Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.6 commit in: /
Date: Fri, 24 Jun 2016 20:41:57
Message-Id: 1466800899.a36656eef665f797c9827b7866e5c9894656770c.mpagano@gentoo
1 commit: a36656eef665f797c9827b7866e5c9894656770c
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Fri Jun 24 20:41:39 2016 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Fri Jun 24 20:41:39 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=a36656ee
7
8 Linux patch 4.6.3
9
10 0000_README | 4 +
11 1002_linux-4.6.3.patch | 4713 ++++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 4717 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 61071b1..8feba45 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -51,6 +51,10 @@ Patch: 1001_linux-4.6.2.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.6.2
21
22 +Patch: 1002_linux-4.6.3.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.6.3
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1002_linux-4.6.3.patch b/1002_linux-4.6.3.patch
31 new file mode 100644
32 index 0000000..e81ef72
33 --- /dev/null
34 +++ b/1002_linux-4.6.3.patch
35 @@ -0,0 +1,4713 @@
36 +diff --git a/Makefile b/Makefile
37 +index 93068c2d0656..c62b531d5a85 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 4
42 + PATCHLEVEL = 6
43 +-SUBLEVEL = 2
44 ++SUBLEVEL = 3
45 + EXTRAVERSION =
46 + NAME = Charred Weasel
47 +
48 +diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
49 +index ef9119f7462e..4d9375814b53 100644
50 +--- a/arch/arm/kernel/ptrace.c
51 ++++ b/arch/arm/kernel/ptrace.c
52 +@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *target,
53 + if (ret)
54 + return ret;
55 +
56 +- vfp_flush_hwstate(thread);
57 + thread->vfpstate.hard = new_vfp;
58 ++ vfp_flush_hwstate(thread);
59 +
60 + return 0;
61 + }
62 +diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
63 +index 24ed037f09fd..83d48a599f69 100644
64 +--- a/arch/arm64/include/asm/elf.h
65 ++++ b/arch/arm64/include/asm/elf.h
66 +@@ -160,14 +160,14 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
67 + #define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
68 + #endif
69 +
70 +-#ifdef CONFIG_COMPAT
71 +-
72 + #ifdef __AARCH64EB__
73 + #define COMPAT_ELF_PLATFORM ("v8b")
74 + #else
75 + #define COMPAT_ELF_PLATFORM ("v8l")
76 + #endif
77 +
78 ++#ifdef CONFIG_COMPAT
79 ++
80 + #define COMPAT_ELF_ET_DYN_BASE (2 * TASK_SIZE_32 / 3)
81 +
82 + /* AArch32 registers. */
83 +diff --git a/arch/arm64/kernel/cpuinfo.c b/arch/arm64/kernel/cpuinfo.c
84 +index f0c3fb7ec8cf..2d2d7cb04a5d 100644
85 +--- a/arch/arm64/kernel/cpuinfo.c
86 ++++ b/arch/arm64/kernel/cpuinfo.c
87 +@@ -22,6 +22,8 @@
88 +
89 + #include <linux/bitops.h>
90 + #include <linux/bug.h>
91 ++#include <linux/compat.h>
92 ++#include <linux/elf.h>
93 + #include <linux/init.h>
94 + #include <linux/kernel.h>
95 + #include <linux/personality.h>
96 +@@ -104,6 +106,7 @@ static const char *const compat_hwcap2_str[] = {
97 + static int c_show(struct seq_file *m, void *v)
98 + {
99 + int i, j;
100 ++ bool compat = personality(current->personality) == PER_LINUX32;
101 +
102 + for_each_online_cpu(i) {
103 + struct cpuinfo_arm64 *cpuinfo = &per_cpu(cpu_data, i);
104 +@@ -115,6 +118,9 @@ static int c_show(struct seq_file *m, void *v)
105 + * "processor". Give glibc what it expects.
106 + */
107 + seq_printf(m, "processor\t: %d\n", i);
108 ++ if (compat)
109 ++ seq_printf(m, "model name\t: ARMv8 Processor rev %d (%s)\n",
110 ++ MIDR_REVISION(midr), COMPAT_ELF_PLATFORM);
111 +
112 + seq_printf(m, "BogoMIPS\t: %lu.%02lu\n",
113 + loops_per_jiffy / (500000UL/HZ),
114 +@@ -127,7 +133,7 @@ static int c_show(struct seq_file *m, void *v)
115 + * software which does already (at least for 32-bit).
116 + */
117 + seq_puts(m, "Features\t:");
118 +- if (personality(current->personality) == PER_LINUX32) {
119 ++ if (compat) {
120 + #ifdef CONFIG_COMPAT
121 + for (j = 0; compat_hwcap_str[j]; j++)
122 + if (compat_elf_hwcap & (1 << j))
123 +diff --git a/arch/arm64/kvm/hyp/vgic-v3-sr.c b/arch/arm64/kvm/hyp/vgic-v3-sr.c
124 +index fff7cd42b3a3..3129df9d3a73 100644
125 +--- a/arch/arm64/kvm/hyp/vgic-v3-sr.c
126 ++++ b/arch/arm64/kvm/hyp/vgic-v3-sr.c
127 +@@ -190,12 +190,11 @@ void __hyp_text __vgic_v3_save_state(struct kvm_vcpu *vcpu)
128 + if (!(vcpu->arch.vgic_cpu.live_lrs & (1UL << i)))
129 + continue;
130 +
131 +- if (cpu_if->vgic_elrsr & (1 << i)) {
132 ++ if (cpu_if->vgic_elrsr & (1 << i))
133 + cpu_if->vgic_lr[i] &= ~ICH_LR_STATE;
134 +- continue;
135 +- }
136 ++ else
137 ++ cpu_if->vgic_lr[i] = __gic_v3_get_lr(i);
138 +
139 +- cpu_if->vgic_lr[i] = __gic_v3_get_lr(i);
140 + __gic_v3_set_lr(0, i);
141 + }
142 +
143 +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
144 +index 3ae4a28c4aed..10b79e9e87d1 100644
145 +--- a/arch/arm64/mm/fault.c
146 ++++ b/arch/arm64/mm/fault.c
147 +@@ -109,7 +109,7 @@ int ptep_set_access_flags(struct vm_area_struct *vma,
148 + * PTE_RDONLY is cleared by default in the asm below, so set it in
149 + * back if necessary (read-only or clean PTE).
150 + */
151 +- if (!pte_write(entry) || !dirty)
152 ++ if (!pte_write(entry) || !pte_sw_dirty(entry))
153 + pte_val(entry) |= PTE_RDONLY;
154 +
155 + /*
156 +diff --git a/arch/parisc/kernel/unaligned.c b/arch/parisc/kernel/unaligned.c
157 +index d7c0acb35ec2..8d49614d600d 100644
158 +--- a/arch/parisc/kernel/unaligned.c
159 ++++ b/arch/parisc/kernel/unaligned.c
160 +@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *regs)
161 + break;
162 + }
163 +
164 +- if (modify && R1(regs->iir))
165 ++ if (ret == 0 && modify && R1(regs->iir))
166 + regs->gr[R1(regs->iir)] = newbase;
167 +
168 +
169 +@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *regs)
170 +
171 + if (ret)
172 + {
173 ++ /*
174 ++ * The unaligned handler failed.
175 ++ * If we were called by __get_user() or __put_user() jump
176 ++ * to it's exception fixup handler instead of crashing.
177 ++ */
178 ++ if (!user_mode(regs) && fixup_exception(regs))
179 ++ return;
180 ++
181 + printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret);
182 + die_if_kernel("Unaligned data reference", regs, 28);
183 +
184 +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
185 +index f5f4c66bbbc9..166d8631747f 100644
186 +--- a/arch/powerpc/include/asm/reg.h
187 ++++ b/arch/powerpc/include/asm/reg.h
188 +@@ -715,7 +715,7 @@
189 + #define MMCR0_FCWAIT 0x00000002UL /* freeze counter in WAIT state */
190 + #define MMCR0_FCHV 0x00000001UL /* freeze conditions in hypervisor mode */
191 + #define SPRN_MMCR1 798
192 +-#define SPRN_MMCR2 769
193 ++#define SPRN_MMCR2 785
194 + #define SPRN_MMCRA 0x312
195 + #define MMCRA_SDSYNC 0x80000000UL /* SDAR synced with SIAR */
196 + #define MMCRA_SDAR_DCACHE_MISS 0x40000000UL
197 +@@ -752,13 +752,13 @@
198 + #define SPRN_PMC6 792
199 + #define SPRN_PMC7 793
200 + #define SPRN_PMC8 794
201 +-#define SPRN_SIAR 780
202 +-#define SPRN_SDAR 781
203 + #define SPRN_SIER 784
204 + #define SIER_SIPR 0x2000000 /* Sampled MSR_PR */
205 + #define SIER_SIHV 0x1000000 /* Sampled MSR_HV */
206 + #define SIER_SIAR_VALID 0x0400000 /* SIAR contents valid */
207 + #define SIER_SDAR_VALID 0x0200000 /* SDAR contents valid */
208 ++#define SPRN_SIAR 796
209 ++#define SPRN_SDAR 797
210 + #define SPRN_TACR 888
211 + #define SPRN_TCSCR 889
212 + #define SPRN_CSIGR 890
213 +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
214 +index da5192590c44..ccd2037c797f 100644
215 +--- a/arch/powerpc/kernel/prom_init.c
216 ++++ b/arch/powerpc/kernel/prom_init.c
217 +@@ -656,6 +656,7 @@ unsigned char ibm_architecture_vec[] = {
218 + W(0xffff0000), W(0x003e0000), /* POWER6 */
219 + W(0xffff0000), W(0x003f0000), /* POWER7 */
220 + W(0xffff0000), W(0x004b0000), /* POWER8E */
221 ++ W(0xffff0000), W(0x004c0000), /* POWER8NVL */
222 + W(0xffff0000), W(0x004d0000), /* POWER8 */
223 + W(0xffffffff), W(0x0f000004), /* all 2.07-compliant */
224 + W(0xffffffff), W(0x0f000003), /* all 2.06-compliant */
225 +diff --git a/arch/powerpc/mm/hash_utils_64.c b/arch/powerpc/mm/hash_utils_64.c
226 +index 7635b1c6b5da..f4acba25fa5e 100644
227 +--- a/arch/powerpc/mm/hash_utils_64.c
228 ++++ b/arch/powerpc/mm/hash_utils_64.c
229 +@@ -159,6 +159,19 @@ static struct mmu_psize_def mmu_psize_defaults_gp[] = {
230 + },
231 + };
232 +
233 ++/*
234 ++ * 'R' and 'C' update notes:
235 ++ * - Under pHyp or KVM, the updatepp path will not set C, thus it *will*
236 ++ * create writeable HPTEs without C set, because the hcall H_PROTECT
237 ++ * that we use in that case will not update C
238 ++ * - The above is however not a problem, because we also don't do that
239 ++ * fancy "no flush" variant of eviction and we use H_REMOVE which will
240 ++ * do the right thing and thus we don't have the race I described earlier
241 ++ *
242 ++ * - Under bare metal, we do have the race, so we need R and C set
243 ++ * - We make sure R is always set and never lost
244 ++ * - C is _PAGE_DIRTY, and *should* always be set for a writeable mapping
245 ++ */
246 + unsigned long htab_convert_pte_flags(unsigned long pteflags)
247 + {
248 + unsigned long rflags = 0;
249 +@@ -180,9 +193,14 @@ unsigned long htab_convert_pte_flags(unsigned long pteflags)
250 + rflags |= 0x1;
251 + }
252 + /*
253 +- * Always add "C" bit for perf. Memory coherence is always enabled
254 ++ * We can't allow hardware to update hpte bits. Hence always
255 ++ * set 'R' bit and set 'C' if it is a write fault
256 ++ * Memory coherence is always enabled
257 + */
258 +- rflags |= HPTE_R_C | HPTE_R_M;
259 ++ rflags |= HPTE_R_R | HPTE_R_M;
260 ++
261 ++ if (pteflags & _PAGE_DIRTY)
262 ++ rflags |= HPTE_R_C;
263 + /*
264 + * Add in WIG bits
265 + */
266 +diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c
267 +index ac3ffd97e059..405baaf96864 100644
268 +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
269 ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
270 +@@ -615,29 +615,50 @@ static int pseries_eeh_configure_bridge(struct eeh_pe *pe)
271 + {
272 + int config_addr;
273 + int ret;
274 ++ /* Waiting 0.2s maximum before skipping configuration */
275 ++ int max_wait = 200;
276 +
277 + /* Figure out the PE address */
278 + config_addr = pe->config_addr;
279 + if (pe->addr)
280 + config_addr = pe->addr;
281 +
282 +- /* Use new configure-pe function, if supported */
283 +- if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
284 +- ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
285 +- config_addr, BUID_HI(pe->phb->buid),
286 +- BUID_LO(pe->phb->buid));
287 +- } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
288 +- ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
289 +- config_addr, BUID_HI(pe->phb->buid),
290 +- BUID_LO(pe->phb->buid));
291 +- } else {
292 +- return -EFAULT;
293 +- }
294 ++ while (max_wait > 0) {
295 ++ /* Use new configure-pe function, if supported */
296 ++ if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
297 ++ ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
298 ++ config_addr, BUID_HI(pe->phb->buid),
299 ++ BUID_LO(pe->phb->buid));
300 ++ } else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
301 ++ ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
302 ++ config_addr, BUID_HI(pe->phb->buid),
303 ++ BUID_LO(pe->phb->buid));
304 ++ } else {
305 ++ return -EFAULT;
306 ++ }
307 +
308 +- if (ret)
309 +- pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
310 +- __func__, pe->phb->global_number, pe->addr, ret);
311 ++ if (!ret)
312 ++ return ret;
313 ++
314 ++ /*
315 ++ * If RTAS returns a delay value that's above 100ms, cut it
316 ++ * down to 100ms in case firmware made a mistake. For more
317 ++ * on how these delay values work see rtas_busy_delay_time
318 ++ */
319 ++ if (ret > RTAS_EXTENDED_DELAY_MIN+2 &&
320 ++ ret <= RTAS_EXTENDED_DELAY_MAX)
321 ++ ret = RTAS_EXTENDED_DELAY_MIN+2;
322 ++
323 ++ max_wait -= rtas_busy_delay_time(ret);
324 ++
325 ++ if (max_wait < 0)
326 ++ break;
327 ++
328 ++ rtas_busy_delay(ret);
329 ++ }
330 +
331 ++ pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
332 ++ __func__, pe->phb->global_number, pe->addr, ret);
333 + return ret;
334 + }
335 +
336 +diff --git a/arch/s390/net/bpf_jit.h b/arch/s390/net/bpf_jit.h
337 +index f010c93a88b1..fda605dbc1b4 100644
338 +--- a/arch/s390/net/bpf_jit.h
339 ++++ b/arch/s390/net/bpf_jit.h
340 +@@ -37,7 +37,7 @@ extern u8 sk_load_word[], sk_load_half[], sk_load_byte[];
341 + * | | |
342 + * +---------------+ |
343 + * | 8 byte skbp | |
344 +- * R15+170 -> +---------------+ |
345 ++ * R15+176 -> +---------------+ |
346 + * | 8 byte hlen | |
347 + * R15+168 -> +---------------+ |
348 + * | 4 byte align | |
349 +@@ -58,7 +58,7 @@ extern u8 sk_load_word[], sk_load_half[], sk_load_byte[];
350 + #define STK_OFF (STK_SPACE - STK_160_UNUSED)
351 + #define STK_OFF_TMP 160 /* Offset of tmp buffer on stack */
352 + #define STK_OFF_HLEN 168 /* Offset of SKB header length on stack */
353 +-#define STK_OFF_SKBP 170 /* Offset of SKB pointer on stack */
354 ++#define STK_OFF_SKBP 176 /* Offset of SKB pointer on stack */
355 +
356 + #define STK_OFF_R6 (160 - 11 * 8) /* Offset of r6 on stack */
357 + #define STK_OFF_TCCNT (160 - 12 * 8) /* Offset of tail_call_cnt on stack */
358 +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
359 +index 3c0bfc1f2694..2662fcc67f8d 100644
360 +--- a/arch/s390/net/bpf_jit_comp.c
361 ++++ b/arch/s390/net/bpf_jit_comp.c
362 +@@ -45,7 +45,7 @@ struct bpf_jit {
363 + int labels[1]; /* Labels for local jumps */
364 + };
365 +
366 +-#define BPF_SIZE_MAX 0x7ffff /* Max size for program (20 bit signed displ) */
367 ++#define BPF_SIZE_MAX 0xffff /* Max size for program (16 bit branches) */
368 +
369 + #define SEEN_SKB 1 /* skb access */
370 + #define SEEN_MEM 2 /* use mem[] for temporary storage */
371 +@@ -446,7 +446,7 @@ static void bpf_jit_prologue(struct bpf_jit *jit)
372 + emit_load_skb_data_hlen(jit);
373 + if (jit->seen & SEEN_SKB_CHANGE)
374 + /* stg %b1,ST_OFF_SKBP(%r0,%r15) */
375 +- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, REG_15,
376 ++ EMIT6_DISP_LH(0xe3000000, 0x0024, BPF_REG_1, REG_0, REG_15,
377 + STK_OFF_SKBP);
378 + }
379 +
380 +diff --git a/arch/sparc/include/asm/head_64.h b/arch/sparc/include/asm/head_64.h
381 +index 10e9dabc4c41..f0700cfeedd7 100644
382 +--- a/arch/sparc/include/asm/head_64.h
383 ++++ b/arch/sparc/include/asm/head_64.h
384 +@@ -15,6 +15,10 @@
385 +
386 + #define PTREGS_OFF (STACK_BIAS + STACKFRAME_SZ)
387 +
388 ++#define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE)
389 ++#define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV)
390 ++#define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG)
391 ++
392 + #define __CHEETAH_ID 0x003e0014
393 + #define __JALAPENO_ID 0x003e0016
394 + #define __SERRANO_ID 0x003e0022
395 +diff --git a/arch/sparc/include/asm/pgtable_64.h b/arch/sparc/include/asm/pgtable_64.h
396 +index f089cfa249f3..5a189bf3c8ac 100644
397 +--- a/arch/sparc/include/asm/pgtable_64.h
398 ++++ b/arch/sparc/include/asm/pgtable_64.h
399 +@@ -375,7 +375,7 @@ static inline pgprot_t pgprot_noncached(pgprot_t prot)
400 + #define pgprot_noncached pgprot_noncached
401 +
402 + #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
403 +-static inline pte_t pte_mkhuge(pte_t pte)
404 ++static inline unsigned long __pte_huge_mask(void)
405 + {
406 + unsigned long mask;
407 +
408 +@@ -390,8 +390,19 @@ static inline pte_t pte_mkhuge(pte_t pte)
409 + : "=r" (mask)
410 + : "i" (_PAGE_SZHUGE_4U), "i" (_PAGE_SZHUGE_4V));
411 +
412 +- return __pte(pte_val(pte) | mask);
413 ++ return mask;
414 ++}
415 ++
416 ++static inline pte_t pte_mkhuge(pte_t pte)
417 ++{
418 ++ return __pte(pte_val(pte) | __pte_huge_mask());
419 ++}
420 ++
421 ++static inline bool is_hugetlb_pte(pte_t pte)
422 ++{
423 ++ return !!(pte_val(pte) & __pte_huge_mask());
424 + }
425 ++
426 + #ifdef CONFIG_TRANSPARENT_HUGEPAGE
427 + static inline pmd_t pmd_mkhuge(pmd_t pmd)
428 + {
429 +@@ -403,6 +414,11 @@ static inline pmd_t pmd_mkhuge(pmd_t pmd)
430 + return __pmd(pte_val(pte));
431 + }
432 + #endif
433 ++#else
434 ++static inline bool is_hugetlb_pte(pte_t pte)
435 ++{
436 ++ return false;
437 ++}
438 + #endif
439 +
440 + static inline pte_t pte_mkdirty(pte_t pte)
441 +@@ -858,6 +874,19 @@ static inline unsigned long pud_pfn(pud_t pud)
442 + void tlb_batch_add(struct mm_struct *mm, unsigned long vaddr,
443 + pte_t *ptep, pte_t orig, int fullmm);
444 +
445 ++static void maybe_tlb_batch_add(struct mm_struct *mm, unsigned long vaddr,
446 ++ pte_t *ptep, pte_t orig, int fullmm)
447 ++{
448 ++ /* It is more efficient to let flush_tlb_kernel_range()
449 ++ * handle init_mm tlb flushes.
450 ++ *
451 ++ * SUN4V NOTE: _PAGE_VALID is the same value in both the SUN4U
452 ++ * and SUN4V pte layout, so this inline test is fine.
453 ++ */
454 ++ if (likely(mm != &init_mm) && pte_accessible(mm, orig))
455 ++ tlb_batch_add(mm, vaddr, ptep, orig, fullmm);
456 ++}
457 ++
458 + #define __HAVE_ARCH_PMDP_HUGE_GET_AND_CLEAR
459 + static inline pmd_t pmdp_huge_get_and_clear(struct mm_struct *mm,
460 + unsigned long addr,
461 +@@ -874,15 +903,7 @@ static inline void __set_pte_at(struct mm_struct *mm, unsigned long addr,
462 + pte_t orig = *ptep;
463 +
464 + *ptep = pte;
465 +-
466 +- /* It is more efficient to let flush_tlb_kernel_range()
467 +- * handle init_mm tlb flushes.
468 +- *
469 +- * SUN4V NOTE: _PAGE_VALID is the same value in both the SUN4U
470 +- * and SUN4V pte layout, so this inline test is fine.
471 +- */
472 +- if (likely(mm != &init_mm) && pte_accessible(mm, orig))
473 +- tlb_batch_add(mm, addr, ptep, orig, fullmm);
474 ++ maybe_tlb_batch_add(mm, addr, ptep, orig, fullmm);
475 + }
476 +
477 + #define set_pte_at(mm,addr,ptep,pte) \
478 +diff --git a/arch/sparc/include/asm/tlbflush_64.h b/arch/sparc/include/asm/tlbflush_64.h
479 +index dea1cfa2122b..a8e192e90700 100644
480 +--- a/arch/sparc/include/asm/tlbflush_64.h
481 ++++ b/arch/sparc/include/asm/tlbflush_64.h
482 +@@ -8,6 +8,7 @@
483 + #define TLB_BATCH_NR 192
484 +
485 + struct tlb_batch {
486 ++ bool huge;
487 + struct mm_struct *mm;
488 + unsigned long tlb_nr;
489 + unsigned long active;
490 +@@ -16,7 +17,7 @@ struct tlb_batch {
491 +
492 + void flush_tsb_kernel_range(unsigned long start, unsigned long end);
493 + void flush_tsb_user(struct tlb_batch *tb);
494 +-void flush_tsb_user_page(struct mm_struct *mm, unsigned long vaddr);
495 ++void flush_tsb_user_page(struct mm_struct *mm, unsigned long vaddr, bool huge);
496 +
497 + /* TLB flush operations. */
498 +
499 +diff --git a/arch/sparc/include/asm/ttable.h b/arch/sparc/include/asm/ttable.h
500 +index 71b5a67522ab..781b9f1dbdc2 100644
501 +--- a/arch/sparc/include/asm/ttable.h
502 ++++ b/arch/sparc/include/asm/ttable.h
503 +@@ -589,8 +589,8 @@ user_rtt_fill_64bit: \
504 + restored; \
505 + nop; nop; nop; nop; nop; nop; \
506 + nop; nop; nop; nop; nop; \
507 +- ba,a,pt %xcc, user_rtt_fill_fixup; \
508 +- ba,a,pt %xcc, user_rtt_fill_fixup; \
509 ++ ba,a,pt %xcc, user_rtt_fill_fixup_dax; \
510 ++ ba,a,pt %xcc, user_rtt_fill_fixup_mna; \
511 + ba,a,pt %xcc, user_rtt_fill_fixup;
512 +
513 +
514 +@@ -652,8 +652,8 @@ user_rtt_fill_32bit: \
515 + restored; \
516 + nop; nop; nop; nop; nop; \
517 + nop; nop; nop; \
518 +- ba,a,pt %xcc, user_rtt_fill_fixup; \
519 +- ba,a,pt %xcc, user_rtt_fill_fixup; \
520 ++ ba,a,pt %xcc, user_rtt_fill_fixup_dax; \
521 ++ ba,a,pt %xcc, user_rtt_fill_fixup_mna; \
522 + ba,a,pt %xcc, user_rtt_fill_fixup;
523 +
524 +
525 +diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile
526 +index 7cf9c6ea3f1f..fdb13327fded 100644
527 +--- a/arch/sparc/kernel/Makefile
528 ++++ b/arch/sparc/kernel/Makefile
529 +@@ -21,6 +21,7 @@ CFLAGS_REMOVE_perf_event.o := -pg
530 + CFLAGS_REMOVE_pcr.o := -pg
531 + endif
532 +
533 ++obj-$(CONFIG_SPARC64) += urtt_fill.o
534 + obj-$(CONFIG_SPARC32) += entry.o wof.o wuf.o
535 + obj-$(CONFIG_SPARC32) += etrap_32.o
536 + obj-$(CONFIG_SPARC32) += rtrap_32.o
537 +diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S
538 +index d08bdaffdbfc..216948ca4382 100644
539 +--- a/arch/sparc/kernel/rtrap_64.S
540 ++++ b/arch/sparc/kernel/rtrap_64.S
541 +@@ -14,10 +14,6 @@
542 + #include <asm/visasm.h>
543 + #include <asm/processor.h>
544 +
545 +-#define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE)
546 +-#define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV)
547 +-#define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG)
548 +-
549 + #ifdef CONFIG_CONTEXT_TRACKING
550 + # define SCHEDULE_USER schedule_user
551 + #else
552 +@@ -242,52 +238,17 @@ rt_continue: ldx [%sp + PTREGS_OFF + PT_V9_G1], %g1
553 + wrpr %g1, %cwp
554 + ba,a,pt %xcc, user_rtt_fill_64bit
555 +
556 +-user_rtt_fill_fixup:
557 +- rdpr %cwp, %g1
558 +- add %g1, 1, %g1
559 +- wrpr %g1, 0x0, %cwp
560 +-
561 +- rdpr %wstate, %g2
562 +- sll %g2, 3, %g2
563 +- wrpr %g2, 0x0, %wstate
564 +-
565 +- /* We know %canrestore and %otherwin are both zero. */
566 +-
567 +- sethi %hi(sparc64_kern_pri_context), %g2
568 +- ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2
569 +- mov PRIMARY_CONTEXT, %g1
570 +-
571 +-661: stxa %g2, [%g1] ASI_DMMU
572 +- .section .sun4v_1insn_patch, "ax"
573 +- .word 661b
574 +- stxa %g2, [%g1] ASI_MMU
575 +- .previous
576 +-
577 +- sethi %hi(KERNBASE), %g1
578 +- flush %g1
579 ++user_rtt_fill_fixup_dax:
580 ++ ba,pt %xcc, user_rtt_fill_fixup_common
581 ++ mov 1, %g3
582 +
583 +- or %g4, FAULT_CODE_WINFIXUP, %g4
584 +- stb %g4, [%g6 + TI_FAULT_CODE]
585 +- stx %g5, [%g6 + TI_FAULT_ADDR]
586 ++user_rtt_fill_fixup_mna:
587 ++ ba,pt %xcc, user_rtt_fill_fixup_common
588 ++ mov 2, %g3
589 +
590 +- mov %g6, %l1
591 +- wrpr %g0, 0x0, %tl
592 +-
593 +-661: nop
594 +- .section .sun4v_1insn_patch, "ax"
595 +- .word 661b
596 +- SET_GL(0)
597 +- .previous
598 +-
599 +- wrpr %g0, RTRAP_PSTATE, %pstate
600 +-
601 +- mov %l1, %g6
602 +- ldx [%g6 + TI_TASK], %g4
603 +- LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3)
604 +- call do_sparc64_fault
605 +- add %sp, PTREGS_OFF, %o0
606 +- ba,pt %xcc, rtrap
607 +- nop
608 ++user_rtt_fill_fixup:
609 ++ ba,pt %xcc, user_rtt_fill_fixup_common
610 ++ clr %g3
611 +
612 + user_rtt_pre_restore:
613 + add %g1, 1, %g1
614 +diff --git a/arch/sparc/kernel/signal32.c b/arch/sparc/kernel/signal32.c
615 +index 3c25241fa5cb..ebd0bfe25a72 100644
616 +--- a/arch/sparc/kernel/signal32.c
617 ++++ b/arch/sparc/kernel/signal32.c
618 +@@ -138,12 +138,24 @@ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
619 + return 0;
620 + }
621 +
622 ++/* Checks if the fp is valid. We always build signal frames which are
623 ++ * 16-byte aligned, therefore we can always enforce that the restore
624 ++ * frame has that property as well.
