Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:3.14 commit in: /
Date: Thu, 01 Oct 2015 13:18:42
Message-Id: 1444702180.1436107c61cfd76a7a9a3953a10991cd3dd0a0e3.mpagano@gentoo
1 commit: 1436107c61cfd76a7a9a3953a10991cd3dd0a0e3
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Oct 13 02:09:40 2015 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Oct 13 02:09:40 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=1436107c
7
8 Linux patch 3.14.54
9
10 0000_README | 4 +
11 1053_linux-3.14.54.patch | 3609 ++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 3613 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 3ba7817..12856a3 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -254,6 +254,10 @@ Patch: 1052_linux-3.14.53.patch
19 From: http://www.kernel.org
20 Desc: Linux 3.14.53
21
22 +Patch: 1053_linux-3.14.54.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 3.14.54
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1053_linux-3.14.54.patch b/1053_linux-3.14.54.patch
31 new file mode 100644
32 index 0000000..836dcd8
33 --- /dev/null
34 +++ b/1053_linux-3.14.54.patch
35 @@ -0,0 +1,3609 @@
36 +diff --git a/Makefile b/Makefile
37 +index 86d227774ae6..22c91fa0411e 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,8 +1,8 @@
41 + VERSION = 3
42 + PATCHLEVEL = 14
43 +-SUBLEVEL = 53
44 ++SUBLEVEL = 54
45 + EXTRAVERSION =
46 +-NAME = Remembering Coco
47 ++NAME = Kernel Recipes 2015
48 +
49 + # *DOCUMENTATION*
50 + # To see a list of typical targets execute "make help"
51 +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
52 +index 65b788410bd9..9a406627b0ef 100644
53 +--- a/arch/arm64/Kconfig
54 ++++ b/arch/arm64/Kconfig
55 +@@ -68,6 +68,10 @@ config NO_IOPORT
56 + config STACKTRACE_SUPPORT
57 + def_bool y
58 +
59 ++config ILLEGAL_POINTER_VALUE
60 ++ hex
61 ++ default 0xdead000000000000
62 ++
63 + config LOCKDEP_SUPPORT
64 + def_bool y
65 +
66 +@@ -302,6 +306,22 @@ menu "CPU Power Management"
67 +
68 + source "drivers/cpuidle/Kconfig"
69 +
70 ++config ARM64_ERRATUM_843419
71 ++ bool "Cortex-A53: 843419: A load or store might access an incorrect address"
72 ++ depends on MODULES
73 ++ default y
74 ++ help
75 ++ This option builds kernel modules using the large memory model in
76 ++ order to avoid the use of the ADRP instruction, which can cause
77 ++ a subsequent memory access to use an incorrect address on Cortex-A53
78 ++ parts up to r0p4.
79 ++
80 ++ Note that the kernel itself must be linked with a version of ld
81 ++ which fixes potentially affected ADRP instructions through the
82 ++ use of veneers.
83 ++
84 ++ If unsure, say Y.
85 ++
86 + endmenu
87 +
88 + source "net/Kconfig"
89 +diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
90 +index 2fceb71ac3b7..0ab1a34dab58 100644
91 +--- a/arch/arm64/Makefile
92 ++++ b/arch/arm64/Makefile
93 +@@ -34,6 +34,10 @@ comma = ,
94 +
95 + CHECKFLAGS += -D__aarch64__
96 +
97 ++ifeq ($(CONFIG_ARM64_ERRATUM_843419), y)
98 ++CFLAGS_MODULE += -mcmodel=large
99 ++endif
100 ++
101 + # Default value
102 + head-y := arch/arm64/kernel/head.o
103 +
104 +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
105 +index 0b281fffda51..150492b6cd02 100644
106 +--- a/arch/arm64/kernel/head.S
107 ++++ b/arch/arm64/kernel/head.S
108 +@@ -203,6 +203,11 @@ CPU_LE( movk x0, #0x30d0, lsl #16 ) // Clear EE and E0E on LE systems
109 + msr hstr_el2, xzr // Disable CP15 traps to EL2
110 + #endif
111 +
112 ++ /* EL2 debug */
113 ++ mrs x0, pmcr_el0 // Disable debug access traps
114 ++ ubfx x0, x0, #11, #5 // to EL2 and allow access to
115 ++ msr mdcr_el2, x0 // all PMU counters from EL1
116 ++
117 + /* Stage-2 translation */
118 + msr vttbr_el2, xzr
119 +
120 +diff --git a/arch/arm64/kernel/module.c b/arch/arm64/kernel/module.c
121 +index 1eb1cc955139..e366329d96d8 100644
122 +--- a/arch/arm64/kernel/module.c
123 ++++ b/arch/arm64/kernel/module.c
124 +@@ -330,12 +330,14 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
125 + ovf = reloc_insn_imm(RELOC_OP_PREL, loc, val, 0, 21,
126 + AARCH64_INSN_IMM_ADR);
127 + break;
128 ++#ifndef CONFIG_ARM64_ERRATUM_843419
129 + case R_AARCH64_ADR_PREL_PG_HI21_NC:
130 + overflow_check = false;
131 + case R_AARCH64_ADR_PREL_PG_HI21:
132 + ovf = reloc_insn_imm(RELOC_OP_PAGE, loc, val, 12, 21,
133 + AARCH64_INSN_IMM_ADR);
134 + break;
135 ++#endif
136 + case R_AARCH64_ADD_ABS_LO12_NC:
137 + case R_AARCH64_LDST8_ABS_LO12_NC:
138 + overflow_check = false;
139 +diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c
140 +index a966baccf1c0..cbe646fa340b 100644
141 +--- a/arch/arm64/kernel/signal32.c
142 ++++ b/arch/arm64/kernel/signal32.c
143 +@@ -203,14 +203,32 @@ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
144 +
145 + /*
146 + * VFP save/restore code.
147 ++ *
148 ++ * We have to be careful with endianness, since the fpsimd context-switch
149 ++ * code operates on 128-bit (Q) register values whereas the compat ABI
150 ++ * uses an array of 64-bit (D) registers. Consequently, we need to swap
151 ++ * the two halves of each Q register when running on a big-endian CPU.
152 + */
153 ++union __fpsimd_vreg {
154 ++ __uint128_t raw;
155 ++ struct {
156 ++#ifdef __AARCH64EB__
157 ++ u64 hi;
158 ++ u64 lo;
159 ++#else
160 ++ u64 lo;
161 ++ u64 hi;
162 ++#endif
163 ++ };
164 ++};
165 ++
166 + static int compat_preserve_vfp_context(struct compat_vfp_sigframe __user *frame)
167 + {
168 + struct fpsimd_state *fpsimd = &current->thread.fpsimd_state;
169 + compat_ulong_t magic = VFP_MAGIC;
170 + compat_ulong_t size = VFP_STORAGE_SIZE;
171 + compat_ulong_t fpscr, fpexc;
172 +- int err = 0;
173 ++ int i, err = 0;
174 +
175 + /*
176 + * Save the hardware registers to the fpsimd_state structure.
177 +@@ -226,10 +244,15 @@ static int compat_preserve_vfp_context(struct compat_vfp_sigframe __user *frame)
178 + /*
179 + * Now copy the FP registers. Since the registers are packed,
180 + * we can copy the prefix we want (V0-V15) as it is.
181 +- * FIXME: Won't work if big endian.
182 + */
183 +- err |= __copy_to_user(&frame->ufp.fpregs, fpsimd->vregs,
184 +- sizeof(frame->ufp.fpregs));
185 ++ for (i = 0; i < ARRAY_SIZE(frame->ufp.fpregs); i += 2) {
186 ++ union __fpsimd_vreg vreg = {
187 ++ .raw = fpsimd->vregs[i >> 1],
188 ++ };
189 ++
190 ++ __put_user_error(vreg.lo, &frame->ufp.fpregs[i], err);
191 ++ __put_user_error(vreg.hi, &frame->ufp.fpregs[i + 1], err);
192 ++ }
193 +
194 + /* Create an AArch32 fpscr from the fpsr and the fpcr. */
195 + fpscr = (fpsimd->fpsr & VFP_FPSCR_STAT_MASK) |
196 +@@ -254,7 +277,7 @@ static int compat_restore_vfp_context(struct compat_vfp_sigframe __user *frame)
197 + compat_ulong_t magic = VFP_MAGIC;
198 + compat_ulong_t size = VFP_STORAGE_SIZE;
199 + compat_ulong_t fpscr;
200 +- int err = 0;
201 ++ int i, err = 0;
202 +
203 + __get_user_error(magic, &frame->magic, err);
204 + __get_user_error(size, &frame->size, err);
205 +@@ -264,12 +287,14 @@ static int compat_restore_vfp_context(struct compat_vfp_sigframe __user *frame)
206 + if (magic != VFP_MAGIC || size != VFP_STORAGE_SIZE)
207 + return -EINVAL;
208 +
209 +- /*
210 +- * Copy the FP registers into the start of the fpsimd_state.
211 +- * FIXME: Won't work if big endian.
212 +- */
213 +- err |= __copy_from_user(fpsimd.vregs, frame->ufp.fpregs,
214 +- sizeof(frame->ufp.fpregs));
215 ++ /* Copy the FP registers into the start of the fpsimd_state. */
216 ++ for (i = 0; i < ARRAY_SIZE(frame->ufp.fpregs); i += 2) {
217 ++ union __fpsimd_vreg vreg;
218 ++
219 ++ __get_user_error(vreg.lo, &frame->ufp.fpregs[i], err);
220 ++ __get_user_error(vreg.hi, &frame->ufp.fpregs[i + 1], err);
221 ++ fpsimd.vregs[i >> 1] = vreg.raw;
222 ++ }
223 +
224 + /* Extract the fpsr and the fpcr from the fpscr */
225 + __get_user_error(fpscr, &frame->ufp.fpscr, err);
226 +diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S
227 +index 3aaf3bc4ad8a..1343b2020891 100644
228 +--- a/arch/arm64/kvm/hyp.S
229 ++++ b/arch/arm64/kvm/hyp.S
230 +@@ -485,8 +485,6 @@ CPU_BE( rev w5, w5 )
231 + mrs x3, cntv_ctl_el0
232 + and x3, x3, #3
233 + str w3, [x0, #VCPU_TIMER_CNTV_CTL]
234 +- bic x3, x3, #1 // Clear Enable
235 +- msr cntv_ctl_el0, x3
236 +
237 + isb
238 +
239 +@@ -494,6 +492,9 @@ CPU_BE( rev w5, w5 )
240 + str x3, [x0, #VCPU_TIMER_CNTV_CVAL]
241 +
242 + 1:
243 ++ // Disable the virtual timer
244 ++ msr cntv_ctl_el0, xzr
245 ++
246 + // Allow physical timer/counter access for the host
247 + mrs x2, cnthctl_el2
248 + orr x2, x2, #3
249 +diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c
250 +index 8ceac4785609..1ce320e4d3d8 100644
251 +--- a/arch/parisc/kernel/irq.c
252 ++++ b/arch/parisc/kernel/irq.c
253 +@@ -507,8 +507,8 @@ void do_cpu_irq_mask(struct pt_regs *regs)
254 + struct pt_regs *old_regs;
255 + unsigned long eirr_val;
256 + int irq, cpu = smp_processor_id();
257 +-#ifdef CONFIG_SMP
258 + struct irq_desc *desc;
259 ++#ifdef CONFIG_SMP
260 + cpumask_t dest;
261 + #endif
262 +
263 +@@ -521,8 +521,12 @@ void do_cpu_irq_mask(struct pt_regs *regs)
264 + goto set_out;
265 + irq = eirr_to_irq(eirr_val);
266 +
267 +-#ifdef CONFIG_SMP
268 ++ /* Filter out spurious interrupts, mostly from serial port at bootup */
269 + desc = irq_to_desc(irq);
270 ++ if (unlikely(!desc->action))
271 ++ goto set_out;
272 ++
273 ++#ifdef CONFIG_SMP
274 + cpumask_copy(&dest, desc->irq_data.affinity);
275 + if (irqd_is_per_cpu(&desc->irq_data) &&
276 + !cpu_isset(smp_processor_id(), dest)) {
277 +diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S
278 +index 7ef22e3387e0..0b8d26d3ba43 100644
279 +--- a/arch/parisc/kernel/syscall.S
280 ++++ b/arch/parisc/kernel/syscall.S
281 +@@ -821,7 +821,7 @@ cas2_action:
282 + /* 64bit CAS */
283 + #ifdef CONFIG_64BIT
284 + 19: ldd,ma 0(%sr3,%r26), %r29
285 +- sub,= %r29, %r25, %r0
286 ++ sub,*= %r29, %r25, %r0
287 + b,n cas2_end
288 + 20: std,ma %r24, 0(%sr3,%r26)
289 + copy %r0, %r28
290 +diff --git a/arch/powerpc/include/asm/pgtable-ppc64.h b/arch/powerpc/include/asm/pgtable-ppc64.h
291 +index 7b3d54fae46f..7356053b1133 100644
292 +--- a/arch/powerpc/include/asm/pgtable-ppc64.h
293 ++++ b/arch/powerpc/include/asm/pgtable-ppc64.h
294 +@@ -135,7 +135,19 @@
295 + #define pte_iterate_hashed_end() } while(0)
296 +
297 + #ifdef CONFIG_PPC_HAS_HASH_64K
298 +-#define pte_pagesize_index(mm, addr, pte) get_slice_psize(mm, addr)
299 ++/*
300 ++ * We expect this to be called only for user addresses or kernel virtual
301 ++ * addresses other than the linear mapping.
302 ++ */
303 ++#define pte_pagesize_index(mm, addr, pte) \
304 ++ ({ \
305 ++ unsigned int psize; \
306 ++ if (is_kernel_addr(addr)) \
307 ++ psize = MMU_PAGE_4K; \
308 ++ else \
309 ++ psize = get_slice_psize(mm, addr); \
310 ++ psize; \
311 ++ })
312 + #else
313 + #define pte_pagesize_index(mm, addr, pte) MMU_PAGE_4K
314 + #endif
315 +diff --git a/arch/powerpc/include/asm/rtas.h b/arch/powerpc/include/asm/rtas.h
316 +index 9bd52c65e66f..14de1385dedb 100644
317 +--- a/arch/powerpc/include/asm/rtas.h
318 ++++ b/arch/powerpc/include/asm/rtas.h
319 +@@ -255,6 +255,7 @@ extern void rtas_power_off(void);
320 + extern void rtas_halt(void);
321 + extern void rtas_os_term(char *str);
322 + extern int rtas_get_sensor(int sensor, int index, int *state);
323 ++extern int rtas_get_sensor_fast(int sensor, int index, int *state);
324 + extern int rtas_get_power_level(int powerdomain, int *level);
325 + extern int rtas_set_power_level(int powerdomain, int level, int *setlevel);
326 + extern bool rtas_indicator_present(int token, int *maxindex);
327 +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
328 +index 4cf674d7d5ae..c4bc8d6cfd79 100644
329 +--- a/arch/powerpc/kernel/rtas.c
330 ++++ b/arch/powerpc/kernel/rtas.c
331 +@@ -584,6 +584,23 @@ int rtas_get_sensor(int sensor, int index, int *state)
332 + }
333 + EXPORT_SYMBOL(rtas_get_sensor);
334 +
335 ++int rtas_get_sensor_fast(int sensor, int index, int *state)
336 ++{
337 ++ int token = rtas_token("get-sensor-state");
338 ++ int rc;
339 ++
340 ++ if (token == RTAS_UNKNOWN_SERVICE)
341 ++ return -ENOENT;
342 ++
343 ++ rc = rtas_call(token, 2, 2, state, sensor, index);
344 ++ WARN_ON(rc == RTAS_BUSY || (rc >= RTAS_EXTENDED_DELAY_MIN &&
345 ++ rc <= RTAS_EXTENDED_DELAY_MAX));
346 ++
347 ++ if (rc < 0)
348 ++ return rtas_error_rc(rc);
349 ++ return rc;
350 ++}
351 ++
352 + bool rtas_indicator_present(int token, int *maxindex)
353 + {
354 + int proplen, count, i;
355 +diff --git a/arch/powerpc/mm/hugepage-hash64.c b/arch/powerpc/mm/hugepage-hash64.c
356 +index 5f5e6328c21c..5061c6f676da 100644
357 +--- a/arch/powerpc/mm/hugepage-hash64.c
358 ++++ b/arch/powerpc/mm/hugepage-hash64.c
359 +@@ -136,7 +136,6 @@ int __hash_page_thp(unsigned long ea, unsigned long access, unsigned long vsid,
360 + BUG_ON(index >= 4096);
361 +
362 + vpn = hpt_vpn(ea, vsid, ssize);
363 +- hash = hpt_hash(vpn, shift, ssize);
364 + hpte_slot_array = get_hpte_slot_array(pmdp);
365 + if (psize == MMU_PAGE_4K) {
366 + /*
367 +@@ -151,6 +150,7 @@ int __hash_page_thp(unsigned long ea, unsigned long access, unsigned long vsid,
368 + valid = hpte_valid(hpte_slot_array, index);
369 + if (valid) {
370 + /* update the hpte bits */
371 ++ hash = hpt_hash(vpn, shift, ssize);
372 + hidx = hpte_hash_index(hpte_slot_array, index);
373 + if (hidx & _PTEIDX_SECONDARY)
374 + hash = ~hash;
375 +@@ -176,6 +176,7 @@ int __hash_page_thp(unsigned long ea, unsigned long access, unsigned long vsid,
376 + if (!valid) {
377 + unsigned long hpte_group;
378 +
379 ++ hash = hpt_hash(vpn, shift, ssize);
380 + /* insert new entry */
381 + pa = pmd_pfn(__pmd(old_pmd)) << PAGE_SHIFT;
382 + new_pmd |= _PAGE_HASHPTE;
383 +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c
384 +index 721c0586b284..50fd3ac7b7bf 100644
385 +--- a/arch/powerpc/platforms/pseries/ras.c
386 ++++ b/arch/powerpc/platforms/pseries/ras.c
387 +@@ -187,7 +187,8 @@ static irqreturn_t ras_epow_interrupt(int irq, void *dev_id)
388 + int state;
389 + int critical;
390 +
391 +- status = rtas_get_sensor(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX, &state);
392 ++ status = rtas_get_sensor_fast(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX,
393 ++ &state);
394 +
395 + if (state > 3)
396 + critical = 1; /* Time Critical */
397 +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
398 +index 06469ee0f26e..6d6ab2b0bdfa 100644
399 +--- a/arch/x86/kernel/entry_64.S
400 ++++ b/arch/x86/kernel/entry_64.S
401 +@@ -1702,11 +1702,12 @@ ENTRY(nmi)
402 + * If the variable is not set and the stack is not the NMI
403 + * stack then:
404 + * o Set the special variable on the stack
405 +- * o Copy the interrupt frame into a "saved" location on the stack
406 +- * o Copy the interrupt frame into a "copy" location on the stack
407 ++ * o Copy the interrupt frame into an "outermost" location on the
408 ++ * stack
409 ++ * o Copy the interrupt frame into an "iret" location on the stack
410 + * o Continue processing the NMI
411 + * If the variable is set or the previous stack is the NMI stack:
412 +- * o Modify the "copy" location to jump to the repeate_nmi
413 ++ * o Modify the "iret" location to jump to the repeat_nmi
414 + * o return back to the first NMI
415 + *
416 + * Now on exit of the first NMI, we first clear the stack variable
417 +@@ -1715,52 +1716,184 @@ ENTRY(nmi)
418 + * a nested NMI that updated the copy interrupt stack frame, a
419 + * jump will be made to the repeat_nmi code that will handle the second
420 + * NMI.
421 ++ *
422 ++ * However, espfix prevents us from directly returning to userspace
423 ++ * with a single IRET instruction. Similarly, IRET to user mode
424 ++ * can fault. We therefore handle NMIs from user space like
425 ++ * other IST entries.
426 + */
427 +
428 + /* Use %rdx as out temp variable throughout */
429 + pushq_cfi %rdx
430 + CFI_REL_OFFSET rdx, 0
431 +
432 ++ testb $3, CS-RIP+8(%rsp)
433 ++ jz .Lnmi_from_kernel
434 ++
435 ++ /*
436 ++ * NMI from user mode. We need to run on the thread stack, but we
437 ++ * can't go through the normal entry paths: NMIs are masked, and
438 ++ * we don't want to enable interrupts, because then we'll end
439 ++ * up in an awkward situation in which IRQs are on but NMIs
440 ++ * are off.
