Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Thu, 10 Jun 2021 11:17:02
Message-Id: 1623323775.3a058e50f9b202f057a9193e77b4f3f96f6ebbfd.mpagano@gentoo
1 commit: 3a058e50f9b202f057a9193e77b4f3f96f6ebbfd
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jun 10 11:16:15 2021 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu Jun 10 11:16:15 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=3a058e50
7
8 Linux patch 4.14.236
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1235_linux-4.14.236.patch | 2016 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 2020 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 661dd8d..1cbc4b5 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -983,6 +983,10 @@ Patch: 1234_linux-4.14.235.patch
21 From: https://www.kernel.org
22 Desc: Linux 4.14.235
23
24 +Patch: 1235_linux-4.14.236.patch
25 +From: https://www.kernel.org
26 +Desc: Linux 4.14.236
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1235_linux-4.14.236.patch b/1235_linux-4.14.236.patch
33 new file mode 100644
34 index 0000000..80038e5
35 --- /dev/null
36 +++ b/1235_linux-4.14.236.patch
37 @@ -0,0 +1,2016 @@
38 +diff --git a/Makefile b/Makefile
39 +index 8849d79161a37..3d162ef034d41 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 4
45 + PATCHLEVEL = 14
46 +-SUBLEVEL = 235
47 ++SUBLEVEL = 236
48 + EXTRAVERSION =
49 + NAME = Petit Gorille
50 +
51 +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
52 +index cfd6e58e824b3..3571253b86907 100644
53 +--- a/arch/x86/kvm/svm.c
54 ++++ b/arch/x86/kvm/svm.c
55 +@@ -3532,7 +3532,7 @@ static int cr_interception(struct vcpu_svm *svm)
56 + err = 0;
57 + if (cr >= 16) { /* mov to cr */
58 + cr -= 16;
59 +- val = kvm_register_read(&svm->vcpu, reg);
60 ++ val = kvm_register_readl(&svm->vcpu, reg);
61 + switch (cr) {
62 + case 0:
63 + if (!check_selective_cr0_intercepted(svm, val))
64 +@@ -3577,7 +3577,7 @@ static int cr_interception(struct vcpu_svm *svm)
65 + kvm_queue_exception(&svm->vcpu, UD_VECTOR);
66 + return 1;
67 + }
68 +- kvm_register_write(&svm->vcpu, reg, val);
69 ++ kvm_register_writel(&svm->vcpu, reg, val);
70 + }
71 + return kvm_complete_insn_gp(&svm->vcpu, err);
72 + }
73 +@@ -3607,13 +3607,13 @@ static int dr_interception(struct vcpu_svm *svm)
74 + if (dr >= 16) { /* mov to DRn */
75 + if (!kvm_require_dr(&svm->vcpu, dr - 16))
76 + return 1;
77 +- val = kvm_register_read(&svm->vcpu, reg);
78 ++ val = kvm_register_readl(&svm->vcpu, reg);
79 + kvm_set_dr(&svm->vcpu, dr - 16, val);
80 + } else {
81 + if (!kvm_require_dr(&svm->vcpu, dr))
82 + return 1;
83 + kvm_get_dr(&svm->vcpu, dr, &val);
84 +- kvm_register_write(&svm->vcpu, reg, val);
85 ++ kvm_register_writel(&svm->vcpu, reg, val);
86 + }
87 +
88 + return kvm_skip_emulated_instruction(&svm->vcpu);
89 +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
90 +index 209dc5aefc310..efbb13c6581ec 100644
91 +--- a/drivers/firmware/efi/cper.c
92 ++++ b/drivers/firmware/efi/cper.c
93 +@@ -380,8 +380,7 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg)
94 + if (!msg || !(mem->validation_bits & CPER_MEM_VALID_MODULE_HANDLE))
95 + return 0;
96 +
97 +- n = 0;
98 +- len = CPER_REC_LEN - 1;
99 ++ len = CPER_REC_LEN;
100 + dmi_memdev_name(mem->mem_dev_handle, &bank, &device);
101 + if (bank && device)
102 + n = snprintf(msg, len, "DIMM location: %s %s ", bank, device);
103 +@@ -390,7 +389,6 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg)
104 + "DIMM location: not present. DMI handle: 0x%.4x ",
105 + mem->mem_dev_handle);
106 +
107 +- msg[n] = '\0';
108 + return n;
109 + }
110 +
111 +diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c
112 +index aac972b056d91..e0889922cc6d7 100644
113 +--- a/drivers/firmware/efi/memattr.c
114 ++++ b/drivers/firmware/efi/memattr.c
115 +@@ -69,11 +69,6 @@ static bool entry_is_valid(const efi_memory_desc_t *in, efi_memory_desc_t *out)
116 + return false;
117 + }
118 +
119 +- if (!(in->attribute & (EFI_MEMORY_RO | EFI_MEMORY_XP))) {
120 +- pr_warn("Entry attributes invalid: RO and XP bits both cleared\n");
121 +- return false;
122 +- }
123 +-
124 + if (PAGE_SIZE > EFI_PAGE_SIZE &&
125 + (!PAGE_ALIGNED(in->phys_addr) ||
126 + !PAGE_ALIGNED(in->num_pages << EFI_PAGE_SHIFT))) {
127 +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
128 +index 0294cac4c856d..b16bf43584852 100644
129 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c
130 ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
131 +@@ -1092,8 +1092,8 @@ static int i2c_hid_probe(struct i2c_client *client,
132 + hid->vendor = le16_to_cpu(ihid->hdesc.wVendorID);
133 + hid->product = le16_to_cpu(ihid->hdesc.wProductID);
134 +
135 +- snprintf(hid->name, sizeof(hid->name), "%s %04hX:%04hX",
136 +- client->name, hid->vendor, hid->product);
137 ++ snprintf(hid->name, sizeof(hid->name), "%s %04X:%04X",
138 ++ client->name, (u16)hid->vendor, (u16)hid->product);
139 + strlcpy(hid->phys, dev_name(&client->dev), sizeof(hid->phys));
140 +
141 + ihid->quirks = i2c_hid_lookup_quirk(hid->vendor, hid->product);
142 +diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
143 +index 08174d341f4a1..bc75f1efa0f4c 100644
144 +--- a/drivers/hid/usbhid/hid-pidff.c
145 ++++ b/drivers/hid/usbhid/hid-pidff.c
146 +@@ -1304,6 +1304,7 @@ int hid_pidff_init(struct hid_device *hid)
147 +
148 + if (pidff->pool[PID_DEVICE_MANAGED_POOL].value &&
149 + pidff->pool[PID_DEVICE_MANAGED_POOL].value[0] == 0) {
150 ++ error = -EPERM;
151 + hid_notice(hid,
152 + "device does not support device managed pool\n");
153 + goto fail;
154 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
155 +index 42af96f2b5f6b..9135c3eccb588 100644
156 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
157 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
158 +@@ -4791,7 +4791,6 @@ static int bnxt_hwrm_func_qcaps(struct bnxt *bp)
159 +
160 + pf->fw_fid = le16_to_cpu(resp->fid);
161 + pf->port_id = le16_to_cpu(resp->port_id);
162 +- bp->dev->dev_port = pf->port_id;
163 + memcpy(pf->mac_addr, resp->mac_address, ETH_ALEN);
164 + pf->max_rsscos_ctxs = le16_to_cpu(resp->max_rsscos_ctx);
165 + pf->max_cp_rings = le16_to_cpu(resp->max_cmpl_rings);
166 +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
167 +index eef1412c058d3..468db50eb5e7e 100644
168 +--- a/drivers/net/usb/cdc_ncm.c
169 ++++ b/drivers/net/usb/cdc_ncm.c
170 +@@ -1591,6 +1591,15 @@ cdc_ncm_speed_change(struct usbnet *dev,
171 + uint32_t rx_speed = le32_to_cpu(data->DLBitRRate);
172 + uint32_t tx_speed = le32_to_cpu(data->ULBitRate);
173 +
174 ++ /* if the speed hasn't changed, don't report it.
175 ++ * RTL8156 shipped before 2021 sends notification about every 32ms.
176 ++ */
177 ++ if (dev->rx_speed == rx_speed && dev->tx_speed == tx_speed)
178 ++ return;
179 ++
180 ++ dev->rx_speed = rx_speed;
181 ++ dev->tx_speed = tx_speed;
182 ++
183 + /*
184 + * Currently the USB-NET API does not support reporting the actual
185 + * device speed. Do print it instead.
186 +@@ -1634,7 +1643,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
187 + * USB_CDC_NOTIFY_NETWORK_CONNECTION notification shall be
188 + * sent by device after USB_CDC_NOTIFY_SPEED_CHANGE.
189 + */
190 +- usbnet_link_change(dev, !!event->wValue, 0);
191 ++ if (netif_carrier_ok(dev->net) != !!event->wValue)
192 ++ usbnet_link_change(dev, !!event->wValue, 0);
193 + break;
194 +
195 + case USB_CDC_NOTIFY_SPEED_CHANGE:
196 +diff --git a/drivers/vfio/pci/Kconfig b/drivers/vfio/pci/Kconfig
197 +index 24ee2605b9f04..0da884bfc7a80 100644
198 +--- a/drivers/vfio/pci/Kconfig
199 ++++ b/drivers/vfio/pci/Kconfig
200 +@@ -1,6 +1,7 @@
201 + config VFIO_PCI
202 + tristate "VFIO support for PCI devices"
203 + depends on VFIO && PCI && EVENTFD
204 ++ depends on MMU
205 + select VFIO_VIRQFD
206 + select IRQ_BYPASS_MANAGER
207 + help
208 +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
209 +index a1a26465d224c..86e917f1cc211 100644
210 +--- a/drivers/vfio/pci/vfio_pci_config.c
211 ++++ b/drivers/vfio/pci/vfio_pci_config.c
212 +@@ -1579,7 +1579,7 @@ static int vfio_ecap_init(struct vfio_pci_device *vdev)
213 + if (len == 0xFF) {
214 + len = vfio_ext_cap_len(vdev, ecap, epos);
215 + if (len < 0)
216 +- return ret;
217 ++ return len;
218 + }
219 + }
220 +
221 +diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c
222 +index aa9e792110e38..f42acc830c245 100644
223 +--- a/drivers/vfio/platform/vfio_platform_common.c
224 ++++ b/drivers/vfio/platform/vfio_platform_common.c
225 +@@ -288,7 +288,7 @@ err_irq:
226 + vfio_platform_regions_cleanup(vdev);
227 + err_reg:
228 + mutex_unlock(&driver_lock);
229 +- module_put(THIS_MODULE);
230 ++ module_put(vdev->parent_module);
231 + return ret;
232 + }
233 +
234 +diff --git a/drivers/xen/xen-pciback/vpci.c b/drivers/xen/xen-pciback/vpci.c
235 +index f6ba18191c0f9..30313084f06c1 100644
236 +--- a/drivers/xen/xen-pciback/vpci.c
237 ++++ b/drivers/xen/xen-pciback/vpci.c
238 +@@ -69,7 +69,7 @@ static int __xen_pcibk_add_pci_dev(struct xen_pcibk_device *pdev,
239 + struct pci_dev *dev, int devid,
240 + publish_pci_dev_cb publish_cb)
241 + {
242 +- int err = 0, slot, func = -1;
243 ++ int err = 0, slot, func = PCI_FUNC(dev->devfn);
244 + struct pci_dev_entry *t, *dev_entry;
245 + struct vpci_dev_data *vpci_dev = pdev->pci_dev_data;
246 +
247 +@@ -94,23 +94,26 @@ static int __xen_pcibk_add_pci_dev(struct xen_pcibk_device *pdev,
248 +
249 + /*
250 + * Keep multi-function devices together on the virtual PCI bus, except
251 +- * virtual functions.