625 ++ */
626 ++static bool invalid_frame_pointer(void __user *fp, int fplen)
627 ++{
628 ++ if ((((unsigned long) fp) & 15) ||
629 ++ ((unsigned long)fp) > 0x100000000ULL - fplen)
630 ++ return true;
631 ++ return false;
632 ++}
633 ++
634 + void do_sigreturn32(struct pt_regs *regs)
635 + {
636 + struct signal_frame32 __user *sf;
637 + compat_uptr_t fpu_save;
638 + compat_uptr_t rwin_save;
639 +- unsigned int psr;
640 ++ unsigned int psr, ufp;
641 + unsigned int pc, npc;
642 + sigset_t set;
643 + compat_sigset_t seta;
644 +@@ -158,11 +170,16 @@ void do_sigreturn32(struct pt_regs *regs)
645 + sf = (struct signal_frame32 __user *) regs->u_regs[UREG_FP];
646 +
647 + /* 1. Make sure we are not getting garbage from the user */
648 +- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) ||
649 +- (((unsigned long) sf) & 3))
650 ++ if (invalid_frame_pointer(sf, sizeof(*sf)))
651 ++ goto segv;
652 ++
653 ++ if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP]))
654 ++ goto segv;
655 ++
656 ++ if (ufp & 0x7)
657 + goto segv;
658 +
659 +- if (get_user(pc, &sf->info.si_regs.pc) ||
660 ++ if (__get_user(pc, &sf->info.si_regs.pc) ||
661 + __get_user(npc, &sf->info.si_regs.npc))
662 + goto segv;
663 +
664 +@@ -227,7 +244,7 @@ segv:
665 + asmlinkage void do_rt_sigreturn32(struct pt_regs *regs)
666 + {
667 + struct rt_signal_frame32 __user *sf;
668 +- unsigned int psr, pc, npc;
669 ++ unsigned int psr, pc, npc, ufp;
670 + compat_uptr_t fpu_save;
671 + compat_uptr_t rwin_save;
672 + sigset_t set;
673 +@@ -242,11 +259,16 @@ asmlinkage void do_rt_sigreturn32(struct pt_regs *regs)
674 + sf = (struct rt_signal_frame32 __user *) regs->u_regs[UREG_FP];
675 +
676 + /* 1. Make sure we are not getting garbage from the user */
677 +- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) ||
678 +- (((unsigned long) sf) & 3))
679 ++ if (invalid_frame_pointer(sf, sizeof(*sf)))
680 + goto segv;
681 +
682 +- if (get_user(pc, &sf->regs.pc) ||
683 ++ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
684 ++ goto segv;
685 ++
686 ++ if (ufp & 0x7)
687 ++ goto segv;
688 ++
689 ++ if (__get_user(pc, &sf->regs.pc) ||
690 + __get_user(npc, &sf->regs.npc))
691 + goto segv;
692 +
693 +@@ -307,14 +329,6 @@ segv:
694 + force_sig(SIGSEGV, current);
695 + }
696 +
697 +-/* Checks if the fp is valid */
698 +-static int invalid_frame_pointer(void __user *fp, int fplen)
699 +-{
700 +- if ((((unsigned long) fp) & 7) || ((unsigned long)fp) > 0x100000000ULL - fplen)
701 +- return 1;
702 +- return 0;
703 +-}
704 +-
705 + static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize)
706 + {
707 + unsigned long sp;
708 +diff --git a/arch/sparc/kernel/signal_32.c b/arch/sparc/kernel/signal_32.c
709 +index 52aa5e4ce5e7..c3c12efe0bc0 100644
710 +--- a/arch/sparc/kernel/signal_32.c
711 ++++ b/arch/sparc/kernel/signal_32.c
712 +@@ -60,10 +60,22 @@ struct rt_signal_frame {
713 + #define SF_ALIGNEDSZ (((sizeof(struct signal_frame) + 7) & (~7)))
714 + #define RT_ALIGNEDSZ (((sizeof(struct rt_signal_frame) + 7) & (~7)))
715 +
716 ++/* Checks if the fp is valid. We always build signal frames which are
717 ++ * 16-byte aligned, therefore we can always enforce that the restore
718 ++ * frame has that property as well.
719 ++ */
720 ++static inline bool invalid_frame_pointer(void __user *fp, int fplen)
721 ++{
722 ++ if ((((unsigned long) fp) & 15) || !__access_ok((unsigned long)fp, fplen))
723 ++ return true;
724 ++
725 ++ return false;
726 ++}
727 ++
728 + asmlinkage void do_sigreturn(struct pt_regs *regs)
729 + {
730 ++ unsigned long up_psr, pc, npc, ufp;
731 + struct signal_frame __user *sf;
732 +- unsigned long up_psr, pc, npc;
733 + sigset_t set;
734 + __siginfo_fpu_t __user *fpu_save;
735 + __siginfo_rwin_t __user *rwin_save;
736 +@@ -77,10 +89,13 @@ asmlinkage void do_sigreturn(struct pt_regs *regs)
737 + sf = (struct signal_frame __user *) regs->u_regs[UREG_FP];
738 +
739 + /* 1. Make sure we are not getting garbage from the user */
740 +- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)))
741 ++ if (!invalid_frame_pointer(sf, sizeof(*sf)))
742 ++ goto segv_and_exit;
743 ++
744 ++ if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP]))
745 + goto segv_and_exit;
746 +
747 +- if (((unsigned long) sf) & 3)
748 ++ if (ufp & 0x7)
749 + goto segv_and_exit;
750 +
751 + err = __get_user(pc, &sf->info.si_regs.pc);
752 +@@ -127,7 +142,7 @@ segv_and_exit:
753 + asmlinkage void do_rt_sigreturn(struct pt_regs *regs)
754 + {
755 + struct rt_signal_frame __user *sf;
756 +- unsigned int psr, pc, npc;
757 ++ unsigned int psr, pc, npc, ufp;
758 + __siginfo_fpu_t __user *fpu_save;
759 + __siginfo_rwin_t __user *rwin_save;
760 + sigset_t set;
761 +@@ -135,8 +150,13 @@ asmlinkage void do_rt_sigreturn(struct pt_regs *regs)
762 +
763 + synchronize_user_stack();
764 + sf = (struct rt_signal_frame __user *) regs->u_regs[UREG_FP];
765 +- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) ||
766 +- (((unsigned long) sf) & 0x03))
767 ++ if (!invalid_frame_pointer(sf, sizeof(*sf)))
768 ++ goto segv;
769 ++
770 ++ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
771 ++ goto segv;
772 ++
773 ++ if (ufp & 0x7)
774 + goto segv;
775 +
776 + err = __get_user(pc, &sf->regs.pc);
777 +@@ -178,15 +198,6 @@ segv:
778 + force_sig(SIGSEGV, current);
779 + }
780 +
781 +-/* Checks if the fp is valid */
782 +-static inline int invalid_frame_pointer(void __user *fp, int fplen)
783 +-{
784 +- if ((((unsigned long) fp) & 7) || !__access_ok((unsigned long)fp, fplen))
785 +- return 1;
786 +-
787 +- return 0;
788 +-}
789 +-
790 + static inline void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize)
791 + {
792 + unsigned long sp = regs->u_regs[UREG_FP];
793 +diff --git a/arch/sparc/kernel/signal_64.c b/arch/sparc/kernel/signal_64.c
794 +index 39aaec173f66..5ee930c48f4c 100644
795 +--- a/arch/sparc/kernel/signal_64.c
796 ++++ b/arch/sparc/kernel/signal_64.c
797 +@@ -234,6 +234,17 @@ do_sigsegv:
798 + goto out;
799 + }
800 +
801 ++/* Checks if the fp is valid. We always build rt signal frames which
802 ++ * are 16-byte aligned, therefore we can always enforce that the
803 ++ * restore frame has that property as well.
804 ++ */
805 ++static bool invalid_frame_pointer(void __user *fp)
806 ++{
807 ++ if (((unsigned long) fp) & 15)
808 ++ return true;
809 ++ return false;
810 ++}
811 ++
812 + struct rt_signal_frame {
813 + struct sparc_stackf ss;
814 + siginfo_t info;
815 +@@ -246,8 +257,8 @@ struct rt_signal_frame {
816 +
817 + void do_rt_sigreturn(struct pt_regs *regs)
818 + {
819 ++ unsigned long tpc, tnpc, tstate, ufp;
820 + struct rt_signal_frame __user *sf;
821 +- unsigned long tpc, tnpc, tstate;
822 + __siginfo_fpu_t __user *fpu_save;
823 + __siginfo_rwin_t __user *rwin_save;
824 + sigset_t set;
825 +@@ -261,10 +272,16 @@ void do_rt_sigreturn(struct pt_regs *regs)
826 + (regs->u_regs [UREG_FP] + STACK_BIAS);
827 +
828 + /* 1. Make sure we are not getting garbage from the user */
829 +- if (((unsigned long) sf) & 3)
830 ++ if (invalid_frame_pointer(sf))
831 ++ goto segv;
832 ++
833 ++ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
834 + goto segv;
835 +
836 +- err = get_user(tpc, &sf->regs.tpc);
837 ++ if ((ufp + STACK_BIAS) & 0x7)
838 ++ goto segv;
839 ++
840 ++ err = __get_user(tpc, &sf->regs.tpc);
841 + err |= __get_user(tnpc, &sf->regs.tnpc);
842 + if (test_thread_flag(TIF_32BIT)) {
843 + tpc &= 0xffffffff;
844 +@@ -308,14 +325,6 @@ segv:
845 + force_sig(SIGSEGV, current);
846 + }
847 +
848 +-/* Checks if the fp is valid */
849 +-static int invalid_frame_pointer(void __user *fp)
850 +-{
851 +- if (((unsigned long) fp) & 15)
852 +- return 1;
853 +- return 0;
854 +-}
855 +-
856 + static inline void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize)
857 + {
858 + unsigned long sp = regs->u_regs[UREG_FP] + STACK_BIAS;
859 +diff --git a/arch/sparc/kernel/sigutil_32.c b/arch/sparc/kernel/sigutil_32.c
860 +index 0f6eebe71e6c..e5fe8cef9a69 100644
861 +--- a/arch/sparc/kernel/sigutil_32.c
862 ++++ b/arch/sparc/kernel/sigutil_32.c
863 +@@ -48,6 +48,10 @@ int save_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
864 + int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
865 + {
866 + int err;
867 ++
868 ++ if (((unsigned long) fpu) & 3)
869 ++ return -EFAULT;
870 ++
871 + #ifdef CONFIG_SMP
872 + if (test_tsk_thread_flag(current, TIF_USEDFPU))
873 + regs->psr &= ~PSR_EF;
874 +@@ -97,7 +101,10 @@ int restore_rwin_state(__siginfo_rwin_t __user *rp)
875 + struct thread_info *t = current_thread_info();
876 + int i, wsaved, err;
877 +
878 +- __get_user(wsaved, &rp->wsaved);
879 ++ if (((unsigned long) rp) & 3)
880 ++ return -EFAULT;
881 ++
882 ++ get_user(wsaved, &rp->wsaved);
883 + if (wsaved > NSWINS)
884 + return -EFAULT;
885 +
886 +diff --git a/arch/sparc/kernel/sigutil_64.c b/arch/sparc/kernel/sigutil_64.c
887 +index 387834a9c56a..36aadcbeac69 100644
888 +--- a/arch/sparc/kernel/sigutil_64.c
889 ++++ b/arch/sparc/kernel/sigutil_64.c
890 +@@ -37,7 +37,10 @@ int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
891 + unsigned long fprs;
892 + int err;
893 +
894 +- err = __get_user(fprs, &fpu->si_fprs);
895 ++ if (((unsigned long) fpu) & 7)
896 ++ return -EFAULT;
897 ++
898 ++ err = get_user(fprs, &fpu->si_fprs);
899 + fprs_write(0);
900 + regs->tstate &= ~TSTATE_PEF;
901 + if (fprs & FPRS_DL)
902 +@@ -72,7 +75,10 @@ int restore_rwin_state(__siginfo_rwin_t __user *rp)
903 + struct thread_info *t = current_thread_info();
904 + int i, wsaved, err;
905 +
906 +- __get_user(wsaved, &rp->wsaved);
907 ++ if (((unsigned long) rp) & 7)
908 ++ return -EFAULT;
909 ++
910 ++ get_user(wsaved, &rp->wsaved);
911 + if (wsaved > NSWINS)
912 + return -EFAULT;
913 +
914 +diff --git a/arch/sparc/kernel/urtt_fill.S b/arch/sparc/kernel/urtt_fill.S
915 +new file mode 100644
916 +index 000000000000..5604a2b051d4
917 +--- /dev/null
918 ++++ b/arch/sparc/kernel/urtt_fill.S
919 +@@ -0,0 +1,98 @@
920 ++#include <asm/thread_info.h>
921 ++#include <asm/trap_block.h>
922 ++#include <asm/spitfire.h>
923 ++#include <asm/ptrace.h>
924 ++#include <asm/head.h>
925 ++
926 ++ .text
927 ++ .align 8
928 ++ .globl user_rtt_fill_fixup_common
929 ++user_rtt_fill_fixup_common:
930 ++ rdpr %cwp, %g1
931 ++ add %g1, 1, %g1
932 ++ wrpr %g1, 0x0, %cwp
933 ++
934 ++ rdpr %wstate, %g2
935 ++ sll %g2, 3, %g2
936 ++ wrpr %g2, 0x0, %wstate
937 ++
938 ++ /* We know %canrestore and %otherwin are both zero. */
939 ++
940 ++ sethi %hi(sparc64_kern_pri_context), %g2
941 ++ ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2
942 ++ mov PRIMARY_CONTEXT, %g1
943 ++
944 ++661: stxa %g2, [%g1] ASI_DMMU
945 ++ .section .sun4v_1insn_patch, "ax"
946 ++ .word 661b
947 ++ stxa %g2, [%g1] ASI_MMU
948 ++ .previous
949 ++
950 ++ sethi %hi(KERNBASE), %g1
951 ++ flush %g1
952 ++
953 ++ mov %g4, %l4
954 ++ mov %g5, %l5
955 ++ brnz,pn %g3, 1f
956 ++ mov %g3, %l3
957 ++
958 ++ or %g4, FAULT_CODE_WINFIXUP, %g4
959 ++ stb %g4, [%g6 + TI_FAULT_CODE]
960 ++ stx %g5, [%g6 + TI_FAULT_ADDR]
961 ++1:
962 ++ mov %g6, %l1
963 ++ wrpr %g0, 0x0, %tl
964 ++
965 ++661: nop
966 ++ .section .sun4v_1insn_patch, "ax"
967 ++ .word 661b
968 ++ SET_GL(0)
969 ++ .previous
970 ++
971 ++ wrpr %g0, RTRAP_PSTATE, %pstate
972 ++
973 ++ mov %l1, %g6
974 ++ ldx [%g6 + TI_TASK], %g4
975 ++ LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3)
976 ++
977 ++ brnz,pn %l3, 1f
978 ++ nop
979 ++
980 ++ call do_sparc64_fault
981 ++ add %sp, PTREGS_OFF, %o0
982 ++ ba,pt %xcc, rtrap
983 ++ nop
984 ++
985 ++1: cmp %g3, 2
986 ++ bne,pn %xcc, 2f
987 ++ nop
988 ++
989 ++ sethi %hi(tlb_type), %g1
990 ++ lduw [%g1 + %lo(tlb_type)], %g1
991 ++ cmp %g1, 3
992 ++ bne,pt %icc, 1f
993 ++ add %sp, PTREGS_OFF, %o0
994 ++ mov %l4, %o2
995 ++ call sun4v_do_mna
996 ++ mov %l5, %o1
997 ++ ba,a,pt %xcc, rtrap
998 ++1: mov %l4, %o1
999 ++ mov %l5, %o2
1000 ++ call mem_address_unaligned
1001 ++ nop
1002 ++ ba,a,pt %xcc, rtrap
1003 ++
1004 ++2: sethi %hi(tlb_type), %g1
1005 ++ mov %l4, %o1
1006 ++ lduw [%g1 + %lo(tlb_type)], %g1
1007 ++ mov %l5, %o2
1008 ++ cmp %g1, 3
1009 ++ bne,pt %icc, 1f
1010 ++ add %sp, PTREGS_OFF, %o0
1011 ++ call sun4v_data_access_exception
1012 ++ nop
1013 ++ ba,a,pt %xcc, rtrap
1014 ++
1015 ++1: call spitfire_data_access_exception
1016 ++ nop
1017 ++ ba,a,pt %xcc, rtrap
1018 +diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
1019 +index 4977800e9770..ba52e6466a82 100644
1020 +--- a/arch/sparc/mm/hugetlbpage.c
1021 ++++ b/arch/sparc/mm/hugetlbpage.c
1022 +@@ -176,17 +176,31 @@ void set_huge_pte_at(struct mm_struct *mm, unsigned long addr,
1023 + pte_t *ptep, pte_t entry)
1024 + {
1025 + int i;
1026 ++ pte_t orig[2];
1027 ++ unsigned long nptes;
1028 +
1029 + if (!pte_present(*ptep) && pte_present(entry))
1030 + mm->context.huge_pte_count++;
1031 +
1032 + addr &= HPAGE_MASK;
1033 +- for (i = 0; i < (1 << HUGETLB_PAGE_ORDER); i++) {
1034 +- set_pte_at(mm, addr, ptep, entry);
1035 ++
1036 ++ nptes = 1 << HUGETLB_PAGE_ORDER;
1037 ++ orig[0] = *ptep;
1038 ++ orig[1] = *(ptep + nptes / 2);
1039 ++ for (i = 0; i < nptes; i++) {
1040 ++ *ptep = entry;
1041 + ptep++;
1042 + addr += PAGE_SIZE;
1043 + pte_val(entry) += PAGE_SIZE;
1044 + }
1045 ++
1046 ++ /* Issue TLB flush at REAL_HPAGE_SIZE boundaries */
1047 ++ addr -= REAL_HPAGE_SIZE;
1048 ++ ptep -= nptes / 2;
1049 ++ maybe_tlb_batch_add(mm, addr, ptep, orig[1], 0);
1050 ++ addr -= REAL_HPAGE_SIZE;
1051 ++ ptep -= nptes / 2;
1052 ++ maybe_tlb_batch_add(mm, addr, ptep, orig[0], 0);
1053 + }
1054 +
1055 + pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
1056 +@@ -194,19 +208,28 @@ pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
1057 + {
1058 + pte_t entry;
1059 + int i;
1060 ++ unsigned long nptes;
1061 +
1062 + entry = *ptep;
1063 + if (pte_present(entry))
1064 + mm->context.huge_pte_count--;
1065 +
1066 + addr &= HPAGE_MASK;
1067 +-
1068 +- for (i = 0; i < (1 << HUGETLB_PAGE_ORDER); i++) {
1069 +- pte_clear(mm, addr, ptep);
1070 ++ nptes = 1 << HUGETLB_PAGE_ORDER;
1071 ++ for (i = 0; i < nptes; i++) {
1072 ++ *ptep = __pte(0UL);
1073 + addr += PAGE_SIZE;
1074 + ptep++;
1075 + }
1076 +
1077 ++ /* Issue TLB flush at REAL_HPAGE_SIZE boundaries */
1078 ++ addr -= REAL_HPAGE_SIZE;
1079 ++ ptep -= nptes / 2;
1080 ++ maybe_tlb_batch_add(mm, addr, ptep, entry, 0);
1081 ++ addr -= REAL_HPAGE_SIZE;
1082 ++ ptep -= nptes / 2;
1083 ++ maybe_tlb_batch_add(mm, addr, ptep, entry, 0);
1084 ++
1085 + return entry;
1086 + }
1087 +
1088 +diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
1089 +index 09e838801e39..14bb0d5ed3c6 100644
1090 +--- a/arch/sparc/mm/init_64.c
1091 ++++ b/arch/sparc/mm/init_64.c
1092 +@@ -324,18 +324,6 @@ static void __update_mmu_tsb_insert(struct mm_struct *mm, unsigned long tsb_inde
1093 + tsb_insert(tsb, tag, tte);
1094 + }
1095 +
1096 +-#if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
1097 +-static inline bool is_hugetlb_pte(pte_t pte)
1098 +-{
1099 +- if ((tlb_type == hypervisor &&
1100 +- (pte_val(pte) & _PAGE_SZALL_4V) == _PAGE_SZHUGE_4V) ||
1101 +- (tlb_type != hypervisor &&
1102 +- (pte_val(pte) & _PAGE_SZALL_4U) == _PAGE_SZHUGE_4U))
1103 +- return true;
1104 +- return false;
1105 +-}
1106 +-#endif
1107 +-
1108 + void update_mmu_cache(struct vm_area_struct *vma, unsigned long address, pte_t *ptep)
1109 + {
1110 + struct mm_struct *mm;
1111 +@@ -2836,9 +2824,10 @@ void hugetlb_setup(struct pt_regs *regs)
1112 + * the Data-TLB for huge pages.
1113 + */
1114 + if (tlb_type == cheetah_plus) {
1115 ++ bool need_context_reload = false;
1116 + unsigned long ctx;
1117 +
1118 +- spin_lock(&ctx_alloc_lock);
1119 ++ spin_lock_irq(&ctx_alloc_lock);
1120 + ctx = mm->context.sparc64_ctx_val;
1121 + ctx &= ~CTX_PGSZ_MASK;
1122 + ctx |= CTX_PGSZ_BASE << CTX_PGSZ0_SHIFT;
1123 +@@ -2857,9 +2846,12 @@ void hugetlb_setup(struct pt_regs *regs)
1124 + * also executing in this address space.