441 ++ */
442 ++ SWAPGS
443 ++ cld
444 ++ movq %rsp, %rdx
445 ++ movq PER_CPU_VAR(kernel_stack), %rsp
446 ++ addq $KERNEL_STACK_OFFSET, %rsp
447 ++ pushq 5*8(%rdx) /* pt_regs->ss */
448 ++ pushq 4*8(%rdx) /* pt_regs->rsp */
449 ++ pushq 3*8(%rdx) /* pt_regs->flags */
450 ++ pushq 2*8(%rdx) /* pt_regs->cs */
451 ++ pushq 1*8(%rdx) /* pt_regs->rip */
452 ++ pushq $-1 /* pt_regs->orig_ax */
453 ++ pushq %rdi /* pt_regs->di */
454 ++ pushq %rsi /* pt_regs->si */
455 ++ pushq (%rdx) /* pt_regs->dx */
456 ++ pushq %rcx /* pt_regs->cx */
457 ++ pushq %rax /* pt_regs->ax */
458 ++ pushq %r8 /* pt_regs->r8 */
459 ++ pushq %r9 /* pt_regs->r9 */
460 ++ pushq %r10 /* pt_regs->r10 */
461 ++ pushq %r11 /* pt_regs->r11 */
462 ++ pushq %rbx /* pt_regs->rbx */
463 ++ pushq %rbp /* pt_regs->rbp */
464 ++ pushq %r12 /* pt_regs->r12 */
465 ++ pushq %r13 /* pt_regs->r13 */
466 ++ pushq %r14 /* pt_regs->r14 */
467 ++ pushq %r15 /* pt_regs->r15 */
468 ++
469 ++ /*
470 ++ * At this point we no longer need to worry about stack damage
471 ++ * due to nesting -- we're on the normal thread stack and we're
472 ++ * done with the NMI stack.
473 ++ */
474 ++ movq %rsp, %rdi
475 ++ movq $-1, %rsi
476 ++ call do_nmi
477 ++
478 ++ /*
479 ++ * Return back to user mode. We must *not* do the normal exit
480 ++ * work, because we don't want to enable interrupts. Fortunately,
481 ++ * do_nmi doesn't modify pt_regs.
482 ++ */
483 ++ SWAPGS
484 ++
485 ++ /*
486 ++ * Open-code the entire return process for compatibility with varying
487 ++ * register layouts across different kernel versions.
488 ++ */
489 ++ addq $6*8, %rsp /* skip bx, bp, and r12-r15 */
490 ++ popq %r11 /* pt_regs->r11 */
491 ++ popq %r10 /* pt_regs->r10 */
492 ++ popq %r9 /* pt_regs->r9 */
493 ++ popq %r8 /* pt_regs->r8 */
494 ++ popq %rax /* pt_regs->ax */
495 ++ popq %rcx /* pt_regs->cx */
496 ++ popq %rdx /* pt_regs->dx */
497 ++ popq %rsi /* pt_regs->si */
498 ++ popq %rdi /* pt_regs->di */
499 ++ addq $8, %rsp /* skip orig_ax */
500 ++ INTERRUPT_RETURN
501 ++
502 ++.Lnmi_from_kernel:
503 + /*
504 +- * If %cs was not the kernel segment, then the NMI triggered in user
505 +- * space, which means it is definitely not nested.
506 ++ * Here's what our stack frame will look like:
507 ++ * +---------------------------------------------------------+
508 ++ * | original SS |
509 ++ * | original Return RSP |
510 ++ * | original RFLAGS |
511 ++ * | original CS |
512 ++ * | original RIP |
513 ++ * +---------------------------------------------------------+
514 ++ * | temp storage for rdx |
515 ++ * +---------------------------------------------------------+
516 ++ * | "NMI executing" variable |
517 ++ * +---------------------------------------------------------+
518 ++ * | iret SS } Copied from "outermost" frame |
519 ++ * | iret Return RSP } on each loop iteration; overwritten |
520 ++ * | iret RFLAGS } by a nested NMI to force another |
521 ++ * | iret CS } iteration if needed. |
522 ++ * | iret RIP } |
523 ++ * +---------------------------------------------------------+
524 ++ * | outermost SS } initialized in first_nmi; |
525 ++ * | outermost Return RSP } will not be changed before |
526 ++ * | outermost RFLAGS } NMI processing is done. |
527 ++ * | outermost CS } Copied to "iret" frame on each |
528 ++ * | outermost RIP } iteration. |
529 ++ * +---------------------------------------------------------+
530 ++ * | pt_regs |
531 ++ * +---------------------------------------------------------+
532 ++ *
533 ++ * The "original" frame is used by hardware. Before re-enabling
534 ++ * NMIs, we need to be done with it, and we need to leave enough
535 ++ * space for the asm code here.
536 ++ *
537 ++ * We return by executing IRET while RSP points to the "iret" frame.
538 ++ * That will either return for real or it will loop back into NMI
539 ++ * processing.
540 ++ *
541 ++ * The "outermost" frame is copied to the "iret" frame on each
542 ++ * iteration of the loop, so each iteration starts with the "iret"
543 ++ * frame pointing to the final return target.
544 + */
545 +- cmpl $__KERNEL_CS, 16(%rsp)
546 +- jne first_nmi
547 +
548 + /*
549 +- * Check the special variable on the stack to see if NMIs are
550 +- * executing.
551 ++ * Determine whether we're a nested NMI.
552 ++ *
553 ++ * If we interrupted kernel code between repeat_nmi and
554 ++ * end_repeat_nmi, then we are a nested NMI. We must not
555 ++ * modify the "iret" frame because it's being written by
556 ++ * the outer NMI. That's okay; the outer NMI handler is
557 ++ * about to about to call do_nmi anyway, so we can just
558 ++ * resume the outer NMI.
559 ++ */
560 ++ movq $repeat_nmi, %rdx
561 ++ cmpq 8(%rsp), %rdx
562 ++ ja 1f
563 ++ movq $end_repeat_nmi, %rdx
564 ++ cmpq 8(%rsp), %rdx
565 ++ ja nested_nmi_out
566 ++1:
567 ++
568 ++ /*
569 ++ * Now check "NMI executing". If it's set, then we're nested.
570 ++ * This will not detect if we interrupted an outer NMI just
571 ++ * before IRET.
572 + */
573 + cmpl $1, -8(%rsp)
574 + je nested_nmi
575 +
576 + /*
577 +- * Now test if the previous stack was an NMI stack.
578 +- * We need the double check. We check the NMI stack to satisfy the
579 +- * race when the first NMI clears the variable before returning.
580 +- * We check the variable because the first NMI could be in a
581 +- * breakpoint routine using a breakpoint stack.
582 ++ * Now test if the previous stack was an NMI stack. This covers
583 ++ * the case where we interrupt an outer NMI after it clears
584 ++ * "NMI executing" but before IRET. We need to be careful, though:
585 ++ * there is one case in which RSP could point to the NMI stack
586 ++ * despite there being no NMI active: naughty userspace controls
587 ++ * RSP at the very beginning of the SYSCALL targets. We can
588 ++ * pull a fast one on naughty userspace, though: we program
589 ++ * SYSCALL to mask DF, so userspace cannot cause DF to be set
590 ++ * if it controls the kernel's RSP. We set DF before we clear
591 ++ * "NMI executing".
592 + */
593 + lea 6*8(%rsp), %rdx
594 + test_in_nmi rdx, 4*8(%rsp), nested_nmi, first_nmi
595 ++
596 ++ /* Ah, it is within the NMI stack. */
597 ++
598 ++ testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
599 ++ jz first_nmi /* RSP was user controlled. */
600 ++
601 ++ /* This is a nested NMI. */
602 ++
603 + CFI_REMEMBER_STATE
604 +
605 + nested_nmi:
606 + /*
607 +- * Do nothing if we interrupted the fixup in repeat_nmi.
608 +- * It's about to repeat the NMI handler, so we are fine
609 +- * with ignoring this one.
610 ++ * Modify the "iret" frame to point to repeat_nmi, forcing another
611 ++ * iteration of NMI handling.
612 + */
613 +- movq $repeat_nmi, %rdx
614 +- cmpq 8(%rsp), %rdx
615 +- ja 1f
616 +- movq $end_repeat_nmi, %rdx
617 +- cmpq 8(%rsp), %rdx
618 +- ja nested_nmi_out
619 +-
620 +-1:
621 +- /* Set up the interrupted NMIs stack to jump to repeat_nmi */
622 + leaq -1*8(%rsp), %rdx
623 + movq %rdx, %rsp
624 + CFI_ADJUST_CFA_OFFSET 1*8
625 +@@ -1779,60 +1912,23 @@ nested_nmi_out:
626 + popq_cfi %rdx
627 + CFI_RESTORE rdx
628 +
629 +- /* No need to check faults here */
630 ++ /* We are returning to kernel mode, so this cannot result in a fault. */
631 + INTERRUPT_RETURN
632 +
633 + CFI_RESTORE_STATE
634 + first_nmi:
635 +- /*
636 +- * Because nested NMIs will use the pushed location that we
637 +- * stored in rdx, we must keep that space available.
638 +- * Here's what our stack frame will look like:
639 +- * +-------------------------+
640 +- * | original SS |
641 +- * | original Return RSP |
642 +- * | original RFLAGS |
643 +- * | original CS |
644 +- * | original RIP |
645 +- * +-------------------------+
646 +- * | temp storage for rdx |
647 +- * +-------------------------+
648 +- * | NMI executing variable |
649 +- * +-------------------------+
650 +- * | copied SS |
651 +- * | copied Return RSP |
652 +- * | copied RFLAGS |
653 +- * | copied CS |
654 +- * | copied RIP |
655 +- * +-------------------------+
656 +- * | Saved SS |
657 +- * | Saved Return RSP |
658 +- * | Saved RFLAGS |
659 +- * | Saved CS |
660 +- * | Saved RIP |
661 +- * +-------------------------+
662 +- * | pt_regs |
663 +- * +-------------------------+
664 +- *
665 +- * The saved stack frame is used to fix up the copied stack frame
666 +- * that a nested NMI may change to make the interrupted NMI iret jump
667 +- * to the repeat_nmi. The original stack frame and the temp storage
668 +- * is also used by nested NMIs and can not be trusted on exit.
669 +- */
670 +- /* Do not pop rdx, nested NMIs will corrupt that part of the stack */
671 ++ /* Restore rdx. */
672 + movq (%rsp), %rdx
673 + CFI_RESTORE rdx
674 +
675 +- /* Set the NMI executing variable on the stack. */
676 ++ /* Set "NMI executing" on the stack. */
677 + pushq_cfi $1
678 +
679 +- /*
680 +- * Leave room for the "copied" frame
681 +- */
682 ++ /* Leave room for the "iret" frame */
683 + subq $(5*8), %rsp
684 + CFI_ADJUST_CFA_OFFSET 5*8
685 +
686 +- /* Copy the stack frame to the Saved frame */
687 ++ /* Copy the "original" frame to the "outermost" frame */
688 + .rept 5
689 + pushq_cfi 11*8(%rsp)
690 + .endr
691 +@@ -1840,6 +1936,7 @@ first_nmi:
692 +
693 + /* Everything up to here is safe from nested NMIs */
694 +
695 ++repeat_nmi:
696 + /*
697 + * If there was a nested NMI, the first NMI's iret will return
698 + * here. But NMIs are still enabled and we can take another
699 +@@ -1848,16 +1945,21 @@ first_nmi:
700 + * it will just return, as we are about to repeat an NMI anyway.
701 + * This makes it safe to copy to the stack frame that a nested
702 + * NMI will update.
703 +- */
704 +-repeat_nmi:
705 +- /*
706 +- * Update the stack variable to say we are still in NMI (the update
707 +- * is benign for the non-repeat case, where 1 was pushed just above
708 +- * to this very stack slot).
709 ++ *
710 ++ * RSP is pointing to "outermost RIP". gsbase is unknown, but, if
711 ++ * we're repeating an NMI, gsbase has the same value that it had on
712 ++ * the first iteration. paranoid_entry will load the kernel
713 ++ * gsbase if needed before we call do_nmi.
714 ++ *
715 ++ * Set "NMI executing" in case we came back here via IRET.
716 + */
717 + movq $1, 10*8(%rsp)
718 +
719 +- /* Make another copy, this one may be modified by nested NMIs */
720 ++ /*
721 ++ * Copy the "outermost" frame to the "iret" frame. NMIs that nest
722 ++ * here must not modify the "iret" frame while we're writing to
723 ++ * it or it will end up containing garbage.
724 ++ */
725 + addq $(10*8), %rsp
726 + CFI_ADJUST_CFA_OFFSET -10*8
727 + .rept 5
728 +@@ -1868,9 +1970,9 @@ repeat_nmi:
729 + end_repeat_nmi:
730 +
731 + /*
732 +- * Everything below this point can be preempted by a nested
733 +- * NMI if the first NMI took an exception and reset our iret stack
734 +- * so that we repeat another NMI.
735 ++ * Everything below this point can be preempted by a nested NMI.
736 ++ * If this happens, then the inner NMI will change the "iret"
737 ++ * frame to point back to repeat_nmi.
738 + */
739 + pushq_cfi $-1 /* ORIG_RAX: no syscall to restart */
740 + subq $ORIG_RAX-R15, %rsp
741 +@@ -1885,28 +1987,10 @@ end_repeat_nmi:
742 + call save_paranoid
743 + DEFAULT_FRAME 0
744 +
745 +- /*
746 +- * Save off the CR2 register. If we take a page fault in the NMI then
747 +- * it could corrupt the CR2 value. If the NMI preempts a page fault
748 +- * handler before it was able to read the CR2 register, and then the
749 +- * NMI itself takes a page fault, the page fault that was preempted
750 +- * will read the information from the NMI page fault and not the
751 +- * origin fault. Save it off and restore it if it changes.
752 +- * Use the r12 callee-saved register.
753 +- */
754 +- movq %cr2, %r12
755 +-
756 + /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
757 + movq %rsp,%rdi
758 + movq $-1,%rsi
759 + call do_nmi
760 +-
761 +- /* Did the NMI take a page fault? Restore cr2 if it did */
762 +- movq %cr2, %rcx
763 +- cmpq %rcx, %r12
764 +- je 1f
765 +- movq %r12, %cr2
766 +-1:
767 +
768 + testl %ebx,%ebx /* swapgs needed? */
769 + jnz nmi_restore
770 +@@ -1916,9 +2000,23 @@ nmi_restore:
771 + /* Pop the extra iret frame at once */
772 + RESTORE_ALL 6*8
773 +
774 +- /* Clear the NMI executing stack variable */
775 +- movq $0, 5*8(%rsp)
776 +- jmp irq_return
777 ++ /*
778 ++ * Clear "NMI executing". Set DF first so that we can easily
779 ++ * distinguish the remaining code between here and IRET from
780 ++ * the SYSCALL entry and exit paths. On a native kernel, we
781 ++ * could just inspect RIP, but, on paravirt kernels,
782 ++ * INTERRUPT_RETURN can translate into a jump into a
783 ++ * hypercall page.
784 ++ */
785 ++ std
786 ++ movq $0, 5*8(%rsp) /* clear "NMI executing" */
787 ++
788 ++ /*
789 ++ * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
790 ++ * stack in a single instruction. We are returning to kernel
791 ++ * mode, so this cannot result in a fault.
792 ++ */
793 ++ INTERRUPT_RETURN
794 + CFI_ENDPROC
795 + END(nmi)
796 +
797 +diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
798 +index 6fcb49ce50a1..8facfb318a97 100644
799 +--- a/arch/x86/kernel/nmi.c
800 ++++ b/arch/x86/kernel/nmi.c
801 +@@ -392,15 +392,15 @@ static __kprobes void default_do_nmi(struct pt_regs *regs)
802 + }
803 +
804 + /*
805 +- * NMIs can hit breakpoints which will cause it to lose its
806 +- * NMI context with the CPU when the breakpoint does an iret.
807 +- */
808 +-#ifdef CONFIG_X86_32
809 +-/*
810 +- * For i386, NMIs use the same stack as the kernel, and we can
811 +- * add a workaround to the iret problem in C (preventing nested
812 +- * NMIs if an NMI takes a trap). Simply have 3 states the NMI
813 +- * can be in:
814 ++ * NMIs can page fault or hit breakpoints which will cause it to lose
815 ++ * its NMI context with the CPU when the breakpoint or page fault does an IRET.
816 ++ *
817 ++ * As a result, NMIs can nest if NMIs get unmasked due an IRET during
818 ++ * NMI processing. On x86_64, the asm glue protects us from nested NMIs
819 ++ * if the outer NMI came from kernel mode, but we can still nest if the
820 ++ * outer NMI came from user mode.
821 ++ *
822 ++ * To handle these nested NMIs, we have three states:
823 + *
824 + * 1) not running
825 + * 2) executing
826 +@@ -414,15 +414,14 @@ static __kprobes void default_do_nmi(struct pt_regs *regs)
827 + * (Note, the latch is binary, thus multiple NMIs triggering,
828 + * when one is running, are ignored. Only one NMI is restarted.)
829 + *
830 +- * If an NMI hits a breakpoint that executes an iret, another
831 +- * NMI can preempt it. We do not want to allow this new NMI
832 +- * to run, but we want to execute it when the first one finishes.
833 +- * We set the state to "latched", and the exit of the first NMI will
834 +- * perform a dec_return, if the result is zero (NOT_RUNNING), then
835 +- * it will simply exit the NMI handler. If not, the dec_return
836 +- * would have set the state to NMI_EXECUTING (what we want it to
837 +- * be when we are running). In this case, we simply jump back
838 +- * to rerun the NMI handler again, and restart the 'latched' NMI.
839 ++ * If an NMI executes an iret, another NMI can preempt it. We do not
840 ++ * want to allow this new NMI to run, but we want to execute it when the
841 ++ * first one finishes. We set the state to "latched", and the exit of
842 ++ * the first NMI will perform a dec_return, if the result is zero
843 ++ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the
844 ++ * dec_return would have set the state to NMI_EXECUTING (what we want it
845 ++ * to be when we are running). In this case, we simply jump back to
846 ++ * rerun the NMI handler again, and restart the 'latched' NMI.
847 + *
848 + * No trap (breakpoint or page fault) should be hit before nmi_restart,
849 + * thus there is no race between the first check of state for NOT_RUNNING
850 +@@ -445,49 +444,36 @@ enum nmi_states {
851 + static DEFINE_PER_CPU(enum nmi_states, nmi_state);
852 + static DEFINE_PER_CPU(unsigned long, nmi_cr2);
853 +
854 +-#define nmi_nesting_preprocess(regs) \
855 +- do { \
856 +- if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) { \
857 +- this_cpu_write(nmi_state, NMI_LATCHED); \
858 +- return; \
859 +- } \
860 +- this_cpu_write(nmi_state, NMI_EXECUTING); \
861 +- this_cpu_write(nmi_cr2, read_cr2()); \
862 +- } while (0); \
863 +- nmi_restart:
864 +-
865 +-#define nmi_nesting_postprocess() \
866 +- do { \
867 +- if (unlikely(this_cpu_read(nmi_cr2) != read_cr2())) \
868 +- write_cr2(this_cpu_read(nmi_cr2)); \
869 +- if (this_cpu_dec_return(nmi_state)) \
870 +- goto nmi_restart; \
871 +- } while (0)
872 +-#else /* x86_64 */
873 ++#ifdef CONFIG_X86_64
874 + /*
875 +- * In x86_64 things are a bit more difficult. This has the same problem
876 +- * where an NMI hitting a breakpoint that calls iret will remove the
877 +- * NMI context, allowing a nested NMI to enter. What makes this more
878 +- * difficult is that both NMIs and breakpoints have their own stack.
879 +- * When a new NMI or breakpoint is executed, the stack is set to a fixed
880 +- * point. If an NMI is nested, it will have its stack set at that same
881 +- * fixed address that the first NMI had, and will start corrupting the
882 +- * stack. This is handled in entry_64.S, but the same problem exists with
883 +- * the breakpoint stack.
884 ++ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint. Without
885 ++ * some care, the inner breakpoint will clobber the outer breakpoint's
886 ++ * stack.
887 + *
888 +- * If a breakpoint is being processed, and the debug stack is being used,
889 +- * if an NMI comes in and also hits a breakpoint, the stack pointer
890 +- * will be set to the same fixed address as the breakpoint that was
891 +- * interrupted, causing that stack to be corrupted. To handle this case,
892 +- * check if the stack that was interrupted is the debug stack, and if
893 +- * so, change the IDT so that new breakpoints will use the current stack
894 +- * and not switch to the fixed address. On return of the NMI, switch back
895 +- * to the original IDT.
896 ++ * If a breakpoint is being processed, and the debug stack is being
897 ++ * used, if an NMI comes in and also hits a breakpoint, the stack
898 ++ * pointer will be set to the same fixed address as the breakpoint that
899 ++ * was interrupted, causing that stack to be corrupted. To handle this
900 ++ * case, check if the stack that was interrupted is the debug stack, and
901 ++ * if so, change the IDT so that new breakpoints will use the current
902 ++ * stack and not switch to the fixed address. On return of the NMI,
903 ++ * switch back to the original IDT.
