Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.2 commit in: /
Date: Tue, 15 Dec 2015 11:15:24
Message-Id: 1450178105.3a9d9184e1f0d412574eabf24e5cd3586f69d3e9.mpagano@gentoo
1 commit: 3a9d9184e1f0d412574eabf24e5cd3586f69d3e9
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Dec 15 11:15:05 2015 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Dec 15 11:15:05 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=3a9d9184
7
8 Linux patch 4.2.8
9
10 0000_README | 4 +
11 1007_linux-4.2.8.patch | 3882 ++++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 3886 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 2299001..5645178 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -71,6 +71,10 @@ Patch: 1006_linux-4.2.7.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.2.7
21
22 +Patch: 1007_linux-4.2.8.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.2.8
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1007_linux-4.2.8.patch b/1007_linux-4.2.8.patch
31 new file mode 100644
32 index 0000000..7aca417
33 --- /dev/null
34 +++ b/1007_linux-4.2.8.patch
35 @@ -0,0 +1,3882 @@
36 +diff --git a/Makefile b/Makefile
37 +index f5014eaf2532..06b988951ccb 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 4
42 + PATCHLEVEL = 2
43 +-SUBLEVEL = 7
44 ++SUBLEVEL = 8
45 + EXTRAVERSION =
46 + NAME = Hurr durr I'ma sheep
47 +
48 +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
49 +index 017b7d58ae06..55f8a6a706fc 100644
50 +--- a/drivers/block/rbd.c
51 ++++ b/drivers/block/rbd.c
52 +@@ -3439,6 +3439,7 @@ static void rbd_queue_workfn(struct work_struct *work)
53 + goto err_rq;
54 + }
55 + img_request->rq = rq;
56 ++ snapc = NULL; /* img_request consumes a ref */
57 +
58 + if (op_type == OBJ_OP_DISCARD)
59 + result = rbd_img_request_fill(img_request, OBJ_REQUEST_NODATA,
60 +diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
61 +index f51d376d10ba..c2f5117fd8cb 100644
62 +--- a/drivers/firewire/ohci.c
63 ++++ b/drivers/firewire/ohci.c
64 +@@ -3675,6 +3675,11 @@ static int pci_probe(struct pci_dev *dev,
65 +
66 + reg_write(ohci, OHCI1394_IsoXmitIntMaskSet, ~0);
67 + ohci->it_context_support = reg_read(ohci, OHCI1394_IsoXmitIntMaskSet);
68 ++ /* JMicron JMB38x often shows 0 at first read, just ignore it */
69 ++ if (!ohci->it_context_support) {
70 ++ ohci_notice(ohci, "overriding IsoXmitIntMask\n");
71 ++ ohci->it_context_support = 0xf;
72 ++ }
73 + reg_write(ohci, OHCI1394_IsoXmitIntMaskClear, ~0);
74 + ohci->it_context_mask = ohci->it_context_support;
75 + ohci->n_it = hweight32(ohci->it_context_mask);
76 +diff --git a/drivers/media/pci/cobalt/Kconfig b/drivers/media/pci/cobalt/Kconfig
77 +index 6a1c0089bb62..4ecf171d14a2 100644
78 +--- a/drivers/media/pci/cobalt/Kconfig
79 ++++ b/drivers/media/pci/cobalt/Kconfig
80 +@@ -1,6 +1,6 @@
81 + config VIDEO_COBALT
82 + tristate "Cisco Cobalt support"
83 +- depends on VIDEO_V4L2 && I2C && MEDIA_CONTROLLER
84 ++ depends on VIDEO_V4L2 && I2C && VIDEO_V4L2_SUBDEV_API
85 + depends on PCI_MSI && MTD_COMPLEX_MAPPINGS && GPIOLIB
86 + depends on SND
87 + select I2C_ALGOBIT
88 +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
89 +index 3b90afb8c293..6f2a748524f3 100644
90 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
91 ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
92 +@@ -1325,7 +1325,12 @@ err_disable_device:
93 + static void nicvf_remove(struct pci_dev *pdev)
94 + {
95 + struct net_device *netdev = pci_get_drvdata(pdev);
96 +- struct nicvf *nic = netdev_priv(netdev);
97 ++ struct nicvf *nic;
98 ++
99 ++ if (!netdev)
100 ++ return;
101 ++
102 ++ nic = netdev_priv(netdev);
103 +
104 + unregister_netdev(netdev);
105 + nicvf_unregister_interrupts(nic);
106 +diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
107 +index 731423ca575d..8bead97373ab 100644
108 +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
109 ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
110 +@@ -4934,26 +4934,41 @@ static void rem_slave_counters(struct mlx4_dev *dev, int slave)
111 + struct res_counter *counter;
112 + struct res_counter *tmp;
113 + int err;
114 +- int index;
115 ++ int *counters_arr = NULL;
116 ++ int i, j;
117 +
118 + err = move_all_busy(dev, slave, RES_COUNTER);
119 + if (err)
120 + mlx4_warn(dev, "rem_slave_counters: Could not move all counters - too busy for slave %d\n",
121 + slave);
122 +
123 +- spin_lock_irq(mlx4_tlock(dev));
124 +- list_for_each_entry_safe(counter, tmp, counter_list, com.list) {
125 +- if (counter->com.owner == slave) {
126 +- index = counter->com.res_id;
127 +- rb_erase(&counter->com.node,
128 +- &tracker->res_tree[RES_COUNTER]);
129 +- list_del(&counter->com.list);
130 +- kfree(counter);
131 +- __mlx4_counter_free(dev, index);
132 ++ counters_arr = kmalloc_array(dev->caps.max_counters,
133 ++ sizeof(*counters_arr), GFP_KERNEL);
134 ++ if (!counters_arr)
135 ++ return;
136 ++
137 ++ do {
138 ++ i = 0;
139 ++ j = 0;
140 ++ spin_lock_irq(mlx4_tlock(dev));
141 ++ list_for_each_entry_safe(counter, tmp, counter_list, com.list) {
142 ++ if (counter->com.owner == slave) {
143 ++ counters_arr[i++] = counter->com.res_id;
144 ++ rb_erase(&counter->com.node,
145 ++ &tracker->res_tree[RES_COUNTER]);
146 ++ list_del(&counter->com.list);
147 ++ kfree(counter);
148 ++ }
149 ++ }
150 ++ spin_unlock_irq(mlx4_tlock(dev));
151 ++
152 ++ while (j < i) {
153 ++ __mlx4_counter_free(dev, counters_arr[j++]);
154 + mlx4_release_resource(dev, slave, RES_COUNTER, 1, 0);
155 + }
156 +- }
157 +- spin_unlock_irq(mlx4_tlock(dev));
158 ++ } while (i);
159 ++
160 ++ kfree(counters_arr);
161 + }
162 +
163 + static void rem_slave_xrcdns(struct mlx4_dev *dev, int slave)
164 +diff --git a/drivers/net/ethernet/via/via-rhine.c b/drivers/net/ethernet/via/via-rhine.c
165 +index a83263743665..2b7550c43f78 100644
166 +--- a/drivers/net/ethernet/via/via-rhine.c
167 ++++ b/drivers/net/ethernet/via/via-rhine.c
168 +@@ -2134,10 +2134,11 @@ static int rhine_rx(struct net_device *dev, int limit)
169 + }
170 +
171 + skb_put(skb, pkt_len);
172 +- skb->protocol = eth_type_trans(skb, dev);
173 +
174 + rhine_rx_vlan_tag(skb, desc, data_size);
175 +
176 ++ skb->protocol = eth_type_trans(skb, dev);
177 ++
178 + netif_receive_skb(skb);
179 +
180 + u64_stats_update_begin(&rp->rx_stats.syncp);
181 +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c
182 +index 9c71295f2fef..85e640440bd9 100644
183 +--- a/drivers/net/phy/broadcom.c
184 ++++ b/drivers/net/phy/broadcom.c
185 +@@ -675,7 +675,7 @@ static struct mdio_device_id __maybe_unused broadcom_tbl[] = {
186 + { PHY_ID_BCM5461, 0xfffffff0 },
187 + { PHY_ID_BCM54616S, 0xfffffff0 },
188 + { PHY_ID_BCM5464, 0xfffffff0 },
189 +- { PHY_ID_BCM5482, 0xfffffff0 },
190 ++ { PHY_ID_BCM5481, 0xfffffff0 },
191 + { PHY_ID_BCM5482, 0xfffffff0 },
192 + { PHY_ID_BCM50610, 0xfffffff0 },
193 + { PHY_ID_BCM50610M, 0xfffffff0 },
194 +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
195 +index 8f1738c3b3c5..de27f510c0f3 100644
196 +--- a/drivers/net/usb/qmi_wwan.c
197 ++++ b/drivers/net/usb/qmi_wwan.c
198 +@@ -775,6 +775,7 @@ static const struct usb_device_id products[] = {
199 + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
200 + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
201 + {QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
202 ++ {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */
203 + {QMI_FIXED_INTF(0x0b3c, 0xc000, 4)}, /* Olivetti Olicard 100 */
204 + {QMI_FIXED_INTF(0x0b3c, 0xc001, 4)}, /* Olivetti Olicard 120 */
205 + {QMI_FIXED_INTF(0x0b3c, 0xc002, 4)}, /* Olivetti Olicard 140 */
206 +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
207 +index aac314e14188..bb25b8d00570 100644
208 +--- a/fs/btrfs/ctree.h
209 ++++ b/fs/btrfs/ctree.h
210 +@@ -3404,7 +3404,7 @@ int btrfs_set_disk_extent_flags(struct btrfs_trans_handle *trans,
211 + int btrfs_free_extent(struct btrfs_trans_handle *trans,
212 + struct btrfs_root *root,
213 + u64 bytenr, u64 num_bytes, u64 parent, u64 root_objectid,
214 +- u64 owner, u64 offset, int no_quota);
215 ++ u64 owner, u64 offset);
216 +
217 + int btrfs_free_reserved_extent(struct btrfs_root *root, u64 start, u64 len,
218 + int delalloc);
219 +@@ -3417,7 +3417,7 @@ int btrfs_finish_extent_commit(struct btrfs_trans_handle *trans,
220 + int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans,
221 + struct btrfs_root *root,
222 + u64 bytenr, u64 num_bytes, u64 parent,
223 +- u64 root_objectid, u64 owner, u64 offset, int no_quota);
224 ++ u64 root_objectid, u64 owner, u64 offset);
225 +
226 + int btrfs_start_dirty_block_groups(struct btrfs_trans_handle *trans,
227 + struct btrfs_root *root);
228 +diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c
229 +index ac3e81da6d4e..7832031fef68 100644
230 +--- a/fs/btrfs/delayed-ref.c
231 ++++ b/fs/btrfs/delayed-ref.c
232 +@@ -197,6 +197,119 @@ static inline void drop_delayed_ref(struct btrfs_trans_handle *trans,
233 + trans->delayed_ref_updates--;
234 + }
235 +
236 ++static bool merge_ref(struct btrfs_trans_handle *trans,
237 ++ struct btrfs_delayed_ref_root *delayed_refs,
238 ++ struct btrfs_delayed_ref_head *head,
239 ++ struct btrfs_delayed_ref_node *ref,
240 ++ u64 seq)
241 ++{
242 ++ struct btrfs_delayed_ref_node *next;
243 ++ bool done = false;
244 ++
245 ++ next = list_first_entry(&head->ref_list, struct btrfs_delayed_ref_node,
246 ++ list);
247 ++ while (!done && &next->list != &head->ref_list) {
248 ++ int mod;
249 ++ struct btrfs_delayed_ref_node *next2;
250 ++
251 ++ next2 = list_next_entry(next, list);
252 ++
253 ++ if (next == ref)
254 ++ goto next;
255 ++
256 ++ if (seq && next->seq >= seq)
257 ++ goto next;
258 ++
259 ++ if (next->type != ref->type)
260 ++ goto next;
261 ++
262 ++ if ((ref->type == BTRFS_TREE_BLOCK_REF_KEY ||
263 ++ ref->type == BTRFS_SHARED_BLOCK_REF_KEY) &&
264 ++ comp_tree_refs(btrfs_delayed_node_to_tree_ref(ref),
265 ++ btrfs_delayed_node_to_tree_ref(next),
266 ++ ref->type))
267 ++ goto next;
268 ++ if ((ref->type == BTRFS_EXTENT_DATA_REF_KEY ||
269 ++ ref->type == BTRFS_SHARED_DATA_REF_KEY) &&
270 ++ comp_data_refs(btrfs_delayed_node_to_data_ref(ref),
271 ++ btrfs_delayed_node_to_data_ref(next)))
272 ++ goto next;
273 ++
274 ++ if (ref->action == next->action) {
275 ++ mod = next->ref_mod;
276 ++ } else {
277 ++ if (ref->ref_mod < next->ref_mod) {
278 ++ swap(ref, next);
279 ++ done = true;
280 ++ }
281 ++ mod = -next->ref_mod;
282 ++ }
283 ++
284 ++ drop_delayed_ref(trans, delayed_refs, head, next);
285 ++ ref->ref_mod += mod;
286 ++ if (ref->ref_mod == 0) {
287 ++ drop_delayed_ref(trans, delayed_refs, head, ref);
288 ++ done = true;
289 ++ } else {
290 ++ /*
291 ++ * Can't have multiples of the same ref on a tree block.
292 ++ */
293 ++ WARN_ON(ref->type == BTRFS_TREE_BLOCK_REF_KEY ||
294 ++ ref->type == BTRFS_SHARED_BLOCK_REF_KEY);
295 ++ }
296 ++next:
297 ++ next = next2;
298 ++ }
299 ++
300 ++ return done;
301 ++}
302 ++
303 ++void btrfs_merge_delayed_refs(struct btrfs_trans_handle *trans,
304 ++ struct btrfs_fs_info *fs_info,
305 ++ struct btrfs_delayed_ref_root *delayed_refs,
306 ++ struct btrfs_delayed_ref_head *head)
307 ++{
308 ++ struct btrfs_delayed_ref_node *ref;
309 ++ u64 seq = 0;
310 ++
311 ++ assert_spin_locked(&head->lock);
312 ++
313 ++ if (list_empty(&head->ref_list))
314 ++ return;
315 ++
316 ++ /* We don't have too many refs to merge for data. */
317 ++ if (head->is_data)
318 ++ return;
319 ++
320 ++ spin_lock(&fs_info->tree_mod_seq_lock);
321 ++ if (!list_empty(&fs_info->tree_mod_seq_list)) {
322 ++ struct seq_list *elem;
323 ++
324 ++ elem = list_first_entry(&fs_info->tree_mod_seq_list,
325 ++ struct seq_list, list);
326 ++ seq = elem->seq;
327 ++ }
328 ++ spin_unlock(&fs_info->tree_mod_seq_lock);
329 ++
330 ++ ref = list_first_entry(&head->ref_list, struct btrfs_delayed_ref_node,
331 ++ list);
332 ++ while (&ref->list != &head->ref_list) {
333 ++ if (seq && ref->seq >= seq)
334 ++ goto next;
335 ++
336 ++ if (merge_ref(trans, delayed_refs, head, ref, seq)) {
337 ++ if (list_empty(&head->ref_list))
338 ++ break;
339 ++ ref = list_first_entry(&head->ref_list,
340 ++ struct btrfs_delayed_ref_node,
341 ++ list);
342 ++ continue;
343 ++ }
344 ++next:
345 ++ ref = list_next_entry(ref, list);
346 ++ }
347 ++}
348 ++
349 + int btrfs_check_delayed_seq(struct btrfs_fs_info *fs_info,
350 + struct btrfs_delayed_ref_root *delayed_refs,
351 + u64 seq)
352 +@@ -292,8 +405,7 @@ add_delayed_ref_tail_merge(struct btrfs_trans_handle *trans,
353 + exist = list_entry(href->ref_list.prev, struct btrfs_delayed_ref_node,
354 + list);
355 + /* No need to compare bytenr nor is_head */
356 +- if (exist->type != ref->type || exist->no_quota != ref->no_quota ||
357 +- exist->seq != ref->seq)
358 ++ if (exist->type != ref->type || exist->seq != ref->seq)
359 + goto add_tail;
360 +
361 + if ((exist->type == BTRFS_TREE_BLOCK_REF_KEY ||
362 +@@ -524,7 +636,7 @@ add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
363 + struct btrfs_delayed_ref_head *head_ref,
364 + struct btrfs_delayed_ref_node *ref, u64 bytenr,
365 + u64 num_bytes, u64 parent, u64 ref_root, int level,
366 +- int action, int no_quota)
367 ++ int action)
368 + {
369 + struct btrfs_delayed_tree_ref *full_ref;
370 + struct btrfs_delayed_ref_root *delayed_refs;
371 +@@ -546,7 +658,6 @@ add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
372 + ref->action = action;
373 + ref->is_head = 0;
374 + ref->in_tree = 1;
375 +- ref->no_quota = no_quota;
376 + ref->seq = seq;
377 +
378 + full_ref = btrfs_delayed_node_to_tree_ref(ref);
379 +@@ -579,7 +690,7 @@ add_delayed_data_ref(struct btrfs_fs_info *fs_info,
380 + struct btrfs_delayed_ref_head *head_ref,
381 + struct btrfs_delayed_ref_node *ref, u64 bytenr,
382 + u64 num_bytes, u64 parent, u64 ref_root, u64 owner,
383 +- u64 offset, int action, int no_quota)
384 ++ u64 offset, int action)
385 + {
386 + struct btrfs_delayed_data_ref *full_ref;
387 + struct btrfs_delayed_ref_root *delayed_refs;
388 +@@ -602,7 +713,6 @@ add_delayed_data_ref(struct btrfs_fs_info *fs_info,
389 + ref->action = action;
390 + ref->is_head = 0;
391 + ref->in_tree = 1;
392 +- ref->no_quota = no_quota;
393 + ref->seq = seq;
394 +
395 + full_ref = btrfs_delayed_node_to_data_ref(ref);
396 +@@ -633,17 +743,13 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
397 + struct btrfs_trans_handle *trans,
398 + u64 bytenr, u64 num_bytes, u64 parent,
399 + u64 ref_root, int level, int action,
400 +- struct btrfs_delayed_extent_op *extent_op,
401 +- int no_quota)
402 ++ struct btrfs_delayed_extent_op *extent_op)
403 + {
404 + struct btrfs_delayed_tree_ref *ref;
405 + struct btrfs_delayed_ref_head *head_ref;
406 + struct btrfs_delayed_ref_root *delayed_refs;
407 + struct btrfs_qgroup_extent_record *record = NULL;
408 +
409 +- if (!is_fstree(ref_root) || !fs_info->quota_enabled)
410 +- no_quota = 0;
411 +-
412 + BUG_ON(extent_op && extent_op->is_data);
413 + ref = kmem_cache_alloc(btrfs_delayed_tree_ref_cachep, GFP_NOFS);
414 + if (!ref)
415 +@@ -672,8 +778,7 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
416 + bytenr, num_bytes, action, 0);
417 +
418 + add_delayed_tree_ref(fs_info, trans, head_ref, &ref->node, bytenr,
419 +- num_bytes, parent, ref_root, level, action,
420 +- no_quota);
421 ++ num_bytes, parent, ref_root, level, action);
422 + spin_unlock(&delayed_refs->lock);
423 +
424 + return 0;
425 +@@ -694,17 +799,13 @@ int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info,
426 + u64 bytenr, u64 num_bytes,
427 + u64 parent, u64 ref_root,
428 + u64 owner, u64 offset, int action,
429 +- struct btrfs_delayed_extent_op *extent_op,
430 +- int no_quota)
431 ++ struct btrfs_delayed_extent_op *extent_op)
432 + {
433 + struct btrfs_delayed_data_ref *ref;
434 + struct btrfs_delayed_ref_head *head_ref;
435 + struct btrfs_delayed_ref_root *delayed_refs;
436 + struct btrfs_qgroup_extent_record *record = NULL;
437 +
438 +- if (!is_fstree(ref_root) || !fs_info->quota_enabled)
439 +- no_quota = 0;
440 +-
441 + BUG_ON(extent_op && !extent_op->is_data);
442 + ref = kmem_cache_alloc(btrfs_delayed_data_ref_cachep, GFP_NOFS);
443 + if (!ref)
444 +@@ -740,7 +841,7 @@ int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info,
445 +
446 + add_delayed_data_ref(fs_info, trans, head_ref, &ref->node, bytenr,
447 + num_bytes, parent, ref_root, owner, offset,
448 +- action, no_quota);
449 ++ action);
450 + spin_unlock(&delayed_refs->lock);
451 +
452 + return 0;
453 +diff --git a/fs/btrfs/delayed-ref.h b/fs/btrfs/delayed-ref.h
454 +index 13fb5e6090fe..930887a4275f 100644
455 +--- a/fs/btrfs/delayed-ref.h
456 ++++ b/fs/btrfs/delayed-ref.h
457 +@@ -68,7 +68,6 @@ struct btrfs_delayed_ref_node {
458 +
459 + unsigned int action:8;
460 + unsigned int type:8;
461 +- unsigned int no_quota:1;
462 + /* is this node still in the rbtree? */
463 + unsigned int is_head:1;
464 + unsigned int in_tree:1;
465 +@@ -233,15 +232,13 @@ int btrfs_add_delayed_tree_ref(struct btrfs_fs_info *fs_info,
466 + struct btrfs_trans_handle *trans,
467 + u64 bytenr, u64 num_bytes, u64 parent,
468 + u64 ref_root, int level, int action,
469 +- struct btrfs_delayed_extent_op *extent_op,
470 +- int no_quota);
471 ++ struct btrfs_delayed_extent_op *extent_op);
472 + int btrfs_add_delayed_data_ref(struct btrfs_fs_info *fs_info,
473 + struct btrfs_trans_handle *trans,
474 + u64 bytenr, u64 num_bytes,
475 + u64 parent, u64 ref_root,
476 + u64 owner, u64 offset, int action,
477 +- struct btrfs_delayed_extent_op *extent_op,
478 +- int no_quota);
479 ++ struct btrfs_delayed_extent_op *extent_op);
480 + int btrfs_add_delayed_extent_op(struct btrfs_fs_info *fs_info,
481 + struct btrfs_trans_handle *trans,
482 + u64 bytenr, u64 num_bytes,
483 +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
484 +index 07204bf601ed..5d870c4eac05 100644
485 +--- a/fs/btrfs/extent-tree.c
486 ++++ b/fs/btrfs/extent-tree.c
487 +@@ -95,8 +95,7 @@ static int alloc_reserved_tree_block(struct btrfs_trans_handle *trans,
488 + struct btrfs_root *root,
489 + u64 parent, u64 root_objectid,
490 + u64 flags, struct btrfs_disk_key *key,
491 +- int level, struct btrfs_key *ins,
492 +- int no_quota);
493 ++ int level, struct btrfs_key *ins);
494 + static int do_chunk_alloc(struct btrfs_trans_handle *trans,
495 + struct btrfs_root *extent_root, u64 flags,
496 + int force);
497 +@@ -1941,8 +1940,7 @@ int btrfs_discard_extent(struct btrfs_root *root, u64 bytenr,
498 + int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans,
499 + struct btrfs_root *root,
500 + u64 bytenr, u64 num_bytes, u64 parent,
501 +- u64 root_objectid, u64 owner, u64 offset,
502 +- int no_quota)
503 ++ u64 root_objectid, u64 owner, u64 offset)
504 + {
505 + int ret;
506 + struct btrfs_fs_info *fs_info = root->fs_info;
507 +@@ -1954,12 +1952,12 @@ int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans,
508 + ret = btrfs_add_delayed_tree_ref(fs_info, trans, bytenr,
509 + num_bytes,
510 + parent, root_objectid, (int)owner,
511 +- BTRFS_ADD_DELAYED_REF, NULL, no_quota);
512 ++ BTRFS_ADD_DELAYED_REF, NULL);
513 + } else {
514 + ret = btrfs_add_delayed_data_ref(fs_info, trans, bytenr,
515 + num_bytes,
516 + parent, root_objectid, owner, offset,
517 +- BTRFS_ADD_DELAYED_REF, NULL, no_quota);
518 ++ BTRFS_ADD_DELAYED_REF, NULL);
519 + }
520 + return ret;
521 + }
522 +@@ -1980,15 +1978,11 @@ static int __btrfs_inc_extent_ref(struct btrfs_trans_handle *trans,
523 + u64 num_bytes = node->num_bytes;
524 + u64 refs;
525 + int ret;
526 +- int no_quota = node->no_quota;
527 +
528 + path = btrfs_alloc_path();
529 + if (!path)
530 + return -ENOMEM;
531 +
532 +- if (!is_fstree(root_objectid) || !root->fs_info->quota_enabled)
533 +- no_quota = 1;
534 +-
535 + path->reada = 1;
536 + path->leave_spinning = 1;
537 + /* this will setup the path even if it fails to insert the back ref */
538 +@@ -2223,8 +2217,7 @@ static int run_delayed_tree_ref(struct btrfs_trans_handle *trans,
539 + parent, ref_root,
540 + extent_op->flags_to_set,
541 + &extent_op->key,
542 +- ref->level, &ins,
543 +- node->no_quota);
544 ++ ref->level, &ins);
545 + } else if (node->action == BTRFS_ADD_DELAYED_REF) {
546 + ret = __btrfs_inc_extent_ref(trans, root, node,
547 + parent, ref_root,
548 +@@ -2365,7 +2358,21 @@ static noinline int __btrfs_run_delayed_refs(struct btrfs_trans_handle *trans,
549 + }
550 + }
551 +
552 ++ /*
553 ++ * We need to try and merge add/drops of the same ref since we
554 ++ * can run into issues with relocate dropping the implicit ref
555 ++ * and then it being added back again before the drop can
556 ++ * finish. If we merged anything we need to re-loop so we can
557 ++ * get a good ref.