1125 + */
1126 + mm->context.sparc64_ctx_val = ctx;
1127 +- on_each_cpu(context_reload, mm, 0);
1128 ++ need_context_reload = true;
1129 + }
1130 +- spin_unlock(&ctx_alloc_lock);
1131 ++ spin_unlock_irq(&ctx_alloc_lock);
1132 ++
1133 ++ if (need_context_reload)
1134 ++ on_each_cpu(context_reload, mm, 0);
1135 + }
1136 + }
1137 + #endif
1138 +diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c
1139 +index 9df2190c097e..f81cd9736700 100644
1140 +--- a/arch/sparc/mm/tlb.c
1141 ++++ b/arch/sparc/mm/tlb.c
1142 +@@ -67,7 +67,7 @@ void arch_leave_lazy_mmu_mode(void)
1143 + }
1144 +
1145 + static void tlb_batch_add_one(struct mm_struct *mm, unsigned long vaddr,
1146 +- bool exec)
1147 ++ bool exec, bool huge)
1148 + {
1149 + struct tlb_batch *tb = &get_cpu_var(tlb_batch);
1150 + unsigned long nr;
1151 +@@ -84,13 +84,21 @@ static void tlb_batch_add_one(struct mm_struct *mm, unsigned long vaddr,
1152 + }
1153 +
1154 + if (!tb->active) {
1155 +- flush_tsb_user_page(mm, vaddr);
1156 ++ flush_tsb_user_page(mm, vaddr, huge);
1157 + global_flush_tlb_page(mm, vaddr);
1158 + goto out;
1159 + }
1160 +
1161 +- if (nr == 0)
1162 ++ if (nr == 0) {
1163 + tb->mm = mm;
1164 ++ tb->huge = huge;
1165 ++ }
1166 ++
1167 ++ if (tb->huge != huge) {
1168 ++ flush_tlb_pending();
1169 ++ tb->huge = huge;
1170 ++ nr = 0;
1171 ++ }
1172 +
1173 + tb->vaddrs[nr] = vaddr;
1174 + tb->tlb_nr = ++nr;
1175 +@@ -104,6 +112,8 @@ out:
1176 + void tlb_batch_add(struct mm_struct *mm, unsigned long vaddr,
1177 + pte_t *ptep, pte_t orig, int fullmm)
1178 + {
1179 ++ bool huge = is_hugetlb_pte(orig);
1180 ++
1181 + if (tlb_type != hypervisor &&
1182 + pte_dirty(orig)) {
1183 + unsigned long paddr, pfn = pte_pfn(orig);
1184 +@@ -129,7 +139,7 @@ void tlb_batch_add(struct mm_struct *mm, unsigned long vaddr,
1185 +
1186 + no_cache_flush:
1187 + if (!fullmm)
1188 +- tlb_batch_add_one(mm, vaddr, pte_exec(orig));
1189 ++ tlb_batch_add_one(mm, vaddr, pte_exec(orig), huge);
1190 + }
1191 +
1192 + #ifdef CONFIG_TRANSPARENT_HUGEPAGE
1193 +@@ -145,7 +155,7 @@ static void tlb_batch_pmd_scan(struct mm_struct *mm, unsigned long vaddr,
1194 + if (pte_val(*pte) & _PAGE_VALID) {
1195 + bool exec = pte_exec(*pte);
1196 +
1197 +- tlb_batch_add_one(mm, vaddr, exec);
1198 ++ tlb_batch_add_one(mm, vaddr, exec, false);
1199 + }
1200 + pte++;
1201 + vaddr += PAGE_SIZE;
1202 +@@ -185,8 +195,9 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr,
1203 + pte_t orig_pte = __pte(pmd_val(orig));
1204 + bool exec = pte_exec(orig_pte);
1205 +
1206 +- tlb_batch_add_one(mm, addr, exec);
1207 +- tlb_batch_add_one(mm, addr + REAL_HPAGE_SIZE, exec);
1208 ++ tlb_batch_add_one(mm, addr, exec, true);
1209 ++ tlb_batch_add_one(mm, addr + REAL_HPAGE_SIZE, exec,
1210 ++ true);
1211 + } else {
1212 + tlb_batch_pmd_scan(mm, addr, orig);
1213 + }
1214 +diff --git a/arch/sparc/mm/tsb.c b/arch/sparc/mm/tsb.c
1215 +index a06576683c38..a0604a493a36 100644
1216 +--- a/arch/sparc/mm/tsb.c
1217 ++++ b/arch/sparc/mm/tsb.c
1218 +@@ -76,14 +76,15 @@ void flush_tsb_user(struct tlb_batch *tb)
1219 +
1220 + spin_lock_irqsave(&mm->context.lock, flags);
1221 +
1222 +- base = (unsigned long) mm->context.tsb_block[MM_TSB_BASE].tsb;
1223 +- nentries = mm->context.tsb_block[MM_TSB_BASE].tsb_nentries;
1224 +- if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1225 +- base = __pa(base);
1226 +- __flush_tsb_one(tb, PAGE_SHIFT, base, nentries);
1227 +-
1228 ++ if (!tb->huge) {
1229 ++ base = (unsigned long) mm->context.tsb_block[MM_TSB_BASE].tsb;
1230 ++ nentries = mm->context.tsb_block[MM_TSB_BASE].tsb_nentries;
1231 ++ if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1232 ++ base = __pa(base);
1233 ++ __flush_tsb_one(tb, PAGE_SHIFT, base, nentries);
1234 ++ }
1235 + #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
1236 +- if (mm->context.tsb_block[MM_TSB_HUGE].tsb) {
1237 ++ if (tb->huge && mm->context.tsb_block[MM_TSB_HUGE].tsb) {
1238 + base = (unsigned long) mm->context.tsb_block[MM_TSB_HUGE].tsb;
1239 + nentries = mm->context.tsb_block[MM_TSB_HUGE].tsb_nentries;
1240 + if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1241 +@@ -94,20 +95,21 @@ void flush_tsb_user(struct tlb_batch *tb)
1242 + spin_unlock_irqrestore(&mm->context.lock, flags);
1243 + }
1244 +
1245 +-void flush_tsb_user_page(struct mm_struct *mm, unsigned long vaddr)
1246 ++void flush_tsb_user_page(struct mm_struct *mm, unsigned long vaddr, bool huge)
1247 + {
1248 + unsigned long nentries, base, flags;
1249 +
1250 + spin_lock_irqsave(&mm->context.lock, flags);
1251 +
1252 +- base = (unsigned long) mm->context.tsb_block[MM_TSB_BASE].tsb;
1253 +- nentries = mm->context.tsb_block[MM_TSB_BASE].tsb_nentries;
1254 +- if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1255 +- base = __pa(base);
1256 +- __flush_tsb_one_entry(base, vaddr, PAGE_SHIFT, nentries);
1257 +-
1258 ++ if (!huge) {
1259 ++ base = (unsigned long) mm->context.tsb_block[MM_TSB_BASE].tsb;
1260 ++ nentries = mm->context.tsb_block[MM_TSB_BASE].tsb_nentries;
1261 ++ if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1262 ++ base = __pa(base);
1263 ++ __flush_tsb_one_entry(base, vaddr, PAGE_SHIFT, nentries);
1264 ++ }
1265 + #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
1266 +- if (mm->context.tsb_block[MM_TSB_HUGE].tsb) {
1267 ++ if (huge && mm->context.tsb_block[MM_TSB_HUGE].tsb) {
1268 + base = (unsigned long) mm->context.tsb_block[MM_TSB_HUGE].tsb;
1269 + nentries = mm->context.tsb_block[MM_TSB_HUGE].tsb_nentries;
1270 + if (tlb_type == cheetah_plus || tlb_type == hypervisor)
1271 +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
1272 +index 06cbe25861f1..87bd6b6bf5bd 100644
1273 +--- a/arch/x86/kernel/traps.c
1274 ++++ b/arch/x86/kernel/traps.c
1275 +@@ -95,6 +95,12 @@ static inline void cond_local_irq_disable(struct pt_regs *regs)
1276 + local_irq_disable();
1277 + }
1278 +
1279 ++/*
1280 ++ * In IST context, we explicitly disable preemption. This serves two
1281 ++ * purposes: it makes it much less likely that we would accidentally
1282 ++ * schedule in IST context and it will force a warning if we somehow
1283 ++ * manage to schedule by accident.
1284 ++ */
1285 + void ist_enter(struct pt_regs *regs)
1286 + {
1287 + if (user_mode(regs)) {
1288 +@@ -109,13 +115,7 @@ void ist_enter(struct pt_regs *regs)
1289 + rcu_nmi_enter();
1290 + }
1291 +
1292 +- /*
1293 +- * We are atomic because we're on the IST stack; or we're on
1294 +- * x86_32, in which case we still shouldn't schedule; or we're
1295 +- * on x86_64 and entered from user mode, in which case we're
1296 +- * still atomic unless ist_begin_non_atomic is called.
1297 +- */
1298 +- preempt_count_add(HARDIRQ_OFFSET);
1299 ++ preempt_disable();
1300 +
1301 + /* This code is a bit fragile. Test it. */
1302 + RCU_LOCKDEP_WARN(!rcu_is_watching(), "ist_enter didn't work");
1303 +@@ -123,7 +123,7 @@ void ist_enter(struct pt_regs *regs)
1304 +
1305 + void ist_exit(struct pt_regs *regs)
1306 + {
1307 +- preempt_count_sub(HARDIRQ_OFFSET);
1308 ++ preempt_enable_no_resched();
1309 +
1310 + if (!user_mode(regs))
1311 + rcu_nmi_exit();
1312 +@@ -154,7 +154,7 @@ void ist_begin_non_atomic(struct pt_regs *regs)
1313 + BUG_ON((unsigned long)(current_top_of_stack() -
1314 + current_stack_pointer()) >= THREAD_SIZE);
1315 +
1316 +- preempt_count_sub(HARDIRQ_OFFSET);
1317 ++ preempt_enable_no_resched();
1318 + }
1319 +
1320 + /**
1321 +@@ -164,7 +164,7 @@ void ist_begin_non_atomic(struct pt_regs *regs)
1322 + */
1323 + void ist_end_non_atomic(void)
1324 + {
1325 +- preempt_count_add(HARDIRQ_OFFSET);
1326 ++ preempt_disable();
1327 + }
1328 +
1329 + static nokprobe_inline int
1330 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
1331 +index 9b7798c7b210..6b9701babaa1 100644
1332 +--- a/arch/x86/kvm/x86.c
1333 ++++ b/arch/x86/kvm/x86.c
1334 +@@ -3032,6 +3032,11 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
1335 + if (dbgregs->flags)
1336 + return -EINVAL;
1337 +
1338 ++ if (dbgregs->dr6 & ~0xffffffffull)
1339 ++ return -EINVAL;
1340 ++ if (dbgregs->dr7 & ~0xffffffffull)
1341 ++ return -EINVAL;
1342 ++
1343 + memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db));
1344 + kvm_update_dr0123(vcpu);
1345 + vcpu->arch.dr6 = dbgregs->dr6;
1346 +diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
1347 +index 91a7e047a765..477cbf39e0fb 100644
1348 +--- a/crypto/asymmetric_keys/Kconfig
1349 ++++ b/crypto/asymmetric_keys/Kconfig
1350 +@@ -13,6 +13,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
1351 + tristate "Asymmetric public-key crypto algorithm subtype"
1352 + select MPILIB
1353 + select CRYPTO_HASH_INFO
1354 ++ select CRYPTO_AKCIPHER
1355 + help
1356 + This option provides support for asymmetric public key type handling.
1357 + If signature generation and/or verification are to be used,
1358 +diff --git a/drivers/crypto/ccp/ccp-crypto-aes-xts.c b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
1359 +index 52c7395cb8d8..0d0d4529ee36 100644
1360 +--- a/drivers/crypto/ccp/ccp-crypto-aes-xts.c
1361 ++++ b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
1362 +@@ -122,6 +122,7 @@ static int ccp_aes_xts_crypt(struct ablkcipher_request *req,
1363 + struct ccp_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
1364 + struct ccp_aes_req_ctx *rctx = ablkcipher_request_ctx(req);
1365 + unsigned int unit;
1366 ++ u32 unit_size;
1367 + int ret;
1368 +
1369 + if (!ctx->u.aes.key_len)
1370 +@@ -133,11 +134,17 @@ static int ccp_aes_xts_crypt(struct ablkcipher_request *req,
1371 + if (!req->info)
1372 + return -EINVAL;
1373 +
1374 +- for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++)
1375 +- if (!(req->nbytes & (unit_size_map[unit].size - 1)))
1376 +- break;
1377 ++ unit_size = CCP_XTS_AES_UNIT_SIZE__LAST;
1378 ++ if (req->nbytes <= unit_size_map[0].size) {
1379 ++ for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) {
1380 ++ if (!(req->nbytes & (unit_size_map[unit].size - 1))) {
1381 ++ unit_size = unit_size_map[unit].value;
1382 ++ break;
1383 ++ }
1384 ++ }
1385 ++ }
1386 +
1387 +- if ((unit_size_map[unit].value == CCP_XTS_AES_UNIT_SIZE__LAST) ||
1388 ++ if ((unit_size == CCP_XTS_AES_UNIT_SIZE__LAST) ||
1389 + (ctx->u.aes.key_len != AES_KEYSIZE_128)) {
1390 + /* Use the fallback to process the request for any
1391 + * unsupported unit sizes or key sizes
1392 +@@ -158,7 +165,7 @@ static int ccp_aes_xts_crypt(struct ablkcipher_request *req,
1393 + rctx->cmd.engine = CCP_ENGINE_XTS_AES_128;
1394 + rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT
1395 + : CCP_AES_ACTION_DECRYPT;
1396 +- rctx->cmd.u.xts.unit_size = unit_size_map[unit].value;
1397 ++ rctx->cmd.u.xts.unit_size = unit_size;
1398 + rctx->cmd.u.xts.key = &ctx->u.aes.key_sg;
1399 + rctx->cmd.u.xts.key_len = ctx->u.aes.key_len;
1400 + rctx->cmd.u.xts.iv = &rctx->iv_sg;
1401 +diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
1402 +index 2fd38d598f3d..3c5e83263fe0 100644
1403 +--- a/drivers/gpio/gpio-bcm-kona.c
1404 ++++ b/drivers/gpio/gpio-bcm-kona.c
1405 +@@ -546,11 +546,11 @@ static void bcm_kona_gpio_reset(struct bcm_kona_gpio *kona_gpio)
1406 + /* disable interrupts and clear status */
1407 + for (i = 0; i < kona_gpio->num_bank; i++) {
1408 + /* Unlock the entire bank first */
1409 +- bcm_kona_gpio_write_lock_regs(kona_gpio, i, UNLOCK_CODE);
1410 ++ bcm_kona_gpio_write_lock_regs(reg_base, i, UNLOCK_CODE);
1411 + writel(0xffffffff, reg_base + GPIO_INT_MASK(i));
1412 + writel(0xffffffff, reg_base + GPIO_INT_STATUS(i));
1413 + /* Now re-lock the bank */
1414 +- bcm_kona_gpio_write_lock_regs(kona_gpio, i, LOCK_CODE);
1415 ++ bcm_kona_gpio_write_lock_regs(reg_base, i, LOCK_CODE);
1416 + }
1417 + }
1418 +
1419 +diff --git a/drivers/gpio/gpio-zynq.c b/drivers/gpio/gpio-zynq.c
1420 +index 66d3d247d76d..e72794e463aa 100644
1421 +--- a/drivers/gpio/gpio-zynq.c
1422 ++++ b/drivers/gpio/gpio-zynq.c
1423 +@@ -709,11 +709,17 @@ static int zynq_gpio_probe(struct platform_device *pdev)
1424 + dev_err(&pdev->dev, "input clock not found.\n");
1425 + return PTR_ERR(gpio->clk);
1426 + }
1427 ++ ret = clk_prepare_enable(gpio->clk);
1428 ++ if (ret) {
1429 ++ dev_err(&pdev->dev, "Unable to enable clock.\n");
1430 ++ return ret;
1431 ++ }
1432 +
1433 ++ pm_runtime_set_active(&pdev->dev);
1434 + pm_runtime_enable(&pdev->dev);
1435 + ret = pm_runtime_get_sync(&pdev->dev);
1436 + if (ret < 0)
1437 +- return ret;
1438 ++ goto err_pm_dis;
1439 +
1440 + /* report a bug if gpio chip registration fails */
1441 + ret = gpiochip_add_data(chip, gpio);
1442 +@@ -745,6 +751,9 @@ err_rm_gpiochip:
1443 + gpiochip_remove(chip);
1444 + err_pm_put:
1445 + pm_runtime_put(&pdev->dev);
1446 ++err_pm_dis:
1447 ++ pm_runtime_disable(&pdev->dev);
1448 ++ clk_disable_unprepare(gpio->clk);
1449 +
1450 + return ret;
1451 + }
1452 +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
1453 +index b747c76fd2b1..cf3e71243d6d 100644
1454 +--- a/drivers/gpio/gpiolib.c
1455 ++++ b/drivers/gpio/gpiolib.c
1456 +@@ -438,7 +438,6 @@ static void gpiodevice_release(struct device *dev)
1457 + {
1458 + struct gpio_device *gdev = dev_get_drvdata(dev);
1459 +
1460 +- cdev_del(&gdev->chrdev);
1461 + list_del(&gdev->list);
1462 + ida_simple_remove(&gpio_ida, gdev->id);
1463 + kfree(gdev->label);
1464 +@@ -471,7 +470,6 @@ static int gpiochip_setup_dev(struct gpio_device *gdev)
1465 +
1466 + /* From this point, the .release() function cleans up gpio_device */
1467 + gdev->dev.release = gpiodevice_release;
1468 +- get_device(&gdev->dev);
1469 + pr_debug("%s: registered GPIOs %d to %d on device: %s (%s)\n",
1470 + __func__, gdev->base, gdev->base + gdev->ngpio - 1,
1471 + dev_name(&gdev->dev), gdev->chip->label ? : "generic");
1472 +@@ -742,6 +740,8 @@ void gpiochip_remove(struct gpio_chip *chip)
1473 + * be removed, else it will be dangling until the last user is
1474 + * gone.
1475 + */
1476 ++ cdev_del(&gdev->chrdev);
1477 ++ device_del(&gdev->dev);
1478 + put_device(&gdev->dev);
1479 + }
1480 + EXPORT_SYMBOL_GPL(gpiochip_remove);
1481 +@@ -841,7 +841,7 @@ struct gpio_chip *gpiochip_find(void *data,
1482 +
1483 + spin_lock_irqsave(&gpio_lock, flags);
1484 + list_for_each_entry(gdev, &gpio_devices, list)
1485 +- if (match(gdev->chip, data))
1486 ++ if (gdev->chip && match(gdev->chip, data))
1487 + break;
1488 +
1489 + /* No match? */
1490 +@@ -1339,10 +1339,13 @@ done:
1491 + /*
1492 + * This descriptor validation needs to be inserted verbatim into each
1493 + * function taking a descriptor, so we need to use a preprocessor
1494 +- * macro to avoid endless duplication.
1495 ++ * macro to avoid endless duplication. If the desc is NULL it is an
1496 ++ * optional GPIO and calls should just bail out.
1497 + */
1498 + #define VALIDATE_DESC(desc) do { \
1499 +- if (!desc || !desc->gdev) { \
1500 ++ if (!desc) \
1501 ++ return 0; \
1502 ++ if (!desc->gdev) { \
1503 + pr_warn("%s: invalid GPIO\n", __func__); \
1504 + return -EINVAL; \
1505 + } \
1506 +@@ -1353,7 +1356,9 @@ done:
1507 + } } while (0)
1508 +
1509 + #define VALIDATE_DESC_VOID(desc) do { \
1510 +- if (!desc || !desc->gdev) { \
1511 ++ if (!desc) \
1512 ++ return; \
1513 ++ if (!desc->gdev) { \
1514 + pr_warn("%s: invalid GPIO\n", __func__); \
1515 + return; \
1516 + } \
1517 +@@ -2001,7 +2006,14 @@ int gpiod_to_irq(const struct gpio_desc *desc)
1518 + struct gpio_chip *chip;
1519 + int offset;
1520 +
1521 +- VALIDATE_DESC(desc);
1522 ++ /*
1523 ++ * Cannot VALIDATE_DESC() here as gpiod_to_irq() consumer semantics
1524 ++ * requires this function to not return zero on an invalid descriptor
1525 ++ * but rather a negative error number.
1526 ++ */
1527 ++ if (!desc || !desc->gdev || !desc->gdev->chip)
1528 ++ return -EINVAL;
1529 ++
1530 + chip = desc->gdev->chip;
1531 + offset = gpio_chip_hwgpio(desc);
1532 + return chip->to_irq ? chip->to_irq(chip, offset) : -ENXIO;
1533 +diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
1534 +index e08f962288d9..f30de8053545 100644
1535 +--- a/drivers/gpu/drm/drm_crtc.c
1536 ++++ b/drivers/gpu/drm/drm_crtc.c
1537 +@@ -3434,6 +3434,24 @@ int drm_mode_addfb2(struct drm_device *dev,
1538 + return 0;
1539 + }
1540 +
1541 ++struct drm_mode_rmfb_work {
1542 ++ struct work_struct work;
1543 ++ struct list_head fbs;
1544 ++};
1545 ++
1546 ++static void drm_mode_rmfb_work_fn(struct work_struct *w)
1547 ++{
1548 ++ struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
1549 ++
1550 ++ while (!list_empty(&arg->fbs)) {
1551 ++ struct drm_framebuffer *fb =
1552 ++ list_first_entry(&arg->fbs, typeof(*fb), filp_head);
1553 ++
1554 ++ list_del_init(&fb->filp_head);
1555 ++ drm_framebuffer_remove(fb);
1556 ++ }
1557 ++}
1558 ++
1559 + /**
1560 + * drm_mode_rmfb - remove an FB from the configuration
1561 + * @dev: drm device for the ioctl
1562 +@@ -3474,7 +3492,25 @@ int drm_mode_rmfb(struct drm_device *dev,
1563 + mutex_unlock(&dev->mode_config.fb_lock);
1564 + mutex_unlock(&file_priv->fbs_lock);
1565 +
1566 +- drm_framebuffer_unreference(fb);
1567 ++ /*
1568 ++ * we now own the reference that was stored in the fbs list
1569 ++ *
1570 ++ * drm_framebuffer_remove may fail with -EINTR on pending signals,
1571 ++ * so run this in a separate stack as there's no way to correctly
1572 ++ * handle this after the fb is already removed from the lookup table.
1573 ++ */
1574 ++ if (atomic_read(&fb->refcount.refcount) > 1) {
1575 ++ struct drm_mode_rmfb_work arg;
1576 ++
1577 ++ INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
1578 ++ INIT_LIST_HEAD(&arg.fbs);
1579 ++ list_add_tail(&fb->filp_head, &arg.fbs);
1580 ++
1581 ++ schedule_work(&arg.work);
1582 ++ flush_work(&arg.work);
1583 ++ destroy_work_on_stack(&arg.work);
1584 ++ } else
1585 ++ drm_framebuffer_unreference(fb);
1586 +
1587 + return 0;
1588 +
1589 +@@ -3627,7 +3663,6 @@ out_err1:
1590 + return ret;
1591 + }
1592 +
1593 +-
1594 + /**
1595 + * drm_fb_release - remove and free the FBs on this file
1596 + * @priv: drm file for the ioctl
1597 +@@ -3642,6 +3677,9 @@ out_err1:
1598 + void drm_fb_release(struct drm_file *priv)
1599 + {
1600 + struct drm_framebuffer *fb, *tfb;
1601 ++ struct drm_mode_rmfb_work arg;
1602 ++
1603 ++ INIT_LIST_HEAD(&arg.fbs);
1604 +
1605 + /*
1606 + * When the file gets released that means no one else can access the fb
1607 +@@ -3654,10 +3692,22 @@ void drm_fb_release(struct drm_file *priv)
1608 + * at it any more.