252 ++ * that we want to keep virtual functions at func 0 on their own. They
253 ++ * aren't multi-function devices and hence their presence at func 0
254 ++ * may cause guests to not scan the other functions.
255 + */
256 +- if (!dev->is_virtfn) {
257 ++ if (!dev->is_virtfn || func) {
258 + for (slot = 0; slot < PCI_SLOT_MAX; slot++) {
259 + if (list_empty(&vpci_dev->dev_list[slot]))
260 + continue;
261 +
262 + t = list_entry(list_first(&vpci_dev->dev_list[slot]),
263 + struct pci_dev_entry, list);
264 ++ if (t->dev->is_virtfn && !PCI_FUNC(t->dev->devfn))
265 ++ continue;
266 +
267 + if (match_slot(dev, t->dev)) {
268 + pr_info("vpci: %s: assign to virtual slot %d func %d\n",
269 + pci_name(dev), slot,
270 +- PCI_FUNC(dev->devfn));
271 ++ func);
272 + list_add_tail(&dev_entry->list,
273 + &vpci_dev->dev_list[slot]);
274 +- func = PCI_FUNC(dev->devfn);
275 + goto unlock;
276 + }
277 + }
278 +@@ -123,7 +126,6 @@ static int __xen_pcibk_add_pci_dev(struct xen_pcibk_device *pdev,
279 + pci_name(dev), slot);
280 + list_add_tail(&dev_entry->list,
281 + &vpci_dev->dev_list[slot]);
282 +- func = dev->is_virtfn ? 0 : PCI_FUNC(dev->devfn);
283 + goto unlock;
284 + }
285 + }
286 +diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c
287 +index edd5f152e4487..684517086138c 100644
288 +--- a/fs/btrfs/file-item.c
289 ++++ b/fs/btrfs/file-item.c
290 +@@ -599,7 +599,7 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans,
291 + u64 end_byte = bytenr + len;
292 + u64 csum_end;
293 + struct extent_buffer *leaf;
294 +- int ret;
295 ++ int ret = 0;
296 + u16 csum_size = btrfs_super_csum_size(fs_info->super_copy);
297 + int blocksize_bits = fs_info->sb->s_blocksize_bits;
298 +
299 +@@ -615,6 +615,7 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans,
300 + path->leave_spinning = 1;
301 + ret = btrfs_search_slot(trans, root, &key, path, -1, 1);
302 + if (ret > 0) {
303 ++ ret = 0;
304 + if (path->slots[0] == 0)
305 + break;
306 + path->slots[0]--;
307 +@@ -671,7 +672,7 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans,
308 + ret = btrfs_del_items(trans, root, path,
309 + path->slots[0], del_nr);
310 + if (ret)
311 +- goto out;
312 ++ break;
313 + if (key.offset == bytenr)
314 + break;
315 + } else if (key.offset < bytenr && csum_end > end_byte) {
316 +@@ -715,8 +716,9 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans,
317 + ret = btrfs_split_item(trans, root, path, &key, offset);
318 + if (ret && ret != -EAGAIN) {
319 + btrfs_abort_transaction(trans, ret);
320 +- goto out;
321 ++ break;
322 + }
323 ++ ret = 0;
324 +
325 + key.offset = end_byte - 1;
326 + } else {
327 +@@ -726,8 +728,6 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans,
328 + }
329 + btrfs_release_path(path);
330 + }
331 +- ret = 0;
332 +-out:
333 + btrfs_free_path(path);
334 + return ret;
335 + }
336 +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
337 +index 035a2e2be156d..f890fdb59915b 100644
338 +--- a/fs/btrfs/tree-log.c
339 ++++ b/fs/btrfs/tree-log.c
340 +@@ -1558,6 +1558,7 @@ static noinline int fixup_inode_link_counts(struct btrfs_trans_handle *trans,
341 + break;
342 +
343 + if (ret == 1) {
344 ++ ret = 0;
345 + if (path->slots[0] == 0)
346 + break;
347 + path->slots[0]--;
348 +@@ -1570,17 +1571,19 @@ static noinline int fixup_inode_link_counts(struct btrfs_trans_handle *trans,
349 +
350 + ret = btrfs_del_item(trans, root, path);
351 + if (ret)
352 +- goto out;
353 ++ break;
354 +
355 + btrfs_release_path(path);
356 + inode = read_one_inode(root, key.offset);
357 +- if (!inode)
358 +- return -EIO;
359 ++ if (!inode) {
360 ++ ret = -EIO;
361 ++ break;
362 ++ }
363 +
364 + ret = fixup_inode_link_count(trans, root, inode);
365 + iput(inode);
366 + if (ret)
367 +- goto out;
368 ++ break;
369 +
370 + /*
371 + * fixup on a directory may create new entries,
372 +@@ -1589,8 +1592,6 @@ static noinline int fixup_inode_link_counts(struct btrfs_trans_handle *trans,
373 + */
374 + key.offset = (u64)-1;
375 + }
376 +- ret = 0;
377 +-out:
378 + btrfs_release_path(path);
379 + return ret;
380 + }
381 +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
382 +index 264332fb0e776..17f6d995576f9 100644
383 +--- a/fs/ext4/extents.c
384 ++++ b/fs/ext4/extents.c
385 +@@ -3275,7 +3275,10 @@ static int ext4_split_extent_at(handle_t *handle,
386 + ext4_ext_mark_unwritten(ex2);
387 +
388 + err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags);
389 +- if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) {
390 ++ if (err != -ENOSPC && err != -EDQUOT)
391 ++ goto out;
392 ++
393 ++ if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
394 + if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
395 + if (split_flag & EXT4_EXT_DATA_VALID1) {
396 + err = ext4_ext_zeroout(inode, ex2);
397 +@@ -3301,30 +3304,30 @@ static int ext4_split_extent_at(handle_t *handle,
398 + ext4_ext_pblock(&orig_ex));
399 + }
400 +
401 +- if (err)
402 +- goto fix_extent_len;
403 +- /* update the extent length and mark as initialized */
404 +- ex->ee_len = cpu_to_le16(ee_len);
405 +- ext4_ext_try_to_merge(handle, inode, path, ex);
406 +- err = ext4_ext_dirty(handle, inode, path + path->p_depth);
407 +- if (err)
408 +- goto fix_extent_len;
409 +-
410 +- /* update extent status tree */
411 +- err = ext4_zeroout_es(inode, &zero_ex);
412 +-
413 +- goto out;
414 +- } else if (err)
415 +- goto fix_extent_len;
416 +-
417 +-out:
418 +- ext4_ext_show_leaf(inode, path);
419 +- return err;
420 ++ if (!err) {
421 ++ /* update the extent length and mark as initialized */
422 ++ ex->ee_len = cpu_to_le16(ee_len);
423 ++ ext4_ext_try_to_merge(handle, inode, path, ex);
424 ++ err = ext4_ext_dirty(handle, inode, path + path->p_depth);
425 ++ if (!err)
426 ++ /* update extent status tree */
427 ++ err = ext4_zeroout_es(inode, &zero_ex);
428 ++ /* If we failed at this point, we don't know in which
429 ++ * state the extent tree exactly is so don't try to fix
430 ++ * length of the original extent as it may do even more
431 ++ * damage.
432 ++ */
433 ++ goto out;
434 ++ }
435 ++ }
436 +
437 + fix_extent_len:
438 + ex->ee_len = orig_ex.ee_len;
439 + ext4_ext_dirty(handle, inode, path + path->p_depth);
440 + return err;
441 ++out:
442 ++ ext4_ext_show_leaf(inode, path);
443 ++ return err;
444 + }
445 +
446 + /*
447 +diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
448 +index baf5c4028fd62..90e658caa8deb 100644
449 +--- a/fs/ocfs2/file.c
450 ++++ b/fs/ocfs2/file.c
451 +@@ -1861,6 +1861,45 @@ out:
452 + return ret;
453 + }
454 +
455 ++/*
456 ++ * zero out partial blocks of one cluster.
457 ++ *
458 ++ * start: file offset where zero starts, will be made upper block aligned.
459 ++ * len: it will be trimmed to the end of current cluster if "start + len"
460 ++ * is bigger than it.