558 ++ * Or we can get node references of the same type that weren't
559 ++ * merged when created due to bumps in the tree mod seq, and
560 ++ * we need to merge them to prevent adding an inline extent
561 ++ * backref before dropping it (triggering a BUG_ON at
562 ++ * insert_inline_extent_backref()).
563 ++ */
564 + spin_lock(&locked_ref->lock);
565 ++ btrfs_merge_delayed_refs(trans, fs_info, delayed_refs,
566 ++ locked_ref);
567 +
568 + /*
569 + * locked_ref is the head node, so we have to go one
570 +@@ -3038,7 +3045,7 @@ static int __btrfs_mod_ref(struct btrfs_trans_handle *trans,
571 + int level;
572 + int ret = 0;
573 + int (*process_func)(struct btrfs_trans_handle *, struct btrfs_root *,
574 +- u64, u64, u64, u64, u64, u64, int);
575 ++ u64, u64, u64, u64, u64, u64);
576 +
577 +
578 + if (btrfs_test_is_dummy_root(root))
579 +@@ -3079,15 +3086,14 @@ static int __btrfs_mod_ref(struct btrfs_trans_handle *trans,
580 + key.offset -= btrfs_file_extent_offset(buf, fi);
581 + ret = process_func(trans, root, bytenr, num_bytes,
582 + parent, ref_root, key.objectid,
583 +- key.offset, 1);
584 ++ key.offset);
585 + if (ret)
586 + goto fail;
587 + } else {
588 + bytenr = btrfs_node_blockptr(buf, i);
589 + num_bytes = root->nodesize;
590 + ret = process_func(trans, root, bytenr, num_bytes,
591 +- parent, ref_root, level - 1, 0,
592 +- 1);
593 ++ parent, ref_root, level - 1, 0);
594 + if (ret)
595 + goto fail;
596 + }
597 +@@ -6137,7 +6143,6 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans,
598 + int extent_slot = 0;
599 + int found_extent = 0;
600 + int num_to_del = 1;
601 +- int no_quota = node->no_quota;
602 + u32 item_size;
603 + u64 refs;
604 + u64 bytenr = node->bytenr;
605 +@@ -6146,9 +6151,6 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans,
606 + bool skinny_metadata = btrfs_fs_incompat(root->fs_info,
607 + SKINNY_METADATA);
608 +
609 +- if (!info->quota_enabled || !is_fstree(root_objectid))
610 +- no_quota = 1;
611 +-
612 + path = btrfs_alloc_path();
613 + if (!path)
614 + return -ENOMEM;
615 +@@ -6474,7 +6476,7 @@ void btrfs_free_tree_block(struct btrfs_trans_handle *trans,
616 + buf->start, buf->len,
617 + parent, root->root_key.objectid,
618 + btrfs_header_level(buf),
619 +- BTRFS_DROP_DELAYED_REF, NULL, 0);
620 ++ BTRFS_DROP_DELAYED_REF, NULL);
621 + BUG_ON(ret); /* -ENOMEM */
622 + }
623 +
624 +@@ -6522,7 +6524,7 @@ out:
625 + /* Can return -ENOMEM */
626 + int btrfs_free_extent(struct btrfs_trans_handle *trans, struct btrfs_root *root,
627 + u64 bytenr, u64 num_bytes, u64 parent, u64 root_objectid,
628 +- u64 owner, u64 offset, int no_quota)
629 ++ u64 owner, u64 offset)
630 + {
631 + int ret;
632 + struct btrfs_fs_info *fs_info = root->fs_info;
633 +@@ -6545,13 +6547,13 @@ int btrfs_free_extent(struct btrfs_trans_handle *trans, struct btrfs_root *root,
634 + ret = btrfs_add_delayed_tree_ref(fs_info, trans, bytenr,
635 + num_bytes,
636 + parent, root_objectid, (int)owner,
637 +- BTRFS_DROP_DELAYED_REF, NULL, no_quota);
638 ++ BTRFS_DROP_DELAYED_REF, NULL);
639 + } else {
640 + ret = btrfs_add_delayed_data_ref(fs_info, trans, bytenr,
641 + num_bytes,
642 + parent, root_objectid, owner,
643 + offset, BTRFS_DROP_DELAYED_REF,
644 +- NULL, no_quota);
645 ++ NULL);
646 + }
647 + return ret;
648 + }
649 +@@ -7333,8 +7335,7 @@ static int alloc_reserved_tree_block(struct btrfs_trans_handle *trans,
650 + struct btrfs_root *root,
651 + u64 parent, u64 root_objectid,
652 + u64 flags, struct btrfs_disk_key *key,
653 +- int level, struct btrfs_key *ins,
654 +- int no_quota)
655 ++ int level, struct btrfs_key *ins)
656 + {
657 + int ret;
658 + struct btrfs_fs_info *fs_info = root->fs_info;
659 +@@ -7424,7 +7425,7 @@ int btrfs_alloc_reserved_file_extent(struct btrfs_trans_handle *trans,
660 + ret = btrfs_add_delayed_data_ref(root->fs_info, trans, ins->objectid,
661 + ins->offset, 0,
662 + root_objectid, owner, offset,
663 +- BTRFS_ADD_DELAYED_EXTENT, NULL, 0);
664 ++ BTRFS_ADD_DELAYED_EXTENT, NULL);
665 + return ret;
666 + }
667 +
668 +@@ -7641,7 +7642,7 @@ struct extent_buffer *btrfs_alloc_tree_block(struct btrfs_trans_handle *trans,
669 + ins.objectid, ins.offset,
670 + parent, root_objectid, level,
671 + BTRFS_ADD_DELAYED_EXTENT,
672 +- extent_op, 0);
673 ++ extent_op);
674 + if (ret)
675 + goto out_free_delayed;
676 + }
677 +@@ -8189,7 +8190,7 @@ skip:
678 + }
679 + }
680 + ret = btrfs_free_extent(trans, root, bytenr, blocksize, parent,
681 +- root->root_key.objectid, level - 1, 0, 0);
682 ++ root->root_key.objectid, level - 1, 0);
683 + BUG_ON(ret); /* -ENOMEM */
684 + }
685 + btrfs_tree_unlock(next);
686 +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
687 +index b823fac91c92..5e314856a58c 100644
688 +--- a/fs/btrfs/file.c
689 ++++ b/fs/btrfs/file.c
690 +@@ -756,8 +756,16 @@ next_slot:
691 + }
692 +
693 + btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
694 +- if (key.objectid > ino ||
695 +- key.type > BTRFS_EXTENT_DATA_KEY || key.offset >= end)
696 ++
697 ++ if (key.objectid > ino)
698 ++ break;
699 ++ if (WARN_ON_ONCE(key.objectid < ino) ||
700 ++ key.type < BTRFS_EXTENT_DATA_KEY) {
701 ++ ASSERT(del_nr == 0);
702 ++ path->slots[0]++;
703 ++ goto next_slot;
704 ++ }
705 ++ if (key.type > BTRFS_EXTENT_DATA_KEY || key.offset >= end)
706 + break;
707 +
708 + fi = btrfs_item_ptr(leaf, path->slots[0],
709 +@@ -776,8 +784,8 @@ next_slot:
710 + btrfs_file_extent_inline_len(leaf,
711 + path->slots[0], fi);
712 + } else {
713 +- WARN_ON(1);
714 +- extent_end = search_start;
715 ++ /* can't happen */
716 ++ BUG();
717 + }
718 +
719 + /*
720 +@@ -847,7 +855,7 @@ next_slot:
721 + disk_bytenr, num_bytes, 0,
722 + root->root_key.objectid,
723 + new_key.objectid,
724 +- start - extent_offset, 1);
725 ++ start - extent_offset);
726 + BUG_ON(ret); /* -ENOMEM */
727 + }
728 + key.offset = start;
729 +@@ -925,7 +933,7 @@ delete_extent_item:
730 + disk_bytenr, num_bytes, 0,
731 + root->root_key.objectid,
732 + key.objectid, key.offset -
733 +- extent_offset, 0);
734 ++ extent_offset);
735 + BUG_ON(ret); /* -ENOMEM */
736 + inode_sub_bytes(inode,
737 + extent_end - key.offset);
738 +@@ -1204,7 +1212,7 @@ again:
739 +
740 + ret = btrfs_inc_extent_ref(trans, root, bytenr, num_bytes, 0,
741 + root->root_key.objectid,
742 +- ino, orig_offset, 1);
743 ++ ino, orig_offset);
744 + BUG_ON(ret); /* -ENOMEM */
745 +
746 + if (split == start) {
747 +@@ -1231,7 +1239,7 @@ again:
748 + del_nr++;
749 + ret = btrfs_free_extent(trans, root, bytenr, num_bytes,
750 + 0, root->root_key.objectid,
751 +- ino, orig_offset, 0);
752 ++ ino, orig_offset);
753 + BUG_ON(ret); /* -ENOMEM */
754 + }
755 + other_start = 0;
756 +@@ -1248,7 +1256,7 @@ again:
757 + del_nr++;
758 + ret = btrfs_free_extent(trans, root, bytenr, num_bytes,
759 + 0, root->root_key.objectid,
760 +- ino, orig_offset, 0);
761 ++ ino, orig_offset);
762 + BUG_ON(ret); /* -ENOMEM */
763 + }
764 + if (del_nr == 0) {
765 +@@ -1868,8 +1876,13 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
766 + struct btrfs_log_ctx ctx;
767 + int ret = 0;
768 + bool full_sync = 0;
769 +- const u64 len = end - start + 1;
770 ++ u64 len;
771 +
772 ++ /*
773 ++ * The range length can be represented by u64, we have to do the typecasts
774 ++ * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync()
775 ++ */
776 ++ len = (u64)end - (u64)start + 1;
777 + trace_btrfs_sync_file(file, datasync);
778 +
779 + /*
780 +@@ -2057,8 +2070,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
781 + }
782 + }
783 + if (!full_sync) {
784 +- ret = btrfs_wait_ordered_range(inode, start,
785 +- end - start + 1);
786 ++ ret = btrfs_wait_ordered_range(inode, start, len);
787 + if (ret) {
788 + btrfs_end_transaction(trans, root);
789 + goto out;
790 +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
791 +index b54e63038b96..9aabff2102f8 100644
792 +--- a/fs/btrfs/inode.c
793 ++++ b/fs/btrfs/inode.c
794 +@@ -1294,8 +1294,14 @@ next_slot:
795 + num_bytes = 0;
796 + btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]);
797 +
798 +- if (found_key.objectid > ino ||
799 +- found_key.type > BTRFS_EXTENT_DATA_KEY ||
800 ++ if (found_key.objectid > ino)
801 ++ break;
802 ++ if (WARN_ON_ONCE(found_key.objectid < ino) ||
803 ++ found_key.type < BTRFS_EXTENT_DATA_KEY) {
804 ++ path->slots[0]++;
805 ++ goto next_slot;
806 ++ }
807 ++ if (found_key.type > BTRFS_EXTENT_DATA_KEY ||
808 + found_key.offset > end)
809 + break;
810 +
811 +@@ -2569,7 +2575,7 @@ again:
812 + ret = btrfs_inc_extent_ref(trans, root, new->bytenr,
813 + new->disk_len, 0,
814 + backref->root_id, backref->inum,
815 +- new->file_pos, 0); /* start - extent_offset */
816 ++ new->file_pos); /* start - extent_offset */
817 + if (ret) {
818 + btrfs_abort_transaction(trans, root, ret);
819 + goto out_free_path;
820 +@@ -4184,6 +4190,47 @@ static int truncate_space_check(struct btrfs_trans_handle *trans,
821 +
822 + }
823 +
824 ++static int truncate_inline_extent(struct inode *inode,
825 ++ struct btrfs_path *path,
826 ++ struct btrfs_key *found_key,
827 ++ const u64 item_end,
828 ++ const u64 new_size)
829 ++{
830 ++ struct extent_buffer *leaf = path->nodes[0];
831 ++ int slot = path->slots[0];
832 ++ struct btrfs_file_extent_item *fi;
833 ++ u32 size = (u32)(new_size - found_key->offset);
834 ++ struct btrfs_root *root = BTRFS_I(inode)->root;
835 ++
836 ++ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);
837 ++
838 ++ if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) {
839 ++ loff_t offset = new_size;
840 ++ loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE);
841 ++
842 ++ /*
843 ++ * Zero out the remaining of the last page of our inline extent,
844 ++ * instead of directly truncating our inline extent here - that
845 ++ * would be much more complex (decompressing all the data, then
846 ++ * compressing the truncated data, which might be bigger than
847 ++ * the size of the inline extent, resize the extent, etc).
848 ++ * We release the path because to get the page we might need to
849 ++ * read the extent item from disk (data not in the page cache).
850 ++ */
851 ++ btrfs_release_path(path);
852 ++ return btrfs_truncate_page(inode, offset, page_end - offset, 0);
853 ++ }
854 ++
855 ++ btrfs_set_file_extent_ram_bytes(leaf, fi, size);
856 ++ size = btrfs_file_extent_calc_inline_size(size);
857 ++ btrfs_truncate_item(root, path, size, 1);
858 ++
859 ++ if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
860 ++ inode_sub_bytes(inode, item_end + 1 - new_size);
861 ++
862 ++ return 0;
863 ++}
864 ++
865 + /*
866 + * this can truncate away extent items, csum items and directory items.
867 + * It starts at a high offset and removes keys until it can't find
868 +@@ -4378,27 +4425,40 @@ search_again:
869 + * special encodings
870 + */
871 + if (!del_item &&
872 +- btrfs_file_extent_compression(leaf, fi) == 0 &&
873 + btrfs_file_extent_encryption(leaf, fi) == 0 &&
874 + btrfs_file_extent_other_encoding(leaf, fi) == 0) {
875 +- u32 size = new_size - found_key.offset;
876 +-
877 +- if (test_bit(BTRFS_ROOT_REF_COWS, &root->state))
878 +- inode_sub_bytes(inode, item_end + 1 -
879 +- new_size);
880 +
881 + /*
882 +- * update the ram bytes to properly reflect
883 +- * the new size of our item
884 ++ * Need to release path in order to truncate a
885 ++ * compressed extent. So delete any accumulated
886 ++ * extent items so far.
887 + */
888 +- btrfs_set_file_extent_ram_bytes(leaf, fi, size);
889 +- size =
890 +- btrfs_file_extent_calc_inline_size(size);
891 +- btrfs_truncate_item(root, path, size, 1);
892 ++ if (btrfs_file_extent_compression(leaf, fi) !=
893 ++ BTRFS_COMPRESS_NONE && pending_del_nr) {
894 ++ err = btrfs_del_items(trans, root, path,
895 ++ pending_del_slot,
896 ++ pending_del_nr);
897 ++ if (err) {
898 ++ btrfs_abort_transaction(trans,
899 ++ root,
900 ++ err);
901 ++ goto error;
902 ++ }
903 ++ pending_del_nr = 0;
904 ++ }
905 ++
906 ++ err = truncate_inline_extent(inode, path,
907 ++ &found_key,
908 ++ item_end,
909 ++ new_size);
910 ++ if (err) {
911 ++ btrfs_abort_transaction(trans,
912 ++ root, err);
913 ++ goto error;
914 ++ }
915 + } else if (test_bit(BTRFS_ROOT_REF_COWS,
916 + &root->state)) {
917 +- inode_sub_bytes(inode, item_end + 1 -
918 +- found_key.offset);
919 ++ inode_sub_bytes(inode, item_end + 1 - new_size);
920 + }
921 + }
922 + delete:
923 +@@ -4428,7 +4488,7 @@ delete:
924 + ret = btrfs_free_extent(trans, root, extent_start,
925 + extent_num_bytes, 0,
926 + btrfs_header_owner(leaf),
927 +- ino, extent_offset, 0);
928 ++ ino, extent_offset);
929 + BUG_ON(ret);
930 + if (btrfs_should_throttle_delayed_refs(trans, root))
931 + btrfs_async_run_delayed_refs(root,
932 +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
933 +index 641d3dc4f31e..be4e53c61dd9 100644
934 +--- a/fs/btrfs/ioctl.c
935 ++++ b/fs/btrfs/ioctl.c
936 +@@ -3195,41 +3195,6 @@ out:
937 + return ret;
938 + }
939 +
940 +-/* Helper to check and see if this root currently has a ref on the given disk
941 +- * bytenr. If it does then we need to update the quota for this root. This
942 +- * doesn't do anything if quotas aren't enabled.
943 +- */
944 +-static int check_ref(struct btrfs_trans_handle *trans, struct btrfs_root *root,
945 +- u64 disko)
946 +-{
947 +- struct seq_list tree_mod_seq_elem = SEQ_LIST_INIT(tree_mod_seq_elem);
948 +- struct ulist *roots;
949 +- struct ulist_iterator uiter;
950 +- struct ulist_node *root_node = NULL;
951 +- int ret;
952 +-
953 +- if (!root->fs_info->quota_enabled)
954 +- return 1;
955 +-
956 +- btrfs_get_tree_mod_seq(root->fs_info, &tree_mod_seq_elem);
957 +- ret = btrfs_find_all_roots(trans, root->fs_info, disko,
958 +- tree_mod_seq_elem.seq, &roots);
959 +- if (ret < 0)
960 +- goto out;
961 +- ret = 0;
962 +- ULIST_ITER_INIT(&uiter);
963 +- while ((root_node = ulist_next(roots, &uiter))) {
964 +- if (root_node->val == root->objectid) {
965 +- ret = 1;
966 +- break;
967 +- }
968 +- }
969 +- ulist_free(roots);
970 +-out:
971 +- btrfs_put_tree_mod_seq(root->fs_info, &tree_mod_seq_elem);
972 +- return ret;
973 +-}
974 +-
975 + static int clone_finish_inode_update(struct btrfs_trans_handle *trans,
976 + struct inode *inode,
977 + u64 endoff,
978 +@@ -3320,6 +3285,150 @@ static void clone_update_extent_map(struct inode *inode,
979 + &BTRFS_I(inode)->runtime_flags);
980 + }
981 +
982 ++/*
983 ++ * Make sure we do not end up inserting an inline extent into a file that has
984 ++ * already other (non-inline) extents. If a file has an inline extent it can
985 ++ * not have any other extents and the (single) inline extent must start at the
986 ++ * file offset 0. Failing to respect these rules will lead to file corruption,
987 ++ * resulting in EIO errors on read/write operations, hitting BUG_ON's in mm, etc
988 ++ *
989 ++ * We can have extents that have been already written to disk or we can have
990 ++ * dirty ranges still in delalloc, in which case the extent maps and items are
991 ++ * created only when we run delalloc, and the delalloc ranges might fall outside
992 ++ * the range we are currently locking in the inode's io tree. So we check the
993 ++ * inode's i_size because of that (i_size updates are done while holding the
994 ++ * i_mutex, which we are holding here).