1609 + */
1610 + list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
1611 +- list_del_init(&fb->filp_head);
1612 ++ if (atomic_read(&fb->refcount.refcount) > 1) {
1613 ++ list_move_tail(&fb->filp_head, &arg.fbs);
1614 ++ } else {
1615 ++ list_del_init(&fb->filp_head);
1616 +
1617 +- /* This drops the fpriv->fbs reference. */
1618 +- drm_framebuffer_unreference(fb);
1619 ++ /* This drops the fpriv->fbs reference. */
1620 ++ drm_framebuffer_unreference(fb);
1621 ++ }
1622 ++ }
1623 ++
1624 ++ if (!list_empty(&arg.fbs)) {
1625 ++ INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
1626 ++
1627 ++ schedule_work(&arg.work);
1628 ++ flush_work(&arg.work);
1629 ++ destroy_work_on_stack(&arg.work);
1630 + }
1631 + }
1632 +
1633 +diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
1634 +index 1c212205d0e7..d1a46ef5ab3f 100644
1635 +--- a/drivers/gpu/drm/i915/i915_irq.c
1636 ++++ b/drivers/gpu/drm/i915/i915_irq.c
1637 +@@ -1829,7 +1829,7 @@ static irqreturn_t cherryview_irq_handler(int irq, void *arg)
1638 + /* IRQs are synced during runtime_suspend, we don't require a wakeref */
1639 + disable_rpm_wakeref_asserts(dev_priv);
1640 +
1641 +- do {
1642 ++ for (;;) {
1643 + master_ctl = I915_READ(GEN8_MASTER_IRQ) & ~GEN8_MASTER_IRQ_CONTROL;
1644 + iir = I915_READ(VLV_IIR);
1645 +
1646 +@@ -1857,7 +1857,7 @@ static irqreturn_t cherryview_irq_handler(int irq, void *arg)
1647 +
1648 + I915_WRITE(GEN8_MASTER_IRQ, DE_MASTER_IRQ_CONTROL);
1649 + POSTING_READ(GEN8_MASTER_IRQ);
1650 +- } while (0);
1651 ++ }
1652 +
1653 + enable_rpm_wakeref_asserts(dev_priv);
1654 +
1655 +diff --git a/drivers/net/ethernet/atheros/alx/alx.h b/drivers/net/ethernet/atheros/alx/alx.h
1656 +index 8fc93c5f6abc..d02c4240b7df 100644
1657 +--- a/drivers/net/ethernet/atheros/alx/alx.h
1658 ++++ b/drivers/net/ethernet/atheros/alx/alx.h
1659 +@@ -96,6 +96,10 @@ struct alx_priv {
1660 + unsigned int rx_ringsz;
1661 + unsigned int rxbuf_size;
1662 +
1663 ++ struct page *rx_page;
1664 ++ unsigned int rx_page_offset;
1665 ++ unsigned int rx_frag_size;
1666 ++
1667 + struct napi_struct napi;
1668 + struct alx_tx_queue txq;
1669 + struct alx_rx_queue rxq;
1670 +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
1671 +index 55b118e876fd..8611811fbf88 100644
1672 +--- a/drivers/net/ethernet/atheros/alx/main.c
1673 ++++ b/drivers/net/ethernet/atheros/alx/main.c
1674 +@@ -70,6 +70,35 @@ static void alx_free_txbuf(struct alx_priv *alx, int entry)
1675 + }
1676 + }
1677 +
1678 ++static struct sk_buff *alx_alloc_skb(struct alx_priv *alx, gfp_t gfp)
1679 ++{
1680 ++ struct sk_buff *skb;
1681 ++ struct page *page;
1682 ++
1683 ++ if (alx->rx_frag_size > PAGE_SIZE)
1684 ++ return __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
1685 ++
1686 ++ page = alx->rx_page;
1687 ++ if (!page) {
1688 ++ alx->rx_page = page = alloc_page(gfp);
1689 ++ if (unlikely(!page))
1690 ++ return NULL;
1691 ++ alx->rx_page_offset = 0;
1692 ++ }
1693 ++
1694 ++ skb = build_skb(page_address(page) + alx->rx_page_offset,
1695 ++ alx->rx_frag_size);
1696 ++ if (likely(skb)) {
1697 ++ alx->rx_page_offset += alx->rx_frag_size;
1698 ++ if (alx->rx_page_offset >= PAGE_SIZE)
1699 ++ alx->rx_page = NULL;
1700 ++ else
1701 ++ get_page(page);
1702 ++ }
1703 ++ return skb;
1704 ++}
1705 ++
1706 ++
1707 + static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
1708 + {
1709 + struct alx_rx_queue *rxq = &alx->rxq;
1710 +@@ -86,7 +115,7 @@ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
1711 + while (!cur_buf->skb && next != rxq->read_idx) {
1712 + struct alx_rfd *rfd = &rxq->rfd[cur];
1713 +
1714 +- skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
1715 ++ skb = alx_alloc_skb(alx, gfp);
1716 + if (!skb)
1717 + break;
1718 + dma = dma_map_single(&alx->hw.pdev->dev,
1719 +@@ -124,6 +153,7 @@ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
1720 + alx_write_mem16(&alx->hw, ALX_RFD_PIDX, cur);
1721 + }
1722 +
1723 ++
1724 + return count;
1725 + }
1726 +
1727 +@@ -592,6 +622,11 @@ static void alx_free_rings(struct alx_priv *alx)
1728 + kfree(alx->txq.bufs);
1729 + kfree(alx->rxq.bufs);
1730 +
1731 ++ if (alx->rx_page) {
1732 ++ put_page(alx->rx_page);
1733 ++ alx->rx_page = NULL;
1734 ++ }
1735 ++
1736 + dma_free_coherent(&alx->hw.pdev->dev,
1737 + alx->descmem.size,
1738 + alx->descmem.virt,
1739 +@@ -646,6 +681,7 @@ static int alx_request_irq(struct alx_priv *alx)
1740 + alx->dev->name, alx);
1741 + if (!err)
1742 + goto out;
1743 ++
1744 + /* fall back to legacy interrupt */
1745 + pci_disable_msi(alx->hw.pdev);
1746 + }
1747 +@@ -689,6 +725,7 @@ static int alx_init_sw(struct alx_priv *alx)
1748 + struct pci_dev *pdev = alx->hw.pdev;
1749 + struct alx_hw *hw = &alx->hw;
1750 + int err;
1751 ++ unsigned int head_size;
1752 +
1753 + err = alx_identify_hw(alx);
1754 + if (err) {
1755 +@@ -704,7 +741,12 @@ static int alx_init_sw(struct alx_priv *alx)
1756 +
1757 + hw->smb_timer = 400;
1758 + hw->mtu = alx->dev->mtu;
1759 ++
1760 + alx->rxbuf_size = ALX_MAX_FRAME_LEN(hw->mtu);
1761 ++ head_size = SKB_DATA_ALIGN(alx->rxbuf_size + NET_SKB_PAD) +
1762 ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
1763 ++ alx->rx_frag_size = roundup_pow_of_two(head_size);
1764 ++
1765 + alx->tx_ringsz = 256;
1766 + alx->rx_ringsz = 512;
1767 + hw->imt = 200;
1768 +@@ -806,6 +848,7 @@ static int alx_change_mtu(struct net_device *netdev, int mtu)
1769 + {
1770 + struct alx_priv *alx = netdev_priv(netdev);
1771 + int max_frame = ALX_MAX_FRAME_LEN(mtu);
1772 ++ unsigned int head_size;
1773 +
1774 + if ((max_frame < ALX_MIN_FRAME_SIZE) ||
1775 + (max_frame > ALX_MAX_FRAME_SIZE))
1776 +@@ -817,6 +860,9 @@ static int alx_change_mtu(struct net_device *netdev, int mtu)
1777 + netdev->mtu = mtu;
1778 + alx->hw.mtu = mtu;
1779 + alx->rxbuf_size = max(max_frame, ALX_DEF_RXBUF_SIZE);
1780 ++ head_size = SKB_DATA_ALIGN(alx->rxbuf_size + NET_SKB_PAD) +
1781 ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
1782 ++ alx->rx_frag_size = roundup_pow_of_two(head_size);
1783 + netdev_update_features(netdev);
1784 + if (netif_running(netdev))
1785 + alx_reinit(alx);
1786 +diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c
1787 +index 085f9125cf42..06f031715b57 100644
1788 +--- a/drivers/net/ethernet/ezchip/nps_enet.c
1789 ++++ b/drivers/net/ethernet/ezchip/nps_enet.c
1790 +@@ -205,8 +205,10 @@ static int nps_enet_poll(struct napi_struct *napi, int budget)
1791 + * re-adding ourselves to the poll list.
1792 + */
1793 +
1794 +- if (priv->tx_skb && !tx_ctrl_ct)
1795 ++ if (priv->tx_skb && !tx_ctrl_ct) {
1796 ++ nps_enet_reg_set(priv, NPS_ENET_REG_BUF_INT_ENABLE, 0);
1797 + napi_reschedule(napi);
1798 ++ }
1799 + }
1800 +
1801 + return work_done;
1802 +diff --git a/drivers/net/ethernet/marvell/mvneta_bm.c b/drivers/net/ethernet/marvell/mvneta_bm.c
1803 +index 01fccec632ec..466939f8f0cf 100644
1804 +--- a/drivers/net/ethernet/marvell/mvneta_bm.c
1805 ++++ b/drivers/net/ethernet/marvell/mvneta_bm.c
1806 +@@ -189,6 +189,7 @@ struct mvneta_bm_pool *mvneta_bm_pool_use(struct mvneta_bm *priv, u8 pool_id,
1807 + SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
1808 + hwbm_pool->construct = mvneta_bm_construct;
1809 + hwbm_pool->priv = new_pool;
1810 ++ spin_lock_init(&hwbm_pool->lock);
1811 +
1812 + /* Create new pool */
1813 + err = mvneta_bm_pool_create(priv, new_pool);
1814 +diff --git a/drivers/net/ethernet/rocker/rocker_ofdpa.c b/drivers/net/ethernet/rocker/rocker_ofdpa.c
1815 +index 0e758bcb26b0..1ca796316173 100644
1816 +--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c
1817 ++++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c
1818 +@@ -2727,7 +2727,7 @@ static int ofdpa_port_obj_fib4_add(struct rocker_port *rocker_port,
1819 +
1820 + return ofdpa_port_fib_ipv4(ofdpa_port, trans,
1821 + htonl(fib4->dst), fib4->dst_len,
1822 +- &fib4->fi, fib4->tb_id, 0);
1823 ++ fib4->fi, fib4->tb_id, 0);
1824 + }
1825 +
1826 + static int ofdpa_port_obj_fib4_del(struct rocker_port *rocker_port,
1827 +@@ -2737,7 +2737,7 @@ static int ofdpa_port_obj_fib4_del(struct rocker_port *rocker_port,
1828 +
1829 + return ofdpa_port_fib_ipv4(ofdpa_port, NULL,
1830 + htonl(fib4->dst), fib4->dst_len,
1831 +- &fib4->fi, fib4->tb_id,
1832 ++ fib4->fi, fib4->tb_id,
1833 + OFDPA_OP_FLAG_REMOVE);
1834 + }
1835 +
1836 +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
1837 +index 1681084cc96f..1f309127457d 100644
1838 +--- a/drivers/net/ethernet/sfc/ef10.c
1839 ++++ b/drivers/net/ethernet/sfc/ef10.c
1840 +@@ -619,6 +619,17 @@ fail:
1841 + return rc;
1842 + }
1843 +
1844 ++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
1845 ++{
1846 ++ struct efx_channel *channel;
1847 ++ struct efx_tx_queue *tx_queue;
1848 ++
1849 ++ /* All our existing PIO buffers went away */
1850 ++ efx_for_each_channel(channel, efx)
1851 ++ efx_for_each_channel_tx_queue(tx_queue, channel)
1852 ++ tx_queue->piobuf = NULL;
1853 ++}
1854 ++
1855 + #else /* !EFX_USE_PIO */
1856 +
1857 + static int efx_ef10_alloc_piobufs(struct efx_nic *efx, unsigned int n)
1858 +@@ -635,6 +646,10 @@ static void efx_ef10_free_piobufs(struct efx_nic *efx)
1859 + {
1860 + }
1861 +
1862 ++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
1863 ++{
1864 ++}
1865 ++
1866 + #endif /* EFX_USE_PIO */
1867 +
1868 + static void efx_ef10_remove(struct efx_nic *efx)
1869 +@@ -1018,6 +1033,7 @@ static void efx_ef10_reset_mc_allocations(struct efx_nic *efx)
1870 + nic_data->must_realloc_vis = true;
1871 + nic_data->must_restore_filters = true;
1872 + nic_data->must_restore_piobufs = true;
1873 ++ efx_ef10_forget_old_piobufs(efx);
1874 + nic_data->rx_rss_context = EFX_EF10_RSS_CONTEXT_INVALID;
1875 +
1876 + /* Driver-created vswitches and vports must be re-created */
1877 +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
1878 +index 06704ca6f9ca..8683a21690b5 100644
1879 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
1880 ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
1881 +@@ -209,7 +209,7 @@ int stmmac_mdio_register(struct net_device *ndev)
1882 + return -ENOMEM;
1883 +
1884 + if (mdio_bus_data->irqs)
1885 +- memcpy(new_bus->irq, mdio_bus_data, sizeof(new_bus->irq));
1886 ++ memcpy(new_bus->irq, mdio_bus_data->irqs, sizeof(new_bus->irq));
1887 +
1888 + #ifdef CONFIG_OF
1889 + if (priv->device->of_node)
1890 +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
1891 +index 7b0a644122eb..9fcb4898fb68 100644
1892 +--- a/drivers/net/geneve.c
1893 ++++ b/drivers/net/geneve.c
1894 +@@ -336,15 +336,15 @@ static int geneve_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
1895 +
1896 + /* Need Geneve and inner Ethernet header to be present */
1897 + if (unlikely(!pskb_may_pull(skb, GENEVE_BASE_HLEN)))
1898 +- goto error;
1899 ++ goto drop;
1900 +
1901 + /* Return packets with reserved bits set */
1902 + geneveh = geneve_hdr(skb);
1903 + if (unlikely(geneveh->ver != GENEVE_VER))
1904 +- goto error;
1905 ++ goto drop;
1906 +
1907 + if (unlikely(geneveh->proto_type != htons(ETH_P_TEB)))
1908 +- goto error;
1909 ++ goto drop;
1910 +
1911 + gs = rcu_dereference_sk_user_data(sk);
1912 + if (!gs)
1913 +@@ -367,10 +367,6 @@ drop:
1914 + /* Consume bad packet */
1915 + kfree_skb(skb);
1916 + return 0;
1917 +-
1918 +-error:
1919 +- /* Let the UDP layer deal with the skb */
1920 +- return 1;
1921 + }
1922 +
1923 + static struct socket *geneve_create_sock(struct net *net, bool ipv6,
1924 +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
1925 +index 92eaab95ae2b..9e803bbcc0b6 100644
1926 +--- a/drivers/net/macsec.c
1927 ++++ b/drivers/net/macsec.c
1928 +@@ -1645,7 +1645,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
1929 + if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
1930 + rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
1931 +
1932 +- nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEY], MACSEC_KEYID_LEN);
1933 ++ nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
1934 + rx_sa->sc = rx_sc;
1935 + rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
1936 +
1937 +@@ -1784,7 +1784,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
1938 + return -ENOMEM;
1939 + }
1940 +
1941 +- nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEY], MACSEC_KEYID_LEN);
1942 ++ nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
1943 +
1944 + spin_lock_bh(&tx_sa->lock);
1945 + tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
1946 +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
1947 +index a0f64cba86ba..2ace126533cd 100644
1948 +--- a/drivers/net/team/team.c
1949 ++++ b/drivers/net/team/team.c
1950 +@@ -990,7 +990,7 @@ static void team_port_disable(struct team *team,
1951 + #define TEAM_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
1952 + NETIF_F_RXCSUM | NETIF_F_ALL_TSO)
1953 +
1954 +-static void __team_compute_features(struct team *team)
1955 ++static void ___team_compute_features(struct team *team)
1956 + {
1957 + struct team_port *port;
1958 + u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
1959 +@@ -1021,15 +1021,20 @@ static void __team_compute_features(struct team *team)
1960 + team->dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
1961 + if (dst_release_flag == (IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM))
1962 + team->dev->priv_flags |= IFF_XMIT_DST_RELEASE;
1963 ++}
1964 +
1965 ++static void __team_compute_features(struct team *team)
1966 ++{
1967 ++ ___team_compute_features(team);
1968 + netdev_change_features(team->dev);
1969 + }
1970 +
1971 + static void team_compute_features(struct team *team)
1972 + {
1973 + mutex_lock(&team->lock);
1974 +- __team_compute_features(team);
1975 ++ ___team_compute_features(team);
1976 + mutex_unlock(&team->lock);
1977 ++ netdev_change_features(team->dev);
1978 + }
1979 +
1980 + static int team_port_enter(struct team *team, struct team_port *port)
1981 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
1982 +index 2c9e45f50edb..dda490542624 100644
1983 +--- a/drivers/net/tun.c
1984 ++++ b/drivers/net/tun.c
1985 +@@ -568,11 +568,13 @@ static void tun_detach_all(struct net_device *dev)
1986 + for (i = 0; i < n; i++) {
1987 + tfile = rtnl_dereference(tun->tfiles[i]);
1988 + BUG_ON(!tfile);
1989 ++ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
1990 + tfile->socket.sk->sk_data_ready(tfile->socket.sk);
1991 + RCU_INIT_POINTER(tfile->tun, NULL);
1992 + --tun->numqueues;
1993 + }
1994 + list_for_each_entry(tfile, &tun->disabled, next) {
1995 ++ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
1996 + tfile->socket.sk->sk_data_ready(tfile->socket.sk);
1997 + RCU_INIT_POINTER(tfile->tun, NULL);
1998 + }
1999 +@@ -628,6 +630,7 @@ static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filte
2000 + goto out;
2001 + }
2002 + tfile->queue_index = tun->numqueues;
2003 ++ tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN;
2004 + rcu_assign_pointer(tfile->tun, tun);
2005 + rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
2006 + tun->numqueues++;
2007 +@@ -1425,9 +1428,6 @@ static ssize_t tun_do_read(struct tun_struct *tun, struct tun_file *tfile,
2008 + if (!iov_iter_count(to))
2009 + return 0;
2010 +
2011 +- if (tun->dev->reg_state != NETREG_REGISTERED)
2012 +- return -EIO;
2013 +-
2014 + /* Read frames from queue */
2015 + skb = __skb_recv_datagram(tfile->socket.sk, noblock ? MSG_DONTWAIT : 0,
2016 + &peeked, &off, &err);
2017 +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
2018 +index 8ac261ab7d7d..7e29b55015d0 100644
2019 +--- a/drivers/net/vxlan.c
2020 ++++ b/drivers/net/vxlan.c
2021 +@@ -1262,7 +1262,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
2022 +
2023 + /* Need Vxlan and inner Ethernet header to be present */
2024 + if (!pskb_may_pull(skb, VXLAN_HLEN))
2025 +- return 1;
2026 ++ goto drop;
2027 +
2028 + unparsed = *vxlan_hdr(skb);
2029 + /* VNI flag always required to be set */
2030 +@@ -1271,7 +1271,7 @@ static int vxlan_rcv(struct sock *sk, struct sk_buff *skb)
2031 + ntohl(vxlan_hdr(skb)->vx_flags),
2032 + ntohl(vxlan_hdr(skb)->vx_vni));
2033 + /* Return non vxlan pkt */
2034 +- return 1;
2035 ++ goto drop;
2036 + }
2037 + unparsed.vx_flags &= ~VXLAN_HF_VNI;
2038 + unparsed.vx_vni &= ~VXLAN_VNI_MASK;
2039 +@@ -2959,6 +2959,9 @@ static int vxlan_newlink(struct net *src_net, struct net_device *dev,
2040 + if (data[IFLA_VXLAN_REMCSUM_NOPARTIAL])
2041 + conf.flags |= VXLAN_F_REMCSUM_NOPARTIAL;
2042 +
2043 ++ if (tb[IFLA_MTU])
2044 ++ conf.mtu = nla_get_u32(tb[IFLA_MTU]);
2045 ++
2046 + err = vxlan_dev_configure(src_net, dev, &conf);
2047 + switch (err) {
2048 + case -ENODEV:
2049 +diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c
2050 +index f70090897fdf..0e537fdc1d08 100644
2051 +--- a/drivers/perf/arm_pmu.c
2052 ++++ b/drivers/perf/arm_pmu.c
2053 +@@ -987,9 +987,6 @@ int arm_pmu_device_probe(struct platform_device *pdev,
2054 +
2055 + armpmu_init(pmu);
2056 +
2057 +- if (!__oprofile_cpu_pmu)
2058 +- __oprofile_cpu_pmu = pmu;
2059 +-
2060 + pmu->plat_device = pdev;
2061 +
2062 + if (node && (of_id = of_match_node(of_table, pdev->dev.of_node))) {
2063 +@@ -1025,6 +1022,9 @@ int arm_pmu_device_probe(struct platform_device *pdev,
2064 + if (ret)
2065 + goto out_destroy;
2066 +
2067 ++ if (!__oprofile_cpu_pmu)
2068 ++ __oprofile_cpu_pmu = pmu;
2069 ++
2070 + pr_info("enabled with %s PMU driver, %d counters available\n",
2071 + pmu->name, pmu->num_events);
2072 +
2073 +diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
2074 +index 6ab8c3ccdeea..fba2dd99ee95 100644
2075 +--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
2076 ++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
2077 +@@ -1256,9 +1256,10 @@ static void mtk_eint_irq_handler(struct irq_desc *desc)
2078 + const struct mtk_desc_pin *pin;
2079 +
2080 + chained_irq_enter(chip, desc);
2081 +- for (eint_num = 0; eint_num < pctl->devdata->ap_num; eint_num += 32) {
2082 ++ for (eint_num = 0;
2083 ++ eint_num < pctl->devdata->ap_num;
2084 ++ eint_num += 32, reg += 4) {
2085 + status = readl(reg);
2086 +- reg += 4;
2087 + while (status) {
2088 + offset = __ffs(status);
2089 + index = eint_num + offset;
2090 +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
2091 +index 3408578b08d6..ff41c310c900 100644
2092 +--- a/drivers/scsi/scsi_devinfo.c
2093 ++++ b/drivers/scsi/scsi_devinfo.c
2094 +@@ -230,6 +230,7 @@ static struct {
2095 + {"PIONEER", "CD-ROM DRM-624X", NULL, BLIST_FORCELUN | BLIST_SINGLELUN},
2096 + {"Promise", "VTrak E610f", NULL, BLIST_SPARSELUN | BLIST_NO_RSOC},
2097 + {"Promise", "", NULL, BLIST_SPARSELUN},
2098 ++ {"QEMU", "QEMU CD-ROM", NULL, BLIST_SKIP_VPD_PAGES},
2099 + {"QNAP", "iSCSI Storage", NULL, BLIST_MAX_1024},
2100 + {"SYNOLOGY", "iSCSI Storage", NULL, BLIST_MAX_1024},
2101 + {"QUANTUM", "XP34301", "1071", BLIST_NOTQ},
2102 +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
2103 +index 8106515d1df8..f704d02645f1 100644
2104 +--- a/drivers/scsi/scsi_lib.c
2105 ++++ b/drivers/scsi/scsi_lib.c
2106 +@@ -911,9 +911,12 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
2107 + }
2108 +
2109 + /*
2110 +- * If we finished all bytes in the request we are done now.
2111 ++ * special case: failed zero length commands always need to
2112 ++ * drop down into the retry code. Otherwise, if we finished
2113 ++ * all bytes in the request we are done now.