904 + */
905 + static DEFINE_PER_CPU(int, update_debug_stack);
906 ++#endif
907 +
908 +-static inline void nmi_nesting_preprocess(struct pt_regs *regs)
909 ++dotraplinkage notrace void
910 ++do_nmi(struct pt_regs *regs, long error_code)
911 + {
912 ++ if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
913 ++ this_cpu_write(nmi_state, NMI_LATCHED);
914 ++ return;
915 ++ }
916 ++ this_cpu_write(nmi_state, NMI_EXECUTING);
917 ++ this_cpu_write(nmi_cr2, read_cr2());
918 ++nmi_restart:
919 ++
920 ++#ifdef CONFIG_X86_64
921 + /*
922 + * If we interrupted a breakpoint, it is possible that
923 + * the nmi handler will have breakpoints too. We need to
924 +@@ -498,22 +484,8 @@ static inline void nmi_nesting_preprocess(struct pt_regs *regs)
925 + debug_stack_set_zero();
926 + this_cpu_write(update_debug_stack, 1);
927 + }
928 +-}
929 +-
930 +-static inline void nmi_nesting_postprocess(void)
931 +-{
932 +- if (unlikely(this_cpu_read(update_debug_stack))) {
933 +- debug_stack_reset();
934 +- this_cpu_write(update_debug_stack, 0);
935 +- }
936 +-}
937 + #endif
938 +
939 +-dotraplinkage notrace __kprobes void
940 +-do_nmi(struct pt_regs *regs, long error_code)
941 +-{
942 +- nmi_nesting_preprocess(regs);
943 +-
944 + nmi_enter();
945 +
946 + inc_irq_stat(__nmi_count);
947 +@@ -523,8 +495,17 @@ do_nmi(struct pt_regs *regs, long error_code)
948 +
949 + nmi_exit();
950 +
951 +- /* On i386, may loop back to preprocess */
952 +- nmi_nesting_postprocess();
953 ++#ifdef CONFIG_X86_64
954 ++ if (unlikely(this_cpu_read(update_debug_stack))) {
955 ++ debug_stack_reset();
956 ++ this_cpu_write(update_debug_stack, 0);
957 ++ }
958 ++#endif
959 ++
960 ++ if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
961 ++ write_cr2(this_cpu_read(nmi_cr2));
962 ++ if (this_cpu_dec_return(nmi_state))
963 ++ goto nmi_restart;
964 + }
965 +
966 + void stop_nmi(void)
967 +diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
968 +index e39504878aec..a7b5b3071072 100644
969 +--- a/arch/x86/mm/init_32.c
970 ++++ b/arch/x86/mm/init_32.c
971 +@@ -137,6 +137,7 @@ page_table_range_init_count(unsigned long start, unsigned long end)
972 +
973 + vaddr = start;
974 + pgd_idx = pgd_index(vaddr);
975 ++ pmd_idx = pmd_index(vaddr);
976 +
977 + for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd_idx++) {
978 + for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
979 +diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c
980 +index b91ce75bd35d..d2102c4eefbf 100644
981 +--- a/block/blk-mq-sysfs.c
982 ++++ b/block/blk-mq-sysfs.c
983 +@@ -141,15 +141,26 @@ static ssize_t blk_mq_sysfs_completed_show(struct blk_mq_ctx *ctx, char *page)
984 +
985 + static ssize_t sysfs_list_show(char *page, struct list_head *list, char *msg)
986 + {
987 +- char *start_page = page;
988 + struct request *rq;
989 ++ int len = snprintf(page, PAGE_SIZE - 1, "%s:\n", msg);
990 ++
991 ++ list_for_each_entry(rq, list, queuelist) {
992 ++ const int rq_len = 2 * sizeof(rq) + 2;
993 ++
994 ++ /* if the output will be truncated */
995 ++ if (PAGE_SIZE - 1 < len + rq_len) {
996 ++ /* backspacing if it can't hold '\t...\n' */
997 ++ if (PAGE_SIZE - 1 < len + 5)
998 ++ len -= rq_len;
999 ++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
1000 ++ "\t...\n");
1001 ++ break;
1002 ++ }
1003 ++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
1004 ++ "\t%p\n", rq);
1005 ++ }
1006 +
1007 +- page += sprintf(page, "%s:\n", msg);
1008 +-
1009 +- list_for_each_entry(rq, list, queuelist)
1010 +- page += sprintf(page, "\t%p\n", rq);
1011 +-
1012 +- return page - start_page;
1013 ++ return len;
1014 + }
1015 +
1016 + static ssize_t blk_mq_sysfs_rq_list_show(struct blk_mq_ctx *ctx, char *page)
1017 +diff --git a/drivers/base/node.c b/drivers/base/node.c
1018 +index bc9f43bf7e29..5f5160c9455f 100644
1019 +--- a/drivers/base/node.c
1020 ++++ b/drivers/base/node.c
1021 +@@ -399,6 +399,16 @@ int register_mem_sect_under_node(struct memory_block *mem_blk, int nid)
1022 + for (pfn = sect_start_pfn; pfn <= sect_end_pfn; pfn++) {
1023 + int page_nid;
1024 +
1025 ++ /*
1026 ++ * memory block could have several absent sections from start.
1027 ++ * skip pfn range from absent section
1028 ++ */
1029 ++ if (!pfn_present(pfn)) {
1030 ++ pfn = round_down(pfn + PAGES_PER_SECTION,
1031 ++ PAGES_PER_SECTION) - 1;
1032 ++ continue;
1033 ++ }
1034 ++
1035 + page_nid = get_nid_for_pfn(pfn);
1036 + if (page_nid < 0)
1037 + continue;
1038 +diff --git a/drivers/block/nvme-core.c b/drivers/block/nvme-core.c
1039 +index 51824d1f23ea..2d3385d3c6a9 100644
1040 +--- a/drivers/block/nvme-core.c
1041 ++++ b/drivers/block/nvme-core.c
1042 +@@ -2464,6 +2464,7 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id)
1043 + if (result)
1044 + goto release;
1045 +
1046 ++ kref_init(&dev->kref);
1047 + result = nvme_dev_start(dev);
1048 + if (result) {
1049 + if (result == -EBUSY)
1050 +@@ -2471,7 +2472,6 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id)
1051 + goto release_pools;
1052 + }
1053 +
1054 +- kref_init(&dev->kref);
1055 + result = nvme_dev_add(dev);
1056 + if (result)
1057 + goto shutdown;
1058 +diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c
1059 +index 79a266934327..fd2820ff9e5b 100644
1060 +--- a/drivers/gpu/drm/radeon/radeon_combios.c
1061 ++++ b/drivers/gpu/drm/radeon/radeon_combios.c
1062 +@@ -3387,6 +3387,14 @@ void radeon_combios_asic_init(struct drm_device *dev)
1063 + rdev->pdev->subsystem_device == 0x30ae)
1064 + return;
1065 +
1066 ++ /* quirk for rs4xx HP Compaq dc5750 Small Form Factor to make it resume
1067 ++ * - it hangs on resume inside the dynclk 1 table.
1068 ++ */
1069 ++ if (rdev->family == CHIP_RS480 &&
1070 ++ rdev->pdev->subsystem_vendor == 0x103c &&
1071 ++ rdev->pdev->subsystem_device == 0x280a)
1072 ++ return;
1073 ++
1074 + /* DYN CLK 1 */
1075 + table = combios_get_table_offset(dev, COMBIOS_DYN_CLK_1_TABLE);
1076 + if (table)
1077 +diff --git a/drivers/iio/gyro/Kconfig b/drivers/iio/gyro/Kconfig
1078 +index 6f64c5cc5387..ac2d69e34c8c 100644
1079 +--- a/drivers/iio/gyro/Kconfig
1080 ++++ b/drivers/iio/gyro/Kconfig
1081 +@@ -93,8 +93,7 @@ config IIO_ST_GYRO_SPI_3AXIS
1082 + config ITG3200
1083 + tristate "InvenSense ITG3200 Digital 3-Axis Gyroscope I2C driver"
1084 + depends on I2C
1085 +- select IIO_BUFFER
1086 +- select IIO_TRIGGERED_BUFFER
1087 ++ select IIO_TRIGGERED_BUFFER if IIO_BUFFER
1088 + help
1089 + Say yes here to add support for the InvenSense ITG3200 digital
1090 + 3-axis gyroscope sensor.
1091 +diff --git a/drivers/infiniband/core/uverbs.h b/drivers/infiniband/core/uverbs.h
1092 +index a283274a5a09..639557bdc0cd 100644
1093 +--- a/drivers/infiniband/core/uverbs.h
1094 ++++ b/drivers/infiniband/core/uverbs.h
1095 +@@ -85,7 +85,7 @@
1096 + */
1097 +
1098 + struct ib_uverbs_device {
1099 +- struct kref ref;
1100 ++ atomic_t refcount;
1101 + int num_comp_vectors;
1102 + struct completion comp;
1103 + struct device *dev;
1104 +@@ -94,6 +94,7 @@ struct ib_uverbs_device {
1105 + struct cdev cdev;
1106 + struct rb_root xrcd_tree;
1107 + struct mutex xrcd_tree_mutex;
1108 ++ struct kobject kobj;
1109 + };
1110 +
1111 + struct ib_uverbs_event_file {
1112 +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
1113 +index 2adc14372b94..5e66eab292d8 100644
1114 +--- a/drivers/infiniband/core/uverbs_cmd.c
1115 ++++ b/drivers/infiniband/core/uverbs_cmd.c
1116 +@@ -2111,6 +2111,12 @@ ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
1117 + next->send_flags = user_wr->send_flags;
1118 +
1119 + if (is_ud) {
1120 ++ if (next->opcode != IB_WR_SEND &&
1121 ++ next->opcode != IB_WR_SEND_WITH_IMM) {
1122 ++ ret = -EINVAL;
1123 ++ goto out_put;
1124 ++ }
1125 ++
1126 + next->wr.ud.ah = idr_read_ah(user_wr->wr.ud.ah,
1127 + file->ucontext);
1128 + if (!next->wr.ud.ah) {
1129 +@@ -2150,9 +2156,11 @@ ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
1130 + user_wr->wr.atomic.compare_add;
1131 + next->wr.atomic.swap = user_wr->wr.atomic.swap;
1132 + next->wr.atomic.rkey = user_wr->wr.atomic.rkey;
1133 ++ case IB_WR_SEND:
1134 + break;
1135 + default:
1136 +- break;
1137 ++ ret = -EINVAL;
1138 ++ goto out_put;
1139 + }
1140 + }
1141 +
1142 +diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
1143 +index 7a515c867674..8802d5ccd93d 100644
1144 +--- a/drivers/infiniband/core/uverbs_main.c
1145 ++++ b/drivers/infiniband/core/uverbs_main.c
1146 +@@ -127,14 +127,18 @@ static int (*uverbs_ex_cmd_table[])(struct ib_uverbs_file *file,
1147 + static void ib_uverbs_add_one(struct ib_device *device);
1148 + static void ib_uverbs_remove_one(struct ib_device *device);
1149 +
1150 +-static void ib_uverbs_release_dev(struct kref *ref)
1151 ++static void ib_uverbs_release_dev(struct kobject *kobj)
1152 + {
1153 + struct ib_uverbs_device *dev =
1154 +- container_of(ref, struct ib_uverbs_device, ref);
1155 ++ container_of(kobj, struct ib_uverbs_device, kobj);
1156 +
1157 +- complete(&dev->comp);
1158 ++ kfree(dev);
1159 + }
1160 +
1161 ++static struct kobj_type ib_uverbs_dev_ktype = {
1162 ++ .release = ib_uverbs_release_dev,
1163 ++};
1164 ++
1165 + static void ib_uverbs_release_event_file(struct kref *ref)
1166 + {
1167 + struct ib_uverbs_event_file *file =
1168 +@@ -298,13 +302,19 @@ static int ib_uverbs_cleanup_ucontext(struct ib_uverbs_file *file,
1169 + return context->device->dealloc_ucontext(context);
1170 + }
1171 +
1172 ++static void ib_uverbs_comp_dev(struct ib_uverbs_device *dev)
1173 ++{
1174 ++ complete(&dev->comp);
1175 ++}
1176 ++
1177 + static void ib_uverbs_release_file(struct kref *ref)
1178 + {
1179 + struct ib_uverbs_file *file =
1180 + container_of(ref, struct ib_uverbs_file, ref);
1181 +
1182 + module_put(file->device->ib_dev->owner);
1183 +- kref_put(&file->device->ref, ib_uverbs_release_dev);
1184 ++ if (atomic_dec_and_test(&file->device->refcount))
1185 ++ ib_uverbs_comp_dev(file->device);
1186 +
1187 + kfree(file);
1188 + }
1189 +@@ -734,9 +744,7 @@ static int ib_uverbs_open(struct inode *inode, struct file *filp)
1190 + int ret;
1191 +
1192 + dev = container_of(inode->i_cdev, struct ib_uverbs_device, cdev);
1193 +- if (dev)
1194 +- kref_get(&dev->ref);
1195 +- else
1196 ++ if (!atomic_inc_not_zero(&dev->refcount))
1197 + return -ENXIO;
1198 +
1199 + if (!try_module_get(dev->ib_dev->owner)) {
1200 +@@ -757,6 +765,7 @@ static int ib_uverbs_open(struct inode *inode, struct file *filp)
1201 + mutex_init(&file->mutex);
1202 +
1203 + filp->private_data = file;
1204 ++ kobject_get(&dev->kobj);
1205 +
1206 + return nonseekable_open(inode, filp);
1207 +
1208 +@@ -764,13 +773,16 @@ err_module:
1209 + module_put(dev->ib_dev->owner);
1210 +
1211 + err:
1212 +- kref_put(&dev->ref, ib_uverbs_release_dev);
1213 ++ if (atomic_dec_and_test(&dev->refcount))
1214 ++ ib_uverbs_comp_dev(dev);
1215 ++
1216 + return ret;
1217 + }
1218 +
1219 + static int ib_uverbs_close(struct inode *inode, struct file *filp)
1220 + {
1221 + struct ib_uverbs_file *file = filp->private_data;
1222 ++ struct ib_uverbs_device *dev = file->device;
1223 +
1224 + ib_uverbs_cleanup_ucontext(file, file->ucontext);
1225 +
1226 +@@ -778,6 +790,7 @@ static int ib_uverbs_close(struct inode *inode, struct file *filp)
1227 + kref_put(&file->async_file->ref, ib_uverbs_release_event_file);
1228 +
1229 + kref_put(&file->ref, ib_uverbs_release_file);
1230 ++ kobject_put(&dev->kobj);
1231 +
1232 + return 0;
1233 + }
1234 +@@ -873,10 +886,11 @@ static void ib_uverbs_add_one(struct ib_device *device)
1235 + if (!uverbs_dev)
1236 + return;
1237 +
1238 +- kref_init(&uverbs_dev->ref);
1239 ++ atomic_set(&uverbs_dev->refcount, 1);
1240 + init_completion(&uverbs_dev->comp);
1241 + uverbs_dev->xrcd_tree = RB_ROOT;
1242 + mutex_init(&uverbs_dev->xrcd_tree_mutex);
1243 ++ kobject_init(&uverbs_dev->kobj, &ib_uverbs_dev_ktype);
1244 +
1245 + spin_lock(&map_lock);
1246 + devnum = find_first_zero_bit(dev_map, IB_UVERBS_MAX_DEVICES);
1247 +@@ -903,6 +917,7 @@ static void ib_uverbs_add_one(struct ib_device *device)
1248 + cdev_init(&uverbs_dev->cdev, NULL);
1249 + uverbs_dev->cdev.owner = THIS_MODULE;
1250 + uverbs_dev->cdev.ops = device->mmap ? &uverbs_mmap_fops : &uverbs_fops;
1251 ++ uverbs_dev->cdev.kobj.parent = &uverbs_dev->kobj;
1252 + kobject_set_name(&uverbs_dev->cdev.kobj, "uverbs%d", uverbs_dev->devnum);
1253 + if (cdev_add(&uverbs_dev->cdev, base, 1))
1254 + goto err_cdev;
1255 +@@ -933,9 +948,10 @@ err_cdev:
1256 + clear_bit(devnum, overflow_map);
1257 +
1258 + err:
1259 +- kref_put(&uverbs_dev->ref, ib_uverbs_release_dev);
1260 ++ if (atomic_dec_and_test(&uverbs_dev->refcount))
1261 ++ ib_uverbs_comp_dev(uverbs_dev);
1262 + wait_for_completion(&uverbs_dev->comp);
1263 +- kfree(uverbs_dev);
1264 ++ kobject_put(&uverbs_dev->kobj);
1265 + return;
1266 + }
1267 +
1268 +@@ -955,9 +971,10 @@ static void ib_uverbs_remove_one(struct ib_device *device)
1269 + else
1270 + clear_bit(uverbs_dev->devnum - IB_UVERBS_MAX_DEVICES, overflow_map);
1271 +
1272 +- kref_put(&uverbs_dev->ref, ib_uverbs_release_dev);
1273 ++ if (atomic_dec_and_test(&uverbs_dev->refcount))
1274 ++ ib_uverbs_comp_dev(uverbs_dev);
1275 + wait_for_completion(&uverbs_dev->comp);
1276 +- kfree(uverbs_dev);
1277 ++ kobject_put(&uverbs_dev->kobj);
1278 + }
1279 +
1280 + static char *uverbs_devnode(struct device *dev, umode_t *mode)
1281 +diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c
1282 +index 170dca608042..1ddcebd84622 100644
1283 +--- a/drivers/infiniband/hw/mlx4/ah.c
1284 ++++ b/drivers/infiniband/hw/mlx4/ah.c
1285 +@@ -147,9 +147,13 @@ int mlx4_ib_query_ah(struct ib_ah *ibah, struct ib_ah_attr *ah_attr)
1286 + enum rdma_link_layer ll;
1287 +
1288 + memset(ah_attr, 0, sizeof *ah_attr);
1289 +- ah_attr->sl = be32_to_cpu(ah->av.ib.sl_tclass_flowlabel) >> 28;
1290 + ah_attr->port_num = be32_to_cpu(ah->av.ib.port_pd) >> 24;
1291 + ll = rdma_port_get_link_layer(ibah->device, ah_attr->port_num);
1292 ++ if (ll == IB_LINK_LAYER_ETHERNET)
1293 ++ ah_attr->sl = be32_to_cpu(ah->av.eth.sl_tclass_flowlabel) >> 29;
1294 ++ else
1295 ++ ah_attr->sl = be32_to_cpu(ah->av.ib.sl_tclass_flowlabel) >> 28;
1296 ++
1297 + ah_attr->dlid = ll == IB_LINK_LAYER_INFINIBAND ? be16_to_cpu(ah->av.ib.dlid) : 0;
1298 + if (ah->av.ib.stat_rate)
1299 + ah_attr->static_rate = ah->av.ib.stat_rate - MLX4_STAT_RATE_OFFSET;
1300 +diff --git a/drivers/infiniband/hw/mlx4/sysfs.c b/drivers/infiniband/hw/mlx4/sysfs.c
1301 +index db2ea31df832..b5e50c605933 100644
1302 +--- a/drivers/infiniband/hw/mlx4/sysfs.c
1303 ++++ b/drivers/infiniband/hw/mlx4/sysfs.c
1304 +@@ -563,6 +563,8 @@ static int add_port(struct mlx4_ib_dev *dev, int port_num, int slave)
1305 + struct mlx4_port *p;
1306 + int i;
1307 + int ret;
1308 ++ int is_eth = rdma_port_get_link_layer(&dev->ib_dev, port_num) ==
1309 ++ IB_LINK_LAYER_ETHERNET;
1310 +
1311 + p = kzalloc(sizeof *p, GFP_KERNEL);
1312 + if (!p)
1313 +@@ -580,7 +582,8 @@ static int add_port(struct mlx4_ib_dev *dev, int port_num, int slave)
1314 +
1315 + p->pkey_group.name = "pkey_idx";
1316 + p->pkey_group.attrs =
1317 +- alloc_group_attrs(show_port_pkey, store_port_pkey,
1318 ++ alloc_group_attrs(show_port_pkey,
1319 ++ is_eth ? NULL : store_port_pkey,
1320 + dev->dev->caps.pkey_table_len[port_num]);
1321 + if (!p->pkey_group.attrs) {
1322 + ret = -ENOMEM;
1323 +diff --git a/drivers/infiniband/hw/qib/qib_keys.c b/drivers/infiniband/hw/qib/qib_keys.c
1324 +index 3b9afccaaade..eabe54738be6 100644
1325 +--- a/drivers/infiniband/hw/qib/qib_keys.c
1326 ++++ b/drivers/infiniband/hw/qib/qib_keys.c
1327 +@@ -86,6 +86,10 @@ int qib_alloc_lkey(struct qib_mregion *mr, int dma_region)
1328 + * unrestricted LKEY.
1329 + */
1330 + rkt->gen++;
1331 ++ /*
1332 ++ * bits are capped in qib_verbs.c to insure enough bits
1333 ++ * for generation number
1334 ++ */
1335 + mr->lkey = (r << (32 - ib_qib_lkey_table_size)) |
1336 + ((((1 << (24 - ib_qib_lkey_table_size)) - 1) & rkt->gen)
1337 + << 8);
1338 +diff --git a/drivers/infiniband/hw/qib/qib_verbs.c b/drivers/infiniband/hw/qib/qib_verbs.c
1339 +index 092b0bb1bb78..c141b9b2493d 100644
1340 +--- a/drivers/infiniband/hw/qib/qib_verbs.c
1341 ++++ b/drivers/infiniband/hw/qib/qib_verbs.c
1342 +@@ -40,6 +40,7 @@
1343 + #include <linux/rculist.h>
1344 + #include <linux/mm.h>
1345 + #include <linux/random.h>
1346 ++#include <linux/vmalloc.h>
1347 +
1348 + #include "qib.h"
1349 + #include "qib_common.h"
1350 +@@ -2086,10 +2087,16 @@ int qib_register_ib_device(struct qib_devdata *dd)
1351 + * the LKEY). The remaining bits act as a generation number or tag.