995 ++ * We also check to see if the inode has a size not greater than "datal" but has
996 ++ * extents beyond it, due to an fallocate with FALLOC_FL_KEEP_SIZE (and we are
997 ++ * protected against such concurrent fallocate calls by the i_mutex).
998 ++ *
999 ++ * If the file has no extents but a size greater than datal, do not allow the
1000 ++ * copy because we would need turn the inline extent into a non-inline one (even
1001 ++ * with NO_HOLES enabled). If we find our destination inode only has one inline
1002 ++ * extent, just overwrite it with the source inline extent if its size is less
1003 ++ * than the source extent's size, or we could copy the source inline extent's
1004 ++ * data into the destination inode's inline extent if the later is greater then
1005 ++ * the former.
1006 ++ */
1007 ++static int clone_copy_inline_extent(struct inode *src,
1008 ++ struct inode *dst,
1009 ++ struct btrfs_trans_handle *trans,
1010 ++ struct btrfs_path *path,
1011 ++ struct btrfs_key *new_key,
1012 ++ const u64 drop_start,
1013 ++ const u64 datal,
1014 ++ const u64 skip,
1015 ++ const u64 size,
1016 ++ char *inline_data)
1017 ++{
1018 ++ struct btrfs_root *root = BTRFS_I(dst)->root;
1019 ++ const u64 aligned_end = ALIGN(new_key->offset + datal,
1020 ++ root->sectorsize);
1021 ++ int ret;
1022 ++ struct btrfs_key key;
1023 ++
1024 ++ if (new_key->offset > 0)
1025 ++ return -EOPNOTSUPP;
1026 ++
1027 ++ key.objectid = btrfs_ino(dst);
1028 ++ key.type = BTRFS_EXTENT_DATA_KEY;
1029 ++ key.offset = 0;
1030 ++ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
1031 ++ if (ret < 0) {
1032 ++ return ret;
1033 ++ } else if (ret > 0) {
1034 ++ if (path->slots[0] >= btrfs_header_nritems(path->nodes[0])) {
1035 ++ ret = btrfs_next_leaf(root, path);
1036 ++ if (ret < 0)
1037 ++ return ret;
1038 ++ else if (ret > 0)
1039 ++ goto copy_inline_extent;
1040 ++ }
1041 ++ btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]);
1042 ++ if (key.objectid == btrfs_ino(dst) &&
1043 ++ key.type == BTRFS_EXTENT_DATA_KEY) {
1044 ++ ASSERT(key.offset > 0);
1045 ++ return -EOPNOTSUPP;
1046 ++ }
1047 ++ } else if (i_size_read(dst) <= datal) {
1048 ++ struct btrfs_file_extent_item *ei;
1049 ++ u64 ext_len;
1050 ++
1051 ++ /*
1052 ++ * If the file size is <= datal, make sure there are no other
1053 ++ * extents following (can happen do to an fallocate call with
1054 ++ * the flag FALLOC_FL_KEEP_SIZE).
1055 ++ */
1056 ++ ei = btrfs_item_ptr(path->nodes[0], path->slots[0],
1057 ++ struct btrfs_file_extent_item);
1058 ++ /*
1059 ++ * If it's an inline extent, it can not have other extents
1060 ++ * following it.
1061 ++ */
1062 ++ if (btrfs_file_extent_type(path->nodes[0], ei) ==
1063 ++ BTRFS_FILE_EXTENT_INLINE)
1064 ++ goto copy_inline_extent;
1065 ++
1066 ++ ext_len = btrfs_file_extent_num_bytes(path->nodes[0], ei);
1067 ++ if (ext_len > aligned_end)
1068 ++ return -EOPNOTSUPP;
1069 ++
1070 ++ ret = btrfs_next_item(root, path);
1071 ++ if (ret < 0) {
1072 ++ return ret;
1073 ++ } else if (ret == 0) {
1074 ++ btrfs_item_key_to_cpu(path->nodes[0], &key,
1075 ++ path->slots[0]);
1076 ++ if (key.objectid == btrfs_ino(dst) &&
1077 ++ key.type == BTRFS_EXTENT_DATA_KEY)
1078 ++ return -EOPNOTSUPP;
1079 ++ }
1080 ++ }
1081 ++
1082 ++copy_inline_extent:
1083 ++ /*
1084 ++ * We have no extent items, or we have an extent at offset 0 which may
1085 ++ * or may not be inlined. All these cases are dealt the same way.
1086 ++ */
1087 ++ if (i_size_read(dst) > datal) {
1088 ++ /*
1089 ++ * If the destination inode has an inline extent...
1090 ++ * This would require copying the data from the source inline
1091 ++ * extent into the beginning of the destination's inline extent.
1092 ++ * But this is really complex, both extents can be compressed
1093 ++ * or just one of them, which would require decompressing and
1094 ++ * re-compressing data (which could increase the new compressed
1095 ++ * size, not allowing the compressed data to fit anymore in an
1096 ++ * inline extent).
1097 ++ * So just don't support this case for now (it should be rare,
1098 ++ * we are not really saving space when cloning inline extents).
1099 ++ */
1100 ++ return -EOPNOTSUPP;
1101 ++ }
1102 ++
1103 ++ btrfs_release_path(path);
1104 ++ ret = btrfs_drop_extents(trans, root, dst, drop_start, aligned_end, 1);
1105 ++ if (ret)
1106 ++ return ret;
1107 ++ ret = btrfs_insert_empty_item(trans, root, path, new_key, size);
1108 ++ if (ret)
1109 ++ return ret;
1110 ++
1111 ++ if (skip) {
1112 ++ const u32 start = btrfs_file_extent_calc_inline_size(0);
1113 ++
1114 ++ memmove(inline_data + start, inline_data + start + skip, datal);
1115 ++ }
1116 ++
1117 ++ write_extent_buffer(path->nodes[0], inline_data,
1118 ++ btrfs_item_ptr_offset(path->nodes[0],
1119 ++ path->slots[0]),
1120 ++ size);
1121 ++ inode_add_bytes(dst, datal);
1122 ++
1123 ++ return 0;
1124 ++}
1125 ++
1126 + /**
1127 + * btrfs_clone() - clone a range from inode file to another
1128 + *
1129 +@@ -3344,9 +3453,7 @@ static int btrfs_clone(struct inode *src, struct inode *inode,
1130 + u32 nritems;
1131 + int slot;
1132 + int ret;
1133 +- int no_quota;
1134 + const u64 len = olen_aligned;
1135 +- u64 last_disko = 0;
1136 + u64 last_dest_end = destoff;
1137 +
1138 + ret = -ENOMEM;
1139 +@@ -3392,7 +3499,6 @@ static int btrfs_clone(struct inode *src, struct inode *inode,
1140 +
1141 + nritems = btrfs_header_nritems(path->nodes[0]);
1142 + process_slot:
1143 +- no_quota = 1;
1144 + if (path->slots[0] >= nritems) {
1145 + ret = btrfs_next_leaf(BTRFS_I(src)->root, path);
1146 + if (ret < 0)
1147 +@@ -3544,35 +3650,13 @@ process_slot:
1148 + btrfs_set_file_extent_num_bytes(leaf, extent,
1149 + datal);
1150 +
1151 +- /*
1152 +- * We need to look up the roots that point at
1153 +- * this bytenr and see if the new root does. If
1154 +- * it does not we need to make sure we update
1155 +- * quotas appropriately.
1156 +- */
1157 +- if (disko && root != BTRFS_I(src)->root &&
1158 +- disko != last_disko) {
1159 +- no_quota = check_ref(trans, root,
1160 +- disko);
1161 +- if (no_quota < 0) {
1162 +- btrfs_abort_transaction(trans,
1163 +- root,
1164 +- ret);
1165 +- btrfs_end_transaction(trans,
1166 +- root);
1167 +- ret = no_quota;
1168 +- goto out;
1169 +- }
1170 +- }
1171 +-
1172 + if (disko) {
1173 + inode_add_bytes(inode, datal);
1174 + ret = btrfs_inc_extent_ref(trans, root,
1175 + disko, diskl, 0,
1176 + root->root_key.objectid,
1177 + btrfs_ino(inode),
1178 +- new_key.offset - datao,
1179 +- no_quota);
1180 ++ new_key.offset - datao);
1181 + if (ret) {
1182 + btrfs_abort_transaction(trans,
1183 + root,
1184 +@@ -3586,21 +3670,6 @@ process_slot:
1185 + } else if (type == BTRFS_FILE_EXTENT_INLINE) {
1186 + u64 skip = 0;
1187 + u64 trim = 0;
1188 +- u64 aligned_end = 0;
1189 +-
1190 +- /*
1191 +- * Don't copy an inline extent into an offset
1192 +- * greater than zero. Having an inline extent
1193 +- * at such an offset results in chaos as btrfs
1194 +- * isn't prepared for such cases. Just skip
1195 +- * this case for the same reasons as commented
1196 +- * at btrfs_ioctl_clone().
1197 +- */
1198 +- if (last_dest_end > 0) {
1199 +- ret = -EOPNOTSUPP;
1200 +- btrfs_end_transaction(trans, root);
1201 +- goto out;
1202 +- }
1203 +
1204 + if (off > key.offset) {
1205 + skip = off - key.offset;
1206 +@@ -3618,42 +3687,22 @@ process_slot:
1207 + size -= skip + trim;
1208 + datal -= skip + trim;
1209 +
1210 +- aligned_end = ALIGN(new_key.offset + datal,
1211 +- root->sectorsize);
1212 +- ret = btrfs_drop_extents(trans, root, inode,
1213 +- drop_start,
1214 +- aligned_end,
1215 +- 1);
1216 ++ ret = clone_copy_inline_extent(src, inode,
1217 ++ trans, path,
1218 ++ &new_key,
1219 ++ drop_start,
1220 ++ datal,
1221 ++ skip, size, buf);
1222 + if (ret) {
1223 + if (ret != -EOPNOTSUPP)
1224 + btrfs_abort_transaction(trans,
1225 +- root, ret);
1226 +- btrfs_end_transaction(trans, root);
1227 +- goto out;
1228 +- }
1229 +-
1230 +- ret = btrfs_insert_empty_item(trans, root, path,
1231 +- &new_key, size);
1232 +- if (ret) {
1233 +- btrfs_abort_transaction(trans, root,
1234 +- ret);
1235 ++ root,
1236 ++ ret);
1237 + btrfs_end_transaction(trans, root);
1238 + goto out;
1239 + }
1240 +-
1241 +- if (skip) {
1242 +- u32 start =
1243 +- btrfs_file_extent_calc_inline_size(0);
1244 +- memmove(buf+start, buf+start+skip,
1245 +- datal);
1246 +- }
1247 +-
1248 + leaf = path->nodes[0];
1249 + slot = path->slots[0];
1250 +- write_extent_buffer(leaf, buf,
1251 +- btrfs_item_ptr_offset(leaf, slot),
1252 +- size);
1253 +- inode_add_bytes(inode, datal);
1254 + }
1255 +
1256 + /* If we have an implicit hole (NO_HOLES feature). */
1257 +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
1258 +index 88cbb5995667..3a828a33cd67 100644
1259 +--- a/fs/btrfs/relocation.c
1260 ++++ b/fs/btrfs/relocation.c
1261 +@@ -1716,7 +1716,7 @@ int replace_file_extents(struct btrfs_trans_handle *trans,
1262 + ret = btrfs_inc_extent_ref(trans, root, new_bytenr,
1263 + num_bytes, parent,
1264 + btrfs_header_owner(leaf),
1265 +- key.objectid, key.offset, 1);
1266 ++ key.objectid, key.offset);
1267 + if (ret) {
1268 + btrfs_abort_transaction(trans, root, ret);
1269 + break;
1270 +@@ -1724,7 +1724,7 @@ int replace_file_extents(struct btrfs_trans_handle *trans,
1271 +
1272 + ret = btrfs_free_extent(trans, root, bytenr, num_bytes,
1273 + parent, btrfs_header_owner(leaf),
1274 +- key.objectid, key.offset, 1);
1275 ++ key.objectid, key.offset);
1276 + if (ret) {
1277 + btrfs_abort_transaction(trans, root, ret);
1278 + break;
1279 +@@ -1900,23 +1900,21 @@ again:
1280 +
1281 + ret = btrfs_inc_extent_ref(trans, src, old_bytenr, blocksize,
1282 + path->nodes[level]->start,
1283 +- src->root_key.objectid, level - 1, 0,
1284 +- 1);
1285 ++ src->root_key.objectid, level - 1, 0);
1286 + BUG_ON(ret);
1287 + ret = btrfs_inc_extent_ref(trans, dest, new_bytenr, blocksize,
1288 + 0, dest->root_key.objectid, level - 1,
1289 +- 0, 1);
1290 ++ 0);
1291 + BUG_ON(ret);
1292 +
1293 + ret = btrfs_free_extent(trans, src, new_bytenr, blocksize,
1294 + path->nodes[level]->start,
1295 +- src->root_key.objectid, level - 1, 0,
1296 +- 1);
1297 ++ src->root_key.objectid, level - 1, 0);
1298 + BUG_ON(ret);
1299 +
1300 + ret = btrfs_free_extent(trans, dest, old_bytenr, blocksize,
1301 + 0, dest->root_key.objectid, level - 1,
1302 +- 0, 1);
1303 ++ 0);
1304 + BUG_ON(ret);
1305 +
1306 + btrfs_unlock_up_safe(path, 0);
1307 +@@ -2746,7 +2744,7 @@ static int do_relocation(struct btrfs_trans_handle *trans,
1308 + node->eb->start, blocksize,
1309 + upper->eb->start,
1310 + btrfs_header_owner(upper->eb),
1311 +- node->level, 0, 1);
1312 ++ node->level, 0);
1313 + BUG_ON(ret);
1314 +
1315 + ret = btrfs_drop_subtree(trans, root, eb, upper->eb);
1316 +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
1317 +index aa72bfd28f7d..890933b61267 100644
1318 +--- a/fs/btrfs/send.c
1319 ++++ b/fs/btrfs/send.c
1320 +@@ -2351,8 +2351,14 @@ static int send_subvol_begin(struct send_ctx *sctx)
1321 + }
1322 +
1323 + TLV_PUT_STRING(sctx, BTRFS_SEND_A_PATH, name, namelen);
1324 +- TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID,
1325 +- sctx->send_root->root_item.uuid);
1326 ++
1327 ++ if (!btrfs_is_empty_uuid(sctx->send_root->root_item.received_uuid))
1328 ++ TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID,
1329 ++ sctx->send_root->root_item.received_uuid);
1330 ++ else
1331 ++ TLV_PUT_UUID(sctx, BTRFS_SEND_A_UUID,
1332 ++ sctx->send_root->root_item.uuid);
1333 ++
1334 + TLV_PUT_U64(sctx, BTRFS_SEND_A_CTRANSID,
1335 + le64_to_cpu(sctx->send_root->root_item.ctransid));
1336 + if (parent_root) {
1337 +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
1338 +index 9c45431e69ab..7639695075dd 100644
1339 +--- a/fs/btrfs/tree-log.c
1340 ++++ b/fs/btrfs/tree-log.c
1341 +@@ -700,7 +700,7 @@ static noinline int replay_one_extent(struct btrfs_trans_handle *trans,
1342 + ret = btrfs_inc_extent_ref(trans, root,
1343 + ins.objectid, ins.offset,
1344 + 0, root->root_key.objectid,
1345 +- key->objectid, offset, 0);
1346 ++ key->objectid, offset);
1347 + if (ret)
1348 + goto out;
1349 + } else {
1350 +diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c
1351 +index 6f518c90e1c1..1fcd7b6e7564 100644
1352 +--- a/fs/btrfs/xattr.c
1353 ++++ b/fs/btrfs/xattr.c
1354 +@@ -313,8 +313,10 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size)
1355 + /* check to make sure this item is what we want */
1356 + if (found_key.objectid != key.objectid)
1357 + break;
1358 +- if (found_key.type != BTRFS_XATTR_ITEM_KEY)
1359 ++ if (found_key.type > BTRFS_XATTR_ITEM_KEY)
1360 + break;
1361 ++ if (found_key.type < BTRFS_XATTR_ITEM_KEY)
1362 ++ goto next;
1363 +
1364 + di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item);
1365 + if (verify_dir_item(root, leaf, di))
1366 +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
1367 +index 6aa07af67603..df45a818c570 100644
1368 +--- a/fs/ceph/mds_client.c
1369 ++++ b/fs/ceph/mds_client.c
1370 +@@ -1935,7 +1935,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
1371 +
1372 + len = sizeof(*head) +
1373 + pathlen1 + pathlen2 + 2*(1 + sizeof(u32) + sizeof(u64)) +
1374 +- sizeof(struct timespec);
1375 ++ sizeof(struct ceph_timespec);
1376 +
1377 + /* calculate (max) length for cap releases */
1378 + len += sizeof(struct ceph_mds_request_release) *
1379 +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
1380 +index c711be8d6a3c..9c8d23316da1 100644
1381 +--- a/fs/debugfs/inode.c
1382 ++++ b/fs/debugfs/inode.c
1383 +@@ -271,8 +271,12 @@ static struct dentry *start_creating(const char *name, struct dentry *parent)
1384 + dput(dentry);
1385 + dentry = ERR_PTR(-EEXIST);
1386 + }
1387 +- if (IS_ERR(dentry))
1388 ++
1389 ++ if (IS_ERR(dentry)) {
1390 + mutex_unlock(&d_inode(parent)->i_mutex);
1391 ++ simple_release_fs(&debugfs_mount, &debugfs_mount_count);
1392 ++ }
1393 ++
1394 + return dentry;
1395 + }
1396 +
1397 +diff --git a/fs/ext4/crypto.c b/fs/ext4/crypto.c
1398 +index 45731558138c..54a5169327a3 100644
1399 +--- a/fs/ext4/crypto.c
1400 ++++ b/fs/ext4/crypto.c
1401 +@@ -296,7 +296,6 @@ static int ext4_page_crypto(struct ext4_crypto_ctx *ctx,
1402 + else
1403 + res = crypto_ablkcipher_encrypt(req);
1404 + if (res == -EINPROGRESS || res == -EBUSY) {
1405 +- BUG_ON(req->base.data != &ecr);
1406 + wait_for_completion(&ecr.completion);
1407 + res = ecr.res;
1408 + }
1409 +diff --git a/fs/ext4/crypto_fname.c b/fs/ext4/crypto_fname.c
1410 +index 7dc4eb55913c..f9d53c2bd756 100644
1411 +--- a/fs/ext4/crypto_fname.c
1412 ++++ b/fs/ext4/crypto_fname.c
1413 +@@ -121,7 +121,6 @@ static int ext4_fname_encrypt(struct inode *inode,
1414 + ablkcipher_request_set_crypt(req, &src_sg, &dst_sg, ciphertext_len, iv);
1415 + res = crypto_ablkcipher_encrypt(req);
1416 + if (res == -EINPROGRESS || res == -EBUSY) {
1417 +- BUG_ON(req->base.data != &ecr);
1418 + wait_for_completion(&ecr.completion);
1419 + res = ecr.res;
1420 + }
1421 +@@ -183,7 +182,6 @@ static int ext4_fname_decrypt(struct inode *inode,
1422 + ablkcipher_request_set_crypt(req, &src_sg, &dst_sg, iname->len, iv);
1423 + res = crypto_ablkcipher_decrypt(req);
1424 + if (res == -EINPROGRESS || res == -EBUSY) {
1425 +- BUG_ON(req->base.data != &ecr);
1426 + wait_for_completion(&ecr.completion);
1427 + res = ecr.res;
1428 + }
1429 +diff --git a/fs/ext4/crypto_key.c b/fs/ext4/crypto_key.c
1430 +index 442d24e8efc0..9bad1132ac8f 100644
1431 +--- a/fs/ext4/crypto_key.c
1432 ++++ b/fs/ext4/crypto_key.c
1433 +@@ -71,7 +71,6 @@ static int ext4_derive_key_aes(char deriving_key[EXT4_AES_128_ECB_KEY_SIZE],
1434 + EXT4_AES_256_XTS_KEY_SIZE, NULL);
1435 + res = crypto_ablkcipher_encrypt(req);
1436 + if (res == -EINPROGRESS || res == -EBUSY) {
1437 +- BUG_ON(req->base.data != &ecr);
1438 + wait_for_completion(&ecr.completion);
1439 + res = ecr.res;
1440 + }
1441 +@@ -208,7 +207,12 @@ retry:
1442 + goto out;
1443 + }
1444 + crypt_info->ci_keyring_key = keyring_key;
1445 +- BUG_ON(keyring_key->type != &key_type_logon);
1446 ++ if (keyring_key->type != &key_type_logon) {
1447 ++ printk_once(KERN_WARNING
1448 ++ "ext4: key type must be logon\n");
1449 ++ res = -ENOKEY;
1450 ++ goto out;
1451 ++ }
1452 + ukp = ((struct user_key_payload *)keyring_key->payload.data);
1453 + if (ukp->datalen != sizeof(struct ext4_encryption_key)) {
1454 + res = -EINVAL;
1455 +@@ -217,7 +221,13 @@ retry:
1456 + master_key = (struct ext4_encryption_key *)ukp->data;