2114 + */
2115 +- if (!scsi_end_request(req, error, good_bytes, 0))
2116 ++ if (!(blk_rq_bytes(req) == 0 && error) &&
2117 ++ !scsi_end_request(req, error, good_bytes, 0))
2118 + return;
2119 +
2120 + /*
2121 +diff --git a/fs/dcache.c b/fs/dcache.c
2122 +index d5ecc6e477da..44008e3fafc4 100644
2123 +--- a/fs/dcache.c
2124 ++++ b/fs/dcache.c
2125 +@@ -1619,7 +1619,7 @@ struct dentry *d_alloc(struct dentry * parent, const struct qstr *name)
2126 + struct dentry *dentry = __d_alloc(parent->d_sb, name);
2127 + if (!dentry)
2128 + return NULL;
2129 +-
2130 ++ dentry->d_flags |= DCACHE_RCUACCESS;
2131 + spin_lock(&parent->d_lock);
2132 + /*
2133 + * don't need child lock because it is not subject
2134 +@@ -2338,7 +2338,6 @@ static void __d_rehash(struct dentry * entry, struct hlist_bl_head *b)
2135 + {
2136 + BUG_ON(!d_unhashed(entry));
2137 + hlist_bl_lock(b);
2138 +- entry->d_flags |= DCACHE_RCUACCESS;
2139 + hlist_bl_add_head_rcu(&entry->d_hash, b);
2140 + hlist_bl_unlock(b);
2141 + }
2142 +@@ -2637,6 +2636,7 @@ static void __d_move(struct dentry *dentry, struct dentry *target,
2143 + /* ... and switch them in the tree */
2144 + if (IS_ROOT(dentry)) {
2145 + /* splicing a tree */
2146 ++ dentry->d_flags |= DCACHE_RCUACCESS;
2147 + dentry->d_parent = target->d_parent;
2148 + target->d_parent = target;
2149 + list_del_init(&target->d_child);
2150 +diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
2151 +index 866bb18efefe..e818f5ac7a26 100644
2152 +--- a/fs/ecryptfs/kthread.c
2153 ++++ b/fs/ecryptfs/kthread.c
2154 +@@ -25,6 +25,7 @@
2155 + #include <linux/slab.h>
2156 + #include <linux/wait.h>
2157 + #include <linux/mount.h>
2158 ++#include <linux/file.h>
2159 + #include "ecryptfs_kernel.h"
2160 +
2161 + struct ecryptfs_open_req {
2162 +@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
2163 + flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
2164 + (*lower_file) = dentry_open(&req.path, flags, cred);
2165 + if (!IS_ERR(*lower_file))
2166 +- goto out;
2167 ++ goto have_file;
2168 + if ((flags & O_ACCMODE) == O_RDONLY) {
2169 + rc = PTR_ERR((*lower_file));
2170 + goto out;
2171 +@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file,
2172 + mutex_unlock(&ecryptfs_kthread_ctl.mux);
2173 + wake_up(&ecryptfs_kthread_ctl.wait);
2174 + wait_for_completion(&req.done);
2175 +- if (IS_ERR(*lower_file))
2176 ++ if (IS_ERR(*lower_file)) {
2177 + rc = PTR_ERR(*lower_file);
2178 ++ goto out;
2179 ++ }
2180 ++have_file:
2181 ++ if ((*lower_file)->f_op->mmap == NULL) {
2182 ++ fput(*lower_file);
2183 ++ *lower_file = NULL;
2184 ++ rc = -EMEDIUMTYPE;
2185 ++ }
2186 + out:
2187 + return rc;
2188 + }
2189 +diff --git a/fs/proc/root.c b/fs/proc/root.c
2190 +index 361ab4ee42fc..ec649c92d270 100644
2191 +--- a/fs/proc/root.c
2192 ++++ b/fs/proc/root.c
2193 +@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
2194 + if (IS_ERR(sb))
2195 + return ERR_CAST(sb);
2196 +
2197 ++ /*
2198 ++ * procfs isn't actually a stacking filesystem; however, there is
2199 ++ * too much magic going on inside it to permit stacking things on
2200 ++ * top of it
2201 ++ */
2202 ++ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
2203 ++
2204 + if (!proc_parse_options(options, ns)) {
2205 + deactivate_locked_super(sb);
2206 + return ERR_PTR(-EINVAL);
2207 +diff --git a/include/linux/irqchip/arm-gic-v3.h b/include/linux/irqchip/arm-gic-v3.h
2208 +index d5d798b35c1f..e98425058f20 100644
2209 +--- a/include/linux/irqchip/arm-gic-v3.h
2210 ++++ b/include/linux/irqchip/arm-gic-v3.h
2211 +@@ -301,7 +301,7 @@
2212 + #define ICC_SGI1R_AFFINITY_1_SHIFT 16
2213 + #define ICC_SGI1R_AFFINITY_1_MASK (0xff << ICC_SGI1R_AFFINITY_1_SHIFT)
2214 + #define ICC_SGI1R_SGI_ID_SHIFT 24
2215 +-#define ICC_SGI1R_SGI_ID_MASK (0xff << ICC_SGI1R_SGI_ID_SHIFT)
2216 ++#define ICC_SGI1R_SGI_ID_MASK (0xfULL << ICC_SGI1R_SGI_ID_SHIFT)
2217 + #define ICC_SGI1R_AFFINITY_2_SHIFT 32
2218 + #define ICC_SGI1R_AFFINITY_2_MASK (0xffULL << ICC_SGI1R_AFFINITY_1_SHIFT)
2219 + #define ICC_SGI1R_IRQ_ROUTING_MODE_BIT 40
2220 +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
2221 +index 80a305b85323..4dd9306c9d56 100644
2222 +--- a/include/linux/netfilter/x_tables.h
2223 ++++ b/include/linux/netfilter/x_tables.h
2224 +@@ -242,11 +242,18 @@ void xt_unregister_match(struct xt_match *target);
2225 + int xt_register_matches(struct xt_match *match, unsigned int n);
2226 + void xt_unregister_matches(struct xt_match *match, unsigned int n);
2227 +
2228 ++int xt_check_entry_offsets(const void *base, const char *elems,
2229 ++ unsigned int target_offset,
2230 ++ unsigned int next_offset);
2231 ++
2232 + int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
2233 + bool inv_proto);
2234 + int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
2235 + bool inv_proto);
2236 +
2237 ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
2238 ++ struct xt_counters_info *info, bool compat);
2239 ++
2240 + struct xt_table *xt_register_table(struct net *net,
2241 + const struct xt_table *table,
2242 + struct xt_table_info *bootstrap,
2243 +@@ -480,7 +487,7 @@ void xt_compat_init_offsets(u_int8_t af, unsigned int number);
2244 + int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
2245 +
2246 + int xt_compat_match_offset(const struct xt_match *match);
2247 +-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
2248 ++void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
2249 + unsigned int *size);
2250 + int xt_compat_match_to_user(const struct xt_entry_match *m,
2251 + void __user **dstptr, unsigned int *size);
2252 +@@ -490,6 +497,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
2253 + unsigned int *size);
2254 + int xt_compat_target_to_user(const struct xt_entry_target *t,
2255 + void __user **dstptr, unsigned int *size);
2256 ++int xt_compat_check_entry_offsets(const void *base, const char *elems,
2257 ++ unsigned int target_offset,
2258 ++ unsigned int next_offset);
2259 +
2260 + #endif /* CONFIG_COMPAT */
2261 + #endif /* _X_TABLES_H */
2262 +diff --git a/include/net/switchdev.h b/include/net/switchdev.h
2263 +index 51d77b2ce2b2..985619a59323 100644
2264 +--- a/include/net/switchdev.h
2265 ++++ b/include/net/switchdev.h
2266 +@@ -97,7 +97,7 @@ struct switchdev_obj_ipv4_fib {
2267 + struct switchdev_obj obj;
2268 + u32 dst;
2269 + int dst_len;
2270 +- struct fib_info fi;
2271 ++ struct fib_info *fi;
2272 + u8 tos;
2273 + u8 type;
2274 + u32 nlflags;
2275 +diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
2276 +index d5e38c73377c..e4f048ee7043 100644
2277 +--- a/include/uapi/linux/libc-compat.h
2278 ++++ b/include/uapi/linux/libc-compat.h
2279 +@@ -52,7 +52,7 @@
2280 + #if defined(__GLIBC__)
2281 +
2282 + /* Coordinate with glibc net/if.h header. */
2283 +-#if defined(_NET_IF_H)
2284 ++#if defined(_NET_IF_H) && defined(__USE_MISC)
2285 +
2286 + /* GLIBC headers included first so don't define anything
2287 + * that would already be defined. */
2288 +diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
2289 +index 8f94ca1860cf..b2aefa2d123a 100644
2290 +--- a/kernel/bpf/inode.c
2291 ++++ b/kernel/bpf/inode.c
2292 +@@ -378,7 +378,7 @@ static int bpf_fill_super(struct super_block *sb, void *data, int silent)
2293 + static struct dentry *bpf_mount(struct file_system_type *type, int flags,
2294 + const char *dev_name, void *data)
2295 + {
2296 +- return mount_ns(type, flags, current->nsproxy->mnt_ns, bpf_fill_super);
2297 ++ return mount_nodev(type, flags, data, bpf_fill_super);
2298 + }
2299 +
2300 + static struct file_system_type bpf_fs_type = {
2301 +@@ -386,7 +386,6 @@ static struct file_system_type bpf_fs_type = {
2302 + .name = "bpf",
2303 + .mount = bpf_mount,
2304 + .kill_sb = kill_litter_super,
2305 +- .fs_flags = FS_USERNS_MOUNT,
2306 + };
2307 +
2308 + MODULE_ALIAS_FS("bpf");
2309 +diff --git a/kernel/sched/core.c b/kernel/sched/core.c
2310 +index d1f7149f8704..11546a6ed5df 100644
2311 +--- a/kernel/sched/core.c
2312 ++++ b/kernel/sched/core.c
2313 +@@ -3047,7 +3047,8 @@ static noinline void __schedule_bug(struct task_struct *prev)
2314 + static inline void schedule_debug(struct task_struct *prev)
2315 + {
2316 + #ifdef CONFIG_SCHED_STACK_END_CHECK
2317 +- BUG_ON(task_stack_end_corrupted(prev));
2318 ++ if (task_stack_end_corrupted(prev))
2319 ++ panic("corrupted stack end detected inside scheduler\n");
2320 + #endif
2321 +
2322 + if (unlikely(in_atomic_preempt_off())) {
2323 +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
2324 +index 3e4ffb3ace5f..d0289414cdeb 100644
2325 +--- a/kernel/trace/bpf_trace.c
2326 ++++ b/kernel/trace/bpf_trace.c
2327 +@@ -194,7 +194,7 @@ static u64 bpf_perf_event_read(u64 r1, u64 index, u64 r3, u64 r4, u64 r5)
2328 + if (unlikely(index >= array->map.max_entries))
2329 + return -E2BIG;
2330 +
2331 +- file = (struct file *)array->ptrs[index];
2332 ++ file = READ_ONCE(array->ptrs[index]);
2333 + if (unlikely(!file))
2334 + return -ENOENT;
2335 +
2336 +@@ -238,7 +238,7 @@ static u64 bpf_perf_event_output(u64 r1, u64 r2, u64 index, u64 r4, u64 size)
2337 + if (unlikely(index >= array->map.max_entries))
2338 + return -E2BIG;
2339 +
2340 +- file = (struct file *)array->ptrs[index];
2341 ++ file = READ_ONCE(array->ptrs[index]);
2342 + if (unlikely(!file))
2343 + return -ENOENT;
2344 +
2345 +diff --git a/mm/memcontrol.c b/mm/memcontrol.c
2346 +index fe787f5c41bd..a2e79b83920f 100644
2347 +--- a/mm/memcontrol.c
2348 ++++ b/mm/memcontrol.c
2349 +@@ -2877,6 +2877,7 @@ static void memcg_offline_kmem(struct mem_cgroup *memcg)
2350 + * ordering is imposed by list_lru_node->lock taken by
2351 + * memcg_drain_all_list_lrus().
2352 + */
2353 ++ rcu_read_lock(); /* can be called from css_free w/o cgroup_mutex */
2354 + css_for_each_descendant_pre(css, &memcg->css) {
2355 + child = mem_cgroup_from_css(css);
2356 + BUG_ON(child->kmemcg_id != kmemcg_id);
2357 +@@ -2884,6 +2885,8 @@ static void memcg_offline_kmem(struct mem_cgroup *memcg)
2358 + if (!memcg->use_hierarchy)
2359 + break;
2360 + }
2361 ++ rcu_read_unlock();
2362 ++
2363 + memcg_drain_all_list_lrus(kmemcg_id, parent->kmemcg_id);
2364 +
2365 + memcg_free_cache_id(kmemcg_id);
2366 +diff --git a/mm/swap_state.c b/mm/swap_state.c
2367 +index 366ce3518703..1155a6831a3d 100644
2368 +--- a/mm/swap_state.c
2369 ++++ b/mm/swap_state.c
2370 +@@ -252,7 +252,10 @@ static inline void free_swap_cache(struct page *page)
2371 + void free_page_and_swap_cache(struct page *page)
2372 + {
2373 + free_swap_cache(page);
2374 +- put_page(page);
2375 ++ if (is_huge_zero_page(page))
2376 ++ put_huge_zero_page();
2377 ++ else
2378 ++ put_page(page);
2379 + }
2380 +
2381 + /*
2382 +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
2383 +index dcea4f4c62b3..c18080ad4085 100644
2384 +--- a/net/bridge/br_fdb.c
2385 ++++ b/net/bridge/br_fdb.c
2386 +@@ -279,6 +279,8 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
2387 + * change from under us.
2388 + */
2389 + list_for_each_entry(v, &vg->vlan_list, vlist) {
2390 ++ if (!br_vlan_should_use(v))
2391 ++ continue;
2392 + f = __br_fdb_get(br, br->dev->dev_addr, v->vid);
2393 + if (f && f->is_local && !f->dst)
2394 + fdb_delete_local(br, NULL, f);
2395 +diff --git a/net/core/hwbm.c b/net/core/hwbm.c
2396 +index 941c28486896..2cab489ae62e 100644
2397 +--- a/net/core/hwbm.c
2398 ++++ b/net/core/hwbm.c
2399 +@@ -55,18 +55,21 @@ int hwbm_pool_add(struct hwbm_pool *bm_pool, unsigned int buf_num, gfp_t gfp)
2400 + spin_lock_irqsave(&bm_pool->lock, flags);
2401 + if (bm_pool->buf_num == bm_pool->size) {
2402 + pr_warn("pool already filled\n");
2403 ++ spin_unlock_irqrestore(&bm_pool->lock, flags);
2404 + return bm_pool->buf_num;
2405 + }
2406 +
2407 + if (buf_num + bm_pool->buf_num > bm_pool->size) {
2408 + pr_warn("cannot allocate %d buffers for pool\n",
2409 + buf_num);
2410 ++ spin_unlock_irqrestore(&bm_pool->lock, flags);
2411 + return 0;
2412 + }
2413 +
2414 + if ((buf_num + bm_pool->buf_num) < bm_pool->buf_num) {
2415 + pr_warn("Adding %d buffers to the %d current buffers will overflow\n",
2416 + buf_num, bm_pool->buf_num);
2417 ++ spin_unlock_irqrestore(&bm_pool->lock, flags);
2418 + return 0;
2419 + }
2420 +
2421 +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
2422 +index 9e481992dbae..7ad0e567cf10 100644
2423 +--- a/net/ipv4/af_inet.c
2424 ++++ b/net/ipv4/af_inet.c
2425 +@@ -1660,6 +1660,14 @@ static __net_init int inet_init_net(struct net *net)
2426 + */
2427 + net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 1);
2428 + net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 0);
2429 ++
2430 ++ /* Default values for sysctl-controlled parameters.
2431 ++ * We set them here, in case sysctl is not compiled.
2432 ++ */
2433 ++ net->ipv4.sysctl_ip_default_ttl = IPDEFTTL;
2434 ++ net->ipv4.sysctl_ip_dynaddr = 0;
2435 ++ net->ipv4.sysctl_ip_early_demux = 1;
2436 ++
2437 + return 0;
2438 + }
2439 +
2440 +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
2441 +index 4133b0f513af..85d60c69bfe3 100644
2442 +--- a/net/ipv4/netfilter/arp_tables.c
2443 ++++ b/net/ipv4/netfilter/arp_tables.c
2444 +@@ -367,6 +367,18 @@ static inline bool unconditional(const struct arpt_entry *e)
2445 + memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
2446 + }
2447 +
2448 ++static bool find_jump_target(const struct xt_table_info *t,
2449 ++ const struct arpt_entry *target)
2450 ++{
2451 ++ struct arpt_entry *iter;
2452 ++
2453 ++ xt_entry_foreach(iter, t->entries, t->size) {
2454 ++ if (iter == target)
2455 ++ return true;
2456 ++ }
2457 ++ return false;
2458 ++}
2459 ++
2460 + /* Figures out from what hook each rule can be called: returns 0 if
2461 + * there are loops. Puts hook bitmask in comefrom.
2462 + */
2463 +@@ -439,6 +451,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
2464 + size = e->next_offset;
2465 + e = (struct arpt_entry *)
2466 + (entry0 + pos + size);
2467 ++ if (pos + size >= newinfo->size)
2468 ++ return 0;
2469 + e->counters.pcnt = pos;
2470 + pos += size;
2471 + } else {
2472 +@@ -458,9 +472,15 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
2473 + /* This a jump; chase it. */
2474 + duprintf("Jump rule %u -> %u\n",
2475 + pos, newpos);
2476 ++ e = (struct arpt_entry *)
2477 ++ (entry0 + newpos);
2478 ++ if (!find_jump_target(newinfo, e))
2479 ++ return 0;
2480 + } else {
2481 + /* ... this is a fallthru */
2482 + newpos = pos + e->next_offset;
2483 ++ if (newpos >= newinfo->size)
2484 ++ return 0;
2485 + }
2486 + e = (struct arpt_entry *)
2487 + (entry0 + newpos);
2488 +@@ -474,23 +494,6 @@ next:
2489 + return 1;
2490 + }
2491 +
2492 +-static inline int check_entry(const struct arpt_entry *e)
2493 +-{
2494 +- const struct xt_entry_target *t;
2495 +-
2496 +- if (!arp_checkentry(&e->arp))
2497 +- return -EINVAL;
2498 +-
2499 +- if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
2500 +- return -EINVAL;
2501 +-
2502 +- t = arpt_get_target_c(e);
2503 +- if (e->target_offset + t->u.target_size > e->next_offset)
2504 +- return -EINVAL;
2505 +-
2506 +- return 0;
2507 +-}
2508 +-
2509 + static inline int check_target(struct arpt_entry *e, const char *name)
2510 + {
2511 + struct xt_entry_target *t = arpt_get_target(e);
2512 +@@ -586,7 +589,11 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
2513 + return -EINVAL;
2514 + }
2515 +
2516 +- err = check_entry(e);
2517 ++ if (!arp_checkentry(&e->arp))
2518 ++ return -EINVAL;
2519 ++
2520 ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
2521 ++ e->next_offset);
2522 + if (err)
2523 + return err;
2524 +
2525 +@@ -691,10 +698,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
2526 + }
2527 + }
2528 +
2529 +- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) {
2530 +- duprintf("Looping hook\n");
2531 ++ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
2532 + return -ELOOP;
2533 +- }
2534 +
2535 + /* Finally, each sanity check must pass */
2536 + i = 0;
2537 +@@ -1126,55 +1131,17 @@ static int do_add_counters(struct net *net, const void __user *user,
2538 + unsigned int i;
2539 + struct xt_counters_info tmp;
2540 + struct xt_counters *paddc;
2541 +- unsigned int num_counters;
2542 +- const char *name;
2543 +- int size;
2544 +- void *ptmp;
2545 + struct xt_table *t;
2546 + const struct xt_table_info *private;
2547 + int ret = 0;
2548 + struct arpt_entry *iter;
2549 + unsigned int addend;
2550 +-#ifdef CONFIG_COMPAT
2551 +- struct compat_xt_counters_info compat_tmp;
2552 +
2553 +- if (compat) {
2554 +- ptmp = &compat_tmp;
2555 +- size = sizeof(struct compat_xt_counters_info);
2556 +- } else
2557 +-#endif
2558 +- {
2559 +- ptmp = &tmp;
2560 +- size = sizeof(struct xt_counters_info);
2561 +- }
2562 ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
2563 ++ if (IS_ERR(paddc))
2564 ++ return PTR_ERR(paddc);
2565 +
2566 +- if (copy_from_user(ptmp, user, size) != 0)
2567 +- return -EFAULT;
2568 +-
2569 +-#ifdef CONFIG_COMPAT
2570 +- if (compat) {
2571 +- num_counters = compat_tmp.num_counters;
2572 +- name = compat_tmp.name;
2573 +- } else
2574 +-#endif
2575 +- {
2576 +- num_counters = tmp.num_counters;
2577 +- name = tmp.name;
2578 +- }
2579 +-
2580 +- if (len != size + num_counters * sizeof(struct xt_counters))
2581 +- return -EINVAL;
2582 +-
2583 +- paddc = vmalloc(len - size);
2584 +- if (!paddc)
2585 +- return -ENOMEM;
2586 +-
2587 +- if (copy_from_user(paddc, user + size, len - size) != 0) {
2588 +- ret = -EFAULT;
2589 +- goto free;
2590 +- }
2591 +-
2592 +- t = xt_find_table_lock(net, NFPROTO_ARP, name);
2593 ++ t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name);
2594 + if (IS_ERR_OR_NULL(t)) {
2595 + ret = t ? PTR_ERR(t) : -ENOENT;
2596 + goto free;
2597 +@@ -1182,7 +1149,7 @@ static int do_add_counters(struct net *net, const void __user *user,
2598 +
2599 + local_bh_disable();
2600 + private = t->private;
2601 +- if (private->number != num_counters) {
2602 ++ if (private->number != tmp.num_counters) {
2603 + ret = -EINVAL;
2604 + goto unlock_up_free;
2605 + }
2606 +@@ -1209,6 +1176,18 @@ static int do_add_counters(struct net *net, const void __user *user,
2607 + }
2608 +
2609 + #ifdef CONFIG_COMPAT
2610 ++struct compat_arpt_replace {
2611 ++ char name[XT_TABLE_MAXNAMELEN];
2612 ++ u32 valid_hooks;
2613 ++ u32 num_entries;
2614 ++ u32 size;
2615 ++ u32 hook_entry[NF_ARP_NUMHOOKS];
2616 ++ u32 underflow[NF_ARP_NUMHOOKS];
2617 ++ u32 num_counters;
2618 ++ compat_uptr_t counters;
2619 ++ struct compat_arpt_entry entries[0];
2620 ++};
2621 ++
2622 + static inline void compat_release_entry(struct compat_arpt_entry *e)
2623 + {
2624 + struct xt_entry_target *t;
2625 +@@ -1217,20 +1196,17 @@ static inline void compat_release_entry(struct compat_arpt_entry *e)
2626 + module_put(t->u.kernel.target->me);
2627 + }
2628 +
2629 +-static inline int
2630 ++static int
2631 + check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
2632 + struct xt_table_info *newinfo,
2633 + unsigned int *size,
2634 + const unsigned char *base,
2635 +- const unsigned char *limit,
2636 +- const unsigned int *hook_entries,
2637 +- const unsigned int *underflows,
2638 +- const char *name)
2639 ++ const unsigned char *limit)
2640 + {
2641 + struct xt_entry_target *t;
2642 + struct xt_target *target;
2643 + unsigned int entry_offset;
2644 +- int ret, off, h;
2645 ++ int ret, off;
2646 +
2647 + duprintf("check_compat_entry_size_and_hooks %p\n", e);
2648 + if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
2649 +@@ -1247,8 +1223,11 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
2650 + return -EINVAL;
2651 + }
2652 +
2653 +- /* For purposes of check_entry casting the compat entry is fine */
2654 +- ret = check_entry((struct arpt_entry *)e);
2655 ++ if (!arp_checkentry(&e->arp))
2656 ++ return -EINVAL;
2657 ++
2658 ++ ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset,
2659 ++ e->next_offset);
2660 + if (ret)
2661 + return ret;
2662 +
2663 +@@ -1272,17 +1251,6 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
2664 + if (ret)
2665 + goto release_target;
2666 +
2667 +- /* Check hooks & underflows */
2668 +- for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
2669 +- if ((unsigned char *)e - base == hook_entries[h])
2670 +- newinfo->hook_entry[h] = hook_entries[h];
2671 +- if ((unsigned char *)e - base == underflows[h])
2672 +- newinfo->underflow[h] = underflows[h];
2673 +- }
2674 +-
2675 +- /* Clear counters and comefrom */
2676 +- memset(&e->counters, 0, sizeof(e->counters));
2677 +- e->comefrom = 0;
2678 + return 0;
2679 +
2680 + release_target:
2681 +@@ -1291,18 +1259,17 @@ out:
2682 + return ret;
2683 + }
2684 +
2685 +-static int
2686 ++static void
2687 + compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
2688 +- unsigned int *size, const char *name,
2689 ++ unsigned int *size,
2690 + struct xt_table_info *newinfo, unsigned char *base)
2691 + {
2692 + struct xt_entry_target *t;
2693 + struct xt_target *target;
2694 + struct arpt_entry *de;
2695 + unsigned int origsize;
2696 +- int ret, h;
2697 ++ int h;
2698 +
2699 +- ret = 0;
2700 + origsize = *size;
2701 + de = (struct arpt_entry *)*dstptr;
2702 + memcpy(de, e, sizeof(struct arpt_entry));
2703 +@@ -1323,148 +1290,82 @@ compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
2704 + if ((unsigned char *)de - base < newinfo->underflow[h])
2705 + newinfo->underflow[h] -= origsize - *size;
2706 + }
2707 +- return ret;
2708 + }
2709 +
2710 +-static int translate_compat_table(const char *name,
2711 +- unsigned int valid_hooks,
2712 +- struct xt_table_info **pinfo,
2713 ++static int translate_compat_table(struct xt_table_info **pinfo,
2714 + void **pentry0,
2715 +- unsigned int total_size,
2716 +- unsigned int number,
2717 +- unsigned int *hook_entries,
2718 +- unsigned int *underflows)
2719 ++ const struct compat_arpt_replace *compatr)
2720 + {
2721 + unsigned int i, j;
2722 + struct xt_table_info *newinfo, *info;
2723 + void *pos, *entry0, *entry1;
2724 + struct compat_arpt_entry *iter0;
2725 +- struct arpt_entry *iter1;
2726 ++ struct arpt_replace repl;
2727 + unsigned int size;
2728 + int ret = 0;
2729 +
2730 + info = *pinfo;
2731 + entry0 = *pentry0;
2732 +- size = total_size;
2733 +- info->number = number;
2734 +-
2735 +- /* Init all hooks to impossible value. */
2736 +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
2737 +- info->hook_entry[i] = 0xFFFFFFFF;
2738 +- info->underflow[i] = 0xFFFFFFFF;
2739 +- }
2740 ++ size = compatr->size;
2741 ++ info->number = compatr->num_entries;
2742 +
2743 + duprintf("translate_compat_table: size %u\n", info->size);
2744 + j = 0;
2745 + xt_compat_lock(NFPROTO_ARP);
2746 +- xt_compat_init_offsets(NFPROTO_ARP, number);
2747 ++ xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries);
2748 + /* Walk through entries, checking offsets. */
2749 +- xt_entry_foreach(iter0, entry0, total_size) {
2750 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
2751 + ret = check_compat_entry_size_and_hooks(iter0, info, &size,
2752 + entry0,
2753 +- entry0 + total_size,
2754 +- hook_entries,
2755 +- underflows,
2756 +- name);
2757 ++ entry0 + compatr->size);
2758 + if (ret != 0)
2759 + goto out_unlock;
2760 + ++j;
2761 + }
2762 +
2763 + ret = -EINVAL;
2764 +- if (j != number) {
2765 ++ if (j != compatr->num_entries) {
2766 + duprintf("translate_compat_table: %u not %u entries\n",
2767 +- j, number);
2768 ++ j, compatr->num_entries);
2769 + goto out_unlock;
2770 + }
2771 +
2772 +- /* Check hooks all assigned */
2773 +- for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
2774 +- /* Only hooks which are valid */
2775 +- if (!(valid_hooks & (1 << i)))
2776 +- continue;
2777 +- if (info->hook_entry[i] == 0xFFFFFFFF) {
2778 +- duprintf("Invalid hook entry %u %u\n",
2779 +- i, hook_entries[i]);
2780 +- goto out_unlock;
2781 +- }
2782 +- if (info->underflow[i] == 0xFFFFFFFF) {
2783 +- duprintf("Invalid underflow %u %u\n",
2784 +- i, underflows[i]);
2785 +- goto out_unlock;
2786 +- }
2787 +- }
2788 +-
2789 + ret = -ENOMEM;
2790 + newinfo = xt_alloc_table_info(size);
2791 + if (!newinfo)
2792 + goto out_unlock;
2793 +
2794 +- newinfo->number = number;
2795 ++ newinfo->number = compatr->num_entries;
2796 + for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
2797 + newinfo->hook_entry[i] = info->hook_entry[i];
2798 + newinfo->underflow[i] = info->underflow[i];
2799 + }
2800 + entry1 = newinfo->entries;
2801 + pos = entry1;
2802 +- size = total_size;
2803 +- xt_entry_foreach(iter0, entry0, total_size) {
2804 +- ret = compat_copy_entry_from_user(iter0, &pos, &size,
2805 +- name, newinfo, entry1);
2806 +- if (ret != 0)
2807 +- break;
2808 +- }
2809 ++ size = compatr->size;
2810 ++ xt_entry_foreach(iter0, entry0, compatr->size)
2811 ++ compat_copy_entry_from_user(iter0, &pos, &size,
2812 ++ newinfo, entry1);
2813 ++
2814 ++ /* all module references in entry0 are now gone */
2815 ++
2816 + xt_compat_flush_offsets(NFPROTO_ARP);
2817 + xt_compat_unlock(NFPROTO_ARP);
2818 +- if (ret)
2819 +- goto free_newinfo;
2820 +
2821 +- ret = -ELOOP;
2822 +- if (!mark_source_chains(newinfo, valid_hooks, entry1))
2823 +- goto free_newinfo;
2824 ++ memcpy(&repl, compatr, sizeof(*compatr));
2825 +
2826 +- i = 0;
2827 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
2828 +- iter1->counters.pcnt = xt_percpu_counter_alloc();
2829 +- if (IS_ERR_VALUE(iter1->counters.pcnt)) {
2830 +- ret = -ENOMEM;
2831 +- break;
2832 +- }
2833 +-
2834 +- ret = check_target(iter1, name);
2835 +- if (ret != 0) {
2836 +- xt_percpu_counter_free(iter1->counters.pcnt);
2837 +- break;
2838 +- }
2839 +- ++i;
2840 +- if (strcmp(arpt_get_target(iter1)->u.user.name,
2841 +- XT_ERROR_TARGET) == 0)
2842 +- ++newinfo->stacksize;
2843 +- }
2844 +- if (ret) {
2845 +- /*
2846 +- * The first i matches need cleanup_entry (calls ->destroy)
2847 +- * because they had called ->check already. The other j-i
2848 +- * entries need only release.