461 ++ */
462 ++static int ocfs2_zeroout_partial_cluster(struct inode *inode,
463 ++ u64 start, u64 len)
464 ++{
465 ++ int ret;
466 ++ u64 start_block, end_block, nr_blocks;
467 ++ u64 p_block, offset;
468 ++ u32 cluster, p_cluster, nr_clusters;
469 ++ struct super_block *sb = inode->i_sb;
470 ++ u64 end = ocfs2_align_bytes_to_clusters(sb, start);
471 ++
472 ++ if (start + len < end)
473 ++ end = start + len;
474 ++
475 ++ start_block = ocfs2_blocks_for_bytes(sb, start);
476 ++ end_block = ocfs2_blocks_for_bytes(sb, end);
477 ++ nr_blocks = end_block - start_block;
478 ++ if (!nr_blocks)
479 ++ return 0;
480 ++
481 ++ cluster = ocfs2_bytes_to_clusters(sb, start);
482 ++ ret = ocfs2_get_clusters(inode, cluster, &p_cluster,
483 ++ &nr_clusters, NULL);
484 ++ if (ret)
485 ++ return ret;
486 ++ if (!p_cluster)
487 ++ return 0;
488 ++
489 ++ offset = start_block - ocfs2_clusters_to_blocks(sb, cluster);
490 ++ p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset;
491 ++ return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS);
492 ++}
493 ++
494 + /*
495 + * Parts of this function taken from xfs_change_file_space()
496 + */
497 +@@ -1871,7 +1910,7 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode,
498 + {
499 + int ret;
500 + s64 llen;
501 +- loff_t size;
502 ++ loff_t size, orig_isize;
503 + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
504 + struct buffer_head *di_bh = NULL;
505 + handle_t *handle;
506 +@@ -1902,6 +1941,7 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode,
507 + goto out_inode_unlock;
508 + }
509 +
510 ++ orig_isize = i_size_read(inode);
511 + switch (sr->l_whence) {
512 + case 0: /*SEEK_SET*/
513 + break;
514 +@@ -1909,7 +1949,7 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode,
515 + sr->l_start += f_pos;
516 + break;
517 + case 2: /*SEEK_END*/
518 +- sr->l_start += i_size_read(inode);
519 ++ sr->l_start += orig_isize;
520 + break;
521 + default:
522 + ret = -EINVAL;
523 +@@ -1963,6 +2003,14 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode,
524 + default:
525 + ret = -EINVAL;
526 + }
527 ++
528 ++ /* zeroout eof blocks in the cluster. */
529 ++ if (!ret && change_size && orig_isize < size) {
530 ++ ret = ocfs2_zeroout_partial_cluster(inode, orig_isize,
531 ++ size - orig_isize);
532 ++ if (!ret)
533 ++ i_size_write(inode, size);
534 ++ }
535 + up_write(&OCFS2_I(inode)->ip_alloc_sem);
536 + if (ret) {
537 + mlog_errno(ret);
538 +@@ -1979,9 +2027,6 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode,
539 + goto out_inode_unlock;
540 + }
541 +
542 +- if (change_size && i_size_read(inode) < size)
543 +- i_size_write(inode, size);
544 +-
545 + inode->i_ctime = inode->i_mtime = current_time(inode);
546 + ret = ocfs2_mark_inode_dirty(handle, inode, di_bh);
547 + if (ret < 0)
548 +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
549 +index d8b3240cfe6ee..8509484cada4a 100644
550 +--- a/include/linux/bpf_verifier.h
551 ++++ b/include/linux/bpf_verifier.h
552 +@@ -114,10 +114,11 @@ struct bpf_verifier_state_list {
553 + };
554 +
555 + /* Possible states for alu_state member. */
556 +-#define BPF_ALU_SANITIZE_SRC 1U
557 +-#define BPF_ALU_SANITIZE_DST 2U
558 ++#define BPF_ALU_SANITIZE_SRC (1U << 0)
559 ++#define BPF_ALU_SANITIZE_DST (1U << 1)
560 + #define BPF_ALU_NEG_VALUE (1U << 2)
561 + #define BPF_ALU_NON_POINTER (1U << 3)
562 ++#define BPF_ALU_IMMEDIATE (1U << 4)
563 + #define BPF_ALU_SANITIZE (BPF_ALU_SANITIZE_SRC | \
564 + BPF_ALU_SANITIZE_DST)
565 +
566 +diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h
567 +index e87a805cbfeff..5df465dc7af8a 100644
568 +--- a/include/linux/usb/usbnet.h
569 ++++ b/include/linux/usb/usbnet.h
570 +@@ -82,6 +82,8 @@ struct usbnet {
571 + # define EVENT_LINK_CHANGE 11
572 + # define EVENT_SET_RX_MODE 12
573 + # define EVENT_NO_IP_ALIGN 13
574 ++ u32 rx_speed; /* in bps - NOT Mbps */
575 ++ u32 tx_speed; /* in bps - NOT Mbps */
576 + };
577 +
578 + static inline struct usb_driver *driver_of(struct usb_interface *intf)
579 +diff --git a/include/net/caif/caif_dev.h b/include/net/caif/caif_dev.h
580 +index 028b754ae9b17..0baf2e21a533f 100644
581 +--- a/include/net/caif/caif_dev.h
582 ++++ b/include/net/caif/caif_dev.h
583 +@@ -119,7 +119,7 @@ void caif_free_client(struct cflayer *adap_layer);
584 + * The link_support layer is used to add any Link Layer specific
585 + * framing.
586 + */
587 +-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
588 ++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
589 + struct cflayer *link_support, int head_room,
590 + struct cflayer **layer, int (**rcv_func)(
591 + struct sk_buff *, struct net_device *,
592 +diff --git a/include/net/caif/cfcnfg.h b/include/net/caif/cfcnfg.h
593 +index 70bfd017581fb..219094ace893c 100644
594 +--- a/include/net/caif/cfcnfg.h
595 ++++ b/include/net/caif/cfcnfg.h
596 +@@ -62,7 +62,7 @@ void cfcnfg_remove(struct cfcnfg *cfg);
597 + * @fcs: Specify if checksum is used in CAIF Framing Layer.
598 + * @head_room: Head space needed by link specific protocol.
599 + */
600 +-void
601 ++int
602 + cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
603 + struct net_device *dev, struct cflayer *phy_layer,
604 + enum cfcnfg_phy_preference pref,
605 +diff --git a/include/net/caif/cfserl.h b/include/net/caif/cfserl.h
606 +index b5b020f3c72eb..bc3fae07a25f9 100644
607 +--- a/include/net/caif/cfserl.h
608 ++++ b/include/net/caif/cfserl.h
609 +@@ -9,4 +9,5 @@
610 + #include <net/caif/caif_layer.h>
611 +
612 + struct cflayer *cfserl_create(int instance, bool use_stx);
613 ++void cfserl_release(struct cflayer *layer);
614 + #endif
615 +diff --git a/init/main.c b/init/main.c
616 +index 603b1ad88cb68..f0b2411a5fbf9 100644
617 +--- a/init/main.c
618 ++++ b/init/main.c
619 +@@ -1054,7 +1054,7 @@ static noinline void __init kernel_init_freeable(void)
620 + */
621 + set_mems_allowed(node_states[N_MEMORY]);
622 +
623 +- cad_pid = task_pid(current);
624 ++ cad_pid = get_pid(task_pid(current));
625 +
626 + smp_prepare_cpus(setup_max_cpus);
627 +
628 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
629 +index f28ba90a43a7f..4a3333039bf2a 100644
630 +--- a/kernel/bpf/verifier.c
631 ++++ b/kernel/bpf/verifier.c
632 +@@ -2024,37 +2024,43 @@ static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env)
633 + return &env->insn_aux_data[env->insn_idx];
634 + }
635 +
636 ++enum {
637 ++ REASON_BOUNDS = -1,
638 ++ REASON_TYPE = -2,
639 ++ REASON_PATHS = -3,
640 ++ REASON_LIMIT = -4,
641 ++ REASON_STACK = -5,
642 ++};
643 ++
644 + static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
645 +- u32 *ptr_limit, u8 opcode, bool off_is_neg)
646 ++ u32 *alu_limit, bool mask_to_left)
647 + {
648 +- bool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
649 +- (opcode == BPF_SUB && !off_is_neg);
650 +- u32 off, max;
651 ++ u32 max = 0, ptr_limit = 0;
652 +
653 + switch (ptr_reg->type) {
654 + case PTR_TO_STACK:
655 + /* Offset 0 is out-of-bounds, but acceptable start for the
656 +- * left direction, see BPF_REG_FP.
657 ++ * left direction, see BPF_REG_FP. Also, unknown scalar
658 ++ * offset where we would need to deal with min/max bounds is
659 ++ * currently prohibited for unprivileged.
660 + */
661 + max = MAX_BPF_STACK + mask_to_left;
662 +- off = ptr_reg->off + ptr_reg->var_off.value;
663 +- if (mask_to_left)
664 +- *ptr_limit = MAX_BPF_STACK + off;
665 +- else
666 +- *ptr_limit = -off - 1;
667 +- return *ptr_limit >= max ? -ERANGE : 0;
668 ++ ptr_limit = -(ptr_reg->var_off.value + ptr_reg->off);
669 ++ break;
670 + case PTR_TO_MAP_VALUE:
671 + max = ptr_reg->map_ptr->value_size;
672 +- if (mask_to_left) {
673 +- *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
674 +- } else {
675 +- off = ptr_reg->smin_value + ptr_reg->off;
676 +- *ptr_limit = ptr_reg->map_ptr->value_size - off - 1;
677 +- }
678 +- return *ptr_limit >= max ? -ERANGE : 0;
679 ++ ptr_limit = (mask_to_left ?
680 ++ ptr_reg->smin_value :
681 ++ ptr_reg->umax_value) + ptr_reg->off;
682 ++ break;
683 + default:
684 +- return -EINVAL;
685 ++ return REASON_TYPE;
686 + }
687 ++
688 ++ if (ptr_limit >= max)
689 ++ return REASON_LIMIT;
690 ++ *alu_limit = ptr_limit;
691 ++ return 0;
692 + }
693 +
694 + static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env,
695 +@@ -2072,7 +2078,7 @@ static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux,
696 + if (aux->alu_state &&
697 + (aux->alu_state != alu_state ||
698 + aux->alu_limit != alu_limit))
699 +- return -EACCES;
700 ++ return REASON_PATHS;
701 +
702 + /* Corresponding fixup done in fixup_bpf_calls(). */
703 + aux->alu_state = alu_state;
704 +@@ -2091,14 +2097,28 @@ static int sanitize_val_alu(struct bpf_verifier_env *env,
705 + return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0);
706 + }
707 +
708 ++static bool sanitize_needed(u8 opcode)
709 ++{
710 ++ return opcode == BPF_ADD || opcode == BPF_SUB;
711 ++}
712 ++
713 ++struct bpf_sanitize_info {
714 ++ struct bpf_insn_aux_data aux;
715 ++ bool mask_to_left;
716 ++};
717 ++
718 + static int sanitize_ptr_alu(struct bpf_verifier_env *env,
719 + struct bpf_insn *insn,
720 + const struct bpf_reg_state *ptr_reg,
721 ++ const struct bpf_reg_state *off_reg,
722 + struct bpf_reg_state *dst_reg,
723 +- bool off_is_neg)
724 ++ struct bpf_sanitize_info *info,
725 ++ const bool commit_window)
726 + {
727 ++ struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : &info->aux;
728 + struct bpf_verifier_state *vstate = env->cur_state;
729 +- struct bpf_insn_aux_data *aux = cur_aux(env);
730 ++ bool off_is_imm = tnum_is_const(off_reg->var_off);
731 ++ bool off_is_neg = off_reg->smin_value < 0;
732 + bool ptr_is_dst_reg = ptr_reg == dst_reg;
733 + u8 opcode = BPF_OP(insn->code);
734 + u32 alu_state, alu_limit;
735 +@@ -2116,18 +2136,47 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
736 + if (vstate->speculative)
737 + goto do_sim;
738 +
739 +- alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
740 +- alu_state |= ptr_is_dst_reg ?
741 +- BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
742 ++ if (!commit_window) {
743 ++ if (!tnum_is_const(off_reg->var_off) &&
744 ++ (off_reg->smin_value < 0) != (off_reg->smax_value < 0))
745 ++ return REASON_BOUNDS;
746 +
747 +- err = retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg);
748 ++ info->mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
749 ++ (opcode == BPF_SUB && !off_is_neg);
750 ++ }
751 ++
752 ++ err = retrieve_ptr_limit(ptr_reg, &alu_limit, info->mask_to_left);
753 + if (err < 0)
754 + return err;
755 +
756 ++ if (commit_window) {
757 ++ /* In commit phase we narrow the masking window based on
758 ++ * the observed pointer move after the simulated operation.