1352 + */
1353 + spin_lock_init(&dev->lk_table.lock);
1354 ++ /* insure generation is at least 4 bits see keys.c */
1355 ++ if (ib_qib_lkey_table_size > MAX_LKEY_TABLE_BITS) {
1356 ++ qib_dev_warn(dd, "lkey bits %u too large, reduced to %u\n",
1357 ++ ib_qib_lkey_table_size, MAX_LKEY_TABLE_BITS);
1358 ++ ib_qib_lkey_table_size = MAX_LKEY_TABLE_BITS;
1359 ++ }
1360 + dev->lk_table.max = 1 << ib_qib_lkey_table_size;
1361 + lk_tab_size = dev->lk_table.max * sizeof(*dev->lk_table.table);
1362 + dev->lk_table.table = (struct qib_mregion __rcu **)
1363 +- __get_free_pages(GFP_KERNEL, get_order(lk_tab_size));
1364 ++ vmalloc(lk_tab_size);
1365 + if (dev->lk_table.table == NULL) {
1366 + ret = -ENOMEM;
1367 + goto err_lk;
1368 +@@ -2262,7 +2269,7 @@ err_tx:
1369 + sizeof(struct qib_pio_header),
1370 + dev->pio_hdrs, dev->pio_hdrs_phys);
1371 + err_hdrs:
1372 +- free_pages((unsigned long) dev->lk_table.table, get_order(lk_tab_size));
1373 ++ vfree(dev->lk_table.table);
1374 + err_lk:
1375 + kfree(dev->qp_table);
1376 + err_qpt:
1377 +@@ -2316,8 +2323,7 @@ void qib_unregister_ib_device(struct qib_devdata *dd)
1378 + sizeof(struct qib_pio_header),
1379 + dev->pio_hdrs, dev->pio_hdrs_phys);
1380 + lk_tab_size = dev->lk_table.max * sizeof(*dev->lk_table.table);
1381 +- free_pages((unsigned long) dev->lk_table.table,
1382 +- get_order(lk_tab_size));
1383 ++ vfree(dev->lk_table.table);
1384 + kfree(dev->qp_table);
1385 + }
1386 +
1387 +diff --git a/drivers/infiniband/hw/qib/qib_verbs.h b/drivers/infiniband/hw/qib/qib_verbs.h
1388 +index a01c7d2cf541..d34bc69f1f17 100644
1389 +--- a/drivers/infiniband/hw/qib/qib_verbs.h
1390 ++++ b/drivers/infiniband/hw/qib/qib_verbs.h
1391 +@@ -647,6 +647,8 @@ struct qib_qpn_table {
1392 + struct qpn_map map[QPNMAP_ENTRIES];
1393 + };
1394 +
1395 ++#define MAX_LKEY_TABLE_BITS 23
1396 ++
1397 + struct qib_lkey_table {
1398 + spinlock_t lock; /* protect changes in this struct */
1399 + u32 next; /* next unused index (speeds search) */
1400 +diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
1401 +index fb787c3e88d9..bb9f073a4e13 100644
1402 +--- a/drivers/input/evdev.c
1403 ++++ b/drivers/input/evdev.c
1404 +@@ -240,19 +240,14 @@ static int evdev_flush(struct file *file, fl_owner_t id)
1405 + {
1406 + struct evdev_client *client = file->private_data;
1407 + struct evdev *evdev = client->evdev;
1408 +- int retval;
1409 +
1410 +- retval = mutex_lock_interruptible(&evdev->mutex);
1411 +- if (retval)
1412 +- return retval;
1413 ++ mutex_lock(&evdev->mutex);
1414 +
1415 +- if (!evdev->exist || client->revoked)
1416 +- retval = -ENODEV;
1417 +- else
1418 +- retval = input_flush_device(&evdev->handle, file);
1419 ++ if (evdev->exist && !client->revoked)
1420 ++ input_flush_device(&evdev->handle, file);
1421 +
1422 + mutex_unlock(&evdev->mutex);
1423 +- return retval;
1424 ++ return 0;
1425 + }
1426 +
1427 + static void evdev_free(struct device *dev)
1428 +diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c
1429 +index 8c91fd5eb6fd..3ac9c4194814 100644
1430 +--- a/drivers/isdn/gigaset/ser-gigaset.c
1431 ++++ b/drivers/isdn/gigaset/ser-gigaset.c
1432 +@@ -524,9 +524,18 @@ gigaset_tty_open(struct tty_struct *tty)
1433 + cs->hw.ser->tty = tty;
1434 + atomic_set(&cs->hw.ser->refcnt, 1);
1435 + init_completion(&cs->hw.ser->dead_cmp);
1436 +-
1437 + tty->disc_data = cs;
1438 +
1439 ++ /* Set the amount of data we're willing to receive per call
1440 ++ * from the hardware driver to half of the input buffer size
1441 ++ * to leave some reserve.
1442 ++ * Note: We don't do flow control towards the hardware driver.
1443 ++ * If more data is received than will fit into the input buffer,
1444 ++ * it will be dropped and an error will be logged. This should
1445 ++ * never happen as the device is slow and the buffer size ample.
1446 ++ */
1447 ++ tty->receive_room = RBUFSIZE/2;
1448 ++
1449 + /* OK.. Initialization of the datastructures and the HW is done.. Now
1450 + * startup system and notify the LL that we are ready to run
1451 + */
1452 +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
1453 +index a46124ecafc7..73c9f579b042 100644
1454 +--- a/drivers/md/raid10.c
1455 ++++ b/drivers/md/raid10.c
1456 +@@ -3585,6 +3585,7 @@ static struct r10conf *setup_conf(struct mddev *mddev)
1457 + /* far_copies must be 1 */
1458 + conf->prev.stride = conf->dev_sectors;
1459 + }
1460 ++ conf->reshape_safe = conf->reshape_progress;
1461 + spin_lock_init(&conf->device_lock);
1462 + INIT_LIST_HEAD(&conf->retry_list);
1463 +
1464 +@@ -3793,7 +3794,6 @@ static int run(struct mddev *mddev)
1465 + }
1466 + conf->offset_diff = min_offset_diff;
1467 +
1468 +- conf->reshape_safe = conf->reshape_progress;
1469 + clear_bit(MD_RECOVERY_SYNC, &mddev->recovery);
1470 + clear_bit(MD_RECOVERY_CHECK, &mddev->recovery);
1471 + set_bit(MD_RECOVERY_RESHAPE, &mddev->recovery);
1472 +@@ -4138,6 +4138,7 @@ static int raid10_start_reshape(struct mddev *mddev)
1473 + conf->reshape_progress = size;
1474 + } else
1475 + conf->reshape_progress = 0;
1476 ++ conf->reshape_safe = conf->reshape_progress;
1477 + spin_unlock_irq(&conf->device_lock);
1478 +
1479 + if (mddev->delta_disks && mddev->bitmap) {
1480 +@@ -4204,6 +4205,7 @@ abort:
1481 + rdev->new_data_offset = rdev->data_offset;
1482 + smp_wmb();
1483 + conf->reshape_progress = MaxSector;
1484 ++ conf->reshape_safe = MaxSector;
1485 + mddev->reshape_position = MaxSector;
1486 + spin_unlock_irq(&conf->device_lock);
1487 + return ret;
1488 +@@ -4556,6 +4558,7 @@ static void end_reshape(struct r10conf *conf)
1489 + md_finish_reshape(conf->mddev);
1490 + smp_wmb();
1491 + conf->reshape_progress = MaxSector;
1492 ++ conf->reshape_safe = MaxSector;
1493 + spin_unlock_irq(&conf->device_lock);
1494 +
1495 + /* read-ahead size must cover two whole stripes, which is
1496 +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
1497 +index 5807185262fe..ee0015be1421 100644
1498 +--- a/drivers/media/platform/omap3isp/isp.c
1499 ++++ b/drivers/media/platform/omap3isp/isp.c
1500 +@@ -824,14 +824,14 @@ static int isp_pipeline_link_notify(struct media_link *link, u32 flags,
1501 + int ret;
1502 +
1503 + if (notification == MEDIA_DEV_NOTIFY_POST_LINK_CH &&
1504 +- !(link->flags & MEDIA_LNK_FL_ENABLED)) {
1505 ++ !(flags & MEDIA_LNK_FL_ENABLED)) {
1506 + /* Powering off entities is assumed to never fail. */
1507 + isp_pipeline_pm_power(source, -sink_use);
1508 + isp_pipeline_pm_power(sink, -source_use);
1509 + return 0;
1510 + }
1511 +
1512 +- if (notification == MEDIA_DEV_NOTIFY_POST_LINK_CH &&
1513 ++ if (notification == MEDIA_DEV_NOTIFY_PRE_LINK_CH &&
1514 + (flags & MEDIA_LNK_FL_ENABLED)) {
1515 +
1516 + ret = isp_pipeline_pm_power(source, sink_use);
1517 +diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
1518 +index 02e2f38c9c85..bdd3609c7641 100644
1519 +--- a/drivers/media/rc/rc-main.c
1520 ++++ b/drivers/media/rc/rc-main.c
1521 +@@ -982,9 +982,6 @@ static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env)
1522 + {
1523 + struct rc_dev *dev = to_rc_dev(device);
1524 +
1525 +- if (!dev || !dev->input_dev)
1526 +- return -ENODEV;
1527 +-
1528 + if (dev->rc_map.name)
1529 + ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name);
1530 + if (dev->driver_name)
1531 +diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c
1532 +index 6a881ebe5b02..4a50b5049c51 100644
1533 +--- a/drivers/mmc/core/core.c
1534 ++++ b/drivers/mmc/core/core.c
1535 +@@ -329,8 +329,10 @@ EXPORT_SYMBOL(mmc_start_bkops);
1536 + */
1537 + static void mmc_wait_data_done(struct mmc_request *mrq)
1538 + {
1539 +- mrq->host->context_info.is_done_rcv = true;
1540 +- wake_up_interruptible(&mrq->host->context_info.wait);
1541 ++ struct mmc_context_info *context_info = &mrq->host->context_info;
1542 ++
1543 ++ context_info->is_done_rcv = true;
1544 ++ wake_up_interruptible(&context_info->wait);
1545 + }
1546 +
1547 + static void mmc_wait_done(struct mmc_request *mrq)
1548 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
1549 +index 32b0e7055b1e..0697d8f5f3cf 100644
1550 +--- a/drivers/net/bonding/bond_main.c
1551 ++++ b/drivers/net/bonding/bond_main.c
1552 +@@ -636,6 +636,23 @@ static void bond_set_dev_addr(struct net_device *bond_dev,
1553 + call_netdevice_notifiers(NETDEV_CHANGEADDR, bond_dev);
1554 + }
1555 +
1556 ++static struct slave *bond_get_old_active(struct bonding *bond,
1557 ++ struct slave *new_active)
1558 ++{
1559 ++ struct slave *slave;
1560 ++ struct list_head *iter;
1561 ++
1562 ++ bond_for_each_slave(bond, slave, iter) {
1563 ++ if (slave == new_active)
1564 ++ continue;
1565 ++
1566 ++ if (ether_addr_equal(bond->dev->dev_addr, slave->dev->dev_addr))
1567 ++ return slave;
1568 ++ }
1569 ++
1570 ++ return NULL;
1571 ++}
1572 ++
1573 + /*
1574 + * bond_do_fail_over_mac
1575 + *
1576 +@@ -672,6 +689,9 @@ static void bond_do_fail_over_mac(struct bonding *bond,
1577 +
1578 + write_unlock_bh(&bond->curr_slave_lock);
1579 +
1580 ++ if (!old_active)
1581 ++ old_active = bond_get_old_active(bond, new_active);
1582 ++
1583 + if (old_active) {
1584 + memcpy(tmp_mac, new_active->dev->dev_addr, ETH_ALEN);
1585 + memcpy(saddr.sa_data, old_active->dev->dev_addr,
1586 +@@ -1825,6 +1845,7 @@ static int bond_release_and_destroy(struct net_device *bond_dev,
1587 + bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
1588 + pr_info("%s: destroying bond %s.\n",
1589 + bond_dev->name, bond_dev->name);
1590 ++ bond_remove_proc_entry(bond);
1591 + unregister_netdevice(bond_dev);
1592 + }
1593 + return ret;
1594 +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
1595 +index bc65dc85a622..91e7286ab1e1 100644
1596 +--- a/drivers/net/ethernet/broadcom/tg3.c
1597 ++++ b/drivers/net/ethernet/broadcom/tg3.c
1598 +@@ -10737,7 +10737,7 @@ static ssize_t tg3_show_temp(struct device *dev,
1599 + tg3_ape_scratchpad_read(tp, &temperature, attr->index,
1600 + sizeof(temperature));
1601 + spin_unlock_bh(&tp->lock);
1602 +- return sprintf(buf, "%u\n", temperature);
1603 ++ return sprintf(buf, "%u\n", temperature * 1000);
1604 + }
1605 +
1606 +
1607 +diff --git a/drivers/net/ethernet/brocade/bna/bnad.c b/drivers/net/ethernet/brocade/bna/bnad.c
1608 +index 669eeb4eb247..f051783f5882 100644
1609 +--- a/drivers/net/ethernet/brocade/bna/bnad.c
1610 ++++ b/drivers/net/ethernet/brocade/bna/bnad.c
1611 +@@ -674,6 +674,7 @@ bnad_cq_process(struct bnad *bnad, struct bna_ccb *ccb, int budget)
1612 + if (!next_cmpl->valid)
1613 + break;
1614 + }
1615 ++ packets++;
1616 +
1617 + /* TODO: BNA_CQ_EF_LOCAL ? */
1618 + if (unlikely(flags & (BNA_CQ_EF_MAC_ERROR |
1619 +@@ -690,7 +691,6 @@ bnad_cq_process(struct bnad *bnad, struct bna_ccb *ccb, int budget)
1620 + else
1621 + bnad_cq_setup_skb_frags(rcb, skb, sop_ci, nvecs, len);
1622 +
1623 +- packets++;
1624 + rcb->rxq->rx_packets++;
1625 + rcb->rxq->rx_bytes += totlen;
1626 + ccb->bytes_per_intr += totlen;
1627 +diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c
1628 +index 8992b38578d5..e8a1baa87c95 100644
1629 +--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
1630 ++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
1631 +@@ -557,7 +557,7 @@ static int mlx4_eq_int(struct mlx4_dev *dev, struct mlx4_eq *eq)
1632 + mlx4_dbg(dev, "%s: Sending MLX4_PORT_CHANGE_SUBTYPE_DOWN"
1633 + " to slave: %d, port:%d\n",
1634 + __func__, i, port);
1635 +- s_info = &priv->mfunc.master.vf_oper[slave].vport[port].state;
1636 ++ s_info = &priv->mfunc.master.vf_oper[i].vport[port].state;
1637 + if (IFLA_VF_LINK_STATE_AUTO == s_info->link_state)
1638 + mlx4_slave_event(dev, i, eqe);
1639 + } else { /* IB port */
1640 +@@ -583,7 +583,7 @@ static int mlx4_eq_int(struct mlx4_dev *dev, struct mlx4_eq *eq)
1641 + for (i = 0; i < dev->num_slaves; i++) {
1642 + if (i == mlx4_master_func_num(dev))
1643 + continue;
1644 +- s_info = &priv->mfunc.master.vf_oper[slave].vport[port].state;
1645 ++ s_info = &priv->mfunc.master.vf_oper[i].vport[port].state;
1646 + if (IFLA_VF_LINK_STATE_AUTO == s_info->link_state)
1647 + mlx4_slave_event(dev, i, eqe);
1648 + }
1649 +diff --git a/drivers/net/ethernet/stmicro/stmmac/descs.h b/drivers/net/ethernet/stmicro/stmmac/descs.h
1650 +index ad3996038018..799c2929c536 100644
1651 +--- a/drivers/net/ethernet/stmicro/stmmac/descs.h
1652 ++++ b/drivers/net/ethernet/stmicro/stmmac/descs.h
1653 +@@ -158,6 +158,8 @@ struct dma_desc {
1654 + u32 buffer2_size:13;
1655 + u32 reserved4:3;
1656 + } etx; /* -- enhanced -- */
1657 ++
1658 ++ u64 all_flags;
1659 + } des01;
1660 + unsigned int des2;
1661 + unsigned int des3;
1662 +diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
1663 +index 7e6628a91514..59fb7f69841b 100644
1664 +--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
1665 ++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
1666 +@@ -240,6 +240,7 @@ static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x,
1667 + static void enh_desc_init_rx_desc(struct dma_desc *p, int disable_rx_ic,
1668 + int mode, int end)
1669 + {
1670 ++ p->des01.all_flags = 0;
1671 + p->des01.erx.own = 1;
1672 + p->des01.erx.buffer1_size = BUF_SIZE_8KiB - 1;
1673 +
1674 +@@ -254,7 +255,7 @@ static void enh_desc_init_rx_desc(struct dma_desc *p, int disable_rx_ic,
1675 +
1676 + static void enh_desc_init_tx_desc(struct dma_desc *p, int mode, int end)
1677 + {
1678 +- p->des01.etx.own = 0;
1679 ++ p->des01.all_flags = 0;
1680 + if (mode == STMMAC_CHAIN_MODE)
1681 + ehn_desc_tx_set_on_chain(p, end);
1682 + else
1683 +diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
1684 +index 35ad4f427ae2..48c3456445b2 100644
1685 +--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
1686 ++++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
1687 +@@ -123,6 +123,7 @@ static int ndesc_get_rx_status(void *data, struct stmmac_extra_stats *x,
1688 + static void ndesc_init_rx_desc(struct dma_desc *p, int disable_rx_ic, int mode,
1689 + int end)
1690 + {
1691 ++ p->des01.all_flags = 0;
1692 + p->des01.rx.own = 1;
1693 + p->des01.rx.buffer1_size = BUF_SIZE_2KiB - 1;
1694 +
1695 +@@ -137,7 +138,7 @@ static void ndesc_init_rx_desc(struct dma_desc *p, int disable_rx_ic, int mode,
1696 +
1697 + static void ndesc_init_tx_desc(struct dma_desc *p, int mode, int end)
1698 + {
1699 +- p->des01.tx.own = 0;
1700 ++ p->des01.all_flags = 0;
1701 + if (mode == STMMAC_CHAIN_MODE)
1702 + ndesc_tx_set_on_chain(p, end);
1703 + else
1704 +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
1705 +index 8543e1cfd55e..582e0b3cf5ba 100644
1706 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
1707 ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
1708 +@@ -1142,41 +1142,41 @@ static int alloc_dma_desc_resources(struct stmmac_priv *priv)
1709 + goto err_tx_skbuff;
1710 +
1711 + if (priv->extend_desc) {
1712 +- priv->dma_erx = dma_alloc_coherent(priv->device, rxsize *
1713 +- sizeof(struct
1714 +- dma_extended_desc),
1715 +- &priv->dma_rx_phy,
1716 +- GFP_KERNEL);
1717 ++ priv->dma_erx = dma_zalloc_coherent(priv->device, rxsize *
1718 ++ sizeof(struct
1719 ++ dma_extended_desc),
1720 ++ &priv->dma_rx_phy,
1721 ++ GFP_KERNEL);
1722 + if (!priv->dma_erx)
1723 + goto err_dma;
1724 +
1725 +- priv->dma_etx = dma_alloc_coherent(priv->device, txsize *
1726 +- sizeof(struct
1727 +- dma_extended_desc),
1728 +- &priv->dma_tx_phy,
1729 +- GFP_KERNEL);
1730 ++ priv->dma_etx = dma_zalloc_coherent(priv->device, txsize *
1731 ++ sizeof(struct
1732 ++ dma_extended_desc),
1733 ++ &priv->dma_tx_phy,
1734 ++ GFP_KERNEL);
1735 + if (!priv->dma_etx) {
1736 + dma_free_coherent(priv->device, priv->dma_rx_size *
1737 +- sizeof(struct dma_extended_desc),
1738 +- priv->dma_erx, priv->dma_rx_phy);
1739 ++ sizeof(struct dma_extended_desc),
1740 ++ priv->dma_erx, priv->dma_rx_phy);
1741 + goto err_dma;
1742 + }
1743 + } else {
1744 +- priv->dma_rx = dma_alloc_coherent(priv->device, rxsize *
1745 +- sizeof(struct dma_desc),
1746 +- &priv->dma_rx_phy,
1747 +- GFP_KERNEL);
1748 ++ priv->dma_rx = dma_zalloc_coherent(priv->device, rxsize *
1749 ++ sizeof(struct dma_desc),
1750 ++ &priv->dma_rx_phy,
1751 ++ GFP_KERNEL);
1752 + if (!priv->dma_rx)
1753 + goto err_dma;
1754 +
1755 +- priv->dma_tx = dma_alloc_coherent(priv->device, txsize *
1756 +- sizeof(struct dma_desc),
1757 +- &priv->dma_tx_phy,
1758 +- GFP_KERNEL);
1759 ++ priv->dma_tx = dma_zalloc_coherent(priv->device, txsize *
1760 ++ sizeof(struct dma_desc),
1761 ++ &priv->dma_tx_phy,
1762 ++ GFP_KERNEL);
1763 + if (!priv->dma_tx) {
1764 + dma_free_coherent(priv->device, priv->dma_rx_size *
1765 +- sizeof(struct dma_desc),
1766 +- priv->dma_rx, priv->dma_rx_phy);
1767 ++ sizeof(struct dma_desc),
1768 ++ priv->dma_rx, priv->dma_rx_phy);
1769 + goto err_dma;
1770 + }
1771 + }
1772 +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
1773 +index f9e96c427558..23dc1316c1c2 100644
1774 +--- a/drivers/net/usb/usbnet.c
1775 ++++ b/drivers/net/usb/usbnet.c
1776 +@@ -778,7 +778,7 @@ int usbnet_stop (struct net_device *net)
1777 + {
1778 + struct usbnet *dev = netdev_priv(net);
1779 + struct driver_info *info = dev->driver_info;
1780 +- int retval, pm;
1781 ++ int retval, pm, mpn;
1782 +
1783 + clear_bit(EVENT_DEV_OPEN, &dev->flags);
1784 + netif_stop_queue (net);
1785 +@@ -809,6 +809,8 @@ int usbnet_stop (struct net_device *net)
1786 +
1787 + usbnet_purge_paused_rxq(dev);
1788 +
1789 ++ mpn = !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags);
1790 ++
1791 + /* deferred work (task, timer, softirq) must also stop.
