rd_dircount -= min(cd->rd_dircount, name_and_cookie);
305 ++ if (!cd->rd_dircount)
306 ++ cd->rd_maxcount = 0;
307 ++ }
308 +
309 + cd->cookie_offset = cookie_offset;
310 + skip_entry:
311 +diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
312 +index 8546384a5fdfd..edd5979aca4f6 100644
313 +--- a/fs/overlayfs/dir.c
314 ++++ b/fs/overlayfs/dir.c
315 +@@ -926,9 +926,13 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old,
316 + goto out_dput;
317 + }
318 + } else {
319 +- if (!d_is_negative(newdentry) &&
320 +- (!new_opaque || !ovl_is_whiteout(newdentry)))
321 +- goto out_dput;
322 ++ if (!d_is_negative(newdentry)) {
323 ++ if (!new_opaque || !ovl_is_whiteout(newdentry))
324 ++ goto out_dput;
325 ++ } else {
326 ++ if (flags & RENAME_EXCHANGE)
327 ++ goto out_dput;
328 ++ }
329 + }
330 +
331 + if (olddentry == trap)
332 +diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
333 +index 2fdf6f96f9762..6f09728cd1dd3 100644
334 +--- a/kernel/bpf/stackmap.c
335 ++++ b/kernel/bpf/stackmap.c
336 +@@ -28,7 +28,8 @@ struct bpf_stack_map {
337 +
338 + static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
339 + {
340 +- u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
341 ++ u64 elem_size = sizeof(struct stack_map_bucket) +
342 ++ (u64)smap->map.value_size;
343 + int err;
344 +
345 + smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries);
346 +diff --git a/mm/gup.c b/mm/gup.c
347 +index 6bb7a8eb7f820..301dd96ef176c 100644
348 +--- a/mm/gup.c
349 ++++ b/mm/gup.c
350 +@@ -61,13 +61,22 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
351 + }
352 +
353 + /*
354 +- * FOLL_FORCE can write to even unwritable pte's, but only
355 +- * after we've gone through a COW cycle and they are dirty.
356 ++ * FOLL_FORCE or a forced COW break can write even to unwritable pte's,
357 ++ * but only after we've gone through a COW cycle and they are dirty.
358 + */
359 + static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
360 + {
361 +- return pte_write(pte) ||
362 +- ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
363 ++ return pte_write(pte) || ((flags & FOLL_COW) && pte_dirty(pte));
364 ++}
365 ++
366 ++/*
367 ++ * A (separate) COW fault might break the page the other way and
368 ++ * get_user_pages() would return the page from what is now the wrong
369 ++ * VM. So we need to force a COW break at GUP time even for reads.
370 ++ */
371 ++static inline bool should_force_cow_break(struct vm_area_struct *vma, unsigned int flags)
372 ++{
373 ++ return is_cow_mapping(vma->vm_flags) && (flags & FOLL_GET);
374 + }
375 +
376 + static struct page *follow_page_pte(struct vm_area_struct *vma,
377 +@@ -577,12 +586,18 @@ static long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
378 + if (!vma || check_vma_flags(vma, gup_flags))
379 + return i ? : -EFAULT;
380 + if (is_vm_hugetlb_page(vma)) {
381 ++ if (should_force_cow_break(vma, foll_flags))
382 ++ foll_flags |= FOLL_WRITE;
383 + i = follow_hugetlb_page(mm, vma, pages, vmas,
384 + &start, &nr_pages, i,
385 +- gup_flags);
386 ++ foll_flags);
387 + continue;
388 + }
389 + }
390 ++
391 ++ if (should_force_cow_break(vma, foll_flags))
392 ++ foll_flags |= FOLL_WRITE;
393 ++
394 + retry:
395 + /*
396 + * If we have a pending SIGKILL, don't keep faulting pages and
397 +@@ -1503,6 +1518,10 @@ static int gup_pud_range(pgd_t pgd, unsigned long addr, unsigned long end,
398 + /*
399 + * Like get_user_pages_fast() except it's IRQ-safe in that it won't fall back to
400 + * the regular GUP. It will only return non-negative values.