759 ++ */
760 ++ alu_state = info->aux.alu_state;
761 ++ alu_limit = abs(info->aux.alu_limit - alu_limit);
762 ++ } else {
763 ++ alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
764 ++ alu_state |= off_is_imm ? BPF_ALU_IMMEDIATE : 0;
765 ++ alu_state |= ptr_is_dst_reg ?
766 ++ BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
767 ++ }
768 ++
769 + err = update_alu_sanitation_state(aux, alu_state, alu_limit);
770 + if (err < 0)
771 + return err;
772 + do_sim:
773 ++ /* If we're in commit phase, we're done here given we already
774 ++ * pushed the truncated dst_reg into the speculative verification
775 ++ * stack.
776 ++ *
777 ++ * Also, when register is a known constant, we rewrite register-based
778 ++ * operation to immediate-based, and thus do not need masking (and as
779 ++ * a consequence, do not need to simulate the zero-truncation either).
780 ++ */
781 ++ if (commit_window || off_is_imm)
782 ++ return 0;
783 ++
784 + /* Simulate and find potential out-of-bounds access under
785 + * speculative execution from truncation as a result of
786 + * masking when off was not within expected range. If off
787 +@@ -2144,7 +2193,81 @@ do_sim:
788 + ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
789 + if (!ptr_is_dst_reg && ret)
790 + *dst_reg = tmp;
791 +- return !ret ? -EFAULT : 0;
792 ++ return !ret ? REASON_STACK : 0;
793 ++}
794 ++
795 ++static int sanitize_err(struct bpf_verifier_env *env,
796 ++ const struct bpf_insn *insn, int reason,
797 ++ const struct bpf_reg_state *off_reg,
798 ++ const struct bpf_reg_state *dst_reg)
799 ++{
800 ++ static const char *err = "pointer arithmetic with it prohibited for !root";
801 ++ const char *op = BPF_OP(insn->code) == BPF_ADD ? "add" : "sub";
802 ++ u32 dst = insn->dst_reg, src = insn->src_reg;
803 ++
804 ++ switch (reason) {
805 ++ case REASON_BOUNDS:
806 ++ verbose("R%d has unknown scalar with mixed signed bounds, %s\n",
807 ++ off_reg == dst_reg ? dst : src, err);
808 ++ break;
809 ++ case REASON_TYPE:
810 ++ verbose("R%d has pointer with unsupported alu operation, %s\n",
811 ++ off_reg == dst_reg ? src : dst, err);
812 ++ break;
813 ++ case REASON_PATHS:
814 ++ verbose("R%d tried to %s from different maps, paths or scalars, %s\n",
815 ++ dst, op, err);
816 ++ break;
817 ++ case REASON_LIMIT:
818 ++ verbose("R%d tried to %s beyond pointer bounds, %s\n",
819 ++ dst, op, err);
820 ++ break;
821 ++ case REASON_STACK:
822 ++ verbose("R%d could not be pushed for speculative verification, %s\n",
823 ++ dst, err);
824 ++ break;
825 ++ default:
826 ++ verbose("verifier internal error: unknown reason (%d)\n",
827 ++ reason);
828 ++ break;
829 ++ }
830 ++
831 ++ return -EACCES;
832 ++}
833 ++
834 ++static int sanitize_check_bounds(struct bpf_verifier_env *env,
835 ++ const struct bpf_insn *insn,
836 ++ const struct bpf_reg_state *dst_reg)
837 ++{
838 ++ u32 dst = insn->dst_reg;
839 ++
840 ++ /* For unprivileged we require that resulting offset must be in bounds
841 ++ * in order to be able to sanitize access later on.
842 ++ */
843 ++ if (env->allow_ptr_leaks)
844 ++ return 0;
845 ++
846 ++ switch (dst_reg->type) {
847 ++ case PTR_TO_STACK:
848 ++ if (check_stack_access(env, dst_reg, dst_reg->off +
849 ++ dst_reg->var_off.value, 1)) {
850 ++ verbose("R%d stack pointer arithmetic goes out of range, "
851 ++ "prohibited for !root\n", dst);
852 ++ return -EACCES;
853 ++ }
854 ++ break;
855 ++ case PTR_TO_MAP_VALUE:
856 ++ if (check_map_access(env, dst, dst_reg->off, 1)) {
857 ++ verbose("R%d pointer arithmetic of map value goes out of range, "
858 ++ "prohibited for !root\n", dst);
859 ++ return -EACCES;
860 ++ }
861 ++ break;
862 ++ default:
863 ++ break;
864 ++ }
865 ++
866 ++ return 0;
867 + }
868 +
869 + /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
870 +@@ -2163,8 +2286,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
871 + smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;
872 + u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,
873 + umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;
874 +- u32 dst = insn->dst_reg, src = insn->src_reg;
875 ++ struct bpf_sanitize_info info = {};
876 + u8 opcode = BPF_OP(insn->code);
877 ++ u32 dst = insn->dst_reg;
878 + int ret;
879 +
880 + dst_reg = &regs[dst];
881 +@@ -2180,37 +2304,26 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
882 +
883 + if (BPF_CLASS(insn->code) != BPF_ALU64) {
884 + /* 32-bit ALU ops on pointers produce (meaningless) scalars */
885 +- if (!env->allow_ptr_leaks)
886 +- verbose("R%d 32-bit pointer arithmetic prohibited\n",
887 +- dst);
888 ++ verbose("R%d 32-bit pointer arithmetic prohibited\n",
889 ++ dst);
890 + return -EACCES;
891 + }
892 +
893 + if (ptr_reg->type == PTR_TO_MAP_VALUE_OR_NULL) {
894 +- if (!env->allow_ptr_leaks)
895 +- verbose("R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n",
896 +- dst);
897 ++ verbose("R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n",
898 ++ dst);
899 + return -EACCES;
900 + }
901 + if (ptr_reg->type == CONST_PTR_TO_MAP) {
902 +- if (!env->allow_ptr_leaks)
903 +- verbose("R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n",
904 +- dst);
905 ++ verbose("R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n",
906 ++ dst);
907 + return -EACCES;
908 + }
909 + if (ptr_reg->type == PTR_TO_PACKET_END) {
910 +- if (!env->allow_ptr_leaks)
911 +- verbose("R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n",
912 +- dst);
913 ++ verbose("R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n",
914 ++ dst);
915 + return -EACCES;
916 + }
917 +- if (ptr_reg->type == PTR_TO_MAP_VALUE) {
918 +- if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
919 +- verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
920 +- off_reg == dst_reg ? dst : src);
921 +- return -EACCES;
922 +- }
923 +- }
924 +
925 + /* In case of 'scalar += pointer', dst_reg inherits pointer type and id.
926 + * The id may be overwritten later if we create a new variable offset.
927 +@@ -2222,13 +2335,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
928 + !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))
929 + return -EINVAL;
930 +
931 ++ if (sanitize_needed(opcode)) {
932 ++ ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg,
933 ++ &info, false);
934 ++ if (ret < 0)
935 ++ return sanitize_err(env, insn, ret, off_reg, dst_reg);
936 ++ }
937 ++
938 + switch (opcode) {
939 + case BPF_ADD:
940 +- ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
941 +- if (ret < 0) {
942 +- verbose("R%d tried to add from different maps, paths, or prohibited types\n", dst);
943 +- return ret;
944 +- }
945 + /* We can take a fixed offset as long as it doesn't overflow
946 + * the s32 'off' field
947 + */
948 +@@ -2279,16 +2394,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
949 + }
950 + break;
951 + case BPF_SUB:
952 +- ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
953 +- if (ret < 0) {
954 +- verbose("R%d tried to sub from different maps, paths, or prohibited types\n", dst);
955 +- return ret;
956 +- }
957 + if (dst_reg == off_reg) {
958 + /* scalar -= pointer. Creates an unknown scalar */
959 +- if (!env->allow_ptr_leaks)
960 +- verbose("R%d tried to subtract pointer from scalar\n",
961 +- dst);
962 ++ verbose("R%d tried to subtract pointer from scalar\n",
963 ++ dst);
964 + return -EACCES;
965 + }
966 + /* We don't allow subtraction from FP, because (according to
967 +@@ -2296,9 +2405,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
968 + * be able to deal with it.
969 + */
970 + if (ptr_reg->type == PTR_TO_STACK) {
971 +- if (!env->allow_ptr_leaks)
972 +- verbose("R%d subtraction from stack pointer prohibited\n",
973 +- dst);
974 ++ verbose("R%d subtraction from stack pointer prohibited\n",
975 ++ dst);
976 + return -EACCES;
977 + }
978 + if (known && (ptr_reg->off - smin_val ==
979 +@@ -2348,19 +2456,14 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
980 + case BPF_AND:
981 + case BPF_OR:
982 + case BPF_XOR:
983 +- /* bitwise ops on pointers are troublesome, prohibit for now.
984 +- * (However, in principle we could allow some cases, e.g.
985 +- * ptr &= ~3 which would reduce min_value by 3.)
986 +- */
987 +- if (!env->allow_ptr_leaks)
988 +- verbose("R%d bitwise operator %s on pointer prohibited\n",
989 +- dst, bpf_alu_string[opcode >> 4]);
990 ++ /* bitwise ops on pointers are troublesome. */
991 ++ verbose("R%d bitwise operator %s on pointer prohibited\n",
992 ++ dst, bpf_alu_string[opcode >> 4]);
993 + return -EACCES;
994 + default:
995 + /* other operators (e.g. MUL,LSH) produce non-pointer results */
996 +- if (!env->allow_ptr_leaks)
997 +- verbose("R%d pointer arithmetic with %s operator prohibited\n",
998 +- dst, bpf_alu_string[opcode >> 4]);
999 ++ verbose("R%d pointer arithmetic with %s operator prohibited\n",
1000 ++ dst, bpf_alu_string[opcode >> 4]);
1001 + return -EACCES;
1002 + }
1003 +
1004 +@@ -2371,22 +2474,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
1005 + __reg_deduce_bounds(dst_reg);
1006 + __reg_bound_offset(dst_reg);
1007 +
1008 +- /* For unprivileged we require that resulting offset must be in bounds
1009 +- * in order to be able to sanitize access later on.