2849 +- */
2850 +- int skip = i;
2851 +- j -= i;
2852 +- xt_entry_foreach(iter0, entry0, newinfo->size) {
2853 +- if (skip-- > 0)
2854 +- continue;
2855 +- if (j-- == 0)
2856 +- break;
2857 +- compat_release_entry(iter0);
2858 +- }
2859 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
2860 +- if (i-- == 0)
2861 +- break;
2862 +- cleanup_entry(iter1);
2863 +- }
2864 +- xt_free_table_info(newinfo);
2865 +- return ret;
2866 ++ for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
2867 ++ repl.hook_entry[i] = newinfo->hook_entry[i];
2868 ++ repl.underflow[i] = newinfo->underflow[i];
2869 + }
2870 +
2871 ++ repl.num_counters = 0;
2872 ++ repl.counters = NULL;
2873 ++ repl.size = newinfo->size;
2874 ++ ret = translate_table(newinfo, entry1, &repl);
2875 ++ if (ret)
2876 ++ goto free_newinfo;
2877 ++
2878 + *pinfo = newinfo;
2879 + *pentry0 = entry1;
2880 + xt_free_table_info(info);
2881 +@@ -1472,31 +1373,18 @@ static int translate_compat_table(const char *name,
2882 +
2883 + free_newinfo:
2884 + xt_free_table_info(newinfo);
2885 +-out:
2886 +- xt_entry_foreach(iter0, entry0, total_size) {
2887 ++ return ret;
2888 ++out_unlock:
2889 ++ xt_compat_flush_offsets(NFPROTO_ARP);
2890 ++ xt_compat_unlock(NFPROTO_ARP);
2891 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
2892 + if (j-- == 0)
2893 + break;
2894 + compat_release_entry(iter0);
2895 + }
2896 + return ret;
2897 +-out_unlock:
2898 +- xt_compat_flush_offsets(NFPROTO_ARP);
2899 +- xt_compat_unlock(NFPROTO_ARP);
2900 +- goto out;
2901 + }
2902 +
2903 +-struct compat_arpt_replace {
2904 +- char name[XT_TABLE_MAXNAMELEN];
2905 +- u32 valid_hooks;
2906 +- u32 num_entries;
2907 +- u32 size;
2908 +- u32 hook_entry[NF_ARP_NUMHOOKS];
2909 +- u32 underflow[NF_ARP_NUMHOOKS];
2910 +- u32 num_counters;
2911 +- compat_uptr_t counters;
2912 +- struct compat_arpt_entry entries[0];
2913 +-};
2914 +-
2915 + static int compat_do_replace(struct net *net, void __user *user,
2916 + unsigned int len)
2917 + {
2918 +@@ -1529,10 +1417,7 @@ static int compat_do_replace(struct net *net, void __user *user,
2919 + goto free_newinfo;
2920 + }
2921 +
2922 +- ret = translate_compat_table(tmp.name, tmp.valid_hooks,
2923 +- &newinfo, &loc_cpu_entry, tmp.size,
2924 +- tmp.num_entries, tmp.hook_entry,
2925 +- tmp.underflow);
2926 ++ ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp);
2927 + if (ret != 0)
2928 + goto free_newinfo;
2929 +
2930 +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
2931 +index 631c100a1338..0984ea3fcf14 100644
2932 +--- a/net/ipv4/netfilter/ip_tables.c
2933 ++++ b/net/ipv4/netfilter/ip_tables.c
2934 +@@ -443,6 +443,18 @@ ipt_do_table(struct sk_buff *skb,
2935 + #endif
2936 + }
2937 +
2938 ++static bool find_jump_target(const struct xt_table_info *t,
2939 ++ const struct ipt_entry *target)
2940 ++{
2941 ++ struct ipt_entry *iter;
2942 ++
2943 ++ xt_entry_foreach(iter, t->entries, t->size) {
2944 ++ if (iter == target)
2945 ++ return true;
2946 ++ }
2947 ++ return false;
2948 ++}
2949 ++
2950 + /* Figures out from what hook each rule can be called: returns 0 if
2951 + there are loops. Puts hook bitmask in comefrom. */
2952 + static int
2953 +@@ -520,6 +532,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
2954 + size = e->next_offset;
2955 + e = (struct ipt_entry *)
2956 + (entry0 + pos + size);
2957 ++ if (pos + size >= newinfo->size)
2958 ++ return 0;
2959 + e->counters.pcnt = pos;
2960 + pos += size;
2961 + } else {
2962 +@@ -538,9 +552,15 @@ mark_source_chains(const struct xt_table_info *newinfo,
2963 + /* This a jump; chase it. */
2964 + duprintf("Jump rule %u -> %u\n",
2965 + pos, newpos);
2966 ++ e = (struct ipt_entry *)
2967 ++ (entry0 + newpos);
2968 ++ if (!find_jump_target(newinfo, e))
2969 ++ return 0;
2970 + } else {
2971 + /* ... this is a fallthru */
2972 + newpos = pos + e->next_offset;
2973 ++ if (newpos >= newinfo->size)
2974 ++ return 0;
2975 + }
2976 + e = (struct ipt_entry *)
2977 + (entry0 + newpos);
2978 +@@ -568,25 +588,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net)
2979 + }
2980 +
2981 + static int
2982 +-check_entry(const struct ipt_entry *e)
2983 +-{
2984 +- const struct xt_entry_target *t;
2985 +-
2986 +- if (!ip_checkentry(&e->ip))
2987 +- return -EINVAL;
2988 +-
2989 +- if (e->target_offset + sizeof(struct xt_entry_target) >
2990 +- e->next_offset)
2991 +- return -EINVAL;
2992 +-
2993 +- t = ipt_get_target_c(e);
2994 +- if (e->target_offset + t->u.target_size > e->next_offset)
2995 +- return -EINVAL;
2996 +-
2997 +- return 0;
2998 +-}
2999 +-
3000 +-static int
3001 + check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
3002 + {
3003 + const struct ipt_ip *ip = par->entryinfo;
3004 +@@ -750,7 +751,11 @@ check_entry_size_and_hooks(struct ipt_entry *e,
3005 + return -EINVAL;
3006 + }
3007 +
3008 +- err = check_entry(e);
3009 ++ if (!ip_checkentry(&e->ip))
3010 ++ return -EINVAL;
3011 ++
3012 ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
3013 ++ e->next_offset);
3014 + if (err)
3015 + return err;
3016 +
3017 +@@ -1309,55 +1314,17 @@ do_add_counters(struct net *net, const void __user *user,
3018 + unsigned int i;
3019 + struct xt_counters_info tmp;
3020 + struct xt_counters *paddc;
3021 +- unsigned int num_counters;
3022 +- const char *name;
3023 +- int size;
3024 +- void *ptmp;
3025 + struct xt_table *t;
3026 + const struct xt_table_info *private;
3027 + int ret = 0;
3028 + struct ipt_entry *iter;
3029 + unsigned int addend;
3030 +-#ifdef CONFIG_COMPAT
3031 +- struct compat_xt_counters_info compat_tmp;
3032 +
3033 +- if (compat) {
3034 +- ptmp = &compat_tmp;
3035 +- size = sizeof(struct compat_xt_counters_info);
3036 +- } else
3037 +-#endif
3038 +- {
3039 +- ptmp = &tmp;
3040 +- size = sizeof(struct xt_counters_info);
3041 +- }
3042 +-
3043 +- if (copy_from_user(ptmp, user, size) != 0)
3044 +- return -EFAULT;
3045 +-
3046 +-#ifdef CONFIG_COMPAT
3047 +- if (compat) {
3048 +- num_counters = compat_tmp.num_counters;
3049 +- name = compat_tmp.name;
3050 +- } else
3051 +-#endif
3052 +- {
3053 +- num_counters = tmp.num_counters;
3054 +- name = tmp.name;
3055 +- }
3056 ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
3057 ++ if (IS_ERR(paddc))
3058 ++ return PTR_ERR(paddc);
3059 +
3060 +- if (len != size + num_counters * sizeof(struct xt_counters))
3061 +- return -EINVAL;
3062 +-
3063 +- paddc = vmalloc(len - size);
3064 +- if (!paddc)
3065 +- return -ENOMEM;
3066 +-
3067 +- if (copy_from_user(paddc, user + size, len - size) != 0) {
3068 +- ret = -EFAULT;
3069 +- goto free;
3070 +- }
3071 +-
3072 +- t = xt_find_table_lock(net, AF_INET, name);
3073 ++ t = xt_find_table_lock(net, AF_INET, tmp.name);
3074 + if (IS_ERR_OR_NULL(t)) {
3075 + ret = t ? PTR_ERR(t) : -ENOENT;
3076 + goto free;
3077 +@@ -1365,7 +1332,7 @@ do_add_counters(struct net *net, const void __user *user,
3078 +
3079 + local_bh_disable();
3080 + private = t->private;
3081 +- if (private->number != num_counters) {
3082 ++ if (private->number != tmp.num_counters) {
3083 + ret = -EINVAL;
3084 + goto unlock_up_free;
3085 + }
3086 +@@ -1444,7 +1411,6 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
3087 +
3088 + static int
3089 + compat_find_calc_match(struct xt_entry_match *m,
3090 +- const char *name,
3091 + const struct ipt_ip *ip,
3092 + int *size)
3093 + {
3094 +@@ -1479,17 +1445,14 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
3095 + struct xt_table_info *newinfo,
3096 + unsigned int *size,
3097 + const unsigned char *base,
3098 +- const unsigned char *limit,
3099 +- const unsigned int *hook_entries,
3100 +- const unsigned int *underflows,
3101 +- const char *name)
3102 ++ const unsigned char *limit)
3103 + {
3104 + struct xt_entry_match *ematch;
3105 + struct xt_entry_target *t;
3106 + struct xt_target *target;
3107 + unsigned int entry_offset;
3108 + unsigned int j;
3109 +- int ret, off, h;
3110 ++ int ret, off;
3111 +
3112 + duprintf("check_compat_entry_size_and_hooks %p\n", e);
3113 + if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
3114 +@@ -1506,8 +1469,11 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
3115 + return -EINVAL;
3116 + }
3117 +
3118 +- /* For purposes of check_entry casting the compat entry is fine */
3119 +- ret = check_entry((struct ipt_entry *)e);
3120 ++ if (!ip_checkentry(&e->ip))
3121 ++ return -EINVAL;
3122 ++
3123 ++ ret = xt_compat_check_entry_offsets(e, e->elems,
3124 ++ e->target_offset, e->next_offset);
3125 + if (ret)
3126 + return ret;
3127 +
3128 +@@ -1515,7 +1481,7 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
3129 + entry_offset = (void *)e - (void *)base;
3130 + j = 0;
3131 + xt_ematch_foreach(ematch, e) {
3132 +- ret = compat_find_calc_match(ematch, name, &e->ip, &off);
3133 ++ ret = compat_find_calc_match(ematch, &e->ip, &off);
3134 + if (ret != 0)
3135 + goto release_matches;
3136 + ++j;
3137 +@@ -1538,17 +1504,6 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
3138 + if (ret)
3139 + goto out;
3140 +
3141 +- /* Check hooks & underflows */
3142 +- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
3143 +- if ((unsigned char *)e - base == hook_entries[h])
3144 +- newinfo->hook_entry[h] = hook_entries[h];
3145 +- if ((unsigned char *)e - base == underflows[h])
3146 +- newinfo->underflow[h] = underflows[h];
3147 +- }
3148 +-
3149 +- /* Clear counters and comefrom */
3150 +- memset(&e->counters, 0, sizeof(e->counters));
3151 +- e->comefrom = 0;
3152 + return 0;
3153 +
3154 + out:
3155 +@@ -1562,19 +1517,18 @@ release_matches:
3156 + return ret;
3157 + }
3158 +
3159 +-static int
3160 ++static void
3161 + compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
3162 +- unsigned int *size, const char *name,
3163 ++ unsigned int *size,
3164 + struct xt_table_info *newinfo, unsigned char *base)
3165 + {
3166 + struct xt_entry_target *t;
3167 + struct xt_target *target;
3168 + struct ipt_entry *de;
3169 + unsigned int origsize;
3170 +- int ret, h;
3171 ++ int h;
3172 + struct xt_entry_match *ematch;
3173 +
3174 +- ret = 0;
3175 + origsize = *size;
3176 + de = (struct ipt_entry *)*dstptr;
3177 + memcpy(de, e, sizeof(struct ipt_entry));
3178 +@@ -1583,201 +1537,105 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
3179 + *dstptr += sizeof(struct ipt_entry);
3180 + *size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
3181 +
3182 +- xt_ematch_foreach(ematch, e) {
3183 +- ret = xt_compat_match_from_user(ematch, dstptr, size);
3184 +- if (ret != 0)
3185 +- return ret;
3186 +- }
3187 ++ xt_ematch_foreach(ematch, e)
3188 ++ xt_compat_match_from_user(ematch, dstptr, size);
3189 ++
3190 + de->target_offset = e->target_offset - (origsize - *size);
3191 + t = compat_ipt_get_target(e);
3192 + target = t->u.kernel.target;
3193 + xt_compat_target_from_user(t, dstptr, size);
3194 +
3195 + de->next_offset = e->next_offset - (origsize - *size);
3196 ++
3197 + for (h = 0; h < NF_INET_NUMHOOKS; h++) {
3198 + if ((unsigned char *)de - base < newinfo->hook_entry[h])
3199 + newinfo->hook_entry[h] -= origsize - *size;
3200 + if ((unsigned char *)de - base < newinfo->underflow[h])
3201 + newinfo->underflow[h] -= origsize - *size;
3202 + }
3203 +- return ret;
3204 +-}
3205 +-
3206 +-static int
3207 +-compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
3208 +-{
3209 +- struct xt_entry_match *ematch;
3210 +- struct xt_mtchk_param mtpar;
3211 +- unsigned int j;
3212 +- int ret = 0;
3213 +-
3214 +- e->counters.pcnt = xt_percpu_counter_alloc();
3215 +- if (IS_ERR_VALUE(e->counters.pcnt))
3216 +- return -ENOMEM;
3217 +-
3218 +- j = 0;
3219 +- mtpar.net = net;
3220 +- mtpar.table = name;
3221 +- mtpar.entryinfo = &e->ip;
3222 +- mtpar.hook_mask = e->comefrom;
3223 +- mtpar.family = NFPROTO_IPV4;
3224 +- xt_ematch_foreach(ematch, e) {
3225 +- ret = check_match(ematch, &mtpar);
3226 +- if (ret != 0)
3227 +- goto cleanup_matches;
3228 +- ++j;
3229 +- }
3230 +-
3231 +- ret = check_target(e, net, name);
3232 +- if (ret)
3233 +- goto cleanup_matches;
3234 +- return 0;
3235 +-
3236 +- cleanup_matches:
3237 +- xt_ematch_foreach(ematch, e) {
3238 +- if (j-- == 0)
3239 +- break;
3240 +- cleanup_match(ematch, net);
3241 +- }
3242 +-
3243 +- xt_percpu_counter_free(e->counters.pcnt);
3244 +-
3245 +- return ret;
3246 + }
3247 +
3248 + static int
3249 + translate_compat_table(struct net *net,
3250 +- const char *name,
3251 +- unsigned int valid_hooks,
3252 + struct xt_table_info **pinfo,
3253 + void **pentry0,
3254 +- unsigned int total_size,
3255 +- unsigned int number,
3256 +- unsigned int *hook_entries,
3257 +- unsigned int *underflows)
3258 ++ const struct compat_ipt_replace *compatr)
3259 + {
3260 + unsigned int i, j;
3261 + struct xt_table_info *newinfo, *info;
3262 + void *pos, *entry0, *entry1;
3263 + struct compat_ipt_entry *iter0;
3264 +- struct ipt_entry *iter1;
3265 ++ struct ipt_replace repl;
3266 + unsigned int size;
3267 + int ret;
3268 +
3269 + info = *pinfo;
3270 + entry0 = *pentry0;
3271 +- size = total_size;
3272 +- info->number = number;
3273 +-
3274 +- /* Init all hooks to impossible value. */
3275 +- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3276 +- info->hook_entry[i] = 0xFFFFFFFF;
3277 +- info->underflow[i] = 0xFFFFFFFF;
3278 +- }
3279 ++ size = compatr->size;
3280 ++ info->number = compatr->num_entries;
3281 +
3282 + duprintf("translate_compat_table: size %u\n", info->size);
3283 + j = 0;
3284 + xt_compat_lock(AF_INET);
3285 +- xt_compat_init_offsets(AF_INET, number);
3286 ++ xt_compat_init_offsets(AF_INET, compatr->num_entries);
3287 + /* Walk through entries, checking offsets. */
3288 +- xt_entry_foreach(iter0, entry0, total_size) {
3289 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
3290 + ret = check_compat_entry_size_and_hooks(iter0, info, &size,
3291 + entry0,
3292 +- entry0 + total_size,
3293 +- hook_entries,
3294 +- underflows,
3295 +- name);
3296 ++ entry0 + compatr->size);
3297 + if (ret != 0)
3298 + goto out_unlock;
3299 + ++j;
3300 + }
3301 +
3302 + ret = -EINVAL;
3303 +- if (j != number) {
3304 ++ if (j != compatr->num_entries) {
3305 + duprintf("translate_compat_table: %u not %u entries\n",
3306 +- j, number);
3307 ++ j, compatr->num_entries);
3308 + goto out_unlock;
3309 + }
3310 +
3311 +- /* Check hooks all assigned */
3312 +- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3313 +- /* Only hooks which are valid */
3314 +- if (!(valid_hooks & (1 << i)))
3315 +- continue;
3316 +- if (info->hook_entry[i] == 0xFFFFFFFF) {
3317 +- duprintf("Invalid hook entry %u %u\n",
3318 +- i, hook_entries[i]);
3319 +- goto out_unlock;
3320 +- }
3321 +- if (info->underflow[i] == 0xFFFFFFFF) {
3322 +- duprintf("Invalid underflow %u %u\n",
3323 +- i, underflows[i]);
3324 +- goto out_unlock;
3325 +- }
3326 +- }
3327 +-
3328 + ret = -ENOMEM;
3329 + newinfo = xt_alloc_table_info(size);
3330 + if (!newinfo)
3331 + goto out_unlock;
3332 +
3333 +- newinfo->number = number;
3334 ++ newinfo->number = compatr->num_entries;
3335 + for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3336 +- newinfo->hook_entry[i] = info->hook_entry[i];
3337 +- newinfo->underflow[i] = info->underflow[i];
3338 ++ newinfo->hook_entry[i] = compatr->hook_entry[i];
3339 ++ newinfo->underflow[i] = compatr->underflow[i];
3340 + }
3341 + entry1 = newinfo->entries;
3342 + pos = entry1;
3343 +- size = total_size;
3344 +- xt_entry_foreach(iter0, entry0, total_size) {
3345 +- ret = compat_copy_entry_from_user(iter0, &pos, &size,
3346 +- name, newinfo, entry1);
3347 +- if (ret != 0)
3348 +- break;
3349 +- }
3350 ++ size = compatr->size;
3351 ++ xt_entry_foreach(iter0, entry0, compatr->size)
3352 ++ compat_copy_entry_from_user(iter0, &pos, &size,
3353 ++ newinfo, entry1);
3354 ++
3355 ++ /* all module references in entry0 are now gone.
3356 ++ * entry1/newinfo contains a 64bit ruleset that looks exactly as
3357 ++ * generated by 64bit userspace.
3358 ++ *
3359 ++ * Call standard translate_table() to validate all hook_entrys,
3360 ++ * underflows, check for loops, etc.
3361 ++ */
3362 + xt_compat_flush_offsets(AF_INET);
3363 + xt_compat_unlock(AF_INET);
3364 +- if (ret)
3365 +- goto free_newinfo;
3366 +
3367 +- ret = -ELOOP;
3368 +- if (!mark_source_chains(newinfo, valid_hooks, entry1))
3369 +- goto free_newinfo;
3370 ++ memcpy(&repl, compatr, sizeof(*compatr));
3371 +
3372 +- i = 0;
3373 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
3374 +- ret = compat_check_entry(iter1, net, name);
3375 +- if (ret != 0)
3376 +- break;
3377 +- ++i;
3378 +- if (strcmp(ipt_get_target(iter1)->u.user.name,
3379 +- XT_ERROR_TARGET) == 0)
3380 +- ++newinfo->stacksize;
3381 +- }
3382 +- if (ret) {
3383 +- /*
3384 +- * The first i matches need cleanup_entry (calls ->destroy)
3385 +- * because they had called ->check already. The other j-i
3386 +- * entries need only release.