401 ++ *
402 ++ * Careful, careful! COW breaking can go either way, so a non-write
403 ++ * access can get ambiguous page results. If you call this function without
404 ++ * 'write' set, you'd better be sure that you're ok with that ambiguity.
405 + */
406 + int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
407 + struct page **pages)
408 +@@ -1532,6 +1551,12 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
409 + *
410 + * We do not adopt an rcu_read_lock(.) here as we also want to
411 + * block IPIs that come from THPs splitting.
412 ++ *
413 ++ * NOTE! We allow read-only gup_fast() here, but you'd better be
414 ++ * careful about possible COW pages. You'll get _a_ COW page, but
415 ++ * not necessarily the one you intended to get depending on what
416 ++ * COW event happens after this. COW may break the page copy in a
417 ++ * random direction.
418 + */
419 +
420 + local_irq_save(flags);
421 +@@ -1542,15 +1567,22 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
422 + next = pgd_addr_end(addr, end);
423 + if (pgd_none(pgd))
424 + break;
425 ++ /*
426 ++ * The FAST_GUP case requires FOLL_WRITE even for pure reads,
427 ++ * because get_user_pages() may need to cause an early COW in
428 ++ * order to avoid confusing the normal COW routines. So only
429 ++ * targets that are already writable are safe to do by just
430 ++ * looking at the page tables.
431 ++ */
432 + if (unlikely(pgd_huge(pgd))) {
433 +- if (!gup_huge_pgd(pgd, pgdp, addr, next, write,
434 ++ if (!gup_huge_pgd(pgd, pgdp, addr, next, 1,
435 + pages, &nr))
436 + break;
437 + } else if (unlikely(is_hugepd(__hugepd(pgd_val(pgd))))) {
438 + if (!gup_huge_pd(__hugepd(pgd_val(pgd)), addr,
439 +- PGDIR_SHIFT, next, write, pages, &nr))
440 ++ PGDIR_SHIFT, next, 1, pages, &nr))
441 + break;
442 +- } else if (!gup_pud_range(pgd, addr, next, write, pages, &nr))
443 ++ } else if (!gup_pud_range(pgd, addr, next, 1, pages, &nr))
444 + break;
445 + } while (pgdp++, addr = next, addr != end);
446 + local_irq_restore(flags);
447 +diff --git a/mm/huge_memory.c b/mm/huge_memory.c
448 +index 91f33bb43f178..3f3a86cc62b68 100644
449 +--- a/mm/huge_memory.c
450 ++++ b/mm/huge_memory.c
451 +@@ -1135,13 +1135,12 @@ out_unlock:
452 + }
453 +
454 + /*
455 +- * FOLL_FORCE can write to even unwritable pmd's, but only
456 +- * after we've gone through a COW cycle and they are dirty.
457 ++ * FOLL_FORCE or a forced COW break can write even to unwritable pmd's,
458 ++ * but only after we've gone through a COW cycle and they are dirty.
459 + */
460 + static inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)
461 + {
462 +- return pmd_write(pmd) ||
463 +- ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));
464 ++ return pmd_write(pmd) || ((flags & FOLL_COW) && pmd_dirty(pmd));
465 + }
466 +
467 + struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
468 +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
469 +index 4f831225d34f4..ca8757090ae35 100644
470 +--- a/net/bridge/br_netlink.c
471 ++++ b/net/bridge/br_netlink.c
472 +@@ -1298,7 +1298,7 @@ static size_t br_get_linkxstats_size(const struct net_device *dev, int attr)
473 + }
474 +
475 + return numvls * nla_total_size(sizeof(struct bridge_vlan_xstats)) +
476 +- nla_total_size(sizeof(struct br_mcast_stats)) +
477 ++ nla_total_size_64bit(sizeof(struct br_mcast_stats)) +
478 + nla_total_size(0);
479 + }
480 +
481 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
482 +index 911752e8a3e64..012143f313a87 100644
483 +--- a/net/core/rtnetlink.c
484 ++++ b/net/core/rtnetlink.c
485 +@@ -3900,7 +3900,7 @@ nla_put_failure:
486 + static size_t if_nlmsg_stats_size(const struct net_device *dev,
487 + u32 filter_mask)
488 + {
489 +- size_t size = 0;
490 ++ size_t size = NLMSG_ALIGN(sizeof(struct if_stats_msg));
491 +
492 + if (stats_attr_valid(filter_mask, IFLA_STATS_LINK_64, 0))
493 + size += nla_total_size_64bit(sizeof(struct rtnl_link_stats64));
494 +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
495 +index 579fda1bc45df..ce54e66b47a03 100644
496 +--- a/net/ipv6/netfilter/ip6_tables.c
497 ++++ b/net/ipv6/netfilter/ip6_tables.c
498 +@@ -290,6 +290,7 @@ ip6t_do_table(struct sk_buff *skb,
499 + * things we don't know, ie. tcp syn flag or ports). If the
500 + * rule is also a fragment-specific rule, non-fragments won't
501 + * match it. */
502 ++ acpar.fragoff = 0;
503 + acpar.hotdrop = false;
504 + acpar.net = state->net;
505 + acpar.in = state->in;
506 +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
507 +index b40e71a5d7957..3dc370ad23bf6 100644
508 +--- a/net/mac80211/rx.c
509 ++++ b/net/mac80211/rx.c
510 +@@ -3692,7 +3692,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
511 + if (!bssid)
512 + return false;
513 + if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
514 +- ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
515 ++ ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2) ||
516 ++ !is_valid_ether_addr(hdr->addr2))
517 + return false;
518 + if (ieee80211_is_beacon(hdr->frame_control))
519 + return true;
520 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
521 +index 453b0efdc0d71..1b70de5898c42 100644
522 +--- a/net/netlink/af_netlink.c
523 ++++ b/net/netlink/af_netlink.c
524 +@@ -574,7 +574,10 @@ static int netlink_insert(struct sock *sk, u32 portid)
525 +
526 + /* We need to ensure that the socket is hashed and visible. */
527 + smp_wmb();
528 +- nlk_sk(sk)->bound = portid;
529 ++ /* Paired with lockless reads from netlink_bind(),
530 ++ * netlink_connect() and netlink_sendmsg().
531 ++ */
532 ++ WRITE_ONCE(nlk_sk(sk)->bound, portid);
533 +
534 + err:
535 + release_sock(sk);
536 +@@ -993,7 +996,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
537 + else if (nlk->ngroups < 8*sizeof(groups))
538 + groups &= (1UL << nlk->ngroups) - 1;
539 +
540 +- bound = nlk->bound;
541 ++ /* Paired with WRITE_ONCE() in netlink_insert() */
542 ++ bound = READ_ONCE(nlk->bound);
543 + if (bound) {
544 + /* Ensure nlk->portid is up-to-date. */
545 + smp_rmb();
546 +@@ -1073,8 +1077,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
547 +
548 + /* No need for barriers here as we return to user-space without
549 + * using any of the bound attributes.
550 ++ * Paired with WRITE_ONCE() in netlink_insert().
551 + */
552 +- if (!nlk->bound)
553 ++ if (!READ_ONCE(nlk->bound))
554 + err = netlink_autobind(sock);
555 +
556 + if (err == 0) {
557 +@@ -1821,7 +1826,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
558 + dst_group = nlk->dst_group;
559 + }
560 +
561 +- if (!nlk->bound) {
562 ++ /* Paired with WRITE_ONCE() in netlink_insert() */
563 ++ if (!READ_ONCE(nlk->bound)) {
564 + err = netlink_autobind(sock);
565 + if (err)
566 + goto out;
567 +diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
568 +index 1e37247656f80..8b7110cbcce4c 100644
569 +--- a/net/sched/sch_fifo.c
570 ++++ b/net/sched/sch_fifo.c
571 +@@ -151,6 +151,9 @@ int fifo_set_limit(struct Qdisc *q, unsigned int limit)
572 + if (strncmp(q->ops->id + 1, "fifo", 4) != 0)
573 + return 0;
574 +
575 ++ if (!q->ops->change)
576 ++ return 0;
577 ++
578 + nla = kmalloc(nla_attr_size(sizeof(struct tc_fifo_qopt)), GFP_KERNEL);
579 + if (nla) {
580 + nla->nla_type = RTM_NEWQDISC;