1010 +- */
1011 +- if (!env->allow_ptr_leaks) {
1012 +- if (dst_reg->type == PTR_TO_MAP_VALUE &&
1013 +- check_map_access(env, dst, dst_reg->off, 1)) {
1014 +- verbose("R%d pointer arithmetic of map value goes out of range, "
1015 +- "prohibited for !root\n", dst);
1016 +- return -EACCES;
1017 +- } else if (dst_reg->type == PTR_TO_STACK &&
1018 +- check_stack_access(env, dst_reg, dst_reg->off +
1019 +- dst_reg->var_off.value, 1)) {
1020 +- verbose("R%d stack pointer arithmetic goes out of range, "
1021 +- "prohibited for !root\n", dst);
1022 +- return -EACCES;
1023 +- }
1024 ++ if (sanitize_check_bounds(env, insn, dst_reg) < 0)
1025 ++ return -EACCES;
1026 ++ if (sanitize_needed(opcode)) {
1027 ++ ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg,
1028 ++ &info, true);
1029 ++ if (ret < 0)
1030 ++ return sanitize_err(env, insn, ret, off_reg, dst_reg);
1031 + }
1032 +
1033 + return 0;
1034 +@@ -2407,7 +2501,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
1035 + s64 smin_val, smax_val;
1036 + u64 umin_val, umax_val;
1037 + u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
1038 +- u32 dst = insn->dst_reg;
1039 + int ret;
1040 +
1041 + if (insn_bitness == 32) {
1042 +@@ -2441,13 +2534,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
1043 + return 0;
1044 + }
1045 +
1046 ++ if (sanitize_needed(opcode)) {
1047 ++ ret = sanitize_val_alu(env, insn);
1048 ++ if (ret < 0)
1049 ++ return sanitize_err(env, insn, ret, NULL, NULL);
1050 ++ }
1051 ++
1052 + switch (opcode) {
1053 + case BPF_ADD:
1054 +- ret = sanitize_val_alu(env, insn);
1055 +- if (ret < 0) {
1056 +- verbose("R%d tried to add from different pointers or scalars\n", dst);
1057 +- return ret;
1058 +- }
1059 + if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
1060 + signed_add_overflows(dst_reg->smax_value, smax_val)) {
1061 + dst_reg->smin_value = S64_MIN;
1062 +@@ -2467,11 +2561,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
1063 + dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off);
1064 + break;
1065 + case BPF_SUB:
1066 +- ret = sanitize_val_alu(env, insn);
1067 +- if (ret < 0) {
1068 +- verbose("R%d tried to sub from different pointers or scalars\n", dst);
1069 +- return ret;
1070 +- }
1071 + if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
1072 + signed_sub_overflows(dst_reg->smax_value, smin_val)) {
1073 + /* Overflow possible, we know nothing */
1074 +@@ -2664,7 +2753,6 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
1075 + struct bpf_reg_state *regs = cur_regs(env), *dst_reg, *src_reg;
1076 + struct bpf_reg_state *ptr_reg = NULL, off_reg = {0};
1077 + u8 opcode = BPF_OP(insn->code);
1078 +- int rc;
1079 +
1080 + dst_reg = &regs[insn->dst_reg];
1081 + src_reg = NULL;
1082 +@@ -2675,43 +2763,29 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
1083 + if (src_reg->type != SCALAR_VALUE) {
1084 + if (dst_reg->type != SCALAR_VALUE) {
1085 + /* Combining two pointers by any ALU op yields
1086 +- * an arbitrary scalar.
1087 ++ * an arbitrary scalar. Disallow all math except
1088 ++ * pointer subtraction
1089 + */
1090 +- if (!env->allow_ptr_leaks) {
1091 +- verbose("R%d pointer %s pointer prohibited\n",
1092 +- insn->dst_reg,
1093 +- bpf_alu_string[opcode >> 4]);
1094 +- return -EACCES;
1095 ++ if (opcode == BPF_SUB && env->allow_ptr_leaks) {
1096 ++ mark_reg_unknown(regs, insn->dst_reg);
1097 ++ return 0;
1098 + }
1099 +- mark_reg_unknown(regs, insn->dst_reg);
1100 +- return 0;
1101 ++ verbose("R%d pointer %s pointer prohibited\n",
1102 ++ insn->dst_reg,
1103 ++ bpf_alu_string[opcode >> 4]);
1104 ++ return -EACCES;
1105 + } else {
1106 + /* scalar += pointer
1107 + * This is legal, but we have to reverse our
1108 + * src/dest handling in computing the range
1109 + */
1110 +- rc = adjust_ptr_min_max_vals(env, insn,
1111 +- src_reg, dst_reg);
1112 +- if (rc == -EACCES && env->allow_ptr_leaks) {
1113 +- /* scalar += unknown scalar */
1114 +- __mark_reg_unknown(&off_reg);
1115 +- return adjust_scalar_min_max_vals(
1116 +- env, insn,
1117 +- dst_reg, off_reg);
1118 +- }
1119 +- return rc;
1120 ++ return adjust_ptr_min_max_vals(env, insn,
1121 ++ src_reg, dst_reg);
1122 + }
1123 + } else if (ptr_reg) {
1124 + /* pointer += scalar */
1125 +- rc = adjust_ptr_min_max_vals(env, insn,
1126 +- dst_reg, src_reg);
1127 +- if (rc == -EACCES && env->allow_ptr_leaks) {
1128 +- /* unknown scalar += scalar */
1129 +- __mark_reg_unknown(dst_reg);
1130 +- return adjust_scalar_min_max_vals(
1131 +- env, insn, dst_reg, *src_reg);
1132 +- }
1133 +- return rc;
1134 ++ return adjust_ptr_min_max_vals(env, insn,
1135 ++ dst_reg, src_reg);
1136 + }
1137 + } else {
1138 + /* Pretend the src is a reg with a known value, since we only
1139 +@@ -2720,17 +2794,9 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
1140 + off_reg.type = SCALAR_VALUE;
1141 + __mark_reg_known(&off_reg, insn->imm);
1142 + src_reg = &off_reg;
1143 +- if (ptr_reg) { /* pointer += K */
1144 +- rc = adjust_ptr_min_max_vals(env, insn,
1145 +- ptr_reg, src_reg);
1146 +- if (rc == -EACCES && env->allow_ptr_leaks) {
1147 +- /* unknown scalar += K */
1148 +- __mark_reg_unknown(dst_reg);
1149 +- return adjust_scalar_min_max_vals(
1150 +- env, insn, dst_reg, off_reg);
1151 +- }
1152 +- return rc;
1153 +- }
1154 ++ if (ptr_reg) /* pointer += K */
1155 ++ return adjust_ptr_min_max_vals(env, insn,
1156 ++ ptr_reg, src_reg);
1157 + }
1158 +
1159 + /* Got here implies adding two SCALAR_VALUEs */
1160 +@@ -4796,7 +4862,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
1161 + const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X;
1162 + struct bpf_insn insn_buf[16];
1163 + struct bpf_insn *patch = &insn_buf[0];
1164 +- bool issrc, isneg;
1165 ++ bool issrc, isneg, isimm;
1166 + u32 off_reg;
1167 +
1168 + aux = &env->insn_aux_data[i + delta];
1169 +@@ -4807,16 +4873,21 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
1170 + isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
1171 + issrc = (aux->alu_state & BPF_ALU_SANITIZE) ==
1172 + BPF_ALU_SANITIZE_SRC;
1173 ++ isimm = aux->alu_state & BPF_ALU_IMMEDIATE;
1174 +
1175 + off_reg = issrc ? insn->src_reg : insn->dst_reg;
1176 +- if (isneg)
1177 +- *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
1178 +- *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit);
1179 +- *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
1180 +- *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
1181 +- *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
1182 +- *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
1183 +- *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg);
1184 ++ if (isimm) {
1185 ++ *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit);
1186 ++ } else {
1187 ++ if (isneg)
1188 ++ *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
1189 ++ *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit);
1190 ++ *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
1191 ++ *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
1192 ++ *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
1193 ++ *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
1194 ++ *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg);
1195 ++ }
1196 + if (!issrc)
1197 + *patch++ = BPF_MOV64_REG(insn->dst_reg, insn->src_reg);
1198 + insn->src_reg = BPF_REG_AX;
1199 +@@ -4824,7 +4895,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
1200 + insn->code = insn->code == code_add ?
1201 + code_sub : code_add;
1202 + *patch++ = *insn;
1203 +- if (issrc && isneg)
1204 ++ if (issrc && isneg && !isimm)
1205 + *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
1206 + cnt = patch - insn_buf;
1207 +
1208 +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
1209 +index 81096dd0ca0c5..37ac76dce9089 100644
1210 +--- a/kernel/sched/fair.c
1211 ++++ b/kernel/sched/fair.c
1212 +@@ -5779,6 +5779,7 @@ static inline int select_idle_smt(struct task_struct *p, struct sched_domain *sd
1213 + */
1214 + static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, int target)
1215 + {
1216 ++ struct cpumask *cpus = this_cpu_cpumask_var_ptr(select_idle_mask);
1217 + struct sched_domain *this_sd;
1218 + u64 avg_cost, avg_idle;
1219 + u64 time, cost;
1220 +@@ -5809,11 +5810,11 @@ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, int t
1221 +
1222 + time = local_clock();
1223 +
1224 +- for_each_cpu_wrap(cpu, sched_domain_span(sd), target) {
1225 ++ cpumask_and(cpus, sched_domain_span(sd), &p->cpus_allowed);
1226 ++
1227 ++ for_each_cpu_wrap(cpu, cpus, target) {
1228 + if (!--nr)
1229 + return -1;
1230 +- if (!cpumask_test_cpu(cpu, &p->cpus_allowed))
1231 +- continue;
1232 + if (idle_cpu(cpu))
1233 + break;
1234 + }
1235 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
1236 +index e59e0f7ed5620..0dc181290d1fb 100644
1237 +--- a/mm/hugetlb.c
1238 ++++ b/mm/hugetlb.c
1239 +@@ -4099,10 +4099,20 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm,
1240 + struct page *page;
1241 +
1242 + if (!*pagep) {
1243 +- ret = -ENOMEM;
1244 ++ /* If a page already exists, then it's UFFDIO_COPY for
1245 ++ * a non-missing case. Return -EEXIST.