1457 + BUILD_BUG_ON(EXT4_AES_128_ECB_KEY_SIZE !=
1458 + EXT4_KEY_DERIVATION_NONCE_SIZE);
1459 +- BUG_ON(master_key->size != EXT4_AES_256_XTS_KEY_SIZE);
1460 ++ if (master_key->size != EXT4_AES_256_XTS_KEY_SIZE) {
1461 ++ printk_once(KERN_WARNING
1462 ++ "ext4: key size incorrect: %d\n",
1463 ++ master_key->size);
1464 ++ res = -ENOKEY;
1465 ++ goto out;
1466 ++ }
1467 + res = ext4_derive_key_aes(ctx.nonce, master_key->raw,
1468 + raw_key);
1469 + got_key:
1470 +diff --git a/fs/ext4/crypto_policy.c b/fs/ext4/crypto_policy.c
1471 +index 02c4e5df7afb..f92fa93e67f1 100644
1472 +--- a/fs/ext4/crypto_policy.c
1473 ++++ b/fs/ext4/crypto_policy.c
1474 +@@ -137,7 +137,8 @@ int ext4_is_child_context_consistent_with_parent(struct inode *parent,
1475 +
1476 + if ((parent == NULL) || (child == NULL)) {
1477 + pr_err("parent %p child %p\n", parent, child);
1478 +- BUG_ON(1);
1479 ++ WARN_ON(1); /* Should never happen */
1480 ++ return 0;
1481 + }
1482 + /* no restrictions if the parent directory is not encrypted */
1483 + if (!ext4_encrypted_inode(parent))
1484 +diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
1485 +index d41843181818..e770c1ee4613 100644
1486 +--- a/fs/ext4/ext4_jbd2.c
1487 ++++ b/fs/ext4/ext4_jbd2.c
1488 +@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle)
1489 + return 0;
1490 + }
1491 +
1492 ++ err = handle->h_err;
1493 + if (!handle->h_transaction) {
1494 +- err = jbd2_journal_stop(handle);
1495 +- return handle->h_err ? handle->h_err : err;
1496 ++ rc = jbd2_journal_stop(handle);
1497 ++ return err ? err : rc;
1498 + }
1499 +
1500 + sb = handle->h_transaction->t_journal->j_private;
1501 +- err = handle->h_err;
1502 + rc = jbd2_journal_stop(handle);
1503 +
1504 + if (!err)
1505 +diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
1506 +index 5602450f03f6..89e96f99dae7 100644
1507 +--- a/fs/ext4/page-io.c
1508 ++++ b/fs/ext4/page-io.c
1509 +@@ -425,6 +425,7 @@ int ext4_bio_write_page(struct ext4_io_submit *io,
1510 + struct buffer_head *bh, *head;
1511 + int ret = 0;
1512 + int nr_submitted = 0;
1513 ++ int nr_to_submit = 0;
1514 +
1515 + blocksize = 1 << inode->i_blkbits;
1516 +
1517 +@@ -477,11 +478,13 @@ int ext4_bio_write_page(struct ext4_io_submit *io,
1518 + unmap_underlying_metadata(bh->b_bdev, bh->b_blocknr);
1519 + }
1520 + set_buffer_async_write(bh);
1521 ++ nr_to_submit++;
1522 + } while ((bh = bh->b_this_page) != head);
1523 +
1524 + bh = head = page_buffers(page);
1525 +
1526 +- if (ext4_encrypted_inode(inode) && S_ISREG(inode->i_mode)) {
1527 ++ if (ext4_encrypted_inode(inode) && S_ISREG(inode->i_mode) &&
1528 ++ nr_to_submit) {
1529 + data_page = ext4_encrypt(inode, page);
1530 + if (IS_ERR(data_page)) {
1531 + ret = PTR_ERR(data_page);
1532 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
1533 +index a5e8c744e962..bc24d1b44b8f 100644
1534 +--- a/fs/ext4/super.c
1535 ++++ b/fs/ext4/super.c
1536 +@@ -397,9 +397,13 @@ static void ext4_handle_error(struct super_block *sb)
1537 + smp_wmb();
1538 + sb->s_flags |= MS_RDONLY;
1539 + }
1540 +- if (test_opt(sb, ERRORS_PANIC))
1541 ++ if (test_opt(sb, ERRORS_PANIC)) {
1542 ++ if (EXT4_SB(sb)->s_journal &&
1543 ++ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
1544 ++ return;
1545 + panic("EXT4-fs (device %s): panic forced after error\n",
1546 + sb->s_id);
1547 ++ }
1548 + }
1549 +
1550 + #define ext4_error_ratelimit(sb) \
1551 +@@ -588,8 +592,12 @@ void __ext4_abort(struct super_block *sb, const char *function,
1552 + jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO);
1553 + save_error_info(sb, function, line);
1554 + }
1555 +- if (test_opt(sb, ERRORS_PANIC))
1556 ++ if (test_opt(sb, ERRORS_PANIC)) {
1557 ++ if (EXT4_SB(sb)->s_journal &&
1558 ++ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
1559 ++ return;
1560 + panic("EXT4-fs panic from previous error\n");
1561 ++ }
1562 + }
1563 +
1564 + void __ext4_msg(struct super_block *sb,
1565 +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
1566 +index 2721513adb1f..fd2787a39b87 100644
1567 +--- a/fs/jbd2/journal.c
1568 ++++ b/fs/jbd2/journal.c
1569 +@@ -2071,8 +2071,12 @@ static void __journal_abort_soft (journal_t *journal, int errno)
1570 +
1571 + __jbd2_journal_abort_hard(journal);
1572 +
1573 +- if (errno)
1574 ++ if (errno) {
1575 + jbd2_journal_update_sb_errno(journal);
1576 ++ write_lock(&journal->j_state_lock);
1577 ++ journal->j_flags |= JBD2_REC_ERR;
1578 ++ write_unlock(&journal->j_state_lock);
1579 ++ }
1580 + }
1581 +
1582 + /**
1583 +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
1584 +index 4afbe13321cb..f27cc76ed5e6 100644
1585 +--- a/fs/nfs/inode.c
1586 ++++ b/fs/nfs/inode.c
1587 +@@ -1816,7 +1816,11 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
1588 + if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0)
1589 + nfsi->attr_gencount = fattr->gencount;
1590 + }
1591 +- invalid &= ~NFS_INO_INVALID_ATTR;
1592 ++
1593 ++ /* Don't declare attrcache up to date if there were no attrs! */
1594 ++ if (fattr->valid != 0)
1595 ++ invalid &= ~NFS_INO_INVALID_ATTR;
1596 ++
1597 + /* Don't invalidate the data if we were to blame */
1598 + if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)
1599 + || S_ISLNK(inode->i_mode)))
1600 +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
1601 +index 3aa6a9ba5113..199648d5fcc5 100644
1602 +--- a/fs/nfs/nfs4client.c
1603 ++++ b/fs/nfs/nfs4client.c
1604 +@@ -33,7 +33,7 @@ static int nfs_get_cb_ident_idr(struct nfs_client *clp, int minorversion)
1605 + return ret;
1606 + idr_preload(GFP_KERNEL);
1607 + spin_lock(&nn->nfs_client_lock);
1608 +- ret = idr_alloc(&nn->cb_ident_idr, clp, 0, 0, GFP_NOWAIT);
1609 ++ ret = idr_alloc(&nn->cb_ident_idr, clp, 1, 0, GFP_NOWAIT);
1610 + if (ret >= 0)
1611 + clp->cl_cb_ident = ret;
1612 + spin_unlock(&nn->nfs_client_lock);
1613 +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
1614 +index 75189cd34583..5ea13286e2b0 100644
1615 +--- a/fs/nfsd/nfs4state.c
1616 ++++ b/fs/nfsd/nfs4state.c
1617 +@@ -765,16 +765,68 @@ void nfs4_unhash_stid(struct nfs4_stid *s)
1618 + s->sc_type = 0;
1619 + }
1620 +
1621 +-static void
1622 ++/**
1623 ++ * nfs4_get_existing_delegation - Discover if this delegation already exists
1624 ++ * @clp: a pointer to the nfs4_client we're granting a delegation to
1625 ++ * @fp: a pointer to the nfs4_file we're granting a delegation on
1626 ++ *
1627 ++ * Return:
1628 ++ * On success: NULL if an existing delegation was not found.
1629 ++ *
1630 ++ * On error: -EAGAIN if one was previously granted to this nfs4_client
1631 ++ * for this nfs4_file.
1632 ++ *
1633 ++ */
1634 ++
1635 ++static int
1636 ++nfs4_get_existing_delegation(struct nfs4_client *clp, struct nfs4_file *fp)
1637 ++{
1638 ++ struct nfs4_delegation *searchdp = NULL;
1639 ++ struct nfs4_client *searchclp = NULL;
1640 ++
1641 ++ lockdep_assert_held(&state_lock);
1642 ++ lockdep_assert_held(&fp->fi_lock);
1643 ++
1644 ++ list_for_each_entry(searchdp, &fp->fi_delegations, dl_perfile) {
1645 ++ searchclp = searchdp->dl_stid.sc_client;
1646 ++ if (clp == searchclp) {
1647 ++ return -EAGAIN;
1648 ++ }
1649 ++ }
1650 ++ return 0;
1651 ++}
1652 ++
1653 ++/**
1654 ++ * hash_delegation_locked - Add a delegation to the appropriate lists
1655 ++ * @dp: a pointer to the nfs4_delegation we are adding.
1656 ++ * @fp: a pointer to the nfs4_file we're granting a delegation on
1657 ++ *
1658 ++ * Return:
1659 ++ * On success: NULL if the delegation was successfully hashed.
1660 ++ *
1661 ++ * On error: -EAGAIN if one was previously granted to this
1662 ++ * nfs4_client for this nfs4_file. Delegation is not hashed.
1663 ++ *
1664 ++ */
1665 ++
1666 ++static int
1667 + hash_delegation_locked(struct nfs4_delegation *dp, struct nfs4_file *fp)
1668 + {
1669 ++ int status;
1670 ++ struct nfs4_client *clp = dp->dl_stid.sc_client;
1671 ++
1672 + lockdep_assert_held(&state_lock);
1673 + lockdep_assert_held(&fp->fi_lock);
1674 +
1675 ++ status = nfs4_get_existing_delegation(clp, fp);
1676 ++ if (status)
1677 ++ return status;
1678 ++ ++fp->fi_delegees;
1679 + atomic_inc(&dp->dl_stid.sc_count);
1680 + dp->dl_stid.sc_type = NFS4_DELEG_STID;
1681 + list_add(&dp->dl_perfile, &fp->fi_delegations);
1682 +- list_add(&dp->dl_perclnt, &dp->dl_stid.sc_client->cl_delegations);
1683 ++ list_add(&dp->dl_perclnt, &clp->cl_delegations);
1684 ++ return 0;
1685 + }
1686 +
1687 + static bool
1688 +@@ -3351,6 +3403,7 @@ static void init_open_stateid(struct nfs4_ol_stateid *stp, struct nfs4_file *fp,
1689 + stp->st_access_bmap = 0;
1690 + stp->st_deny_bmap = 0;
1691 + stp->st_openstp = NULL;
1692 ++ init_rwsem(&stp->st_rwsem);
1693 + spin_lock(&oo->oo_owner.so_client->cl_lock);
1694 + list_add(&stp->st_perstateowner, &oo->oo_owner.so_stateids);
1695 + spin_lock(&fp->fi_lock);
1696 +@@ -3939,6 +3992,18 @@ static struct file_lock *nfs4_alloc_init_lease(struct nfs4_file *fp, int flag)
1697 + return fl;
1698 + }
1699 +
1700 ++/**
1701 ++ * nfs4_setlease - Obtain a delegation by requesting lease from vfs layer
1702 ++ * @dp: a pointer to the nfs4_delegation we're adding.
1703 ++ *
1704 ++ * Return:
1705 ++ * On success: Return code will be 0 on success.
1706 ++ *
1707 ++ * On error: -EAGAIN if there was an existing delegation.
1708 ++ * nonzero if there is an error in other cases.
1709 ++ *
1710 ++ */
1711 ++
1712 + static int nfs4_setlease(struct nfs4_delegation *dp)
1713 + {
1714 + struct nfs4_file *fp = dp->dl_stid.sc_file;
1715 +@@ -3970,16 +4035,19 @@ static int nfs4_setlease(struct nfs4_delegation *dp)
1716 + goto out_unlock;
1717 + /* Race breaker */
1718 + if (fp->fi_deleg_file) {
1719 +- status = 0;
1720 +- ++fp->fi_delegees;
1721 +- hash_delegation_locked(dp, fp);
1722 ++ status = hash_delegation_locked(dp, fp);
1723 + goto out_unlock;
1724 + }
1725 + fp->fi_deleg_file = filp;
1726 +- fp->fi_delegees = 1;
1727 +- hash_delegation_locked(dp, fp);
1728 ++ fp->fi_delegees = 0;
1729 ++ status = hash_delegation_locked(dp, fp);
1730 + spin_unlock(&fp->fi_lock);
1731 + spin_unlock(&state_lock);
1732 ++ if (status) {
1733 ++ /* Should never happen, this is a new fi_deleg_file */
1734 ++ WARN_ON_ONCE(1);
1735 ++ goto out_fput;
1736 ++ }
1737 + return 0;
1738 + out_unlock:
1739 + spin_unlock(&fp->fi_lock);
1740 +@@ -3999,6 +4067,15 @@ nfs4_set_delegation(struct nfs4_client *clp, struct svc_fh *fh,
1741 + if (fp->fi_had_conflict)
1742 + return ERR_PTR(-EAGAIN);
1743 +
1744 ++ spin_lock(&state_lock);
1745 ++ spin_lock(&fp->fi_lock);
1746 ++ status = nfs4_get_existing_delegation(clp, fp);
1747 ++ spin_unlock(&fp->fi_lock);
1748 ++ spin_unlock(&state_lock);
1749 ++
1750 ++ if (status)
1751 ++ return ERR_PTR(status);
1752 ++
1753 + dp = alloc_init_deleg(clp, fh, odstate);
1754 + if (!dp)
1755 + return ERR_PTR(-ENOMEM);
1756 +@@ -4017,9 +4094,7 @@ nfs4_set_delegation(struct nfs4_client *clp, struct svc_fh *fh,
1757 + status = -EAGAIN;
1758 + goto out_unlock;
1759 + }
1760 +- ++fp->fi_delegees;
1761 +- hash_delegation_locked(dp, fp);
1762 +- status = 0;
1763 ++ status = hash_delegation_locked(dp, fp);
1764 + out_unlock:
1765 + spin_unlock(&fp->fi_lock);
1766 + spin_unlock(&state_lock);
1767 +@@ -4180,15 +4255,20 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf
1768 + */
1769 + if (stp) {
1770 + /* Stateid was found, this is an OPEN upgrade */
1771 ++ down_read(&stp->st_rwsem);
1772 + status = nfs4_upgrade_open(rqstp, fp, current_fh, stp, open);
1773 +- if (status)
1774 ++ if (status) {
1775 ++ up_read(&stp->st_rwsem);
1776 + goto out;
1777 ++ }
1778 + } else {
1779 + stp = open->op_stp;
1780 + open->op_stp = NULL;
1781 + init_open_stateid(stp, fp, open);
1782 ++ down_read(&stp->st_rwsem);
1783 + status = nfs4_get_vfs_file(rqstp, fp, current_fh, stp, open);
1784 + if (status) {
1785 ++ up_read(&stp->st_rwsem);
1786 + release_open_stateid(stp);
1787 + goto out;
1788 + }
1789 +@@ -4200,6 +4280,7 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf
1790 + }
1791 + update_stateid(&stp->st_stid.sc_stateid);
1792 + memcpy(&open->op_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t));
1793 ++ up_read(&stp->st_rwsem);
1794 +
1795 + if (nfsd4_has_session(&resp->cstate)) {
1796 + if (open->op_deleg_want & NFS4_SHARE_WANT_NO_DELEG) {
1797 +@@ -4814,10 +4895,13 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_
1798 + * revoked delegations are kept only for free_stateid.
1799 + */
1800 + return nfserr_bad_stateid;
1801 ++ down_write(&stp->st_rwsem);
1802 + status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
1803 +- if (status)
1804 +- return status;
1805 +- return nfs4_check_fh(current_fh, &stp->st_stid);
1806 ++ if (status == nfs_ok)
1807 ++ status = nfs4_check_fh(current_fh, &stp->st_stid);
1808 ++ if (status != nfs_ok)
1809 ++ up_write(&stp->st_rwsem);
1810 ++ return status;
1811 + }
1812 +
1813 + /*
1814 +@@ -4864,6 +4948,7 @@ static __be32 nfs4_preprocess_confirmed_seqid_op(struct nfsd4_compound_state *cs
1815 + return status;
1816 + oo = openowner(stp->st_stateowner);
1817 + if (!(oo->oo_flags & NFS4_OO_CONFIRMED)) {
1818 ++ up_write(&stp->st_rwsem);
1819 + nfs4_put_stid(&stp->st_stid);
1820 + return nfserr_bad_stateid;
1821 + }
1822 +@@ -4894,11 +4979,14 @@ nfsd4_open_confirm(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
1823 + goto out;
1824 + oo = openowner(stp->st_stateowner);
1825 + status = nfserr_bad_stateid;
1826 +- if (oo->oo_flags & NFS4_OO_CONFIRMED)
1827 ++ if (oo->oo_flags & NFS4_OO_CONFIRMED) {
1828 ++ up_write(&stp->st_rwsem);
1829 + goto put_stateid;
1830 ++ }
1831 + oo->oo_flags |= NFS4_OO_CONFIRMED;
1832 + update_stateid(&stp->st_stid.sc_stateid);
1833 + memcpy(&oc->oc_resp_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t));
1834 ++ up_write(&stp->st_rwsem);
1835 + dprintk("NFSD: %s: success, seqid=%d stateid=" STATEID_FMT "\n",
1836 + __func__, oc->oc_seqid, STATEID_VAL(&stp->st_stid.sc_stateid));
1837 +
1838 +@@ -4977,6 +5065,7 @@ nfsd4_open_downgrade(struct svc_rqst *rqstp,
1839 + memcpy(&od->od_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t));
1840 + status = nfs_ok;
1841 + put_stateid:
1842 ++ up_write(&stp->st_rwsem);
1843 + nfs4_put_stid(&stp->st_stid);
1844 + out:
1845 + nfsd4_bump_seqid(cstate, status);
1846 +@@ -5030,6 +5119,7 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
1847 + goto out;
1848 + update_stateid(&stp->st_stid.sc_stateid);
1849 + memcpy(&close->cl_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t));
1850 ++ up_write(&stp->st_rwsem);
1851 +
1852 + nfsd4_close_open_stateid(stp);
1853 +
1854 +@@ -5260,6 +5350,7 @@ init_lock_stateid(struct nfs4_ol_stateid *stp, struct nfs4_lockowner *lo,
1855 + stp->st_access_bmap = 0;
1856 + stp->st_deny_bmap = open_stp->st_deny_bmap;
1857 + stp->st_openstp = open_stp;
1858 ++ init_rwsem(&stp->st_rwsem);
1859 + list_add(&stp->st_locks, &open_stp->st_locks);
1860 + list_add(&stp->st_perstateowner, &lo->lo_owner.so_stateids);
1861 + spin_lock(&fp->fi_lock);
1862 +@@ -5428,6 +5519,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
1863 + &open_stp, nn);
1864 + if (status)
1865 + goto out;
1866 ++ up_write(&open_stp->st_rwsem);
1867 + open_sop = openowner(open_stp->st_stateowner);
1868 + status = nfserr_bad_stateid;
1869 + if (!same_clid(&open_sop->oo_owner.so_client->cl_clientid,
1870 +@@ -5435,6 +5527,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
1871 + goto out;
1872 + status = lookup_or_create_lock_state(cstate, open_stp, lock,
1873 + &lock_stp, &new);
1874 ++ if (status == nfs_ok)
1875 ++ down_write(&lock_stp->st_rwsem);
1876 + } else {
1877 + status = nfs4_preprocess_seqid_op(cstate,
1878 + lock->lk_old_lock_seqid,
1879 +@@ -5540,6 +5634,8 @@ out:
1880 + seqid_mutating_err(ntohl(status)))
1881 + lock_sop->lo_owner.so_seqid++;
1882 +
1883 ++ up_write(&lock_stp->st_rwsem);
1884 ++
1885 + /*
1886 + * If this is a new, never-before-used stateid, and we are
1887 + * returning an error, then just go ahead and release it.
1888 +@@ -5710,6 +5806,7 @@ nfsd4_locku(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
1889 + fput:
1890 + fput(filp);
1891 + put_stateid:
1892 ++ up_write(&stp->st_rwsem);
1893 + nfs4_put_stid(&stp->st_stid);
1894 + out:
1895 + nfsd4_bump_seqid(cstate, status);
1896 +diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h
1897 +index 4874ce515fc1..fada614d6db1 100644
1898 +--- a/fs/nfsd/state.h
1899 ++++ b/fs/nfsd/state.h
1900 +@@ -534,15 +534,16 @@ struct nfs4_file {
1901 + * Better suggestions welcome.