3387 +- */
3388 +- int skip = i;
3389 +- j -= i;
3390 +- xt_entry_foreach(iter0, entry0, newinfo->size) {
3391 +- if (skip-- > 0)
3392 +- continue;
3393 +- if (j-- == 0)
3394 +- break;
3395 +- compat_release_entry(iter0);
3396 +- }
3397 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
3398 +- if (i-- == 0)
3399 +- break;
3400 +- cleanup_entry(iter1, net);
3401 +- }
3402 +- xt_free_table_info(newinfo);
3403 +- return ret;
3404 ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3405 ++ repl.hook_entry[i] = newinfo->hook_entry[i];
3406 ++ repl.underflow[i] = newinfo->underflow[i];
3407 + }
3408 +
3409 ++ repl.num_counters = 0;
3410 ++ repl.counters = NULL;
3411 ++ repl.size = newinfo->size;
3412 ++ ret = translate_table(net, newinfo, entry1, &repl);
3413 ++ if (ret)
3414 ++ goto free_newinfo;
3415 ++
3416 + *pinfo = newinfo;
3417 + *pentry0 = entry1;
3418 + xt_free_table_info(info);
3419 +@@ -1785,17 +1643,16 @@ translate_compat_table(struct net *net,
3420 +
3421 + free_newinfo:
3422 + xt_free_table_info(newinfo);
3423 +-out:
3424 +- xt_entry_foreach(iter0, entry0, total_size) {
3425 ++ return ret;
3426 ++out_unlock:
3427 ++ xt_compat_flush_offsets(AF_INET);
3428 ++ xt_compat_unlock(AF_INET);
3429 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
3430 + if (j-- == 0)
3431 + break;
3432 + compat_release_entry(iter0);
3433 + }
3434 + return ret;
3435 +-out_unlock:
3436 +- xt_compat_flush_offsets(AF_INET);
3437 +- xt_compat_unlock(AF_INET);
3438 +- goto out;
3439 + }
3440 +
3441 + static int
3442 +@@ -1831,10 +1688,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
3443 + goto free_newinfo;
3444 + }
3445 +
3446 +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
3447 +- &newinfo, &loc_cpu_entry, tmp.size,
3448 +- tmp.num_entries, tmp.hook_entry,
3449 +- tmp.underflow);
3450 ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
3451 + if (ret != 0)
3452 + goto free_newinfo;
3453 +
3454 +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
3455 +index 1e1fe6086dd9..03112a3106ab 100644
3456 +--- a/net/ipv4/sysctl_net_ipv4.c
3457 ++++ b/net/ipv4/sysctl_net_ipv4.c
3458 +@@ -988,10 +988,6 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
3459 + if (!net->ipv4.sysctl_local_reserved_ports)
3460 + goto err_ports;
3461 +
3462 +- net->ipv4.sysctl_ip_default_ttl = IPDEFTTL;
3463 +- net->ipv4.sysctl_ip_dynaddr = 0;
3464 +- net->ipv4.sysctl_ip_early_demux = 1;
3465 +-
3466 + return 0;
3467 +
3468 + err_ports:
3469 +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
3470 +index a2e7f55a1f61..e9853dff7b52 100644
3471 +--- a/net/ipv4/udp.c
3472 ++++ b/net/ipv4/udp.c
3473 +@@ -1616,7 +1616,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
3474 +
3475 + /* if we're overly short, let UDP handle it */
3476 + encap_rcv = ACCESS_ONCE(up->encap_rcv);
3477 +- if (skb->len > sizeof(struct udphdr) && encap_rcv) {
3478 ++ if (encap_rcv) {
3479 + int ret;
3480 +
3481 + /* Verify checksum before giving to encap */
3482 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
3483 +index bc972e7152c7..da88de82b3b8 100644
3484 +--- a/net/ipv6/ip6_output.c
3485 ++++ b/net/ipv6/ip6_output.c
3486 +@@ -1071,17 +1071,12 @@ struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
3487 + const struct in6_addr *final_dst)
3488 + {
3489 + struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
3490 +- int err;
3491 +
3492 + dst = ip6_sk_dst_check(sk, dst, fl6);
3493 ++ if (!dst)
3494 ++ dst = ip6_dst_lookup_flow(sk, fl6, final_dst);
3495 +
3496 +- err = ip6_dst_lookup_tail(sock_net(sk), sk, &dst, fl6);
3497 +- if (err)
3498 +- return ERR_PTR(err);
3499 +- if (final_dst)
3500 +- fl6->daddr = *final_dst;
3501 +-
3502 +- return xfrm_lookup_route(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
3503 ++ return dst;
3504 + }
3505 + EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
3506 +
3507 +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
3508 +index 86b67b70b626..9021b435506d 100644
3509 +--- a/net/ipv6/netfilter/ip6_tables.c
3510 ++++ b/net/ipv6/netfilter/ip6_tables.c
3511 +@@ -455,6 +455,18 @@ ip6t_do_table(struct sk_buff *skb,
3512 + #endif
3513 + }
3514 +
3515 ++static bool find_jump_target(const struct xt_table_info *t,
3516 ++ const struct ip6t_entry *target)
3517 ++{
3518 ++ struct ip6t_entry *iter;
3519 ++
3520 ++ xt_entry_foreach(iter, t->entries, t->size) {
3521 ++ if (iter == target)
3522 ++ return true;
3523 ++ }
3524 ++ return false;
3525 ++}
3526 ++
3527 + /* Figures out from what hook each rule can be called: returns 0 if
3528 + there are loops. Puts hook bitmask in comefrom. */
3529 + static int
3530 +@@ -532,6 +544,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
3531 + size = e->next_offset;
3532 + e = (struct ip6t_entry *)
3533 + (entry0 + pos + size);
3534 ++ if (pos + size >= newinfo->size)
3535 ++ return 0;
3536 + e->counters.pcnt = pos;
3537 + pos += size;
3538 + } else {
3539 +@@ -550,9 +564,15 @@ mark_source_chains(const struct xt_table_info *newinfo,
3540 + /* This a jump; chase it. */
3541 + duprintf("Jump rule %u -> %u\n",
3542 + pos, newpos);
3543 ++ e = (struct ip6t_entry *)
3544 ++ (entry0 + newpos);
3545 ++ if (!find_jump_target(newinfo, e))
3546 ++ return 0;
3547 + } else {
3548 + /* ... this is a fallthru */
3549 + newpos = pos + e->next_offset;
3550 ++ if (newpos >= newinfo->size)
3551 ++ return 0;
3552 + }
3553 + e = (struct ip6t_entry *)
3554 + (entry0 + newpos);
3555 +@@ -579,25 +599,6 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net)
3556 + module_put(par.match->me);
3557 + }
3558 +
3559 +-static int
3560 +-check_entry(const struct ip6t_entry *e)
3561 +-{
3562 +- const struct xt_entry_target *t;
3563 +-
3564 +- if (!ip6_checkentry(&e->ipv6))
3565 +- return -EINVAL;
3566 +-
3567 +- if (e->target_offset + sizeof(struct xt_entry_target) >
3568 +- e->next_offset)
3569 +- return -EINVAL;
3570 +-
3571 +- t = ip6t_get_target_c(e);
3572 +- if (e->target_offset + t->u.target_size > e->next_offset)
3573 +- return -EINVAL;
3574 +-
3575 +- return 0;
3576 +-}
3577 +-
3578 + static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
3579 + {
3580 + const struct ip6t_ip6 *ipv6 = par->entryinfo;
3581 +@@ -762,7 +763,11 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
3582 + return -EINVAL;
3583 + }
3584 +
3585 +- err = check_entry(e);
3586 ++ if (!ip6_checkentry(&e->ipv6))
3587 ++ return -EINVAL;
3588 ++
3589 ++ err = xt_check_entry_offsets(e, e->elems, e->target_offset,
3590 ++ e->next_offset);
3591 + if (err)
3592 + return err;
3593 +
3594 +@@ -1321,55 +1326,16 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
3595 + unsigned int i;
3596 + struct xt_counters_info tmp;
3597 + struct xt_counters *paddc;
3598 +- unsigned int num_counters;
3599 +- char *name;
3600 +- int size;
3601 +- void *ptmp;
3602 + struct xt_table *t;
3603 + const struct xt_table_info *private;
3604 + int ret = 0;
3605 + struct ip6t_entry *iter;
3606 + unsigned int addend;
3607 +-#ifdef CONFIG_COMPAT
3608 +- struct compat_xt_counters_info compat_tmp;
3609 +-
3610 +- if (compat) {
3611 +- ptmp = &compat_tmp;
3612 +- size = sizeof(struct compat_xt_counters_info);
3613 +- } else
3614 +-#endif
3615 +- {
3616 +- ptmp = &tmp;
3617 +- size = sizeof(struct xt_counters_info);
3618 +- }
3619 +-
3620 +- if (copy_from_user(ptmp, user, size) != 0)
3621 +- return -EFAULT;
3622 +-
3623 +-#ifdef CONFIG_COMPAT
3624 +- if (compat) {
3625 +- num_counters = compat_tmp.num_counters;
3626 +- name = compat_tmp.name;
3627 +- } else
3628 +-#endif
3629 +- {
3630 +- num_counters = tmp.num_counters;
3631 +- name = tmp.name;
3632 +- }
3633 +-
3634 +- if (len != size + num_counters * sizeof(struct xt_counters))
3635 +- return -EINVAL;
3636 +-
3637 +- paddc = vmalloc(len - size);
3638 +- if (!paddc)
3639 +- return -ENOMEM;
3640 +
3641 +- if (copy_from_user(paddc, user + size, len - size) != 0) {
3642 +- ret = -EFAULT;
3643 +- goto free;
3644 +- }
3645 +-
3646 +- t = xt_find_table_lock(net, AF_INET6, name);
3647 ++ paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
3648 ++ if (IS_ERR(paddc))
3649 ++ return PTR_ERR(paddc);
3650 ++ t = xt_find_table_lock(net, AF_INET6, tmp.name);
3651 + if (IS_ERR_OR_NULL(t)) {
3652 + ret = t ? PTR_ERR(t) : -ENOENT;
3653 + goto free;
3654 +@@ -1377,7 +1343,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
3655 +
3656 + local_bh_disable();
3657 + private = t->private;
3658 +- if (private->number != num_counters) {
3659 ++ if (private->number != tmp.num_counters) {
3660 + ret = -EINVAL;
3661 + goto unlock_up_free;
3662 + }
3663 +@@ -1456,7 +1422,6 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
3664 +
3665 + static int
3666 + compat_find_calc_match(struct xt_entry_match *m,
3667 +- const char *name,
3668 + const struct ip6t_ip6 *ipv6,
3669 + int *size)
3670 + {
3671 +@@ -1491,17 +1456,14 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
3672 + struct xt_table_info *newinfo,
3673 + unsigned int *size,
3674 + const unsigned char *base,
3675 +- const unsigned char *limit,
3676 +- const unsigned int *hook_entries,
3677 +- const unsigned int *underflows,
3678 +- const char *name)
3679 ++ const unsigned char *limit)
3680 + {
3681 + struct xt_entry_match *ematch;
3682 + struct xt_entry_target *t;
3683 + struct xt_target *target;
3684 + unsigned int entry_offset;
3685 + unsigned int j;
3686 +- int ret, off, h;
3687 ++ int ret, off;
3688 +
3689 + duprintf("check_compat_entry_size_and_hooks %p\n", e);
3690 + if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
3691 +@@ -1518,8 +1480,11 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
3692 + return -EINVAL;
3693 + }
3694 +
3695 +- /* For purposes of check_entry casting the compat entry is fine */
3696 +- ret = check_entry((struct ip6t_entry *)e);
3697 ++ if (!ip6_checkentry(&e->ipv6))
3698 ++ return -EINVAL;
3699 ++
3700 ++ ret = xt_compat_check_entry_offsets(e, e->elems,
3701 ++ e->target_offset, e->next_offset);
3702 + if (ret)
3703 + return ret;
3704 +
3705 +@@ -1527,7 +1492,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
3706 + entry_offset = (void *)e - (void *)base;
3707 + j = 0;
3708 + xt_ematch_foreach(ematch, e) {
3709 +- ret = compat_find_calc_match(ematch, name, &e->ipv6, &off);
3710 ++ ret = compat_find_calc_match(ematch, &e->ipv6, &off);
3711 + if (ret != 0)
3712 + goto release_matches;
3713 + ++j;
3714 +@@ -1550,17 +1515,6 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
3715 + if (ret)
3716 + goto out;
3717 +
3718 +- /* Check hooks & underflows */
3719 +- for (h = 0; h < NF_INET_NUMHOOKS; h++) {
3720 +- if ((unsigned char *)e - base == hook_entries[h])
3721 +- newinfo->hook_entry[h] = hook_entries[h];
3722 +- if ((unsigned char *)e - base == underflows[h])
3723 +- newinfo->underflow[h] = underflows[h];
3724 +- }
3725 +-
3726 +- /* Clear counters and comefrom */
3727 +- memset(&e->counters, 0, sizeof(e->counters));
3728 +- e->comefrom = 0;
3729 + return 0;
3730 +
3731 + out:
3732 +@@ -1574,18 +1528,17 @@ release_matches:
3733 + return ret;
3734 + }
3735 +
3736 +-static int
3737 ++static void
3738 + compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
3739 +- unsigned int *size, const char *name,
3740 ++ unsigned int *size,
3741 + struct xt_table_info *newinfo, unsigned char *base)
3742 + {
3743 + struct xt_entry_target *t;
3744 + struct ip6t_entry *de;
3745 + unsigned int origsize;
3746 +- int ret, h;
3747 ++ int h;
3748 + struct xt_entry_match *ematch;
3749 +
3750 +- ret = 0;
3751 + origsize = *size;
3752 + de = (struct ip6t_entry *)*dstptr;
3753 + memcpy(de, e, sizeof(struct ip6t_entry));
3754 +@@ -1594,11 +1547,9 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
3755 + *dstptr += sizeof(struct ip6t_entry);
3756 + *size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
3757 +
3758 +- xt_ematch_foreach(ematch, e) {
3759 +- ret = xt_compat_match_from_user(ematch, dstptr, size);
3760 +- if (ret != 0)
3761 +- return ret;
3762 +- }
3763 ++ xt_ematch_foreach(ematch, e)
3764 ++ xt_compat_match_from_user(ematch, dstptr, size);
3765 ++
3766 + de->target_offset = e->target_offset - (origsize - *size);
3767 + t = compat_ip6t_get_target(e);
3768 + xt_compat_target_from_user(t, dstptr, size);
3769 +@@ -1610,183 +1561,83 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
3770 + if ((unsigned char *)de - base < newinfo->underflow[h])
3771 + newinfo->underflow[h] -= origsize - *size;
3772 + }
3773 +- return ret;
3774 +-}
3775 +-
3776 +-static int compat_check_entry(struct ip6t_entry *e, struct net *net,
3777 +- const char *name)
3778 +-{
3779 +- unsigned int j;
3780 +- int ret = 0;
3781 +- struct xt_mtchk_param mtpar;
3782 +- struct xt_entry_match *ematch;
3783 +-
3784 +- e->counters.pcnt = xt_percpu_counter_alloc();
3785 +- if (IS_ERR_VALUE(e->counters.pcnt))
3786 +- return -ENOMEM;
3787 +- j = 0;
3788 +- mtpar.net = net;
3789 +- mtpar.table = name;
3790 +- mtpar.entryinfo = &e->ipv6;
3791 +- mtpar.hook_mask = e->comefrom;
3792 +- mtpar.family = NFPROTO_IPV6;
3793 +- xt_ematch_foreach(ematch, e) {
3794 +- ret = check_match(ematch, &mtpar);
3795 +- if (ret != 0)
3796 +- goto cleanup_matches;
3797 +- ++j;
3798 +- }
3799 +-
3800 +- ret = check_target(e, net, name);
3801 +- if (ret)
3802 +- goto cleanup_matches;
3803 +- return 0;
3804 +-
3805 +- cleanup_matches:
3806 +- xt_ematch_foreach(ematch, e) {
3807 +- if (j-- == 0)
3808 +- break;
3809 +- cleanup_match(ematch, net);
3810 +- }
3811 +-
3812 +- xt_percpu_counter_free(e->counters.pcnt);
3813 +-
3814 +- return ret;
3815 + }
3816 +
3817 + static int
3818 + translate_compat_table(struct net *net,
3819 +- const char *name,
3820 +- unsigned int valid_hooks,
3821 + struct xt_table_info **pinfo,
3822 + void **pentry0,
3823 +- unsigned int total_size,
3824 +- unsigned int number,
3825 +- unsigned int *hook_entries,
3826 +- unsigned int *underflows)
3827 ++ const struct compat_ip6t_replace *compatr)
3828 + {
3829 + unsigned int i, j;
3830 + struct xt_table_info *newinfo, *info;
3831 + void *pos, *entry0, *entry1;
3832 + struct compat_ip6t_entry *iter0;
3833 +- struct ip6t_entry *iter1;
3834 ++ struct ip6t_replace repl;
3835 + unsigned int size;
3836 + int ret = 0;
3837 +
3838 + info = *pinfo;
3839 + entry0 = *pentry0;
3840 +- size = total_size;
3841 +- info->number = number;
3842 +-
3843 +- /* Init all hooks to impossible value. */
3844 +- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3845 +- info->hook_entry[i] = 0xFFFFFFFF;
3846 +- info->underflow[i] = 0xFFFFFFFF;
3847 +- }
3848 ++ size = compatr->size;
3849 ++ info->number = compatr->num_entries;
3850 +
3851 + duprintf("translate_compat_table: size %u\n", info->size);
3852 + j = 0;
3853 + xt_compat_lock(AF_INET6);
3854 +- xt_compat_init_offsets(AF_INET6, number);
3855 ++ xt_compat_init_offsets(AF_INET6, compatr->num_entries);
3856 + /* Walk through entries, checking offsets. */
3857 +- xt_entry_foreach(iter0, entry0, total_size) {
3858 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
3859 + ret = check_compat_entry_size_and_hooks(iter0, info, &size,
3860 + entry0,
3861 +- entry0 + total_size,
3862 +- hook_entries,
3863 +- underflows,
3864 +- name);
3865 ++ entry0 + compatr->size);
3866 + if (ret != 0)
3867 + goto out_unlock;
3868 + ++j;
3869 + }
3870 +
3871 + ret = -EINVAL;
3872 +- if (j != number) {
3873 ++ if (j != compatr->num_entries) {
3874 + duprintf("translate_compat_table: %u not %u entries\n",
3875 +- j, number);
3876 ++ j, compatr->num_entries);
3877 + goto out_unlock;
3878 + }
3879 +
3880 +- /* Check hooks all assigned */
3881 +- for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3882 +- /* Only hooks which are valid */
3883 +- if (!(valid_hooks & (1 << i)))
3884 +- continue;
3885 +- if (info->hook_entry[i] == 0xFFFFFFFF) {
3886 +- duprintf("Invalid hook entry %u %u\n",
3887 +- i, hook_entries[i]);
3888 +- goto out_unlock;
3889 +- }
3890 +- if (info->underflow[i] == 0xFFFFFFFF) {
3891 +- duprintf("Invalid underflow %u %u\n",
3892 +- i, underflows[i]);
3893 +- goto out_unlock;
3894 +- }
3895 +- }
3896 +-
3897 + ret = -ENOMEM;
3898 + newinfo = xt_alloc_table_info(size);
3899 + if (!newinfo)
3900 + goto out_unlock;
3901 +
3902 +- newinfo->number = number;
3903 ++ newinfo->number = compatr->num_entries;
3904 + for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3905 +- newinfo->hook_entry[i] = info->hook_entry[i];
3906 +- newinfo->underflow[i] = info->underflow[i];
3907 ++ newinfo->hook_entry[i] = compatr->hook_entry[i];
3908 ++ newinfo->underflow[i] = compatr->underflow[i];
3909 + }
3910 + entry1 = newinfo->entries;
3911 + pos = entry1;
3912 +- size = total_size;
3913 +- xt_entry_foreach(iter0, entry0, total_size) {
3914 +- ret = compat_copy_entry_from_user(iter0, &pos, &size,
3915 +- name, newinfo, entry1);
3916 +- if (ret != 0)
3917 +- break;
3918 +- }
3919 ++ size = compatr->size;
3920 ++ xt_entry_foreach(iter0, entry0, compatr->size)
3921 ++ compat_copy_entry_from_user(iter0, &pos, &size,
3922 ++ newinfo, entry1);
3923 ++
3924 ++ /* all module references in entry0 are now gone. */
3925 + xt_compat_flush_offsets(AF_INET6);
3926 + xt_compat_unlock(AF_INET6);
3927 +- if (ret)
3928 +- goto free_newinfo;
3929 +
3930 +- ret = -ELOOP;
3931 +- if (!mark_source_chains(newinfo, valid_hooks, entry1))
3932 +- goto free_newinfo;
3933 ++ memcpy(&repl, compatr, sizeof(*compatr));
3934 +
3935 +- i = 0;
3936 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
3937 +- ret = compat_check_entry(iter1, net, name);
3938 +- if (ret != 0)
3939 +- break;
3940 +- ++i;
3941 +- if (strcmp(ip6t_get_target(iter1)->u.user.name,
3942 +- XT_ERROR_TARGET) == 0)
3943 +- ++newinfo->stacksize;
3944 +- }
3945 +- if (ret) {
3946 +- /*
3947 +- * The first i matches need cleanup_entry (calls ->destroy)
3948 +- * because they had called ->check already. The other j-i
3949 +- * entries need only release.
3950 +- */
3951 +- int skip = i;
3952 +- j -= i;
3953 +- xt_entry_foreach(iter0, entry0, newinfo->size) {
3954 +- if (skip-- > 0)
3955 +- continue;
3956 +- if (j-- == 0)
3957 +- break;
3958 +- compat_release_entry(iter0);
3959 +- }
3960 +- xt_entry_foreach(iter1, entry1, newinfo->size) {
3961 +- if (i-- == 0)
3962 +- break;
3963 +- cleanup_entry(iter1, net);
3964 +- }
3965 +- xt_free_table_info(newinfo);
3966 +- return ret;
3967 ++ for (i = 0; i < NF_INET_NUMHOOKS; i++) {
3968 ++ repl.hook_entry[i] = newinfo->hook_entry[i];
3969 ++ repl.underflow[i] = newinfo->underflow[i];
3970 + }
3971 +
3972 ++ repl.num_counters = 0;
3973 ++ repl.counters = NULL;
3974 ++ repl.size = newinfo->size;
3975 ++ ret = translate_table(net, newinfo, entry1, &repl);
3976 ++ if (ret)
3977 ++ goto free_newinfo;
3978 ++
3979 + *pinfo = newinfo;
3980 + *pentry0 = entry1;
3981 + xt_free_table_info(info);
3982 +@@ -1794,17 +1645,16 @@ translate_compat_table(struct net *net,
3983 +
3984 + free_newinfo:
3985 + xt_free_table_info(newinfo);
3986 +-out:
3987 +- xt_entry_foreach(iter0, entry0, total_size) {
3988 ++ return ret;
3989 ++out_unlock:
3990 ++ xt_compat_flush_offsets(AF_INET6);
3991 ++ xt_compat_unlock(AF_INET6);
3992 ++ xt_entry_foreach(iter0, entry0, compatr->size) {
3993 + if (j-- == 0)
3994 + break;
3995 + compat_release_entry(iter0);
3996 + }
3997 + return ret;
3998 +-out_unlock:
3999 +- xt_compat_flush_offsets(AF_INET6);
4000 +- xt_compat_unlock(AF_INET6);
4001 +- goto out;
4002 + }
4003 +
4004 + static int
4005 +@@ -1840,10 +1690,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
4006 + goto free_newinfo;
4007 + }
4008 +
4009 +- ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
4010 +- &newinfo, &loc_cpu_entry, tmp.size,
4011 +- tmp.num_entries, tmp.hook_entry,
4012 +- tmp.underflow);
4013 ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
4014 + if (ret != 0)
4015 + goto free_newinfo;
4016 +
4017 +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
4018 +index f443c6b0ce16..f6d7516eeb8a 100644
4019 +--- a/net/ipv6/tcp_ipv6.c
4020 ++++ b/net/ipv6/tcp_ipv6.c
4021 +@@ -1717,7 +1717,9 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
4022 + destp = ntohs(inet->inet_dport);
4023 + srcp = ntohs(inet->inet_sport);
4024 +
4025 +- if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
4026 ++ if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
4027 ++ icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
4028 ++ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
4029 + timer_active = 1;
4030 + timer_expires = icsk->icsk_timeout;
4031 + } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
4032 +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
4033 +index 6bc5c664fa46..f96831d9d419 100644
4034 +--- a/net/ipv6/udp.c
4035 ++++ b/net/ipv6/udp.c
4036 +@@ -653,7 +653,7 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
4037 +
4038 + /* if we're overly short, let UDP handle it */
4039 + encap_rcv = ACCESS_ONCE(up->encap_rcv);
4040 +- if (skb->len > sizeof(struct udphdr) && encap_rcv) {
4041 ++ if (encap_rcv) {
4042 + int ret;
4043 +
4044 + /* Verify checksum before giving to encap */
4045 +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
4046 +index 6edfa9980314..1e40dacaa137 100644
4047 +--- a/net/l2tp/l2tp_core.c
4048 ++++ b/net/l2tp/l2tp_core.c
4049 +@@ -1581,7 +1581,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
4050 + /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
4051 + tunnel->encap = encap;
4052 + if (encap == L2TP_ENCAPTYPE_UDP) {
4053 +- struct udp_tunnel_sock_cfg udp_cfg;
4054 ++ struct udp_tunnel_sock_cfg udp_cfg = { };
4055 +
4056 + udp_cfg.sk_user_data = tunnel;
4057 + udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
4058 +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
4059 +index 582c9cfd6567..2675d580c490 100644
4060 +--- a/net/netfilter/x_tables.c
4061 ++++ b/net/netfilter/x_tables.c
4062 +@@ -416,6 +416,47 @@ int xt_check_match(struct xt_mtchk_param *par,
4063 + }
4064 + EXPORT_SYMBOL_GPL(xt_check_match);
4065 +
4066 ++/** xt_check_entry_match - check that matches end before start of target
4067 ++ *
4068 ++ * @match: beginning of xt_entry_match
4069 ++ * @target: beginning of this rules target (alleged end of matches)
4070 ++ * @alignment: alignment requirement of match structures
4071 ++ *
4072 ++ * Validates that all matches add up to the beginning of the target,
4073 ++ * and that each match covers at least the base structure size.
4074 ++ *
4075 ++ * Return: 0 on success, negative errno on failure.
4076 ++ */
4077 ++static int xt_check_entry_match(const char *match, const char *target,
4078 ++ const size_t alignment)
4079 ++{
4080 ++ const struct xt_entry_match *pos;
4081 ++ int length = target - match;
4082 ++
4083 ++ if (length == 0) /* no matches */
4084 ++ return 0;
4085 ++
4086 ++ pos = (struct xt_entry_match *)match;
4087 ++ do {
4088 ++ if ((unsigned long)pos % alignment)
4089 ++ return -EINVAL;
4090 ++
4091 ++ if (length < (int)sizeof(struct xt_entry_match))
4092 ++ return -EINVAL;
4093 ++
4094 ++ if (pos->u.match_size < sizeof(struct xt_entry_match))
4095 ++ return -EINVAL;
4096 ++
4097 ++ if (pos->u.match_size > length)
4098 ++ return -EINVAL;
4099 ++
4100 ++ length -= pos->u.match_size;
4101 ++ pos = ((void *)((char *)(pos) + (pos)->u.match_size));
4102 ++ } while (length > 0);
4103 ++
4104 ++ return 0;
4105 ++}
4106 ++
4107 + #ifdef CONFIG_COMPAT
4108 + int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
4109 + {
4110 +@@ -485,13 +526,14 @@ int xt_compat_match_offset(const struct xt_match *match)
4111 + }
4112 + EXPORT_SYMBOL_GPL(xt_compat_match_offset);
4113 +
4114 +-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
4115 +- unsigned int *size)
4116 ++void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
4117 ++ unsigned int *size)
4118 + {
4119 + const struct xt_match *match = m->u.kernel.match;
4120 + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
4121 + int pad, off = xt_compat_match_offset(match);
4122 + u_int16_t msize = cm->u.user.match_size;
4123 ++ char name[sizeof(m->u.user.name)];
4124 +
4125 + m = *dstptr;
4126 + memcpy(m, cm, sizeof(*cm));
4127 +@@ -505,10 +547,12 @@ int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
4128 +
4129 + msize += off;
4130 + m->u.user.match_size = msize;
4131 ++ strlcpy(name, match->name, sizeof(name));
4132 ++ module_put(match->me);
4133 ++ strncpy(m->u.user.name, name, sizeof(m->u.user.name));
4134 +
4135 + *size += off;
4136 + *dstptr += msize;
4137 +- return 0;
4138 + }
4139 + EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
4140 +
4141 +@@ -539,8 +583,125 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
4142 + return 0;
4143 + }
4144 + EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
4145 ++
4146 ++/* non-compat version may have padding after verdict */
4147 ++struct compat_xt_standard_target {
4148 ++ struct compat_xt_entry_target t;
4149 ++ compat_uint_t verdict;
4150 ++};
4151 ++
4152 ++int xt_compat_check_entry_offsets(const void *base, const char *elems,
4153 ++ unsigned int target_offset,
4154 ++ unsigned int next_offset)
4155 ++{
4156 ++ long size_of_base_struct = elems - (const char *)base;
4157 ++ const struct compat_xt_entry_target *t;
4158 ++ const char *e = base;
4159 ++
4160 ++ if (target_offset < size_of_base_struct)
4161 ++ return -EINVAL;
4162 ++
4163 ++ if (target_offset + sizeof(*t) > next_offset)
4164 ++ return -EINVAL;
4165 ++
4166 ++ t = (void *)(e + target_offset);
4167 ++ if (t->u.target_size < sizeof(*t))
4168 ++ return -EINVAL;
4169 ++
4170 ++ if (target_offset + t->u.target_size > next_offset)
4171 ++ return -EINVAL;
4172 ++
4173 ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
4174 ++ COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset)
4175 ++ return -EINVAL;
4176 ++
4177 ++ /* compat_xt_entry match has less strict aligment requirements,
4178 ++ * otherwise they are identical. In case of padding differences
4179 ++ * we need to add compat version of xt_check_entry_match.
4180 ++ */
4181 ++ BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match));
4182 ++
4183 ++ return xt_check_entry_match(elems, base + target_offset,
4184 ++ __alignof__(struct compat_xt_entry_match));
4185 ++}
4186 ++EXPORT_SYMBOL(xt_compat_check_entry_offsets);
4187 + #endif /* CONFIG_COMPAT */
4188 +
4189 ++/**
4190 ++ * xt_check_entry_offsets - validate arp/ip/ip6t_entry
4191 ++ *
4192 ++ * @base: pointer to arp/ip/ip6t_entry
4193 ++ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems
4194 ++ * @target_offset: the arp/ip/ip6_t->target_offset
4195 ++ * @next_offset: the arp/ip/ip6_t->next_offset
4196 ++ *
4197 ++ * validates that target_offset and next_offset are sane and that all
4198 ++ * match sizes (if any) align with the target offset.
4199 ++ *
4200 ++ * This function does not validate the targets or matches themselves, it
4201 ++ * only tests that all the offsets and sizes are correct, that all
4202 ++ * match structures are aligned, and that the last structure ends where
4203 ++ * the target structure begins.
4204 ++ *
4205 ++ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
4206 ++ *
4207 ++ * The arp/ip/ip6t_entry structure @base must have passed following tests:
4208 ++ * - it must point to a valid memory location
4209 ++ * - base to base + next_offset must be accessible, i.e. not exceed allocated
4210 ++ * length.