1246 ++ */
1247 ++ if (vm_shared &&
1248 ++ hugetlbfs_pagecache_present(h, dst_vma, dst_addr)) {
1249 ++ ret = -EEXIST;
1250 ++ goto out;
1251 ++ }
1252 ++
1253 + page = alloc_huge_page(dst_vma, dst_addr, 0);
1254 +- if (IS_ERR(page))
1255 ++ if (IS_ERR(page)) {
1256 ++ ret = -ENOMEM;
1257 + goto out;
1258 ++ }
1259 +
1260 + ret = copy_huge_page_from_user(page,
1261 + (const void __user *) src_addr,
1262 +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
1263 +index bf1263c1bc766..ba5c899d1edfa 100644
1264 +--- a/net/bluetooth/hci_core.c
1265 ++++ b/net/bluetooth/hci_core.c
1266 +@@ -1458,8 +1458,13 @@ static int hci_dev_do_open(struct hci_dev *hdev)
1267 + } else {
1268 + /* Init failed, cleanup */
1269 + flush_work(&hdev->tx_work);
1270 +- flush_work(&hdev->cmd_work);
1271 ++
1272 ++ /* Since hci_rx_work() is possible to awake new cmd_work
1273 ++ * it should be flushed first to avoid unexpected call of
1274 ++ * hci_cmd_work()
1275 ++ */
1276 + flush_work(&hdev->rx_work);
1277 ++ flush_work(&hdev->cmd_work);
1278 +
1279 + skb_queue_purge(&hdev->cmd_q);
1280 + skb_queue_purge(&hdev->rx_q);
1281 +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
1282 +index 93093d7c38240..120064e9cb2be 100644
1283 +--- a/net/bluetooth/hci_sock.c
1284 ++++ b/net/bluetooth/hci_sock.c
1285 +@@ -750,7 +750,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
1286 + /* Detach sockets from device */
1287 + read_lock(&hci_sk_list.lock);
1288 + sk_for_each(sk, &hci_sk_list.head) {
1289 +- bh_lock_sock_nested(sk);
1290 ++ lock_sock(sk);
1291 + if (hci_pi(sk)->hdev == hdev) {
1292 + hci_pi(sk)->hdev = NULL;
1293 + sk->sk_err = EPIPE;
1294 +@@ -759,7 +759,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
1295 +
1296 + hci_dev_put(hdev);
1297 + }
1298 +- bh_unlock_sock(sk);
1299 ++ release_sock(sk);
1300 + }
1301 + read_unlock(&hci_sk_list.lock);
1302 + }
1303 +diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
1304 +index 98b62a7990aa2..e1f9c9537e0f5 100644
1305 +--- a/net/caif/caif_dev.c
1306 ++++ b/net/caif/caif_dev.c
1307 +@@ -303,7 +303,7 @@ static void dev_flowctrl(struct net_device *dev, int on)
1308 + caifd_put(caifd);
1309 + }
1310 +
1311 +-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
1312 ++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
1313 + struct cflayer *link_support, int head_room,
1314 + struct cflayer **layer,
1315 + int (**rcv_func)(struct sk_buff *, struct net_device *,
1316 +@@ -314,11 +314,12 @@ void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
1317 + enum cfcnfg_phy_preference pref;
1318 + struct cfcnfg *cfg = get_cfcnfg(dev_net(dev));
1319 + struct caif_device_entry_list *caifdevs;
1320 ++ int res;
1321 +
1322 + caifdevs = caif_device_list(dev_net(dev));
1323 + caifd = caif_device_alloc(dev);
1324 + if (!caifd)
1325 +- return;
1326 ++ return -ENOMEM;
1327 + *layer = &caifd->layer;
1328 + spin_lock_init(&caifd->flow_lock);
1329 +
1330 +@@ -340,7 +341,7 @@ void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
1331 + sizeof(caifd->layer.name) - 1);
1332 + caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0;
1333 + caifd->layer.transmit = transmit;
1334 +- cfcnfg_add_phy_layer(cfg,
1335 ++ res = cfcnfg_add_phy_layer(cfg,
1336 + dev,
1337 + &caifd->layer,
1338 + pref,
1339 +@@ -350,6 +351,7 @@ void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
1340 + mutex_unlock(&caifdevs->lock);
1341 + if (rcv_func)
1342 + *rcv_func = receive;
1343 ++ return res;
1344 + }
1345 + EXPORT_SYMBOL(caif_enroll_dev);
1346 +
1347 +@@ -364,6 +366,7 @@ static int caif_device_notify(struct notifier_block *me, unsigned long what,
1348 + struct cflayer *layer, *link_support;
1349 + int head_room = 0;
1350 + struct caif_device_entry_list *caifdevs;
1351 ++ int res;
1352 +
1353 + cfg = get_cfcnfg(dev_net(dev));
1354 + caifdevs = caif_device_list(dev_net(dev));
1355 +@@ -389,8 +392,10 @@ static int caif_device_notify(struct notifier_block *me, unsigned long what,
1356 + break;
1357 + }
1358 + }
1359 +- caif_enroll_dev(dev, caifdev, link_support, head_room,
1360 ++ res = caif_enroll_dev(dev, caifdev, link_support, head_room,
1361 + &layer, NULL);
1362 ++ if (res)
1363 ++ cfserl_release(link_support);
1364 + caifdev->flowctrl = dev_flowctrl;
1365 + break;
1366 +
1367 +diff --git a/net/caif/caif_usb.c b/net/caif/caif_usb.c
1368 +index 5cd44f001f647..485dde566c1a9 100644
1369 +--- a/net/caif/caif_usb.c
1370 ++++ b/net/caif/caif_usb.c
1371 +@@ -116,6 +116,11 @@ static struct cflayer *cfusbl_create(int phyid, u8 ethaddr[ETH_ALEN],
1372 + return (struct cflayer *) this;
1373 + }
1374 +
1375 ++static void cfusbl_release(struct cflayer *layer)
1376 ++{
1377 ++ kfree(layer);
1378 ++}
1379 ++
1380 + static struct packet_type caif_usb_type __read_mostly = {
1381 + .type = cpu_to_be16(ETH_P_802_EX1),
1382 + };
1383 +@@ -128,6 +133,7 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what,
1384 + struct cflayer *layer, *link_support;
1385 + struct usbnet *usbnet;
1386 + struct usb_device *usbdev;
1387 ++ int res;
1388 +
1389 + /* Check whether we have a NCM device, and find its VID/PID. */
1390 + if (!(dev->dev.parent && dev->dev.parent->driver &&
1391 +@@ -170,8 +176,11 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what,
1392 + if (dev->num_tx_queues > 1)
1393 + pr_warn("USB device uses more than one tx queue\n");
1394 +
1395 +- caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN,
1396 ++ res = caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN,
1397 + &layer, &caif_usb_type.func);
1398 ++ if (res)
1399 ++ goto err;
1400 ++
1401 + if (!pack_added)
1402 + dev_add_pack(&caif_usb_type);
1403 + pack_added = true;
1404 +@@ -181,6 +190,9 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what,
1405 + layer->name[sizeof(layer->name) - 1] = 0;
1406 +
1407 + return 0;
1408 ++err:
1409 ++ cfusbl_release(link_support);
1410 ++ return res;
1411 + }
1412 +
1413 + static struct notifier_block caif_device_notifier = {
1414 +diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
1415 +index 273cb07f57d87..2e4aea9f00ef9 100644
1416 +--- a/net/caif/cfcnfg.c
1417 ++++ b/net/caif/cfcnfg.c
1418 +@@ -452,7 +452,7 @@ unlock:
1419 + rcu_read_unlock();
1420 + }
1421 +
1422 +-void
1423 ++int
1424 + cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
1425 + struct net_device *dev, struct cflayer *phy_layer,
1426 + enum cfcnfg_phy_preference pref,
1427 +@@ -461,7 +461,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
1428 + {
1429 + struct cflayer *frml;
1430 + struct cfcnfg_phyinfo *phyinfo = NULL;
1431 +- int i;
1432 ++ int i, res = 0;
1433 + u8 phyid;
1434 +
1435 + mutex_lock(&cnfg->lock);
1436 +@@ -475,12 +475,15 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
1437 + goto got_phyid;
1438 + }
1439 + pr_warn("Too many CAIF Link Layers (max 6)\n");
1440 ++ res = -EEXIST;
1441 + goto out;
1442 +
1443 + got_phyid:
1444 + phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC);
1445 +- if (!phyinfo)
1446 ++ if (!phyinfo) {
1447 ++ res = -ENOMEM;
1448 + goto out_err;
1449 ++ }
1450 +
1451 + phy_layer->id = phyid;
1452 + phyinfo->pref = pref;
1453 +@@ -494,8 +497,10 @@ got_phyid:
1454 +
1455 + frml = cffrml_create(phyid, fcs);
1456 +
1457 +- if (!frml)
1458 ++ if (!frml) {
1459 ++ res = -ENOMEM;
1460 + goto out_err;
1461 ++ }
1462 + phyinfo->frm_layer = frml;
1463 + layer_set_up(frml, cnfg->mux);
1464 +
1465 +@@ -513,11 +518,12 @@ got_phyid:
1466 + list_add_rcu(&phyinfo->node, &cnfg->phys);
1467 + out:
1468 + mutex_unlock(&cnfg->lock);
1469 +- return;
1470 ++ return res;
1471 +
1472 + out_err:
1473 + kfree(phyinfo);
1474 + mutex_unlock(&cnfg->lock);
1475 ++ return res;
1476 + }
1477 + EXPORT_SYMBOL(cfcnfg_add_phy_layer);
1478 +
1479 +diff --git a/net/caif/cfserl.c b/net/caif/cfserl.c
1480 +index ce60f06d76de3..af1e1e36dc90a 100644
1481 +--- a/net/caif/cfserl.c
1482 ++++ b/net/caif/cfserl.c
1483 +@@ -31,6 +31,11 @@ static int cfserl_transmit(struct cflayer *layr, struct cfpkt *pkt);
1484 + static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
1485 + int phyid);
1486 +
1487 ++void cfserl_release(struct cflayer *layer)
1488 ++{
1489 ++ kfree(layer);
1490 ++}
1491 ++
1492 + struct cflayer *cfserl_create(int instance, bool use_stx)
1493 + {
1494 + struct cfserl *this = kzalloc(sizeof(struct cfserl), GFP_ATOMIC);
1495 +diff --git a/net/ieee802154/nl-mac.c b/net/ieee802154/nl-mac.c
1496 +index c0930b9fe848b..7531cb1665d2b 100644
1497 +--- a/net/ieee802154/nl-mac.c
1498 ++++ b/net/ieee802154/nl-mac.c
1499 +@@ -688,8 +688,10 @@ int ieee802154_llsec_getparams(struct sk_buff *skb, struct genl_info *info)
1500 + nla_put_u8(msg, IEEE802154_ATTR_LLSEC_SECLEVEL, params.out_level) ||
1501 + nla_put_u32(msg, IEEE802154_ATTR_LLSEC_FRAME_COUNTER,
1502 + be32_to_cpu(params.frame_counter)) ||
1503 +- ieee802154_llsec_fill_key_id(msg, &params.out_key))
1504 ++ ieee802154_llsec_fill_key_id(msg, &params.out_key)) {
1505 ++ rc = -ENOBUFS;
1506 + goto out_free;
1507 ++ }
1508 +
1509 + dev_put(dev);
1510 +
1511 +diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c
1512 +index dc2960be51e0a..6a7fe415d5f44 100644
1513 +--- a/net/ieee802154/nl-phy.c
1514 ++++ b/net/ieee802154/nl-phy.c
1515 +@@ -249,8 +249,10 @@ int ieee802154_add_iface(struct sk_buff *skb, struct genl_info *info)
1516 + }
1517 +
1518 + if (nla_put_string(msg, IEEE802154_ATTR_PHY_NAME, wpan_phy_name(phy)) ||
1519 +- nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name))
1520 ++ nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) {
1521 ++ rc = -EMSGSIZE;
1522 + goto nla_put_failure;
1523 ++ }
1524 + dev_put(dev);
1525 +
1526 + wpan_phy_put(phy);
1527 +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
1528 +index c1672ff009637..eea0144aada7a 100644
1529 +--- a/net/netfilter/ipvs/ip_vs_ctl.c