1792 + * can't flush_scheduled_work() until we drop rtnl (later),
1793 + * else workers could deadlock; so make workers a NOP.
1794 +@@ -819,8 +821,7 @@ int usbnet_stop (struct net_device *net)
1795 + if (!pm)
1796 + usb_autopm_put_interface(dev->intf);
1797 +
1798 +- if (info->manage_power &&
1799 +- !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags))
1800 ++ if (info->manage_power && mpn)
1801 + info->manage_power(dev, 0);
1802 + else
1803 + usb_autopm_put_interface(dev->intf);
1804 +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
1805 +index 66c92a16da29..a35d1dedeffb 100644
1806 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
1807 ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
1808 +@@ -314,6 +314,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
1809 + {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
1810 + {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
1811 + {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
1812 ++ {RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/
1813 + {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
1814 + {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
1815 + {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
1816 +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
1817 +index ff3c98f1ea95..91cc44611062 100644
1818 +--- a/drivers/xen/gntdev.c
1819 ++++ b/drivers/xen/gntdev.c
1820 +@@ -67,7 +67,7 @@ struct gntdev_priv {
1821 + * Only populated if populate_freeable_maps == 1 */
1822 + struct list_head freeable_maps;
1823 + /* lock protects maps and freeable_maps */
1824 +- spinlock_t lock;
1825 ++ struct mutex lock;
1826 + struct mm_struct *mm;
1827 + struct mmu_notifier mn;
1828 + };
1829 +@@ -216,9 +216,9 @@ static void gntdev_put_map(struct gntdev_priv *priv, struct grant_map *map)
1830 + }
1831 +
1832 + if (populate_freeable_maps && priv) {
1833 +- spin_lock(&priv->lock);
1834 ++ mutex_lock(&priv->lock);
1835 + list_del(&map->next);
1836 +- spin_unlock(&priv->lock);
1837 ++ mutex_unlock(&priv->lock);
1838 + }
1839 +
1840 + if (map->pages && !use_ptemod)
1841 +@@ -387,9 +387,9 @@ static void gntdev_vma_close(struct vm_area_struct *vma)
1842 + * not do any unmapping, since that has been done prior to
1843 + * closing the vma, but it may still iterate the unmap_ops list.
1844 + */
1845 +- spin_lock(&priv->lock);
1846 ++ mutex_lock(&priv->lock);
1847 + map->vma = NULL;
1848 +- spin_unlock(&priv->lock);
1849 ++ mutex_unlock(&priv->lock);
1850 + }
1851 + vma->vm_private_data = NULL;
1852 + gntdev_put_map(priv, map);
1853 +@@ -433,14 +433,14 @@ static void mn_invl_range_start(struct mmu_notifier *mn,
1854 + struct gntdev_priv *priv = container_of(mn, struct gntdev_priv, mn);
1855 + struct grant_map *map;
1856 +
1857 +- spin_lock(&priv->lock);
1858 ++ mutex_lock(&priv->lock);
1859 + list_for_each_entry(map, &priv->maps, next) {
1860 + unmap_if_in_range(map, start, end);
1861 + }
1862 + list_for_each_entry(map, &priv->freeable_maps, next) {
1863 + unmap_if_in_range(map, start, end);
1864 + }
1865 +- spin_unlock(&priv->lock);
1866 ++ mutex_unlock(&priv->lock);
1867 + }
1868 +
1869 + static void mn_invl_page(struct mmu_notifier *mn,
1870 +@@ -457,7 +457,7 @@ static void mn_release(struct mmu_notifier *mn,
1871 + struct grant_map *map;
1872 + int err;
1873 +
1874 +- spin_lock(&priv->lock);
1875 ++ mutex_lock(&priv->lock);
1876 + list_for_each_entry(map, &priv->maps, next) {
1877 + if (!map->vma)
1878 + continue;
1879 +@@ -476,7 +476,7 @@ static void mn_release(struct mmu_notifier *mn,
1880 + err = unmap_grant_pages(map, /* offset */ 0, map->count);
1881 + WARN_ON(err);
1882 + }
1883 +- spin_unlock(&priv->lock);
1884 ++ mutex_unlock(&priv->lock);
1885 + }
1886 +
1887 + static struct mmu_notifier_ops gntdev_mmu_ops = {
1888 +@@ -498,7 +498,7 @@ static int gntdev_open(struct inode *inode, struct file *flip)
1889 +
1890 + INIT_LIST_HEAD(&priv->maps);
1891 + INIT_LIST_HEAD(&priv->freeable_maps);
1892 +- spin_lock_init(&priv->lock);
1893 ++ mutex_init(&priv->lock);
1894 +
1895 + if (use_ptemod) {
1896 + priv->mm = get_task_mm(current);
1897 +@@ -574,10 +574,10 @@ static long gntdev_ioctl_map_grant_ref(struct gntdev_priv *priv,
1898 + return -EFAULT;
1899 + }
1900 +
1901 +- spin_lock(&priv->lock);
1902 ++ mutex_lock(&priv->lock);
1903 + gntdev_add_map(priv, map);
1904 + op.index = map->index << PAGE_SHIFT;
1905 +- spin_unlock(&priv->lock);
1906 ++ mutex_unlock(&priv->lock);
1907 +
1908 + if (copy_to_user(u, &op, sizeof(op)) != 0)
1909 + return -EFAULT;
1910 +@@ -596,7 +596,7 @@ static long gntdev_ioctl_unmap_grant_ref(struct gntdev_priv *priv,
1911 + return -EFAULT;
1912 + pr_debug("priv %p, del %d+%d\n", priv, (int)op.index, (int)op.count);
1913 +
1914 +- spin_lock(&priv->lock);
1915 ++ mutex_lock(&priv->lock);
1916 + map = gntdev_find_map_index(priv, op.index >> PAGE_SHIFT, op.count);
1917 + if (map) {
1918 + list_del(&map->next);
1919 +@@ -604,7 +604,7 @@ static long gntdev_ioctl_unmap_grant_ref(struct gntdev_priv *priv,
1920 + list_add_tail(&map->next, &priv->freeable_maps);
1921 + err = 0;
1922 + }
1923 +- spin_unlock(&priv->lock);
1924 ++ mutex_unlock(&priv->lock);
1925 + if (map)
1926 + gntdev_put_map(priv, map);
1927 + return err;
1928 +@@ -672,7 +672,7 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
1929 + out_flags = op.action;
1930 + out_event = op.event_channel_port;
1931 +
1932 +- spin_lock(&priv->lock);
1933 ++ mutex_lock(&priv->lock);
1934 +
1935 + list_for_each_entry(map, &priv->maps, next) {
1936 + uint64_t begin = map->index << PAGE_SHIFT;
1937 +@@ -700,7 +700,7 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
1938 + rc = 0;
1939 +
1940 + unlock_out:
1941 +- spin_unlock(&priv->lock);
1942 ++ mutex_unlock(&priv->lock);
1943 +
1944 + /* Drop the reference to the event channel we did not save in the map */
1945 + if (out_flags & UNMAP_NOTIFY_SEND_EVENT)
1946 +@@ -750,7 +750,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
1947 + pr_debug("map %d+%d at %lx (pgoff %lx)\n",
1948 + index, count, vma->vm_start, vma->vm_pgoff);
1949 +
1950 +- spin_lock(&priv->lock);
1951 ++ mutex_lock(&priv->lock);
1952 + map = gntdev_find_map_index(priv, index, count);
1953 + if (!map)
1954 + goto unlock_out;
1955 +@@ -785,7 +785,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
1956 + map->flags |= GNTMAP_readonly;
1957 + }
1958 +
1959 +- spin_unlock(&priv->lock);
1960 ++ mutex_unlock(&priv->lock);
1961 +
1962 + if (use_ptemod) {
1963 + err = apply_to_page_range(vma->vm_mm, vma->vm_start,
1964 +@@ -813,11 +813,11 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
1965 + return 0;
1966 +
1967 + unlock_out:
1968 +- spin_unlock(&priv->lock);
1969 ++ mutex_unlock(&priv->lock);
1970 + return err;
1971 +
1972 + out_unlock_put:
1973 +- spin_unlock(&priv->lock);
1974 ++ mutex_unlock(&priv->lock);
1975 + out_put_map:
1976 + if (use_ptemod)
1977 + map->vma = NULL;
1978 +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
1979 +index a0b65a01fed7..86f86823a5f4 100644
1980 +--- a/fs/btrfs/transaction.c
1981 ++++ b/fs/btrfs/transaction.c
1982 +@@ -1710,8 +1710,11 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans,
1983 + spin_unlock(&root->fs_info->trans_lock);
1984 +
1985 + wait_for_commit(root, prev_trans);
1986 ++ ret = prev_trans->aborted;
1987 +
1988 + btrfs_put_transaction(prev_trans);
1989 ++ if (ret)
1990 ++ goto cleanup_transaction;
1991 + } else {
1992 + spin_unlock(&root->fs_info->trans_lock);
1993 + }
1994 +diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c
1995 +index dfc95646b88c..31df9bceedca 100644
1996 +--- a/fs/cifs/ioctl.c
1997 ++++ b/fs/cifs/ioctl.c
1998 +@@ -67,6 +67,12 @@ static long cifs_ioctl_clone(unsigned int xid, struct file *dst_file,
1999 + goto out_drop_write;
2000 + }
2001 +
2002 ++ if (src_file.file->f_op->unlocked_ioctl != cifs_ioctl) {
2003 ++ rc = -EBADF;
2004 ++ cifs_dbg(VFS, "src file seems to be from a different filesystem type\n");
2005 ++ goto out_fput;
2006 ++ }
2007 ++
2008 + if ((!src_file.file->private_data) || (!dst_file->private_data)) {
2009 + rc = -EBADF;
2010 + cifs_dbg(VFS, "missing cifsFileInfo on copy range src file\n");
2011 +diff --git a/fs/coredump.c b/fs/coredump.c
2012 +index a93f7e6ea4cf..72f97a56966f 100644
2013 +--- a/fs/coredump.c
2014 ++++ b/fs/coredump.c
2015 +@@ -498,10 +498,10 @@ void do_coredump(const siginfo_t *siginfo)
2016 + const struct cred *old_cred;
2017 + struct cred *cred;
2018 + int retval = 0;
2019 +- int flag = 0;
2020 + int ispipe;
2021 + struct files_struct *displaced;
2022 +- bool need_nonrelative = false;
2023 ++ /* require nonrelative corefile path and be extra careful */
2024 ++ bool need_suid_safe = false;
2025 + bool core_dumped = false;
2026 + static atomic_t core_dump_count = ATOMIC_INIT(0);
2027 + struct coredump_params cprm = {
2028 +@@ -535,9 +535,8 @@ void do_coredump(const siginfo_t *siginfo)
2029 + */
2030 + if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) {
2031 + /* Setuid core dump mode */
2032 +- flag = O_EXCL; /* Stop rewrite attacks */
2033 + cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */
2034 +- need_nonrelative = true;
2035 ++ need_suid_safe = true;
2036 + }
2037 +
2038 + retval = coredump_wait(siginfo->si_signo, &core_state);
2039 +@@ -618,7 +617,7 @@ void do_coredump(const siginfo_t *siginfo)
2040 + if (cprm.limit < binfmt->min_coredump)
2041 + goto fail_unlock;
2042 +
2043 +- if (need_nonrelative && cn.corename[0] != '/') {
2044 ++ if (need_suid_safe && cn.corename[0] != '/') {
2045 + printk(KERN_WARNING "Pid %d(%s) can only dump core "\
2046 + "to fully qualified path!\n",
2047 + task_tgid_vnr(current), current->comm);
2048 +@@ -626,8 +625,35 @@ void do_coredump(const siginfo_t *siginfo)
2049 + goto fail_unlock;
2050 + }
2051 +
2052 ++ /*
2053 ++ * Unlink the file if it exists unless this is a SUID
2054 ++ * binary - in that case, we're running around with root
2055 ++ * privs and don't want to unlink another user's coredump.
2056 ++ */
2057 ++ if (!need_suid_safe) {
2058 ++ mm_segment_t old_fs;
2059 ++
2060 ++ old_fs = get_fs();
2061 ++ set_fs(KERNEL_DS);
2062 ++ /*
2063 ++ * If it doesn't exist, that's fine. If there's some
2064 ++ * other problem, we'll catch it at the filp_open().
2065 ++ */
2066 ++ (void) sys_unlink((const char __user *)cn.corename);
2067 ++ set_fs(old_fs);
2068 ++ }
2069 ++
2070 ++ /*
2071 ++ * There is a race between unlinking and creating the
2072 ++ * file, but if that causes an EEXIST here, that's
2073 ++ * fine - another process raced with us while creating
2074 ++ * the corefile, and the other process won. To userspace,
2075 ++ * what matters is that at least one of the two processes
2076 ++ * writes its coredump successfully, not which one.
2077 ++ */
2078 + cprm.file = filp_open(cn.corename,
2079 +- O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
2080 ++ O_CREAT | 2 | O_NOFOLLOW |
2081 ++ O_LARGEFILE | O_EXCL,
2082 + 0600);
2083 + if (IS_ERR(cprm.file))
2084 + goto fail_unlock;
2085 +diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
2086 +index d3fa6bd9503e..221719eac5de 100644
2087 +--- a/fs/hfs/bnode.c
2088 ++++ b/fs/hfs/bnode.c
2089 +@@ -288,7 +288,6 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
2090 + page_cache_release(page);
2091 + goto fail;
2092 + }
2093 +- page_cache_release(page);
2094 + node->page[i] = page;
2095 + }
2096 +
2097 +@@ -398,11 +397,11 @@ node_error:
2098 +
2099 + void hfs_bnode_free(struct hfs_bnode *node)
2100 + {
2101 +- //int i;
2102 ++ int i;
2103 +
2104 +- //for (i = 0; i < node->tree->pages_per_bnode; i++)
2105 +- // if (node->page[i])
2106 +- // page_cache_release(node->page[i]);
2107 ++ for (i = 0; i < node->tree->pages_per_bnode; i++)
2108 ++ if (node->page[i])
2109 ++ page_cache_release(node->page[i]);
2110 + kfree(node);
2111 + }
2112 +
2113 +diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
2114 +index 9f4ee7f52026..6fc766df0461 100644
2115 +--- a/fs/hfs/brec.c
2116 ++++ b/fs/hfs/brec.c
2117 +@@ -131,13 +131,16 @@ skip:
2118 + hfs_bnode_write(node, entry, data_off + key_len, entry_len);
2119 + hfs_bnode_dump(node);
2120 +
2121 +- if (new_node) {
2122 +- /* update parent key if we inserted a key
2123 +- * at the start of the first node
2124 +- */
2125 +- if (!rec && new_node != node)
2126 +- hfs_brec_update_parent(fd);
2127 ++ /*
2128 ++ * update parent key if we inserted a key
2129 ++ * at the start of the node and it is not the new node
2130 ++ */
2131 ++ if (!rec && new_node != node) {
2132 ++ hfs_bnode_read_key(node, fd->search_key, data_off + size);
2133 ++ hfs_brec_update_parent(fd);
2134 ++ }
2135 +
2136 ++ if (new_node) {
2137 + hfs_bnode_put(fd->bnode);
2138 + if (!new_node->parent) {
2139 + hfs_btree_inc_height(tree);
2140 +@@ -166,9 +169,6 @@ skip:
2141 + goto again;
2142 + }
2143 +
2144 +- if (!rec)
2145 +- hfs_brec_update_parent(fd);
2146 +-
2147 + return 0;
2148 + }
2149 +
2150 +@@ -366,6 +366,8 @@ again:
2151 + if (IS_ERR(parent))
2152 + return PTR_ERR(parent);
2153 + __hfs_brec_find(parent, fd);
2154 ++ if (fd->record < 0)
2155 ++ return -ENOENT;
2156 + hfs_bnode_dump(parent);
2157 + rec = fd->record;
2158 +
2159 +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
2160 +index 11c860204520..bedfe5f7d332 100644
2161 +--- a/fs/hfsplus/bnode.c
2162 ++++ b/fs/hfsplus/bnode.c
2163 +@@ -456,7 +456,6 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
2164 + page_cache_release(page);
2165 + goto fail;
2166 + }
2167 +- page_cache_release(page);
2168 + node->page[i] = page;
2169 + }
2170 +
2171 +@@ -568,13 +567,11 @@ node_error:
2172 +
2173 + void hfs_bnode_free(struct hfs_bnode *node)
2174 + {
2175 +-#if 0
2176 + int i;
2177 +
2178 + for (i = 0; i < node->tree->pages_per_bnode; i++)
2179 + if (node->page[i])
2180 + page_cache_release(node->page[i]);
2181 +-#endif
2182 + kfree(node);
2183 + }
2184 +
2185 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
2186 +index 58258ad50d5f..7b945957e230 100644
2187 +--- a/fs/nfs/nfs4proc.c
2188 ++++ b/fs/nfs/nfs4proc.c
2189 +@@ -2275,7 +2275,7 @@ static int _nfs4_do_open(struct inode *dir,
2190 + goto err_free_label;
2191 + state = ctx->state;
2192 +
2193 +- if ((opendata->o_arg.open_flags & O_EXCL) &&
2194 ++ if ((opendata->o_arg.open_flags & (O_CREAT|O_EXCL)) == (O_CREAT|O_EXCL) &&
2195 + (opendata->o_arg.createmode != NFS4_CREATE_GUARDED)) {
2196 + nfs4_exclusive_attrset(opendata, sattr);
2197 +
2198 +@@ -8368,6 +8368,7 @@ static const struct nfs4_minor_version_ops nfs_v4_2_minor_ops = {
2199 + .reboot_recovery_ops = &nfs41_reboot_recovery_ops,
2200 + .nograce_recovery_ops = &nfs41_nograce_recovery_ops,
2201 + .state_renewal_ops = &nfs41_state_renewal_ops,
2202 ++ .mig_recovery_ops = &nfs41_mig_recovery_ops,
2203 + };
2204 + #endif
2205 +
2206 +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
2207 +index 27d7f2742592..11763ce73709 100644
2208 +--- a/fs/nfs/pagelist.c
2209 ++++ b/fs/nfs/pagelist.c
2210 +@@ -60,8 +60,8 @@ EXPORT_SYMBOL_GPL(nfs_pgheader_init);
2211 + void nfs_set_pgio_error(struct nfs_pgio_header *hdr, int error, loff_t pos)
2212 + {
2213 + spin_lock(&hdr->lock);
2214 +- if (pos < hdr->io_start + hdr->good_bytes) {
2215 +- set_bit(NFS_IOHDR_ERROR, &hdr->flags);
2216 ++ if (!test_and_set_bit(NFS_IOHDR_ERROR, &hdr->flags)
2217 ++ || pos < hdr->io_start + hdr->good_bytes) {
2218 + clear_bit(NFS_IOHDR_EOF, &hdr->flags);
2219 + hdr->good_bytes = pos - hdr->io_start;
2220 + hdr->error = error;
2221 +diff --git a/fs/udf/inode.c b/fs/udf/inode.c
2222 +index 287cd5f23421..142d29e3ccdf 100644
2223 +--- a/fs/udf/inode.c
2224 ++++ b/fs/udf/inode.c
2225 +@@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
2226 + iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
2227 + }
2228 +
2229 ++ /*
2230 ++ * Sanity check length of allocation descriptors and extended attrs to
2231 ++ * avoid integer overflows
2232 ++ */
2233 ++ if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize
2234 ++ || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
2235 ++ make_bad_inode(inode);
2236 ++ return;
2237 ++ }
2238 ++ /* Now do exact checks */
2239 ++ if (udf_file_entry_alloc_offset(inode)
2240 ++ + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
2241 ++ make_bad_inode(inode);
2242 ++ return;
2243 ++ }
2244 ++
2245 + switch (fe->icbTag.fileType) {
2246 + case ICBTAG_FILE_TYPE_DIRECTORY:
2247 + inode->i_op = &udf_dir_inode_operations;
2248 +diff --git a/include/net/ip.h b/include/net/ip.h
2249 +index 5128fa7a8302..476bab2d28b0 100644
2250 +--- a/include/net/ip.h
2251 ++++ b/include/net/ip.h
2252 +@@ -154,6 +154,7 @@ static inline __u8 get_rtconn_flags(struct ipcm_cookie* ipc, struct sock* sk)
2253 + }
2254 +
2255 + /* datagram.c */
2256 ++int __ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len);
2257 + int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len);
2258 +
2259 + void ip4_datagram_release_cb(struct sock *sk);
2260 +diff --git a/kernel/fork.c b/kernel/fork.c
2261 +index e2c685396295..1394fb3476d0 100644
2262 +--- a/kernel/fork.c
2263 ++++ b/kernel/fork.c
2264 +@@ -1756,13 +1756,21 @@ static int check_unshare_flags(unsigned long unshare_flags)
2265 + CLONE_NEWUSER|CLONE_NEWPID))
2266 + return -EINVAL;
2267 + /*
2268 +- * Not implemented, but pretend it works if there is nothing to
2269 +- * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND
2270 +- * needs to unshare vm.