1902 + */
1903 + struct nfs4_ol_stateid {
1904 +- struct nfs4_stid st_stid; /* must be first field */
1905 +- struct list_head st_perfile;
1906 +- struct list_head st_perstateowner;
1907 +- struct list_head st_locks;
1908 +- struct nfs4_stateowner * st_stateowner;
1909 +- struct nfs4_clnt_odstate * st_clnt_odstate;
1910 +- unsigned char st_access_bmap;
1911 +- unsigned char st_deny_bmap;
1912 +- struct nfs4_ol_stateid * st_openstp;
1913 ++ struct nfs4_stid st_stid;
1914 ++ struct list_head st_perfile;
1915 ++ struct list_head st_perstateowner;
1916 ++ struct list_head st_locks;
1917 ++ struct nfs4_stateowner *st_stateowner;
1918 ++ struct nfs4_clnt_odstate *st_clnt_odstate;
1919 ++ unsigned char st_access_bmap;
1920 ++ unsigned char st_deny_bmap;
1921 ++ struct nfs4_ol_stateid *st_openstp;
1922 ++ struct rw_semaphore st_rwsem;
1923 + };
1924 +
1925 + static inline struct nfs4_ol_stateid *openlockstateid(struct nfs4_stid *s)
1926 +diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c
1927 +index 6e6abb93fda5..ff040125c190 100644
1928 +--- a/fs/ocfs2/namei.c
1929 ++++ b/fs/ocfs2/namei.c
1930 +@@ -365,6 +365,8 @@ static int ocfs2_mknod(struct inode *dir,
1931 + mlog_errno(status);
1932 + goto leave;
1933 + }
1934 ++ /* update inode->i_mode after mask with "umask". */
1935 ++ inode->i_mode = mode;
1936 +
1937 + handle = ocfs2_start_trans(osb, ocfs2_mknod_credits(osb->sb,
1938 + S_ISDIR(mode),
1939 +diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
1940 +index 82806c60aa42..e4b464983322 100644
1941 +--- a/include/linux/ipv6.h
1942 ++++ b/include/linux/ipv6.h
1943 +@@ -224,7 +224,7 @@ struct ipv6_pinfo {
1944 + struct ipv6_ac_socklist *ipv6_ac_list;
1945 + struct ipv6_fl_socklist __rcu *ipv6_fl_list;
1946 +
1947 +- struct ipv6_txoptions *opt;
1948 ++ struct ipv6_txoptions __rcu *opt;
1949 + struct sk_buff *pktoptions;
1950 + struct sk_buff *rxpmtu;
1951 + struct inet6_cork cork;
1952 +diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
1953 +index eb1cebed3f36..c90c9b70e568 100644
1954 +--- a/include/linux/jbd2.h
1955 ++++ b/include/linux/jbd2.h
1956 +@@ -1007,6 +1007,7 @@ struct journal_s
1957 + #define JBD2_ABORT_ON_SYNCDATA_ERR 0x040 /* Abort the journal on file
1958 + * data write error in ordered
1959 + * mode */
1960 ++#define JBD2_REC_ERR 0x080 /* The errno in the sb has been recorded */
1961 +
1962 + /*
1963 + * Function declarations for the journaling transaction and buffer
1964 +diff --git a/include/net/af_unix.h b/include/net/af_unix.h
1965 +index cb1b9bbda332..49c7683e1096 100644
1966 +--- a/include/net/af_unix.h
1967 ++++ b/include/net/af_unix.h
1968 +@@ -62,6 +62,7 @@ struct unix_sock {
1969 + #define UNIX_GC_CANDIDATE 0
1970 + #define UNIX_GC_MAYBE_CYCLE 1
1971 + struct socket_wq peer_wq;
1972 ++ wait_queue_t peer_wake;
1973 + };
1974 +
1975 + static inline struct unix_sock *unix_sk(struct sock *sk)
1976 +diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h
1977 +index 3b76849c190f..75a888c254e4 100644
1978 +--- a/include/net/ip6_fib.h
1979 ++++ b/include/net/ip6_fib.h
1980 +@@ -165,7 +165,8 @@ static inline void rt6_update_expires(struct rt6_info *rt0, int timeout)
1981 +
1982 + static inline u32 rt6_get_cookie(const struct rt6_info *rt)
1983 + {
1984 +- if (rt->rt6i_flags & RTF_PCPU || unlikely(rt->dst.flags & DST_NOCACHE))
1985 ++ if (rt->rt6i_flags & RTF_PCPU ||
1986 ++ (unlikely(rt->dst.flags & DST_NOCACHE) && rt->dst.from))
1987 + rt = (struct rt6_info *)(rt->dst.from);
1988 +
1989 + return rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
1990 +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
1991 +index b8529aa1dae7..b0f7445c0fdc 100644
1992 +--- a/include/net/ip6_tunnel.h
1993 ++++ b/include/net/ip6_tunnel.h
1994 +@@ -83,11 +83,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
1995 + err = ip6_local_out_sk(sk, skb);
1996 +
1997 + if (net_xmit_eval(err) == 0) {
1998 +- struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
1999 ++ struct pcpu_sw_netstats *tstats = get_cpu_ptr(dev->tstats);
2000 + u64_stats_update_begin(&tstats->syncp);
2001 + tstats->tx_bytes += pkt_len;
2002 + tstats->tx_packets++;
2003 + u64_stats_update_end(&tstats->syncp);
2004 ++ put_cpu_ptr(tstats);
2005 + } else {
2006 + stats->tx_errors++;
2007 + stats->tx_aborted_errors++;
2008 +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
2009 +index d8214cb88bbc..9c2897e56ee1 100644
2010 +--- a/include/net/ip_tunnels.h
2011 ++++ b/include/net/ip_tunnels.h
2012 +@@ -207,12 +207,13 @@ static inline void iptunnel_xmit_stats(int err,
2013 + struct pcpu_sw_netstats __percpu *stats)
2014 + {
2015 + if (err > 0) {
2016 +- struct pcpu_sw_netstats *tstats = this_cpu_ptr(stats);
2017 ++ struct pcpu_sw_netstats *tstats = get_cpu_ptr(stats);
2018 +
2019 + u64_stats_update_begin(&tstats->syncp);
2020 + tstats->tx_bytes += err;
2021 + tstats->tx_packets++;
2022 + u64_stats_update_end(&tstats->syncp);
2023 ++ put_cpu_ptr(tstats);
2024 + } else if (err < 0) {
2025 + err_stats->tx_errors++;
2026 + err_stats->tx_aborted_errors++;
2027 +diff --git a/include/net/ipv6.h b/include/net/ipv6.h
2028 +index 82dbdb092a5d..177a89689095 100644
2029 +--- a/include/net/ipv6.h
2030 ++++ b/include/net/ipv6.h
2031 +@@ -205,6 +205,7 @@ extern rwlock_t ip6_ra_lock;
2032 + */
2033 +
2034 + struct ipv6_txoptions {
2035 ++ atomic_t refcnt;
2036 + /* Length of this structure */
2037 + int tot_len;
2038 +
2039 +@@ -217,7 +218,7 @@ struct ipv6_txoptions {
2040 + struct ipv6_opt_hdr *dst0opt;
2041 + struct ipv6_rt_hdr *srcrt; /* Routing Header */
2042 + struct ipv6_opt_hdr *dst1opt;
2043 +-
2044 ++ struct rcu_head rcu;
2045 + /* Option buffer, as read by IPV6_PKTOPTIONS, starts here. */
2046 + };
2047 +
2048 +@@ -252,6 +253,24 @@ struct ipv6_fl_socklist {
2049 + struct rcu_head rcu;
2050 + };
2051 +
2052 ++static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
2053 ++{
2054 ++ struct ipv6_txoptions *opt;
2055 ++
2056 ++ rcu_read_lock();
2057 ++ opt = rcu_dereference(np->opt);
2058 ++ if (opt && !atomic_inc_not_zero(&opt->refcnt))
2059 ++ opt = NULL;
2060 ++ rcu_read_unlock();
2061 ++ return opt;
2062 ++}
2063 ++
2064 ++static inline void txopt_put(struct ipv6_txoptions *opt)
2065 ++{
2066 ++ if (opt && atomic_dec_and_test(&opt->refcnt))
2067 ++ kfree_rcu(opt, rcu);
2068 ++}
2069 ++
2070 + struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label);
2071 + struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space,
2072 + struct ip6_flowlabel *fl,
2073 +@@ -490,6 +509,7 @@ struct ip6_create_arg {
2074 + u32 user;
2075 + const struct in6_addr *src;
2076 + const struct in6_addr *dst;
2077 ++ int iif;
2078 + u8 ecn;
2079 + };
2080 +
2081 +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
2082 +index 2738f6f87908..49dda3835061 100644
2083 +--- a/include/net/sch_generic.h
2084 ++++ b/include/net/sch_generic.h
2085 +@@ -61,6 +61,9 @@ struct Qdisc {
2086 + */
2087 + #define TCQ_F_WARN_NONWC (1 << 16)
2088 + #define TCQ_F_CPUSTATS 0x20 /* run using percpu statistics */
2089 ++#define TCQ_F_NOPARENT 0x40 /* root of its hierarchy :
2090 ++ * qdisc_tree_decrease_qlen() should stop.
2091 ++ */
2092 + u32 limit;
2093 + const struct Qdisc_ops *ops;
2094 + struct qdisc_size_table __rcu *stab;
2095 +diff --git a/include/net/switchdev.h b/include/net/switchdev.h
2096 +index d5671f118bfc..0b9197975603 100644
2097 +--- a/include/net/switchdev.h
2098 ++++ b/include/net/switchdev.h
2099 +@@ -268,7 +268,7 @@ static inline int switchdev_port_fdb_dump(struct sk_buff *skb,
2100 + struct net_device *filter_dev,
2101 + int idx)
2102 + {
2103 +- return -EOPNOTSUPP;
2104 ++ return idx;
2105 + }
2106 +
2107 + #endif
2108 +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
2109 +index cb31229a6fa4..34265a1ddb51 100644
2110 +--- a/kernel/bpf/arraymap.c
2111 ++++ b/kernel/bpf/arraymap.c
2112 +@@ -104,7 +104,7 @@ static int array_map_update_elem(struct bpf_map *map, void *key, void *value,
2113 + /* all elements already exist */
2114 + return -EEXIST;
2115 +
2116 +- memcpy(array->value + array->elem_size * index, value, array->elem_size);
2117 ++ memcpy(array->value + array->elem_size * index, value, map->value_size);
2118 + return 0;
2119 + }
2120 +
2121 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
2122 +index 84195dacb8b6..ecdb1717ef3a 100644
2123 +--- a/net/core/neighbour.c
2124 ++++ b/net/core/neighbour.c
2125 +@@ -2210,7 +2210,7 @@ static int pneigh_fill_info(struct sk_buff *skb, struct pneigh_entry *pn,
2126 + ndm->ndm_pad2 = 0;
2127 + ndm->ndm_flags = pn->flags | NTF_PROXY;
2128 + ndm->ndm_type = RTN_UNICAST;
2129 +- ndm->ndm_ifindex = pn->dev->ifindex;
2130 ++ ndm->ndm_ifindex = pn->dev ? pn->dev->ifindex : 0;
2131 + ndm->ndm_state = NUD_NONE;
2132 +
2133 + if (nla_put(skb, NDA_DST, tbl->key_len, pn->key))
2134 +@@ -2285,7 +2285,7 @@ static int pneigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
2135 + if (h > s_h)
2136 + s_idx = 0;
2137 + for (n = tbl->phash_buckets[h], idx = 0; n; n = n->next) {
2138 +- if (dev_net(n->dev) != net)
2139 ++ if (pneigh_net(n) != net)
2140 + continue;
2141 + if (idx < s_idx)
2142 + goto next;
2143 +diff --git a/net/core/scm.c b/net/core/scm.c
2144 +index 3b6899b7d810..8a1741b14302 100644
2145 +--- a/net/core/scm.c
2146 ++++ b/net/core/scm.c
2147 +@@ -305,6 +305,8 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
2148 + err = put_user(cmlen, &cm->cmsg_len);
2149 + if (!err) {
2150 + cmlen = CMSG_SPACE(i*sizeof(int));
2151 ++ if (msg->msg_controllen < cmlen)
2152 ++ cmlen = msg->msg_controllen;
2153 + msg->msg_control += cmlen;
2154 + msg->msg_controllen -= cmlen;
2155 + }
2156 +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
2157 +index 5165571f397a..a0490508d213 100644
2158 +--- a/net/dccp/ipv6.c
2159 ++++ b/net/dccp/ipv6.c
2160 +@@ -202,7 +202,9 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req)
2161 + security_req_classify_flow(req, flowi6_to_flowi(&fl6));
2162 +
2163 +
2164 +- final_p = fl6_update_dst(&fl6, np->opt, &final);
2165 ++ rcu_read_lock();
2166 ++ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final);
2167 ++ rcu_read_unlock();
2168 +
2169 + dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
2170 + if (IS_ERR(dst)) {
2171 +@@ -219,7 +221,10 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req)
2172 + &ireq->ir_v6_loc_addr,
2173 + &ireq->ir_v6_rmt_addr);
2174 + fl6.daddr = ireq->ir_v6_rmt_addr;
2175 +- err = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
2176 ++ rcu_read_lock();
2177 ++ err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt),
2178 ++ np->tclass);
2179 ++ rcu_read_unlock();
2180 + err = net_xmit_eval(err);
2181 + }
2182 +
2183 +@@ -415,6 +420,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
2184 + {
2185 + struct inet_request_sock *ireq = inet_rsk(req);
2186 + struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
2187 ++ struct ipv6_txoptions *opt;
2188 + struct inet_sock *newinet;
2189 + struct dccp6_sock *newdp6;
2190 + struct sock *newsk;
2191 +@@ -534,13 +540,15 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
2192 + * Yes, keeping reference count would be much more clever, but we make
2193 + * one more one thing there: reattach optmem to newsk.
2194 + */
2195 +- if (np->opt != NULL)
2196 +- newnp->opt = ipv6_dup_options(newsk, np->opt);
2197 +-
2198 ++ opt = rcu_dereference(np->opt);
2199 ++ if (opt) {
2200 ++ opt = ipv6_dup_options(newsk, opt);
2201 ++ RCU_INIT_POINTER(newnp->opt, opt);
2202 ++ }
2203 + inet_csk(newsk)->icsk_ext_hdr_len = 0;
2204 +- if (newnp->opt != NULL)
2205 +- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
2206 +- newnp->opt->opt_flen);
2207 ++ if (opt)
2208 ++ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen +
2209 ++ opt->opt_flen;
2210 +
2211 + dccp_sync_mss(newsk, dst_mtu(dst));
2212 +
2213 +@@ -793,6 +801,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
2214 + struct ipv6_pinfo *np = inet6_sk(sk);
2215 + struct dccp_sock *dp = dccp_sk(sk);
2216 + struct in6_addr *saddr = NULL, *final_p, final;
2217 ++ struct ipv6_txoptions *opt;
2218 + struct flowi6 fl6;
2219 + struct dst_entry *dst;
2220 + int addr_type;
2221 +@@ -892,7 +901,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
2222 + fl6.fl6_sport = inet->inet_sport;
2223 + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
2224 +
2225 +- final_p = fl6_update_dst(&fl6, np->opt, &final);
2226 ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
2227 ++ final_p = fl6_update_dst(&fl6, opt, &final);
2228 +
2229 + dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
2230 + if (IS_ERR(dst)) {
2231 +@@ -912,9 +922,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
2232 + __ip6_dst_store(sk, dst, NULL, NULL);
2233 +
2234 + icsk->icsk_ext_hdr_len = 0;
2235 +- if (np->opt != NULL)
2236 +- icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
2237 +- np->opt->opt_nflen);
2238 ++ if (opt)
2239 ++ icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen;
2240 +
2241 + inet->inet_dport = usin->sin6_port;
2242 +
2243 +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
2244 +index df28693f32e1..c3bfebd501ed 100644
2245 +--- a/net/ipv4/ipmr.c
2246 ++++ b/net/ipv4/ipmr.c
2247 +@@ -134,7 +134,7 @@ static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb,
2248 + struct mfc_cache *c, struct rtmsg *rtm);
2249 + static void mroute_netlink_event(struct mr_table *mrt, struct mfc_cache *mfc,
2250 + int cmd);
2251 +-static void mroute_clean_tables(struct mr_table *mrt);
2252 ++static void mroute_clean_tables(struct mr_table *mrt, bool all);
2253 + static void ipmr_expire_process(unsigned long arg);
2254 +
2255 + #ifdef CONFIG_IP_MROUTE_MULTIPLE_TABLES
2256 +@@ -351,7 +351,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
2257 + static void ipmr_free_table(struct mr_table *mrt)
2258 + {
2259 + del_timer_sync(&mrt->ipmr_expire_timer);
2260 +- mroute_clean_tables(mrt);
2261 ++ mroute_clean_tables(mrt, true);
2262 + kfree(mrt);
2263 + }
2264 +
2265 +@@ -1209,7 +1209,7 @@ static int ipmr_mfc_add(struct net *net, struct mr_table *mrt,
2266 + * Close the multicast socket, and clear the vif tables etc
2267 + */
2268 +
2269 +-static void mroute_clean_tables(struct mr_table *mrt)
2270 ++static void mroute_clean_tables(struct mr_table *mrt, bool all)
2271 + {
2272 + int i;
2273 + LIST_HEAD(list);
2274 +@@ -1218,8 +1218,9 @@ static void mroute_clean_tables(struct mr_table *mrt)
2275 + /* Shut down all active vif entries */
2276 +
2277 + for (i = 0; i < mrt->maxvif; i++) {
2278 +- if (!(mrt->vif_table[i].flags & VIFF_STATIC))
2279 +- vif_delete(mrt, i, 0, &list);
2280 ++ if (!all && (mrt->vif_table[i].flags & VIFF_STATIC))
2281 ++ continue;
2282 ++ vif_delete(mrt, i, 0, &list);
2283 + }
2284 + unregister_netdevice_many(&list);
2285 +
2286 +@@ -1227,7 +1228,7 @@ static void mroute_clean_tables(struct mr_table *mrt)
2287 +
2288 + for (i = 0; i < MFC_LINES; i++) {
2289 + list_for_each_entry_safe(c, next, &mrt->mfc_cache_array[i], list) {
2290 +- if (c->mfc_flags & MFC_STATIC)
2291 ++ if (!all && (c->mfc_flags & MFC_STATIC))
2292 + continue;
2293 + list_del_rcu(&c->list);
2294 + mroute_netlink_event(mrt, c, RTM_DELROUTE);
2295 +@@ -1262,7 +1263,7 @@ static void mrtsock_destruct(struct sock *sk)
2296 + NETCONFA_IFINDEX_ALL,
2297 + net->ipv4.devconf_all);
2298 + RCU_INIT_POINTER(mrt->mroute_sk, NULL);
2299 +- mroute_clean_tables(mrt);
2300 ++ mroute_clean_tables(mrt, false);
2301 + }
2302 + }
2303 + rtnl_unlock();
2304 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
2305 +index 728f5b3d3c64..77730b43469d 100644
2306 +--- a/net/ipv4/tcp_input.c
2307 ++++ b/net/ipv4/tcp_input.c
2308 +@@ -4434,19 +4434,34 @@ static int __must_check tcp_queue_rcv(struct sock *sk, struct sk_buff *skb, int
2309 + int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
2310 + {
2311 + struct sk_buff *skb;
2312 ++ int err = -ENOMEM;
2313 ++ int data_len = 0;
2314 + bool fragstolen;
2315 +
2316 + if (size == 0)
2317 + return 0;
2318 +
2319 +- skb = alloc_skb(size, sk->sk_allocation);
2320 ++ if (size > PAGE_SIZE) {
2321 ++ int npages = min_t(size_t, size >> PAGE_SHIFT, MAX_SKB_FRAGS);
2322 ++
2323 ++ data_len = npages << PAGE_SHIFT;
2324 ++ size = data_len + (size & ~PAGE_MASK);
2325 ++ }
2326 ++ skb = alloc_skb_with_frags(size - data_len, data_len,
2327 ++ PAGE_ALLOC_COSTLY_ORDER,
2328 ++ &err, sk->sk_allocation);
2329 + if (!skb)
2330 + goto err;
2331 +
2332 ++ skb_put(skb, size - data_len);
2333 ++ skb->data_len = data_len;
2334 ++ skb->len = size;
2335 ++
2336 + if (tcp_try_rmem_schedule(sk, skb, skb->truesize))
2337 + goto err_free;
2338 +
2339 +- if (memcpy_from_msg(skb_put(skb, size), msg, size))
2340 ++ err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size);
2341 ++ if (err)
2342 + goto err_free;
2343 +
2344 + TCP_SKB_CB(skb)->seq = tcp_sk(sk)->rcv_nxt;
2345 +@@ -4462,7 +4477,8 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
2346 + err_free:
2347 + kfree_skb(skb);
2348 + err:
2349 +- return -ENOMEM;
2350 ++ return err;
2351 ++
2352 + }
2353 +
2354 + static void tcp_data_queue(struct sock *sk, struct sk_buff *skb)
2355 +@@ -5620,6 +5636,7 @@ discard:
2356 + }
2357 +
2358 + tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
2359 ++ tp->copied_seq = tp->rcv_nxt;
2360 + tp->rcv_wup = TCP_SKB_CB(skb)->seq + 1;
2361 +
2362 + /* RFC1323: The window in SYN & SYN/ACK segments is
2363 +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
2364 +index 0ea2e1c5d395..569c63894472 100644
2365 +--- a/net/ipv4/tcp_ipv4.c
2366 ++++ b/net/ipv4/tcp_ipv4.c
2367 +@@ -922,7 +922,8 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,
2368 + }
2369 +
2370 + md5sig = rcu_dereference_protected(tp->md5sig_info,
2371 +- sock_owned_by_user(sk));
2372 ++ sock_owned_by_user(sk) ||
2373 ++ lockdep_is_held(&sk->sk_lock.slock));
2374 + if (!md5sig) {
2375 + md5sig = kmalloc(sizeof(*md5sig), gfp);
2376 + if (!md5sig)
2377 +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
2378 +index 5b752f58a900..1e63c8fe1db8 100644
2379 +--- a/net/ipv4/tcp_timer.c
2380 ++++ b/net/ipv4/tcp_timer.c
2381 +@@ -176,6 +176,18 @@ static int tcp_write_timeout(struct sock *sk)
2382 + syn_set = true;
2383 + } else {
2384 + if (retransmits_timed_out(sk, sysctl_tcp_retries1, 0, 0)) {
2385 ++ /* Some middle-boxes may black-hole Fast Open _after_
2386 ++ * the handshake. Therefore we conservatively disable
2387 ++ * Fast Open on this path on recurring timeouts with
2388 ++ * few or zero bytes acked after Fast Open.