1530 ++++ b/net/netfilter/ipvs/ip_vs_ctl.c
1531 +@@ -1262,7 +1262,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
1532 + ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
1533 + svc->port = u->port;
1534 + svc->fwmark = u->fwmark;
1535 +- svc->flags = u->flags;
1536 ++ svc->flags = u->flags & ~IP_VS_SVC_F_HASHED;
1537 + svc->timeout = u->timeout * HZ;
1538 + svc->netmask = u->netmask;
1539 + svc->ipvs = ipvs;
1540 +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
1541 +index dfe4e6787219c..2ebeb615db157 100644
1542 +--- a/net/netfilter/nfnetlink_cthelper.c
1543 ++++ b/net/netfilter/nfnetlink_cthelper.c
1544 +@@ -370,10 +370,14 @@ static int
1545 + nfnl_cthelper_update(const struct nlattr * const tb[],
1546 + struct nf_conntrack_helper *helper)
1547 + {
1548 ++ u32 size;
1549 + int ret;
1550 +
1551 +- if (tb[NFCTH_PRIV_DATA_LEN])
1552 +- return -EBUSY;
1553 ++ if (tb[NFCTH_PRIV_DATA_LEN]) {
1554 ++ size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
1555 ++ if (size != helper->data_len)
1556 ++ return -EBUSY;
1557 ++ }
1558 +
1559 + if (tb[NFCTH_POLICY]) {
1560 + ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
1561 +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
1562 +index 76f47b9112214..02aebc3187632 100644
1563 +--- a/net/nfc/llcp_sock.c
1564 ++++ b/net/nfc/llcp_sock.c
1565 +@@ -122,6 +122,7 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1566 + if (!llcp_sock->service_name) {
1567 + nfc_llcp_local_put(llcp_sock->local);
1568 + llcp_sock->local = NULL;
1569 ++ llcp_sock->dev = NULL;
1570 + ret = -ENOMEM;
1571 + goto put_dev;
1572 + }
1573 +@@ -131,6 +132,7 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1574 + llcp_sock->local = NULL;
1575 + kfree(llcp_sock->service_name);
1576 + llcp_sock->service_name = NULL;
1577 ++ llcp_sock->dev = NULL;
1578 + ret = -EADDRINUSE;
1579 + goto put_dev;
1580 + }
1581 +diff --git a/sound/core/timer.c b/sound/core/timer.c
1582 +index 22589a073423b..eb31c13c8ed0d 100644
1583 +--- a/sound/core/timer.c
1584 ++++ b/sound/core/timer.c
1585 +@@ -490,9 +490,10 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event)
1586 + return;
1587 + if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
1588 + return;
1589 ++ event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */
1590 + list_for_each_entry(ts, &ti->slave_active_head, active_list)
1591 + if (ts->ccallback)
1592 +- ts->ccallback(ts, event + 100, &tstamp, resolution);
1593 ++ ts->ccallback(ts, event, &tstamp, resolution);
1594 + }
1595 +
1596 + /* start/continue a master timer */
1597 +diff --git a/tools/testing/selftests/bpf/test_align.c b/tools/testing/selftests/bpf/test_align.c
1598 +index 8591c89c0828a..5d530c90779e5 100644
1599 +--- a/tools/testing/selftests/bpf/test_align.c
1600 ++++ b/tools/testing/selftests/bpf/test_align.c
1601 +@@ -446,11 +446,9 @@ static struct bpf_align_test tests[] = {
1602 + .insns = {
1603 + PREP_PKT_POINTERS,
1604 + BPF_MOV64_IMM(BPF_REG_0, 0),
1605 +- /* ptr & const => unknown & const */
1606 +- BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
1607 +- BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 0x40),
1608 +- /* ptr << const => unknown << const */
1609 +- BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
1610 ++ /* (ptr - ptr) << 2 */
1611 ++ BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
1612 ++ BPF_ALU64_REG(BPF_SUB, BPF_REG_5, BPF_REG_2),
1613 + BPF_ALU64_IMM(BPF_LSH, BPF_REG_5, 2),
1614 + /* We have a (4n) value. Let's make a packet offset
1615 + * out of it. First add 14, to make it a (4n+2)
1616 +@@ -473,20 +471,18 @@ static struct bpf_align_test tests[] = {
1617 + .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1618 + .result = REJECT,
1619 + .matches = {
1620 +- {4, "R5=pkt(id=0,off=0,r=0,imm=0)"},
1621 +- /* ptr & 0x40 == either 0 or 0x40 */
1622 +- {5, "R5=inv(id=0,umax_value=64,var_off=(0x0; 0x40))"},
1623 +- /* ptr << 2 == unknown, (4n) */
1624 +- {7, "R5=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"},
1625 ++ {4, "R5=pkt_end(id=0,off=0,imm=0)"},
1626 ++ /* (ptr - ptr) << 2 == unknown, (4n) */
1627 ++ {6, "R5=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"},
1628 + /* (4n) + 14 == (4n+2). We blow our bounds, because
1629 + * the add could overflow.
1630 + */
1631 +- {8, "R5=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"},
1632 ++ {7, "R5=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"},
1633 + /* Checked s>=0 */
1634 +- {10, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
1635 ++ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
1636 + /* packet pointer + nonnegative (4n+2) */
1637 +- {12, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
1638 +- {14, "R4=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
1639 ++ {11, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
1640 ++ {13, "R4=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
1641 + /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine.
1642 + * We checked the bounds, but it might have been able
1643 + * to overflow if the packet pointer started in the
1644 +@@ -494,7 +490,7 @@ static struct bpf_align_test tests[] = {
1645 + * So we did not get a 'range' on R6, and the access
1646 + * attempt will fail.
1647 + */
1648 +- {16, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
1649 ++ {15, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
1650 + }
1651 + },
1652 + {
1653 +diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
1654 +index 9f7fc30d247d1..d4f611546fc0b 100644
1655 +--- a/tools/testing/selftests/bpf/test_verifier.c
1656 ++++ b/tools/testing/selftests/bpf/test_verifier.c
1657 +@@ -462,9 +462,7 @@ static struct bpf_test tests[] = {
1658 + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
1659 + BPF_EXIT_INSN(),
1660 + },
1661 +- .errstr_unpriv = "R1 subtraction from stack pointer",
1662 +- .result_unpriv = REJECT,
1663 +- .errstr = "R1 invalid mem access",
1664 ++ .errstr = "R1 subtraction from stack pointer",
1665 + .result = REJECT,
1666 + },
1667 + {
1668 +@@ -1900,9 +1898,8 @@ static struct bpf_test tests[] = {
1669 + BPF_MOV64_IMM(BPF_REG_0, 0),
1670 + BPF_EXIT_INSN(),
1671 + },
1672 +- .result = ACCEPT,
1673 +- .result_unpriv = REJECT,
1674 +- .errstr_unpriv = "R1 pointer += pointer",
1675 ++ .result = REJECT,
1676 ++ .errstr = "R1 pointer += pointer",
1677 + },
1678 + {
1679 + "unpriv: neg pointer",
1680 +@@ -2235,7 +2232,7 @@ static struct bpf_test tests[] = {
1681 + .result = ACCEPT,
1682 + },
1683 + {
1684 +- "unpriv: adding of fp",
1685 ++ "unpriv: adding of fp, reg",
1686 + .insns = {
1687 + BPF_MOV64_IMM(BPF_REG_0, 0),
1688 + BPF_MOV64_IMM(BPF_REG_1, 0),
1689 +@@ -2243,9 +2240,22 @@ static struct bpf_test tests[] = {
1690 + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
1691 + BPF_EXIT_INSN(),
1692 + },
1693 +- .result = ACCEPT,
1694 ++ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
1695 + .result_unpriv = REJECT,
1696 ++ .result = ACCEPT,
1697 ++ },
1698 ++ {
1699 ++ "unpriv: adding of fp, imm",
1700 ++ .insns = {
1701 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1702 ++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1703 ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
1704 ++ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
1705 ++ BPF_EXIT_INSN(),
1706 ++ },
1707 + .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
1708 ++ .result_unpriv = REJECT,
1709 ++ .result = ACCEPT,
1710 + },
1711 + {
1712 + "unpriv: cmp of stack pointer",
1713 +@@ -2681,7 +2691,8 @@ static struct bpf_test tests[] = {
1714 + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1715 + offsetof(struct __sk_buff, data)),
1716 + BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
1717 +- BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
1718 ++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1719 ++ offsetof(struct __sk_buff, len)),
1720 + BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
1721 + BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
1722 + BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
1723 +@@ -2988,7 +2999,7 @@ static struct bpf_test tests[] = {
1724 + BPF_MOV64_IMM(BPF_REG_0, 0),
1725 + BPF_EXIT_INSN(),
1726 + },
1727 +- .errstr = "invalid access to packet",
1728 ++ .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
1729 + .result = REJECT,
1730 + .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1731 + },
1732 +@@ -3975,9 +3986,7 @@ static struct bpf_test tests[] = {
1733 + BPF_EXIT_INSN(),
1734 + },
1735 + .fixup_map2 = { 3, 11 },
1736 +- .errstr_unpriv = "R0 pointer += pointer",
1737 +- .errstr = "R0 invalid mem access 'inv'",
1738 +- .result_unpriv = REJECT,
1739 ++ .errstr = "R0 pointer += pointer",
1740 + .result = REJECT,
1741 + .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1742 + },
1743 +@@ -4018,7 +4027,7 @@ static struct bpf_test tests[] = {
1744 + BPF_EXIT_INSN(),
1745 + },
1746 + .fixup_map1 = { 4 },
1747 +- .errstr = "R4 invalid mem access",
1748 ++ .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
1749 + .result = REJECT,
1750 + .prog_type = BPF_PROG_TYPE_SCHED_CLS
1751 + },
1752 +@@ -4039,7 +4048,7 @@ static struct bpf_test tests[] = {
1753 + BPF_EXIT_INSN(),
1754 + },
1755 + .fixup_map1 = { 4 },
1756 +- .errstr = "R4 invalid mem access",
1757 ++ .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
1758 + .result = REJECT,
1759 + .prog_type = BPF_PROG_TYPE_SCHED_CLS
1760 + },
1761 +@@ -4060,7 +4069,7 @@ static struct bpf_test tests[] = {
1762 + BPF_EXIT_INSN(),
1763 + },
1764 + .fixup_map1 = { 4 },
1765 +- .errstr = "R4 invalid mem access",
1766 ++ .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
1767 + .result = REJECT,
1768 + .prog_type = BPF_PROG_TYPE_SCHED_CLS
1769 + },