2271 ++ * Not implemented, but pretend it works if there is nothing
2272 ++ * to unshare. Note that unsharing the address space or the
2273 ++ * signal handlers also need to unshare the signal queues (aka
2274 ++ * CLONE_THREAD).
2275 + */
2276 + if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
2277 +- /* FIXME: get_task_mm() increments ->mm_users */
2278 +- if (atomic_read(&current->mm->mm_users) > 1)
2279 ++ if (!thread_group_empty(current))
2280 ++ return -EINVAL;
2281 ++ }
2282 ++ if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
2283 ++ if (atomic_read(&current->sighand->count) > 1)
2284 ++ return -EINVAL;
2285 ++ }
2286 ++ if (unshare_flags & CLONE_VM) {
2287 ++ if (!current_is_single_threaded())
2288 + return -EINVAL;
2289 + }
2290 +
2291 +@@ -1831,16 +1839,16 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
2292 + if (unshare_flags & CLONE_NEWUSER)
2293 + unshare_flags |= CLONE_THREAD | CLONE_FS;
2294 + /*
2295 +- * If unsharing a thread from a thread group, must also unshare vm.
2296 +- */
2297 +- if (unshare_flags & CLONE_THREAD)
2298 +- unshare_flags |= CLONE_VM;
2299 +- /*
2300 + * If unsharing vm, must also unshare signal handlers.
2301 + */
2302 + if (unshare_flags & CLONE_VM)
2303 + unshare_flags |= CLONE_SIGHAND;
2304 + /*
2305 ++ * If unsharing a signal handlers, must also unshare the signal queues.
2306 ++ */
2307 ++ if (unshare_flags & CLONE_SIGHAND)
2308 ++ unshare_flags |= CLONE_THREAD;
2309 ++ /*
2310 + * If unsharing namespace, must also unshare filesystem information.
2311 + */
2312 + if (unshare_flags & CLONE_NEWNS)
2313 +diff --git a/mm/vmscan.c b/mm/vmscan.c
2314 +index 88edf53748ee..57af138d26a2 100644
2315 +--- a/mm/vmscan.c
2316 ++++ b/mm/vmscan.c
2317 +@@ -1087,7 +1087,7 @@ cull_mlocked:
2318 + if (PageSwapCache(page))
2319 + try_to_free_swap(page);
2320 + unlock_page(page);
2321 +- putback_lru_page(page);
2322 ++ list_add(&page->lru, &ret_pages);
2323 + continue;
2324 +
2325 + activate_locked:
2326 +diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
2327 +index b7b1914dfa25..27cf128ebc15 100644
2328 +--- a/net/bridge/br_mdb.c
2329 ++++ b/net/bridge/br_mdb.c
2330 +@@ -347,7 +347,6 @@ static int br_mdb_add_group(struct net_bridge *br, struct net_bridge_port *port,
2331 + return -ENOMEM;
2332 + rcu_assign_pointer(*pp, p);
2333 +
2334 +- br_mdb_notify(br->dev, port, group, RTM_NEWMDB);
2335 + return 0;
2336 + }
2337 +
2338 +@@ -370,6 +369,7 @@ static int __br_mdb_add(struct net *net, struct net_bridge *br,
2339 + if (!p || p->br != br || p->state == BR_STATE_DISABLED)
2340 + return -EINVAL;
2341 +
2342 ++ memset(&ip, 0, sizeof(ip));
2343 + ip.proto = entry->addr.proto;
2344 + if (ip.proto == htons(ETH_P_IP))
2345 + ip.u.ip4 = entry->addr.u.ip4;
2346 +@@ -416,6 +416,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry)
2347 + if (!netif_running(br->dev) || br->multicast_disabled)
2348 + return -EINVAL;
2349 +
2350 ++ memset(&ip, 0, sizeof(ip));
2351 + ip.proto = entry->addr.proto;
2352 + if (ip.proto == htons(ETH_P_IP)) {
2353 + if (timer_pending(&br->ip4_querier.timer))
2354 +diff --git a/net/core/datagram.c b/net/core/datagram.c
2355 +index a16ed7bbe376..13bc7dad7990 100644
2356 +--- a/net/core/datagram.c
2357 ++++ b/net/core/datagram.c
2358 +@@ -130,6 +130,35 @@ out_noerr:
2359 + goto out;
2360 + }
2361 +
2362 ++static struct sk_buff *skb_set_peeked(struct sk_buff *skb)
2363 ++{
2364 ++ struct sk_buff *nskb;
2365 ++
2366 ++ if (skb->peeked)
2367 ++ return skb;
2368 ++
2369 ++ /* We have to unshare an skb before modifying it. */
2370 ++ if (!skb_shared(skb))
2371 ++ goto done;
2372 ++
2373 ++ nskb = skb_clone(skb, GFP_ATOMIC);
2374 ++ if (!nskb)
2375 ++ return ERR_PTR(-ENOMEM);
2376 ++
2377 ++ skb->prev->next = nskb;
2378 ++ skb->next->prev = nskb;
2379 ++ nskb->prev = skb->prev;
2380 ++ nskb->next = skb->next;
2381 ++
2382 ++ consume_skb(skb);
2383 ++ skb = nskb;
2384 ++
2385 ++done:
2386 ++ skb->peeked = 1;
2387 ++
2388 ++ return skb;
2389 ++}
2390 ++
2391 + /**
2392 + * __skb_recv_datagram - Receive a datagram skbuff
2393 + * @sk: socket
2394 +@@ -164,7 +193,9 @@ out_noerr:
2395 + struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
2396 + int *peeked, int *off, int *err)
2397 + {
2398 ++ struct sk_buff_head *queue = &sk->sk_receive_queue;
2399 + struct sk_buff *skb, *last;
2400 ++ unsigned long cpu_flags;
2401 + long timeo;
2402 + /*
2403 + * Caller is allowed not to check sk->sk_err before skb_recv_datagram()
2404 +@@ -183,8 +214,6 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
2405 + * Look at current nfs client by the way...
2406 + * However, this function was correct in any case. 8)
2407 + */
2408 +- unsigned long cpu_flags;
2409 +- struct sk_buff_head *queue = &sk->sk_receive_queue;
2410 + int _off = *off;
2411 +
2412 + last = (struct sk_buff *)queue;
2413 +@@ -198,7 +227,12 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
2414 + _off -= skb->len;
2415 + continue;
2416 + }
2417 +- skb->peeked = 1;
2418 ++
2419 ++ skb = skb_set_peeked(skb);
2420 ++ error = PTR_ERR(skb);
2421 ++ if (IS_ERR(skb))
2422 ++ goto unlock_err;
2423 ++
2424 + atomic_inc(&skb->users);
2425 + } else
2426 + __skb_unlink(skb, queue);
2427 +@@ -222,6 +256,8 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
2428 +
2429 + return NULL;
2430 +
2431 ++unlock_err:
2432 ++ spin_unlock_irqrestore(&queue->lock, cpu_flags);
2433 + no_packet:
2434 + *err = error;
2435 + return NULL;
2436 +@@ -742,7 +778,8 @@ __sum16 __skb_checksum_complete_head(struct sk_buff *skb, int len)
2437 + if (likely(!sum)) {
2438 + if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE))
2439 + netdev_rx_csum_fault(skb->dev);
2440 +- skb->ip_summed = CHECKSUM_UNNECESSARY;
2441 ++ if (!skb_shared(skb))
2442 ++ skb->ip_summed = CHECKSUM_UNNECESSARY;
2443 + }
2444 + return sum;
2445 + }
2446 +diff --git a/net/core/dev.c b/net/core/dev.c
2447 +index 1b9e700c85b6..ae3260fc133d 100644
2448 +--- a/net/core/dev.c
2449 ++++ b/net/core/dev.c
2450 +@@ -3214,6 +3214,8 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu,
2451 + local_irq_save(flags);
2452 +
2453 + rps_lock(sd);
2454 ++ if (!netif_running(skb->dev))
2455 ++ goto drop;
2456 + qlen = skb_queue_len(&sd->input_pkt_queue);
2457 + if (qlen <= netdev_max_backlog && !skb_flow_limit(skb, qlen)) {
2458 + if (skb_queue_len(&sd->input_pkt_queue)) {
2459 +@@ -3235,6 +3237,7 @@ enqueue:
2460 + goto enqueue;
2461 + }
2462 +
2463 ++drop:
2464 + sd->dropped++;
2465 + rps_unlock(sd);
2466 +
2467 +@@ -3551,8 +3554,6 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
2468 +
2469 + pt_prev = NULL;
2470 +
2471 +- rcu_read_lock();
2472 +-
2473 + another_round:
2474 + skb->skb_iif = skb->dev->ifindex;
2475 +
2476 +@@ -3562,7 +3563,7 @@ another_round:
2477 + skb->protocol == cpu_to_be16(ETH_P_8021AD)) {
2478 + skb = skb_vlan_untag(skb);
2479 + if (unlikely(!skb))
2480 +- goto unlock;
2481 ++ goto out;
2482 + }
2483 +
2484 + #ifdef CONFIG_NET_CLS_ACT
2485 +@@ -3587,7 +3588,7 @@ skip_taps:
2486 + #ifdef CONFIG_NET_CLS_ACT
2487 + skb = handle_ing(skb, &pt_prev, &ret, orig_dev);
2488 + if (!skb)
2489 +- goto unlock;
2490 ++ goto out;
2491 + ncls:
2492 + #endif
2493 +
2494 +@@ -3602,7 +3603,7 @@ ncls:
2495 + if (vlan_do_receive(&skb))
2496 + goto another_round;
2497 + else if (unlikely(!skb))
2498 +- goto unlock;
2499 ++ goto out;
2500 + }
2501 +
2502 + rx_handler = rcu_dereference(skb->dev->rx_handler);
2503 +@@ -3614,7 +3615,7 @@ ncls:
2504 + switch (rx_handler(&skb)) {
2505 + case RX_HANDLER_CONSUMED:
2506 + ret = NET_RX_SUCCESS;
2507 +- goto unlock;
2508 ++ goto out;
2509 + case RX_HANDLER_ANOTHER:
2510 + goto another_round;
2511 + case RX_HANDLER_EXACT:
2512 +@@ -3666,8 +3667,6 @@ drop:
2513 + ret = NET_RX_DROP;
2514 + }
2515 +
2516 +-unlock:
2517 +- rcu_read_unlock();
2518 + out:
2519 + return ret;
2520 + }
2521 +@@ -3699,29 +3698,30 @@ static int __netif_receive_skb(struct sk_buff *skb)
2522 +
2523 + static int netif_receive_skb_internal(struct sk_buff *skb)
2524 + {
2525 ++ int ret;
2526 ++
2527 + net_timestamp_check(netdev_tstamp_prequeue, skb);
2528 +
2529 + if (skb_defer_rx_timestamp(skb))
2530 + return NET_RX_SUCCESS;
2531 +
2532 ++ rcu_read_lock();
2533 ++
2534 + #ifdef CONFIG_RPS
2535 + if (static_key_false(&rps_needed)) {
2536 + struct rps_dev_flow voidflow, *rflow = &voidflow;
2537 +- int cpu, ret;
2538 +-
2539 +- rcu_read_lock();
2540 +-
2541 +- cpu = get_rps_cpu(skb->dev, skb, &rflow);
2542 ++ int cpu = get_rps_cpu(skb->dev, skb, &rflow);
2543 +
2544 + if (cpu >= 0) {
2545 + ret = enqueue_to_backlog(skb, cpu, &rflow->last_qtail);
2546 + rcu_read_unlock();
2547 + return ret;
2548 + }
2549 +- rcu_read_unlock();
2550 + }
2551 + #endif
2552 +- return __netif_receive_skb(skb);
2553 ++ ret = __netif_receive_skb(skb);
2554 ++ rcu_read_unlock();
2555 ++ return ret;
2556 + }
2557 +
2558 + /**
2559 +@@ -4182,8 +4182,10 @@ static int process_backlog(struct napi_struct *napi, int quota)
2560 + unsigned int qlen;
2561 +
2562 + while ((skb = __skb_dequeue(&sd->process_queue))) {
2563 ++ rcu_read_lock();
2564 + local_irq_enable();
2565 + __netif_receive_skb(skb);
2566 ++ rcu_read_unlock();
2567 + local_irq_disable();
2568 + input_queue_head_incr(sd);
2569 + if (++work >= quota) {
2570 +@@ -5694,6 +5696,7 @@ static void rollback_registered_many(struct list_head *head)
2571 + unlist_netdevice(dev);
2572 +
2573 + dev->reg_state = NETREG_UNREGISTERING;
2574 ++ on_each_cpu(flush_backlog, dev, 1);
2575 + }
2576 +
2577 + synchronize_net();
2578 +@@ -5951,7 +5954,8 @@ static int netif_alloc_netdev_queues(struct net_device *dev)
2579 + struct netdev_queue *tx;
2580 + size_t sz = count * sizeof(*tx);
2581 +
2582 +- BUG_ON(count < 1 || count > 0xffff);
2583 ++ if (count < 1 || count > 0xffff)
2584 ++ return -EINVAL;
2585 +
2586 + tx = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_REPEAT);
2587 + if (!tx) {
2588 +@@ -6309,8 +6313,6 @@ void netdev_run_todo(void)
2589 +
2590 + dev->reg_state = NETREG_UNREGISTERED;
2591 +
2592 +- on_each_cpu(flush_backlog, dev, 1);
2593 +-
2594 + netdev_wait_allrefs(dev);
2595 +
2596 + /* paranoia */
2597 +diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
2598 +index 185c341fafbd..aeedc3a961a1 100644
2599 +--- a/net/core/fib_rules.c
2600 ++++ b/net/core/fib_rules.c
2601 +@@ -621,15 +621,17 @@ static int dump_rules(struct sk_buff *skb, struct netlink_callback *cb,
2602 + {
2603 + int idx = 0;
2604 + struct fib_rule *rule;
2605 ++ int err = 0;
2606 +
2607 + rcu_read_lock();
2608 + list_for_each_entry_rcu(rule, &ops->rules_list, list) {
2609 + if (idx < cb->args[1])
2610 + goto skip;
2611 +
2612 +- if (fib_nl_fill_rule(skb, rule, NETLINK_CB(cb->skb).portid,
2613 +- cb->nlh->nlmsg_seq, RTM_NEWRULE,
2614 +- NLM_F_MULTI, ops) < 0)
2615 ++ err = fib_nl_fill_rule(skb, rule, NETLINK_CB(cb->skb).portid,
2616 ++ cb->nlh->nlmsg_seq, RTM_NEWRULE,
2617 ++ NLM_F_MULTI, ops);
2618 ++ if (err)
2619 + break;
2620 + skip:
2621 + idx++;
2622 +@@ -638,7 +640,7 @@ skip:
2623 + cb->args[1] = idx;
2624 + rules_ops_put(ops);
2625 +
2626 +- return skb->len;
2627 ++ return err;
2628 + }
2629 +
2630 + static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb)
2631 +@@ -654,7 +656,9 @@ static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb)
2632 + if (ops == NULL)
2633 + return -EAFNOSUPPORT;
2634 +
2635 +- return dump_rules(skb, cb, ops);
2636 ++ dump_rules(skb, cb, ops);
2637 ++
2638 ++ return skb->len;
2639 + }
2640 +
2641 + rcu_read_lock();
2642 +diff --git a/net/core/pktgen.c b/net/core/pktgen.c
2643 +index ca68d32b49ba..dbd797a62b3a 100644
2644 +--- a/net/core/pktgen.c
2645 ++++ b/net/core/pktgen.c
2646 +@@ -3464,8 +3464,10 @@ static int pktgen_thread_worker(void *arg)
2647 + pktgen_rem_thread(t);
2648 +
2649 + /* Wait for kthread_stop */
2650 +- while (!kthread_should_stop()) {
2651 ++ for (;;) {
2652 + set_current_state(TASK_INTERRUPTIBLE);
2653 ++ if (kthread_should_stop())
2654 ++ break;
2655 + schedule();
2656 + }
2657 + __set_current_state(TASK_RUNNING);
2658 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
2659 +index 8aadd6a072a4..465092f8fb76 100644
2660 +--- a/net/core/rtnetlink.c
2661 ++++ b/net/core/rtnetlink.c
2662 +@@ -1259,10 +1259,6 @@ static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
2663 + [IFLA_INFO_SLAVE_DATA] = { .type = NLA_NESTED },
2664 + };
2665 +
2666 +-static const struct nla_policy ifla_vfinfo_policy[IFLA_VF_INFO_MAX+1] = {
2667 +- [IFLA_VF_INFO] = { .type = NLA_NESTED },
2668 +-};
2669 +-
2670 + static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = {
2671 + [IFLA_VF_MAC] = { .len = sizeof(struct ifla_vf_mac) },
2672 + [IFLA_VF_VLAN] = { .len = sizeof(struct ifla_vf_vlan) },
2673 +@@ -1336,67 +1332,66 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[])
2674 + return 0;
2675 + }
2676 +
2677 +-static int do_setvfinfo(struct net_device *dev, struct nlattr *attr)
2678 ++static int do_setvfinfo(struct net_device *dev, struct nlattr **tb)
2679 + {
2680 +- int rem, err = -EINVAL;
2681 +- struct nlattr *vf;
2682 + const struct net_device_ops *ops = dev->netdev_ops;
2683 ++ int err = -EINVAL;
2684 +
2685 +- nla_for_each_nested(vf, attr, rem) {
2686 +- switch (nla_type(vf)) {
2687 +- case IFLA_VF_MAC: {
2688 +- struct ifla_vf_mac *ivm;
2689 +- ivm = nla_data(vf);
2690 +- err = -EOPNOTSUPP;
2691 +- if (ops->ndo_set_vf_mac)
2692 +- err = ops->ndo_set_vf_mac(dev, ivm->vf,
2693 +- ivm->mac);
2694 +- break;
2695 +- }
2696 +- case IFLA_VF_VLAN: {
2697 +- struct ifla_vf_vlan *ivv;
2698 +- ivv = nla_data(vf);
2699 +- err = -EOPNOTSUPP;
2700 +- if (ops->ndo_set_vf_vlan)
2701 +- err = ops->ndo_set_vf_vlan(dev, ivv->vf,
2702 +- ivv->vlan,
2703 +- ivv->qos);
2704 +- break;
2705 +- }
2706 +- case IFLA_VF_TX_RATE: {
2707 +- struct ifla_vf_tx_rate *ivt;
2708 +- ivt = nla_data(vf);
2709 +- err = -EOPNOTSUPP;
2710 +- if (ops->ndo_set_vf_tx_rate)
2711 +- err = ops->ndo_set_vf_tx_rate(dev, ivt->vf,
2712 +- ivt->rate);
2713 +- break;
2714 +- }
2715 +- case IFLA_VF_SPOOFCHK: {
2716 +- struct ifla_vf_spoofchk *ivs;
2717 +- ivs = nla_data(vf);
2718 +- err = -EOPNOTSUPP;
2719 +- if (ops->ndo_set_vf_spoofchk)
2720 +- err = ops->ndo_set_vf_spoofchk(dev, ivs->vf,
2721 +- ivs->setting);
2722 +- break;
2723 +- }
2724 +- case IFLA_VF_LINK_STATE: {
2725 +- struct ifla_vf_link_state *ivl;
2726 +- ivl = nla_data(vf);
2727 +- err = -EOPNOTSUPP;
2728 +- if (ops->ndo_set_vf_link_state)
2729 +- err = ops->ndo_set_vf_link_state(dev, ivl->vf,
2730 +- ivl->link_state);
2731 +- break;
2732 +- }
2733 +- default:
2734 +- err = -EINVAL;
2735 +- break;
2736 +- }
2737 +- if (err)
2738 +- break;
2739 ++ if (tb[IFLA_VF_MAC]) {
2740 ++ struct ifla_vf_mac *ivm = nla_data(tb[IFLA_VF_MAC]);
2741 ++
2742 ++ err = -EOPNOTSUPP;
2743 ++ if (ops->ndo_set_vf_mac)
2744 ++ err = ops->ndo_set_vf_mac(dev, ivm->vf,
2745 ++ ivm->mac);
2746 ++ if (err < 0)
2747 ++ return err;
2748 ++ }
2749 ++
2750 ++ if (tb[IFLA_VF_VLAN]) {
2751 ++ struct ifla_vf_vlan *ivv = nla_data(tb[IFLA_VF_VLAN]);
2752 ++
2753 ++ err = -EOPNOTSUPP;
2754 ++ if (ops->ndo_set_vf_vlan)
2755 ++ err = ops->ndo_set_vf_vlan(dev, ivv->vf, ivv->vlan,
2756 ++ ivv->qos);
2757 ++ if (err < 0)
2758 ++ return err;
2759 ++ }
2760 ++
2761 ++ if (tb[IFLA_VF_TX_RATE]) {
2762 ++ struct ifla_vf_tx_rate *ivt = nla_data(tb[IFLA_VF_TX_RATE]);
2763 ++
2764 ++ err = -EOPNOTSUPP;
2765 ++ if (ops->ndo_set_vf_tx_rate)
2766 ++ err = ops->ndo_set_vf_tx_rate(dev, ivt->vf,
2767 ++ ivt->rate);
2768 ++ if (err < 0)
2769 ++ return err;
2770 + }
2771 ++
2772 ++ if (tb[IFLA_VF_SPOOFCHK]) {
2773 ++ struct ifla_vf_spoofchk *ivs = nla_data(tb[IFLA_VF_SPOOFCHK]);
2774 ++
2775 ++ err = -EOPNOTSUPP;
2776 ++ if (ops->ndo_set_vf_spoofchk)
2777 ++ err = ops->ndo_set_vf_spoofchk(dev, ivs->vf,
2778 ++ ivs->setting);