2389 ++ */
2390 ++ if (tp->syn_data_acked &&
2391 ++ tp->bytes_acked <= tp->rx_opt.mss_clamp) {
2392 ++ tcp_fastopen_cache_set(sk, 0, NULL, true, 0);
2393 ++ if (icsk->icsk_retransmits == sysctl_tcp_retries1)
2394 ++ NET_INC_STATS_BH(sock_net(sk),
2395 ++ LINUX_MIB_TCPFASTOPENACTIVEFAIL);
2396 ++ }
2397 + /* Black hole detection */
2398 + tcp_mtu_probing(icsk, sk);
2399 +
2400 +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
2401 +index 7de52b65173f..d87519efc3bd 100644
2402 +--- a/net/ipv6/af_inet6.c
2403 ++++ b/net/ipv6/af_inet6.c
2404 +@@ -426,9 +426,11 @@ void inet6_destroy_sock(struct sock *sk)
2405 +
2406 + /* Free tx options */
2407 +
2408 +- opt = xchg(&np->opt, NULL);
2409 +- if (opt)
2410 +- sock_kfree_s(sk, opt, opt->tot_len);
2411 ++ opt = xchg((__force struct ipv6_txoptions **)&np->opt, NULL);
2412 ++ if (opt) {
2413 ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
2414 ++ txopt_put(opt);
2415 ++ }
2416 + }
2417 + EXPORT_SYMBOL_GPL(inet6_destroy_sock);
2418 +
2419 +@@ -657,7 +659,10 @@ int inet6_sk_rebuild_header(struct sock *sk)
2420 + fl6.fl6_sport = inet->inet_sport;
2421 + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
2422 +
2423 +- final_p = fl6_update_dst(&fl6, np->opt, &final);
2424 ++ rcu_read_lock();
2425 ++ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt),
2426 ++ &final);
2427 ++ rcu_read_unlock();
2428 +
2429 + dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
2430 + if (IS_ERR(dst)) {
2431 +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
2432 +index b10a88986a98..13ca4cf5616f 100644
2433 +--- a/net/ipv6/datagram.c
2434 ++++ b/net/ipv6/datagram.c
2435 +@@ -167,8 +167,10 @@ ipv4_connected:
2436 +
2437 + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
2438 +
2439 +- opt = flowlabel ? flowlabel->opt : np->opt;
2440 ++ rcu_read_lock();
2441 ++ opt = flowlabel ? flowlabel->opt : rcu_dereference(np->opt);
2442 + final_p = fl6_update_dst(&fl6, opt, &final);
2443 ++ rcu_read_unlock();
2444 +
2445 + dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
2446 + err = 0;
2447 +diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
2448 +index a7bbbe45570b..adbd6958c398 100644
2449 +--- a/net/ipv6/exthdrs.c
2450 ++++ b/net/ipv6/exthdrs.c
2451 +@@ -727,6 +727,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt)
2452 + *((char **)&opt2->dst1opt) += dif;
2453 + if (opt2->srcrt)
2454 + *((char **)&opt2->srcrt) += dif;
2455 ++ atomic_set(&opt2->refcnt, 1);
2456 + }
2457 + return opt2;
2458 + }
2459 +@@ -790,7 +791,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
2460 + return ERR_PTR(-ENOBUFS);
2461 +
2462 + memset(opt2, 0, tot_len);
2463 +-
2464 ++ atomic_set(&opt2->refcnt, 1);
2465 + opt2->tot_len = tot_len;
2466 + p = (char *)(opt2 + 1);
2467 +
2468 +diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
2469 +index 6927f3fb5597..9beed302eb36 100644
2470 +--- a/net/ipv6/inet6_connection_sock.c
2471 ++++ b/net/ipv6/inet6_connection_sock.c
2472 +@@ -77,7 +77,9 @@ struct dst_entry *inet6_csk_route_req(struct sock *sk,
2473 + memset(fl6, 0, sizeof(*fl6));
2474 + fl6->flowi6_proto = IPPROTO_TCP;
2475 + fl6->daddr = ireq->ir_v6_rmt_addr;
2476 +- final_p = fl6_update_dst(fl6, np->opt, &final);
2477 ++ rcu_read_lock();
2478 ++ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
2479 ++ rcu_read_unlock();
2480 + fl6->saddr = ireq->ir_v6_loc_addr;
2481 + fl6->flowi6_oif = ireq->ir_iif;
2482 + fl6->flowi6_mark = ireq->ir_mark;
2483 +@@ -207,7 +209,9 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk,
2484 + fl6->fl6_dport = inet->inet_dport;
2485 + security_sk_classify_flow(sk, flowi6_to_flowi(fl6));
2486 +
2487 +- final_p = fl6_update_dst(fl6, np->opt, &final);
2488 ++ rcu_read_lock();
2489 ++ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
2490 ++ rcu_read_unlock();
2491 +
2492 + dst = __inet6_csk_dst_check(sk, np->dst_cookie);
2493 + if (!dst) {
2494 +@@ -240,7 +244,8 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused
2495 + /* Restore final destination back after routing done */
2496 + fl6.daddr = sk->sk_v6_daddr;
2497 +
2498 +- res = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass);
2499 ++ res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt),
2500 ++ np->tclass);
2501 + rcu_read_unlock();
2502 + return res;
2503 + }
2504 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
2505 +index 5f36266b1f5e..a7aef4b52d65 100644
2506 +--- a/net/ipv6/ip6mr.c
2507 ++++ b/net/ipv6/ip6mr.c
2508 +@@ -118,7 +118,7 @@ static void mr6_netlink_event(struct mr6_table *mrt, struct mfc6_cache *mfc,
2509 + int cmd);
2510 + static int ip6mr_rtm_dumproute(struct sk_buff *skb,
2511 + struct netlink_callback *cb);
2512 +-static void mroute_clean_tables(struct mr6_table *mrt);
2513 ++static void mroute_clean_tables(struct mr6_table *mrt, bool all);
2514 + static void ipmr_expire_process(unsigned long arg);
2515 +
2516 + #ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES
2517 +@@ -335,7 +335,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id)
2518 + static void ip6mr_free_table(struct mr6_table *mrt)
2519 + {
2520 + del_timer_sync(&mrt->ipmr_expire_timer);
2521 +- mroute_clean_tables(mrt);
2522 ++ mroute_clean_tables(mrt, true);
2523 + kfree(mrt);
2524 + }
2525 +
2526 +@@ -1543,7 +1543,7 @@ static int ip6mr_mfc_add(struct net *net, struct mr6_table *mrt,
2527 + * Close the multicast socket, and clear the vif tables etc
2528 + */
2529 +
2530 +-static void mroute_clean_tables(struct mr6_table *mrt)
2531 ++static void mroute_clean_tables(struct mr6_table *mrt, bool all)
2532 + {
2533 + int i;
2534 + LIST_HEAD(list);
2535 +@@ -1553,8 +1553,9 @@ static void mroute_clean_tables(struct mr6_table *mrt)
2536 + * Shut down all active vif entries
2537 + */
2538 + for (i = 0; i < mrt->maxvif; i++) {
2539 +- if (!(mrt->vif6_table[i].flags & VIFF_STATIC))
2540 +- mif6_delete(mrt, i, &list);
2541 ++ if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC))
2542 ++ continue;
2543 ++ mif6_delete(mrt, i, &list);
2544 + }
2545 + unregister_netdevice_many(&list);
2546 +
2547 +@@ -1563,7 +1564,7 @@ static void mroute_clean_tables(struct mr6_table *mrt)
2548 + */
2549 + for (i = 0; i < MFC6_LINES; i++) {
2550 + list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[i], list) {
2551 +- if (c->mfc_flags & MFC_STATIC)
2552 ++ if (!all && (c->mfc_flags & MFC_STATIC))
2553 + continue;
2554 + write_lock_bh(&mrt_lock);
2555 + list_del(&c->list);
2556 +@@ -1626,7 +1627,7 @@ int ip6mr_sk_done(struct sock *sk)
2557 + net->ipv6.devconf_all);
2558 + write_unlock_bh(&mrt_lock);
2559 +
2560 +- mroute_clean_tables(mrt);
2561 ++ mroute_clean_tables(mrt, false);
2562 + err = 0;
2563 + break;
2564 + }
2565 +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
2566 +index 63e6956917c9..4449ad1f8114 100644
2567 +--- a/net/ipv6/ipv6_sockglue.c
2568 ++++ b/net/ipv6/ipv6_sockglue.c
2569 +@@ -111,7 +111,8 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk,
2570 + icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie);
2571 + }
2572 + }
2573 +- opt = xchg(&inet6_sk(sk)->opt, opt);
2574 ++ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt,
2575 ++ opt);
2576 + sk_dst_reset(sk);
2577 +
2578 + return opt;
2579 +@@ -231,9 +232,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
2580 + sk->sk_socket->ops = &inet_dgram_ops;
2581 + sk->sk_family = PF_INET;
2582 + }
2583 +- opt = xchg(&np->opt, NULL);
2584 +- if (opt)
2585 +- sock_kfree_s(sk, opt, opt->tot_len);
2586 ++ opt = xchg((__force struct ipv6_txoptions **)&np->opt,
2587 ++ NULL);
2588 ++ if (opt) {
2589 ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
2590 ++ txopt_put(opt);
2591 ++ }
2592 + pktopt = xchg(&np->pktoptions, NULL);
2593 + kfree_skb(pktopt);
2594 +
2595 +@@ -403,7 +407,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
2596 + if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW))
2597 + break;
2598 +
2599 +- opt = ipv6_renew_options(sk, np->opt, optname,
2600 ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
2601 ++ opt = ipv6_renew_options(sk, opt, optname,
2602 + (struct ipv6_opt_hdr __user *)optval,
2603 + optlen);
2604 + if (IS_ERR(opt)) {
2605 +@@ -432,8 +437,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
2606 + retv = 0;
2607 + opt = ipv6_update_options(sk, opt);
2608 + sticky_done:
2609 +- if (opt)
2610 +- sock_kfree_s(sk, opt, opt->tot_len);
2611 ++ if (opt) {
2612 ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
2613 ++ txopt_put(opt);
2614 ++ }
2615 + break;
2616 + }
2617 +
2618 +@@ -486,6 +493,7 @@ sticky_done:
2619 + break;
2620 +
2621 + memset(opt, 0, sizeof(*opt));
2622 ++ atomic_set(&opt->refcnt, 1);
2623 + opt->tot_len = sizeof(*opt) + optlen;
2624 + retv = -EFAULT;
2625 + if (copy_from_user(opt+1, optval, optlen))
2626 +@@ -502,8 +510,10 @@ update:
2627 + retv = 0;
2628 + opt = ipv6_update_options(sk, opt);
2629 + done:
2630 +- if (opt)
2631 +- sock_kfree_s(sk, opt, opt->tot_len);
2632 ++ if (opt) {
2633 ++ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
2634 ++ txopt_put(opt);
2635 ++ }
2636 + break;
2637 + }
2638 + case IPV6_UNICAST_HOPS:
2639 +@@ -1110,10 +1120,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
2640 + case IPV6_RTHDR:
2641 + case IPV6_DSTOPTS:
2642 + {
2643 ++ struct ipv6_txoptions *opt;
2644 +
2645 + lock_sock(sk);
2646 +- len = ipv6_getsockopt_sticky(sk, np->opt,
2647 +- optname, optval, len);
2648 ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
2649 ++ len = ipv6_getsockopt_sticky(sk, opt, optname, optval, len);
2650 + release_sock(sk);
2651 + /* check if ipv6_getsockopt_sticky() returns err code */
2652 + if (len < 0)
2653 +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
2654 +index 083b2927fc67..41e3b5ee8d0b 100644
2655 +--- a/net/ipv6/mcast.c
2656 ++++ b/net/ipv6/mcast.c
2657 +@@ -1651,7 +1651,6 @@ out:
2658 + if (!err) {
2659 + ICMP6MSGOUT_INC_STATS(net, idev, ICMPV6_MLD2_REPORT);
2660 + ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
2661 +- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, payload_len);
2662 + } else {
2663 + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
2664 + }
2665 +@@ -2014,7 +2013,6 @@ out:
2666 + if (!err) {
2667 + ICMP6MSGOUT_INC_STATS(net, idev, type);
2668 + ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
2669 +- IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, full_len);
2670 + } else
2671 + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
2672 +
2673 +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
2674 +index 6d02498172c1..2a4682c847b0 100644
2675 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
2676 ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
2677 +@@ -190,7 +190,7 @@ static void nf_ct_frag6_expire(unsigned long data)
2678 + /* Creation primitives. */
2679 + static inline struct frag_queue *fq_find(struct net *net, __be32 id,
2680 + u32 user, struct in6_addr *src,
2681 +- struct in6_addr *dst, u8 ecn)
2682 ++ struct in6_addr *dst, int iif, u8 ecn)
2683 + {
2684 + struct inet_frag_queue *q;
2685 + struct ip6_create_arg arg;
2686 +@@ -200,6 +200,7 @@ static inline struct frag_queue *fq_find(struct net *net, __be32 id,
2687 + arg.user = user;
2688 + arg.src = src;
2689 + arg.dst = dst;
2690 ++ arg.iif = iif;
2691 + arg.ecn = ecn;
2692 +
2693 + local_bh_disable();
2694 +@@ -603,7 +604,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
2695 + fhdr = (struct frag_hdr *)skb_transport_header(clone);
2696 +
2697 + fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
2698 +- ip6_frag_ecn(hdr));
2699 ++ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
2700 + if (fq == NULL) {
2701 + pr_debug("Can't find and can't create new queue\n");
2702 + goto ret_orig;
2703 +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
2704 +index ca4700cb26c4..92d532967c90 100644
2705 +--- a/net/ipv6/raw.c
2706 ++++ b/net/ipv6/raw.c
2707 +@@ -731,6 +731,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,
2708 +
2709 + static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
2710 + {
2711 ++ struct ipv6_txoptions *opt_to_free = NULL;
2712 + struct ipv6_txoptions opt_space;
2713 + DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name);
2714 + struct in6_addr *daddr, *final_p, final;
2715 +@@ -837,8 +838,10 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
2716 + if (!(opt->opt_nflen|opt->opt_flen))
2717 + opt = NULL;
2718 + }
2719 +- if (!opt)
2720 +- opt = np->opt;
2721 ++ if (!opt) {
2722 ++ opt = txopt_get(np);
2723 ++ opt_to_free = opt;
2724 ++ }
2725 + if (flowlabel)
2726 + opt = fl6_merge_options(&opt_space, flowlabel, opt);
2727 + opt = ipv6_fixup_options(&opt_space, opt);
2728 +@@ -904,6 +907,7 @@ done:
2729 + dst_release(dst);
2730 + out:
2731 + fl6_sock_release(flowlabel);
2732 ++ txopt_put(opt_to_free);
2733 + return err < 0 ? err : len;
2734 + do_confirm:
2735 + dst_confirm(dst);
2736 +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
2737 +index f1159bb76e0a..04013a910ce5 100644
2738 +--- a/net/ipv6/reassembly.c
2739 ++++ b/net/ipv6/reassembly.c
2740 +@@ -108,7 +108,10 @@ bool ip6_frag_match(const struct inet_frag_queue *q, const void *a)
2741 + return fq->id == arg->id &&
2742 + fq->user == arg->user &&
2743 + ipv6_addr_equal(&fq->saddr, arg->src) &&
2744 +- ipv6_addr_equal(&fq->daddr, arg->dst);
2745 ++ ipv6_addr_equal(&fq->daddr, arg->dst) &&
2746 ++ (arg->iif == fq->iif ||
2747 ++ !(ipv6_addr_type(arg->dst) & (IPV6_ADDR_MULTICAST |
2748 ++ IPV6_ADDR_LINKLOCAL)));
2749 + }
2750 + EXPORT_SYMBOL(ip6_frag_match);
2751 +
2752 +@@ -180,7 +183,7 @@ static void ip6_frag_expire(unsigned long data)
2753 +
2754 + static struct frag_queue *
2755 + fq_find(struct net *net, __be32 id, const struct in6_addr *src,
2756 +- const struct in6_addr *dst, u8 ecn)
2757 ++ const struct in6_addr *dst, int iif, u8 ecn)
2758 + {
2759 + struct inet_frag_queue *q;
2760 + struct ip6_create_arg arg;
2761 +@@ -190,6 +193,7 @@ fq_find(struct net *net, __be32 id, const struct in6_addr *src,
2762 + arg.user = IP6_DEFRAG_LOCAL_DELIVER;
2763 + arg.src = src;
2764 + arg.dst = dst;
2765 ++ arg.iif = iif;
2766 + arg.ecn = ecn;
2767 +
2768 + hash = inet6_hash_frag(id, src, dst);
2769 +@@ -551,7 +555,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
2770 + }
2771 +
2772 + fq = fq_find(net, fhdr->identification, &hdr->saddr, &hdr->daddr,
2773 +- ip6_frag_ecn(hdr));
2774 ++ skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
2775 + if (fq) {
2776 + int ret;
2777 +
2778 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
2779 +index dd6ebba5846c..8478719ef500 100644
2780 +--- a/net/ipv6/route.c
2781 ++++ b/net/ipv6/route.c
2782 +@@ -401,6 +401,14 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
2783 + }
2784 + }
2785 +
2786 ++static bool __rt6_check_expired(const struct rt6_info *rt)
2787 ++{
2788 ++ if (rt->rt6i_flags & RTF_EXPIRES)
2789 ++ return time_after(jiffies, rt->dst.expires);
2790 ++ else
2791 ++ return false;
2792 ++}
2793 ++
2794 + static bool rt6_check_expired(const struct rt6_info *rt)
2795 + {
2796 + if (rt->rt6i_flags & RTF_EXPIRES) {
2797 +@@ -1255,7 +1263,8 @@ static struct dst_entry *rt6_check(struct rt6_info *rt, u32 cookie)
2798 +
2799 + static struct dst_entry *rt6_dst_from_check(struct rt6_info *rt, u32 cookie)
2800 + {
2801 +- if (rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK &&
2802 ++ if (!__rt6_check_expired(rt) &&
2803 ++ rt->dst.obsolete == DST_OBSOLETE_FORCE_CHK &&
2804 + rt6_check((struct rt6_info *)(rt->dst.from), cookie))
2805 + return &rt->dst;
2806 + else
2807 +@@ -1275,7 +1284,8 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie)
2808 +
2809 + rt6_dst_from_metrics_check(rt);
2810 +
2811 +- if ((rt->rt6i_flags & RTF_PCPU) || unlikely(dst->flags & DST_NOCACHE))
2812 ++ if (rt->rt6i_flags & RTF_PCPU ||
2813 ++ (unlikely(dst->flags & DST_NOCACHE) && rt->dst.from))
2814 + return rt6_dst_from_check(rt, cookie);
2815 + else
2816 + return rt6_check(rt, cookie);
2817 +@@ -1326,6 +1336,12 @@ static void rt6_do_update_pmtu(struct rt6_info *rt, u32 mtu)
2818 + rt6_update_expires(rt, net->ipv6.sysctl.ip6_rt_mtu_expires);
2819 + }
2820 +
2821 ++static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt)
2822 ++{
2823 ++ return !(rt->rt6i_flags & RTF_CACHE) &&
2824 ++ (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node);
2825 ++}
2826 ++
2827 + static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
2828 + const struct ipv6hdr *iph, u32 mtu)
2829 + {
2830 +@@ -1339,7 +1355,7 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
2831 + if (mtu >= dst_mtu(dst))
2832 + return;
2833 +
2834 +- if (rt6->rt6i_flags & RTF_CACHE) {
2835 ++ if (!rt6_cache_allowed_for_pmtu(rt6)) {
2836 + rt6_do_update_pmtu(rt6, mtu);
2837 + } else {
2838 + const struct in6_addr *daddr, *saddr;
2839 +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
2840 +index 0909f4e0d53c..f30bfdcdea54 100644
2841 +--- a/net/ipv6/syncookies.c
2842 ++++ b/net/ipv6/syncookies.c
2843 +@@ -225,7 +225,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
2844 + memset(&fl6, 0, sizeof(fl6));
2845 + fl6.flowi6_proto = IPPROTO_TCP;
2846 + fl6.daddr = ireq->ir_v6_rmt_addr;
2847 +- final_p = fl6_update_dst(&fl6, np->opt, &final);
2848 ++ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final);
2849 + fl6.saddr = ireq->ir_v6_loc_addr;
2850 + fl6.flowi6_oif = sk->sk_bound_dev_if;
2851 + fl6.flowi6_mark = ireq->ir_mark;
2852 +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
2853 +index 7a6cea5e4274..45e473ee340b 100644
2854 +--- a/net/ipv6/tcp_ipv6.c
2855 ++++ b/net/ipv6/tcp_ipv6.c
2856 +@@ -120,6 +120,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
2857 + struct ipv6_pinfo *np = inet6_sk(sk);
2858 + struct tcp_sock *tp = tcp_sk(sk);
2859 + struct in6_addr *saddr = NULL, *final_p, final;
2860 ++ struct ipv6_txoptions *opt;
2861 + struct flowi6 fl6;
2862 + struct dst_entry *dst;
2863 + int addr_type;
2864 +@@ -235,7 +236,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
2865 + fl6.fl6_dport = usin->sin6_port;
2866 + fl6.fl6_sport = inet->inet_sport;
2867 +
2868 +- final_p = fl6_update_dst(&fl6, np->opt, &final);
2869 ++ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
2870 ++ final_p = fl6_update_dst(&fl6, opt, &final);
2871 +
2872 + security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
2873 +
2874 +@@ -263,9 +265,9 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
2875 + tcp_fetch_timewait_stamp(sk, dst);
2876 +
2877 + icsk->icsk_ext_hdr_len = 0;
2878 +- if (np->opt)
2879 +- icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
2880 +- np->opt->opt_nflen);
2881 ++ if (opt)
2882 ++ icsk->icsk_ext_hdr_len = opt->opt_flen +
2883 ++ opt->opt_nflen;
2884 +
2885 + tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
2886 +
2887 +@@ -461,7 +463,8 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst,
2888 + fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts));
2889 +
2890 + skb_set_queue_mapping(skb, queue_mapping);
2891 +- err = ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
2892 ++ err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt),
2893 ++ np->tclass);
2894 + err = net_xmit_eval(err);
2895 + }
2896 +
2897 +@@ -991,6 +994,7 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
2898 + struct inet_request_sock *ireq;
2899 + struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
2900 + struct tcp6_sock *newtcp6sk;
2901 ++ struct ipv6_txoptions *opt;
2902 + struct inet_sock *newinet;
2903 + struct tcp_sock *newtp;
2904 + struct sock *newsk;
2905 +@@ -1126,13 +1130,15 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
2906 + but we make one more one thing there: reattach optmem
2907 + to newsk.