1770 +@@ -5291,10 +5300,8 @@ static struct bpf_test tests[] = {
1771 + BPF_EXIT_INSN(),
1772 + },
1773 + .fixup_map2 = { 3 },
1774 +- .errstr_unpriv = "R0 bitwise operator &= on pointer",
1775 +- .errstr = "invalid mem access 'inv'",
1776 ++ .errstr = "R0 bitwise operator &= on pointer",
1777 + .result = REJECT,
1778 +- .result_unpriv = REJECT,
1779 + },
1780 + {
1781 + "map element value illegal alu op, 2",
1782 +@@ -5310,10 +5317,8 @@ static struct bpf_test tests[] = {
1783 + BPF_EXIT_INSN(),
1784 + },
1785 + .fixup_map2 = { 3 },
1786 +- .errstr_unpriv = "R0 32-bit pointer arithmetic prohibited",
1787 +- .errstr = "invalid mem access 'inv'",
1788 ++ .errstr = "R0 32-bit pointer arithmetic prohibited",
1789 + .result = REJECT,
1790 +- .result_unpriv = REJECT,
1791 + },
1792 + {
1793 + "map element value illegal alu op, 3",
1794 +@@ -5329,10 +5334,8 @@ static struct bpf_test tests[] = {
1795 + BPF_EXIT_INSN(),
1796 + },
1797 + .fixup_map2 = { 3 },
1798 +- .errstr_unpriv = "R0 pointer arithmetic with /= operator",
1799 +- .errstr = "invalid mem access 'inv'",
1800 ++ .errstr = "R0 pointer arithmetic with /= operator",
1801 + .result = REJECT,
1802 +- .result_unpriv = REJECT,
1803 + },
1804 + {
1805 + "map element value illegal alu op, 4",
1806 +@@ -5925,8 +5928,7 @@ static struct bpf_test tests[] = {
1807 + BPF_EXIT_INSN(),
1808 + },
1809 + .fixup_map_in_map = { 3 },
1810 +- .errstr = "R1 type=inv expected=map_ptr",
1811 +- .errstr_unpriv = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
1812 ++ .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
1813 + .result = REJECT,
1814 + },
1815 + {
1816 +@@ -6207,7 +6209,6 @@ static struct bpf_test tests[] = {
1817 + },
1818 + .fixup_map1 = { 3 },
1819 + .errstr = "unbounded min value",
1820 +- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
1821 + .result = REJECT,
1822 + },
1823 + {
1824 +@@ -6232,7 +6233,6 @@ static struct bpf_test tests[] = {
1825 + },
1826 + .fixup_map1 = { 3 },
1827 + .errstr = "unbounded min value",
1828 +- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
1829 + .result = REJECT,
1830 + },
1831 + {
1832 +@@ -6259,7 +6259,6 @@ static struct bpf_test tests[] = {
1833 + },
1834 + .fixup_map1 = { 3 },
1835 + .errstr = "unbounded min value",
1836 +- .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
1837 + .result = REJECT,
1838 + },
1839 + {
1840 +@@ -6285,7 +6284,6 @@ static struct bpf_test tests[] = {
1841 + },
1842 + .fixup_map1 = { 3 },
1843 + .errstr = "unbounded min value",
1844 +- .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
1845 + .result = REJECT,
1846 + },
1847 + {
1848 +@@ -6334,7 +6332,6 @@ static struct bpf_test tests[] = {
1849 + },
1850 + .fixup_map1 = { 3 },
1851 + .errstr = "unbounded min value",
1852 +- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
1853 + .result = REJECT,
1854 + },
1855 + {
1856 +@@ -6406,7 +6403,6 @@ static struct bpf_test tests[] = {
1857 + },
1858 + .fixup_map1 = { 3 },
1859 + .errstr = "unbounded min value",
1860 +- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
1861 + .result = REJECT,
1862 + },
1863 + {
1864 +@@ -6458,7 +6454,6 @@ static struct bpf_test tests[] = {
1865 + },
1866 + .fixup_map1 = { 3 },
1867 + .errstr = "unbounded min value",
1868 +- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
1869 + .result = REJECT,
1870 + },
1871 + {
1872 +@@ -6486,7 +6481,6 @@ static struct bpf_test tests[] = {
1873 + },
1874 + .fixup_map1 = { 3 },
1875 + .errstr = "unbounded min value",
1876 +- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
1877 + .result = REJECT,
1878 + },
1879 + {
1880 +@@ -6513,7 +6507,6 @@ static struct bpf_test tests[] = {
1881 + },
1882 + .fixup_map1 = { 3 },
1883 + .errstr = "unbounded min value",
1884 +- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
1885 + .result = REJECT,
1886 + },
1887 + {
1888 +@@ -6543,7 +6536,6 @@ static struct bpf_test tests[] = {
1889 + },
1890 + .fixup_map1 = { 3 },
1891 + .errstr = "unbounded min value",
1892 +- .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
1893 + .result = REJECT,
1894 + },
1895 + {
1896 +@@ -6602,7 +6594,6 @@ static struct bpf_test tests[] = {
1897 + },
1898 + .fixup_map1 = { 3 },
1899 + .errstr = "unbounded min value",
1900 +- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
1901 + .result = REJECT,
1902 + .result_unpriv = REJECT,
1903 + },
1904 +@@ -7297,6 +7288,19 @@ static struct bpf_test tests[] = {
1905 + .result = REJECT,
1906 + .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1907 + },
1908 ++ {
1909 ++ "pkt_end - pkt_start is allowed",
1910 ++ .insns = {
1911 ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1912 ++ offsetof(struct __sk_buff, data_end)),
1913 ++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1914 ++ offsetof(struct __sk_buff, data)),
1915 ++ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
1916 ++ BPF_EXIT_INSN(),
1917 ++ },
1918 ++ .result = ACCEPT,
1919 ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1920 ++ },
1921 + {
1922 + "XDP pkt read, pkt_end mangling, bad access 1",
1923 + .insns = {
1924 +@@ -7312,7 +7316,7 @@ static struct bpf_test tests[] = {
1925 + BPF_MOV64_IMM(BPF_REG_0, 0),
1926 + BPF_EXIT_INSN(),
1927 + },
1928 +- .errstr = "R1 offset is outside of the packet",
1929 ++ .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
1930 + .result = REJECT,
1931 + .prog_type = BPF_PROG_TYPE_XDP,
1932 + },
1933 +@@ -7331,7 +7335,7 @@ static struct bpf_test tests[] = {
1934 + BPF_MOV64_IMM(BPF_REG_0, 0),
1935 + BPF_EXIT_INSN(),
1936 + },
1937 +- .errstr = "R1 offset is outside of the packet",
1938 ++ .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
1939 + .result = REJECT,
1940 + .prog_type = BPF_PROG_TYPE_XDP,
1941 + },
1942 +@@ -7766,8 +7770,9 @@ static struct bpf_test tests[] = {
1943 + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
1944 + BPF_EXIT_INSN(),
1945 + },
1946 +- .result = REJECT,
1947 ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation",
1948 + .errstr = "R0 tried to subtract pointer from scalar",
1949 ++ .result = REJECT,
1950 + },
1951 + {
1952 + "check deducing bounds from const, 2",
1953 +@@ -7780,6 +7785,8 @@ static struct bpf_test tests[] = {
1954 + BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
1955 + BPF_EXIT_INSN(),
1956 + },
1957 ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation",
1958 ++ .result_unpriv = REJECT,
1959 + .result = ACCEPT,
1960 + },
1961 + {
1962 +@@ -7790,20 +7797,24 @@ static struct bpf_test tests[] = {
1963 + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
1964 + BPF_EXIT_INSN(),
1965 + },
1966 +- .result = REJECT,
1967 ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation",
1968 + .errstr = "R0 tried to subtract pointer from scalar",
1969 ++ .result = REJECT,
1970 + },
1971 + {
1972 + "check deducing bounds from const, 4",
1973 + .insns = {
1974 ++ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1975 + BPF_MOV64_IMM(BPF_REG_0, 0),
1976 + BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
1977 + BPF_EXIT_INSN(),
1978 + BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
1979 + BPF_EXIT_INSN(),
1980 +- BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
1981 ++ BPF_ALU64_REG(BPF_SUB, BPF_REG_6, BPF_REG_0),
1982 + BPF_EXIT_INSN(),
1983 + },
1984 ++ .errstr_unpriv = "R6 has pointer with unsupported alu operation",
1985 ++ .result_unpriv = REJECT,
1986 + .result = ACCEPT,
1987 + },
1988 + {
1989 +@@ -7814,8 +7825,9 @@ static struct bpf_test tests[] = {
1990 + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
1991 + BPF_EXIT_INSN(),
1992 + },
1993 +- .result = REJECT,
1994 ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation",
1995 + .errstr = "R0 tried to subtract pointer from scalar",
1996 ++ .result = REJECT,
1997 + },
1998 + {
1999 + "check deducing bounds from const, 6",
2000 +@@ -7826,8 +7838,9 @@ static struct bpf_test tests[] = {
2001 + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
2002 + BPF_EXIT_INSN(),
2003 + },
2004 +- .result = REJECT,
2005 ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation",
2006 + .errstr = "R0 tried to subtract pointer from scalar",
2007 ++ .result = REJECT,
2008 + },
2009 + {
2010 + "check deducing bounds from const, 7",
2011 +@@ -7839,8 +7852,9 @@ static struct bpf_test tests[] = {
2012 + offsetof(struct __sk_buff, mark)),
2013 + BPF_EXIT_INSN(),
2014 + },
2015 +- .result = REJECT,
2016 ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation",
2017 + .errstr = "dereference of modified ctx ptr",
2018 ++ .result = REJECT,
2019 + },
2020 + {
2021 + "check deducing bounds from const, 8",
2022 +@@ -7852,8 +7866,9 @@ static struct bpf_test tests[] = {
2023 + offsetof(struct __sk_buff, mark)),
2024 + BPF_EXIT_INSN(),
2025 + },
2026 +- .result = REJECT,
2027 ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation",
2028 + .errstr = "dereference of modified ctx ptr",
2029 ++ .result = REJECT,
2030 + },
2031 + {
2032 + "check deducing bounds from const, 9",
2033 +@@ -7863,8 +7878,9 @@ static struct bpf_test tests[] = {
2034 + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
2035 + BPF_EXIT_INSN(),
2036 + },
2037 +- .result = REJECT,
2038 ++ .errstr_unpriv = "R1 has pointer with unsupported alu operation",
2039 + .errstr = "R0 tried to subtract pointer from scalar",
2040 ++ .result = REJECT,
2041 + },
2042 + {
2043 + "check deducing bounds from const, 10",
2044 +@@ -7876,8 +7892,8 @@ static struct bpf_test tests[] = {
2045 + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
2046 + BPF_EXIT_INSN(),
2047 + },
2048 +- .result = REJECT,
2049 + .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
2050 ++ .result = REJECT,
2051 + },
2052 + {
2053 + "XDP pkt read, pkt_end <= pkt_data', bad access 2",
Report Message
Find on MARC Find on Google Groups