2779 ++ if (err < 0)
2780 ++ return err;
2781 ++ }
2782 ++
2783 ++ if (tb[IFLA_VF_LINK_STATE]) {
2784 ++ struct ifla_vf_link_state *ivl = nla_data(tb[IFLA_VF_LINK_STATE]);
2785 ++
2786 ++ err = -EOPNOTSUPP;
2787 ++ if (ops->ndo_set_vf_link_state)
2788 ++ err = ops->ndo_set_vf_link_state(dev, ivl->vf,
2789 ++ ivl->link_state);
2790 ++ if (err < 0)
2791 ++ return err;
2792 ++ }
2793 ++
2794 + return err;
2795 + }
2796 +
2797 +@@ -1579,14 +1574,21 @@ static int do_setlink(const struct sk_buff *skb,
2798 + }
2799 +
2800 + if (tb[IFLA_VFINFO_LIST]) {
2801 ++ struct nlattr *vfinfo[IFLA_VF_MAX + 1];
2802 + struct nlattr *attr;
2803 + int rem;
2804 ++
2805 + nla_for_each_nested(attr, tb[IFLA_VFINFO_LIST], rem) {
2806 +- if (nla_type(attr) != IFLA_VF_INFO) {
2807 ++ if (nla_type(attr) != IFLA_VF_INFO ||
2808 ++ nla_len(attr) < NLA_HDRLEN) {
2809 + err = -EINVAL;
2810 + goto errout;
2811 + }
2812 +- err = do_setvfinfo(dev, attr);
2813 ++ err = nla_parse_nested(vfinfo, IFLA_VF_MAX, attr,
2814 ++ ifla_vf_policy);
2815 ++ if (err < 0)
2816 ++ goto errout;
2817 ++ err = do_setvfinfo(dev, vfinfo);
2818 + if (err < 0)
2819 + goto errout;
2820 + modified = 1;
2821 +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
2822 +index 951fe55b1671..f4c804dbd3b4 100644
2823 +--- a/net/ipv4/af_inet.c
2824 ++++ b/net/ipv4/af_inet.c
2825 +@@ -1291,7 +1291,7 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb,
2826 +
2827 + encap = SKB_GSO_CB(skb)->encap_level > 0;
2828 + if (encap)
2829 +- features = skb->dev->hw_enc_features & netif_skb_features(skb);
2830 ++ features &= skb->dev->hw_enc_features;
2831 + SKB_GSO_CB(skb)->encap_level += ihl;
2832 +
2833 + skb_reset_transport_header(skb);
2834 +diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
2835 +index a3095fdefbed..f0c307cb6196 100644
2836 +--- a/net/ipv4/datagram.c
2837 ++++ b/net/ipv4/datagram.c
2838 +@@ -20,7 +20,7 @@
2839 + #include <net/route.h>
2840 + #include <net/tcp_states.h>
2841 +
2842 +-int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
2843 ++int __ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
2844 + {
2845 + struct inet_sock *inet = inet_sk(sk);
2846 + struct sockaddr_in *usin = (struct sockaddr_in *) uaddr;
2847 +@@ -39,8 +39,6 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
2848 +
2849 + sk_dst_reset(sk);
2850 +
2851 +- lock_sock(sk);
2852 +-
2853 + oif = sk->sk_bound_dev_if;
2854 + saddr = inet->inet_saddr;
2855 + if (ipv4_is_multicast(usin->sin_addr.s_addr)) {
2856 +@@ -81,9 +79,19 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
2857 + sk_dst_set(sk, &rt->dst);
2858 + err = 0;
2859 + out:
2860 +- release_sock(sk);
2861 + return err;
2862 + }
2863 ++EXPORT_SYMBOL(__ip4_datagram_connect);
2864 ++
2865 ++int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
2866 ++{
2867 ++ int res;
2868 ++
2869 ++ lock_sock(sk);
2870 ++ res = __ip4_datagram_connect(sk, uaddr, addr_len);
2871 ++ release_sock(sk);
2872 ++ return res;
2873 ++}
2874 + EXPORT_SYMBOL(ip4_datagram_connect);
2875 +
2876 + /* Because UDP xmit path can manipulate sk_dst_cache without holding
2877 +diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
2878 +index 278836f1a5ad..0da513e7730a 100644
2879 +--- a/net/ipv4/gre_offload.c
2880 ++++ b/net/ipv4/gre_offload.c
2881 +@@ -69,7 +69,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
2882 + skb->mac_len = skb_inner_network_offset(skb);
2883 +
2884 + /* segment inner packet. */
2885 +- enc_features = skb->dev->hw_enc_features & netif_skb_features(skb);
2886 ++ enc_features = skb->dev->hw_enc_features & features;
2887 + segs = skb_mac_gso_segment(skb, enc_features);
2888 + if (!segs || IS_ERR(segs)) {
2889 + skb_gso_error_unwind(skb, protocol, ghl, mac_offset, mac_len);
2890 +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
2891 +index 9ff497d17545..3f3a424ef0d5 100644
2892 +--- a/net/ipv4/ip_fragment.c
2893 ++++ b/net/ipv4/ip_fragment.c
2894 +@@ -357,7 +357,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
2895 + ihl = ip_hdrlen(skb);
2896 +
2897 + /* Determine the position of this fragment. */
2898 +- end = offset + skb->len - ihl;
2899 ++ end = offset + skb->len - skb_network_offset(skb) - ihl;
2900 + err = -EINVAL;
2901 +
2902 + /* Is this the final fragment? */
2903 +@@ -387,7 +387,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
2904 + goto err;
2905 +
2906 + err = -ENOMEM;
2907 +- if (pskb_pull(skb, ihl) == NULL)
2908 ++ if (!pskb_pull(skb, skb_network_offset(skb) + ihl))
2909 + goto err;
2910 +
2911 + err = pskb_trim_rcsum(skb, end - offset);
2912 +@@ -628,6 +628,9 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
2913 + iph->frag_off = qp->q.max_size ? htons(IP_DF) : 0;
2914 + iph->tot_len = htons(len);
2915 + iph->tos |= ecn;
2916 ++
2917 ++ ip_send_check(iph);
2918 ++
2919 + IP_INC_STATS_BH(net, IPSTATS_MIB_REASMOKS);
2920 + qp->q.fragments = NULL;
2921 + qp->q.fragments_tail = NULL;
2922 +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
2923 +index 0a4af0920af3..2d4be69c64f4 100644
2924 +--- a/net/ipv4/ip_tunnel.c
2925 ++++ b/net/ipv4/ip_tunnel.c
2926 +@@ -484,7 +484,8 @@ drop:
2927 + EXPORT_SYMBOL_GPL(ip_tunnel_rcv);
2928 +
2929 + static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb,
2930 +- struct rtable *rt, __be16 df)
2931 ++ struct rtable *rt, __be16 df,
2932 ++ const struct iphdr *inner_iph)
2933 + {
2934 + struct ip_tunnel *tunnel = netdev_priv(dev);
2935 + int pkt_size = skb->len - tunnel->hlen - dev->hard_header_len;
2936 +@@ -501,7 +502,8 @@ static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb,
2937 +
2938 + if (skb->protocol == htons(ETH_P_IP)) {
2939 + if (!skb_is_gso(skb) &&
2940 +- (df & htons(IP_DF)) && mtu < pkt_size) {
2941 ++ (inner_iph->frag_off & htons(IP_DF)) &&
2942 ++ mtu < pkt_size) {
2943 + memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
2944 + icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
2945 + return -E2BIG;
2946 +@@ -632,7 +634,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
2947 + goto tx_error;
2948 + }
2949 +
2950 +- if (tnl_update_pmtu(dev, skb, rt, tnl_params->frag_off)) {
2951 ++ if (tnl_update_pmtu(dev, skb, rt, tnl_params->frag_off, inner_iph)) {
2952 + ip_rt_put(rt);
2953 + goto tx_error;
2954 + }
2955 +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
2956 +index 21a3a9e90b10..6970e36ad7b8 100644
2957 +--- a/net/ipv4/udp.c
2958 ++++ b/net/ipv4/udp.c
2959 +@@ -1957,12 +1957,19 @@ void udp_v4_early_demux(struct sk_buff *skb)
2960 +
2961 + skb->sk = sk;
2962 + skb->destructor = sock_edemux;
2963 +- dst = sk->sk_rx_dst;
2964 ++ dst = ACCESS_ONCE(sk->sk_rx_dst);
2965 +
2966 + if (dst)
2967 + dst = dst_check(dst, 0);
2968 +- if (dst)
2969 +- skb_dst_set_noref(skb, dst);
2970 ++ if (dst) {
2971 ++ /* DST_NOCACHE can not be used without taking a reference */
2972 ++ if (dst->flags & DST_NOCACHE) {
2973 ++ if (likely(atomic_inc_not_zero(&dst->__refcnt)))
2974 ++ skb_dst_set(skb, dst);
2975 ++ } else {
2976 ++ skb_dst_set_noref(skb, dst);
2977 ++ }
2978 ++ }
2979 + }
2980 +
2981 + int udp_rcv(struct sk_buff *skb)
2982 +@@ -2510,7 +2517,7 @@ struct sk_buff *skb_udp_tunnel_segment(struct sk_buff *skb,
2983 + skb->protocol = htons(ETH_P_TEB);
2984 +
2985 + /* segment inner packet. */
2986 +- enc_features = skb->dev->hw_enc_features & netif_skb_features(skb);
2987 ++ enc_features = skb->dev->hw_enc_features & features;
2988 + segs = skb_mac_gso_segment(skb, enc_features);
2989 + if (!segs || IS_ERR(segs)) {
2990 + skb_gso_error_unwind(skb, protocol, tnl_hlen, mac_offset,
2991 +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
2992 +index 841cfa2c4600..6b89b2a1ac74 100644
2993 +--- a/net/ipv6/datagram.c
2994 ++++ b/net/ipv6/datagram.c
2995 +@@ -40,7 +40,7 @@ static bool ipv6_mapped_addr_any(const struct in6_addr *a)
2996 + return ipv6_addr_v4mapped(a) && (a->s6_addr32[3] == 0);
2997 + }
2998 +
2999 +-int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
3000 ++static int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
3001 + {
3002 + struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
3003 + struct inet_sock *inet = inet_sk(sk);
3004 +@@ -56,7 +56,7 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
3005 + if (usin->sin6_family == AF_INET) {
3006 + if (__ipv6_only_sock(sk))
3007 + return -EAFNOSUPPORT;
3008 +- err = ip4_datagram_connect(sk, uaddr, addr_len);
3009 ++ err = __ip4_datagram_connect(sk, uaddr, addr_len);
3010 + goto ipv4_connected;
3011 + }
3012 +
3013 +@@ -98,9 +98,9 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
3014 + sin.sin_addr.s_addr = daddr->s6_addr32[3];
3015 + sin.sin_port = usin->sin6_port;
3016 +
3017 +- err = ip4_datagram_connect(sk,
3018 +- (struct sockaddr *) &sin,
3019 +- sizeof(sin));
3020 ++ err = __ip4_datagram_connect(sk,
3021 ++ (struct sockaddr *) &sin,
3022 ++ sizeof(sin));
3023 +
3024 + ipv4_connected:
3025 + if (err)
3026 +@@ -203,6 +203,16 @@ out:
3027 + fl6_sock_release(flowlabel);
3028 + return err;
3029 + }
3030 ++
3031 ++int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
3032 ++{
3033 ++ int res;
3034 ++
3035 ++ lock_sock(sk);
3036 ++ res = __ip6_datagram_connect(sk, uaddr, addr_len);
3037 ++ release_sock(sk);
3038 ++ return res;
3039 ++}
3040 + EXPORT_SYMBOL_GPL(ip6_datagram_connect);
3041 +
3042 + int ip6_datagram_connect_v6_only(struct sock *sk, struct sockaddr *uaddr,
3043 +diff --git a/net/ipv6/exthdrs_offload.c b/net/ipv6/exthdrs_offload.c
3044 +index 447a7fbd1bb6..f5e2ba1c18bf 100644
3045 +--- a/net/ipv6/exthdrs_offload.c
3046 ++++ b/net/ipv6/exthdrs_offload.c
3047 +@@ -36,6 +36,6 @@ out:
3048 + return ret;
3049 +
3050 + out_rt:
3051 +- inet_del_offload(&rthdr_offload, IPPROTO_ROUTING);
3052 ++ inet6_del_offload(&rthdr_offload, IPPROTO_ROUTING);
3053 + goto out;
3054 + }
3055 +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
3056 +index 4a230b18dfe3..baffa3b7a328 100644
3057 +--- a/net/ipv6/ip6_gre.c
3058 ++++ b/net/ipv6/ip6_gre.c
3059 +@@ -357,6 +357,7 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
3060 + struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
3061 +
3062 + ip6gre_tunnel_unlink(ign, netdev_priv(dev));
3063 ++ ip6_tnl_dst_reset(netdev_priv(dev));
3064 + dev_put(dev);
3065 + }
3066 +
3067 +diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
3068 +index 51d54dc376f3..05c94d9c3776 100644
3069 +--- a/net/ipv6/ip6_input.c
3070 ++++ b/net/ipv6/ip6_input.c
3071 +@@ -329,10 +329,10 @@ int ip6_mc_input(struct sk_buff *skb)
3072 + if (offset < 0)
3073 + goto out;
3074 +
3075 +- if (!ipv6_is_mld(skb, nexthdr, offset))
3076 +- goto out;
3077 ++ if (ipv6_is_mld(skb, nexthdr, offset))
3078 ++ deliver = true;
3079 +
3080 +- deliver = true;
3081 ++ goto out;
3082 + }
3083 + /* unknown RA - process it normally */
3084 + }
3085 +diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
3086 +index b2f091566f88..dc46ebae1987 100644
3087 +--- a/net/ipv6/ip6_offload.c
3088 ++++ b/net/ipv6/ip6_offload.c
3089 +@@ -112,7 +112,7 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
3090 +
3091 + encap = SKB_GSO_CB(skb)->encap_level > 0;
3092 + if (encap)
3093 +- features = skb->dev->hw_enc_features & netif_skb_features(skb);
3094 ++ features &= skb->dev->hw_enc_features;
3095 + SKB_GSO_CB(skb)->encap_level += sizeof(*ipv6h);
3096 +
3097 + ipv6h = ipv6_hdr(skb);
3098 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
3099 +index 8737400af0a0..821d8dfb2ddd 100644
3100 +--- a/net/ipv6/ip6mr.c
3101 ++++ b/net/ipv6/ip6mr.c
3102 +@@ -552,7 +552,7 @@ static void ipmr_mfc_seq_stop(struct seq_file *seq, void *v)
3103 +
3104 + if (it->cache == &mrt->mfc6_unres_queue)
3105 + spin_unlock_bh(&mfc_unres_lock);
3106 +- else if (it->cache == mrt->mfc6_cache_array)
3107 ++ else if (it->cache == &mrt->mfc6_cache_array[it->ct])
3108 + read_unlock(&mrt_lock);
3109 + }
3110 +
3111 +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
3112 +index dca076f6252c..bc08a9ce3bd4 100644
3113 +--- a/net/mac80211/tx.c
3114 ++++ b/net/mac80211/tx.c
3115 +@@ -297,9 +297,6 @@ ieee80211_tx_h_check_assoc(struct ieee80211_tx_data *tx)
3116 + if (tx->sdata->vif.type == NL80211_IFTYPE_WDS)
3117 + return TX_CONTINUE;
3118 +
3119 +- if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
3120 +- return TX_CONTINUE;
3121 +-
3122 + if (tx->flags & IEEE80211_TX_PS_BUFFERED)
3123 + return TX_CONTINUE;
3124 +
3125 +diff --git a/net/mpls/mpls_gso.c b/net/mpls/mpls_gso.c
3126 +index 851cd880b0c0..0c970cbe0405 100644
3127 +--- a/net/mpls/mpls_gso.c
3128 ++++ b/net/mpls/mpls_gso.c
3129 +@@ -47,7 +47,7 @@ static struct sk_buff *mpls_gso_segment(struct sk_buff *skb,
3130 + __skb_push(skb, skb->mac_len);
3131 +
3132 + /* Segment inner packet. */
3133 +- mpls_features = skb->dev->mpls_features & netif_skb_features(skb);
3134 ++ mpls_features = skb->dev->mpls_features & features;
3135 + segs = skb_mac_gso_segment(skb, mpls_features);
3136 +
3137 +
3138 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
3139 +index a0b0ea949192..fd9373c9f057 100644
3140 +--- a/net/netlink/af_netlink.c
3141 ++++ b/net/netlink/af_netlink.c
3142 +@@ -115,6 +115,24 @@ static inline struct hlist_head *nl_portid_hashfn(struct nl_portid_hash *hash, u
3143 + return &hash->table[jhash_1word(portid, hash->rnd) & hash->mask];
3144 + }
3145 +
3146 ++static struct sk_buff *netlink_to_full_skb(const struct sk_buff *skb,
3147 ++ gfp_t gfp_mask)
3148 ++{
3149 ++ unsigned int len = skb_end_offset(skb);
3150 ++ struct sk_buff *new;
3151 ++
3152 ++ new = alloc_skb(len, gfp_mask);
3153 ++ if (new == NULL)
3154 ++ return NULL;
3155 ++
3156 ++ NETLINK_CB(new).portid = NETLINK_CB(skb).portid;
3157 ++ NETLINK_CB(new).dst_group = NETLINK_CB(skb).dst_group;
3158 ++ NETLINK_CB(new).creds = NETLINK_CB(skb).creds;
3159 ++
3160 ++ memcpy(skb_put(new, len), skb->data, len);
3161 ++ return new;
3162 ++}
3163 ++
3164 + int netlink_add_tap(struct netlink_tap *nt)
3165 + {
3166 + if (unlikely(nt->dev->type != ARPHRD_NETLINK))
3167 +@@ -199,7 +217,11 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
3168 + int ret = -ENOMEM;
3169 +
3170 + dev_hold(dev);
3171 +- nskb = skb_clone(skb, GFP_ATOMIC);
3172 ++
3173 ++ if (netlink_skb_is_mmaped(skb) || is_vmalloc_addr(skb->head))
3174 ++ nskb = netlink_to_full_skb(skb, GFP_ATOMIC);
3175 ++ else
3176 ++ nskb = skb_clone(skb, GFP_ATOMIC);
3177 + if (nskb) {
3178 + nskb->dev = dev;
3179 + nskb->protocol = htons((u16) sk->sk_protocol);
3180 +@@ -271,11 +293,6 @@ static void netlink_rcv_wake(struct sock *sk)
3181 + }
3182 +
3183 + #ifdef CONFIG_NETLINK_MMAP
3184 +-static bool netlink_skb_is_mmaped(const struct sk_buff *skb)
3185 +-{
3186 +- return NETLINK_CB(skb).flags & NETLINK_SKB_MMAPED;
3187 +-}
3188 +-
3189 + static bool netlink_rx_is_mmaped(struct sock *sk)
3190 + {
3191 + return nlk_sk(sk)->rx_ring.pg_vec != NULL;
3192 +@@ -350,25 +367,52 @@ err1:
3193 + return NULL;
3194 + }
3195 +
3196 ++
3197 ++static void
3198 ++__netlink_set_ring(struct sock *sk, struct nl_mmap_req *req, bool tx_ring, void **pg_vec,
3199 ++ unsigned int order)
3200 ++{
3201 ++ struct netlink_sock *nlk = nlk_sk(sk);
3202 ++ struct sk_buff_head *queue;
3203 ++ struct netlink_ring *ring;
3204 ++
3205 ++ queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue;
3206 ++ ring = tx_ring ? &nlk->tx_ring : &nlk->rx_ring;
3207 ++
3208 ++ spin_lock_bh(&queue->lock);
3209 ++
3210 ++ ring->frame_max = req->nm_frame_nr - 1;
3211 ++ ring->head = 0;
3212 ++ ring->frame_size = req->nm_frame_size;
3213 ++ ring->pg_vec_pages = req->nm_block_size / PAGE_SIZE;
3214 ++
3215 ++ swap(ring->pg_vec_len, req->nm_block_nr);
3216 ++ swap(ring->pg_vec_order, order);
3217 ++ swap(ring->pg_vec, pg_vec);
3218 ++
3219 ++ __skb_queue_purge(queue);
3220 ++ spin_unlock_bh(&queue->lock);
3221 ++
3222 ++ WARN_ON(atomic_read(&nlk->mapped));
3223 ++