2908 + */
2909 +- if (np->opt)
2910 +- newnp->opt = ipv6_dup_options(newsk, np->opt);
2911 +-
2912 ++ opt = rcu_dereference(np->opt);
2913 ++ if (opt) {
2914 ++ opt = ipv6_dup_options(newsk, opt);
2915 ++ RCU_INIT_POINTER(newnp->opt, opt);
2916 ++ }
2917 + inet_csk(newsk)->icsk_ext_hdr_len = 0;
2918 +- if (newnp->opt)
2919 +- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
2920 +- newnp->opt->opt_flen);
2921 ++ if (opt)
2922 ++ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen +
2923 ++ opt->opt_flen;
2924 +
2925 + tcp_ca_openreq_child(newsk, dst);
2926 +
2927 +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
2928 +index e51fc3eee6db..7333f3575fc5 100644
2929 +--- a/net/ipv6/udp.c
2930 ++++ b/net/ipv6/udp.c
2931 +@@ -1107,6 +1107,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
2932 + DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name);
2933 + struct in6_addr *daddr, *final_p, final;
2934 + struct ipv6_txoptions *opt = NULL;
2935 ++ struct ipv6_txoptions *opt_to_free = NULL;
2936 + struct ip6_flowlabel *flowlabel = NULL;
2937 + struct flowi6 fl6;
2938 + struct dst_entry *dst;
2939 +@@ -1260,8 +1261,10 @@ do_udp_sendmsg:
2940 + opt = NULL;
2941 + connected = 0;
2942 + }
2943 +- if (!opt)
2944 +- opt = np->opt;
2945 ++ if (!opt) {
2946 ++ opt = txopt_get(np);
2947 ++ opt_to_free = opt;
2948 ++ }
2949 + if (flowlabel)
2950 + opt = fl6_merge_options(&opt_space, flowlabel, opt);
2951 + opt = ipv6_fixup_options(&opt_space, opt);
2952 +@@ -1370,6 +1373,7 @@ release_dst:
2953 + out:
2954 + dst_release(dst);
2955 + fl6_sock_release(flowlabel);
2956 ++ txopt_put(opt_to_free);
2957 + if (!err)
2958 + return len;
2959 + /*
2960 +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
2961 +index d1ded3777815..0ce9da948ad7 100644
2962 +--- a/net/l2tp/l2tp_ip6.c
2963 ++++ b/net/l2tp/l2tp_ip6.c
2964 +@@ -486,6 +486,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
2965 + DECLARE_SOCKADDR(struct sockaddr_l2tpip6 *, lsa, msg->msg_name);
2966 + struct in6_addr *daddr, *final_p, final;
2967 + struct ipv6_pinfo *np = inet6_sk(sk);
2968 ++ struct ipv6_txoptions *opt_to_free = NULL;
2969 + struct ipv6_txoptions *opt = NULL;
2970 + struct ip6_flowlabel *flowlabel = NULL;
2971 + struct dst_entry *dst = NULL;
2972 +@@ -575,8 +576,10 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
2973 + opt = NULL;
2974 + }
2975 +
2976 +- if (opt == NULL)
2977 +- opt = np->opt;
2978 ++ if (!opt) {
2979 ++ opt = txopt_get(np);
2980 ++ opt_to_free = opt;
2981 ++ }
2982 + if (flowlabel)
2983 + opt = fl6_merge_options(&opt_space, flowlabel, opt);
2984 + opt = ipv6_fixup_options(&opt_space, opt);
2985 +@@ -631,6 +634,7 @@ done:
2986 + dst_release(dst);
2987 + out:
2988 + fl6_sock_release(flowlabel);
2989 ++ txopt_put(opt_to_free);
2990 +
2991 + return err < 0 ? err : len;
2992 +
2993 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
2994 +index 71cb085e16fd..71d671c06952 100644
2995 +--- a/net/packet/af_packet.c
2996 ++++ b/net/packet/af_packet.c
2997 +@@ -1622,6 +1622,20 @@ static void fanout_release(struct sock *sk)
2998 + kfree_rcu(po->rollover, rcu);
2999 + }
3000 +
3001 ++static bool packet_extra_vlan_len_allowed(const struct net_device *dev,
3002 ++ struct sk_buff *skb)
3003 ++{
3004 ++ /* Earlier code assumed this would be a VLAN pkt, double-check
3005 ++ * this now that we have the actual packet in hand. We can only
3006 ++ * do this check on Ethernet devices.
3007 ++ */
3008 ++ if (unlikely(dev->type != ARPHRD_ETHER))
3009 ++ return false;
3010 ++
3011 ++ skb_reset_mac_header(skb);
3012 ++ return likely(eth_hdr(skb)->h_proto == htons(ETH_P_8021Q));
3013 ++}
3014 ++
3015 + static const struct proto_ops packet_ops;
3016 +
3017 + static const struct proto_ops packet_ops_spkt;
3018 +@@ -1783,18 +1797,10 @@ retry:
3019 + goto retry;
3020 + }
3021 +
3022 +- if (len > (dev->mtu + dev->hard_header_len + extra_len)) {
3023 +- /* Earlier code assumed this would be a VLAN pkt,
3024 +- * double-check this now that we have the actual
3025 +- * packet in hand.
3026 +- */
3027 +- struct ethhdr *ehdr;
3028 +- skb_reset_mac_header(skb);
3029 +- ehdr = eth_hdr(skb);
3030 +- if (ehdr->h_proto != htons(ETH_P_8021Q)) {
3031 +- err = -EMSGSIZE;
3032 +- goto out_unlock;
3033 +- }
3034 ++ if (len > (dev->mtu + dev->hard_header_len + extra_len) &&
3035 ++ !packet_extra_vlan_len_allowed(dev, skb)) {
3036 ++ err = -EMSGSIZE;
3037 ++ goto out_unlock;
3038 + }
3039 +
3040 + skb->protocol = proto;
3041 +@@ -2213,6 +2219,15 @@ static bool ll_header_truncated(const struct net_device *dev, int len)
3042 + return false;
3043 + }
3044 +
3045 ++static void tpacket_set_protocol(const struct net_device *dev,
3046 ++ struct sk_buff *skb)
3047 ++{
3048 ++ if (dev->type == ARPHRD_ETHER) {
3049 ++ skb_reset_mac_header(skb);
3050 ++ skb->protocol = eth_hdr(skb)->h_proto;
3051 ++ }
3052 ++}
3053 ++
3054 + static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
3055 + void *frame, struct net_device *dev, int size_max,
3056 + __be16 proto, unsigned char *addr, int hlen)
3057 +@@ -2249,8 +2264,6 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
3058 + skb_reserve(skb, hlen);
3059 + skb_reset_network_header(skb);
3060 +
3061 +- if (!packet_use_direct_xmit(po))
3062 +- skb_probe_transport_header(skb, 0);
3063 + if (unlikely(po->tp_tx_has_off)) {
3064 + int off_min, off_max, off;
3065 + off_min = po->tp_hdrlen - sizeof(struct sockaddr_ll);
3066 +@@ -2296,6 +2309,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
3067 + dev->hard_header_len);
3068 + if (unlikely(err))
3069 + return err;
3070 ++ if (!skb->protocol)
3071 ++ tpacket_set_protocol(dev, skb);
3072 +
3073 + data += dev->hard_header_len;
3074 + to_write -= dev->hard_header_len;
3075 +@@ -2330,6 +2345,8 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
3076 + len = ((to_write > len_max) ? len_max : to_write);
3077 + }
3078 +
3079 ++ skb_probe_transport_header(skb, 0);
3080 ++
3081 + return tp_len;
3082 + }
3083 +
3084 +@@ -2374,12 +2391,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
3085 + if (unlikely(!(dev->flags & IFF_UP)))
3086 + goto out_put;
3087 +
3088 +- reserve = dev->hard_header_len + VLAN_HLEN;
3089 ++ if (po->sk.sk_socket->type == SOCK_RAW)
3090 ++ reserve = dev->hard_header_len;
3091 + size_max = po->tx_ring.frame_size
3092 + - (po->tp_hdrlen - sizeof(struct sockaddr_ll));
3093 +
3094 +- if (size_max > dev->mtu + reserve)
3095 +- size_max = dev->mtu + reserve;
3096 ++ if (size_max > dev->mtu + reserve + VLAN_HLEN)
3097 ++ size_max = dev->mtu + reserve + VLAN_HLEN;
3098 +
3099 + do {
3100 + ph = packet_current_frame(po, &po->tx_ring,
3101 +@@ -2406,18 +2424,10 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
3102 + tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto,
3103 + addr, hlen);
3104 + if (likely(tp_len >= 0) &&
3105 +- tp_len > dev->mtu + dev->hard_header_len) {
3106 +- struct ethhdr *ehdr;
3107 +- /* Earlier code assumed this would be a VLAN pkt,
3108 +- * double-check this now that we have the actual
3109 +- * packet in hand.
3110 +- */
3111 ++ tp_len > dev->mtu + reserve &&
3112 ++ !packet_extra_vlan_len_allowed(dev, skb))
3113 ++ tp_len = -EMSGSIZE;
3114 +
3115 +- skb_reset_mac_header(skb);
3116 +- ehdr = eth_hdr(skb);
3117 +- if (ehdr->h_proto != htons(ETH_P_8021Q))
3118 +- tp_len = -EMSGSIZE;
3119 +- }
3120 + if (unlikely(tp_len < 0)) {
3121 + if (po->tp_loss) {
3122 + __packet_set_status(po, ph,
3123 +@@ -2638,18 +2648,10 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
3124 +
3125 + sock_tx_timestamp(sk, &skb_shinfo(skb)->tx_flags);
3126 +
3127 +- if (!gso_type && (len > dev->mtu + reserve + extra_len)) {
3128 +- /* Earlier code assumed this would be a VLAN pkt,
3129 +- * double-check this now that we have the actual
3130 +- * packet in hand.
3131 +- */
3132 +- struct ethhdr *ehdr;
3133 +- skb_reset_mac_header(skb);
3134 +- ehdr = eth_hdr(skb);
3135 +- if (ehdr->h_proto != htons(ETH_P_8021Q)) {
3136 +- err = -EMSGSIZE;
3137 +- goto out_free;
3138 +- }
3139 ++ if (!gso_type && (len > dev->mtu + reserve + extra_len) &&
3140 ++ !packet_extra_vlan_len_allowed(dev, skb)) {
3141 ++ err = -EMSGSIZE;
3142 ++ goto out_free;
3143 + }
3144 +
3145 + skb->protocol = proto;
3146 +@@ -2680,8 +2682,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
3147 + len += vnet_hdr_len;
3148 + }
3149 +
3150 +- if (!packet_use_direct_xmit(po))
3151 +- skb_probe_transport_header(skb, reserve);
3152 ++ skb_probe_transport_header(skb, reserve);
3153 ++
3154 + if (unlikely(extra_len == 4))
3155 + skb->no_fcs = 1;
3156 +
3157 +diff --git a/net/rds/connection.c b/net/rds/connection.c
3158 +index 9d66705f9d41..da6da57e5f36 100644
3159 +--- a/net/rds/connection.c
3160 ++++ b/net/rds/connection.c
3161 +@@ -187,12 +187,6 @@ new_conn:
3162 + }
3163 + }
3164 +
3165 +- if (trans == NULL) {
3166 +- kmem_cache_free(rds_conn_slab, conn);
3167 +- conn = ERR_PTR(-ENODEV);
3168 +- goto out;
3169 +- }
3170 +-
3171 + conn->c_trans = trans;
3172 +
3173 + ret = trans->conn_alloc(conn, gfp);
3174 +diff --git a/net/rds/send.c b/net/rds/send.c
3175 +index e9430f537f9c..7b30c0f3180d 100644
3176 +--- a/net/rds/send.c
3177 ++++ b/net/rds/send.c
3178 +@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
3179 + release_sock(sk);
3180 + }
3181 +
3182 +- /* racing with another thread binding seems ok here */
3183 ++ lock_sock(sk);
3184 + if (daddr == 0 || rs->rs_bound_addr == 0) {
3185 ++ release_sock(sk);
3186 + ret = -ENOTCONN; /* XXX not a great errno */
3187 + goto out;
3188 + }
3189 ++ release_sock(sk);
3190 +
3191 + /* size of rm including all sgs */
3192 + ret = rds_rm_size(msg, payload_len);
3193 +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
3194 +index f06aa01d60fd..1a0aa2a7cfeb 100644
3195 +--- a/net/sched/sch_api.c
3196 ++++ b/net/sched/sch_api.c
3197 +@@ -253,7 +253,8 @@ int qdisc_set_default(const char *name)
3198 + }
3199 +
3200 + /* We know handle. Find qdisc among all qdisc's attached to device
3201 +- (root qdisc, all its children, children of children etc.)
3202 ++ * (root qdisc, all its children, children of children etc.)
3203 ++ * Note: caller either uses rtnl or rcu_read_lock()
3204 + */
3205 +
3206 + static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle)
3207 +@@ -264,7 +265,7 @@ static struct Qdisc *qdisc_match_from_root(struct Qdisc *root, u32 handle)
3208 + root->handle == handle)
3209 + return root;
3210 +
3211 +- list_for_each_entry(q, &root->list, list) {
3212 ++ list_for_each_entry_rcu(q, &root->list, list) {
3213 + if (q->handle == handle)
3214 + return q;
3215 + }
3216 +@@ -277,15 +278,18 @@ void qdisc_list_add(struct Qdisc *q)
3217 + struct Qdisc *root = qdisc_dev(q)->qdisc;
3218 +
3219 + WARN_ON_ONCE(root == &noop_qdisc);
3220 +- list_add_tail(&q->list, &root->list);
3221 ++ ASSERT_RTNL();
3222 ++ list_add_tail_rcu(&q->list, &root->list);
3223 + }
3224 + }
3225 + EXPORT_SYMBOL(qdisc_list_add);
3226 +
3227 + void qdisc_list_del(struct Qdisc *q)
3228 + {
3229 +- if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS))
3230 +- list_del(&q->list);
3231 ++ if ((q->parent != TC_H_ROOT) && !(q->flags & TCQ_F_INGRESS)) {
3232 ++ ASSERT_RTNL();
3233 ++ list_del_rcu(&q->list);
3234 ++ }
3235 + }
3236 + EXPORT_SYMBOL(qdisc_list_del);
3237 +
3238 +@@ -750,14 +754,18 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n)
3239 + if (n == 0)
3240 + return;
3241 + drops = max_t(int, n, 0);
3242 ++ rcu_read_lock();
3243 + while ((parentid = sch->parent)) {
3244 + if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS))
3245 +- return;
3246 ++ break;
3247 +
3248 ++ if (sch->flags & TCQ_F_NOPARENT)
3249 ++ break;
3250 ++ /* TODO: perform the search on a per txq basis */
3251 + sch = qdisc_lookup(qdisc_dev(sch), TC_H_MAJ(parentid));
3252 + if (sch == NULL) {
3253 +- WARN_ON(parentid != TC_H_ROOT);
3254 +- return;
3255 ++ WARN_ON_ONCE(parentid != TC_H_ROOT);
3256 ++ break;
3257 + }
3258 + cops = sch->ops->cl_ops;
3259 + if (cops->qlen_notify) {
3260 +@@ -768,6 +776,7 @@ void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n)
3261 + sch->q.qlen -= n;
3262 + __qdisc_qstats_drop(sch, drops);
3263 + }
3264 ++ rcu_read_unlock();
3265 + }
3266 + EXPORT_SYMBOL(qdisc_tree_decrease_qlen);
3267 +
3268 +@@ -941,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue,
3269 + }
3270 + lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock);
3271 + if (!netif_is_multiqueue(dev))
3272 +- sch->flags |= TCQ_F_ONETXQUEUE;
3273 ++ sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3274 + }
3275 +
3276 + sch->handle = handle;
3277 +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
3278 +index 6efca30894aa..b453270be3fd 100644
3279 +--- a/net/sched/sch_generic.c
3280 ++++ b/net/sched/sch_generic.c
3281 +@@ -743,7 +743,7 @@ static void attach_one_default_qdisc(struct net_device *dev,
3282 + return;
3283 + }
3284 + if (!netif_is_multiqueue(dev))
3285 +- qdisc->flags |= TCQ_F_ONETXQUEUE;
3286 ++ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3287 + }
3288 + dev_queue->qdisc_sleeping = qdisc;
3289 + }
3290 +diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c
3291 +index f3cbaecd283a..3e82f047caaf 100644
3292 +--- a/net/sched/sch_mq.c
3293 ++++ b/net/sched/sch_mq.c
3294 +@@ -63,7 +63,7 @@ static int mq_init(struct Qdisc *sch, struct nlattr *opt)
3295 + if (qdisc == NULL)
3296 + goto err;
3297 + priv->qdiscs[ntx] = qdisc;
3298 +- qdisc->flags |= TCQ_F_ONETXQUEUE;
3299 ++ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3300 + }
3301 +
3302 + sch->flags |= TCQ_F_MQROOT;
3303 +@@ -156,7 +156,7 @@ static int mq_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new,
3304 +
3305 + *old = dev_graft_qdisc(dev_queue, new);
3306 + if (new)
3307 +- new->flags |= TCQ_F_ONETXQUEUE;
3308 ++ new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3309 + if (dev->flags & IFF_UP)
3310 + dev_activate(dev);
3311 + return 0;
3312 +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c
3313 +index 3811a745452c..ad70ecf57ce7 100644
3314 +--- a/net/sched/sch_mqprio.c
3315 ++++ b/net/sched/sch_mqprio.c
3316 +@@ -132,7 +132,7 @@ static int mqprio_init(struct Qdisc *sch, struct nlattr *opt)
3317 + goto err;
3318 + }
3319 + priv->qdiscs[i] = qdisc;
3320 +- qdisc->flags |= TCQ_F_ONETXQUEUE;
3321 ++ qdisc->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3322 + }
3323 +
3324 + /* If the mqprio options indicate that hardware should own
3325 +@@ -209,7 +209,7 @@ static int mqprio_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new,
3326 + *old = dev_graft_qdisc(dev_queue, new);
3327 +
3328 + if (new)
3329 +- new->flags |= TCQ_F_ONETXQUEUE;
3330 ++ new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
3331 +
3332 + if (dev->flags & IFF_UP)
3333 + dev_activate(dev);
3334 +diff --git a/net/sctp/auth.c b/net/sctp/auth.c
3335 +index 4f15b7d730e1..1543e39f47c3 100644
3336 +--- a/net/sctp/auth.c
3337 ++++ b/net/sctp/auth.c
3338 +@@ -809,8 +809,8 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
3339 + if (!has_sha1)
3340 + return -EINVAL;
3341 +
3342 +- memcpy(ep->auth_hmacs_list->hmac_ids, &hmacs->shmac_idents[0],
3343 +- hmacs->shmac_num_idents * sizeof(__u16));
3344 ++ for (i = 0; i < hmacs->shmac_num_idents; i++)
3345 ++ ep->auth_hmacs_list->hmac_ids[i] = htons(hmacs->shmac_idents[i]);
3346 + ep->auth_hmacs_list->param_hdr.length = htons(sizeof(sctp_paramhdr_t) +
3347 + hmacs->shmac_num_idents * sizeof(__u16));
3348 + return 0;
3349 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
3350 +index 17bef01b9aa3..3ec88be0faec 100644
3351 +--- a/net/sctp/socket.c
3352 ++++ b/net/sctp/socket.c
3353 +@@ -7375,6 +7375,13 @@ struct proto sctp_prot = {
3354 +
3355 + #if IS_ENABLED(CONFIG_IPV6)
3356 +
3357 ++#include <net/transp_v6.h>
3358 ++static void sctp_v6_destroy_sock(struct sock *sk)
3359 ++{
3360 ++ sctp_destroy_sock(sk);
3361 ++ inet6_destroy_sock(sk);
3362 ++}
3363 ++
3364 + struct proto sctpv6_prot = {
3365 + .name = "SCTPv6",
3366 + .owner = THIS_MODULE,
3367 +@@ -7384,7 +7391,7 @@ struct proto sctpv6_prot = {
3368 + .accept = sctp_accept,
3369 + .ioctl = sctp_ioctl,
3370 + .init = sctp_init_sock,
3371 +- .destroy = sctp_destroy_sock,
3372 ++ .destroy = sctp_v6_destroy_sock,
3373 + .shutdown = sctp_shutdown,
3374 + .setsockopt = sctp_setsockopt,
3375 + .getsockopt = sctp_getsockopt,
3376 +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
3377 +index 94f658235fb4..128b0982c96b 100644
3378 +--- a/net/unix/af_unix.c
3379 ++++ b/net/unix/af_unix.c
3380 +@@ -326,6 +326,118 @@ found:
3381 + return s;
3382 + }
3383 +
3384 ++/* Support code for asymmetrically connected dgram sockets
3385 ++ *
3386 ++ * If a datagram socket is connected to a socket not itself connected
3387 ++ * to the first socket (eg, /dev/log), clients may only enqueue more
3388 ++ * messages if the present receive queue of the server socket is not
3389 ++ * "too large". This means there's a second writeability condition
3390 ++ * poll and sendmsg need to test. The dgram recv code will do a wake
3391 ++ * up on the peer_wait wait queue of a socket upon reception of a
3392 ++ * datagram which needs to be propagated to sleeping would-be writers
3393 ++ * since these might not have sent anything so far. This can't be
3394 ++ * accomplished via poll_wait because the lifetime of the server
3395 ++ * socket might be less than that of its clients if these break their
3396 ++ * association with it or if the server socket is closed while clients
3397 ++ * are still connected to it and there's no way to inform "a polling
3398 ++ * implementation" that it should let go of a certain wait queue
3399 ++ *
3400 ++ * In order to propagate a wake up, a wait_queue_t of the client
3401 ++ * socket is enqueued on the peer_wait queue of the server socket
3402 ++ * whose wake function does a wake_up on the ordinary client socket
3403 ++ * wait queue. This connection is established whenever a write (or
3404 ++ * poll for write) hit the flow control condition and broken when the
3405 ++ * association to the server socket is dissolved or after a wake up
3406 ++ * was relayed.