4211 ++ *
4212 ++ * A well-formed entry looks like this:
4213 ++ *
4214 ++ * ip(6)t_entry match [mtdata] match [mtdata] target [tgdata] ip(6)t_entry
4215 ++ * e->elems[]-----' | |
4216 ++ * matchsize | |
4217 ++ * matchsize | |
4218 ++ * | |
4219 ++ * target_offset---------------------------------' |
4220 ++ * next_offset---------------------------------------------------'
4221 ++ *
4222 ++ * elems[]: flexible array member at end of ip(6)/arpt_entry struct.
4223 ++ * This is where matches (if any) and the target reside.
4224 ++ * target_offset: beginning of target.
4225 ++ * next_offset: start of the next rule; also: size of this rule.
4226 ++ * Since targets have a minimum size, target_offset + minlen <= next_offset.
4227 ++ *
4228 ++ * Every match stores its size, sum of sizes must not exceed target_offset.
4229 ++ *
4230 ++ * Return: 0 on success, negative errno on failure.
4231 ++ */
4232 ++int xt_check_entry_offsets(const void *base,
4233 ++ const char *elems,
4234 ++ unsigned int target_offset,
4235 ++ unsigned int next_offset)
4236 ++{
4237 ++ long size_of_base_struct = elems - (const char *)base;
4238 ++ const struct xt_entry_target *t;
4239 ++ const char *e = base;
4240 ++
4241 ++ /* target start is within the ip/ip6/arpt_entry struct */
4242 ++ if (target_offset < size_of_base_struct)
4243 ++ return -EINVAL;
4244 ++
4245 ++ if (target_offset + sizeof(*t) > next_offset)
4246 ++ return -EINVAL;
4247 ++
4248 ++ t = (void *)(e + target_offset);
4249 ++ if (t->u.target_size < sizeof(*t))
4250 ++ return -EINVAL;
4251 ++
4252 ++ if (target_offset + t->u.target_size > next_offset)
4253 ++ return -EINVAL;
4254 ++
4255 ++ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
4256 ++ XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset)
4257 ++ return -EINVAL;
4258 ++
4259 ++ return xt_check_entry_match(elems, base + target_offset,
4260 ++ __alignof__(struct xt_entry_match));
4261 ++}
4262 ++EXPORT_SYMBOL(xt_check_entry_offsets);
4263 ++
4264 + int xt_check_target(struct xt_tgchk_param *par,
4265 + unsigned int size, u_int8_t proto, bool inv_proto)
4266 + {
4267 +@@ -591,6 +752,80 @@ int xt_check_target(struct xt_tgchk_param *par,
4268 + }
4269 + EXPORT_SYMBOL_GPL(xt_check_target);
4270 +
4271 ++/**
4272 ++ * xt_copy_counters_from_user - copy counters and metadata from userspace
4273 ++ *
4274 ++ * @user: src pointer to userspace memory
4275 ++ * @len: alleged size of userspace memory
4276 ++ * @info: where to store the xt_counters_info metadata
4277 ++ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel
4278 ++ *
4279 ++ * Copies counter meta data from @user and stores it in @info.
4280 ++ *
4281 ++ * vmallocs memory to hold the counters, then copies the counter data
4282 ++ * from @user to the new memory and returns a pointer to it.
4283 ++ *
4284 ++ * If @compat is true, @info gets converted automatically to the 64bit
4285 ++ * representation.
4286 ++ *
4287 ++ * The metadata associated with the counters is stored in @info.
4288 ++ *
4289 ++ * Return: returns pointer that caller has to test via IS_ERR().
4290 ++ * If IS_ERR is false, caller has to vfree the pointer.
4291 ++ */
4292 ++void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
4293 ++ struct xt_counters_info *info, bool compat)
4294 ++{
4295 ++ void *mem;
4296 ++ u64 size;
4297 ++
4298 ++#ifdef CONFIG_COMPAT
4299 ++ if (compat) {
4300 ++ /* structures only differ in size due to alignment */
4301 ++ struct compat_xt_counters_info compat_tmp;
4302 ++
4303 ++ if (len <= sizeof(compat_tmp))
4304 ++ return ERR_PTR(-EINVAL);
4305 ++
4306 ++ len -= sizeof(compat_tmp);
4307 ++ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
4308 ++ return ERR_PTR(-EFAULT);
4309 ++
4310 ++ strlcpy(info->name, compat_tmp.name, sizeof(info->name));
4311 ++ info->num_counters = compat_tmp.num_counters;
4312 ++ user += sizeof(compat_tmp);
4313 ++ } else
4314 ++#endif
4315 ++ {
4316 ++ if (len <= sizeof(*info))
4317 ++ return ERR_PTR(-EINVAL);
4318 ++
4319 ++ len -= sizeof(*info);
4320 ++ if (copy_from_user(info, user, sizeof(*info)) != 0)
4321 ++ return ERR_PTR(-EFAULT);
4322 ++
4323 ++ info->name[sizeof(info->name) - 1] = '\0';
4324 ++ user += sizeof(*info);
4325 ++ }
4326 ++
4327 ++ size = sizeof(struct xt_counters);
4328 ++ size *= info->num_counters;
4329 ++
4330 ++ if (size != (u64)len)
4331 ++ return ERR_PTR(-EINVAL);
4332 ++
4333 ++ mem = vmalloc(len);
4334 ++ if (!mem)
4335 ++ return ERR_PTR(-ENOMEM);
4336 ++
4337 ++ if (copy_from_user(mem, user, len) == 0)
4338 ++ return mem;
4339 ++
4340 ++ vfree(mem);
4341 ++ return ERR_PTR(-EFAULT);
4342 ++}
4343 ++EXPORT_SYMBOL_GPL(xt_copy_counters_from_user);
4344 ++
4345 + #ifdef CONFIG_COMPAT
4346 + int xt_compat_target_offset(const struct xt_target *target)
4347 + {
4348 +@@ -606,6 +841,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
4349 + struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
4350 + int pad, off = xt_compat_target_offset(target);
4351 + u_int16_t tsize = ct->u.user.target_size;
4352 ++ char name[sizeof(t->u.user.name)];
4353 +
4354 + t = *dstptr;
4355 + memcpy(t, ct, sizeof(*ct));
4356 +@@ -619,6 +855,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
4357 +
4358 + tsize += off;
4359 + t->u.user.target_size = tsize;
4360 ++ strlcpy(name, target->name, sizeof(name));
4361 ++ module_put(target->me);
4362 ++ strncpy(t->u.user.name, name, sizeof(t->u.user.name));
4363 +
4364 + *size += off;
4365 + *dstptr += tsize;
4366 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
4367 +index 330ebd600f25..f48e3b3aedd5 100644
4368 +--- a/net/netlink/af_netlink.c
4369 ++++ b/net/netlink/af_netlink.c
4370 +@@ -2059,6 +2059,7 @@ static int netlink_dump(struct sock *sk)
4371 + struct netlink_callback *cb;
4372 + struct sk_buff *skb = NULL;
4373 + struct nlmsghdr *nlh;
4374 ++ struct module *module;
4375 + int len, err = -ENOBUFS;
4376 + int alloc_min_size;
4377 + int alloc_size;
4378 +@@ -2134,9 +2135,11 @@ static int netlink_dump(struct sock *sk)
4379 + cb->done(cb);
4380 +
4381 + nlk->cb_running = false;
4382 ++ module = cb->module;
4383 ++ skb = cb->skb;
4384 + mutex_unlock(nlk->cb_mutex);
4385 +- module_put(cb->module);
4386 +- consume_skb(cb->skb);
4387 ++ module_put(module);
4388 ++ consume_skb(skb);
4389 + return 0;
4390 +
4391 + errout_skb:
4392 +diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c
4393 +index b7e01d88bdc5..59658b2e9cdf 100644
4394 +--- a/net/switchdev/switchdev.c
4395 ++++ b/net/switchdev/switchdev.c
4396 +@@ -1188,6 +1188,7 @@ int switchdev_fib_ipv4_add(u32 dst, int dst_len, struct fib_info *fi,
4397 + .obj.id = SWITCHDEV_OBJ_ID_IPV4_FIB,
4398 + .dst = dst,
4399 + .dst_len = dst_len,
4400 ++ .fi = fi,
4401 + .tos = tos,
4402 + .type = type,
4403 + .nlflags = nlflags,
4404 +@@ -1196,8 +1197,6 @@ int switchdev_fib_ipv4_add(u32 dst, int dst_len, struct fib_info *fi,
4405 + struct net_device *dev;
4406 + int err = 0;
4407 +
4408 +- memcpy(&ipv4_fib.fi, fi, sizeof(ipv4_fib.fi));
4409 +-
4410 + /* Don't offload route if using custom ip rules or if
4411 + * IPv4 FIB offloading has been disabled completely.
4412 + */
4413 +@@ -1242,6 +1241,7 @@ int switchdev_fib_ipv4_del(u32 dst, int dst_len, struct fib_info *fi,
4414 + .obj.id = SWITCHDEV_OBJ_ID_IPV4_FIB,
4415 + .dst = dst,
4416 + .dst_len = dst_len,
4417 ++ .fi = fi,
4418 + .tos = tos,
4419 + .type = type,
4420 + .nlflags = 0,
4421 +@@ -1250,8 +1250,6 @@ int switchdev_fib_ipv4_del(u32 dst, int dst_len, struct fib_info *fi,
4422 + struct net_device *dev;
4423 + int err = 0;
4424 +
4425 +- memcpy(&ipv4_fib.fi, fi, sizeof(ipv4_fib.fi));
4426 +-
4427 + if (!(fi->fib_flags & RTNH_F_OFFLOAD))
4428 + return 0;
4429 +
4430 +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
4431 +index d7d050f44fc1..4dfc5c14f8c3 100644
4432 +--- a/net/tipc/netlink_compat.c
4433 ++++ b/net/tipc/netlink_compat.c
4434 +@@ -802,7 +802,7 @@ static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg,
4435 + goto out;
4436 +
4437 + tipc_tlv_sprintf(msg->rep, "%-10u %s",
4438 +- nla_get_u32(publ[TIPC_NLA_PUBL_REF]),
4439 ++ nla_get_u32(publ[TIPC_NLA_PUBL_KEY]),
4440 + scope_str[nla_get_u32(publ[TIPC_NLA_PUBL_SCOPE])]);
4441 + out:
4442 + tipc_tlv_sprintf(msg->rep, "\n");
4443 +diff --git a/net/tipc/socket.c b/net/tipc/socket.c
4444 +index 3eeb50a27b89..5f80d3fa9c85 100644
4445 +--- a/net/tipc/socket.c
4446 ++++ b/net/tipc/socket.c
4447 +@@ -2807,6 +2807,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
4448 + if (err)
4449 + return err;
4450 +
4451 ++ if (!attrs[TIPC_NLA_SOCK])
4452 ++ return -EINVAL;
4453 ++
4454 + err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
4455 + attrs[TIPC_NLA_SOCK],
4456 + tipc_nl_sock_policy);
4457 +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
4458 +index b50ee5d622e1..c753211cb83f 100644
4459 +--- a/net/wireless/wext-core.c
4460 ++++ b/net/wireless/wext-core.c
4461 +@@ -955,8 +955,29 @@ static int wireless_process_ioctl(struct net *net, struct ifreq *ifr,
4462 + return private(dev, iwr, cmd, info, handler);
4463 + }
4464 + /* Old driver API : call driver ioctl handler */
4465 +- if (dev->netdev_ops->ndo_do_ioctl)
4466 +- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
4467 ++ if (dev->netdev_ops->ndo_do_ioctl) {
4468 ++#ifdef CONFIG_COMPAT
4469 ++ if (info->flags & IW_REQUEST_FLAG_COMPAT) {
4470 ++ int ret = 0;
4471 ++ struct iwreq iwr_lcl;
4472 ++ struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
4473 ++
4474 ++ memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
4475 ++ iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
4476 ++ iwr_lcl.u.data.length = iwp_compat->length;
4477 ++ iwr_lcl.u.data.flags = iwp_compat->flags;
4478 ++
4479 ++ ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
4480 ++
4481 ++ iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
4482 ++ iwp_compat->length = iwr_lcl.u.data.length;
4483 ++ iwp_compat->flags = iwr_lcl.u.data.flags;
4484 ++
4485 ++ return ret;
4486 ++ } else
4487 ++#endif
4488 ++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
4489 ++ }
4490 + return -EOPNOTSUPP;
4491 + }
4492 +
4493 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
4494 +index 9a0d1445ca5c..94089fc71884 100644
4495 +--- a/sound/pci/hda/hda_intel.c
4496 ++++ b/sound/pci/hda/hda_intel.c
4497 +@@ -365,8 +365,11 @@ enum {
4498 +
4499 + #define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170)
4500 + #define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70)
4501 ++#define IS_KBL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa171)
4502 ++#define IS_KBL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d71)
4503 + #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
4504 +-#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci))
4505 ++#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci)) || \
4506 ++ IS_KBL(pci) || IS_KBL_LP(pci)
4507 +
4508 + static char *driver_short_names[] = {
4509 + [AZX_DRIVER_ICH] = "HDA Intel",
4510 +@@ -2181,6 +2184,12 @@ static const struct pci_device_id azx_ids[] = {
4511 + /* Sunrise Point-LP */
4512 + { PCI_DEVICE(0x8086, 0x9d70),
4513 + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
4514 ++ /* Kabylake */
4515 ++ { PCI_DEVICE(0x8086, 0xa171),
4516 ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
4517 ++ /* Kabylake-LP */
4518 ++ { PCI_DEVICE(0x8086, 0x9d71),
4519 ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_SKYLAKE },
4520 + /* Broxton-P(Apollolake) */
4521 + { PCI_DEVICE(0x8086, 0x5a98),
4522 + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_BROXTON },
4523 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
4524 +index d53c25e7a1c1..0fe18ede3e85 100644
4525 +--- a/sound/pci/hda/patch_realtek.c
4526 ++++ b/sound/pci/hda/patch_realtek.c
4527 +@@ -346,6 +346,9 @@ static void alc_fill_eapd_coef(struct hda_codec *codec)
4528 + case 0x10ec0234:
4529 + case 0x10ec0274:
4530 + case 0x10ec0294:
4531 ++ case 0x10ec0700:
4532 ++ case 0x10ec0701:
4533 ++ case 0x10ec0703:
4534 + alc_update_coef_idx(codec, 0x10, 1<<15, 0);
4535 + break;
4536 + case 0x10ec0662:
4537 +@@ -2655,6 +2658,7 @@ enum {
4538 + ALC269_TYPE_ALC256,
4539 + ALC269_TYPE_ALC225,
4540 + ALC269_TYPE_ALC294,
4541 ++ ALC269_TYPE_ALC700,
4542 + };
4543 +
4544 + /*
4545 +@@ -2686,6 +2690,7 @@ static int alc269_parse_auto_config(struct hda_codec *codec)
4546 + case ALC269_TYPE_ALC256:
4547 + case ALC269_TYPE_ALC225:
4548 + case ALC269_TYPE_ALC294:
4549 ++ case ALC269_TYPE_ALC700:
4550 + ssids = alc269_ssids;
4551 + break;
4552 + default:
4553 +@@ -3618,13 +3623,20 @@ static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec,
4554 + static void alc_headset_mode_unplugged(struct hda_codec *codec)
4555 + {
4556 + static struct coef_fw coef0255[] = {
4557 +- WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
4558 + WRITE_COEF(0x45, 0xd089), /* UAJ function set to menual mode */
4559 + UPDATE_COEFEX(0x57, 0x05, 1<<14, 0), /* Direct Drive HP Amp control(Set to verb control)*/
4560 + WRITE_COEF(0x06, 0x6104), /* Set MIC2 Vref gate with HP */
4561 + WRITE_COEFEX(0x57, 0x03, 0x8aa6), /* Direct Drive HP Amp control */
4562 + {}
4563 + };
4564 ++ static struct coef_fw coef0255_1[] = {
4565 ++ WRITE_COEF(0x1b, 0x0c0b), /* LDO and MISC control */
4566 ++ {}
4567 ++ };
4568 ++ static struct coef_fw coef0256[] = {
4569 ++ WRITE_COEF(0x1b, 0x0c4b), /* LDO and MISC control */
4570 ++ {}
4571 ++ };
4572 + static struct coef_fw coef0233[] = {
4573 + WRITE_COEF(0x1b, 0x0c0b),
4574 + WRITE_COEF(0x45, 0xc429),
4575 +@@ -3677,7 +3689,11 @@ static void alc_headset_mode_unplugged(struct hda_codec *codec)
4576 +
4577 + switch (codec->core.vendor_id) {
4578 + case 0x10ec0255:
4579 ++ alc_process_coef_fw(codec, coef0255_1);
4580 ++ alc_process_coef_fw(codec, coef0255);
4581 ++ break;
4582 + case 0x10ec0256:
4583 ++ alc_process_coef_fw(codec, coef0256);
4584 + alc_process_coef_fw(codec, coef0255);
4585 + break;
4586 + case 0x10ec0233:
4587 +@@ -3896,6 +3912,12 @@ static void alc_headset_mode_ctia(struct hda_codec *codec)
4588 + WRITE_COEFEX(0x57, 0x03, 0x8ea6),
4589 + {}
4590 + };
4591 ++ static struct coef_fw coef0256[] = {
4592 ++ WRITE_COEF(0x45, 0xd489), /* Set to CTIA type */
4593 ++ WRITE_COEF(0x1b, 0x0c6b),
4594 ++ WRITE_COEFEX(0x57, 0x03, 0x8ea6),
4595 ++ {}
4596 ++ };
4597 + static struct coef_fw coef0233[] = {
4598 + WRITE_COEF(0x45, 0xd429),
4599 + WRITE_COEF(0x1b, 0x0c2b),
4600 +@@ -3936,9 +3958,11 @@ static void alc_headset_mode_ctia(struct hda_codec *codec)
4601 +
4602 + switch (codec->core.vendor_id) {
4603 + case 0x10ec0255:
4604 +- case 0x10ec0256:
4605 + alc_process_coef_fw(codec, coef0255);
4606 + break;
4607 ++ case 0x10ec0256:
4608 ++ alc_process_coef_fw(codec, coef0256);
4609 ++ break;
4610 + case 0x10ec0233:
4611 + case 0x10ec0283:
4612 + alc_process_coef_fw(codec, coef0233);
4613 +@@ -3978,6 +4002,12 @@ static void alc_headset_mode_omtp(struct hda_codec *codec)
4614 + WRITE_COEFEX(0x57, 0x03, 0x8ea6),
4615 + {}
4616 + };
4617 ++ static struct coef_fw coef0256[] = {
4618 ++ WRITE_COEF(0x45, 0xe489), /* Set to OMTP Type */
4619 ++ WRITE_COEF(0x1b, 0x0c6b),
4620 ++ WRITE_COEFEX(0x57, 0x03, 0x8ea6),
4621 ++ {}
4622 ++ };
4623 + static struct coef_fw coef0233[] = {
4624 + WRITE_COEF(0x45, 0xe429),
4625 + WRITE_COEF(0x1b, 0x0c2b),
4626 +@@ -4018,9 +4048,11 @@ static void alc_headset_mode_omtp(struct hda_codec *codec)
4627 +
4628 + switch (codec->core.vendor_id) {
4629 + case 0x10ec0255:
4630 +- case 0x10ec0256:
4631 + alc_process_coef_fw(codec, coef0255);
4632 + break;
4633 ++ case 0x10ec0256:
4634 ++ alc_process_coef_fw(codec, coef0256);
4635 ++ break;
4636 + case 0x10ec0233:
4637 + case 0x10ec0283:
4638 + alc_process_coef_fw(codec, coef0233);
4639 +@@ -4266,7 +4298,7 @@ static void alc_fixup_headset_mode_no_hp_mic(struct hda_codec *codec,
4640 + static void alc255_set_default_jack_type(struct hda_codec *codec)
4641 + {
4642 + /* Set to iphone type */
4643 +- static struct coef_fw fw[] = {
4644 ++ static struct coef_fw alc255fw[] = {
4645 + WRITE_COEF(0x1b, 0x880b),
4646 + WRITE_COEF(0x45, 0xd089),
4647 + WRITE_COEF(0x1b, 0x080b),
4648 +@@ -4274,7 +4306,22 @@ static void alc255_set_default_jack_type(struct hda_codec *codec)
4649 + WRITE_COEF(0x1b, 0x0c0b),
4650 + {}
4651 + };
4652 +- alc_process_coef_fw(codec, fw);
4653 ++ static struct coef_fw alc256fw[] = {
4654 ++ WRITE_COEF(0x1b, 0x884b),
4655 ++ WRITE_COEF(0x45, 0xd089),
4656 ++ WRITE_COEF(0x1b, 0x084b),
4657 ++ WRITE_COEF(0x46, 0x0004),
4658 ++ WRITE_COEF(0x1b, 0x0c4b),
4659 ++ {}
4660 ++ };
4661 ++ switch (codec->core.vendor_id) {
4662 ++ case 0x10ec0255:
4663 ++ alc_process_coef_fw(codec, alc255fw);
4664 ++ break;
4665 ++ case 0x10ec0256:
4666 ++ alc_process_coef_fw(codec, alc256fw);
4667 ++ break;
4668 ++ }
4669 + msleep(30);
4670 + }
4671 +
4672 +@@ -5587,6 +5634,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
4673 + SND_PCI_QUIRK(0x17aa, 0x2218, "Thinkpad X1 Carbon 2nd", ALC292_FIXUP_TPT440_DOCK),
4674 + SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
4675 + SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
4676 ++ SND_PCI_QUIRK(0x17aa, 0x2231, "Thinkpad T560", ALC292_FIXUP_TPT460),
4677 + SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC292_FIXUP_TPT460),
4678 + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
4679 + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
4680 +@@ -5775,6 +5823,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
4681 + {0x12, 0x90a60180},
4682 + {0x14, 0x90170130},
4683 + {0x21, 0x02211040}),
4684 ++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell Inspiron 5565", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
4685 ++ {0x12, 0x90a60180},
4686 ++ {0x14, 0x90170120},
4687 ++ {0x21, 0x02211030}),
4688 + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
4689 + {0x12, 0x90a60160},
4690 + {0x14, 0x90170120},
4691 +@@ -6053,6 +6105,14 @@ static int patch_alc269(struct hda_codec *codec)
4692 + case 0x10ec0294:
4693 + spec->codec_variant = ALC269_TYPE_ALC294;
4694 + break;
4695 ++ case 0x10ec0700:
4696 ++ case 0x10ec0701:
4697 ++ case 0x10ec0703:
4698 ++ spec->codec_variant = ALC269_TYPE_ALC700;
4699 ++ spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
4700 ++ alc_update_coef_idx(codec, 0x4a, 0, 1 << 15); /* Combo jack auto trigger control */
4701 ++ break;
4702 ++
4703 + }
4704 +
4705 + if (snd_hda_codec_read(codec, 0x51, 0, AC_VERB_PARAMETERS, 0) == 0x10ec5505) {
4706 +@@ -7008,6 +7068,9 @@ static const struct hda_device_id snd_hda_id_realtek[] = {
4707 + HDA_CODEC_ENTRY(0x10ec0670, "ALC670", patch_alc662),
4708 + HDA_CODEC_ENTRY(0x10ec0671, "ALC671", patch_alc662),
4709 + HDA_CODEC_ENTRY(0x10ec0680, "ALC680", patch_alc680),
4710 ++ HDA_CODEC_ENTRY(0x10ec0700, "ALC700", patch_alc269),
4711 ++ HDA_CODEC_ENTRY(0x10ec0701, "ALC701", patch_alc269),
4712 ++ HDA_CODEC_ENTRY(0x10ec0703, "ALC703", patch_alc269),
4713 + HDA_CODEC_ENTRY(0x10ec0867, "ALC891", patch_alc882),
4714 + HDA_CODEC_ENTRY(0x10ec0880, "ALC880", patch_alc880),
4715 + HDA_CODEC_ENTRY(0x10ec0882, "ALC882", patch_alc882),
4716 +diff --git a/virt/kvm/arm/hyp/vgic-v2-sr.c b/virt/kvm/arm/hyp/vgic-v2-sr.c
4717 +index 674bdf8ecf4f..501849ad0b60 100644
4718 +--- a/virt/kvm/arm/hyp/vgic-v2-sr.c
4719 ++++ b/virt/kvm/arm/hyp/vgic-v2-sr.c
4720 +@@ -93,12 +93,11 @@ static void __hyp_text save_lrs(struct kvm_vcpu *vcpu, void __iomem *base)
4721 + if (!(vcpu->arch.vgic_cpu.live_lrs & (1UL << i)))
4722 + continue;
4723 +
4724 +- if (cpu_if->vgic_elrsr & (1UL << i)) {
4725 ++ if (cpu_if->vgic_elrsr & (1UL << i))
4726 + cpu_if->vgic_lr[i] &= ~GICH_LR_STATE;
4727 +- continue;
4728 +- }
4729 ++ else
4730 ++ cpu_if->vgic_lr[i] = readl_relaxed(base + GICH_LR0 + (i * 4));
4731 +
4732 +- cpu_if->vgic_lr[i] = readl_relaxed(base + GICH_LR0 + (i * 4));
4733 + writel_relaxed(0, base + GICH_LR0 + (i * 4));
4734 + }
4735 + }
4736 +diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c
4737 +index fe84e1a95dd5..8db197bb6c7a 100644
4738 +--- a/virt/kvm/irqchip.c
4739 ++++ b/virt/kvm/irqchip.c
4740 +@@ -40,7 +40,7 @@ int kvm_irq_map_gsi(struct kvm *kvm,
4741 +
4742 + irq_rt = srcu_dereference_check(kvm->irq_routing, &kvm->irq_srcu,
4743 + lockdep_is_held(&kvm->irq_lock));
4744 +- if (gsi < irq_rt->nr_rt_entries) {
4745 ++ if (irq_rt && gsi < irq_rt->nr_rt_entries) {
4746 + hlist_for_each_entry(e, &irq_rt->map[gsi], link) {
4747 + entries[n] = *e;
4748 + ++n;
Report Message
Find on MARC Find on Google Groups