3224 ++ if (pg_vec)
3225 ++ free_pg_vec(pg_vec, order, req->nm_block_nr);
3226 ++}
3227 ++
3228 + static int netlink_set_ring(struct sock *sk, struct nl_mmap_req *req,
3229 +- bool closing, bool tx_ring)
3230 ++ bool tx_ring)
3231 + {
3232 + struct netlink_sock *nlk = nlk_sk(sk);
3233 + struct netlink_ring *ring;
3234 +- struct sk_buff_head *queue;
3235 + void **pg_vec = NULL;
3236 + unsigned int order = 0;
3237 +- int err;
3238 +
3239 + ring = tx_ring ? &nlk->tx_ring : &nlk->rx_ring;
3240 +- queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue;
3241 +
3242 +- if (!closing) {
3243 +- if (atomic_read(&nlk->mapped))
3244 +- return -EBUSY;
3245 +- if (atomic_read(&ring->pending))
3246 +- return -EBUSY;
3247 +- }
3248 ++ if (atomic_read(&nlk->mapped))
3249 ++ return -EBUSY;
3250 ++ if (atomic_read(&ring->pending))
3251 ++ return -EBUSY;
3252 +
3253 + if (req->nm_block_nr) {
3254 + if (ring->pg_vec != NULL)
3255 +@@ -400,31 +444,19 @@ static int netlink_set_ring(struct sock *sk, struct nl_mmap_req *req,
3256 + return -EINVAL;
3257 + }
3258 +
3259 +- err = -EBUSY;
3260 + mutex_lock(&nlk->pg_vec_lock);
3261 +- if (closing || atomic_read(&nlk->mapped) == 0) {
3262 +- err = 0;
3263 +- spin_lock_bh(&queue->lock);
3264 +-
3265 +- ring->frame_max = req->nm_frame_nr - 1;
3266 +- ring->head = 0;
3267 +- ring->frame_size = req->nm_frame_size;
3268 +- ring->pg_vec_pages = req->nm_block_size / PAGE_SIZE;
3269 +-
3270 +- swap(ring->pg_vec_len, req->nm_block_nr);
3271 +- swap(ring->pg_vec_order, order);
3272 +- swap(ring->pg_vec, pg_vec);
3273 +-
3274 +- __skb_queue_purge(queue);
3275 +- spin_unlock_bh(&queue->lock);
3276 +-
3277 +- WARN_ON(atomic_read(&nlk->mapped));
3278 ++ if (atomic_read(&nlk->mapped) == 0) {
3279 ++ __netlink_set_ring(sk, req, tx_ring, pg_vec, order);
3280 ++ mutex_unlock(&nlk->pg_vec_lock);
3281 ++ return 0;
3282 + }
3283 ++
3284 + mutex_unlock(&nlk->pg_vec_lock);
3285 +
3286 + if (pg_vec)
3287 + free_pg_vec(pg_vec, order, req->nm_block_nr);
3288 +- return err;
3289 ++
3290 ++ return -EBUSY;
3291 + }
3292 +
3293 + static void netlink_mm_open(struct vm_area_struct *vma)
3294 +@@ -812,7 +844,6 @@ static void netlink_ring_set_copied(struct sock *sk, struct sk_buff *skb)
3295 + }
3296 +
3297 + #else /* CONFIG_NETLINK_MMAP */
3298 +-#define netlink_skb_is_mmaped(skb) false
3299 + #define netlink_rx_is_mmaped(sk) false
3300 + #define netlink_tx_is_mmaped(sk) false
3301 + #define netlink_mmap sock_no_mmap
3302 +@@ -893,10 +924,10 @@ static void netlink_sock_destruct(struct sock *sk)
3303 +
3304 + memset(&req, 0, sizeof(req));
3305 + if (nlk->rx_ring.pg_vec)
3306 +- netlink_set_ring(sk, &req, true, false);
3307 ++ __netlink_set_ring(sk, &req, false, NULL, 0);
3308 + memset(&req, 0, sizeof(req));
3309 + if (nlk->tx_ring.pg_vec)
3310 +- netlink_set_ring(sk, &req, true, true);
3311 ++ __netlink_set_ring(sk, &req, true, NULL, 0);
3312 + }
3313 + #endif /* CONFIG_NETLINK_MMAP */
3314 +
3315 +@@ -2190,7 +2221,7 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
3316 + return -EINVAL;
3317 + if (copy_from_user(&req, optval, sizeof(req)))
3318 + return -EFAULT;
3319 +- err = netlink_set_ring(sk, &req, false,
3320 ++ err = netlink_set_ring(sk, &req,
3321 + optname == NETLINK_TX_RING);
3322 + break;
3323 + }
3324 +diff --git a/net/netlink/af_netlink.h b/net/netlink/af_netlink.h
3325 +index acbd774eeb7c..dcc89c74b514 100644
3326 +--- a/net/netlink/af_netlink.h
3327 ++++ b/net/netlink/af_netlink.h
3328 +@@ -65,6 +65,15 @@ struct nl_portid_hash {
3329 + u32 rnd;
3330 + };
3331 +
3332 ++static inline bool netlink_skb_is_mmaped(const struct sk_buff *skb)
3333 ++{
3334 ++#ifdef CONFIG_NETLINK_MMAP
3335 ++ return NETLINK_CB(skb).flags & NETLINK_SKB_MMAPED;
3336 ++#else
3337 ++ return false;
3338 ++#endif /* CONFIG_NETLINK_MMAP */
3339 ++}
3340 ++
3341 + struct netlink_table {
3342 + struct nl_portid_hash hash;
3343 + struct hlist_head mc_list;
3344 +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
3345 +index 270b77dfac30..8bb1a5a9b02e 100644
3346 +--- a/net/openvswitch/datapath.c
3347 ++++ b/net/openvswitch/datapath.c
3348 +@@ -803,7 +803,7 @@ static int ovs_flow_cmd_new_or_set(struct sk_buff *skb, struct genl_info *info)
3349 + if (IS_ERR(acts))
3350 + goto error;
3351 +
3352 +- ovs_flow_mask_key(&masked_key, &key, &mask);
3353 ++ ovs_flow_mask_key(&masked_key, &key, true, &mask);
3354 + error = ovs_nla_copy_actions(a[OVS_FLOW_ATTR_ACTIONS],
3355 + &masked_key, 0, &acts);
3356 + if (error) {
3357 +diff --git a/net/openvswitch/flow_table.c b/net/openvswitch/flow_table.c
3358 +index 3c268b3d71c3..4877d5a212a2 100644
3359 +--- a/net/openvswitch/flow_table.c
3360 ++++ b/net/openvswitch/flow_table.c
3361 +@@ -55,18 +55,21 @@ static u16 range_n_bytes(const struct sw_flow_key_range *range)
3362 + }
3363 +
3364 + void ovs_flow_mask_key(struct sw_flow_key *dst, const struct sw_flow_key *src,
3365 +- const struct sw_flow_mask *mask)
3366 ++ bool full, const struct sw_flow_mask *mask)
3367 + {
3368 +- const long *m = (long *)((u8 *)&mask->key + mask->range.start);
3369 +- const long *s = (long *)((u8 *)src + mask->range.start);
3370 +- long *d = (long *)((u8 *)dst + mask->range.start);
3371 ++ int start = full ? 0 : mask->range.start;
3372 ++ int len = full ? sizeof *dst : range_n_bytes(&mask->range);
3373 ++ const long *m = (const long *)((const u8 *)&mask->key + start);
3374 ++ const long *s = (const long *)((const u8 *)src + start);
3375 ++ long *d = (long *)((u8 *)dst + start);
3376 + int i;
3377 +
3378 +- /* The memory outside of the 'mask->range' are not set since
3379 +- * further operations on 'dst' only uses contents within
3380 +- * 'mask->range'.
3381 ++ /* If 'full' is true then all of 'dst' is fully initialized. Otherwise,
3382 ++ * if 'full' is false the memory outside of the 'mask->range' is left
3383 ++ * uninitialized. This can be used as an optimization when further
3384 ++ * operations on 'dst' only use contents within 'mask->range'.
3385 + */
3386 +- for (i = 0; i < range_n_bytes(&mask->range); i += sizeof(long))
3387 ++ for (i = 0; i < len; i += sizeof(long))
3388 + *d++ = *s++ & *m++;
3389 + }
3390 +
3391 +@@ -436,7 +439,7 @@ static struct sw_flow *masked_flow_lookup(struct table_instance *ti,
3392 + u32 hash;
3393 + struct sw_flow_key masked_key;
3394 +
3395 +- ovs_flow_mask_key(&masked_key, unmasked, mask);
3396 ++ ovs_flow_mask_key(&masked_key, unmasked, false, mask);
3397 + hash = flow_hash(&masked_key, key_start, key_end);
3398 + head = find_bucket(ti, hash);
3399 + hlist_for_each_entry_rcu(flow, head, hash_node[ti->node_ver]) {
3400 +diff --git a/net/openvswitch/flow_table.h b/net/openvswitch/flow_table.h
3401 +index baaeb101924d..82e64a9b6416 100644
3402 +--- a/net/openvswitch/flow_table.h
3403 ++++ b/net/openvswitch/flow_table.h
3404 +@@ -79,5 +79,5 @@ bool ovs_flow_cmp_unmasked_key(const struct sw_flow *flow,
3405 + struct sw_flow_match *match);
3406 +
3407 + void ovs_flow_mask_key(struct sw_flow_key *dst, const struct sw_flow_key *src,
3408 +- const struct sw_flow_mask *mask);
3409 ++ bool full, const struct sw_flow_mask *mask);
3410 + #endif /* flow_table.h */
3411 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
3412 +index 84a60b82e235..fee7dcc28abd 100644
3413 +--- a/net/packet/af_packet.c
3414 ++++ b/net/packet/af_packet.c
3415 +@@ -2645,7 +2645,7 @@ static int packet_release(struct socket *sock)
3416 + static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto)
3417 + {
3418 + struct packet_sock *po = pkt_sk(sk);
3419 +- const struct net_device *dev_curr;
3420 ++ struct net_device *dev_curr;
3421 + __be16 proto_curr;
3422 + bool need_rehook;
3423 +
3424 +@@ -2669,15 +2669,13 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 proto)
3425 +
3426 + po->num = proto;
3427 + po->prot_hook.type = proto;
3428 +-
3429 +- if (po->prot_hook.dev)
3430 +- dev_put(po->prot_hook.dev);
3431 +-
3432 + po->prot_hook.dev = dev;
3433 +
3434 + po->ifindex = dev ? dev->ifindex : 0;
3435 + packet_cached_dev_assign(po, dev);
3436 + }
3437 ++ if (dev_curr)
3438 ++ dev_put(dev_curr);
3439 +
3440 + if (proto == 0 || !need_rehook)
3441 + goto out_unlock;
3442 +diff --git a/net/rds/info.c b/net/rds/info.c
3443 +index 9a6b4f66187c..140a44a5f7b7 100644
3444 +--- a/net/rds/info.c
3445 ++++ b/net/rds/info.c
3446 +@@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
3447 +
3448 + /* check for all kinds of wrapping and the like */
3449 + start = (unsigned long)optval;
3450 +- if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) {
3451 ++ if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) {
3452 + ret = -EINVAL;
3453 + goto out;
3454 + }
3455 +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
3456 +index a62a215dd22e..1237a237495b 100644
3457 +--- a/net/sctp/protocol.c
3458 ++++ b/net/sctp/protocol.c
3459 +@@ -1167,7 +1167,7 @@ static void sctp_v4_del_protocol(void)
3460 + unregister_inetaddr_notifier(&sctp_inetaddr_notifier);
3461 + }
3462 +
3463 +-static int __net_init sctp_net_init(struct net *net)
3464 ++static int __net_init sctp_defaults_init(struct net *net)
3465 + {
3466 + int status;
3467 +
3468 +@@ -1260,12 +1260,6 @@ static int __net_init sctp_net_init(struct net *net)
3469 +
3470 + sctp_dbg_objcnt_init(net);
3471 +
3472 +- /* Initialize the control inode/socket for handling OOTB packets. */
3473 +- if ((status = sctp_ctl_sock_init(net))) {
3474 +- pr_err("Failed to initialize the SCTP control sock\n");
3475 +- goto err_ctl_sock_init;
3476 +- }
3477 +-
3478 + /* Initialize the local address list. */
3479 + INIT_LIST_HEAD(&net->sctp.local_addr_list);
3480 + spin_lock_init(&net->sctp.local_addr_lock);
3481 +@@ -1281,9 +1275,6 @@ static int __net_init sctp_net_init(struct net *net)
3482 +
3483 + return 0;
3484 +
3485 +-err_ctl_sock_init:
3486 +- sctp_dbg_objcnt_exit(net);
3487 +- sctp_proc_exit(net);
3488 + err_init_proc:
3489 + cleanup_sctp_mibs(net);
3490 + err_init_mibs:
3491 +@@ -1292,15 +1283,12 @@ err_sysctl_register:
3492 + return status;
3493 + }
3494 +
3495 +-static void __net_exit sctp_net_exit(struct net *net)
3496 ++static void __net_exit sctp_defaults_exit(struct net *net)
3497 + {
3498 + /* Free the local address list */
3499 + sctp_free_addr_wq(net);
3500 + sctp_free_local_addr_list(net);
3501 +
3502 +- /* Free the control endpoint. */
3503 +- inet_ctl_sock_destroy(net->sctp.ctl_sock);
3504 +-
3505 + sctp_dbg_objcnt_exit(net);
3506 +
3507 + sctp_proc_exit(net);
3508 +@@ -1308,9 +1296,32 @@ static void __net_exit sctp_net_exit(struct net *net)
3509 + sctp_sysctl_net_unregister(net);
3510 + }
3511 +
3512 +-static struct pernet_operations sctp_net_ops = {
3513 +- .init = sctp_net_init,
3514 +- .exit = sctp_net_exit,
3515 ++static struct pernet_operations sctp_defaults_ops = {
3516 ++ .init = sctp_defaults_init,
3517 ++ .exit = sctp_defaults_exit,
3518 ++};
3519 ++
3520 ++static int __net_init sctp_ctrlsock_init(struct net *net)
3521 ++{
3522 ++ int status;
3523 ++
3524 ++ /* Initialize the control inode/socket for handling OOTB packets. */
3525 ++ status = sctp_ctl_sock_init(net);
3526 ++ if (status)
3527 ++ pr_err("Failed to initialize the SCTP control sock\n");
3528 ++
3529 ++ return status;
3530 ++}
3531 ++
3532 ++static void __net_init sctp_ctrlsock_exit(struct net *net)
3533 ++{
3534 ++ /* Free the control endpoint. */
3535 ++ inet_ctl_sock_destroy(net->sctp.ctl_sock);
3536 ++}
3537 ++
3538 ++static struct pernet_operations sctp_ctrlsock_ops = {
3539 ++ .init = sctp_ctrlsock_init,
3540 ++ .exit = sctp_ctrlsock_exit,
3541 + };
3542 +
3543 + /* Initialize the universe into something sensible. */
3544 +@@ -1444,8 +1455,11 @@ static __init int sctp_init(void)
3545 + sctp_v4_pf_init();
3546 + sctp_v6_pf_init();
3547 +
3548 +- status = sctp_v4_protosw_init();
3549 ++ status = register_pernet_subsys(&sctp_defaults_ops);
3550 ++ if (status)
3551 ++ goto err_register_defaults;
3552 +
3553 ++ status = sctp_v4_protosw_init();
3554 + if (status)
3555 + goto err_protosw_init;
3556 +
3557 +@@ -1453,9 +1467,9 @@ static __init int sctp_init(void)
3558 + if (status)
3559 + goto err_v6_protosw_init;
3560 +
3561 +- status = register_pernet_subsys(&sctp_net_ops);
3562 ++ status = register_pernet_subsys(&sctp_ctrlsock_ops);
3563 + if (status)
3564 +- goto err_register_pernet_subsys;
3565 ++ goto err_register_ctrlsock;
3566 +
3567 + status = sctp_v4_add_protocol();
3568 + if (status)
3569 +@@ -1471,12 +1485,14 @@ out:
3570 + err_v6_add_protocol:
3571 + sctp_v4_del_protocol();
3572 + err_add_protocol:
3573 +- unregister_pernet_subsys(&sctp_net_ops);
3574 +-err_register_pernet_subsys:
3575 ++ unregister_pernet_subsys(&sctp_ctrlsock_ops);
3576 ++err_register_ctrlsock:
3577 + sctp_v6_protosw_exit();
3578 + err_v6_protosw_init:
3579 + sctp_v4_protosw_exit();
3580 + err_protosw_init:
3581 ++ unregister_pernet_subsys(&sctp_defaults_ops);
3582 ++err_register_defaults:
3583 + sctp_v4_pf_exit();
3584 + sctp_v6_pf_exit();
3585 + sctp_sysctl_unregister();
3586 +@@ -1509,12 +1525,14 @@ static __exit void sctp_exit(void)
3587 + sctp_v6_del_protocol();
3588 + sctp_v4_del_protocol();
3589 +
3590 +- unregister_pernet_subsys(&sctp_net_ops);
3591 ++ unregister_pernet_subsys(&sctp_ctrlsock_ops);
3592 +
3593 + /* Free protosw registrations */
3594 + sctp_v6_protosw_exit();
3595 + sctp_v4_protosw_exit();
3596 +
3597 ++ unregister_pernet_subsys(&sctp_defaults_ops);
3598 ++
3599 + /* Unregister with socket layer. */
3600 + sctp_v6_pf_exit();
3601 + sctp_v4_pf_exit();
3602 +diff --git a/net/tipc/socket.c b/net/tipc/socket.c
3603 +index 0ed0eaa62f29..830e40b329d6 100644
3604 +--- a/net/tipc/socket.c
3605 ++++ b/net/tipc/socket.c
3606 +@@ -1681,6 +1681,7 @@ static int accept(struct socket *sock, struct socket *new_sock, int flags)
3607 + res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 1);
3608 + if (res)
3609 + goto exit;
3610 ++ security_sk_clone(sock->sk, new_sock->sk);
3611 +
3612 + new_sk = new_sock->sk;
3613 + new_tsock = tipc_sk(new_sk);
3614 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
3615 +index 907371d87312..08e29311e17d 100644
3616 +--- a/sound/pci/hda/patch_realtek.c
3617 ++++ b/sound/pci/hda/patch_realtek.c
3618 +@@ -1193,7 +1193,7 @@ static const struct hda_fixup alc880_fixups[] = {
3619 + /* override all pins as BIOS on old Amilo is broken */
3620 + .type = HDA_FIXUP_PINS,
3621 + .v.pins = (const struct hda_pintbl[]) {
3622 +- { 0x14, 0x0121411f }, /* HP */
3623 ++ { 0x14, 0x0121401f }, /* HP */
3624 + { 0x15, 0x99030120 }, /* speaker */
3625 + { 0x16, 0x99030130 }, /* bass speaker */
3626 + { 0x17, 0x411111f0 }, /* N/A */
3627 +@@ -1213,7 +1213,7 @@ static const struct hda_fixup alc880_fixups[] = {
3628 + /* almost compatible with FUJITSU, but no bass and SPDIF */
3629 + .type = HDA_FIXUP_PINS,
3630 + .v.pins = (const struct hda_pintbl[]) {
3631 +- { 0x14, 0x0121411f }, /* HP */
3632 ++ { 0x14, 0x0121401f }, /* HP */
3633 + { 0x15, 0x99030120 }, /* speaker */
3634 + { 0x16, 0x411111f0 }, /* N/A */
3635 + { 0x17, 0x411111f0 }, /* N/A */
3636 +@@ -1421,7 +1421,7 @@ static const struct snd_pci_quirk alc880_fixup_tbl[] = {
3637 + SND_PCI_QUIRK(0x161f, 0x203d, "W810", ALC880_FIXUP_W810),
3638 + SND_PCI_QUIRK(0x161f, 0x205d, "Medion Rim 2150", ALC880_FIXUP_MEDION_RIM),
3639 + SND_PCI_QUIRK(0x1631, 0xe011, "PB 13201056", ALC880_FIXUP_6ST_AUTOMUTE),
3640 +- SND_PCI_QUIRK(0x1734, 0x107c, "FSC F1734", ALC880_FIXUP_F1734),
3641 ++ SND_PCI_QUIRK(0x1734, 0x107c, "FSC Amilo M1437", ALC880_FIXUP_FUJITSU),
3642 + SND_PCI_QUIRK(0x1734, 0x1094, "FSC Amilo M1451G", ALC880_FIXUP_FUJITSU),
3643 + SND_PCI_QUIRK(0x1734, 0x10ac, "FSC AMILO Xi 1526", ALC880_FIXUP_F1734),
3644 + SND_PCI_QUIRK(0x1734, 0x10b0, "FSC Amilo Pi1556", ALC880_FIXUP_FUJITSU),
Report Message
Find on MARC Find on Google Groups