3407 ++ */
3408 ++
3409 ++static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags,
3410 ++ void *key)
3411 ++{
3412 ++ struct unix_sock *u;
3413 ++ wait_queue_head_t *u_sleep;
3414 ++
3415 ++ u = container_of(q, struct unix_sock, peer_wake);
3416 ++
3417 ++ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
3418 ++ q);
3419 ++ u->peer_wake.private = NULL;
3420 ++
3421 ++ /* relaying can only happen while the wq still exists */
3422 ++ u_sleep = sk_sleep(&u->sk);
3423 ++ if (u_sleep)
3424 ++ wake_up_interruptible_poll(u_sleep, key);
3425 ++
3426 ++ return 0;
3427 ++}
3428 ++
3429 ++static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
3430 ++{
3431 ++ struct unix_sock *u, *u_other;
3432 ++ int rc;
3433 ++
3434 ++ u = unix_sk(sk);
3435 ++ u_other = unix_sk(other);
3436 ++ rc = 0;
3437 ++ spin_lock(&u_other->peer_wait.lock);
3438 ++
3439 ++ if (!u->peer_wake.private) {
3440 ++ u->peer_wake.private = other;
3441 ++ __add_wait_queue(&u_other->peer_wait, &u->peer_wake);
3442 ++
3443 ++ rc = 1;
3444 ++ }
3445 ++
3446 ++ spin_unlock(&u_other->peer_wait.lock);
3447 ++ return rc;
3448 ++}
3449 ++
3450 ++static void unix_dgram_peer_wake_disconnect(struct sock *sk,
3451 ++ struct sock *other)
3452 ++{
3453 ++ struct unix_sock *u, *u_other;
3454 ++
3455 ++ u = unix_sk(sk);
3456 ++ u_other = unix_sk(other);
3457 ++ spin_lock(&u_other->peer_wait.lock);
3458 ++
3459 ++ if (u->peer_wake.private == other) {
3460 ++ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
3461 ++ u->peer_wake.private = NULL;
3462 ++ }
3463 ++
3464 ++ spin_unlock(&u_other->peer_wait.lock);
3465 ++}
3466 ++
3467 ++static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
3468 ++ struct sock *other)
3469 ++{
3470 ++ unix_dgram_peer_wake_disconnect(sk, other);
3471 ++ wake_up_interruptible_poll(sk_sleep(sk),
3472 ++ POLLOUT |
3473 ++ POLLWRNORM |
3474 ++ POLLWRBAND);
3475 ++}
3476 ++
3477 ++/* preconditions:
3478 ++ * - unix_peer(sk) == other
3479 ++ * - association is stable
3480 ++ */
3481 ++static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
3482 ++{
3483 ++ int connected;
3484 ++
3485 ++ connected = unix_dgram_peer_wake_connect(sk, other);
3486 ++
3487 ++ if (unix_recvq_full(other))
3488 ++ return 1;
3489 ++
3490 ++ if (connected)
3491 ++ unix_dgram_peer_wake_disconnect(sk, other);
3492 ++
3493 ++ return 0;
3494 ++}
3495 ++
3496 + static inline int unix_writable(struct sock *sk)
3497 + {
3498 + return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
3499 +@@ -430,6 +542,8 @@ static void unix_release_sock(struct sock *sk, int embrion)
3500 + skpair->sk_state_change(skpair);
3501 + sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
3502 + }
3503 ++
3504 ++ unix_dgram_peer_wake_disconnect(sk, skpair);
3505 + sock_put(skpair); /* It may now die */
3506 + unix_peer(sk) = NULL;
3507 + }
3508 +@@ -440,6 +554,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
3509 + if (state == TCP_LISTEN)
3510 + unix_release_sock(skb->sk, 1);
3511 + /* passed fds are erased in the kfree_skb hook */
3512 ++ UNIXCB(skb).consumed = skb->len;
3513 + kfree_skb(skb);
3514 + }
3515 +
3516 +@@ -664,6 +779,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern)
3517 + INIT_LIST_HEAD(&u->link);
3518 + mutex_init(&u->readlock); /* single task reading lock */
3519 + init_waitqueue_head(&u->peer_wait);
3520 ++ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
3521 + unix_insert_socket(unix_sockets_unbound(sk), sk);
3522 + out:
3523 + if (sk == NULL)
3524 +@@ -1031,6 +1147,8 @@ restart:
3525 + if (unix_peer(sk)) {
3526 + struct sock *old_peer = unix_peer(sk);
3527 + unix_peer(sk) = other;
3528 ++ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
3529 ++
3530 + unix_state_double_unlock(sk, other);
3531 +
3532 + if (other != old_peer)
3533 +@@ -1432,6 +1550,14 @@ static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool sen
3534 + return err;
3535 + }
3536 +
3537 ++static bool unix_passcred_enabled(const struct socket *sock,
3538 ++ const struct sock *other)
3539 ++{
3540 ++ return test_bit(SOCK_PASSCRED, &sock->flags) ||
3541 ++ !other->sk_socket ||
3542 ++ test_bit(SOCK_PASSCRED, &other->sk_socket->flags);
3543 ++}
3544 ++
3545 + /*
3546 + * Some apps rely on write() giving SCM_CREDENTIALS
3547 + * We include credentials if source or destination socket
3548 +@@ -1442,14 +1568,41 @@ static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock,
3549 + {
3550 + if (UNIXCB(skb).pid)
3551 + return;
3552 +- if (test_bit(SOCK_PASSCRED, &sock->flags) ||
3553 +- !other->sk_socket ||
3554 +- test_bit(SOCK_PASSCRED, &other->sk_socket->flags)) {
3555 ++ if (unix_passcred_enabled(sock, other)) {
3556 + UNIXCB(skb).pid = get_pid(task_tgid(current));
3557 + current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
3558 + }
3559 + }
3560 +
3561 ++static int maybe_init_creds(struct scm_cookie *scm,
3562 ++ struct socket *socket,
3563 ++ const struct sock *other)
3564 ++{
3565 ++ int err;
3566 ++ struct msghdr msg = { .msg_controllen = 0 };
3567 ++
3568 ++ err = scm_send(socket, &msg, scm, false);
3569 ++ if (err)
3570 ++ return err;
3571 ++
3572 ++ if (unix_passcred_enabled(socket, other)) {
3573 ++ scm->pid = get_pid(task_tgid(current));
3574 ++ current_uid_gid(&scm->creds.uid, &scm->creds.gid);
3575 ++ }
3576 ++ return err;
3577 ++}
3578 ++
3579 ++static bool unix_skb_scm_eq(struct sk_buff *skb,
3580 ++ struct scm_cookie *scm)
3581 ++{
3582 ++ const struct unix_skb_parms *u = &UNIXCB(skb);
3583 ++
3584 ++ return u->pid == scm->pid &&
3585 ++ uid_eq(u->uid, scm->creds.uid) &&
3586 ++ gid_eq(u->gid, scm->creds.gid) &&
3587 ++ unix_secdata_eq(scm, skb);
3588 ++}
3589 ++
3590 + /*
3591 + * Send AF_UNIX data.
3592 + */
3593 +@@ -1470,6 +1623,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
3594 + struct scm_cookie scm;
3595 + int max_level;
3596 + int data_len = 0;
3597 ++ int sk_locked;
3598 +
3599 + wait_for_unix_gc();
3600 + err = scm_send(sock, msg, &scm, false);
3601 +@@ -1548,12 +1702,14 @@ restart:
3602 + goto out_free;
3603 + }
3604 +
3605 ++ sk_locked = 0;
3606 + unix_state_lock(other);
3607 ++restart_locked:
3608 + err = -EPERM;
3609 + if (!unix_may_send(sk, other))
3610 + goto out_unlock;
3611 +
3612 +- if (sock_flag(other, SOCK_DEAD)) {
3613 ++ if (unlikely(sock_flag(other, SOCK_DEAD))) {
3614 + /*
3615 + * Check with 1003.1g - what should
3616 + * datagram error
3617 +@@ -1561,10 +1717,14 @@ restart:
3618 + unix_state_unlock(other);
3619 + sock_put(other);
3620 +
3621 ++ if (!sk_locked)
3622 ++ unix_state_lock(sk);
3623 ++
3624 + err = 0;
3625 +- unix_state_lock(sk);
3626 + if (unix_peer(sk) == other) {
3627 + unix_peer(sk) = NULL;
3628 ++ unix_dgram_peer_wake_disconnect_wakeup(sk, other);
3629 ++
3630 + unix_state_unlock(sk);
3631 +
3632 + unix_dgram_disconnected(sk, other);
3633 +@@ -1590,21 +1750,38 @@ restart:
3634 + goto out_unlock;
3635 + }
3636 +
3637 +- if (unix_peer(other) != sk && unix_recvq_full(other)) {
3638 +- if (!timeo) {
3639 +- err = -EAGAIN;
3640 +- goto out_unlock;
3641 ++ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
3642 ++ if (timeo) {
3643 ++ timeo = unix_wait_for_peer(other, timeo);
3644 ++
3645 ++ err = sock_intr_errno(timeo);
3646 ++ if (signal_pending(current))
3647 ++ goto out_free;
3648 ++
3649 ++ goto restart;
3650 + }
3651 +
3652 +- timeo = unix_wait_for_peer(other, timeo);
3653 ++ if (!sk_locked) {
3654 ++ unix_state_unlock(other);
3655 ++ unix_state_double_lock(sk, other);
3656 ++ }
3657 +
3658 +- err = sock_intr_errno(timeo);
3659 +- if (signal_pending(current))
3660 +- goto out_free;
3661 ++ if (unix_peer(sk) != other ||
3662 ++ unix_dgram_peer_wake_me(sk, other)) {
3663 ++ err = -EAGAIN;
3664 ++ sk_locked = 1;
3665 ++ goto out_unlock;
3666 ++ }
3667 +
3668 +- goto restart;
3669 ++ if (!sk_locked) {
3670 ++ sk_locked = 1;
3671 ++ goto restart_locked;
3672 ++ }
3673 + }
3674 +
3675 ++ if (unlikely(sk_locked))
3676 ++ unix_state_unlock(sk);
3677 ++
3678 + if (sock_flag(other, SOCK_RCVTSTAMP))
3679 + __net_timestamp(skb);
3680 + maybe_add_creds(skb, sock, other);
3681 +@@ -1618,6 +1795,8 @@ restart:
3682 + return len;
3683 +
3684 + out_unlock:
3685 ++ if (sk_locked)
3686 ++ unix_state_unlock(sk);
3687 + unix_state_unlock(other);
3688 + out_free:
3689 + kfree_skb(skb);
3690 +@@ -1739,8 +1918,10 @@ out_err:
3691 + static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page,
3692 + int offset, size_t size, int flags)
3693 + {
3694 +- int err = 0;
3695 +- bool send_sigpipe = true;
3696 ++ int err;
3697 ++ bool send_sigpipe = false;
3698 ++ bool init_scm = true;
3699 ++ struct scm_cookie scm;
3700 + struct sock *other, *sk = socket->sk;
3701 + struct sk_buff *skb, *newskb = NULL, *tail = NULL;
3702 +
3703 +@@ -1758,7 +1939,7 @@ alloc_skb:
3704 + newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
3705 + &err, 0);
3706 + if (!newskb)
3707 +- return err;
3708 ++ goto err;
3709 + }
3710 +
3711 + /* we must acquire readlock as we modify already present
3712 +@@ -1767,12 +1948,12 @@ alloc_skb:
3713 + err = mutex_lock_interruptible(&unix_sk(other)->readlock);
3714 + if (err) {
3715 + err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS;
3716 +- send_sigpipe = false;
3717 + goto err;
3718 + }
3719 +
3720 + if (sk->sk_shutdown & SEND_SHUTDOWN) {
3721 + err = -EPIPE;
3722 ++ send_sigpipe = true;
3723 + goto err_unlock;
3724 + }
3725 +
3726 +@@ -1781,23 +1962,34 @@ alloc_skb:
3727 + if (sock_flag(other, SOCK_DEAD) ||
3728 + other->sk_shutdown & RCV_SHUTDOWN) {
3729 + err = -EPIPE;
3730 ++ send_sigpipe = true;
3731 + goto err_state_unlock;
3732 + }
3733 +
3734 ++ if (init_scm) {
3735 ++ err = maybe_init_creds(&scm, socket, other);
3736 ++ if (err)
3737 ++ goto err_state_unlock;
3738 ++ init_scm = false;
3739 ++ }
3740 ++
3741 + skb = skb_peek_tail(&other->sk_receive_queue);
3742 + if (tail && tail == skb) {
3743 + skb = newskb;
3744 +- } else if (!skb) {
3745 +- if (newskb)
3746 ++ } else if (!skb || !unix_skb_scm_eq(skb, &scm)) {
3747 ++ if (newskb) {
3748 + skb = newskb;
3749 +- else
3750 ++ } else {
3751 ++ tail = skb;
3752 + goto alloc_skb;
3753 ++ }
3754 + } else if (newskb) {
3755 + /* this is fast path, we don't necessarily need to
3756 + * call to kfree_skb even though with newskb == NULL
3757 + * this - does no harm
3758 + */
3759 + consume_skb(newskb);
3760 ++ newskb = NULL;
3761 + }
3762 +
3763 + if (skb_append_pagefrags(skb, page, offset, size)) {
3764 +@@ -1810,14 +2002,20 @@ alloc_skb:
3765 + skb->truesize += size;
3766 + atomic_add(size, &sk->sk_wmem_alloc);
3767 +
3768 +- if (newskb)
3769 ++ if (newskb) {
3770 ++ err = unix_scm_to_skb(&scm, skb, false);
3771 ++ if (err)
3772 ++ goto err_state_unlock;
3773 ++ spin_lock(&other->sk_receive_queue.lock);
3774 + __skb_queue_tail(&other->sk_receive_queue, newskb);
3775 ++ spin_unlock(&other->sk_receive_queue.lock);
3776 ++ }
3777 +
3778 + unix_state_unlock(other);
3779 + mutex_unlock(&unix_sk(other)->readlock);
3780 +
3781 + other->sk_data_ready(other);
3782 +-
3783 ++ scm_destroy(&scm);
3784 + return size;
3785 +
3786 + err_state_unlock:
3787 +@@ -1828,6 +2026,8 @@ err:
3788 + kfree_skb(newskb);
3789 + if (send_sigpipe && !(flags & MSG_NOSIGNAL))
3790 + send_sig(SIGPIPE, current, 0);
3791 ++ if (!init_scm)
3792 ++ scm_destroy(&scm);
3793 + return err;
3794 + }
3795 +
3796 +@@ -2071,6 +2271,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
3797 +
3798 + do {
3799 + int chunk;
3800 ++ bool drop_skb;
3801 + struct sk_buff *skb, *last;
3802 +
3803 + unix_state_lock(sk);
3804 +@@ -2130,10 +2331,7 @@ unlock:
3805 +
3806 + if (check_creds) {
3807 + /* Never glue messages from different writers */
3808 +- if ((UNIXCB(skb).pid != scm.pid) ||
3809 +- !uid_eq(UNIXCB(skb).uid, scm.creds.uid) ||
3810 +- !gid_eq(UNIXCB(skb).gid, scm.creds.gid) ||
3811 +- !unix_secdata_eq(&scm, skb))
3812 ++ if (!unix_skb_scm_eq(skb, &scm))
3813 + break;
3814 + } else if (test_bit(SOCK_PASSCRED, &sock->flags)) {
3815 + /* Copy credentials */
3816 +@@ -2151,7 +2349,11 @@ unlock:
3817 + }
3818 +
3819 + chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
3820 ++ skb_get(skb);
3821 + chunk = state->recv_actor(skb, skip, chunk, state);
3822 ++ drop_skb = !unix_skb_len(skb);
3823 ++ /* skb is only safe to use if !drop_skb */
3824 ++ consume_skb(skb);
3825 + if (chunk < 0) {
3826 + if (copied == 0)
3827 + copied = -EFAULT;
3828 +@@ -2160,6 +2362,18 @@ unlock:
3829 + copied += chunk;
3830 + size -= chunk;
3831 +
3832 ++ if (drop_skb) {
3833 ++ /* the skb was touched by a concurrent reader;
3834 ++ * we should not expect anything from this skb
3835 ++ * anymore and assume it invalid - we can be
3836 ++ * sure it was dropped from the socket queue
3837 ++ *
3838 ++ * let's report a short read
3839 ++ */
3840 ++ err = 0;
3841 ++ break;
3842 ++ }
3843 ++
3844 + /* Mark read part of skb as used */
3845 + if (!(flags & MSG_PEEK)) {
3846 + UNIXCB(skb).consumed += chunk;
3847 +@@ -2453,14 +2667,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
3848 + return mask;
3849 +
3850 + writable = unix_writable(sk);
3851 +- other = unix_peer_get(sk);
3852 +- if (other) {
3853 +- if (unix_peer(other) != sk) {
3854 +- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
3855 +- if (unix_recvq_full(other))
3856 +- writable = 0;
3857 +- }
3858 +- sock_put(other);
3859 ++ if (writable) {
3860 ++ unix_state_lock(sk);
3861 ++
3862 ++ other = unix_peer(sk);
3863 ++ if (other && unix_peer(other) != sk &&
3864 ++ unix_recvq_full(other) &&
3865 ++ unix_dgram_peer_wake_me(sk, other))
3866 ++ writable = 0;
3867 ++
3868 ++ unix_state_unlock(sk);
3869 + }
3870 +
3871 + if (writable)
3872 +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
3873 +index a97db5fc8a15..9d1f91db57e6 100644
3874 +--- a/sound/pci/hda/patch_hdmi.c
3875 ++++ b/sound/pci/hda/patch_hdmi.c
3876 +@@ -48,8 +48,9 @@ MODULE_PARM_DESC(static_hdmi_pcm, "Don't restrict PCM parameters per ELD info");
3877 + #define is_haswell(codec) ((codec)->core.vendor_id == 0x80862807)
3878 + #define is_broadwell(codec) ((codec)->core.vendor_id == 0x80862808)
3879 + #define is_skylake(codec) ((codec)->core.vendor_id == 0x80862809)
3880 ++#define is_broxton(codec) ((codec)->core.vendor_id == 0x8086280a)
3881 + #define is_haswell_plus(codec) (is_haswell(codec) || is_broadwell(codec) \
3882 +- || is_skylake(codec))
3883 ++ || is_skylake(codec) || is_broxton(codec))
3884 +
3885 + #define is_valleyview(codec) ((codec)->core.vendor_id == 0x80862882)
3886 + #define is_cherryview(codec) ((codec)->core.vendor_id == 0x80862883)
3887 +diff --git a/tools/net/Makefile b/tools/net/Makefile
3888 +index ee577ea03ba5..ddf888010652 100644
3889 +--- a/tools/net/Makefile
3890 ++++ b/tools/net/Makefile
3891 +@@ -4,6 +4,9 @@ CC = gcc
3892 + LEX = flex
3893 + YACC = bison
3894 +
3895 ++CFLAGS += -Wall -O2
3896 ++CFLAGS += -D__EXPORTED_HEADERS__ -I../../include/uapi -I../../include
3897 ++
3898 + %.yacc.c: %.y
3899 + $(YACC) -o $@ -d $<
3900 +
3901 +@@ -12,15 +15,13 @@ YACC = bison
3902 +
3903 + all : bpf_jit_disasm bpf_dbg bpf_asm
3904 +
3905 +-bpf_jit_disasm : CFLAGS = -Wall -O2 -DPACKAGE='bpf_jit_disasm'
3906 ++bpf_jit_disasm : CFLAGS += -DPACKAGE='bpf_jit_disasm'
3907 + bpf_jit_disasm : LDLIBS = -lopcodes -lbfd -ldl
3908 + bpf_jit_disasm : bpf_jit_disasm.o
3909 +
3910 +-bpf_dbg : CFLAGS = -Wall -O2
3911 + bpf_dbg : LDLIBS = -lreadline
3912 + bpf_dbg : bpf_dbg.o
3913 +
3914 +-bpf_asm : CFLAGS = -Wall -O2 -I.
3915 + bpf_asm : LDLIBS =
3916 + bpf_asm : bpf_asm.o bpf_exp.yacc.o bpf_exp.lex.o
3917 + bpf_exp.lex.o : bpf_exp.yacc.c
Report Message
Find on MARC Find on Google Groups